Bugfix/XSUP-30713/add-InternalIPRanges-as-playbook-input (#31329)
* Pass InternalIPRanges as input for alert handling subplaybook

* Add InternalIPRanges playbook input

* Remove unwanted change

* Fix validation error

* Update release notes

* Fix alert handling subplaybook to use InternalIPRanges from inputs

* Fix release notes based on review comments

* Bump pack from version CortexXDR to 6.0.9.

---------

Co-authored-by: Content Bot <bot@demisto.com>
2 people authored and maimorag committed Dec 31, 2023
1 parent f0dacfb commit 04d1951
Showing 6 changed files with 55 additions and 3 deletions.
22 changes: 22 additions & 0 deletions Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml
@@ -342,6 +342,9 @@ tasks:
xdr_alert_id:
complex:
root: inputs.alert_id
InternalIPRanges:
complex:
root: inputs.InternalIPRanges
separatecontext: true
continueonerrortype: ""
loop:
@@ -1459,6 +1462,25 @@ inputs:
required: false
description: Alert ID.
playbookInputQuery:
- key: InternalIPRanges
value:
complex:
root: lists
accessor: PrivateIPs
transformers:
- operator: RegexReplace
args:
action_dt: {}
ignore_case: {}
multi_line: {}
output_format: {}
period_matches_newline: {}
regex:
value:
simple: IANA_Private_Address
required: false
description: 'A list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).'
playbookInputQuery:
outputs:
- contextPath: PaloAltoNetworksXDR.Incident.incident_id
description: Unique ID assigned to each returned incident.
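Review bot: the default for `InternalIPRanges` is read from `lists.PrivateIPs` and passed through a `RegexReplace` transformer whose `regex` is `IANA_Private_Address` and whose replacement (`output_format`) is empty, so it appears to strip that literal token from the list contents; nothing in the diff documents the expected format of the `PrivateIPs` list or why that token must be removed. Suggest a sentence in the README on the list's format, and confirm the pack ships (or documents the need for) a `PrivateIPs` list, since otherwise `lists.PrivateIPs` resolves to nothing and the IsIPInRanges built-in ranges are what actually apply, as the description says.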
@@ -46,6 +46,7 @@ This playbook does not use any scripts.
| --- | --- | --- | --- |
| incident_id | Incident ID. | PaloAltoNetworksXDR.Incident.incident_id | Optional |
| alert_id | Alert ID. | PaloAltoNetworksXDR.Incident.alerts.alert_id | Optional |
| InternalIPRanges | A list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). If a list is not provided, will use default list provided in the IsIPInRanges script \(the known IPv4 private address ranges\). | lists.PrivateIPs | Optional |

## Playbook Outputs

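Review bot: the new README row's Default column shows `lists.PrivateIPs`, but its description still says "If a list is not provided, will use default list provided in the IsIPInRanges script", which leaves two competing defaults unexplained; suggest "If the list is not provided, the default list from the IsIPInRanges script (the known IPv4 private address ranges) is used" plus a note that the default value is taken from the `PrivateIPs` list, so readers know which default applies when.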
@@ -1608,6 +1608,9 @@ tasks:
'#none#':
- "79"
scriptarguments:
InternalIPRanges:
complex:
root: inputs.InternalRange
alert_id:
complex:
root: PaloAltoNetworksXDR.Incident.alerts
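Review bot: this line maps the parent input `inputs.InternalRange` onto the sub-playbook argument `InternalIPRanges`, so one setting is now called `InternalRange` in this playbook, `InternalIPRanges` in the Cortex XDR Alerts Handling sub-playbook, and `InternalRanges` in the release notes. The mapping itself is correct, but three spellings for one value invite misconfiguration; at minimum the release notes should use the real input names, and a comment here noting that the rename is deliberate would help the next reviewer.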
@@ -2013,7 +2016,21 @@ inputs:
description: This input indicates whether the playbook will hunt for related IOCs. Specify Yes/No.
playbookInputQuery:
- key: InternalRange
value: {}
value:
complex:
root: lists
accessor: PrivateIPs
transformers:
- operator: RegexReplace
args:
action_dt: {}
ignore_case: {}
multi_line: {}
output_format: {}
period_matches_newline: {}
regex:
value:
simple: IANA_Private_Address
required: false
description: "A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list \n\"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16\" (without quotes). \nIf a list is not provided, will use the default list provided in the IsIPInRanges."
playbookInputQuery:
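Review bot: the `InternalRange` description still ends "will use the default list provided in the IsIPInRanges." (missing "script") and still reads as if the input has no default, yet this hunk sets its default to `lists.PrivateIPs`; update the description to say the default comes from the `PrivateIPs` list and that the IsIPInRanges built-in private ranges apply only when that list is empty. The `RegexReplace` transformer block is also a verbatim copy of the one added to the sub-playbook input, so any change to the list format must be made in both places.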
@@ -45,7 +45,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
| incident_id | Incident ID. | incident.xdrincidentid | Optional |
| LinkSimilarIncidents | This input indicates whether the playbook will link similar incidents. To link similar incidents, specify Yes/No. | Yes | Optional |
| Hunting | This input indicates whether the playbook will hunt for related IOCs. Specify Yes/No. | Yes | Optional |
| InternalRange | A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list <br/>"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). <br/>If a list is not provided, will use the default list provided in the IsIPInRanges. | | Optional |
| InternalRange | A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list <br/>"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). <br/>If a list is not provided, will use the default list provided in the IsIPInRanges. | lists.PrivateIPs | Optional |
| CriticalUsernames | A comma-separated list of names of critical users in the organization.<br/>This will affect the calculated severity of the incident. | admin,administrator | Optional |
| CriticalHostnames | A comma-separated list of names of critical endpoints in the organization. This will affect the calculated severity of the incident. | | Optional |
| CriticalADGroups | A comma-separated list of DN names of critical Active Directory groups. This will affect the severity calculated for this incident. | | Optional |
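Review bot: same description problem as in the playbook YAML: the row now lists `lists.PrivateIPs` as the default, but the text still says "If a list is not provided, will use the default list provided in the IsIPInRanges." Suggest "...provided in the IsIPInRanges script" and a short mention that the default is read from the `PrivateIPs` list.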
12 changes: 12 additions & 0 deletions Packs/CortexXDR/ReleaseNotes/6_0_9.md
@@ -0,0 +1,12 @@

#### Playbooks

##### Cortex XDR incident handling v3

- Updated the "Cortex XDR Alerts Handling" sub-playbook to use the "InternalRanges" input instead of default static value.
- Added a default value to the "InternalRanges" playbook input.

##### Cortex XDR Alerts Handling

- Added a new playbook input for Internal IP ranges.
- Updated the "Port Scan - adjusted" sub-playbook to get Internal IP ranges from inputs instead of static value.
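Review bot: no input named "InternalRanges" exists in this diff; the incident handling v3 input is `InternalRange` and the sub-playbook's new input is `InternalIPRanges`. Rename both bullets under "Cortex XDR incident handling v3" to match the YAML, and name the new input in the "Cortex XDR Alerts Handling" section (for example "Added the InternalIPRanges playbook input") so readers of the release notes can locate it.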
2 changes: 1 addition & 1 deletion Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Cortex XDR by Palo Alto Networks",
"description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
"support": "xsoar",
"currentVersion": "6.0.8",
"currentVersion": "6.0.9",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",