diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0043.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC CrowdStrike Falcon - Endpoint Alerts.yml
similarity index 94%
rename from Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0043.yml
rename to Packs/soc-crowdstrike-falcon/CorrelationRules/SOC CrowdStrike Falcon - Endpoint Alerts.yml
index 7a748e5..b4d665e 100644
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0043.yml
+++ b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC CrowdStrike Falcon - Endpoint Alerts.yml
@@ -1,5 +1,4 @@
 fromversion: 6.10.0
-rule_id: 0
 action: ALERTS
 alert_category: User Defined
 alert_description: $alert_description
@@ -73,7 +72,7 @@ description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detecti
 Event
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
-global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0043
+global_rule_id: SOC CrowdStrike Falcon - Endpoint Alerts
 investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry
 is being collected

@@ -82,16 +81,19 @@ investigation_query_link: '// All (stitched) activity from host - assuming raw t
 | filter agent_hostname = $hostname

 | fields * '
+is_enabled: true
 lookup_mapping: []
 mapping_strategy: CUSTOM
-mitre_defs:
- TA0043 - Reconnaissance: []
-name: SOC CrowdStrike Falcon - Endpoint Alerts - Reconnaissance
+mitre_defs: {}
+name: SOC CrowdStrike Falcon - Endpoint Alerts
+rule_id: 0
 search_window: null
 severity: User Defined
+simple_schedule: null
 suppression_duration: null
 suppression_enabled: false
 suppression_fields: null
+timezone: null
 user_defined_category: tactic
 user_defined_severity: severity_name
 xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\
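Review bot: The new `global_rule_id` swaps the UUID-derived value for the rule's display name, and `global_rule_id` is presumably the key XSIAM uses to match an already-installed rule on pack upgrade, so a tenant that has `f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0043` installed would likely receive a second rule instead of an in-place update, and the five `_ta00xx`/`_other` rules deleted further down this diff would stay installed for the same reason. Because the new query also drops its tactic filter, every Falcon EPP detection would then raise both the old per-tactic alert and the new catch-all one. I would keep the stable identifier, `global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8`, and say in the pack release notes that the per-tactic rules must be disabled or removed on upgrade. An identifier containing spaces is also unusual for this field; confirm the content validator accepts it before merging.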
@@ -103,8 +105,7 @@ xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: S
 \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\
 \ mitre_tactic = tactic,\n mitre_tactic_id \
 \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\
- \ = technique_id\n| filter mitre_tactic_id = \"TA0043\" or mitre_tactic = \"\
- Reconnaissance\"\n\n| filter product = \"epp\"\n\n// Extract fields from nested\
+ \ = technique_id\n\n| filter product = \"epp\"\n\n// Extract fields from nested\
 \ objects\n| alter \n hostname = device->hostname,\n domain\
 \ = device->machine_domain,\n local_ip = device->local_ip,\n \
 \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_other.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_other.yml
deleted file mode 100644
index 2425980..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_other.yml
+++ /dev/null
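Review bot: The added `+` line drops the `TA0043`/`Reconnaissance` filter without leaving anything in the query that says the absence of a tactic filter is deliberate, and the `Version: 1.0` header earlier in the same `xql_query` scalar is left unchanged even though the rule's scope went from one tactic to every `product = "epp"` detection. A one-line comment at the removal point would stop the next reader from re-adding a filter, e.g. `// No tactic filter: this single rule handles every tactic, including detections with no tactic/tactic_id set`, together with a bump of the version header. Note also that the retained `mitre_tactic = tactic` line only picks up the `Malware` → `Execution` rewrite if XQL evaluates the fields of one `alter` in order, and `mitre_tactic_id` is still the raw `tactic_id` either way, so a `Malware` detection can end up with tactic name `Execution` paired with whatever `tactic_id` CrowdStrike supplied; `mitre_tactic_id = if(tactic = "Malware", "TA0002", tactic_id)` would keep the two consistent, but verify against real CrowdStrike field values first. The `xql_query` scalar starts before this hunk and continues after it.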
@@ -1,125 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_other -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -name: SOC CrowdStrike Falcon - Endpoint Alerts - Other or Unknown Tactic -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"\" and mitre_tactic = \"\"\n\n\ - | filter product = \"epp\"\n\n// Extract fields from nested objects\n| alter \n\ - \ 
hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0001.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0001.yml deleted file mode 100644 index 56f1af5..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0001.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0001 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0001 - Initial Access: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Initial Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0001\" or mitre_tactic = \"\ - Initial Access\"\n\n| filter product = \"epp\"\n\n// 
Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0002.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0002.yml deleted file mode 100644 index 6cdd492..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0002.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0002 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0002 - Execution: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Execution -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0002\" or mitre_tactic = \"\ - Execution\"\n\n| filter product = \"epp\"\n\n// Extract fields 
from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0003.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0003.yml deleted file mode 100644 index 4f4f2a2..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0003.yml +++ /dev/null 
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0003 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0003 - Persistence: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Persistence -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0003\" or mitre_tactic = \"\ - Persistence\"\n\n| filter product = \"epp\"\n\n// Extract 
fields from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*" diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0004.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0004.yml deleted file mode 100644 index cc89330..0000000 --- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0004.yml +++ /dev/null 
@@ -1,127 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $alert_description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- _device_id: device_id
- action_file_path: filepath
- action_file_sha256: sha256
- action_local_ip: local_ip
- action_process_image_sha256: sha256
- action_remote_ip: remote_ips
- actor_effective_username: user_name
- actor_process_command_line: cmdline
- actor_process_image_name: filename
- actor_process_image_path: filepath
- actor_process_image_sha256: sha256
- actor_process_os_pid: local_process_id
- additionalindicators: ioc_value
- agent_device_domain: domain
- agent_hostname: hostname
- agent_id: agent_id
- alert_description: alert_description
- alertaction: pattern_disposition_description
- causality_actor_causality_id: aggregate_id
- causality_actor_process_image_sha256: grandparent_process_sha256
- detectionid: template_instance_id
- deviceexternalips: external_ip
- deviceou: device_ou_arr
- dns_query_name: dns_queries
- eventaction: ioc_source
- external_pivot_url: falcon_host_link
- externalconfidence: confidence
- externallink: falcon_host_link
- externalseverity: severity
- grandparentprocesscmd: grandparent_process_cmd
- grandparentprocessid: grandparent_local_process_id
- grandparentprocessname: grandparent_process_name
- grandparentprocesspath: grandparent_process_path
- grandparentprocesssha256: grandparent_process_sha256
- mac: mac_address
- mitretacticid: mitre_tactic_id
- mitretacticname: mitre_tactic
- mitretechniqueid: mitre_technique_id
- mitretechniquename: mitre_technique
- objective: objective
- originalalertid: composite_id
- originalalertname: alert_name
- originaldescription: alert_description
- parentprocesscmd: parent_process_cmd
- parentprocessid: parent_process_name
- parentprocessids: parent_local_process_id
- parentprocessname: parent_process_name
- parentprocesspath: parent_process_path
- parentprocesssha256: parent_process_sha256
- 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0004 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0004 - Privilege Escalation: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Privilege Escalation -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0004\" or mitre_tactic = \"\ - Privilege Escalation\"\n\n| filter product 
= \"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0005.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0005.yml
deleted file mode 100644
index 27abbf5..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0005.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $alert_description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- _device_id: device_id
- action_file_path: filepath
- action_file_sha256: sha256
- action_local_ip: local_ip
- action_process_image_sha256: sha256
- action_remote_ip: remote_ips
- actor_effective_username: user_name
- actor_process_command_line: cmdline
- actor_process_image_name: filename
- actor_process_image_path: filepath
- actor_process_image_sha256: sha256
- actor_process_os_pid: local_process_id
- additionalindicators: ioc_value
- agent_device_domain: domain
- agent_hostname: hostname
- agent_id: agent_id
- alert_description: alert_description
- alertaction: pattern_disposition_description
- causality_actor_causality_id: aggregate_id
- causality_actor_process_image_sha256: grandparent_process_sha256
- detectionid: template_instance_id
- deviceexternalips: external_ip
- deviceou: device_ou_arr
- dns_query_name: dns_queries
- eventaction: ioc_source
- external_pivot_url: falcon_host_link
- externalconfidence: confidence
- externallink: falcon_host_link
- externalseverity: severity
- grandparentprocesscmd: grandparent_process_cmd
- grandparentprocessid: grandparent_local_process_id
- grandparentprocessname: grandparent_process_name
- grandparentprocesspath: grandparent_process_path
- grandparentprocesssha256: grandparent_process_sha256
- mac: mac_address
- mitretacticid: mitre_tactic_id
- mitretacticname: mitre_tactic
- mitretechniqueid: mitre_technique_id
- mitretechniquename: mitre_technique
- objective: objective
- originalalertid: composite_id
- originalalertname: alert_name
- originaldescription: alert_description
- parentprocesscmd: parent_process_cmd
- parentprocessid: parent_process_name
- parentprocessids: parent_local_process_id
- parentprocessname: parent_process_name
- parentprocesspath: parent_process_path
- parentprocesssha256: parent_process_sha256
- 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0005 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0005 - Defense Evasion: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Defense Evasion -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0005\" or mitre_tactic = \"\ - Defense Evasion\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0006.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0006.yml
deleted file mode 100644
index 6f929db..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0006.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $alert_description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- _device_id: device_id
- action_file_path: filepath
- action_file_sha256: sha256
- action_local_ip: local_ip
- action_process_image_sha256: sha256
- action_remote_ip: remote_ips
- actor_effective_username: user_name
- actor_process_command_line: cmdline
- actor_process_image_name: filename
- actor_process_image_path: filepath
- actor_process_image_sha256: sha256
- actor_process_os_pid: local_process_id
- additionalindicators: ioc_value
- agent_device_domain: domain
- agent_hostname: hostname
- agent_id: agent_id
- alert_description: alert_description
- alertaction: pattern_disposition_description
- causality_actor_causality_id: aggregate_id
- causality_actor_process_image_sha256: grandparent_process_sha256
- detectionid: template_instance_id
- deviceexternalips: external_ip
- deviceou: device_ou_arr
- dns_query_name: dns_queries
- eventaction: ioc_source
- external_pivot_url: falcon_host_link
- externalconfidence: confidence
- externallink: falcon_host_link
- externalseverity: severity
- grandparentprocesscmd: grandparent_process_cmd
- grandparentprocessid: grandparent_local_process_id
- grandparentprocessname: grandparent_process_name
- grandparentprocesspath: grandparent_process_path
- grandparentprocesssha256: grandparent_process_sha256
- mac: mac_address
- mitretacticid: mitre_tactic_id
- mitretacticname: mitre_tactic
- mitretechniqueid: mitre_technique_id
- mitretechniquename: mitre_technique
- objective: objective
- originalalertid: composite_id
- originalalertname: alert_name
- originaldescription: alert_description
- parentprocesscmd: parent_process_cmd
- parentprocessid: parent_process_name
- parentprocessids: parent_local_process_id
- parentprocessname: parent_process_name
- parentprocesspath: parent_process_path
- parentprocesssha256: parent_process_sha256
- 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0006 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0006 - Credential Access: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Credential Access -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0006\" or mitre_tactic = \"\ - Credential Access\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0007.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0007.yml
deleted file mode 100644
index 888b0a9..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0007.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $alert_description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- _device_id: device_id
- action_file_path: filepath
- action_file_sha256: sha256
- action_local_ip: local_ip
- action_process_image_sha256: sha256
- action_remote_ip: remote_ips
- actor_effective_username: user_name
- actor_process_command_line: cmdline
- actor_process_image_name: filename
- actor_process_image_path: filepath
- actor_process_image_sha256: sha256
- actor_process_os_pid: local_process_id
- additionalindicators: ioc_value
- agent_device_domain: domain
- agent_hostname: hostname
- agent_id: agent_id
- alert_description: alert_description
- alertaction: pattern_disposition_description
- causality_actor_causality_id: aggregate_id
- causality_actor_process_image_sha256: grandparent_process_sha256
- detectionid: template_instance_id
- deviceexternalips: external_ip
- deviceou: device_ou_arr
- dns_query_name: dns_queries
- eventaction: ioc_source
- external_pivot_url: falcon_host_link
- externalconfidence: confidence
- externallink: falcon_host_link
- externalseverity: severity
- grandparentprocesscmd: grandparent_process_cmd
- grandparentprocessid: grandparent_local_process_id
- grandparentprocessname: grandparent_process_name
- grandparentprocesspath: grandparent_process_path
- grandparentprocesssha256: grandparent_process_sha256
- mac: mac_address
- mitretacticid: mitre_tactic_id
- mitretacticname: mitre_tactic
- mitretechniqueid: mitre_technique_id
- mitretechniquename: mitre_technique
- objective: objective
- originalalertid: composite_id
- originalalertname: alert_name
- originaldescription: alert_description
- parentprocesscmd: parent_process_cmd
- parentprocessid: parent_process_name
- parentprocessids: parent_local_process_id
- parentprocessname: parent_process_name
- parentprocesspath: parent_process_path
- parentprocesssha256: parent_process_sha256
- 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0007 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0007 - Discovery: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Discovery -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0007\" or mitre_tactic = \"\ - Discovery\"\n\n| filter product = \"epp\"\n\n// Extract fields 
from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0008.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0008.yml
deleted file mode 100644
index d25016d..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0008.yml
+++ /dev/null
@@ -1,127 +0,0 @@
-fromversion: 6.10.0
-rule_id: 0
-action: ALERTS
-alert_category: User Defined
-alert_description: $alert_description
-alert_domain: DOMAIN_SECURITY
-alert_fields:
- _device_id: device_id
- action_file_path: filepath
- action_file_sha256: sha256
- action_local_ip: local_ip
- action_process_image_sha256: sha256
- action_remote_ip: remote_ips
- actor_effective_username: user_name
- actor_process_command_line: cmdline
- actor_process_image_name: filename
- actor_process_image_path: filepath
- actor_process_image_sha256: sha256
- actor_process_os_pid: local_process_id
- additionalindicators: ioc_value
- agent_device_domain: domain
- agent_hostname: hostname
- agent_id: agent_id
- alert_description: alert_description
- alertaction: pattern_disposition_description
- causality_actor_causality_id: aggregate_id
- causality_actor_process_image_sha256: grandparent_process_sha256
- detectionid: template_instance_id
- deviceexternalips: external_ip
- deviceou: device_ou_arr
- dns_query_name: dns_queries
- eventaction: ioc_source
- external_pivot_url: falcon_host_link
- externalconfidence: confidence
- externallink: falcon_host_link
- externalseverity: severity
- grandparentprocesscmd: grandparent_process_cmd
- grandparentprocessid: grandparent_local_process_id
- grandparentprocessname: grandparent_process_name
- grandparentprocesspath: grandparent_process_path
- grandparentprocesssha256: grandparent_process_sha256
- mac: mac_address
- mitretacticid: mitre_tactic_id
- mitretacticname: mitre_tactic
- mitretechniqueid: mitre_technique_id
- mitretechniquename: mitre_technique
- objective: objective
- originalalertid: composite_id
- originalalertname: alert_name
- originaldescription: alert_description
- parentprocesscmd: parent_process_cmd
- parentprocessid: parent_process_name
- parentprocessids: parent_local_process_id
- parentprocessname: parent_process_name
- parentprocesspath: parent_process_path
- parentprocesssha256: parent_process_sha256
- 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0008 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0008 - Lateral Movement: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Lateral Movement -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0008\" or mitre_tactic = \"\ - Lateral Movement\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0009.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0009.yml
deleted file mode 100644
index ed531cd..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0009.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0009 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0009 - Collection: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Collection -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0009\" or mitre_tactic = \"\ - Collection\"\n\n| filter product = \"epp\"\n\n// Extract 
fields from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0010.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0010.yml
deleted file mode 100644
index 2e3e26d..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0010.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0010 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0010 - Exfiltration: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Exfiltration -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0010\" or mitre_tactic = \"\ - Exfiltration\"\n\n| filter product = \"epp\"\n\n// Extract 
fields from nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0011.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0011.yml
deleted file mode 100644
index d8d2eaa..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0011.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0011 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0011 - Command and Control: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Command and Control -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0011\" or mitre_tactic = \"\ - Command and Control\"\n\n| filter product = 
\"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0040.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0040.yml
deleted file mode 100644
index 41dd474..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0040.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0040 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0040 - Impact: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Impact -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0040\" or mitre_tactic = \"\ - Impact\"\n\n| filter product = \"epp\"\n\n// Extract fields from 
nested objects\n\ - | alter \n hostname = device->hostname,\n domain = device->machine_domain,\n\ - \ local_ip = device->local_ip,\n external_ip = device->external_ip,\n\ - \ mac_address = device->mac_address,\n device_id = device->device_id,\n\ - \ device_ou = device->ou[],\n parent_process_name = parent_details->filename,\n\ - \ parent_process_cmd = parent_details->cmdline,\n parent_process_path\ - \ = parent_details->filepath,\n parent_process_sha256 = parent_details->sha256,\n\ - \ parent_local_process_id = parent_details->local_process_id,\n \ - \ grandparent_process_name = grandparent_details->filename,\n \ - \ grandparent_process_cmd = grandparent_details->cmdline,\n grandparent_process_path\ - \ = grandparent_details->filepath,\n grandparent_process_sha256 =\ - \ grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0042.yml b/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0042.yml
deleted file mode 100644
index 45a8191..0000000
--- a/Packs/soc-crowdstrike-falcon/CorrelationRules/SOC_CrowdStrike_Falcon_Endpoint_Alert_ta0042.yml
+++ /dev/null
@@ -1,127 +0,0 @@ -fromversion: 6.10.0 -rule_id: 0 -action: ALERTS -alert_category: User Defined -alert_description: $alert_description -alert_domain: DOMAIN_SECURITY -alert_fields: - _device_id: device_id - action_file_path: filepath - action_file_sha256: sha256 - action_local_ip: local_ip - action_process_image_sha256: sha256 - action_remote_ip: remote_ips - actor_effective_username: user_name - actor_process_command_line: cmdline - actor_process_image_name: filename - actor_process_image_path: filepath - actor_process_image_sha256: sha256 - actor_process_os_pid: local_process_id - additionalindicators: ioc_value - agent_device_domain: domain - agent_hostname: hostname - agent_id: agent_id - alert_description: alert_description - alertaction: pattern_disposition_description - causality_actor_causality_id: aggregate_id - causality_actor_process_image_sha256: grandparent_process_sha256 - detectionid: template_instance_id - deviceexternalips: external_ip - deviceou: device_ou_arr - dns_query_name: dns_queries - eventaction: ioc_source - external_pivot_url: falcon_host_link - externalconfidence: confidence - externallink: falcon_host_link - externalseverity: severity - grandparentprocesscmd: grandparent_process_cmd - grandparentprocessid: grandparent_local_process_id - grandparentprocessname: grandparent_process_name - grandparentprocesspath: grandparent_process_path - grandparentprocesssha256: grandparent_process_sha256 - mac: mac_address - mitretacticid: mitre_tactic_id - mitretacticname: mitre_tactic - mitretechniqueid: mitre_technique_id - mitretechniquename: mitre_technique - objective: objective - originalalertid: composite_id - originalalertname: alert_name - originaldescription: alert_description - parentprocesscmd: parent_process_cmd - parentprocessid: parent_process_name - parentprocessids: parent_local_process_id - parentprocessname: parent_process_name - parentprocesspath: parent_process_path - parentprocesssha256: parent_process_sha256 - 
postnatdestinationip: remote_ips - prenatsourceip: local_ip - processcreationtime: process_start_time - processid: grandparent_local_process_id - processmd5: md5 - scenario: scenario - severity: severity_name - sourceid: aggregate_id - tim_main_indicator: ioc_value - userid: user_name - usersid: user_id -alert_name: SOC CrowdStrike Falcon - $alert_name -alert_type: null -crontab: null -dataset: alerts -description: Creates an XSIAM alert for each CrowdStrike Falcon Endpoint Detection - Event -drilldown_query_timeframe: ALERT -execution_mode: REAL_TIME -global_rule_id: f83e316a-e2b8-4627-ac19-4375f8fe7ae8_ta0042 -investigation_query_link: '// All (stitched) activity from host - assuming raw telemetry - is being collected - - dataset = xdr_data - - | filter agent_hostname = $hostname - - | fields * ' -lookup_mapping: [] -mapping_strategy: CUSTOM -mitre_defs: - TA0042 - Resource Development: [] -name: SOC CrowdStrike Falcon - Endpoint Alerts - Resource Development -search_window: null -severity: User Defined -suppression_duration: null -suppression_enabled: false -suppression_fields: null -user_defined_category: tactic -user_defined_severity: severity_name -xql_query: "/*\nTitle: SOC CrowdStrike Falcon - Endpoint Alerts\nDescription: Single\ - \ rule handler for any Detection Summary alert fetched from the CrowdStrike Falcon\ - \ Integration\nDatasets: crowdstrike_falcon_event_raw (note, this may be different\ - \ depending on how the initial integration is configured)\nDependencies: CrowdStrike\ - \ Falcon automation integration\nVersion: 1.0\n*/\nconfig case_sensitive = false\n\ - | dataset = crowdstrike_falcon_event_raw \n\n// XSIAM MITRE Normalization\n| alter\n\ - \ tactic = if(tactic = \"Malware\", \"Execution\", tactic),\n\ - \ mitre_tactic = tactic,\n mitre_tactic_id \ - \ = tactic_id,\n mitre_technique = technique,\n mitre_technique_id\ - \ = technique_id\n| filter mitre_tactic_id = \"TA0042\" or mitre_tactic = \"\ - Resource Development\"\n\n| filter product 
= \"epp\"\n\n// Extract fields from nested\ - \ objects\n| alter \n hostname = device->hostname,\n domain\ - \ = device->machine_domain,\n local_ip = device->local_ip,\n \ - \ external_ip = device->external_ip,\n mac_address = device->mac_address,\n\ - \ device_id = device->device_id,\n device_ou = device->ou[],\n\ - \ parent_process_name = parent_details->filename,\n parent_process_cmd\ - \ = parent_details->cmdline,\n parent_process_path = parent_details->filepath,\n\ - \ parent_process_sha256 = parent_details->sha256,\n parent_local_process_id\ - \ = parent_details->local_process_id,\n grandparent_process_name = grandparent_details->filename,\n\ - \ grandparent_process_cmd = grandparent_details->cmdline,\n \ - \ grandparent_process_path = grandparent_details->filepath,\n grandparent_process_sha256\ - \ = grandparent_details->sha256,\n grandparent_local_process_id = grandparent_details->local_process_id\n\ - \n// CGO Normalization\n| alter cgo_name = if(lowercase(grandparent_process_name)\ - \ not in (\"wininit.exe\", \"userinit.exe\"), grandparent_process_name, coalesce(parent_process_name,\ - \ filename)),\n cgo_path = if(lowercase(grandparent_process_name) not in (\"wininit.exe\"\ - , \"userinit.exe\"), grandparent_process_path, coalesce(parent_process_path, filepath)),\n\ - \ cgo_cmd = if(lowercase(grandparent_process_name) not in (\"wininit.exe\", \"userinit.exe\"\ - ), grandparent_process_cmd, coalesce(parent_process_cmd, cmdline))\n\n// Keep optional\ - \ enrichments disabled for performance\n| alter dns_queries = null\n| alter remote_ips\ - \ = null\n\n| alter alert_name = _name\n| alter alert_description = description\n\ - \n// Final field ordering\n| fields 
device_id,local_ip,user_name,cmdline,sha256,domain,hostname,agent_id,pattern_disposition_description,cgo_cmd,cgo_name,cgo_path,template_instance_id,external_ip,falcon_host_link,mac_address,tactic_id,tactic,technique_id,technique,objective,composite_id,parent_process_cmd,parent_process_name,parent_local_process_id,parent_process_path,parent_process_sha256,process_start_time,local_process_id,md5,scenario,severity_name,aggregate_id,indicator_id,user_name,user_id,alert_name,alert_description,*"
diff --git a/Packs/soc-crowdstrike-falcon/pack_metadata.json b/Packs/soc-crowdstrike-falcon/pack_metadata.json
index cfea8a9..8cd59ed 100644
--- a/Packs/soc-crowdstrike-falcon/pack_metadata.json
+++ b/Packs/soc-crowdstrike-falcon/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-crowdstrike-falcon",
 "description": "This contains the content for XSIAM CrowdStrike Falcon. This includes layouts, playbooks and incident fields",
 "support": "xsoar",
- "currentVersion": "1.0.38",
+ "currentVersion": "1.0.39",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-crowdstrike-falcon/xsoar_config.json b/Packs/soc-crowdstrike-falcon/xsoar_config.json
index 7f513f4..930a29e 100644
--- a/Packs/soc-crowdstrike-falcon/xsoar_config.json
+++ b/Packs/soc-crowdstrike-falcon/xsoar_config.json
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-crowdstrike-falcon.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.38/soc-crowdstrike-falcon-v1.0.38.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-crowdstrike-falcon-v1.0.39/soc-crowdstrike-falcon-v1.0.39.zip",
 "system": "yes"
 }
 ],
diff --git a/Packs/soc-optimization-unified/Lists/SOCArtifacts_V3/SOCArtifacts_V3.json b/Packs/soc-optimization-unified/Lists/SOCArtifacts_V3/SOCArtifacts_V3.json
deleted file mode 100644
index e5e6581..0000000
--- a/Packs/soc-optimization-unified/Lists/SOCArtifacts_V3/SOCArtifacts_V3.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "allRead": true,
- "allReadWrite": true,
- "cacheVersn": 0,
- "data": "-",
- "definitionId": "",
- "description": "",
- "detached": false,
- "fromServerVersion": "",
- "id": "SOCArtifacts_V3",
- "isOverridable": false,
- "itemVersion": "",
- "locked": false,
- "name": "SOCArtifacts_V3",
- "nameLocked": false,
- "packID": "",
- "packName": "",
- "previousAllRead": true,
- "previousAllReadWrite": true,
- "system": false,
- "tags": null,
- "toServerVersion": "",
- "truncated": false,
- "type": "json",
- "version": -1,
- "fromVersion": "6.5.0"
-}
diff --git a/Packs/soc-optimization-unified/Lists/SOCArtifacts_V3/SOCArtifacts_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCArtifacts_V3/SOCArtifacts_V3_data.json
deleted file mode 100644
index e642fd3..0000000
--- a/Packs/soc-optimization-unified/Lists/SOCArtifacts_V3/SOCArtifacts_V3_data.json
+++ /dev/null
@@ -1,193 +0,0 @@ -{ - "Artifacts": { - "endpoint.id": { - "description": "Primary identifier for an endpoint/host used for containment and process actions.", - "examples": [ - "endpoint_id", - "machine_id", - "device_id", - "agent_id" - ], - "product_categories": [ - "Endpoint", - "Network" - ], - "sources": [ - "SOCFramework.Artifacts.Host.endpoint_id", - "SOCFramework.Artifacts.Host.device_id", - "SOCFramework.Artifacts.Host.agent_id" - ] - }, - "endpoint.process.id": { - "description": "Process identifier for termination / suspension.", - "examples": [ - "process_id", - "process_name" - ], - "product_categories": [ - "Endpoint" - ], - "sources": [ - "SOCFramework.Artifacts.Process.pid", - "SOCFramework.Artifacts.Process.name" - ] - }, - "file.hash": { - "description": "File hash used for blocklist/allowlist actions.", - "examples": [ - "hash", - "sha256", - "md5" - ], - "product_categories": [ - "Endpoint" - ], - "sources": [ - "SOCFramework.Artifacts.File.sha256", - "SOCFramework.Artifacts.File.md5" - ] - }, - "file.path": { - "description": "File path used for quarantine/removal.", - "examples": [ - "file_path" - ], - "product_categories": [ - "Endpoint" - ], - "sources": [ - "SOCFramework.Artifacts.File.path" - ] - }, - "user.id": { - "description": "User identifier for identity actions.", - "examples": [ - "user_id", - "username", - "upn" - ], - "product_categories": [ - "Identity" - ], - "sources": [ - "SOCFramework.Artifacts.User.id", - "SOCFramework.Artifacts.User.username", - "SOCFramework.Artifacts.User.email" - ] - }, - "email.message_id": { - "description": "Email message ID used to search, quarantine, release, or delete.", - "examples": [ - "message_id", - "guid" - ], - "product_categories": [ - "EmailSecurity" - ], - "sources": [ - "SOCFramework.Artifacts.Email.message_id", - "SOCFramework.Artifacts.Email.guid" - ] - }, - "ip.address": { - "description": "IP address used for blocking/unblocking in firewalls and proxies.", - "examples": [ - "ip" - 
], - "product_categories": [ - "Network", - "Cloud" - ], - "sources": [ - "SOCFramework.Artifacts.IPAddresses.[].ip" - ] - }, - "url.value": { - "description": "URL used for proxy/filter block/unblock.", - "examples": [ - "url" - ], - "product_categories": [ - "Network", - "EmailSecurity" - ], - "sources": [ - "SOCFramework.Artifacts.URLs.[].value" - ] - }, - "cloud.resource_id": { - "description": "Cloud resource ID / container / instance identifier.", - "examples": [ - "resource_id", - "container_id" - ], - "product_categories": [ - "Cloud" - ], - "sources": [ - "SOCFramework.Artifacts.Cloud.resource_id", - "SOCFramework.Artifacts.Cloud.container_id" - ] - }, - "alert.id": { - "description": "Primary alert, incident, or threat identifier used for enrichment.", - "examples": [ - "alert_id", - "incident_id", - "threat_id" - ], - "product_categories": [ - "Endpoint", - "EmailSecurity", - "Identity", - "Network", - "Cloud" - ], - "sources": [ - "SOCFramework.Artifacts.Alert.alert_id", - "SOCFramework.Artifacts.Alert.incident_id", - "SOCFramework.Artifacts.Alert.threat_id" - ] - }, - "email.sender.address": { - "description": "Sender email address used for blocking.", - "examples": [ - "sender" - ], - "product_categories": [ - "EmailSecurity" - ], - "sources": [ - "SOCFramework.Artifacts.Email.sender" - ] - }, - "email.search.query": { - "description": "Search query string used by email security products.", - "examples": [ - "query" - ], - "product_categories": [ - "EmailSecurity" - ], - "sources": [ - "SOCFramework.Artifacts.Email.search_query" - ] - }, - "network.asset.mac": { - "description": "MAC address used in NAC and network asset control.", - "examples": [ - "mac_address" - ], - "product_categories": [ - "Network", - "Identity" - ], - "sources": [ - "SOCFramework.Artifacts.Network.mac_address", - "SOCFramework.Artifacts.Host.mac_address" - ] - } - }, - "id": "SOCArtifacts_V3", - "name": "SOCArtifacts_V3" -} 
diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3.json index 2a8c0b3..029aeba 100644 --- a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3.json +++ b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3.json @@ -6,10 +6,10 @@ "definitionId": "", "description": "", "detached": false, - "fromServerVersion": "", + "fromServerVersion": "6.5.0", "id": "SOCFrameworkActions_V3", "isOverridable": false, - "itemVersion": "", + "itemVersion": "3.0.29", "locked": false, "name": "SOCFrameworkActions_V3", "nameLocked": false, @@ -24,4 +24,4 @@ "type": "json", "version": -1, "fromVersion": "6.5.0" -} +} \ No newline at end of file diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json index d5b0d0a..3e9b380 100644 --- a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json +++ b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json 
@@ -1,124 +1,115 @@ { - "Actions": { - "soc-enrich-alert": { - "required_artifacts": [ - "alert.id" - ] - }, - "soc-isolate-endpoint": { - "required_artifacts": [ - "endpoint.id" - ] - }, - "soc-unisolate-endpoint": { - "required_artifacts": [ - "endpoint.id" - ] - }, - "soc-terminate-process": { - "required_artifacts": [ - "endpoint.id", - "endpoint.process.id" - ] - }, - "soc-quarantine-file": { - "required_artifacts": [ - "endpoint.id", - "file.path" - ] - }, - "soc-block-hash": { - "required_artifacts": [ - "file.hash" - ] - }, - "soc-disable-identity": { - "required_artifacts": [ - "user.id" - ] - }, - "soc-enable-identity": { - "required_artifacts": [ - "user.id" - ] - }, - "soc-reset-password": { - "required_artifacts": [ - "user.id" - ] - }, - "soc-revoke-sessions": { - "required_artifacts": [ - "user.id" - ] - }, - "soc-quarantine-email": { - "required_artifacts": [ - "email.message_id" - ] - }, - "soc-release-email": { - "required_artifacts": [ - "email.message_id" - ] - }, - "soc-delete-email": { - "required_artifacts": [ - "email.message_id" - ] - }, - "soc-block-sender": { - "required_artifacts": [ - "email.sender.address" - ] - }, - "soc-search-email": { - "required_artifacts": [ - "email.search.query" - ] - }, - "soc-fetch-forensics": { - "required_artifacts": [] - }, - "soc-disable-network-asset": { - "required_artifacts": [ - "network.asset.mac" - ] - }, - "soc-enable-network-asset": { - "required_artifacts": [ - "network.asset.mac" - ] - }, - "soc-block-url": { - "required_artifacts": [ - "url.value" - ] - }, - "soc-unblock-url": { - "required_artifacts": [ - "url.value" - ] - }, - "soc-block-ip": { - "required_artifacts": [ - "ip.address" - ] - }, - "soc-unblock-ip": { - "required_artifacts": [ - "ip.address" - ] - }, - "soc-quarantine-cloud": { - "required_artifacts": [ - "cloud.resource_id" - ] - }, - "soc-disable-cloud-session": { - "required_artifacts": [ - "cloud.resource_id" - ] + "soc-isolate-endpoint": { + "responses": { + "Cortex Core - 
IR": { + "command": "core-isolate-endpoint", + "inline_args": { + "endpoint_id": "SOCFramework.Artifacts.EndPointID" + } + }, + "CrowdstrikeFalcon": { + "command": "cs-falcon-contain-host", + "inline_args": { + "agent_id(s)": "SOCFramework.Artifacts.EndPointID" + } + }, + "Trend Micro Vision One V3": { + "command": "trendmicro-visionone-isolate-endpoint", + "inline_args": { + "endpoint_identifiers": "SOCFramework.Artifacts.EndPointID" + } + }, + "Microsoft Defender Advanced Threat Protection": { + "command": "microsoft-atp-isolate-machine", + "inline_args": { + "machine_id": "SOCFramework.Artifacts.EndPointID", + "comment": "SOCFramework isolate endpoint", + "isolation_type": "Full" + } + } + } + }, + "soc-disable-user": { + "responses": { + "Active Directory Query v2": { + "command": "disable-user", + "inline_args": { + "user_email": "SOCFramework.Artifacts.UserEmail", + "user_name": "SOCFramework.Artifacts.UserName", + "user_id": "SOCFramework.Artifacts.UserID" + } + }, + "Microsoft Graph User": { + "command": "disable-user", + "inline_args": { + "user_email": "SOCFramework.Artifacts.UserEmail", + "user_name": "SOCFramework.Artifacts.UserName", + "user_id": "SOCFramework.Artifacts.UserID" + } + }, + "Okta IAM": { + "command": "disable-user", + "inline_args": { + "user_email": "SOCFramework.Artifacts.UserEmail", + "user_name": "SOCFramework.Artifacts.UserName", + "user_id": "SOCFramework.Artifacts.UserID" + } + }, + "Okta V2": { + "command": "disable-user", + "inline_args": { + "user_email": "SOCFramework.Artifacts.UserEmail", + "user_name": "SOCFramework.Artifacts.UserName", + "user_id": "SOCFramework.Artifacts.UserID" + } + } + } + }, + "soc-kill-process": { + "responses": { + "Cortex Core - IR": { + "command": "core-run-script-kill-process", + "inline_args": { + "endpoint_ids": "SOCFramework.Artifacts.EndPointID", + "process_names": "SOCFramework.Artifacts.ProcessName" + } + }, + "CrowdstrikeFalcon": { + "command": "cs-falcon-rtr-kill-process", + "inline_args": 
{ + "host_id": "SOCFramework.Artifacts.EndPointID", + "process_ids": "SOCFramework.Artifacts.PID" + } + }, + "Trend Micro Vision One V3": { + "command": "trendmicro-visionone-terminate-process", + "inline_args": { + "process_identifiers": "SOCFramework.Artifacts.PID" + } + } + } + }, + "soc-quarantine-files": { + "responses": { + "Cortex Core - IR": { + "command": "core-quarantine-files", + "inline_args": { + "endpoint_id_list": "SOCFramework.Artifacts.EndPointID", + "file_hash": "SOCFramework.Artifacts.File", + "file_path": "SOCFramework.Artifacts.FilePath" + } + }, + "Microsoft Defender Advanced Threat Protection": { + "command": "microsoft-atp-stop-and-quarantine-file", + "inline_args": { + "machine_ids": "SOCFramework.Artifacts.EndPointID", + "file_hashes": "SOCFramework.Artifacts.File" + } + }, + "Trend Micro Vision One V3": { + "command": "trendmicro-visionone-quarantine-email-message", + "inline_args": {} + } } }, "id": "SOCFrameworkActions_V3", diff --git a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json index 3cd4573..10cce95 100644 --- a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json +++ b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json @@ -6,10 +6,10 @@ "definitionId": "", "description": "", "detached": false, - "fromServerVersion": "", + "fromServerVersion": "6.5.0", "id": "SOCProductCategoryMap_V3", "isOverridable": false, - "itemVersion": "", + "itemVersion": "3.0.29", "locked": false, "name": "SOCProductCategoryMap_V3", "nameLocked": false, @@ -24,4 +24,4 @@ "type": "json", "version": -1, "fromVersion": "6.5.0" -} +} \ No newline at end of file 
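Review bot: The `Trend Micro Vision One V3` entry under `soc-quarantine-files` maps a file-containment action to `trendmicro-visionone-quarantine-email-message` with `"inline_args": {}`, so a quarantine-file request routed to Vision One would invoke an email-message command with no target at all; that entry should be removed or pointed at the integration's file-level quarantine command with `endpoint_id`/`file_path` style arguments rather than left as a silent no-op. The old `required_artifacts` gating has been dropped with nothing visible replacing it, so each `inline_args` value is now a bare `SOCFramework.Artifacts.*` reference — presumably an unpopulated artifact becomes an empty argument to an isolate/kill/disable command, which the consuming playbook should reject before execution (worth confirming against `Foundation - Product Classification_V3`). The CrowdStrike isolate entry keys its argument as `"agent_id(s)"` while the deleted capability map used `device_id` for the same `cs-falcon-contain-host` command; an argument name with parentheses looks like a display label rather than the integration's real parameter and should be checked. `soc-kill-process` for Vision One passes only `process_identifiers` with no endpoint scoping, unlike the Cortex and CrowdStrike entries, so the PID alone decides what gets killed.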
diff --git a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json index aa81bc2..115c8e1 100644 --- a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json +++ b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json 
@@ -1,131 +1,139 @@ { - "ds_paloaltonetworks_cloud_identity_engine_directory": { - "category": "Identity", - "type": "Directory", - "confidence": "high" - }, - "ds_microsoft_defender_identity": { - "category": "Identity", - "type": "IDP", - "confidence": "high" - }, - "ds_okta_systemlog": { - "category": "Identity", - "type": "IDP", - "confidence": "high" - }, - "ds_cisco_ise": { - "category": "Identity", - "type": "NAC", - "confidence": "high" - }, - "ds_cyberark": { - "category": "Identity", - "type": "PAM", - "confidence": "high" - }, - "ds_microsoft_defender_email": { - "category": "Email", - "type": "SEG", - "confidence": "high" - }, - "ds_abnormalsecurity_abx": { - "category": "Email", - "type": "BEC/ML", - "confidence": "high" - }, - "ds_paloaltonetworks_Email": { - "category": "Email", - "type": "SEG", - "confidence": "high" - }, - "ds_proofpoint_tap_v2": { - "Name": "Proofpoint TAP V2", - "category": "Email", - "type": "SEG", - "confidence": "high" - }, - "ds_paloaltonetworks_firewall_threat": { - "category": "Network", - "type": "NGFW", - "confidence": "high" - }, - "ds_paloaltonetworks_firewall_traffic": { - "category": "Network", - "type": "NGFW", - "confidence": "high" - }, - "ds_cisco_asa_vpn": { - "category": "Network", - "type": "VPN", - "confidence": "high" - }, - "ds_fortinet_fortigate": { - "Name": "Fortinet Fortigate", - "category": "Network", - "type": "NGFW", - "confidence": "high" - }, - "ds_zscaler_zia": { - "category": "Network", - "type": "Proxy", - "confidence": "high" - }, - "ds_aws_cloudtrail": { - "category": "Cloud", - "type": "CSPM", - "confidence": "high" - }, - "ds_azure_activity": { - "category": "Cloud", - "type": "CSPM", - "confidence": "high" - }, - "ds_gcp_audit": { - "category": "Cloud", - "type": "CSPM", - "confidence": "high" - }, - "ds_alibaba_actiontrail": { - "category": "Cloud", - "type": "CSPM", - "confidence": "high" - }, - "ds_crowdstrike_falcon_event": { - "Name": "CrowdStrike Falcon Alerts", - "category": 
"Endpoint", - "type": "EDR", - "confidence": "high" - }, - "ds_msft_graph_security_alerts": { - "Name": "Microsoft Defender Alerts", - "category": "Endpoint", - "type": "EDR", - "confidence": "high" - }, - "ds_msft_defenderxdr": { - "Name": "Microsoft Defender MDE Telemetry", - "category": "Endpoint", - "type": "EDR", - "confidence": "high" - }, - "ds_panw_xdr_agent": { - "Name": "Cortext XDR Agent", - "category": "Endpoint", - "type": "XDR", - "confidence": "high" - }, - "ds_sentinelone_event": { - "category": "Endpoint", - "type": "EDR", - "confidence": "high" - }, - "ds_trend_micro_vision_one_v3_generic_alert": { - "Name": "Trend Micro Vision One V3", - "category": "Endpoint", - "type": "EDR", - "confidence": "high" - }, - "id": "SOCProductCategoryMap_V3", - "name": "SOCProductCategoryMap_V3" -} + "ds_paloaltonetworks_cloud_identity_engine_directory": { + "category": "Identity", + "type": "Directory", + "confidence": "high" + }, + "ds_microsoft_defender_identity": { + "category": "Identity", + "type": "IDP", + "confidence": "high" + }, + "ds_okta_systemlog": { + "category": "Identity", + "type": "IDP", + "confidence": "high" + }, + "ds_cisco_ise": { + "category": "Identity", + "type": "NAC", + "confidence": "high" + }, + "ds_cyberark": { + "category": "Identity", + "type": "PAM", + "confidence": "high" + }, + "ds_microsoft_defender_email": { + "category": "Email", + "type": "SEG", + "confidence": "high" + }, + "ds_abnormalsecurity_abx": { + "category": "Email", + "type": "BEC/ML", + "confidence": "high" + }, + "ds_paloaltonetworks_Email": { + "category": "Email", + "type": "SEG", + "confidence": "high" + }, + "ds_proofpoint_tap_v2": { + "Name": "Proofpoint TAP V2", + "category": "Email", + "type": "SEG", + "confidence": "high" + }, + "ds_paloaltonetworks_firewall_threat": { + "category": "Network", + "type": "NGFW", + "confidence": "high" + }, + "ds_paloaltonetworks_firewall_traffic": { + "category": "Network", + "type": "NGFW", + "confidence": "high" + }, + 
"ds_cisco_asa_vpn": { + "category": "Network", + "type": "VPN", + "confidence": "high" + }, + "ds_fortinet_fortigate": { + "Name": "Fortinet Fortigate", + "category": "Network", + "type": "NGFW", + "confidence": "high" + }, + "ds_zscaler_zia": { + "category": "Network", + "type": "Proxy", + "confidence": "high" + }, + "ds_aws_cloudtrail": { + "category": "Cloud", + "type": "CSPM", + "confidence": "high" + }, + "ds_azure_activity": { + "category": "Cloud", + "type": "CSPM", + "confidence": "high" + }, + "ds_gcp_audit": { + "category": "Cloud", + "type": "CSPM", + "confidence": "high" + }, + "ds_alibaba_actiontrail": { + "category": "Cloud", + "type": "CSPM", + "confidence": "high" + }, + "ds_crowdstrike_falcon_event": { + "name": "CrowdStrike Falcon Alerts", + "category": "Endpoint", + "type": "EDR", + "confidence": "high", + "product": "epp", + "response": "CrowdstrikeFalcon" + }, + "ds_msft_graph_security_alerts": { + "Name": "Microsoft Defender Alerts", + "category": "Endpoint", + "type": "EDR", + "confidence": "high", + "product": "Microsoft Defender for Endpoint", + "response": "Microsoft Defender Advanced Threat Protection" + }, + "ds_msft_defenderxdr": { + "Name": "Microsoft Defender MDE Telemetry", + "category": "Endpoint", + "type": "EDR", + "confidence": "high" + }, + "ds_panw_xdr_agent": { + "Name": "Cortext XDR Agent", + "category": "Endpoint", + "type": "XDR", + "confidence": "high", + "product": "Fusion", + "response": "Cortex Core - IR" + }, + "ds_sentinelone_event": { + "category": "Endpoint", + "type": "EDR", + "confidence": "high" + }, + "ds_trend_micro_vision_one_v3_generic_alert": { + "Name": "Trend Micro Vision One V3", + "category": "Endpoint", + "type": "EDR", + "confidence": "high", + "product": "SAE", + "response": "Trend Micro Vision One V3" + }, + "id": "SOCProductCategoryMap_V3", + "name": "SOCProductCategoryMap_V3" +} \ No newline at end of file 
diff --git a/Packs/soc-optimization-unified/Lists/SOCVendorCapabilities_V3/SOCVendorCapabilities_V3.json b/Packs/soc-optimization-unified/Lists/SOCVendorCapabilities_V3/SOCVendorCapabilities_V3.json deleted file mode 100644 index b56fa4f..0000000 --- a/Packs/soc-optimization-unified/Lists/SOCVendorCapabilities_V3/SOCVendorCapabilities_V3.json +++ /dev/null @@ -1,27 +0,0 @@ -{ - "allRead": true, - "allReadWrite": true, - "cacheVersn": 0, - "data": "-", - "definitionId": "", - "description": "", - "detached": false, - "fromServerVersion": "", - "id": "SOCVendorCapabilities_V3", - "isOverridable": false, - "itemVersion": "", - "locked": false, - "name": "SOCVendorCapabilities_V3", - "nameLocked": false, - "packID": "", - "packName": "", - "previousAllRead": true, - "previousAllReadWrite": true, - "system": false, - "tags": null, - "toServerVersion": "", - "truncated": false, - "type": "json", - "version": -1, - "fromVersion": "6.5.0" -} diff --git a/Packs/soc-optimization-unified/Lists/SOCVendorCapabilities_V3/SOCVendorCapabilities_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCVendorCapabilities_V3/SOCVendorCapabilities_V3_data.json deleted file mode 100644 index fa8b0ae..0000000 --- a/Packs/soc-optimization-unified/Lists/SOCVendorCapabilities_V3/SOCVendorCapabilities_V3_data.json +++ /dev/null 
@@ -1,449 +0,0 @@ -{ - "VendorCapabilities": { - "Cortex XDR - IR": { - "soc-enrich-alert": { - "command": "xdr-get-alert-details", - "args": [ - "alert_id" - ] - }, - "soc-isolate-endpoint": { - "command": "xdr-endpoint-isolate", - "args": [ - "endpoint_id" - ] - }, - "soc-unisolate-endpoint": { - "command": "xdr-endpoint-unisolate", - "args": [ - "endpoint_id" - ] - }, - "soc-terminate-process": { - "command": "xdr-terminate-process", - "args": [ - "endpoint_id", - "process_id" - ] - }, - "soc-quarantine-file": { - "command": "xdr-quarantine-file", - "args": [ - "endpoint_id", - "file_path" - ] - }, - "soc-block-hash": { - "command": "xdr-blocklist-add", - "args": [ - "hash" - ] - } - }, - "Microsoft 365 Defender": { - "soc-enrich-alert": { - "command": "microsoft-atp-get-alert-by-id", - "args": [ - "alert_id" - ] - }, - "soc-isolate-endpoint": { - "command": "microsoft-atp-isolate-machine", - "args": [ - "machine_id" - ] - }, - "soc-unisolate-endpoint": { - "command": "microsoft-atp-unisolate-machine", - "args": [ - "machine_id" - ] - }, - "soc-terminate-process": { - "command": "microsoft-atp-restrict-app-execution", - "args": [ - "machine_id" - ] - }, - "soc-quarantine-file": { - "command": "microsoft-atp-quarantine-file", - "args": [ - "machine_id", - "file_path" - ] - }, - "soc-block-hash": { - "command": "microsoft-atp-block-indicator", - "args": [ - "hash" - ] - } - }, - "Trend Micro Vision One": { - "soc-enrich-alert": { - "command": "trendmicro-get-alert-details", - "args": [ - "alert_id" - ] - }, - "soc-isolate-endpoint": { - "command": "trendmicro-isolate-endpoint", - "args": [ - "endpoint_id" - ] - }, - "soc-unisolate-endpoint": { - "command": "trendmicro-unisolate-endpoint", - "args": [ - "endpoint_id" - ] - }, - "soc-terminate-process": { - "command": "trendmicro-terminate-process", - "args": [ - "endpoint_id", - "process_id" - ] - }, - "soc-quarantine-file": { - "command": "trendmicro-quarantine-file", - "args": [ - "endpoint_id", - "file_path" - ] 
- } - }, - "CrowdStrike Falcon": { - "soc-enrich-alert": { - "command": "cs-falcon-get-incident-details", - "args": [ - "incident_id" - ] - }, - "soc-fetch-forensics": { - "command": "cs-falcon-get-behaviors", - "args": [ - "device_id" - ] - }, - "soc-isolate-endpoint": { - "command": "cs-falcon-contain-host", - "args": [ - "device_id" - ] - }, - "soc-unisolate-endpoint": { - "command": "cs-falcon-lift-host-containment", - "args": [ - "device_id" - ] - } - }, - "SentinelOne v2": { - "soc-enrich-alert": { - "command": "sentinelone-get-threat-details", - "args": [ - "threat_id" - ] - }, - "soc-isolate-endpoint": { - "command": "sentinelone-isolate-agent", - "args": [ - "agent_id" - ] - }, - "soc-unisolate-endpoint": { - "command": "sentinelone-connect-agent", - "args": [ - "agent_id" - ] - }, - "soc-terminate-process": { - "command": "sentinelone-kill-process", - "args": [ - "agent_id", - "process_name" - ] - }, - "soc-quarantine-file": { - "command": "sentinelone-quarantine-file", - "args": [ - "agent_id", - "file_path" - ] - } - }, - "Microsoft Graph User": { - "soc-enrich-alert": { - "command": "msgraph-user-get", - "args": [ - "user_id" - ] - }, - "soc-disable-identity": { - "command": "msgraph-user-block", - "args": [ - "user_id" - ] - }, - "soc-enable-identity": { - "command": "msgraph-user-unblock", - "args": [ - "user_id" - ] - }, - "soc-reset-password": { - "command": "msgraph-user-reset-password", - "args": [ - "user_id" - ] - }, - "soc-revoke-sessions": { - "command": "msgraph-user-revoke-sessions", - "args": [ - "user_id" - ] - } - }, - "Okta": { - "soc-enrich-alert": { - "command": "okta-get-events", - "args": [ - "user_id" - ] - }, - "soc-disable-identity": { - "command": "okta-suspend-user", - "args": [ - "user_id" - ] - }, - "soc-enable-identity": { - "command": "okta-unsuspend-user", - "args": [ - "user_id" - ] - }, - "soc-reset-password": { - "command": "okta-reset-password", - "args": [ - "user_id" - ] - }, - "soc-revoke-sessions": { - "command": 
"okta-clear-user-sessions", - "args": [ - "user_id" - ] - } - }, - "Palo Alto Networks - Email Security": { - "soc-enrich-alert": { - "command": "pan-emailsecurity-get-message-details", - "args": [ - "message_id" - ] - }, - "soc-quarantine-email": { - "command": "pan-emailsecurity-quarantine-message", - "args": [ - "message_id" - ] - }, - "soc-release-email": { - "command": "pan-emailsecurity-release-message", - "args": [ - "message_id" - ] - }, - "soc-delete-email": { - "command": "pan-emailsecurity-delete-message", - "args": [ - "message_id" - ] - }, - "soc-block-sender": { - "command": "pan-emailsecurity-block-sender", - "args": [ - "sender" - ] - }, - "soc-search-email": { - "command": "pan-emailsecurity-search-messages", - "args": [ - "query" - ] - } - }, - "Abnormal Security": { - "soc-enrich-alert": { - "command": "abnormal-get-message-details", - "args": [ - "message_id" - ] - }, - "soc-quarantine-email": { - "command": "abnormal-quarantine-message", - "args": [ - "message_id" - ] - }, - "soc-release-email": { - "command": "abnormal-restore-message", - "args": [ - "message_id" - ] - }, - "soc-search-email": { - "command": "abnormal-search-messages", - "args": [ - "query" - ] - } - }, - "Proofpoint TAP v2": { - "soc-fetch-forensics": { - "command": "proofpoint-get-forensics", - "args": [ - "guid" - ] - }, - "soc-quarantine-email": { - "command": "proofpoint-quarantine-message", - "args": [ - "guid" - ] - }, - "soc-release-email": { - "command": "proofpoint-release-message", - "args": [ - "guid" - ] - }, - "soc-search-email": { - "command": "proofpoint-search-message", - "args": [ - "query" - ] - } - }, - "Cisco ISE": { - "soc-enrich-alert": { - "command": "ise-get-endpoint", - "args": [ - "mac_address" - ] - }, - "soc-disable-network-asset": { - "command": "ise-anc-endpoint", - "args": [ - "mac_address" - ] - }, - "soc-enable-network-asset": { - "command": "ise-clear-anc-endpoint", - "args": [ - "mac_address" - ] - } - }, - "Zscaler ZIA": { - 
"soc-enrich-alert": { - "command": "zscaler-get-url-info", - "args": [ - "url" - ] - }, - "soc-block-url": { - "command": "zscaler-blacklist-url", - "args": [ - "url" - ] - }, - "soc-unblock-url": { - "command": "zscaler-unblacklist-url", - "args": [ - "url" - ] - } - }, - "Palo Alto Networks Panorama": { - "soc-enrich-alert": { - "command": "panorama-list-addresses", - "args": [] - }, - "soc-block-ip": { - "command": "panorama-ban-ip", - "args": [ - "ip" - ] - }, - "soc-unblock-ip": { - "command": "panorama-unban-ip", - "args": [ - "ip" - ] - } - }, - "Palo Alto Networks Firewall": { - "soc-enrich-alert": { - "command": "pan-os-list-addresses", - "args": [] - }, - "soc-block-ip": { - "command": "pan-os-ban-ip", - "args": [ - "ip" - ] - }, - "soc-unblock-ip": { - "command": "pan-os-unban-ip", - "args": [ - "ip" - ] - } - }, - "Fortinet FortiGate": { - "soc-enrich-alert": { - "command": "fortigate-get-logs", - "args": [ - "ip" - ] - }, - "soc-block-ip": { - "command": "fortigate-ban-ip", - "args": [ - "ip" - ] - }, - "soc-unblock-ip": { - "command": "fortigate-unban-ip", - "args": [ - "ip" - ] - } - }, - "Prisma Cloud Compute": { - "soc-enrich-alert": { - "command": "prismacloudcompute-audit-events", - "args": [ - "resource_id" - ] - }, - "soc-quarantine-cloud": { - "command": "prismacloudcompute-container-quarantine", - "args": [ - "container_id" - ] - }, - "soc-disable-cloud-session": { - "command": "prismacloudcompute-container-stop", - "args": [ - "container_id" - ] - } - } - }, - "id": "SOCVendorCapabilities_V3", - "name": "SOCVendorCapabilities_V3" -} diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml new file mode 100644 index 0000000..6449b81 --- /dev/null +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml 
@@ -0,0 +1,282 @@ +fromversion: 5.0.0 +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" + supportedModules: [] + toServerVersion: "" +description: | + Core fields are evaluated + Unpopulated core fields refer to alternatives for values + Field values are evaluated for formatting and syntax +dirtyInputs: true +id: 'Foundation - Data Integrity_V3' +inputSections: +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) +inputs: [] +name: Foundation - Data Integrity_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Foundation - Upon Trigger +starttaskid: "0" +tags: +- SOC +- SOC_Framework_Unified +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4bb50423-9a1a-4c0e-88ba-c31e26fdf280 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 4bb50423-9a1a-4c0e-88ba-c31e26fdf280 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2eb08148-d069-489a-83e1-1ab88016aac3 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 2eb08148-d069-489a-83e1-1ab88016aac3 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 930 
+ } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + description: This is a common playbook intended to integrate the Indicator Extraction + to all automated alerts. + id: d946d1a6-1e49-4f3f-bb84-cb106bab39dd + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Foundation Common - Extract Indicators from alerts_V3 + playbookId: Foundation Common - Extract Indicators from alerts_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: d946d1a6-1e49-4f3f-bb84-cb106bab39dd + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 745 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Is this an EndPoint, Network, Cloud SaaS, Cloud Workload, Identity, + etc? This is used downstream for automations based on product category. 
+ id: 6c69403f-3987-4921-93b0-59b803e8ab06 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Product Category + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 6c69403f-3987-4921-93b0-59b803e8ab06 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 220 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + scriptarguments: + ProductKey: + complex: + accessor: tags} + root: ${issue + transformers: + - args: + limit: {} + replaceWith: + value: + simple: _ + toReplace: + value: + simple: ':' + operator: replace + - args: + limit: {} + replaceWith: + value: + simple: _ + toReplace: + value: + simple: / + operator: replace + - operator: toLowerCase + product: + simple: Fusion + separatecontext: true + skipunavailable: true + task: + brand: "" + description: Designed to get the product category (EndPoint, Network, Cloud + SaaS, Cloud Workload, etc) from the list SOCProductCategoryMap_V3 + id: 75eb4055-6454-49ec-ad99-1be4a447a34f + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Foundation - Product Classification_V3 + playbookId: Foundation - Product Classification_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 75eb4055-6454-49ec-ad99-1be4a447a34f + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 390 + } + } + "28": + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8951326c-3b3f-412d-94b0-da4f88c02844 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Artifact Extraction + 
playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 8951326c-3b3f-412d-94b0-da4f88c02844 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 575 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 940, + "width": 380, + "x": 50, + "y": 50 + } + } + } diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml index f71136c..a6d4073 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Endpoint_Enrichment_V3.yml 
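Review bot: In task `"27"` the `ProductKey` input is split as `root: ${issue` / `accessor: tags}` — the `${issue.tags}` expression has been cut across the two fields and the braces do not pair, so the classification key is likely built from a literal string rather than the issue's tags; the complex form should be `root: issue` and `accessor: tags` (a `${...}` wrapper is not used inside `complex`). The same task hard-codes `product: simple: Fusion` for every alert, and the category map in this change ties `Fusion` to the `Cortex Core - IR` response set, so a CrowdStrike or Defender alert passing through this playbook would presumably be tagged with the wrong product unless the sub-playbook ignores that input — worth confirming before response routing depends on it. Both sub-playbook tasks set `skipunavailable: true`, so a missing `Foundation - Product Classification_V3` is skipped rather than surfaced, which for a data-integrity step deserves at least a comment such as `# NOTE: classification is skipped silently if the sub-playbook is absent`.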
@@ -1,93 +1,196 @@ fromversion: 5.0.0 -id: Foundation - Endpoint Enrichment_V3 -version: 5 +adopted: true contentitemexportablefields: contentitemfields: - packID: soc-optimization-unified - packName: SOC Framework Unified - itemVersion: 3.0.17 - fromServerVersion: 5.0.0 - toServerVersion: "" definitionid: "" - prevname: "" + fromServerVersion: 5.0.0 isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false -name: Foundation - Endpoint Enrichment_V3 + toServerVersion: "" description: | Identifies the core fields present and starts tailored enrichment pipelines Generates threat flags based on findings (ex: if we identify a domain controller or admin account) +dirtyInputs: true +id: 'Foundation - Endpoint Enrichment_V3' +inputSections: +- description: Generic group for inputs + inputs: + - SourceIP + - RemoteIP + - UserName + - EndpointID + - HostName + - Domain + - MD5 + - SHA256 + - PID + - ProcessName + name: General (Inputs group) +inputs: +- description: "" + key: SourceIP + playbookInputQuery: null + required: false + value: + simple: ${issue.hostip} +- description: "" + key: RemoteIP + playbookInputQuery: null + required: false + value: + simple: ${issue.remoteip} +- description: "" + key: UserName + playbookInputQuery: null + required: false + value: + simple: ${issue.username} +- description: "" + key: EndpointID + playbookInputQuery: null + required: false + value: + simple: ${issue.agentid} +- description: "" + key: HostName + playbookInputQuery: null + required: false + value: + simple: ${issue.hostname} +- description: "" + key: Domain + playbookInputQuery: null + required: false + value: + simple: ${issue.domain} +- description: "" + key: MD5 + playbookInputQuery: null + required: false + value: + simple: ${issue.initiatormd5} +- description: "" + key: SHA256 + playbookInputQuery: null + required: false + value: + simple: 
${issue.initiatorsha256} +- description: "" + key: PID + playbookInputQuery: null + required: false + value: + simple: ${issue.initiatorpid} +- description: "" + key: ProcessName + playbookInputQuery: null + required: false + value: + simple: ${issue.xdmsourceprocessname} +name: Foundation - Endpoint Enrichment_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - SOCFramework.Artifacts.IP + - SOCFramework.Artifacts.EndPointID + - SOCFramework.Artifacts.UserName + - SOCFramework.Artifacts.ProcessName + - SOCFramework.Artifacts.File + - SOCFramework.Artifacts.Verdict +outputs: +- contextPath: SOCFramework.Artifacts.IP + type: unknown +- contextPath: SOCFramework.Artifacts.EndPointID + type: unknown +- contextPath: SOCFramework.Artifacts.UserName + type: unknown +- contextPath: SOCFramework.Artifacts.ProcessName + type: unknown +- contextPath: SOCFramework.Artifacts.File + type: unknown +- contextPath: SOCFramework.Artifacts.Verdict + type: unknown +sourceplaybookid: Foundation - Enrichment_V3 +starttaskid: "0" tags: - SOC - SOC_Framework_Unified - Enrichment - EndPoint -starttaskid: "0" tasks: "0": + continueonerrortype: "" id: "0" - taskid: 8492b25a-a19c-4593-8191-9cb60e4d3007 - type: start + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "38" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 8492b25a-a19c-4593-8191-9cb60e4d3007 - version: -1 - name: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "9" - - "18" - - "19" - - "22" - separatecontext: false - continueonerrortype: "" + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 8492b25a-a19c-4593-8191-9cb60e4d3007 + timertriggers: [] + type: start view: |- { "position": { - "x": 1042.5, - "y": 50 + "x": 1050, + "y": -340 } } - note: false - 
timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "2": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.SourceIP + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" id: "2" - taskid: 887a6152-8190-438a-bb7f-aa55cb8aa1af - type: condition - task: - id: 887a6152-8190-438a-bb7f-aa55cb8aa1af - version: -1 - name: Is Source IP Defined? - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#default#': - "5" "yes": - "10" + note: false + quietmode: 0 separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isExists - left: - value: - simple: inputs.SourceIP - iscontext: true - right: - value: {} - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 492f9a4d-166a-498e-9c6e-dfb786911560 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Is Source IP Defined? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 492f9a4d-166a-498e-9c6e-dfb786911560 + timertriggers: [] + type: condition view: |- { "position": { 
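Review bot: The `outputs` and `outputSections` lists added in this hunk declare six `SOCFramework.Artifacts.*` paths but omit `SOCFramework.Artifacts.HostName`, `SOCFramework.Artifacts.PID` and `SOCFramework.Artifacts.FilePath`, which tasks 38, 36 and 39 elsewhere in this diff write with SetAndHandleEmpty, so a parent playbook relying on the declared output contract will not be told those keys exist. Add `- contextPath: SOCFramework.Artifacts.HostName` / `type: unknown` plus the PID and FilePath entries to `outputs`, and list the same three under the General outputs group. Separately, `packID` goes from `soc-optimization-unified` to `""` while `packName` is kept; if that is an export artifact rather than intentional, restore the pack id so the item stays attributable to its pack.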
@@ -95,28 +198,28 @@ tasks: "y": 390 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "4": + continueonerrortype: "" id: "4" - taskid: 6b3dbf1c-9a22-4bd4-8593-bc8d49dcc7c0 - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 6b3dbf1c-9a22-4bd4-8593-bc8d49dcc7c0 - version: -1 - name: Done - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 6b3dbf1c-9a22-4bd4-8593-bc8d49dcc7c0 + timertriggers: [] + type: title view: |- { "position": { 
@@ -124,43 +227,43 @@ tasks: "y": 1290 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "5": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.RemoteIP + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" id: "5" - taskid: 432e8616-dad1-44f1-9cc5-bb558490721d - type: condition - task: - id: 432e8616-dad1-44f1-9cc5-bb558490721d - version: -1 - name: Is Destination IP Defined? - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#default#': - "4" "yes": - "11" + note: false + quietmode: 0 separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isExists - left: - value: - simple: inputs.RemoteIP - iscontext: true - right: - value: {} - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 7dba9f04-0e82-4fdd-9185-3ca038f978e6 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Is Destination IP Defined? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 7dba9f04-0e82-4fdd-9185-3ca038f978e6 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -168,71 +271,71 @@ tasks: "y": 750 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "9": + continueonerrortype: "" id: "9" - taskid: 02dc9df5-d1cf-4475-83a6-dc33e09fc4fe - type: title - task: - id: 02dc9df5-d1cf-4475-83a6-dc33e09fc4fe - version: -1 - name: IP Enrichment - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "2" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 162.5, - "y": 220 - } - } + - "33" note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "10": - id: "10" - taskid: 0afabf4a-0534-4793-ae26-b271fd53dc33 - type: regular + separatecontext: false + skipunavailable: false task: - id: 0afabf4a-0534-4793-ae26-b271fd53dc33 - version: -1 - name: Enrich Source IP - description: Provides data enrichment for ips. 
- script: '|||ip' - type: regular - iscommand: true brand: "" - playbooktaskmissingcomponent: null + id: 02dc9df5-d1cf-4475-83a6-dc33e09fc4fe + iscommand: false istaskmissingcomponenterrordismissed: false + name: IP Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 02dc9df5-d1cf-4475-83a6-dc33e09fc4fe + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 190, + "y": 40 + } + } + "10": + continueonerror: true + continueonerrortype: errorPath + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#error#': - "16" '#none#': - "5" + note: false + quietmode: 0 scriptarguments: ip: simple: ${inputs.SourceIP} separatecontext: false - continueonerror: true - continueonerrortype: errorPath + skipunavailable: false + task: + brand: "" + description: Provides data enrichment for ips. + id: 7402ac5c-de53-492c-a7fa-ec826ef30adf + iscommand: true + istaskmissingcomponenterrordismissed: false + name: Enrich Source IP + playbooktaskmissingcomponent: null + script: '|||ip' + type: regular + version: -1 + taskid: 7402ac5c-de53-492c-a7fa-ec826ef30adf + timertriggers: [] + type: regular view: |- { "position": { 
@@ -240,39 +343,39 @@ tasks: "y": 570 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "11": + continueonerror: true + continueonerrortype: errorPath id: "11" - taskid: b4d4bb3d-8081-4660-946d-040ab0a09217 - type: regular - task: - id: b4d4bb3d-8081-4660-946d-040ab0a09217 - version: -1 - name: Enrich Destination IP - description: Provides data enrichment for ips. - script: '|||ip' - type: regular - iscommand: true - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#error#': - "16" '#none#': - "4" + note: false + quietmode: 0 scriptarguments: ip: simple: ${inputs.RemoteIP} separatecontext: false - continueonerror: true - continueonerrortype: errorPath + skipunavailable: false + task: + brand: "" + description: Provides data enrichment for ips. + id: ef34ca76-959d-4677-aaf2-bd88f9cfc4e6 + iscommand: true + istaskmissingcomponenterrordismissed: false + name: Enrich Destination IP + playbooktaskmissingcomponent: null + script: '|||ip' + type: regular + version: -1 + taskid: ef34ca76-959d-4677-aaf2-bd88f9cfc4e6 + timertriggers: [] + type: regular view: |- { "position": { 
@@ -280,37 +383,37 @@ tasks: "y": 930 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "16": + continueonerrortype: "" id: "16" - taskid: 35dec624-d2e2-448e-a49c-62dc66589b2e - type: playbook - task: - id: 35dec624-d2e2-448e-a49c-62dc66589b2e - version: -1 - name: Foundation - Error Handling_V3 - playbookName: Foundation - Error Handling_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + id: 35dec624-d2e2-448e-a49c-62dc66589b2e iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: Foundation - Error Handling_V3 + playbookId: Foundation - Error Handling_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 35dec624-d2e2-448e-a49c-62dc66589b2e + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -318,95 +421,95 @@ tasks: "y": 1110 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "18": + continueonerrortype: "" id: "18" - taskid: 7654576b-eded-482f-bec2-270055ebde0c - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "32" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 7654576b-eded-482f-bec2-270055ebde0c - version: -1 - name: User Enrichment - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "27" - separatecontext: false - continueonerrortype: "" + name: User Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 7654576b-eded-482f-bec2-270055ebde0c + timertriggers: [] + type: title view: |- { "position": { "x": 827.5, - "y": 935 + "y": 740 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "19": + continueonerrortype: "" id: "19" - taskid: 38b6a1fa-dc59-43ae-8091-ff4c66c459be - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "39" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 38b6a1fa-dc59-43ae-8091-ff4c66c459be - version: -1 - name: File Enrichment - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "25" - separatecontext: false - continueonerrortype: "" + name: File Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 38b6a1fa-dc59-43ae-8091-ff4c66c459be + timertriggers: [] + type: title view: |- { "position": { - "x": 1687.5, - "y": 935 + 
"x": 1710, + "y": 530 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "22": + continueonerrortype: "" id: "22" - taskid: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d - type: title - task: - id: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d - version: -1 - name: EndPoint Enrichment - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "26" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d + iscommand: false + istaskmissingcomponenterrordismissed: false + name: EndPoint Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 1e7de422-55dc-4dfd-b67f-d5c6a7d9570d + timertriggers: [] + type: title view: |- { "position": { 
@@ -414,78 +517,68 @@ tasks: "y": 935 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "25": + continueonerrortype: "" id: "25" - taskid: 46f954a6-d134-4186-b23c-a553161ddd01 - type: playbook - task: - id: 46f954a6-d134-4186-b23c-a553161ddd01 - version: -1 - name: SOC File Enrichment - File reputation_V3 - description: Get file reputation using one or more integrations - playbookName: SOC File Enrichment - File reputation_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - - "4" + - "31" + note: false + quietmode: 0 scriptarguments: MD5: simple: ${inputs.MD5} SHA1: - complex: - root: File - accessor: SHA1 + simple: ${inputs.SHA1} SHA256: simple: ${inputs.SHA256} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: Get file reputation using one or more integrations + id: 1191bbbd-a098-4503-9af2-d44af45477e7 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC File Enrichment - File reputation_V3 + playbookId: SOC File Enrichment - File reputation_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 1191bbbd-a098-4503-9af2-d44af45477e7 + timertriggers: [] + type: playbook view: |- { "position": { - "x": 1687.5, + "x": 1720, "y": 1110 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "26": + continueonerrortype: "" id: "26" - taskid: 9ae147a2-2f2d-4a5f-863f-f2fb5cc5aa2f - type: playbook - task: - id: 9ae147a2-2f2d-4a5f-863f-f2fb5cc5aa2f - version: -1 - name: SOC Endpoint Enrichment - 
Generic v2.1_V3 - playbookName: SOC Endpoint Enrichment - Generic v2.1_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: EndpointID: complex: @@ -505,12 +598,31 @@ tasks: UseReputationCommand: simple: "False" separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: |- + Enrich an endpoint by hostname using one or more integrations. + Supported integrations: + - Active Directory Query v2 + - McAfee ePO v2 + - VMware Carbon Black EDR v2 + - Cylance Protect v2 + - CrowdStrike Falcon + - ExtraHop Reveal(x) + - Cortex XDR / Core (endpoint enrichment, reputation and risk) + - Endpoint reputation using !endpoint command. + id: 7a660f68-880d-408d-9d36-b6c05eb14776 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC Endpoint Enrichment - Generic v2.1_V3 + playbookId: SOC Endpoint Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 7a660f68-880d-408d-9d36-b6c05eb14776 + timertriggers: [] + type: playbook view: |- { "position": { 
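Review bot: In task 25 the `SHA1` argument now reads `${inputs.SHA1}`, but the playbook's `inputs` list in this diff declares only `MD5` and `SHA256` (no `SHA1`), so the argument will always resolve empty and the file-reputation sub-playbook silently loses the SHA1 it previously received from `File.SHA1` in context. Either declare a `SHA1` input (with a matching `inputSections` entry) or restore `complex: root: File` / `accessor: SHA1` on that argument. Task 26 continues past the end of this hunk.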
@@ -518,21 +630,34 @@ tasks: "y": 1110 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "27": + continueonerrortype: "" id: "27" - taskid: 63ca32bd-6512-412a-b14e-9003333e8da4 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + Domain: + simple: ${inputs.Domain} + Username: + complex: + root: inputs.UserName + transformers: + - operator: uniq + separatecontext: true + skipunavailable: false task: - id: 63ca32bd-6512-412a-b14e-9003333e8da4 - version: -1 - name: SOC Account Enrichment - Generic v2.1_V3 + brand: "" description: |- Enrich accounts using one or more integrations. Supported integrations: 
@@ -546,123 +671,644 @@ tasks: - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. - playbookName: SOC Account Enrichment - Generic v2.1_V3 + id: 7a727f50-0c00-4d67-a958-da0fc9ea4627 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Account Enrichment - Generic v2.1_V3 + playbookId: SOC Account Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: null type: playbook + version: -1 + taskid: 7a727f50-0c00-4d67-a958-da0fc9ea4627 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 827.5, + "y": 1110 + } + } + "28": + continueonerror: true + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "29" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.ProcessName + value: + simple: ${issue.xdmsourceprocessname} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: bef489c3-a84d-4165-bd1d-962459b13b2e iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Process Name SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: bef489c3-a84d-4165-bd1d-962459b13b2e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1720, + "y": 825 + } + } + "29": + continueonerror: true + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "25" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.File + value: + simple: ${inputs.SHA256} + separatecontext: false + skipunavailable: false + task: brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 7f37bc21-a7aa-402b-bc75-f563fb6d649c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set File SHA256 SOCFramework Artifact playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 7f37bc21-a7aa-402b-bc75-f563fb6d649c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1720, + "y": 960 + } + } + "30": + continueonerror: true + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + - "22" + - "18" + - "9" + - "34" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.EndPointID + value: + simple: ${inputs.EndpointID} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: de9aeb7d-0a29-4116-95d9-5b7f39ab52f8 + iscommand: false istaskmissingcomponenterrordismissed: false + name: Set EndPoint ID SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: de9aeb7d-0a29-4116-95d9-5b7f39ab52f8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1050, + "y": -120 + } + } + "31": + continueonerror: true + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: - Domain: - simple: ${inputs.Domain} - Username: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.Verdict + value: complex: - root: inputs.UserName + accessor: Verdict + filters: + - - left: + iscontext: true + value: + simple: Unit42Intelligence.File.Value + operator: in + right: + iscontext: true + value: + simple: inputs.SHA256 + root: Unit42Intelligence.File transformers: - - operator: uniq - separatecontext: true + - operator: StringToArray + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: b9da1344-05bb-40c9-82af-65506a6aad43 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Unit 42 File Verdict Name SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: b9da1344-05bb-40c9-82af-65506a6aad43 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1720, + "y": 1230 + } + } + "32": + continueonerror: true continueonerrortype: "" - loop: + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: SOCFramework.Artifacts.UserName + value: + simple: ${inputs.UserName} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: c9f5968e-f194-4768-867a-ba1c6b234989 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: Set Process Name SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: c9f5968e-f194-4768-867a-ba1c6b234989 + timertriggers: [] + type: regular view: |- { "position": { "x": 827.5, - "y": 1110 + "y": 930 } } + "33": + continueonerror: true + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.IP + value: + simple: ${inputs.SourceIP} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 413a9a1b-01eb-43bb-96b1-b2cc830851b0 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set IP SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 413a9a1b-01eb-43bb-96b1-b2cc830851b0 timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 190, + "y": 200 + } + } + "34": + continueonerrortype: "" + id: "34" ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "40" + note: false + quietmode: 0 + separatecontext: false skipunavailable: false + task: + brand: "" + id: c990cbe2-c1cd-45fe-b3d9-e138e446e074 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Process Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: c990cbe2-c1cd-45fe-b3d9-e138e446e074 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2360, + "y": 530 + } + } + "35": + continueonerror: true + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "36" + note: false quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.ProcessName + value: + simple: ${inputs.ProcessName} + 
separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 92db05bd-9e78-43ac-b88a-eac0fcd566ed + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Process Name SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 92db05bd-9e78-43ac-b88a-eac0fcd566ed + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2360, + "y": 840 + } + } + "36": + continueonerror: true + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false isoversize: false + nexttasks: + '#none#': + - "37" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.PID + value: + simple: ${inputs.PID} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 966d8fc9-1c14-46a6-a320-fdfc15141a25 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Process ID SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 966d8fc9-1c14-46a6-a320-fdfc15141a25 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2360, + "y": 1020 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false isautoswitchedtoquietmode: false -system: true + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ccb68bea-4961-4bfc-98fd-ff7608a7eb92 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: No Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: ccb68bea-4961-4bfc-98fd-ff7608a7eb92 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2360, + "y": 1190 + } + } + "38": + continueonerror: true + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "30" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.HostName + value: + simple: 
${inputs.HostName} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 4205da3b-ac89-47c0-b432-fe7300ce01c1 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set HostName SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 4205da3b-ac89-47c0-b432-fe7300ce01c1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1050, + "y": -240 + } + } + "39": + continueonerror: true + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.FilePath + value: + simple: ${issue.initiatorpath} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 943d5886-2046-4245-a73a-bc522568fe08 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set File Path SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 943d5886-2046-4245-a73a-bc522568fe08 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1720, + "y": 690 + } + } + "40": + continueonerror: true + continueonerrortype: "" + id: "40" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "35" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Artifacts.FilePath + value: + simple: ${issue.initiatorpath} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: dffd68e4-3122-473d-97ac-586715742234 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set File Path SOCFramework Artifact + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: dffd68e4-3122-473d-97ac-586715742234 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2360, + "y": 675 + } + } +version: -1 view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 1300, - "width": 2017.5, + "height": 1690, + "width": 2690, "x": 50, - "y": 50 + "y": -340 } } } -inputs: -- key: SourceIP - value: - simple: ${issue.hostip} - required: false - description: "" - playbookInputQuery: null -- key: RemoteIP - value: - simple: ${issue.remoteip} - required: false - description: "" - playbookInputQuery: null -- key: UserName - value: - simple: ${issue.username} - required: false - description: "" - playbookInputQuery: null -- key: EndpointID - value: - simple: ${issue.agentid} - required: false - description: "" - playbookInputQuery: null -- key: HostName - value: - simple: ${issue.hostname} - required: false - description: "" - playbookInputQuery: null -- key: Domain - value: - simple: ${issue.domain} - required: false - description: "" - playbookInputQuery: null -- key: MD5 - value: - simple: ${issue.initiatormd5} - 
required: false - description: "" - playbookInputQuery: null -- key: SHA256 - value: - simple: ${issue.initiatorsha256} - required: false - description: "" - playbookInputQuery: null -inputSections: -- inputs: - - SourceIP - - RemoteIP - - UserName - - EndpointID - - HostName - - Domain - - MD5 - - SHA256 - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs -outputs: [] -sourceplaybookid: Foundation - Enrichment_V3 -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml index 60e8135..8fa80fd 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml 
@@ -1,73 +1,110 @@ fromversion: 5.0.0 -id: Foundation - Enrichment_V3 -version: 13 +adopted: true contentitemexportablefields: contentitemfields: - packID: soc-optimization-unified - packName: SOC Framework Unified - itemVersion: 3.0.17 - fromServerVersion: 5.0.0 - toServerVersion: "" definitionid: "" - prevname: "" + fromServerVersion: 5.0.0 isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false -name: Foundation - Enrichment_V3 + toServerVersion: "" description: | Identifies the core fields present and starts tailored enrichment pipelines Generates threat flags based on findings (ex: if we identify a domain controller or admin account) +dirtyInputs: true +id: 'Foundation - Enrichment_V3' +inputSections: +- description: Generic group for inputs + inputs: + - CategoryType + - ProductType + name: General (Inputs group) +inputs: +- description: What Category of Alert is this? (malware, phishing, etc.) + key: CategoryType + playbookInputQuery: null + required: false + value: + complex: + accessor: categoryname + root: issue + transformers: + - operator: toLowerCase +- description: Product Type is configured in the list and extracted as the first task + in the Upon Trigger. i.e. (endpoint, network, cloud workload, etc.) 
+ key: ProductType + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Product.category} +name: Foundation - Enrichment_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: Foundation - Enrichment_V3 +starttaskid: "0" tags: - SOC - SOC_Framework_Unified -starttaskid: "0" tasks: "0": + continueonerrortype: "" id: "0" - taskid: 8492b25a-a19c-4593-8191-9cb60e4d3007 - type: start + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 8492b25a-a19c-4593-8191-9cb60e4d3007 - version: -1 - name: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "22" - separatecontext: false - continueonerrortype: "" + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 8492b25a-a19c-4593-8191-9cb60e4d3007 + timertriggers: [] + type: start view: |- { "position": { "x": 910, - "y": 50 + "y": -130 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "4": + continueonerrortype: "" id: "4" - taskid: 6b3dbf1c-9a22-4bd4-8593-bc8d49dcc7c0 - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 6b3dbf1c-9a22-4bd4-8593-bc8d49dcc7c0 - version: -1 - name: Done - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 6b3dbf1c-9a22-4bd4-8593-bc8d49dcc7c0 + timertriggers: [] + type: title view: 
|- { "position": { @@ -75,31 +112,31 @@ tasks: "y": 760 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "8": + continueonerrortype: "" id: "8" - taskid: 921bdd5d-2fab-4996-8682-a5e6f80b9aca - type: title - task: - id: 921bdd5d-2fab-4996-8682-a5e6f80b9aca - version: -1 - name: Email Enrichment - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "31" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 921bdd5d-2fab-4996-8682-a5e6f80b9aca + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Email Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 921bdd5d-2fab-4996-8682-a5e6f80b9aca + timertriggers: [] + type: title view: |- { "position": { 
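Review bot: `packID` under `contentitemexportablefields.contentitemfields` is now the empty string while `packName: SOC Framework Unified` is kept, so the export metadata no longer names the pack this item belongs to; if an export tool wrote this rather than a person, confirm it is intended, otherwise restore `packID: soc-optimization-unified`. The new `ProductType` input defaults to `${SOCFramework.Product.category}`, a context key nothing in this playbook populates, and its description says it is set by the first task of the trigger playbook, so the run order is a hidden dependency. Put that in the playbook `description`, e.g. `Expects SOCFramework.Product.category to be populated before this playbook runs; an empty value skips all enrichment branches.`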
@@ -107,104 +144,104 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "22": - id: "22" - taskid: eae57768-ffc1-4bfd-9b69-0341c5e4de11 - type: condition - task: - id: eae57768-ffc1-4bfd-9b69-0341c5e4de11 - version: -1 - name: Product Category - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "4" - Email: - - "8" - EndPoint: - - "23" - Identity: - - "25" - Network: - - "26" - SaaS: - - "27" - Workload: - - "28" - separatecontext: false conditions: - - label: EndPoint - condition: - - - operator: isEqualString - left: - value: - simple: SOCFramework.Product.category + - condition: + - - left: iscontext: true + value: + simple: inputs.ProductType + operator: isEqualString right: value: simple: Endpoint - - label: Email - condition: - - - operator: isEqualString - left: - value: - simple: SOCFramework.Product.category + label: EndPoint + - condition: + - - left: iscontext: true + value: + simple: inputs.ProductType + operator: isEqualString right: value: simple: Email - - label: Identity - condition: - - - operator: isEqualString - left: - value: - simple: SOCFramework.Product.category + label: Email + - condition: + - - left: iscontext: true + value: + simple: inputs.ProductType + operator: isEqualString right: value: simple: Identity - - label: Network - condition: - - - operator: isEqualString - left: - value: - simple: SOCFramework.Product.category + label: Identity + - condition: + - - left: iscontext: true + value: + simple: inputs.ProductType + operator: isEqualString right: value: simple: Network - - label: SaaS - condition: - - - operator: isEqualString - left: - value: - simple: SOCFramework.Product.category + label: Network + - condition: + - - left: iscontext: true + value: + simple: inputs.ProductType + operator: 
isEqualString right: value: simple: SaaS - - label: Workload - condition: - - - operator: isEqualString - left: - value: - simple: SOCFramework.Product.category + label: SaaS + - condition: + - - left: iscontext: true + value: + simple: inputs.ProductType + operator: isEqualString right: value: simple: Workload + label: Workload continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + Email: + - "8" + EndPoint: + - "23" + Identity: + - "25" + Network: + - "26" + SaaS: + - "27" + Workload: + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4d41c7ce-cd87-4679-ab19-d4871ea1756e + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Product Category + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 4d41c7ce-cd87-4679-ab19-d4871ea1756e + timertriggers: [] + type: condition view: |- { "position": { 
@@ -212,31 +249,31 @@ tasks: "y": 220 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "23": + continueonerrortype: "" id: "23" - taskid: 57f577ac-9e6a-4024-8a3b-ec37f26acb4c - type: title - task: - id: 57f577ac-9e6a-4024-8a3b-ec37f26acb4c - version: -1 - name: Endpoint Enrichment - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "24" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 57f577ac-9e6a-4024-8a3b-ec37f26acb4c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Endpoint Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 57f577ac-9e6a-4024-8a3b-ec37f26acb4c + timertriggers: [] + type: title view: |- { "position": { 
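Review bot: When `inputs.ProductType` is empty or carries a value outside the six compared strings, condition task `22` falls through `'#default#'` straight to task `4` (Done), so every enrichment branch is skipped with nothing recorded; because the value comes from context populated outside this playbook, that silent path is the one a misconfiguration will hit. Consider pointing `'#default#'` at a task that records the unclassified product type before reaching `4`, or at least add a `description` to the task: `Falls through to Done when ProductType is empty or unrecognised; no enrichment runs.` The labels (`EndPoint`) and the compared strings (`Endpoint`) also differ in case; harmless for routing, but aligning them avoids a second look.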
@@ -244,57 +281,61 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "24": + continueonerrortype: "" id: "24" - taskid: fc7d9fe2-bcb2-45f8-865c-40e42c1eb3ce - type: playbook - task: - id: fc7d9fe2-bcb2-45f8-865c-40e42c1eb3ce - version: -1 - name: Foundation - Endpoint Enrichment_V3 - description: | - Identifies the core fields present and starts tailored enrichment pipelines - Generates threat flags based on findings (ex: if we identify a domain controller or admin account) - playbookName: Foundation - Endpoint Enrichment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: Domain: - simple: ${inputs.Domain} + simple: ${issue.domain} EndpointID: - simple: ${inputs.EndpointID} + simple: ${issue.agentid} HostName: - simple: ${inputs.Hostname} + simple: ${issue.hostname} MD5: - simple: ${inputs.MD5} + simple: ${issue.initiatormd5} + PID: + simple: ${issue.initiatorpid} + ProcessName: + simple: ${issue.xdmsourceprocessname} RemoteIP: - simple: ${inputs.Remote_IP} + simple: ${issue.remoteip} SHA256: - simple: ${inputs.MD5} + simple: ${issue.initiatorsha256} SourceIP: - simple: ${inputs.Hostname} + simple: ${issue.hostip} UserName: - simple: ${inputs.UserName} + simple: ${issue.username} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: | + Identifies the core fields present and starts tailored enrichment pipelines + Generates threat flags based on findings (ex: if we identify a domain controller or admin account) + id: 301faca1-9a2b-499a-ae11-1cb8e6d45deb iscommand: false - exitCondition: "" - wait: 1 - max: 
100 + istaskmissingcomponenterrordismissed: false + name: Foundation - Endpoint Enrichment_V3 + playbookId: Foundation - Endpoint Enrichment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 301faca1-9a2b-499a-ae11-1cb8e6d45deb + timertriggers: [] + type: playbook view: |- { "position": { @@ -302,31 +343,31 @@ tasks: "y": 575 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "25": + continueonerrortype: "" id: "25" - taskid: 57f44287-1e46-44a9-92d8-1b5b49866f25 - type: title - task: - id: 57f44287-1e46-44a9-92d8-1b5b49866f25 - version: -1 - name: Identity Enrichment - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "30" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 57f44287-1e46-44a9-92d8-1b5b49866f25 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Identity Enrichment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 57f44287-1e46-44a9-92d8-1b5b49866f25 + timertriggers: [] + type: title view: |- { "position": { 
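Review bot: Task `24` now feeds `Foundation - Endpoint Enrichment_V3` from `${issue.*}` fields directly rather than from this playbook's inputs, and the rewritten `inputs` block declares only `CategoryType` and `ProductType`, so a caller can no longer override host, IP, hash or user fields when invoking this playbook; tasks `29`, `30`, `31` and `32` in later hunks do the same. If that is the intent, say so in the playbook `description`, e.g. `Entity fields are read from the issue directly; only CategoryType and ProductType are overridable inputs.` `ProcessName` is taken from `${issue.xdmsourceprocessname}` while the neighbouring process field `PID` uses the `issue.initiator*` family — confirm that is the intended source field.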
@@ -334,31 +375,31 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "26": + continueonerrortype: "" id: "26" - taskid: 6c299cfa-85fd-4ed6-b4d0-ef553bf02465 - type: title - task: - id: 6c299cfa-85fd-4ed6-b4d0-ef553bf02465 - version: -1 - name: Network - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "29" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 6c299cfa-85fd-4ed6-b4d0-ef553bf02465 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Network + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 6c299cfa-85fd-4ed6-b4d0-ef553bf02465 + timertriggers: [] + type: title view: |- { "position": { @@ -366,28 +407,28 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "27": + continueonerrortype: "" id: "27" - taskid: 27b5ad01-dd78-442c-b2ac-f2632dfc5d77 - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 27b5ad01-dd78-442c-b2ac-f2632dfc5d77 - version: -1 - name: SaaS - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" + name: SaaS + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 27b5ad01-dd78-442c-b2ac-f2632dfc5d77 + timertriggers: [] + type: title view: |- { "position": { 
@@ -395,31 +436,31 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "28": + continueonerrortype: "" id: "28" - taskid: 69a4b4b0-f8a2-41a5-a727-ba69921f6e97 - type: title - task: - id: 69a4b4b0-f8a2-41a5-a727-ba69921f6e97 - version: -1 - name: Workload - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "32" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 69a4b4b0-f8a2-41a5-a727-ba69921f6e97 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Workload + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 69a4b4b0-f8a2-41a5-a727-ba69921f6e97 + timertriggers: [] + type: title view: |- { "position": { 
@@ -427,57 +468,55 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "29": + continueonerrortype: "" id: "29" - taskid: eb3116d8-1621-475a-93c9-85d9432de381 - type: playbook - task: - id: eb3116d8-1621-475a-93c9-85d9432de381 - version: -1 - name: Foundation - Network Enrichment_V3 - description: | - Identifies the core fields present and starts tailored enrichment pipelines - Generates threat flags based on findings (ex: if we identify a domain controller or admin account) - playbookName: Foundation - Network Enrichment_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 0 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: Domain: - simple: ${inputs.Domain} + simple: ${issue.domain} EndpointID: - simple: ${inputs.EndpointID} + simple: ${issue.agentid} HostName: - simple: ${inputs.Hostname} + simple: ${issue.hostname} MD5: - simple: ${inputs.MD5} - RemoteIP: - simple: ${inputs.Remote_IP} + simple: ${issue.initiatormd5} SHA256: - simple: ${inputs.SHA256} + simple: ${issue.initiatorsha256} SourceIP: - simple: ${inputs.Source_IP} + simple: ${issue.hostip} UserName: - simple: ${inputs.UserName} + simple: ${issue.username} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: | + Identifies the core fields present and starts tailored enrichment pipelines + Generates threat flags based on findings (ex: if we identify a domain controller or admin account) + id: dc64009a-b51f-4e1d-8ade-4e23654d65ab iscommand: false - exitCondition: "" - wait: 1 - max: 0 + istaskmissingcomponenterrordismissed: false + name: Foundation - Network Enrichment_V3 + 
playbookId: Foundation - Network Enrichment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: dc64009a-b51f-4e1d-8ade-4e23654d65ab + timertriggers: [] + type: playbook view: |- { "position": { @@ -485,21 +524,35 @@ tasks: "y": 575 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "30": + continueonerrortype: "" id: "30" - taskid: 82feb219-ef0f-4c4d-89ff-234e257c3db4 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + Domain: + simple: ${issue.domain} + Username: + complex: + accessor: username + root: issue + transformers: + - operator: uniq + separatecontext: true + skipunavailable: false task: - id: 82feb219-ef0f-4c4d-89ff-234e257c3db4 - version: -1 - name: SOC Account Enrichment - Generic v2.1_V3 + brand: "" description: |- Enrich accounts using one or more integrations. Supported integrations: 
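Review bot: The `RemoteIP` argument to `Foundation - Network Enrichment_V3` in task `29` was removed (old side `RemoteIP: ${inputs.Remote_IP}`) and not re-sourced from the issue, while task `24` still passes `RemoteIP: ${issue.remoteip}` to the endpoint sub-playbook; for the network path the remote address is the field most likely to be needed. Unless the sub-playbook dropped that input, add `RemoteIP:` / `simple: ${issue.remoteip}` next to `SourceIP`. Task `32` in a later hunk lost the same argument.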
@@ -513,30 +566,17 @@ tasks: - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. - playbookName: SOC Account Enrichment - Generic v2.1_V3 - type: playbook + id: 819fd7e9-5a7a-4550-b8b1-372dfb1c8712 iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "4" - scriptarguments: - Domain: - simple: ${inputs.Domain} - Username: - complex: - root: inputs.UserName - transformers: - - operator: uniq - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 + name: SOC Account Enrichment - Generic v2.1_V3 + playbookId: SOC Account Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 819fd7e9-5a7a-4550-b8b1-372dfb1c8712 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -544,52 +584,47 @@ tasks: "y": 575 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "31": + continueonerrortype: "" id: "31" - taskid: ade0d98b-c10b-442c-a73b-73afb40bbb5c - type: playbook - task: - id: ade0d98b-c10b-442c-a73b-73afb40bbb5c - version: -1 - name: SOC Email Address Enrichment - Generic v2.1_V3 - description: |- - Enrich email addresses. - - Get information from Active Directory for internal addresses - - Get the domain-squatting reputation for external addresses - - Email address reputation using !email command. - playbookName: SOC Email Address Enrichment - Generic v2.1_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 0 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: Domain: simple: ${issue.domain} - Email: - complex: - root: inputs.Email - transformers: - - operator: uniq UseReputationCommand: simple: "False" separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: |- + Enrich email addresses. + - Get information from Active Directory for internal addresses + - Get the domain-squatting reputation for external addresses + - Email address reputation using !email command. + id: 97f001db-3e90-4e89-909b-4ddef8c133b0 iscommand: false - exitCondition: "" - wait: 1 - max: 0 + istaskmissingcomponenterrordismissed: false + name: SOC Email Address Enrichment - Generic v2.1_V3 + playbookId: SOC Email Address Enrichment - Generic v2.1_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 97f001db-3e90-4e89-909b-4ddef8c133b0 + timertriggers: [] + type: playbook view: |- { "position": { 
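Review bot: Task `31` now calls `SOC Email Address Enrichment - Generic v2.1_V3` with only `Domain` and `UseReputationCommand`; the `Email` argument (old side `complex: root: inputs.Email` with a `uniq` transformer) was removed and nothing replaced it, and the playbook-level `Email` input that defaulted to `${issue.email}` is deleted in the last hunk, so the email branch runs without an address to enrich. Restore it against the issue, mirroring task `30`'s `Username` argument: `Email:` / `complex:` / `accessor: email` / `root: issue` with the `uniq` transformer, or the simple form `simple: ${issue.email}`.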
@@ -597,57 +632,57 @@ tasks: "y": 575 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "32": + continueonerrortype: "" id: "32" - taskid: b13b43e7-c68e-43c5-9fba-ad2e719b4226 - type: playbook - task: - id: b13b43e7-c68e-43c5-9fba-ad2e719b4226 - version: -1 - name: Foundation - Endpoint Enrichment_V3 - description: | - Identifies the core fields present and starts tailored enrichment pipelines - Generates threat flags based on findings (ex: if we identify a domain controller or admin account) - playbookName: Foundation - Endpoint Enrichment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: Domain: - simple: ${inputs.Domain} + simple: ${issue.domain} EndpointID: - simple: ${inputs.EndpointID} + simple: ${issue.agentid} HostName: - simple: ${inputs.Hostname} + simple: ${issue.hostname} MD5: - simple: ${inputs.MD5} - RemoteIP: - simple: ${inputs.Remote_IP} + simple: ${issue.initiatormd5} + PID: + simple: ${issue.initiatorpid} SHA256: - simple: ${inputs.SHA256} + simple: ${issue.initiatorsha256} SourceIP: - simple: ${inputs.Source_IP} + simple: ${issue.hostip} UserName: - simple: ${inputs.UserName} + simple: ${issue.username} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: | + Identifies the core fields present and starts tailored enrichment pipelines + Generates threat flags based on findings (ex: if we identify a domain controller or admin account) + id: 178700be-043d-4612-b445-2be7159585ee iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: Foundation - Endpoint 
Enrichment_V3 + playbookId: Foundation - Endpoint Enrichment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 178700be-043d-4612-b445-2be7159585ee + timertriggers: [] + type: playbook view: |- { "position": { 
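Review bot: Task `32` passes `PID: ${issue.initiatorpid}` to `Foundation - Endpoint Enrichment_V3` but, unlike task `24` calling the same sub-playbook, omits `ProcessName` and `RemoteIP`, so the two branches invoke one sub-playbook with different field sets. If the Workload branch genuinely should not carry process or remote data, a one-line `description` on the task saying so will stop the next reader from "fixing" it; otherwise add `ProcessName:` / `simple: ${issue.xdmsourceprocessname}` and `RemoteIP:` / `simple: ${issue.remoteip}` as task `24` does.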
@@ -655,106 +690,64 @@ tasks: "y": 575 } } - note: false - timertriggers: [] + "33": + continueonerrortype: "" + id: "33" ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false -system: true + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + key: + simple: SOCFramework.Artifacts.CategoryType + value: + complex: + root: inputs.CategoryType + transformers: + - operator: toLowerCase + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: d916b7b9-609f-482f-8e5a-00e951084f54 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Issue Category Type + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: d916b7b9-609f-482f-8e5a-00e951084f54 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 910, + "y": 50 + } + } +version: -1 view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 770, + "height": 950, "width": 2530, "x": 50, - "y": 50 + "y": -130 } } } -inputs: -- key: Source_IP - value: - simple: ${issue.remoteip} - required: false - description: "" - playbookInputQuery: null -- key: File_Hash - value: - simple: 
${issue.initiatorsha256} - required: false - description: "" - playbookInputQuery: null -- key: Remote_IP - value: - simple: ${issue.remoteip} - required: false - description: "" - playbookInputQuery: null -- key: UserName - value: - simple: ${issue.username} - required: false - description: "" - playbookInputQuery: null -- key: Email - value: - simple: ${issue.email} - required: false - description: "" - playbookInputQuery: null -- key: EndpointID - value: - simple: ${issue.agentid} - required: false - description: "" - playbookInputQuery: null -- key: Hostname - value: - simple: ${issue.hostname} - required: false - description: "" - playbookInputQuery: null -- key: Domain - value: - simple: ${issue.domain} - required: false - description: "" - playbookInputQuery: null -- key: MD5 - value: - simple: ${issue.filemd5} - required: false - description: "" - playbookInputQuery: null -- key: SHA256 - value: - simple: ${issue.filesha256} - required: false - description: "" - playbookInputQuery: null -inputSections: -- inputs: - - Source_IP - - File_Hash - - Remote_IP - - UserName - - Email - - EndpointID - - Hostname - - Domain - - MD5 - - SHA256 - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs -outputs: [] -sourceplaybookid: Foundation - Enrichment_V3 -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml new file mode 100644 index 0000000..74212f1 --- /dev/null +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml 
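Review bot: Task "33" sets `SOCFramework.Artifacts.CategoryType` from `inputs.CategoryType`, but this hunk deletes the whole `inputs:` block and none of the removed entries is named `CategoryType`; unless a reordered `inputs:` block earlier in the file (outside this hunk) declares it, the reference resolves empty and SetAndHandleEmpty silently does nothing, leaving whatever routes on CategoryType downstream unset. Either declare it (`- key: CategoryType`, `required: false`, with a description saying it is lower-cased before use) or read `issue.categoryname` directly, as the other rebound arguments in this commit do. The `outputs`/`outputSections` declarations and `system: true` also disappear here with no visible replacement; confirm they were moved to the top of the file rather than lost, since a missing `outputs` list hides what this playbook contributes to context.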
@@ -0,0 +1,670 @@ +fromversion: 5.0.0 +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" + supportedModules: [] + toServerVersion: "" +description: Designed to get the product category (EndPoint, Network, Cloud SaaS, + Cloud Workload, etc) from the list SOCProductCategoryMap_V3 +dirtyInputs: true +id: 'Foundation - Product Classification_V3' +inputSections: +- description: Generic group for inputs + inputs: + - ProductKey + - product + name: General (Inputs group) +inputs: +- description: Pass the product Data Source typically found here (i.e. issue.tags.[0]) + key: ProductKey + playbookInputQuery: null + required: true + value: + simple: ${issue.tags.[0]} +- description: This is the filter value in the XQL. Many vendors have multiple products + in the same dataset. + key: product + playbookInputQuery: null + required: false + value: + simple: Fusion +name: Foundation - Product Classification_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - SOCFramework.Product.key + - SOCFramework.Product.category + - SOCFramework.Product.type + - SOCFramework.Product.confidence +outputs: +- contextPath: SOCFramework.Product.key + description: Canonical resolved product key + type: string +- contextPath: SOCFramework.Product.category + description: High-level product category used for SOC routing (e.g. Endpoint, Identity, + Network). + type: string +- contextPath: SOCFramework.Product.type + description: More specific product type (e.g. EDR, NGFW, IDP, PAM). + type: string +- contextPath: SOCFramework.Product.confidence + description: Confidence level of the product classification (e.g. high, medium, + low). 
+ type: string +sourceplaybookid: Foundation - Upon Trigger +starttaskid: "0" +tags: +- SOC +- SOC_Framework_Unified +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4bb50423-9a1a-4c0e-88ba-c31e26fdf280 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 4bb50423-9a1a-4c0e-88ba-c31e26fdf280 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2eb08148-d069-489a-83e1-1ab88016aac3 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 2eb08148-d069-489a-83e1-1ab88016aac3 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 705, + "y": 1315 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Is this an EndPoint, Network, Cloud SaaS, Cloud Workload, Identity, + etc? This is used downstream for automations based on product category. 
+ id: 6c69403f-3987-4921-93b0-59b803e8ab06 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Product Category + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 6c69403f-3987-4921-93b0-59b803e8ab06 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 265, + "y": 220 + } + } + "22": + continueonerror: true + continueonerrortype: errorPath + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "27" + - "28" + - "29" + - "31" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Product.key + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: issue.tags + operator: containsGeneral + right: + value: + simple: 'DS:' + root: issue.tags + transformers: + - operator: toLowerCase + - args: + action_dt: {} + ignore_case: {} + multi_line: {} + output_format: + value: + simple: _ + period_matches_newline: {} + regex: + value: + simple: (?<=.)[^A-Za-z0-9](?=.) + operator: RegexReplace + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: cf53f551-0737-4de5-a8cd-f9f6e9452992 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set New ProductKey from issue.tags + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: cf53f551-0737-4de5-a8cd-f9f6e9452992 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 490, + "y": 760 + } + } + "24": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: lists.SOCProductCategoryMap_V3 + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "30" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if list exist in demisto lists. + id: ea108651-9f73-4d60-85d2-32e110fb573e + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Does List Product Category List Exist? 
+ playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: ea108651-9f73-4d60-85d2-32e110fb573e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 265, + "y": 390 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 2665edd0-55b1-4425-86c4-1e13d790a4a1 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Foundation - Error Handling_V3 + playbookId: Foundation - Error Handling_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 2665edd0-55b1-4425-86c4-1e13d790a4a1 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 1130 + } + } + "27": + continueonerror: true + continueonerrortype: errorPath + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Product.type + value: + complex: + accessor: SOCProductCategoryMap_V3 + root: lists + transformers: + - args: + field: + iscontext: true + value: + simple: SOCFramework.Product.key + operator: getField + - args: + equalTo: + iscontext: true + value: + simple: inputs.product + field: + value: + simple: product + getField: {} + stringify: {} + operator: WhereFieldEquals + - args: + field: + value: + simple: type + operator: getField + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: edb91e31-66ef-4fb8-9e51-8321afdb0da6 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Product Type + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: edb91e31-66ef-4fb8-9e51-8321afdb0da6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 275, + "y": 945 + } + } + "28": + continueonerror: true + continueonerrortype: errorPath + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Product.confidence + value: + complex: + accessor: SOCProductCategoryMap_V3 + root: lists + transformers: + - args: + field: + iscontext: true + value: + simple: SOCFramework.Product.key + operator: getField + - args: + equalTo: + iscontext: true + value: + simple: inputs.product + field: + value: + simple: product + getField: {} + stringify: {} + operator: WhereFieldEquals + - args: + field: + value: + simple: confidence + operator: getField + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 8fc0138a-45e3-49a0-b441-a2ab4025afa8 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Product Confidence + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 8fc0138a-45e3-49a0-b441-a2ab4025afa8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 705, + "y": 945 + } + } + "29": + continueonerror: true + continueonerrortype: errorPath + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Product.category + value: + complex: + accessor: SOCProductCategoryMap_V3 + root: lists + transformers: + - args: + field: + iscontext: true + value: + simple: SOCFramework.Product.key + operator: getField + - args: + equalTo: + iscontext: true + value: + simple: inputs.product + field: + value: + simple: product + getField: {} + stringify: {} + operator: WhereFieldEquals + - args: + field: + value: + simple: category + operator: getField + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 5d3794a5-e0b1-4449-a388-61e6192a1ffb + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Product Category2 + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 5d3794a5-e0b1-4449-a388-61e6192a1ffb + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1135, + "y": 945 + } + } + "30": + continueonerror: true + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + scriptarguments: + key: + simple: SOCFramework.Product. 
+ separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Delete field from context.\n\nThis automation runs using the default + Limited User role, unless you explicitly change the permissions.\nFor more + information, see the section about permissions here:\n- For Cortex XSOAR 6 + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: dc35e6af-2180-4dce-81f5-5ad8efb8554a + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Remove SOCFramework.Product to clean up. + playbooktaskmissingcomponent: null + script: DeleteContext + type: regular + version: -1 + taskid: dc35e6af-2180-4dce-81f5-5ad8efb8554a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 490, + "y": 575 + } + } + "31": + continueonerror: true + continueonerrortype: errorPath + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "26" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: SOCFramework.Product.response + value: + complex: + accessor: SOCProductCategoryMap_V3 + root: lists + transformers: + - args: + field: + iscontext: true + value: + simple: SOCFramework.Product.key + operator: getField + - args: + equalTo: + iscontext: true + value: + simple: inputs.product + field: + value: + simple: product + getField: {} + stringify: {} + operator: WhereFieldEquals + - args: + field: + value: + simple: response + operator: getField + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you 
entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\n + For more information, see the section about permissions here:\n- For Cortex + see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n + - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 71dd30a7-b77f-451a-bfaa-a0e9584e6142 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Response Integration Brand + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 71dd30a7-b77f-451a-bfaa-a0e9584e6142 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1545, + "y": 945 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1325, + "width": 1875, + "x": 50, + "y": 50 + } + } + } diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml index a2599bd..6fcb6e9 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml 
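Review bot: The required input `ProductKey` is never read: no task references `inputs.ProductKey`, and task "22" derives `SOCFramework.Product.key` straight from `issue.tags` filtered on `'DS:'`, so `required: true` gates on a value the playbook ignores and callers cannot override the key. Either feed task "22" from `inputs.ProductKey` (keeping `${issue.tags.[0]}` as the default) or drop the input and its `inputSections` entry. Task "30" deletes context key `SOCFramework.Product.` with a trailing dot; if that is a typo for `SOCFramework.Product`, the cleanup silently misses and stale keys from a previous run survive into task "22". Task "31" also writes `SOCFramework.Product.response`, which is absent from `outputs`/`outputSections`, and the descriptions of tasks "22", "27", "28", "29" and "31" read "For Cortex.7 On-prem" where task "30" correctly has "For Cortex XSOAR 8.7 On-prem".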
@@ -1,41 +1,60 @@ fromversion: 5.0.0 -id: Foundation - Upon Trigger V3 -version: 3 +adopted: true contentitemexportablefields: contentitemfields: - packID: soc-optimization-unified - packName: SOC Framework Unified - itemVersion: 3.0.17 - fromServerVersion: 5.0.0 - toServerVersion: "" definitionid: "" - prevname: "" + fromServerVersion: 5.0.0 isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false + toServerVersion: "" +dirtyInputs: true +id: 'Foundation - Upon Trigger V3' +inputSections: +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) +inputs: [] name: Foundation - Upon Trigger V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +quiet: true +sourceplaybookid: Foundation - Upon Trigger +starttaskid: "0" tags: - SOC - SOC_Framework_Unified -starttaskid: "0" tasks: "0": + continueonerrortype: "" id: "0" - taskid: 5206068f-fdf3-4829-8cc2-c3ada7b5516b - type: start - task: - id: 5206068f-fdf3-4829-8cc2-c3ada7b5516b - version: -1 - name: "" - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "1" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 5206068f-fdf3-4829-8cc2-c3ada7b5516b + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 5206068f-fdf3-4829-8cc2-c3ada7b5516b + timertriggers: [] + type: start view: |- { "position": { 
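Review bot: `quiet: true` is introduced at playbook level, which suppresses war-room entries for this playbook's tasks (and, if quiet mode propagates, for the sub-playbooks it drives); that removes the per-issue audit trail analysts use to see which environment-detection, dedup or escalation branch actually ran, so confirm it is intentional and document it on the line, e.g. `quiet: true  # suppress war-room output; results are exposed only via SOCFramework.* context`. `packID` also changes from `soc-optimization-unified` to `""`, which looks like export-tool residue rather than a deliberate edit. `dirtyInputs: true` next to `inputs: []` is harmless but contradictory.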
@@ -43,31 +62,31 @@ tasks: "y": 50 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "1": + continueonerrortype: "" id: "1" - taskid: cd6cbd33-49b9-4c0e-8c76-12c43c541cb5 - type: title - task: - id: cd6cbd33-49b9-4c0e-8c76-12c43c541cb5 - version: -1 - name: Environment Detection - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "27" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: cd6cbd33-49b9-4c0e-8c76-12c43c541cb5 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Environment Detection + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: cd6cbd33-49b9-4c0e-8c76-12c43c541cb5 + timertriggers: [] + type: title view: |- { "position": { 
@@ -75,31 +94,31 @@ tasks: "y": 220 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "2": + continueonerrortype: "" id: "2" - taskid: eaffbc30-3533-483b-80c1-82bdd0e73dd3 - type: title - task: - id: eaffbc30-3533-483b-80c1-82bdd0e73dd3 - version: -1 - name: Data Integrity - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "28" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: eaffbc30-3533-483b-80c1-82bdd0e73dd3 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Data Integrity + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: eaffbc30-3533-483b-80c1-82bdd0e73dd3 + timertriggers: [] + type: title view: |- { "position": { 
@@ -107,31 +126,31 @@ tasks: "y": 575 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "3": + continueonerrortype: "" id: "3" - taskid: 2b3a538a-4c64-408a-86b2-74cd81484c7f - type: title - task: - id: 2b3a538a-4c64-408a-86b2-74cd81484c7f - version: -1 - name: Alert Sync (Ledger / Owner Notification) - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "32" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 2b3a538a-4c64-408a-86b2-74cd81484c7f + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Alert Sync (Ledger / Owner Notification) + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 2b3a538a-4c64-408a-86b2-74cd81484c7f + timertriggers: [] + type: title view: |- { "position": { 
@@ -139,31 +158,31 @@ tasks: "y": 930 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "4": + continueonerrortype: "" id: "4" - taskid: 4bc7c9d9-c8d2-4e49-8f24-1e964e9ad270 - type: title - task: - id: 4bc7c9d9-c8d2-4e49-8f24-1e964e9ad270 - version: -1 - name: Dedup - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "35" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 4bc7c9d9-c8d2-4e49-8f24-1e964e9ad270 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Dedup + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 4bc7c9d9-c8d2-4e49-8f24-1e964e9ad270 + timertriggers: [] + type: title view: |- { "position": { 
@@ -171,31 +190,31 @@ tasks: "y": 1640 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "5": + continueonerrortype: "" id: "5" - taskid: a4730ca6-80a0-4fb3-80d3-9a2e6e1f964c - type: title - task: - id: a4730ca6-80a0-4fb3-80d3-9a2e6e1f964c - version: -1 - name: Enrichment (User, IP, Hash, Domain) - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "23" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: a4730ca6-80a0-4fb3-80d3-9a2e6e1f964c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Enrichment (User, IP, Hash, Domain) + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: a4730ca6-80a0-4fb3-80d3-9a2e6e1f964c + timertriggers: [] + type: title view: |- { "position": { 
@@ -203,31 +222,31 @@ tasks: "y": 1285 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "6": + continueonerrortype: "" id: "6" - taskid: 35c54f0f-e1e7-48a9-8aed-57d322ddf9c7 - type: title - task: - id: 35c54f0f-e1e7-48a9-8aed-57d322ddf9c7 - version: -1 - name: Assessment - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "30" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 35c54f0f-e1e7-48a9-8aed-57d322ddf9c7 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Assessment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 35c54f0f-e1e7-48a9-8aed-57d322ddf9c7 + timertriggers: [] + type: title view: |- { "position": { 
@@ -235,31 +254,31 @@ tasks: "y": 1995 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "7": + continueonerrortype: "" id: "7" - taskid: 76dd4bf8-4839-4846-8cc2-95492ce2721a - type: title - task: - id: 76dd4bf8-4839-4846-8cc2-95492ce2721a - version: -1 - name: Escalation - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "31" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 76dd4bf8-4839-4846-8cc2-95492ce2721a + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Escalation + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 76dd4bf8-4839-4846-8cc2-95492ce2721a + timertriggers: [] + type: title view: |- { "position": { @@ -267,28 +286,28 @@ tasks: "y": 2350 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "8": + continueonerrortype: "" id: "8" - taskid: d6a23a94-520a-4ff6-8146-c309f064e6ed - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: d6a23a94-520a-4ff6-8146-c309f064e6ed - version: -1 - name: Done - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: d6a23a94-520a-4ff6-8146-c309f064e6ed + timertriggers: [] + type: title view: |- { "position": { 
@@ -296,61 +315,49 @@ tasks: "y": 3060 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "23": + continueonerrortype: "" id: "23" - taskid: c5f48fdf-5a69-4392-8a11-332b1ddef033 - type: playbook - task: - id: c5f48fdf-5a69-4392-8a11-332b1ddef033 - version: -1 - name: Foundation - Enrichment_V3 - description: | - Identifies the core fields present and starts tailored enrichment pipelines - Generates threat flags based on findings (ex: if we identify a domain controller or admin account) - playbookName: Foundation - Enrichment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "4" + note: false + quietmode: 0 scriptarguments: - Domain: - simple: ${inputs.Domain} - Email: - simple: ${inputs.Email} - EndpointID: - simple: ${inputs.EndpointID} - File_Hash: - simple: ${inputs.File_Hash} - Hostname: - simple: ${inputs.Hostname} - MD5: - simple: ${inputs.MD5} + CategoryType: + complex: + accessor: categoryname + root: issue + transformers: + - operator: toLowerCase Remote_IP: simple: ${inputs.Remote_IP} - SHA256: - simple: ${inputs.SHA256} - Source_IP: - simple: ${inputs.Source_IP} - UserName: - simple: ${inputs.UserName} separatecontext: false - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: | + Identifies the core fields present and starts tailored enrichment pipelines + Generates threat flags based on findings (ex: if we identify a domain controller or admin account) + id: db2b5b40-227a-43f3-a1ed-34278b0f6f76 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: Foundation - Enrichment_V3 + playbookId: Foundation - Enrichment_V3 + 
playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: db2b5b40-227a-43f3-a1ed-34278b0f6f76 + timertriggers: [] + type: playbook view: |- { "position": { @@ -358,40 +365,40 @@ tasks: "y": 1455 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "27": + continueonerrortype: "" id: "27" - taskid: e7fb3a47-a406-4aae-8dc2-db183be1d0a7 - type: playbook - task: - id: e7fb3a47-a406-4aae-8dc2-db183be1d0a7 - version: -1 - name: Foundation - Environment Detection_V3 - description: | - Identify Non-Production Use Cases - Keeps downstream playbooks from performing ‘hazardous tasks’ - playbookName: Foundation - Environment Detection_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "2" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: | + Identify Non-Production Use Cases + Keeps downstream playbooks from performing ‘hazardous tasks’ + id: a81da524-2eec-4b17-b2d7-fc33a1a6002c iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: Foundation - Environment Detection_V3 + playbookId: Foundation - Environment Detection_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: a81da524-2eec-4b17-b2d7-fc33a1a6002c + timertriggers: [] + type: playbook view: |- { "position": { 
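Review bot: Task "23" still passes `Remote_IP: simple: ${inputs.Remote_IP}` to Foundation - Enrichment_V3, but the hunk `@@ -674,87 +674,3 @@` of this same file deletes the whole `inputs:` section, including the `Remote_IP` input that mapped to `${issue.remoteip}`, so this argument now resolves to nothing at run time. Either drop the argument or read the value directly from the issue, e.g. `Remote_IP:` / `  simple: ${issue.remoteip}`, which is what the removed input used to supply. The other former arguments (Domain, Hostname, hashes, UserName, ...) are dropped here as well; whether the sub-playbook now reads them from the issue on its own cannot be confirmed from this diff, so that is worth checking against Foundation - Enrichment_V3 before merging. The enclosing `tasks:` mapping starts and ends outside this hunk.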
@@ -399,78 +406,78 @@ tasks: "y": 390 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "28": + continueonerrortype: "" id: "28" - taskid: a659e0eb-4d52-4b3d-bfca-d072c8b33d04 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: - id: a659e0eb-4d52-4b3d-bfca-d072c8b33d04 - version: -1 - name: Foundation - Data Integrity_V3 + brand: "" description: | Core fields are evaluated Unpopulated core fields refer to alternatives for values Field values are evaluated for formatting and syntax - playbookName: Foundation - Data Integrity_V3 - type: playbook + id: f611e5ee-70fb-4913-8ee3-dc6fe456527c iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "3" - separatecontext: false - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 + name: Foundation - Data Integrity_V3 + playbookId: Foundation - Data Integrity_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: f611e5ee-70fb-4913-8ee3-dc6fe456527c + timertriggers: [] + type: playbook view: |- { "position": { "x": 50, - "y": 745 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false + "y": 745 + } + } "30": + continueonerrortype: "" id: "30" - taskid: 0b8ac779-46fc-4fd0-81f7-b353236b24c3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false task: - id: 0b8ac779-46fc-4fd0-81f7-b353236b24c3 - 
version: -1 - name: Foundation - Assessment_V3 + brand: "" description: |+ Evaluates our enrichment flags, and severity value(s) to formalize a final severity score Creates human readable summary of severity assessment reasoning - playbookName: Foundation - Assessment_V3 - type: playbook + id: 0b8ac779-46fc-4fd0-81f7-b353236b24c3 iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "7" - separatecontext: true - continueonerrortype: "" + name: Foundation - Assessment_V3 + playbookId: Foundation - Assessment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 0b8ac779-46fc-4fd0-81f7-b353236b24c3 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -478,35 +485,35 @@ tasks: "y": 2165 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "31": + continueonerrortype: "" id: "31" - taskid: 11861ffc-38b6-4bda-8a82-4657bd1ceeff - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false task: - id: 11861ffc-38b6-4bda-8a82-4657bd1ceeff - version: -1 - name: Foundation - Escalation_V3 + brand: "" description: | Handles dispatching pagerduty alert / SOC email Identifies if another alert within the alert already paged - playbookName: Foundation - Escalation_V3 - type: playbook + id: 11861ffc-38b6-4bda-8a82-4657bd1ceeff iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "33" - separatecontext: true - continueonerrortype: "" + name: Foundation - Escalation_V3 + playbookId: Foundation - Escalation_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 11861ffc-38b6-4bda-8a82-4657bd1ceeff + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -514,41 +521,41 @@ tasks: "y": 2520 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "32": + continueonerrortype: "" id: "32" - taskid: f21ef304-0199-4462-b3f9-2a67cb579af3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false task: - id: f21ef304-0199-4462-b3f9-2a67cb579af3 - version: -1 - name: Foundation - Case Sync_V3 + brand: "" description: |+ Generates/Updates the Case Alert Ledger Notifies alert owner of new issue addition - playbookName: Foundation - Case Sync_V3 - type: playbook + id: f21ef304-0199-4462-b3f9-2a67cb579af3 iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "5" - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 + name: Foundation - Case Sync_V3 + playbookId: Foundation - Case Sync_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: f21ef304-0199-4462-b3f9-2a67cb579af3 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -556,31 +563,31 @@ tasks: "y": 1100 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "33": + continueonerrortype: "" id: "33" - taskid: 53a0a8d4-f046-4bf1-bd2e-d86e6e5b5cea - type: title - task: - id: 53a0a8d4-f046-4bf1-bd2e-d86e6e5b5cea - version: -1 - name: Performance Capture - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "34" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 53a0a8d4-f046-4bf1-bd2e-d86e6e5b5cea + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Performance Capture + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 53a0a8d4-f046-4bf1-bd2e-d86e6e5b5cea + timertriggers: [] + type: title view: |- { "position": { 
@@ -588,32 +595,32 @@ tasks: "y": 2705 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "34": + continueonerrortype: "" id: "34" - taskid: 75031272-0824-439f-8219-be2a80c0186e - type: playbook - task: - id: 75031272-0824-439f-8219-be2a80c0186e - version: -1 - name: Foundation - Performance Capture_V3 - playbookName: Foundation - Performance Capture_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "8" + note: false + quietmode: 0 separatecontext: true - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 75031272-0824-439f-8219-be2a80c0186e + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Foundation - Performance Capture_V3 + playbookId: Foundation - Performance Capture_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 75031272-0824-439f-8219-be2a80c0186e + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -621,32 +628,32 @@ tasks: "y": 2875 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "35": + continueonerrortype: "" id: "35" - taskid: 1d4e4498-5b23-4b7f-89ba-646cd8f33034 - type: playbook - task: - id: 1d4e4498-5b23-4b7f-89ba-646cd8f33034 - version: -1 - name: Foundation - Dedup_V3 - playbookName: Foundation - Dedup_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "6" + note: false + quietmode: 0 separatecontext: true - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 1d4e4498-5b23-4b7f-89ba-646cd8f33034 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Foundation - Dedup_V3 + playbookId: Foundation - Dedup_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 1d4e4498-5b23-4b7f-89ba-646cd8f33034 + timertriggers: [] + type: playbook view: |- { "position": { @@ -654,14 +661,7 @@ tasks: "y": 1802.20703125 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false -system: true +version: -1 view: |- { "linkLabelsPosition": {}, 
@@ -674,87 +674,3 @@ view: |- } } } -inputs: -- key: Source_IP - value: - simple: ${issue.localip} - required: false - description: "" - playbookInputQuery: null -- key: File_Hash - value: - simple: ${issue.filesha256} - required: false - description: "" - playbookInputQuery: null -- key: Remote_IP - value: - simple: ${issue.remoteip} - required: false - description: "" - playbookInputQuery: null -- key: UserName - value: - simple: ${issue.username} - required: false - description: "" - playbookInputQuery: null -- key: Email - value: - simple: ${issue.email} - required: false - description: "" - playbookInputQuery: null -- key: EndpointID - value: - simple: ${issue.agentid} - required: false - description: "" - playbookInputQuery: null -- key: Hostname - value: - simple: ${issue.hostname} - required: false - description: "" - playbookInputQuery: null -- key: Domain - value: - simple: ${issue.domain} - required: false - description: "" - playbookInputQuery: null -- key: MD5 - value: - simple: ${issue.filemd5} - required: false - description: "" - playbookInputQuery: null -- key: SHA256 - value: - simple: ${issue.filesha256} - required: false - description: "" - playbookInputQuery: null -inputSections: -- inputs: - - Source_IP - - File_Hash - - Remote_IP - - UserName - - Email - - EndpointID - - Hostname - - Domain - - MD5 - - SHA256 - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs -outputs: [] -sourceplaybookid: Foundation - Upon Trigger -quiet: true -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/SOCUniversalCommand.yml b/Packs/soc-optimization-unified/Playbooks/SOCUniversalCommand.yml new file mode 100644 index 0000000..db8a4a0 --- /dev/null +++ b/Packs/soc-optimization-unified/Playbooks/SOCUniversalCommand.yml 
@@ -0,0 +1,491 @@ +fromversion: 5.0.0 +adopted: true +description: This is designed to use the List SOCFrameworkActions_V3 as a list of + universal commands that match to specific vendors and artifacts. +dirtyInputs: true +id: 'SOCUniversalCommand' +inputSections: +- description: Generic group for inputs + inputs: + - universal_cmd + - framework_actions_listname + - ShadowMode + name: General (Inputs group) +inputs: +- description: "" + key: universal_cmd + playbookInputQuery: null + required: true + value: + simple: soc-isolate-endpoint +- description: "" + key: framework_actions_listname + playbookInputQuery: null + required: true + value: + simple: SOCFrameworkActions_V3 +- description: "" + key: ShadowMode + playbookInputQuery: null + required: true + value: + simple: "False" +name: SOCUniversalCommand +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: "0" +tags: +- SOC +- SOC_Framework +- SOC_Framework_Unified +- Actions +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f3eb8178-e23e-4292-8186-ab49bb200b0b + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: f3eb8178-e23e-4292-8186-ab49bb200b0b + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 255, + "y": 50 + } + } + "3": + continueonerror: true + continueonerrortype: errorPath + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + command: + simple: ${SOCFramework.UniversalCommand.VendorCmd} + inline_args: + simple: ${SOCFramework.UniversalCommand.VendorArgs} + separatecontext: 
false + skipunavailable: false + task: + brand: "" + id: 7f57ea21-63a3-4ba0-8c0e-8ef557a95f24 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Command Wrapper + playbooktaskmissingcomponent: null + script: 'SOCCommandWrapper' + type: regular + version: -1 + taskid: 7f57ea21-63a3-4ba0-8c0e-8ef557a95f24 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 480, + "y": 960 + } + } + "6": + continueonerror: true + continueonerrortype: errorPath + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + extend-context: + simple: SOCFramework.UniversalCommand.UC + key: + simple: SOCFramework.UniversalCommand.UC + value: + simple: ${inputs.universal_cmd} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: a574e1e6-6c3f-4895-b46d-0427155b4b28 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Universal Command + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: a574e1e6-6c3f-4895-b46d-0427155b4b28 + timertriggers: [] + type: regular + view: |- + { + "position": 
{ + "x": 255, + "y": 220 + } + } + "7": + continueonerror: true + continueonerrortype: errorPath + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + extend-context: + simple: SOCFramework.UniversalCommand.UC + key: + simple: SOCFramework.UniversalCommand.VendorCmd + value: + complex: + accessor: SOCFrameworkActions_V3 + root: lists + transformers: + - args: + field: + value: + simple: ${SOCFramework.UniversalCommand.UC} + operator: getField + - args: + field: + value: + simple: responses + operator: getField + - args: + field: + value: + simple: ${SOCFramework.Product.response} + operator: getField + - args: + field: + value: + simple: command + operator: getField + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 80e6e727-079a-4324-b528-cb97e7c17f9c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Universal Command + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 80e6e727-079a-4324-b528-cb97e7c17f9c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 367.5, + 
"y": 405 + } + } + "8": + continueonerror: true + continueonerrortype: errorPath + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - "9" + '#none#': + - "13" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + extend-context: + simple: SOCFramework.UniversalCommand.UC + key: + simple: SOCFramework.UniversalCommand.VendorArgs + value: + complex: + accessor: SOCFrameworkActions_V3 + root: lists + transformers: + - args: + field: + value: + simple: ${SOCFramework.UniversalCommand.UC} + operator: getField + - args: + field: + value: + simple: responses + operator: getField + - args: + field: + value: + simple: ${SOCFramework.Product.response} + operator: getField + - args: + field: + value: + simple: inline_args + operator: getField + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 9370850b-ef80-460d-944f-f2803794adec + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Universal Command Args + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9370850b-ef80-460d-944f-f2803794adec + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 480, + "y": 590 
+ } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 9be7281e-9ddb-4e35-8eb5-98afb3bd055c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Foundation - Error Handling_V3 + playbookId: Foundation - Error Handling_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 9be7281e-9ddb-4e35-8eb5-98afb3bd055c + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 50, + "y": 1145 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8857f596-f3b2-4830-a0fd-512c668f4c91 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 8857f596-f3b2-4830-a0fd-512c668f4c91 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 387.5, + "y": 1330 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + value: + simple: |- + Shadow Mode: ${inputs.shadow_mode} + Command: ${SOCFramework.UniversalCommand.VendorCmd} + Args: ${SOCFramework.UniversalCommand.VendorArgs} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: c8a5245f-4ab0-4e57-9526-2c91a51f58a6 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Print Command To War Room + playbooktaskmissingcomponent: null + script: Print + type: regular + version: -1 + taskid: c8a5245f-4ab0-4e57-9526-2c91a51f58a6 + 
timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 715, + "y": 1145 + } + } + "13": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ShadowMode + transformers: + - operator: toLowerCase + operator: isTrue + right: + value: {} + label: Shadow Mode + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ShadowMode + transformers: + - operator: toLowerCase + operator: isFalse + label: Full Run + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Full Run: + - "3" + Shadow Mode: + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 5ab38983-4309-4bae-af39-6a11107f6695 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Shadow Mode or Full Run + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 5ab38983-4309-4bae-af39-6a11107f6695 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 592.5, + "y": 775 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1340, + "width": 1045, + "x": 50, + "y": 50 + } + } + } diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Analysis_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Analysis_V3.yml new file mode 100644 index 0000000..326f5b4 --- /dev/null +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Analysis_V3.yml 
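Review bot: Task "12" prints `Shadow Mode: ${inputs.shadow_mode}`, but the input is declared as `ShadowMode` (and task "13" reads `inputs.ShadowMode`), so the war-room line will always be blank; change it to `Shadow Mode: ${inputs.ShadowMode}`. Separately, the `framework_actions_listname` input is declared with a default of `SOCFrameworkActions_V3` yet tasks "7" and "8" hard-code `accessor: SOCFrameworkActions_V3` on `root: lists`, so overriding the input has no effect — either use `accessor: ${inputs.framework_actions_listname}` or remove the dead input. Because the list lookup decides which `VendorCmd` and `VendorArgs` the wrapper in task "3" executes, and `SetAndHandleEmpty` leaves the key unset when the lookup misses, consider guarding task "3" with a check that `SOCFramework.UniversalCommand.VendorCmd` is non-empty so a missing list entry routes to error handling rather than an empty command.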
@@ -0,0 +1,1126 @@ +fromversion: 5.0.0 +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + Identify potential security events, determine whether they represent true alerts, understand their scope and impact, and establish the actionable context needed to respond effectively. + + What this phase includes: + + Monitoring security telemetry from logs, alerts, sensors, EDR, SIEM/XSIAM analytics, threat intel, and user reports. + + Triaging events to distinguish benign activity, false positives, and true security alerts. + + Enriching indicators and artifacts (e.g., IPs, hashes, domains, user accounts, processes, network connections) using internal data and external threat intelligence. + + Correlating events across systems to understand the timeline, root cause, attack vector, and potential lateral movement. + + Assigning alert classification, severity, priority, and category for consistent response. + + Documenting findings, evidence, and hypotheses while preserving forensic integrity. + + Determining the initial scope and business impact to decide how aggressive containment must be. + + Outcome: + A validated and well-understood security alert with clear context, severity, indicators, and scope—enabling the organization to transition into Containment with confidence and accuracy. 
+dirtyInputs: true +id: 'SOC Analysis_V3' +inputSections: +- description: Generic group for inputs + inputs: + - ExecutionBranch + - ProductCategory + name: General (Inputs group) +inputs: +- description: "" + key: ExecutionBranch + playbookInputQuery: null + required: false + value: + simple: ${lists.SOCExecutionList_V3} +- description: Get The Product Category + key: ProductCategory + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Product.category} +name: SOC Analysis_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: SOC Containment_V3 +starttaskid: "0" +tags: +- SOC +- SOC_Framework_Unified +- NIST 800-61 +- Analysis +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 1175, + "y": 50 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 57a5da65-400a-4cd5-826c-3436a01618f8 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Data Analysis_V3 + playbookId: SOC Data Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 57a5da65-400a-4cd5-826c-3436a01618f8 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 162.5, + "y": 590 + } + } + "3": + continueonerrortype: "" + id: 
"3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + IPAddress: + simple: ${issue.hostip} + ListernerMailbox: + simple: ${issue.xdmemailmailboxowner} + MessageID: + simple: ${issue.emailmessageid} + SHA256: + simple: ${issue.xdmsourceprocessexecutablesha256} + alert_id: + simple: ${issue.internal_id} + case_category: + complex: + accessor: CategoryType + root: SOCFramework.Artifacts + transformers: + - operator: toLowerCase + endpoint_id: + simple: ${issue.agentid} + entity_type: + complex: + accessor: category + root: SOCFramework.Product + transformers: + - operator: toLowerCase + file_name: + simple: ${issue.xdmsourceprocessname} + file_path: + simple: ${issue.initiatorpath} + pid: + simple: ${SOCFramework.Artifacts.PID} + process_name: + simple: ${SOCFramework.Artifacts.ProcessName} + user_name: + simple: ${SOCFramework.Artifacts.UserName} + verdict: + simple: ${SOCFramework.Artifacts.Verdict} + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + This is the analyst’s core domain. + + Key tasks: + + Investigate alerts and anomalies. + + Validate true/false positives. + + Perform triage, correlation, and root cause analysis. + + Classify the alert (category, severity, impact). + + Document findings and escalate confirmed alerts. + + Outcome: Determine whether an event is a legitimate alert and assess its scope. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. 
+ id: 08c656f1-230f-4f60-86ee-662640e2c54b + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC EndPoint Analysis_V3 + playbookId: SOC EndPoint Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 08c656f1-230f-4f60-86ee-662640e2c54b + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1062.5, + "y": 590 + } + } + "5": + continueonerrortype: "" + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: d7385c3a-2283-4938-81b3-58ea63cc75f2 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Identity Analysis_V3 + playbookId: SOC Identity Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: d7385c3a-2283-4938-81b3-58ea63cc75f2 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1512.5, + "y": 590 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: e2089744-16e7-4227-8a13-0c65f8278895 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Network Analysis_V3 + playbookId: SOC Network Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: e2089744-16e7-4227-8a13-0c65f8278895 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 1962.5, + "y": 590 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 4b7573be-bd91-4fe6-8959-2bc5d4aaa78c + iscommand: 
false + istaskmissingcomponenterrordismissed: false + name: SOC SaaS Analysis_V3 + playbookId: SOC SaaS Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 4b7573be-bd91-4fe6-8959-2bc5d4aaa78c + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2412.5, + "y": 590 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + id: 3d8bf25e-863c-4ee5-8a18-47d621adbc11 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Workload Analysis_V3 + playbookId: SOC Workload Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 3d8bf25e-863c-4ee5-8a18-47d621adbc11 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 2862.5, + "y": 590 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8ceb5aed-c39b-452d-8fd8-f5f2ed8eb896 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 8ceb5aed-c39b-452d-8fd8-f5f2ed8eb896 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1287.5, + "y": 775 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + right: + value: + simple: Data + label: Data + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + right: + value: + simple: Workload + label: Workload + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + 
right: + value: + simple: Identity + label: Identity + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + right: + value: + simple: SaaS + label: SaaS + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + right: + value: + simple: Endpoint + label: Endpoint + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + right: + value: + simple: Email + label: Email + - condition: + - - left: + iscontext: true + value: + simple: inputs.ProductCategory + operator: isEqualString + right: + value: + simple: Network + label: Network + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Data: + - "13" + Email: + - "18" + Endpoint: + - "12" + Identity: + - "14" + Network: + - "15" + SaaS: + - "16" + Workload: + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 92178e4d-7444-47c9-8229-cca9ce09d331 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Product Category + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 92178e4d-7444-47c9-8229-cca9ce09d331 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1175, + "y": 220 + } + } + "12": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Endpoint Analysis + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Endpoint Analysis + operator: 
getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 479c410e-067c-44a3-8744-28453f704ad2 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Endpoint Analysis Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 479c410e-067c-44a3-8744-28453f704ad2 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 950, + "y": 405 + } + } + "13": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Data Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Data Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "13" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bdabddaf-0b19-4e96-971a-d3f85479805e + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Data Analysis Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 
bdabddaf-0b19-4e96-971a-d3f85479805e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 405 + } + } + "14": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Identity Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Identity Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1333bc58-8ac4-4522-b913-52c76f5cc116 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Identity Analysis Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 1333bc58-8ac4-4522-b913-52c76f5cc116 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1400, + "y": 405 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Network Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: 
+ simple: SOC Network Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: dca31f2e-7363-4767-bfdd-42af9b9a5066 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Network Analysis Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: dca31f2e-7363-4767-bfdd-42af9b9a5066 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1850, + "y": 405 + } + } + "16": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC SaaS Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC SaaS Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 419f92e1-5c35-47f4-ae4e-8b75acf42e57 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SaaS Analysis Execution Branch + playbooktaskmissingcomponent: 
null + type: condition + version: -1 + taskid: 419f92e1-5c35-47f4-ae4e-8b75acf42e57 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2300, + "y": 405 + } + } + "17": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Workload Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Workload Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 866225a9-2ae1-434f-b042-8907793f102f + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Workload Analysis Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 866225a9-2ae1-434f-b042-8907793f102f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 2750, + "y": 405 + } + } + "18": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Email Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: default + label: Default + - condition: + - - left: + iscontext: true + value: + complex: + root: 
inputs.ExecutionBranch + transformers: + - args: + field: + value: + simple: SOC Email Analysis_V3 + operator: getField + - args: + field: + value: + simple: execute_branch + operator: getField + operator: isEqualString + right: + value: + simple: custom + label: Custom + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "9" + Default: + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e96a6c41-f225-4ae6-9939-0bb1639cdecb + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Email Analysis Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: e96a6c41-f225-4ae6-9939-0bb1639cdecb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 500, + "y": 405 + } + } + "19": + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + brand: "" + description: |- + This is the analyst’s core domain. + + Key tasks: + + Investigate alerts and anomalies. + + Validate true/false positives. + + Perform triage, correlation, and root cause analysis. + + Classify the alert (category, severity, impact). + + Document findings and escalate confirmed alerts. + + Outcome: Determine whether an event is a legitimate alert and assess its scope. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. 
+ id: 8d429896-10a1-417b-8289-dbaeb060bcce + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Email Analysis_V3 + playbookId: SOC Email Analysis_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 8d429896-10a1-417b-8289-dbaeb060bcce + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 612.5, + "y": 590 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "10_14_Identity": 0.88, + "10_16_SaaS": 0.82, + "10_17_Workload": 0.9, + "18_19_Default": 0.8 + }, + "paper": { + "dimensions": { + "height": 785, + "width": 3192.5, + "x": 50, + "y": 50 + } + } + } diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml index 506253e..a6cbe79 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Containment_V3.yml @@ -1,19 +1,16 @@ fromversion: 5.0.0 -id: SOC Containment_V3 -version: 5 +adopted: true contentitemexportablefields: contentitemfields: - packID: soc-optimization-unified - packName: SOC Framework Unified - itemVersion: 3.0.17 - fromServerVersion: 5.0.0 - toServerVersion: "" definitionid: "" - prevname: "" + fromServerVersion: 5.0.0 isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false -name: SOC Containment_V3 + toServerVersion: "" description: |- Limit the damage, stop the attacker’s ability to continue harmful activity, and prevent the alert from spreading while preserving evidence and keeping essential business operations running. 
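Review bot: Task "12" (Endpoint Analysis Execution Branch) looks up `inputs.ExecutionBranch` with `simple: SOC Endpoint Analysis`, while the six sibling branches ("13"–"18") use the `_V3`-suffixed sub-playbook name (`SOC Data Analysis_V3`, `SOC Identity Analysis_V3`, …); if `lists.SOCExecutionList_V3` is keyed by the suffixed names, the first `getField` returns nothing, neither `Default` nor `Custom` matches, and endpoint alerts fall through `#default#` to "9" (Done) with no analysis and no indication — change it to `simple: SOC Endpoint Analysis_V3`, or document why the endpoint entry is keyed differently. The `Custom` label is defined in every branch condition but wired in none of the `nexttasks` maps, so `execute_branch: custom` also terminates at Done silently, as does an unrecognised `ProductCategory` in task "10"; routing `#default#` to a short task that records which branch was skipped would turn a silent triage gap into something an analyst can see. The `ExecutionBranch` input has `description: ""` even though every branch condition depends on its shape, and the same empty description appears in the SOC_Containment_V3.yml inputs hunk (`@@ -33,75 +30,110 @@`); suggest `description: 'Execution list (lists.SOCExecutionList_V3) keyed by sub-playbook name; each entry''s execute_branch selects default or custom.'` on both. Task "3" names its sub-playbook `SOC EndPoint Analysis_V3` (capital P) whereas task "12" and the other task names in this file spell it `Endpoint`, so it is worth confirming that `playbookId` matches the sub-playbook's actual id.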
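Review bot: `packID` goes from `soc-optimization-unified` to `""` in `contentitemexportablefields` (the new SOC_Analysis_V3.yml carries the same empty value), which drops the one field that tied this item to its pack; if the export tooling repopulates it on upload this is harmless, otherwise keep `packID: soc-optimization-unified`. `vcShouldKeepItemLegacyProdMachine: false` is also removed without replacement, and `version: 5` is dropped from the top of the file; both look like side effects of re-exporting from a different server rather than deliberate edits, so please confirm they are intended.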
@@ -33,75 +30,110 @@ description: |- Outcome: The alert is stabilized, the attacker’s ability to cause further harm is limited, and the environment is safe enough to begin eradication and recovery without losing essential evidence. +dirtyInputs: true +id: 'SOC Containment_V3' +inputSections: +- description: Generic group for inputs + inputs: + - ProductCategory + - ExecutionBranch + name: General (Inputs group) +inputs: +- description: 'Get the Product Category ' + key: ProductCategory + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Product.category} +- description: "" + key: ExecutionBranch + playbookInputQuery: null + required: false + value: + simple: ${lists.SOCExecutionList_V3} +name: SOC Containment_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +sourceplaybookid: SOC Containment_V3 +starttaskid: "0" tags: - SOC - SOC_Framework_Unified - Containment - NIST 800-61 -starttaskid: "0" tasks: "0": + continueonerrortype: "" id: "0" - taskid: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 - type: start + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 - version: -1 - name: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "9" - separatecontext: false - continueonerrortype: "" + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 + timertriggers: [] + type: start view: |- { "position": { - "x": 1257.5, - "y": 50 + "x": 1250, + "y": -100 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "1": + continueonerrortype: "" id: "1" - 
taskid: 0663ed94-0870-46de-9b69-b7b89f98aecd - type: playbook - task: - id: 0663ed94-0870-46de-9b69-b7b89f98aecd - version: -1 - name: SOC Data Containment_V3 - description: |- - Primary owners: Alert responders, automation, endpoint/network teams. - - Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. - playbookName: SOC Data Containment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 0 + wait: 1 nexttasks: '#none#': - "8" + note: false + quietmode: 0 scriptarguments: ShadowMode: simple: SOCFramework.shadow_mode separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: |- + Primary owners: Alert responders, automation, endpoint/network teams. + + Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. + id: 0663ed94-0870-46de-9b69-b7b89f98aecd iscommand: false - exitCondition: "" - wait: 1 - max: 0 + istaskmissingcomponenterrordismissed: false + name: SOC Data Containment_V3 + playbookId: SOC Data Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 0663ed94-0870-46de-9b69-b7b89f98aecd + timertriggers: [] + type: playbook view: |- { "position": { 
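Review bot: Task "1" passes `ShadowMode: simple: SOCFramework.shadow_mode` without `${…}`, whereas every other context-reading argument in this change is written as `simple: ${…}` (for example `${SOCFramework.Artifacts.Verdict}` in SOC_Analysis_V3.yml); if the platform treats a bare `simple` value as a literal string, a receiving Shadow Mode / Full Run condition of the shape visible at the top of this diff (`inputs.ShadowMode` with isTrue/isFalse) matches neither branch, so the containment sub-playbook would neither run nor print. Those argument lines are unchanged context here and on task "6" in hunk `@@ -142,44 +174,44 @@`, so this may be a pre-existing, working convention — but it should be settled as `simple: ${SOCFramework.shadow_mode}` or documented, since the new `inputs` block now sets the style for the file. The new `description: 'Get the Product Category '` carries a trailing space, and the start task now routes to "21", which does not appear in this diff; please confirm that task exists in the committed file.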
@@ -109,32 +141,32 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "2": + continueonerrortype: "" id: "2" - taskid: a2786a59-ca22-439f-8b0e-95768261ab21 - type: playbook - task: - id: a2786a59-ca22-439f-8b0e-95768261ab21 - version: -1 - name: SOC Email Containment_V3 - playbookName: SOC Email Containment_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "8" + note: false + quietmode: 0 separatecontext: true - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: a2786a59-ca22-439f-8b0e-95768261ab21 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Email Containment_V3 + playbookId: SOC Email Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: a2786a59-ca22-439f-8b0e-95768261ab21 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -142,44 +174,44 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "6": + continueonerrortype: "" id: "6" - taskid: 9ba85669-25b5-4ecd-903a-93c19eb1715b - type: playbook - task: - id: 9ba85669-25b5-4ecd-903a-93c19eb1715b - version: -1 - name: SOC SaaS Containment_V3 - description: |- - Primary owners: Alert responders, automation, endpoint/network teams. - - Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. - playbookName: SOC SaaS Containment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "8" + note: false + quietmode: 0 scriptarguments: ShadowMode: simple: SOCFramework.shadow_mode separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: |- + Primary owners: Alert responders, automation, endpoint/network teams. + + Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. + id: 9ba85669-25b5-4ecd-903a-93c19eb1715b iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC SaaS Containment_V3 + playbookId: SOC SaaS Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 9ba85669-25b5-4ecd-903a-93c19eb1715b + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -187,32 +219,32 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "7": + continueonerrortype: "" id: "7" - taskid: 8b26a6cf-2770-48b7-8e1e-c82c86e12557 - type: playbook - task: - id: 8b26a6cf-2770-48b7-8e1e-c82c86e12557 - version: -1 - name: SOC Workload Containment_V3 - playbookName: SOC Workload Containment_V3 - type: playbook - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "8" + note: false + quietmode: 0 separatecontext: true - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 8b26a6cf-2770-48b7-8e1e-c82c86e12557 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Workload Containment_V3 + playbookId: SOC Workload Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 8b26a6cf-2770-48b7-8e1e-c82c86e12557 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -220,28 +252,28 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "8": + continueonerrortype: "" id: "8" - taskid: 65f28176-2b84-4727-961b-54aaae7a2dd7 - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 65f28176-2b84-4727-961b-54aaae7a2dd7 - version: -1 - name: Done - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 65f28176-2b84-4727-961b-54aaae7a2dd7 + timertriggers: [] + type: title view: |- { "position": { 
@@ -249,116 +281,116 @@ tasks: "y": 775 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "9": - id: "9" - taskid: f9c4e418-5629-4e5b-b368-9e1ff70a4d10 - type: condition - task: - id: f9c4e418-5629-4e5b-b368-9e1ff70a4d10 - version: -1 - name: Product Category? - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Cloud SaaS: - - "18" - Cloud Workload: - - "19" - Data: - - "15" - Email: - - "14" - Endpoint: - - "16" - Identity: - - "20" - Network: - - "17" - separatecontext: false conditions: - - label: Email - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: Email - - label: Endpoint - condition: - - - operator: isEqualString - left: + label: Email + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: Endpoint - - label: Identity - condition: - - - operator: isEqualString - left: + label: Endpoint + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: Identity - - label: Data - condition: - - - operator: isEqualString - left: + label: Identity + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: Data - - label: Network - condition: - - - operator: isEqualString - left: + label: Data + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: Network - - label: Cloud SaaS - condition: - - - operator: isEqualString - left: + label: 
Network + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: SaaS - - label: Cloud Workload - condition: - - - operator: isEqualString - left: + label: Cloud SaaS + - condition: + - - left: + iscontext: true value: simple: inputs.ProductCategory - iscontext: true + operator: isEqualString right: value: simple: Workload + label: Cloud Workload continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Cloud SaaS: + - "18" + Cloud Workload: + - "19" + Data: + - "15" + Email: + - "14" + Endpoint: + - "16" + Identity: + - "20" + Network: + - "17" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f9c4e418-5629-4e5b-b368-9e1ff70a4d10 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Product Category? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: f9c4e418-5629-4e5b-b368-9e1ff70a4d10 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -366,37 +398,22 @@ tasks: "y": 220 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "10": + continueonerrortype: "" id: "10" - taskid: 6af8157c-0f1e-40d4-8cbf-c5e7f5701d23 - type: playbook - task: - id: 6af8157c-0f1e-40d4-8cbf-c5e7f5701d23 - version: -1 - name: SOC Identity Containment_V3 - description: "This playbook handles the main containment actions available with - Cortex XSIAM, including the following sub-playbooks: \n* Containment Plan - - Isolate endpoint\n * Containment Plan - Disable account\n* Containment Plan - - Quarantine file\n* Containment Plan - Block indicators\n* Containment Plan - - Clear user session (currently, the playbook supports only Okta)\n\nNote: - The playbook inputs enable manipulating the execution flow. Read the input - descriptions for details." - playbookName: SOC Identity Containment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "8" + note: false + quietmode: 0 scriptarguments: AutoContainment: simple: "False" @@ -408,20 +425,19 @@ tasks: simple: "False" IAMUserDomain: complex: - root: Issue + accessor: domain filters: - - - operator: containsGeneral - left: + - - left: + iscontext: true value: simple: issue - iscontext: true + operator: containsGeneral right: value: simple: '@' - accessor: domain + root: Issue transformers: - - operator: RegexExtractAll - args: + - args: error_if_no_match: {} ignore_case: {} multi_line: {} @@ -430,6 +446,7 @@ tasks: value: simple: ^([^@]+) unpack_matches: {} + operator: RegexExtractAll ShadowMode: simple: SOCFramework.shadow_mode UserContainment: 
@@ -437,12 +454,27 @@ tasks: Username: simple: ${issue.username} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: "This playbook handles the main containment actions available with + Cortex XSIAM, including the following sub-playbooks: \n* Containment Plan + - Isolate endpoint\n * Containment Plan - Disable account\n* Containment Plan + - Quarantine file\n* Containment Plan - Block indicators\n* Containment Plan + - Clear user session (currently, the playbook supports only Okta)\n\nNote: + The playbook inputs enable manipulating the execution flow. Read the input + descriptions for details." + id: 6af8157c-0f1e-40d4-8cbf-c5e7f5701d23 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC Identity Containment_V3 + playbookId: SOC Identity Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 6af8157c-0f1e-40d4-8cbf-c5e7f5701d23 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -450,51 +482,39 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "11": + continueonerrortype: "" id: "11" - taskid: 5e3220b7-cd88-499a-9795-8e466fafb2d7 - type: playbook - task: - id: 5e3220b7-cd88-499a-9795-8e466fafb2d7 - version: -1 - name: SOC Endpoint Containment_V3 - description: |- - Primary owners: Alert responders, automation, endpoint/network teams. - - Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. - playbookName: SOC Endpoint Containment_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "8" + note: false + quietmode: 0 scriptarguments: AutoContainment: simple: "False" EndpointID: - simple: ${Issue.agentid} + simple: ${SOCFramework.Artifacts.EndPointID} FeaturedHost: simple: "False" FileContainment: simple: "True" FileHash: - simple: ${Issue.filehash} + simple: ${SOCFramework.Artifacts.File} FilePath: simple: ${Issue.filepath} FileRemediation: simple: Quarantine FileVerdict: - simple: ${Issue.verdict} + simple: ${SOCFramework.Artifacts.Verdict.[0]} HostContainment: simple: "True" Hostname: 
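Review bot: In task 11 the scriptarguments now mix two sources of truth: `FileHash` reads the whole `SOCFramework.Artifacts.File` value while `FileVerdict` is truncated to `${SOCFramework.Artifacts.Verdict.[0]}` and `FilePath` still comes from `Issue.filepath`. With `FileContainment: "True"` and `FileRemediation: Quarantine`, a multi-file artifact set would have every hash judged by the first element's verdict, so a benign file can be quarantined or a malicious one skipped depending on ordering. If the framework guarantees one file per issue, say so in a comment next to the `[0]`; otherwise pass the full list, `simple: ${SOCFramework.Artifacts.Verdict}`, and let the sub-playbook pair hashes with verdicts by index, or take `FilePath` from the same artifact set. Whether `SOCFramework.Artifacts.File` is multi-valued is not visible in this hunk.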
@@ -502,12 +522,24 @@ tasks: ShadowMode: simple: ${SOCFramework.shadow_mode} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: |- + Primary owners: Alert responders, automation, endpoint/network teams. + + Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. + id: 58296e28-06e5-4da7-94c0-14cfe6478b74 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC Endpoint Containment_V3 + playbookId: SOC Endpoint Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 58296e28-06e5-4da7-94c0-14cfe6478b74 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -515,41 +547,41 @@ tasks: "y": 590 } } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "8" note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "12": - id: "12" - taskid: 2e54d1f4-9515-4f99-a815-0030c6b2799c - type: playbook + separatecontext: true + skipunavailable: false task: - id: 2e54d1f4-9515-4f99-a815-0030c6b2799c - version: -1 - name: SOC Network Containment_V3 + brand: "" description: |- Primary owners: Alert responders, automation, endpoint/network teams. Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. - playbookName: SOC Network Containment_V3 - type: playbook + id: 2e54d1f4-9515-4f99-a815-0030c6b2799c iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "8" - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 + name: SOC Network Containment_V3 + playbookId: SOC Network Containment_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 2e54d1f4-9515-4f99-a815-0030c6b2799c + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -557,42 +589,42 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "13": + continueonerrortype: "" id: "13" - taskid: 9a48b1d6-61e8-43aa-a346-ff821a332697 - type: playbook - task: - id: 9a48b1d6-61e8-43aa-a346-ff821a332697 - version: -1 - name: SOC - Email Containment - Example - playbookName: SOC - Email Containment - RAF - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "8" + note: false + quietmode: 0 scriptarguments: BlockIndicators: simple: "False" UserEngagement: simple: "False" separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: true + task: + brand: "" + id: 9a48b1d6-61e8-43aa-a346-ff821a332697 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC - Email Containment - Example + playbookId: 'SOC - Email Containment - RAF' + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 9a48b1d6-61e8-43aa-a346-ff821a332697 + timertriggers: [] + type: playbook view: |- { "position": { 
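Review bot: Task 13 points `playbookId` at `'SOC - Email Containment - RAF'` while its displayed `name` is `SOC - Email Containment - Example`, and `skipunavailable: true` means that if the RAF playbook is not installed the task is skipped without error and the email branch ends at task 8 with no containment performed. In a shared pack that silently disables response for an entire product category. Either reference the example playbook the name promises, or set `skipunavailable: false` so a missing dependency fails visibly, and record the intended environment in `description`. The `- RAF` suffix suggests an environment-specific playbook, but that is inferred from the name only.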
@@ -600,80 +632,80 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "14": - id: "14" - taskid: d86f9961-8748-4ada-a6ea-fbc465ca239b - type: condition - task: - id: d86f9961-8748-4ada-a6ea-fbc465ca239b - version: -1 - name: Email Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Custom: - - "13" - Default: - - "2" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Email Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Email Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Custom: + - "13" + Default: + - "2" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d86f9961-8748-4ada-a6ea-fbc465ca239b + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Email Containment Execution 
Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: d86f9961-8748-4ada-a6ea-fbc465ca239b + timertriggers: [] + type: condition view: |- { "position": { 
@@ -681,78 +713,78 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "15": - id: "15" - taskid: bea5ec66-6bc4-4d50-b53a-630f4942eb1c - type: condition - task: - id: bea5ec66-6bc4-4d50-b53a-630f4942eb1c - version: -1 - name: Data Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Default: - - "1" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Data Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Data Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Default: + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bea5ec66-6bc4-4d50-b53a-630f4942eb1c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Data Containment Execution Branch + playbooktaskmissingcomponent: null 
+ type: condition + version: -1 + taskid: bea5ec66-6bc4-4d50-b53a-630f4942eb1c + timertriggers: [] + type: condition view: |- { "position": { 
@@ -760,157 +792,157 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "16": - id: "16" - taskid: bfa559df-b0f4-4744-99da-a78ded4ffd81 - type: condition - task: - id: bfa559df-b0f4-4744-99da-a78ded4ffd81 - version: -1 - name: Endpoint Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Default: - - "11" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Endpoint Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Endpoint Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Default: + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: bfa559df-b0f4-4744-99da-a78ded4ffd81 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Endpoint Containment Execution Branch + 
playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: bfa559df-b0f4-4744-99da-a78ded4ffd81 + timertriggers: [] + type: condition view: |- { "position": { "x": 2362.5, "y": 405 } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false + } "17": - id: "17" - taskid: a06f2bee-8b17-4710-af3f-17e8b48f20a7 - type: condition - task: - id: a06f2bee-8b17-4710-af3f-17e8b48f20a7 - version: -1 - name: Network Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Default: - - "12" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Network Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Network Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Default: + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 
a06f2bee-8b17-4710-af3f-17e8b48f20a7 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Network Containment Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: a06f2bee-8b17-4710-af3f-17e8b48f20a7 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -918,78 +950,78 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "18": - id: "18" - taskid: 8c74e1e1-fe1c-4572-9ebf-5608a6450fb2 - type: condition - task: - id: 8c74e1e1-fe1c-4572-9ebf-5608a6450fb2 - version: -1 - name: SaaS Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Default: - - "6" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC SaaS Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC SaaS Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Default: + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8c74e1e1-fe1c-4572-9ebf-5608a6450fb2 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SaaS Containment Execution Branch + playbooktaskmissingcomponent: null 
+ type: condition + version: -1 + taskid: 8c74e1e1-fe1c-4572-9ebf-5608a6450fb2 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -997,76 +1029,76 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "19": - id: "19" - taskid: c44e25f5-eea2-41bf-93ca-e8a97a3b6e86 - type: condition - task: - id: c44e25f5-eea2-41bf-93ca-e8a97a3b6e86 - version: -1 - name: Workload Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - Default: - - "7" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Workload Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Workload Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Default: + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: c44e25f5-eea2-41bf-93ca-e8a97a3b6e86 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Workload Containment Execution Branch + playbooktaskmissingcomponent: null + type: condition + version: 
-1 + taskid: c44e25f5-eea2-41bf-93ca-e8a97a3b6e86 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -1074,78 +1106,78 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "20": - id: "20" - taskid: f4dc5700-dd72-4a7d-bd48-3197f138f8d2 - type: condition - task: - id: f4dc5700-dd72-4a7d-bd48-3197f138f8d2 - version: -1 - name: Identity Containment Execution Branch - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "8" - Default: - - "10" - separatecontext: false conditions: - - label: Default - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Identity Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: default - - label: Custom - condition: - - - operator: isEqualString - left: + label: Default + - condition: + - - left: + iscontext: true value: complex: root: inputs.ExecutionBranch transformers: - - operator: getField - args: + - args: field: value: simple: SOC Identity Containment_V3 - - operator: getField - args: + operator: getField + - args: field: value: simple: execute_branch - iscontext: true + operator: getField + operator: isEqualString right: value: simple: custom + label: Custom continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Default: + - "10" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f4dc5700-dd72-4a7d-bd48-3197f138f8d2 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Identity Containment Execution Branch + 
playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: f4dc5700-dd72-4a7d-bd48-3197f138f8d2 + timertriggers: [] + type: condition view: |- { "position": { @@ -1153,14 +1185,49 @@ tasks: "y": 405 } } - note: false - timertriggers: [] + "21": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: 'Analysis.response_recommended ' + operator: isTrue + label: "yes" + continueonerrortype: "" + id: "21" ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false -system: true + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "9" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 209eb193-974e-413b-861e-032622483935 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Analysis Recommended an Action + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 209eb193-974e-413b-861e-032622483935 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1250, + "y": 30 + } + } +version: -1 view: |- { "linkLabelsPosition": { @@ -1169,36 +1236,10 @@ view: |- }, "paper": { "dimensions": { - "height": 785, + "height": 935, "width": 3705, "x": 50, - "y": 50 + "y": -100 } } } -inputs: -- key: ProductCategory - value: - simple: ${SOCFramework.Product.category} - required: false - description: 'Get the Product Category ' - playbookInputQuery: null -- key: ExecutionBranch - value: - simple: ${lists.SOCExecutionList_V3} - required: false - description: "" - playbookInputQuery: null -inputSections: -- inputs: - - ProductCategory - - ExecutionBranch - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs -outputs: [] -dirtyInputs: true -adopted: true 
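Review bot: The new gating task 21 tests the context path `'Analysis.response_recommended '` with a trailing space inside the quotes; unless the engine trims the path, `isTrue` never matches and every issue falls through `#default#` to task 8, so all containment branches are skipped silently. The analysis sub-playbook added later in this diff declares its output as `analysis.response_recommended` (lowercase), so the capitalisation should be checked against what the producer actually writes as well. Change the value to `simple: Analysis.response_recommended` (or the lowercase form, whichever matches the producer) and consider an explicit "no" branch that records why containment was not attempted instead of reusing the Done task as the default.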
diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_EndPoint_Analysis_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_EndPoint_Analysis_V3.yml new file mode 100644 index 0000000..a05b6cd --- /dev/null +++ b/Packs/soc-optimization-unified/Playbooks/SOC_EndPoint_Analysis_V3.yml 
@@ -0,0 +1,1382 @@ +fromversion: 5.0.0 +adopted: true +contentitemexportablefields: + contentitemfields: + definitionid: "" + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" + supportedModules: [] + toServerVersion: "" +description: |- + This is the analyst’s core domain. + + Key tasks: + + Investigate alerts and anomalies. + + Validate true/false positives. + + Perform triage, correlation, and root cause analysis. + + Classify the alert (category, severity, impact). + + Document findings and escalate confirmed alerts. + + Outcome: Determine whether an event is a legitimate alert and assess its scope. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. +dirtyInputs: true +id: 'SOC EndPoint Analysis_V3' +inputSections: +- description: Generic group for inputs + inputs: + - SHA256 + - IPAddress + - MessageID + - ListernerMailbox + - file_name + - file_path + - endpoint_id + - alert_id + - process_name + - pid + - verdict + - user_name + - entity_type + - case_category + name: General (Inputs group) +inputs: +- description: "" + key: SHA256 + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.File} +- description: "" + key: IPAddress + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.IP} +- description: "" + key: MessageID + playbookInputQuery: null + required: false + value: + simple: ${issue.emailmessageid} +- description: "" + key: ListernerMailbox + playbookInputQuery: null + required: false + value: + simple: ${issue.xdmemailmailboxowner} +- description: "" + key: file_name + playbookInputQuery: null + required: false + value: + simple: ${issue.filename} +- description: "" + key: file_path + playbookInputQuery: null + required: false + value: + simple: ${issue.filepath} +- description: "" + key: endpoint_id + playbookInputQuery: null + 
required: false + value: + simple: ${SOCFramework.Artifacts.EndPointID} +- description: "" + key: alert_id + playbookInputQuery: null + required: false + value: + simple: ${issue.id} +- description: "" + key: process_name + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.ProcessName} +- description: "" + key: pid + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.PID} +- description: "" + key: verdict + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.Verdict} +- description: "" + key: user_name + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.UserName} +- description: "" + key: entity_type + playbookInputQuery: null + required: false + value: + complex: + accessor: category + root: SOCFramework.Product + transformers: + - operator: toLowerCase +- description: "" + key: case_category + playbookInputQuery: null + required: false + value: + complex: + accessor: CategoryType + root: SOCFramework.Artifacts + transformers: + - operator: toLowerCase +name: SOC EndPoint Analysis_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - analysis.verdict + - analysis.case_category + - analysis.confidence + - analysis.primary_entity_type + - analysis.primary_entity_id + - analysis.secondary_entities + - analysis.response_recommended + - analysis.notes +outputs: +- contextPath: analysis.verdict + type: unknown +- contextPath: analysis.case_category + type: unknown +- contextPath: analysis.confidence + type: unknown +- contextPath: analysis.primary_entity_type + type: unknown +- contextPath: analysis.primary_entity_id + type: unknown +- contextPath: analysis.secondary_entities + type: unknown +- contextPath: analysis.response_recommended + type: unknown +- contextPath: analysis.notes + type: unknown +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: "0" +tags: +- SOC +- 
SOC_Framework_Unified +- Detection & Analysis +- NIST 800-61 +- EndPoint +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "15" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7e6a701e-667b-4a70-8a74-14564da75fc7 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": -530, + "y": 70 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -220, + "y": 2280 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: sourceBrand + root: issue + transformers: + - operator: toLowerCase + operator: isEqualString + right: + value: + simple: traps + label: XDR Agent + - condition: + - - left: + iscontext: true + value: + simple: issue.originalalertsource + operator: isEqualString + right: + value: + simple: Microsoft Defender for Endpoint + label: MS Defender + - condition: + - - left: + iscontext: true + value: + simple: issue.tags + operator: isEqualString + right: + value: + simple: DS:CrowdStrike/Falcon_Event + label: CrowdStrike + - condition: + - - left: + iscontext: true + value: + simple: issue.tags + operator: isEqualString + right: + value: + simple: DS:Trend Micro Vision One V3 + label: Trend Micro + 
continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + MS Defender: + - "11" + Trend Micro: + - "14" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e4f0079d-d9a1-496b-8830-e9436d7f984f + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Endpoint Agent? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: e4f0079d-d9a1-496b-8830-e9436d7f984f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 550, + "y": 400 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + IPAddress: + simple: ${inputs.IPAddress} + ListenerMailbox: + simple: ${inputs.ListernerMailbox} + MessageID: + simple: ${inputs.MessageID} + ResultsLimit: + simple: "50" + SHA256: + simple: ${inputs.SHA256} + SearchTimeframe: + simple: "7" + Timeout: + simple: "180" + separatecontext: true + skipunavailable: true + task: + brand: "" + description: | + This playbook retrieves email data based on the `URLDomain`, `SHA256`, `IPAddress`. and `MessageID` inputs. The output is a unified object with all of the retrieved emails based on the following sub-playbooks outputs: + + - **Microsoft 365 Defender - Get Email URL clicks**: + Retrieves data based on URL click events. + + + - **Microsoft 365 Defender - Emails Indicators Hunt**: + Retrieves data based on several different email events. + + Read the playbook's descriptions in order to get the full details. 
+ id: 080a811b-4797-4133-b3b2-540e5bb1efb4 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Microsoft 365 Defender - Threat Hunting Generic + playbookId: Microsoft 365 Defender - Threat Hunting Generic + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 080a811b-4797-4133-b3b2-540e5bb1efb4 + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 450, + "y": 640 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true + task: + brand: "" + id: b5188a48-89ce-4695-ae0f-1834c19c7bed + iscommand: false + istaskmissingcomponenterrordismissed: false + name: SOC Trend Micro Alert Enrichment + playbookId: SOC Trend Micro Alert Enrichment + playbookName: SOC Trend Micro Alert Enrichment + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: b5188a48-89ce-4695-ae0f-1834c19c7bed + timertriggers: [] + type: playbook + view: |- + { + "position": { + "x": 910, + "y": 650 + } + } + "15": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.SHA256 + operator: isNotEmpty + label: FILE + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "10" + - "16" + FILE: + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 69b517d8-a3b4-42a1-86e3-ac67d80b762c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Artifact Is File? 
+ playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 69b517d8-a3b4-42a1-86e3-ac67d80b762c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -530, + "y": 220 + } + } + "16": + continueonerrortype: "" + id: "16" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "38" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 667d3087-7a84-4449-a2b5-82483e404ed4 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Artifact is Process / Behavior + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 667d3087-7a84-4449-a2b5-82483e404ed4 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1520, + "y": 387.5 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4a5347c9-1b51-4060-9103-6952be298b3e + iscommand: false + istaskmissingcomponenterrordismissed: false + name: File Verdict + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 4a5347c9-1b51-4060-9103-6952be298b3e + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -530, + "y": 530 + } + } + "19": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + operator: isEqualString + right: + value: + simple: malicious + label: Malicious + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + operator: isEqualString + right: + value: + simple: suspicious + label: Supicious + - condition: + - - left: + iscontext: true + value: + complex: + root: inputs.verdict + transformers: + - operator: 
toLowerCase + operator: isEqualString + right: + value: + simple: benign + label: Benign + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "2" + Benign: + - "25" + Malicious: + - "21" + Supicious: + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: This pulls from the SOC Framework field that is set in the Upon + Trigger from the Unit 42 Intelligence data context. + id: cefda01d-1514-443f-8bf1-8d0bc6e9a9dc + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Unit 42 File Verdict + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: cefda01d-1514-443f-8bf1-8d0bc6e9a9dc + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": -530, + "y": 700 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 96b43e5e-3ad6-498c-98fe-406da228309d + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Artifact is FIle + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 96b43e5e-3ad6-498c-98fe-406da228309d + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -530, + "y": 387.5 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 60e76198-1b19-4918-9492-86b16b2ba083 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Malcious + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 60e76198-1b19-4918-9492-86b16b2ba083 + timertriggers: [] 
+ type: title + view: |- + { + "position": { + "x": -1420, + "y": 900 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8e4c5b5a-69ec-44c5-9277-c30466868862 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Supicious + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 8e4c5b5a-69ec-44c5-9277-c30466868862 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -980, + "y": 900 + } + } + "23": + continueonerror: true + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "35" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.verdict + value: + simple: malicious + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 6ebe5b9f-4207-466c-9bf3-fb656b142cc3 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Verdict + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 6ebe5b9f-4207-466c-9bf3-fb656b142cc3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1420, + "y": 1050 + } + } + "24": + continueonerror: true + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "37" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.verdict + value: + simple: supicious + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: d60ff05a-04d8-455c-8697-78b16442ce89 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Verdict + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: d60ff05a-04d8-455c-8697-78b16442ce89 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -980, + "y": 1050 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 836a021d-4297-4663-9886-a99995717c56 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Benign + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 836a021d-4297-4663-9886-a99995717c56 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -550, + "y": 900 + } + } + "26": + continueonerror: true + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "36" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.verdict + value: + simple: benign + separatecontext: false + skipunavailable: false + task: + brand: "" + 
description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: d7eb1278-d5aa-4dc4-902f-98ee124f7965 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Verdict + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: d7eb1278-d5aa-4dc4-902f-98ee124f7965 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -550, + "y": 1050 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7042e9a9-6674-449e-86a9-1580dcb8e7ca + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Analysis Details + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 7042e9a9-6674-449e-86a9-1580dcb8e7ca + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -980, + "y": 1500 + } + } + "28": + continueonerror: true + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "29" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.primary_entity_type + value: + complex: 
+ root: inputs.entity_type + transformers: + - operator: toLowerCase + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 8de3f341-2b1d-463a-b84d-bc21adca0ed3 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Entity Type + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 8de3f341-2b1d-463a-b84d-bc21adca0ed3 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -980, + "y": 1620 + } + } + "29": + continueonerror: true + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "30" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.case_category + value: + simple: ${inputs.case_category} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 05b96653-8ad6-4a58-88ff-9eafb4a2ae1c + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Category Type + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 05b96653-8ad6-4a58-88ff-9eafb4a2ae1c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -980, + "y": 1800 + } + } + "30": + continueonerror: true + continueonerrortype: "" + id: "30" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "31" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.confidence + value: + simple: high + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 0fbc31cb-05e6-4ebd-b48c-b2f1b4b2f0ce + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Verdict Confidence + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0fbc31cb-05e6-4ebd-b48c-b2f1b4b2f0ce + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -980, + "y": 1962.5 + } + } + "31": + continueonerror: true + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + key: + simple: Analysis.primary_entity_id + value: + simple: ${inputs.endpoint_id} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 43b66a7a-e4ad-4cdb-8c51-c522e0c9c8ff + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Entity Type + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 43b66a7a-e4ad-4cdb-8c51-c522e0c9c8ff + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -980, + "y": 2120 + } + } + "32": + continueonerror: true + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + scriptarguments: + key: + simple: 'Analysis.response_recommended ' + value: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: be9ece67-c525-42a5-b200-fdd2dadad478 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Response Recommended + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: be9ece67-c525-42a5-b200-fdd2dadad478 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1420, + "y": 1300 + } + } + "33": + continueonerror: true + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + scriptarguments: + key: + simple: 'Analysis.response_recommended ' + value: + simple: "false" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 0cbdfec7-90a8-4dac-86e3-c7b1ac90e84d + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Response Recommended + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0cbdfec7-90a8-4dac-86e3-c7b1ac90e84d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -550, + "y": 1300 + } + } + "34": + continueonerror: true + continueonerrortype: "" + id: "34" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + scriptarguments: + key: + simple: 'Analysis.response_recommended ' + value: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: "Set a value in context under the key you entered. 
If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: da79252d-5ff2-436a-bfae-c4f9fe852810 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Analysis Phase Response Recommended + playbooktaskmissingcomponent: null + script: SetAndHandleEmpty + type: regular + version: -1 + taskid: da79252d-5ff2-436a-bfae-c4f9fe852810 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -980, + "y": 1300 + } + } + "35": + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "32" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: f12a353f-5828-403c-8abd-adf7099d6492 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Action Required + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: f12a353f-5828-403c-8abd-adf7099d6492 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -1420, + "y": 1172.5 + } + } + "36": + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0691f226-13d0-4cd7-9035-bed3061629f1 + iscommand: false + 
istaskmissingcomponenterrordismissed: false + name: Action Required + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 0691f226-13d0-4cd7-9035-bed3061629f1 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -550, + "y": 1180 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "34" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 4a968990-6563-4d01-9691-0bbf574dcbf2 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Action Required + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 4a968990-6563-4d01-9691-0bbf574dcbf2 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": -980, + "y": 1180 + } + } + "38": + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + value: + simple: Endpoint=${inputs.endpoint_id} PID=${inputs.pid} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Prints text to war room (Markdown supported) + id: c9bc08b3-ae3b-4955-9f09-82a14fa08d6d + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Print PID + playbooktaskmissingcomponent: null + script: Print + type: regular + version: -1 + taskid: c9bc08b3-ae3b-4955-9f09-82a14fa08d6d + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -1520, + "y": 515 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "15_20_FILE": 0.89 + }, + "paper": { + "dimensions": { + "height": 2270, + "width": 2810, + "x": -1520, + "y": 70 + } + } + } diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml index e44617d..efc2059 100644 
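Review bot: Task "24" writes `simple: supicious` into `Analysis.verdict` (and task "19" labels that branch `Supicious`), so any consumer comparing the verdict against `suspicious` — including `FileVerdict: ${Analysis.verdict}` in the SOC_Endpoint_Containment_V3.yml hunk of this commit — will never match on that path; it should be `simple: suspicious`. Two branches also dead-end before the `Analysis Details` chain (tasks "27"–"31") or `Done`: task "10" declares the labels `XDR Agent` and `CrowdStrike` but lists no `nexttasks` for them, and task "38" (`Print PID`) has no `nexttasks` at all, so for process/behaviour artifacts `Analysis.primary_entity_id` is never set even though the containment playbook reads it as `EndpointID`. The `outputs:` section declares `analysis.verdict`, `analysis.confidence` etc. in lower case while every task sets `Analysis.*`; unless context lookup is case-insensitive on this platform the declared outputs will not populate, so aligning them to `Analysis.*` is the safer choice. Task "31" sets `Analysis.primary_entity_id` but carries the same name as task "28" (`Set Analysis Phase Entity Type`); renaming it `Set Analysis Phase Entity ID` would make the war-room trail readable.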
--- a/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml
+++ b/Packs/soc-optimization-unified/Playbooks/SOC_Endpoint_Containment_V3.yml
@@ -1,48 +1,169 @@ fromversion: 5.0.0 -id: SOC Endpoint Containment_V3 -version: 4 +adopted: true contentitemexportablefields: contentitemfields: - packID: soc-optimization-unified - packName: SOC Framework Unified - itemVersion: 3.0.17 - fromServerVersion: 5.0.0 - toServerVersion: "" definitionid: "" - prevname: "" + fromServerVersion: 5.0.0 isoverridable: false + itemVersion: 3.0.29 + packID: "" + packName: SOC Framework Unified + prevname: "" supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false -name: SOC Endpoint Containment_V3 + toServerVersion: "" description: |- Primary owners: Alert responders, automation, endpoint/network teams. Analyst role: May initiate or recommend containment actions (isolate host, disable account, block IP), often via playbook automation or escalation. +dirtyInputs: true +id: 'SOC Endpoint Containment_V3' +inputSections: +- description: Generic group for inputs + inputs: + - AutoContainment + - HostContainment + - FileContainment + - EndpointID + - FileHash + - FilePath + - FileRemediation + - ShadowMode + - Hostname + - FeaturedHost + - FileVerdict + - SourceBrand + name: General (Inputs group) +inputs: +- description: |- + Whether to execute containment plan (except isolation) automatically. + The specific containment playbook inputs should also be set to 'True'. + key: AutoContainment + playbookInputQuery: null + required: false + value: + simple: "False" +- description: Whether to execute endpoint isolation. + key: HostContainment + playbookInputQuery: null + required: false + value: + simple: "True" +- description: Set to 'True' to quarantine the identified file. + key: FileContainment + playbookInputQuery: null + required: false + value: + simple: "True" +- description: The endpoint ID to run commands over. + key: EndpointID + playbookInputQuery: null + required: false + value: + simple: ${Analysis.primary_entity_id} +- description: The file hash to block. 
+ key: FileHash + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.File} +- description: The path of the file to block. + key: FilePath + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.FilePath} +- description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. + \nFor example, choosing 'Quarantine' ignores the 'Delete file' task under the + eradication playbook and will execute only file quarantine." + key: FileRemediation + playbookInputQuery: null + required: false + value: + simple: Quarantine +- description: "" + key: ShadowMode + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.shadow_mode} +- description: "" + key: Hostname + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Artifacts.HostName} +- description: Is this a Featured Host? + key: FeaturedHost + playbookInputQuery: null + required: false + value: + simple: "False" +- description: File Verdict from Enrichment + key: FileVerdict + playbookInputQuery: null + required: false + value: + simple: ${Analysis.verdict} +- description: This is the Source Brand for the Integration. Set in the SOCProductCategoryMap_V3 + List. + key: SourceBrand + playbookInputQuery: null + required: false + value: + simple: ${SOCFramework.Product.response} +name: SOC Endpoint Containment_V3 +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: + - Blocklist.Final + - QuarantinedFilesFromEndpoints + - Core.blocklist.added_hashes + - Core.Isolation.endpoint_id +outputs: +- contextPath: Blocklist.Final + description: The blocked accounts. + type: unknown +- contextPath: QuarantinedFilesFromEndpoints + description: The quarantined files from endpoint. + type: unknown +- contextPath: Core.blocklist.added_hashes + description: The file Hash that was added to the blocklist. 
+- contextPath: Core.Isolation.endpoint_id + description: The isolated endpoint ID. +sourceplaybookid: Containment Plan +starttaskid: "0" tags: - SOC - SOC_Framework_Unified - Containment - NIST 800-61 - EndPoint -starttaskid: "0" tasks: "0": + continueonerrortype: "" id: "0" - taskid: 8b859cdc-d653-40d8-88b5-856b497221a5 - type: start - task: - id: 8b859cdc-d653-40d8-88b5-856b497221a5 - version: -1 - name: "" - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "150" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 8b859cdc-d653-40d8-88b5-856b497221a5 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: "" + playbooktaskmissingcomponent: null + version: -1 + taskid: 8b859cdc-d653-40d8-88b5-856b497221a5 + timertriggers: [] + type: start view: |- { "position": { 
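Review bot: The new `EndpointID` default `${Analysis.primary_entity_id}` is the id of whichever entity the analysis picked as primary, which is not necessarily a host, and task 169 forwards it unchanged as `Endpoint ID` to the isolation router, so a file- or user-centric alert could hand a non-endpoint identifier to an isolation action. If `Analysis` exposes an entity type, gate on it, or fall back to the `SOCFramework.Artifacts.EndPointID` path that the new wrapper script's docstring references. Separately, `packID` went from `soc-optimization-unified` to `""` while `packName` is unchanged, which reads as an export artifact rather than an intended change. `FileHash` now reads `${SOCFramework.Artifacts.File}` next to `FilePath`'s `${SOCFramework.Artifacts.FilePath}`; confirm `Artifacts.File` actually holds the hash that task 149 pairs with the path via MakePair.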
@@ -50,31 +171,31 @@ tasks: "y": 50 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "48": + continueonerrortype: "" id: "48" - taskid: 5683bb61-e50c-4fee-8006-76a9d2cd15e6 - type: title - task: - id: 5683bb61-e50c-4fee-8006-76a9d2cd15e6 - version: -1 - name: Isolate Device - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "165" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 5683bb61-e50c-4fee-8006-76a9d2cd15e6 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Isolate Device + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 5683bb61-e50c-4fee-8006-76a9d2cd15e6 + timertriggers: [] + type: title view: |- { "position": { 
@@ -82,31 +203,31 @@ tasks: "y": 1130 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "50": + continueonerrortype: "" id: "50" - taskid: 1cc8a082-9506-43d3-86ed-50836d2be721 - type: title - task: - id: 1cc8a082-9506-43d3-86ed-50836d2be721 - version: -1 - name: Quarantine File - type: title - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "168" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 1cc8a082-9506-43d3-86ed-50836d2be721 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Quarantine File + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 1cc8a082-9506-43d3-86ed-50836d2be721 + timertriggers: [] + type: title view: |- { "position": { 
@@ -114,49 +235,49 @@ tasks: "y": 1130 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "138": - id: "138" - taskid: cb628d2d-29f6-4d2b-8250-f7d20b163239 - type: condition - task: - id: cb628d2d-29f6-4d2b-8250-f7d20b163239 - version: -1 - name: Should containment automatically? - description: |+ - Whether to perform containment actions automatically or manually. - - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "139" - "yes": - - "147" - separatecontext: false conditions: - - label: "yes" - condition: - - - operator: isEqualString + - condition: + - - ignorecase: true left: + iscontext: true value: complex: root: inputs.AutoContainment - iscontext: true + operator: isEqualString right: value: simple: "True" - ignorecase: true + label: "yes" continueonerrortype: "" + id: "138" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "139" + "yes": + - "147" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |+ + Whether to perform containment actions automatically or manually. + + id: ba28dbc8-bdbf-43ef-8124-2878feeb213e + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Should containment automatically? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: ba28dbc8-bdbf-43ef-8124-2878feeb213e + timertriggers: [] + type: condition view: |- { "position": { 
@@ -164,128 +285,81 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "139": - id: "139" - taskid: eeedc27d-be4e-4065-adb7-cf22d2f6a75d - type: collection - task: - id: eeedc27d-be4e-4065-adb7-cf22d2f6a75d - version: -1 - name: Which containment actions would you like to perform? - description: Select which indicators to block. - type: collection - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - "147" - separatecontext: false continueonerrortype: "" - view: |- - { - "position": { - "x": 172.5, - "y": 775 - } - } - note: false - timertriggers: [] - ignoreworker: false - message: - to: null - subject: null - body: null - methods: [] - format: "" - bcc: null - cc: null - timings: - retriescount: 2 - retriesinterval: 360 - completeafterreplies: 1 - completeafterv2: true - completeaftersla: false form: + description: Select which containment actions to perform + expired: false questions: - - id: "0" + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" label: "" labelarg: simple: Select the Endpoint to isolate by Endpoint name - required: false - gridcolumns: [] - defaultrows: [] - type: multiSelect options: [] optionsarg: - complex: - root: Core.Endpoint accessor: endpoint_name + root: Core.Endpoint transformers: - operator: uniq - fieldassociated: "" placeholder: "" - tooltip: "" readonly: false - - id: "1" + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "1" label: "" labelarg: simple: Select Endpoint to isolate by Endpoint ID - required: false - gridcolumns: [] - defaultrows: [] - type: multiSelect options: [] optionsarg: - complex: root: inputs.EndpointID transformers: - operator: uniq - fieldassociated: "" placeholder: "" - tooltip: "" readonly: false - - id: "2" + 
required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "2" label: "" labelarg: simple: Select Files to quarantine - required: false - gridcolumns: [] - defaultrows: [] - type: multiSelect options: [] optionsarg: - complex: root: FilesList transformers: - operator: uniq - - operator: SetIfEmpty - args: + - args: applyIfEmpty: {} defaultValue: + iscontext: true value: simple: inputs.FilePath - iscontext: true - fieldassociated: "" + operator: SetIfEmpty placeholder: "" - tooltip: "" readonly: false - - id: "3" + required: false + tooltip: "" + type: multiSelect + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "3" label: "" labelarg: simple: 'Select Files Hash to block ' - required: false - gridcolumns: [] - defaultrows: [] - type: multiSelect options: [] optionsarg: - complex: 
@@ -293,38 +367,85 @@ tasks: transformers: - operator: uniq - {} - fieldassociated: "" placeholder: "" - tooltip: "" readonly: false - title: Which containment actions would you like to perform? - description: Select which containment actions to perform + required: false + tooltip: "" + type: multiSelect sender: "" - expired: false + title: Which containment actions would you like to perform? totalanswers: 0 - skipunavailable: false - quietmode: 0 - isoversize: false + id: "139" + ignoreworker: false isautoswitchedtoquietmode: false - "147": - id: "147" - taskid: f486236e-11d4-4d91-8f9d-252577239705 - type: title + isoversize: false + message: + bcc: null + body: null + cc: null + format: "" + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - "147" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: - id: f486236e-11d4-4d91-8f9d-252577239705 - version: -1 - name: Containment - type: title - iscommand: false brand: "" - playbooktaskmissingcomponent: null + description: Select which indicators to block. + id: eeedc27d-be4e-4065-adb7-cf22d2f6a75d + iscommand: false istaskmissingcomponenterrordismissed: false + name: Which containment actions would you like to perform? 
+ playbooktaskmissingcomponent: null + type: collection + version: -1 + taskid: eeedc27d-be4e-4065-adb7-cf22d2f6a75d + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 172.5, + "y": 775 + } + } + "147": + continueonerrortype: "" + id: "147" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - "50" - "48" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: f486236e-11d4-4d91-8f9d-252577239705 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Containment + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: f486236e-11d4-4d91-8f9d-252577239705 + timertriggers: [] + type: title view: |- { "position": { @@ -332,28 +453,28 @@ tasks: "y": 960 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "148": + continueonerrortype: "" id: "148" - taskid: 48ad472b-5301-4524-899a-41e29d38151d - type: title + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: "" id: 48ad472b-5301-4524-899a-41e29d38151d - version: -1 - name: Done - type: title iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: false - continueonerrortype: "" + name: Done + playbooktaskmissingcomponent: null + type: title + version: -1 + taskid: 48ad472b-5301-4524-899a-41e29d38151d + timertriggers: [] + type: title view: |- { "position": { 
@@ -361,33 +482,20 @@ tasks: "y": 1855 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "149": + continueonerror: true + continueonerrortype: errorPath id: "149" - taskid: f93cc26a-6b45-420b-8ec8-c33e920be3a7 - type: regular - task: - id: f93cc26a-6b45-420b-8ec8-c33e920be3a7 - version: -1 - name: Set Process list - description: Set a value in context under the key you entered. - scriptName: Set - type: regular - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#error#': - "151" '#none#': - "138" + note: false + quietmode: 0 scriptarguments: key: simple: FilesList @@ -397,14 +505,13 @@ tasks: complex: root: inputs.FilePath transformers: - - operator: MakePair - args: + - args: array1_key: iscontext: true array2: + iscontext: true value: simple: inputs.FileHash - iscontext: true array2_key: {} determine_output_length_by: {} merge_dict: {} @@ -414,9 +521,23 @@ tasks: output_name2: value: simple: Hash + operator: MakePair separatecontext: false - continueonerror: true - continueonerrortype: errorPath + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: f93cc26a-6b45-420b-8ec8-c33e920be3a7 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Set Process list + playbooktaskmissingcomponent: null + script: Set + type: regular + version: -1 + taskid: f93cc26a-6b45-420b-8ec8-c33e920be3a7 + timertriggers: [] + type: regular view: |- { "position": { 
@@ -424,51 +545,51 @@ tasks: "y": 405 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "150": - id: "150" - taskid: d3750674-0c66-4ecc-8c51-8d01487249d7 - type: condition - task: - id: d3750674-0c66-4ecc-8c51-8d01487249d7 - version: -1 - name: The file path and file hash defined? - description: Check if the file path and file hash are defined. - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "138" - "yes": - - "149" - separatecontext: false conditions: - - label: "yes" - condition: - - - operator: isNotEmpty - left: + - condition: + - - left: + iscontext: true value: complex: root: inputs.FilePath - iscontext: true + operator: isNotEmpty right: value: {} - - - operator: isNotEmpty - left: + - - left: + iscontext: true value: complex: root: inputs.FileHash - iscontext: true + operator: isNotEmpty + label: "yes" continueonerrortype: "" + id: "150" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "138" + "yes": + - "149" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if the file path and file hash are defined. + id: d3750674-0c66-4ecc-8c51-8d01487249d7 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: The file path and file hash defined? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: d3750674-0c66-4ecc-8c51-8d01487249d7 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -476,34 +597,34 @@ tasks: "y": 220 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "151": + continueonerrortype: "" id: "151" - taskid: 2bd9441a-09d2-4286-8c0f-b3bfec13291e - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" + iscommand: false + max: 100 + wait: 1 + note: false + quietmode: 0 + separatecontext: true + skipunavailable: true task: + brand: "" id: 2bd9441a-09d2-4286-8c0f-b3bfec13291e - version: -1 - name: Foundation - Error Handling_V3 - playbookName: Foundation - Error Handling_V3 - type: playbook iscommand: false - brand: "" - playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 + name: Foundation - Foundation - Error Handling_V3 + playbookId: Foundation - Foundation - Error Handling_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 2bd9441a-09d2-4286-8c0f-b3bfec13291e + timertriggers: [] + type: playbook view: |- { "position": { 
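Review bot: The error-handling sub-playbook reference in task 151 changed from `Foundation - Error Handling_V3` to `Foundation - Foundation - Error Handling_V3` in both `name` and `playbookId`; the doubled prefix looks like a rename artifact unless the sub-playbook was really renamed. Because the task keeps `skipunavailable: true`, a dangling id does not fail the run: the `#error#` path from task 149 would silently skip error handling, which is easy to miss in production. Suggest `playbookId: Foundation - Error Handling_V3` (and the matching `name`) after confirming the installed sub-playbook id.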
@@ -511,33 +632,51 @@ tasks: "y": 590 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "158": + continueonerrortype: "" id: "158" - taskid: 6276c905-eedb-4266-8544-042d9051abb3 - type: condition - task: - id: 6276c905-eedb-4266-8544-042d9051abb3 - version: -1 - name: Isolate Device? - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: Would you like to Isolate the device ${inputs.Hostname} + cc: null + format: "" + methods: [] + replyOptions: + - "Yes" + - "No" + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null nexttasks: "No": - "148" "Yes": - "169" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: 6276c905-eedb-4266-8544-042d9051abb3 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Isolate Device? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: 6276c905-eedb-4266-8544-042d9051abb3 + timertriggers: [] + type: condition view: |- { "position": { 
@@ -545,51 +684,51 @@ tasks: "y": 1485 } } - note: false - timertriggers: [] + "161": + continueonerrortype: "" + id: "161" ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false message: - to: null - subject: null - body: - simple: Would you like to Isolate the device ${inputs.Hostname} - methods: [] - format: "" bcc: null + body: + simple: Should we quarantine the file ${issue.filename} cc: null - timings: - retriescount: 2 - retriesinterval: 360 - completeafterreplies: 1 - completeafterv2: true - completeaftersla: false + format: "" + methods: [] replyOptions: - "Yes" - "No" - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "161": - id: "161" - taskid: dff486ba-3e4f-42f0-8c29-d767f19b36e2 - type: condition - task: - id: dff486ba-3e4f-42f0-8c29-d767f19b36e2 - version: -1 - name: Quarantine File? - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null nexttasks: "No": - "148" "Yes": - "170" + note: false + quietmode: 0 separatecontext: false - continueonerrortype: "" + skipunavailable: false + task: + brand: "" + id: dff486ba-3e4f-42f0-8c29-d767f19b36e2 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Quarantine File? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: dff486ba-3e4f-42f0-8c29-d767f19b36e2 + timertriggers: [] + type: condition view: |- { "position": { 
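Review bot: The ask message in task 161 still interpolates `${issue.filename}`, and task 165's condition in the next hunk reads `issue.mitreattcktechnique`, while this commit moves every input default from `issue.*` to `SOCFramework.*` and `Analysis.*` paths in the first hunk. When the playbook runs in a context where `issue.*` is not populated, the analyst is asked to quarantine an unnamed file and the isolation gate never matches, so nothing is isolated. Consider `simple: Should we quarantine the file ${inputs.FilePath}` and feeding the technique through an input, the way task 158 uses `${inputs.Hostname}`.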
@@ -597,39 +736,34 @@ tasks: "y": 1485 } } - note: false - timertriggers: [] - ignoreworker: false - message: - to: null - subject: null - body: - simple: Should we quarantine the file ${issue.filename} - methods: [] - format: "" - bcc: null - cc: null - timings: - retriescount: 2 - retriesinterval: 360 - completeafterreplies: 1 - completeafterv2: true - completeaftersla: false - replyOptions: - - "Yes" - - "No" - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "165": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: issue.mitreattcktechnique + operator: match + right: + value: + simple: (T1059|T1486|T1071|T1095|T1068|T1021|T1027|T1003|T1547|T1074|T1485|T1046|T1498) + label: "yes" + continueonerrortype: "" id: "165" - taskid: ee42b9d3-f370-49c5-8a4e-ca754a7c2211 - type: condition + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "158" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: - id: ee42b9d3-f370-49c5-8a4e-ca754a7c2211 - version: -1 - name: Miter Technique for Isolation + brand: "" description: |- Techniques Covered T1059 – Command & Scripting Interpreter 
@@ -638,36 +772,23 @@ tasks: T1095 – Non-Application Layer Protocol T1068 – Exploitation for Privilege Escalation T1021 – Remote Services - T1027 – Obfuscated Files or Information - T1003 – OS Credential Dumping - T1547 – Boot or Logon Autostart Execution - T1074 – Data Staged - T1485 – Data Destruction - T1046 – Network Service Discovery - T1498 – Network Denial of Service - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "148" - "yes": - - "158" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: match - left: - value: - simple: issue.mitreattcktechnique - iscontext: true - right: - value: - simple: (T1059|T1486|T1071|T1095|T1068|T1021|T1027|T1003|T1547|T1074|T1485|T1046|T1498) - continueonerrortype: "" + T1027 – Obfuscated Files or Information + T1003 – OS Credential Dumping + T1547 – Boot or Logon Autostart Execution + T1074 – Data Staged + T1485 – Data Destruction + T1046 – Network Service Discovery + T1498 – Network Denial of Service + id: ee42b9d3-f370-49c5-8a4e-ca754a7c2211 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Miter Technique for Isolation + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: ee42b9d3-f370-49c5-8a4e-ca754a7c2211 + timertriggers: [] + type: condition view: |- { "position": { 
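Review bot: The task name `Miter Technique for Isolation` misspells MITRE, the source of the ATT&CK technique ids the description lists; suggest `name: MITRE Technique for Isolation`. The `match` regex in the previous hunk is unanchored, so sub-technique ids such as T1059.001 also satisfy it; if that is intended, one line in the description saying so would save the next reader the question.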
@@ -675,44 +796,44 @@ tasks: "y": 1300 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "168": - id: "168" - taskid: fe29a7f1-1dd7-4fb3-81af-00704151f661 - type: condition - task: - id: fe29a7f1-1dd7-4fb3-81af-00704151f661 - version: -1 - name: Quarantine file needed? - type: condition - iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - "148" - "yes": - - "161" - separatecontext: false conditions: - - label: "yes" - condition: - - - operator: isEqualString - left: + - condition: + - - left: + iscontext: true value: simple: inputs.FileVerdict - iscontext: true + operator: isEqualString right: value: simple: Suspicious + label: "yes" continueonerrortype: "" + id: "168" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "148" + "yes": + - "161" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: fe29a7f1-1dd7-4fb3-81af-00704151f661 + iscommand: false + istaskmissingcomponenterrordismissed: false + name: Quarantine file needed? + playbooktaskmissingcomponent: null + type: condition + version: -1 + taskid: fe29a7f1-1dd7-4fb3-81af-00704151f661 + timertriggers: [] + type: condition view: |- { "position": { 
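Review bot: The quarantine gate in task 168 routes to the `Quarantine File?` ask (161) only when `inputs.FileVerdict` `isEqualString` `Suspicious`; a `Malicious` verdict falls to `#default#` → 148 (Done) and the file is never quarantined. Unless malicious files are contained by an upstream playbook, the condition should accept both verdicts, e.g. a second `isEqualString` entry for `Malicious` in the same inner list, which task 150 suggests is the OR axis. If the narrower match is deliberate, say so in the task description.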
@@ -720,32 +841,22 @@ tasks: "y": 1300 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "169": + continueonerrortype: "" id: "169" - taskid: 0034e537-0923-4d4c-a763-a21ac1993209 - type: playbook - task: - id: 0034e537-0923-4d4c-a763-a21ac1993209 - version: -1 - name: SOC Isolation Router_V3 - description: Determine the correct playbook to run for the correct endpoint - product. - playbookName: SOC Isolation Router_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "148" + note: false + quietmode: 0 scriptarguments: Endpoint ID: simple: ${inputs.EndpointID} @@ -756,12 +867,22 @@ tasks: ShadowMode: simple: ${inputs.ShadowMode} separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: Determine the correct playbook to run for the correct endpoint + product. + id: 0034e537-0923-4d4c-a763-a21ac1993209 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC Isolation Router_V3 + playbookId: SOC Isolation Router_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 0034e537-0923-4d4c-a763-a21ac1993209 + timertriggers: [] + type: playbook view: |- { "position": { 
@@ -769,35 +890,22 @@ tasks: "y": 1670 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "170": + continueonerrortype: "" id: "170" - taskid: 48b8dce7-7461-4030-b641-de2dce672c35 - type: playbook - task: - id: 48b8dce7-7461-4030-b641-de2dce672c35 - version: -1 - name: SOC Containment Plan_V3 - Quarantine File_V3 - description: |- - ## Containment Plan - Quarantine File - - This playbook is a sub-playbook within the containment plan playbook. - The playbook quarantines files using core commands. - playbookName: SOC Containment Plan_V3 - Quarantine File_V3 - type: playbook + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: "" iscommand: false - brand: "" - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + max: 100 + wait: 1 nexttasks: '#none#': - "148" + note: false + quietmode: 0 scriptarguments: AutoContainment: simple: ${inputs.AutoContainment} @@ -814,12 +922,25 @@ tasks: ShadowMode: simple: "true" separatecontext: true - continueonerrortype: "" - loop: + skipunavailable: false + task: + brand: "" + description: |- + ## Containment Plan - Quarantine File + + This playbook is a sub-playbook within the containment plan playbook. + The playbook quarantines files using core commands. + id: 48b8dce7-7461-4030-b641-de2dce672c35 iscommand: false - exitCondition: "" - wait: 1 - max: 100 + istaskmissingcomponenterrordismissed: false + name: SOC Containment Plan_V3 - Quarantine File_V3 + playbookId: SOC Containment Plan_V3 - Quarantine File_V3 + playbooktaskmissingcomponent: null + type: playbook + version: -1 + taskid: 48b8dce7-7461-4030-b641-de2dce672c35 + timertriggers: [] + type: playbook view: |- { "position": { 
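Review bot: Task 170 passes `ShadowMode: simple: "true"` as a hard-coded literal to the quarantine sub-playbook, while task 169 passes `${inputs.ShadowMode}` to the isolation router; the line is context here, so the commit leaves the inconsistency in place. If ShadowMode means dry-run in the sub-playbook, the quarantine action never executes regardless of the `ShadowMode` playbook input. Confirm the semantics and, if so, change it to `simple: ${inputs.ShadowMode}`.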
@@ -827,14 +948,7 @@ tasks: "y": 1670 } } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false -system: true +version: -1 view: |- { "linkLabelsPosition": { 
@@ -851,111 +965,3 @@ view: |- } } } -inputs: -- key: AutoContainment - value: - simple: "False" - required: false - description: |- - Whether to execute containment plan (except isolation) automatically. - The specific containment playbook inputs should also be set to 'True'. - playbookInputQuery: null -- key: HostContainment - value: - simple: "True" - required: false - description: Whether to execute endpoint isolation. - playbookInputQuery: null -- key: FileContainment - value: - simple: "True" - required: false - description: Set to 'True' to quarantine the identified file. - playbookInputQuery: null -- key: EndpointID - value: - simple: ${issue.agentsid} - required: false - description: The endpoint ID to run commands over. - playbookInputQuery: null -- key: FileHash - value: - simple: ${issue.filehash} - required: false - description: The file hash to block. - playbookInputQuery: null -- key: FilePath - value: - simple: ${issue.filepath} - required: false - description: The path of the file to block. - playbookInputQuery: null -- key: FileRemediation - value: - simple: Quarantine - required: false - description: "Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. - \nFor example, choosing 'Quarantine' ignores the 'Delete file' task under the - eradication playbook and will execute only file quarantine." - playbookInputQuery: null -- key: ShadowMode - value: - simple: ${SOCFramework.shadow_mode} - required: false - description: "" - playbookInputQuery: null -- key: Hostname - value: - simple: ${issue.hostname} - required: false - description: "" - playbookInputQuery: null -- key: FeaturedHost - value: - simple: "False" - required: false - description: Is this a Featured Host? 
- playbookInputQuery: null -- key: FileVerdict - value: - simple: ${issue.verdict} - required: false - description: File Verdict from Enrichment - playbookInputQuery: null -inputSections: -- inputs: - - AutoContainment - - HostContainment - - FileContainment - - EndpointID - - FileHash - - FilePath - - FileRemediation - - ShadowMode - - Hostname - - FeaturedHost - - FileVerdict - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: - - Blocklist.Final - - QuarantinedFilesFromEndpoints - - Core.blocklist.added_hashes - - Core.Isolation.endpoint_id - name: General (Outputs group) - description: Generic group for outputs -outputs: -- contextPath: Blocklist.Final - description: The blocked accounts. - type: unknown -- contextPath: QuarantinedFilesFromEndpoints - description: The quarantined files from endpoint. - type: unknown -- contextPath: Core.blocklist.added_hashes - description: The file Hash that was added to the blocklist. -- contextPath: Core.Isolation.endpoint_id - description: The isolated endpoint ID. -sourceplaybookid: Containment Plan -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/README.md b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/README.md new file mode 100644 index 0000000..e69de29 diff --git a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py new file mode 100644 index 0000000..f722db2 --- /dev/null +++ b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py 
@@ -0,0 +1,175 @@ +import demistomock as demisto # noqa: F401 +from CommonServerPython import * # noqa: F401 +import json +import re + +CTX_REF_RE = re.compile(r"^\$\{(.+?)\}$") + +def _try_json_loads(s: str): + try: + return json.loads(s) + except Exception: + return None + +def _as_dict(v): + if v is None: + return {} + if isinstance(v, dict): + return v + if isinstance(v, str): + s = v.strip() + if not s: + return {} + parsed = _try_json_loads(s) + return parsed if isinstance(parsed, dict) else {} + return {} + +def _coerce_scalar(v): + if v is None: + return None + if isinstance(v, (list, tuple)): + if len(v) == 0: + return None + if len(v) == 1: + return _coerce_scalar(v[0]) + return [str(x).strip() for x in v if str(x).strip()] + if isinstance(v, str): + s = v.strip() + if not s: + return None + # If it is a stringified JSON list/dict, parse it + if (s.startswith("[") and s.endswith("]")) or (s.startswith("{") and s.endswith("}")): + parsed = _try_json_loads(s) + if parsed is not None: + return _coerce_scalar(parsed) + return s + return v + +def _looks_like_ctx_path(s: str) -> bool: + s = s.strip() + return s.startswith("SOCFramework.") or s.startswith("incident.") or s.startswith("alert.") + +def _resolve_ctx_string(s: str, ctx: dict): + """ + Resolve either: + - "${SOCFramework.Artifacts.EndPointID}" + - "SOCFramework.Artifacts.EndPointID" + """ + s = s.strip() + m = CTX_REF_RE.match(s) + if m: + path = m.group(1).strip() + return demisto.get(ctx, path) + + if _looks_like_ctx_path(s): + return demisto.get(ctx, s) + + return s # literal string + +def _resolve_templates(obj, ctx: dict): + """ + Recursively resolve templates/paths in dict/list/str. 
+ """ + if obj is None: + return None + if isinstance(obj, dict): + return {k: _resolve_templates(v, ctx) for k, v in obj.items()} + if isinstance(obj, list): + return [_resolve_templates(x, ctx) for x in obj] + if isinstance(obj, str): + return _resolve_ctx_string(obj, ctx) + return obj + +def _should_be_list(arg_name: str) -> bool: + """ + Heuristic: + keep list for plural-y args like: + *_ids, *_id_list, *_list, identifiers, endpoints, machines, hashes, paths + """ + n = (arg_name or "").lower() + return ( + n.endswith("s") or + "list" in n or + "identifiers" in n or + n.endswith("_ids") or + n.endswith("ids") or + "hash" in n or + "paths" in n + ) + +def _normalize_arg_value(arg_name: str, value): + """ + - Resolve singletons: ["id"] -> "id" for scalar args + - Keep list for list-y args + """ + v = _coerce_scalar(value) + if _should_be_list(arg_name): + # ensure list if scalar provided for list arg + if v is None: + return [] + if isinstance(v, list): + return v + return [v] + else: + # scalar arg: unwrap singleton lists + if isinstance(v, list): + return v[0] if v else None + return v + +def main(): + args = demisto.args() + ctx = demisto.context() + + command = args.get("command") + if not command: + return demisto.results({"success": False, "error": "Missing required argument: command"}) + + artifacts_path_or_dict = args.get("artifacts") + artifacts = _as_dict(artifacts_path_or_dict) + if not artifacts and isinstance(artifacts_path_or_dict, str) and artifacts_path_or_dict.strip(): + maybe = demisto.get(ctx, artifacts_path_or_dict.strip()) + artifacts = maybe if isinstance(maybe, dict) else {} + if not artifacts: + artifacts = demisto.get(ctx, "SOCFramework.Artifacts") or {} + if not isinstance(artifacts, dict): + artifacts = {} + + inline_args_raw = args.get("inline_args") + inline_args = _as_dict(inline_args_raw) + + # ✅ Resolve context refs INSIDE inline_args (the key fix) + inline_args = _resolve_templates(inline_args, ctx) + + # Build exec args with 
normalization + exec_args = {} + for k, v in inline_args.items(): + exec_args[k] = _normalize_arg_value(k, v) + + using = args.get("using") or demisto.get(ctx, "SOCFramework.Product.using") + + try: + if using: + result = demisto.executeCommand(command, exec_args, using=using) + else: + result = demisto.executeCommand(command, exec_args) + except TypeError: + # runtime fallback + if using: + exec_args2 = dict(exec_args) + exec_args2["using"] = using + result = demisto.executeCommand(command, exec_args2) + else: + result = demisto.executeCommand(command, exec_args) + + demisto.setContext("SOCFramework.ActionOutput", result) + + demisto.results({ + "success": True, + "command_executed": command, + "using": using, + "args_used": exec_args, + "raw_result": result + }) + +if __name__ in ("__builtin__", "builtins", "__main__"): + main() diff --git a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.yml b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.yml new file mode 100644 index 0000000..2bbb977 --- /dev/null +++ b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.yml 
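Review bot: `success` is reported as `True` unconditionally after `demisto.executeCommand`, so a response command that returns an error entry (bad endpoint ID, unconfigured integration, refused quarantine) is still written to `SOCFramework.ActionOutput` as a successful action and the calling playbook carries on; since CommonServerPython is already star-imported, check the result before setting context: `if is_error(result): return_error(f"{command} failed: {get_error(result)}")`. The `artifacts` value is resolved at some length but never used after it is built — only `inline_args` reaches `exec_args` — so either drop that code or comment that it is reserved for a later mapping step. The `except TypeError` fallback re-issues the command, which could execute a side-effecting action twice if the `TypeError` originated anywhere other than the unsupported `using=` keyword; narrowing the check (e.g. only retry when `'using' in str(e)`) would make the retry safer. Because `command` and `inline_args` are taken verbatim from the script arguments, this is effectively an arbitrary-command proxy; an allowlist of permitted response commands, or at minimum a `demisto.info()` line recording `command` and `using` before execution, would make misuse auditable.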
@@ -0,0 +1,44 @@ +fromversion: 6.10.0 +args: +- description: Integration command name (e.g., proofpoint-quarantine-message). + name: command + required: true + supportedModules: [] +- description: List of vendor-specific argument names (e.g., ["guid"]). + name: args_map + supportedModules: [] +- description: Raw artifact object from context (same passed into ValidateArtifacts). + name: artifacts + supportedModules: [] +- name: inline_args + supportedModules: [] +commonfields: + id: SOCCommandWrapper + version: -1 +dockerimage: demisto/python3:3.12.12.5490952 +enabled: true +engineinfo: {} +mainengineinfo: {} +name: SOCCommandWrapper +outputs: +- contextPath: SOCFramework.ActionOutput + description: Raw result returned by the integration command. +- contextPath: success + description: True if execution succeeded. + type: boolean +- contextPath: command_executed + description: The command actually run. + type: string +- contextPath: args_used + description: The arguments passed to the executed command. +pswd: "" +runas: DBotWeakRole +runonce: false +script: '' +scripttarget: 0 +subtype: python3 +tags: +- Commands +- SOC +- SOC_Framework +type: python diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index a12da44..3b7973e 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "xsoar", - "currentVersion": "3.0.29", + "currentVersion": "3.0.30", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index 3cb2569..87e8844 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json 
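Review bot: `args_map` is declared as a script argument ("List of vendor-specific argument names") but the accompanying SOCCommandWrapper.py never reads it, while `inline_args` — the argument the script actually consumes — has no description at all, so a playbook author has to read the source to learn it expects a JSON object of command arguments whose string values may be `${...}` context references. Suggest removing `args_map` (or marking it reserved) and documenting the real one, e.g. `description: JSON object of arguments passed verbatim to the command; string values may be ${SOCFramework...} context paths.` It is also worth stating in the script's top-level description (the `comment` key in XSOAR script YAML) that `command` is executed as given with those arguments, since the declared outputs (`success`, `command_executed`, `args_used`) otherwise read like a benign status report rather than a generic command executor. `runas: DBotWeakRole` is the appropriate restrictive choice for such a wrapper and should stay.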
+++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -8,7 +8,7 @@ "custom_packs": [ { "id": "soc-optimization-unified.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.29/soc-optimization-unified-v3.0.29.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.30/soc-optimization-unified-v3.0.30.zip", "system": "yes" }, { diff --git a/pack_catalog.json b/pack_catalog.json index 67c4d73..325eccc 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -19,7 +19,7 @@ { "id": "soc-crowdstrike-falcon", "display_name": "SOC CrowdStrike Falcon Integration Enhancement for Cortex XSIAM", - "version": "1.0.38", + "version": "1.0.39", "path": "Packs/soc-crowdstrike-falcon", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-crowdstrike-falcon/xsoar_config.json" @@ -59,7 +59,7 @@ { "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", - "version": "3.0.29", + "version": "3.0.30", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"