Use case builder updates and fixes (#28237) (#28505)
* Use case builder updates and fixes (#28237)

* updated the authentication markdown field

* updated release notes and metadata

* fixed the incident template fields and updated release notes and README

* Fixed RNs

Co-authored-by: Joe Cosgrove <joecosgrove5@gmail.com>
2 people authored and ostolero committed Aug 8, 2023
1 parent ec6eb58 commit 4089759
Showing 16 changed files with 44 additions and 6 deletions.
6 changes: 5 additions & 1 deletion Packs/Use_Case_Builder/.pack-ignore
Expand Up @@ -132,4 +132,8 @@ ignore=IF113
ignore=IF113

[file:Use_Case_Builder.yml]
ignore=PB105
ignore=PB105

[known_words]
NGFW
SEIM
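Review bot: Adding `SEIM` to `[known_words]` whitelists a misspelling of SIEM instead of correcting it; the field template added in this same commit is titled `# Analytics and SIEM`, while the release notes entry reads `**Use Case Builder SEIM**`. Prefer renaming the field to SIEM and dropping `SEIM` from the known-words list so the spell check keeps catching the typo elsewhere. `NGFW` is a legitimate acronym and is fine to keep.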
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Authentication\n## Top Use Cases:\n\n- Use credentials from authentication vault in order to configure instances in Cortex XSOAR (Save credentials in: Settings -\n Integrations -\n Credentials) The integration should include the isFetchCredentials Parameter, and other integrations that will use credentials from the vault, should have the 'Switch to credentials' option.\n- Lock/Delete Account – Give option to lock account (credentials), and unlock/undelete.\n- Reset Account - Perform a reset password command for an account.\n- List credential names – Do not post the actual credentials. (For example – Credential name: McAfee ePO, do not show actual username and password.)\n- Lock Vault – In case of an emergency (if the vault has been compromised), allow the option to lock + unlock the whole vault.\n- Step-Up authentication - Enforce Multi Factor Authentication for an account.\n\n## Authentication Integration Example: [CyberArk AIM](https://xsoar.pan.dev/docs/reference/integrations/cyber-ark-aim))",
"threshold": 72,
"type": "markdown",
"unmapped": false,
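Review bot: The navigation path in the first bullet has lost its separators: `(Save credentials in: Settings -\n Integrations -\n Credentials)` renders as three fragments on separate lines where a path of the form Settings > Integrations > Credentials was clearly intended; the `>` characters appear to have been dropped when the markdown was embedded in the JSON string. The link at the end of the template also closes with a doubled parenthesis, `cyber-ark-aim))`, which renders a stray `)` after the link. Rewrite the path with explicit separators on one line and remove the extra parenthesis.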
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Case Management\n## Top Use Cases:\n\n- Create, get, edit, close a ticket/issue, add + view comments.\n- Assign a ticket/issue to a specified user.\n- List all tickets, filter by name, date, assignee.\n- Get details about a managed object, update, create, delete.\n- Add and manage users.\n\n## Case Management/Ticketing Integration Example: [ServiceNow](https://xsoar.pan.dev/docs/reference/integrations/service-now-v2)",
"threshold": 72,
"type": "markdown",
"unmapped": false,
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Data Enrichment\n## Threat Intelligence\n## Top Use Cases:\n\n- Enriching information about different IOC types:\n- Upload object for scan and get the scan results. (If there's a possibility to upload private/public, default should be set to private).\n- Search for former scan results about an object (This way you can get information about a sample without uploading it yourself).\n- Enrich information and scoring for the object.\n- Add/Search for indicators in the system.\n- Add indicators to allow list / block list.\n- Calculate DBot Score for indicators.\n\n## Data Enrichment\n Threat Intelligence Integration Example: [VirusTotal](https://xsoar.pan.dev/docs/reference/integrations/virus-total)\n",
"threshold": 72,
"type": "markdown",
"unmapped": false,
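Review bot: The closing heading `## Data Enrichment\n Threat Intelligence Integration Example:` is split across two lines, so only "Data Enrichment" becomes the heading and "Threat Intelligence Integration Example: [VirusTotal](...)" renders as a loose paragraph; an ampersand or slash between the two halves seems to have been lost (the TIM template in this commit shows the escaped form `\u0026` surviving, which suggests the same character was mangled here). The template also opens with two consecutive H2s (`## Threat Intelligence` directly followed by `## Top Use Cases:`), and the bullet `- Enriching information about different IOC types:` ends in a colon while the bullets that follow sit at the same level. Join the heading onto one line with an explicit separator, merge or drop one of the two H2s, and indent the items that the colon introduces.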
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Email Gateway\n## Top Use Cases:\n\n- Get message – Download the email itself, retrieve metadata, body.\n- Download attachments for a given message.\n- Manage senders – Block/ Allow specified mail senders.\n- Manage URLs – Block/ Allow the sending of specified URLs.\n- Encode/ Decode URLs in messages.\n- Release a held message (The gateway can place suspicious messages on hold, and sometimes they would need to be released to the receiver).\n\n## Email Gateway Integration Example: [MimeCast](https://xsoar.pan.dev/docs/reference/integrations/mimecast-v2)",
"threshold": 72,
"type": "markdown",
"unmapped": false,
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Endpoint\n## Top Use Cases:\n\n- Fetch Incidents\n Events\n- Get event details (from specified incident)\n- Quarantine File\n- Isolate and contain endpoints\n- Update Indicators (Network, hashes, etc.) by policy (can be block, monitor) – Block list\n- Add indicators to allow list\n- Search for indicators in the system (Seen indicators and related incidents/events)\n- Download file (based on hash, path)\n- Trigger scans on specified hosts\n- Update .DAT files for signatures and compare existing .DAT file to the newest one on the server\n- Get information for a specified host (OS, users, addresses, hostname)\n- Get policy information and assign policies to endpoints\n\n## Endpoint Integration Examples: [Cortex XDR](https://xsoar.pan.dev/docs/reference/integrations/cortex-xdr---ir), [Tanium](https://xsoar.pan.dev/docs/reference/integrations/tanium-v2) and [Carbon Black Protection](https://xsoar.pan.dev/docs/reference/integrations/carbon-black-protection-v2) ",
"threshold": 72,
"type": "markdown",
"unmapped": false,
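Review bot: The first bullet is broken in two: `- Fetch Incidents\n Events` puts "Events" on its own line outside the list item, where a single bullet such as "Fetch Incidents / Events" was evidently intended (the same missing-separator problem that affects the Data Enrichment and SIEM headings in this commit). The template string also ends with a trailing space after the Carbon Black Protection link. Join the bullet onto one line and trim the trailing whitespace.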
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# IAM (Identity and Access Management)\n## Top Use Cases:\n\n- Create, update and delete users.\n- Manage user groups.\n- Block users, Force change of passwords.\n- Manage access to resources and applications.\n- Create, update and delete roles.\n",
"threshold": 72,
"type": "markdown",
"unmapped": false,
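Review bot: This template is the only one in the set without an "Integration Example" link after the use-case list, unlike the Authentication, Case Management, Email Gateway, Endpoint and other templates in this commit; add one for consistency or state the omission deliberately. In the list itself, `- Block users, Force change of passwords.` joins two actions with a comma and a stray capital; split it into two bullets or write "Block users and force password changes."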
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Network Security (Firewall)\n## Top Use Cases:\n\n- Create block/accept policies (Source, Destination, Port), for IP addresses and domains.\n- Add addresses and ports (services) to predefined groups, create groups, etc.\n- Support custom url categories.\n- Fetch network logs for a specific address for a configurable time frame.\n- URL filtering categorization change request\n- Built in blocked rule command for fast-blocking.\n- If there is a Management FW, allow the option to manage policy rules through it.\n\n## Network Security Firewall Integration Example: [Palo Alto Networks PAN-OS](https://xsoar.pan.dev/docs/reference/integrations/panorama)",
"threshold": 72,
"type": "markdown",
"unmapped": false,
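Review bot: Two bullets in this list are hard to parse: `- Built in blocked rule command for fast-blocking.` does not say what the command does (a command that adds a block rule for an address or domain in one step, presumably), and `- URL filtering categorization change request` is a noun phrase without a verb, unlike the other items. Reword both as actions, and use the same hyphenation ("built-in", "fast blocking") and capitalisation ("URL") as the rest of the template.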
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Analytics and SIEM\n## Top Use Cases:\n\n- Fetch Incidents with relevant filters\n- Create, close and delete incidents/events/cases\n- Update Incidents - Update status, assignees, Severity, SLA, etc.\n- Get events related to an incident/case for enrichment/investigation purposes.\n- Query SIEM (consider aggregating logs)\n\n **Please Note:** Will normally include the Fetch Incidents possibility for the instance. Can also include list-incidents or get-incident as integration commands. Important information for an Event/Incident\n\n## Analytics \n SIEM Integration Example: [ArcSight ESM](https://xsoar.pan.dev/docs/reference/integrations/arc-sight-esm-v2)\n",
"threshold": 72,
"type": "markdown",
"unmapped": false,
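Review bot: The note paragraph ends in a fragment: `Important information for an Event/Incident` has no verb or continuation, so either finish the sentence or drop it. The closing heading is also split, `## Analytics \n SIEM Integration Example:`, which leaves "SIEM Integration Example: [ArcSight ESM](...)" as body text under a heading that reads only "Analytics"; join it onto one line with an explicit separator. The release notes in this commit call this field "Use Case Builder SEIM" while the template heading says `# Analytics and SIEM`; the two spellings should agree.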
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Vulnerability Management\n## Top Use Cases:\n\n- Enrich asset – get vulnerability information for an asset (or a group of assets) in the organization.\n- Generate/Trigger a scan on specified assets.\n- Generate scheduled scans.\n- Get a scan report including vulnerability information for a specified scan and export it.\n- Get details for a specified vulnerability.\n- Scan assets that have a specific vulnerability.\n- Get hosts latest vulnerability.\n\n## Vulnerability Management Integration Example: [Tenable.io](https://xsoar.pan.dev/docs/reference/integrations/tenableio)",
"threshold": 72,
"type": "markdown",
"unmapped": false,
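Review bot: The last bullet, `- Get hosts latest vulnerability.`, is missing a possessive and reads as singular where the rest of the list talks about vulnerability information in the plural; "Get a host's latest vulnerabilities." is clearer. The other bullets mix "Generate/Trigger a scan" and "Generate scheduled scans"; "Trigger a scan" and "Schedule scans" would keep the verbs distinct.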
Expand Up @@ -26,5 +26,6 @@
"unsearchable": true,
"useAsKpi": false,
"version": -1,
"fromVersion": "6.8.0"
"fromVersion": "6.8.0",
"template": "# Playbook And Automation Design\n## We recommend the following practices to ensure your playbooks run optimally.\n\n### Use Quiet Mode\nRun playbooks in quiet mode to reduce the incident size and execute playbooks faster. For playbooks running in jobs, indicator enrichment should be done in quiet mode.\n\n### Limit Indicator Extraction\nWhen configuring your integration, set indicator extraction to none and extract indicators only in specific tasks where required.\n\n### Break up Large Playbooks into Sub-Playbooks\nIf playbooks have more than thirty tasks, break the tasks into multiple sub playbooks. Sub playbooks can be reused, can be managed easily when upgrading, and make it easier to follow the main playbook.\n\n### Update Automations\nUpdate automations and integration commands in playbook tasks to their most current version. Automations that have updates are designated by a yellow triangle.\n\n### Remove Unused Playbook Tasks\nFor production playbooks, remove playbook tasks that are not connected to the playbook workflow.\n\n### Optimize Parallel Automation Runs\nWhen an automation runs, a worker is used. The number of configured workers determines the maximum number of automations that can run in parallel. By default, the number of workers on a Cortex XSOAR instance is 4 x the number of CPU cores. For example, for 8 CPU cores, there are 32 configured workers.\n\n### Check worker status using the /workers/status/ endpoint. For example, https://example.demisto/workers/status\n\n## Playbook and Automation Design: [Best Practice](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Best-Practices)"
}
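Review bot: `### Check worker status using the /workers/status/ endpoint. For example, https://example.demisto/workers/status` is a full sentence formatted as an H3, so it renders as a heading with no body; fold it into the preceding "Optimize Parallel Automation Runs" paragraph as a closing sentence. The H2 `## We recommend the following practices to ensure your playbooks run optimally.` is likewise a sentence rather than a heading and would read better as an intro paragraph under the H1. Also pick one spelling for "Sub-Playbooks" (heading) versus "sub playbooks" (body).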
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Performance Optimization and Avoiding Common Pitfalls\n### Classification and Mapping\nWhen creating incidents in XSOAR it is important to use **unique incident types** for each specific type of alert that is created/ingested. Do not create one incident type for a variety of alerts since that will cause performance issues and will make playbook development overly complex. Utilize Classifiers and Mappers wherever necessary to make your playbooks more efficient.\n\n### Database\nToo much data indexing of investigation tasks or entries can cause major database issues. Ensure the proper configurations are set (investigation.task.partial.index = 7). See the general troubleshooting guide for more details on checking the value. If no value is set, you are running the default recommended standard.\n\n### Pre-Processing Rules\nPre-processing rules enable you to perform certain actions on incidents as they are ingested into Cortex XSOAR. You can, for example, link an incoming incident to an existing incident, or under certain conditions, drop the incoming incident altogether.\n\n## Alert Filtering and Deduplication: [Pre-Processing Rules](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Create-Pre-Process-Rules-for-Incidents)\n## Performance Tuning For XSOAR: [General Troubleshooting](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Performance-Tuning-for-Cortex-XSOAR)\n## Classification and Mapping: [Best Practice](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.9/Cortex-XSOAR-Administrator-Guide/Classification-and-Mapping)\n\n",
"threshold": 72,
"type": "markdown",
"unmapped": false,
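Review bot: Heading levels jump from H1 straight to H3 (`# Performance Optimization and Avoiding Common Pitfalls` followed by `### Classification and Mapping`), and the three link lines at the end are H2s carrying body text, so the rendered outline differs from the other templates in this commit, which use `## Top Use Cases:` under the H1. The string also ends with `\n\n`, which adds blank lines to the rendered field. Use `##` for the three section headings and trim the trailing newlines.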
Expand Up @@ -20,6 +20,7 @@
"required": false,
"sla": 0,
"system": false,
"template": "# Threat Intel Management\n## Manually Add Indicators to the Exclusion List\nFrom the Exclusion List page, you can manually add a single indicator or define indicators using a regular expression (regex) or CIDR.\n\n### Regex\n\nA regular expression enables you to identify a sequence of characters in an unknown string. The following example would identify www.demisto.com: [A-Za-z0-9!@#$%\\.\u0026]*demisto[A-Za-z0-9!@#$%\\.\u0026]*.\n\n### CIDR\nClassless inter-domain routing (CIDR) enables you to define a range of IP addresses. For example, the IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.\n\n## Indicator Management: [TIM](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.5/Cortex-XSOAR-Threat-Intel-Management-Guide/Exclusion-List)",
"threshold": 72,
"type": "markdown",
"unmapped": false,
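Review bot: The regex in the example, `[A-Za-z0-9!@#$%\\.\u0026]*demisto[A-Za-z0-9!@#$%\\.\u0026]*`, matches any indicator containing the substring `demisto` anywhere, because both character classes are quantified with `*` and may match nothing; on the exclusion list it would therefore exclude every domain, URL or file name that contains that substring, not only `www.demisto.com`. Since an over-broad exclusion silently suppresses indicators that may be genuine, either say so in the template text or tighten the example to a domain-shaped pattern. The CIDR paragraph is correct as written: 192.168.100.0/22 covers 1024 addresses ending at 192.168.103.255.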
6 changes: 5 additions & 1 deletion Packs/Use_Case_Builder/README.md
Expand Up @@ -2,6 +2,10 @@

The Use Case builder contains tools to help you measure and track use cases through your automation journey, quickly autogenerate OOTB playbooks and custom workflows and more.

## Setup And Configuration

To run this content you will need to setup the **Cortex REST API** integration. To do this, simply download and install the content from the marketplace, generate a api key, then add your api key to the instance (Choosing the standard authentication method.) Once that is complete, you can start using the Use Case Builder!

## Default Incident Type

This Pack includes an Incident Type of '**Use Case Builder**', which is the starting point for creating new Use Cases. To use this, navigate to the +New Incidents -> Select Type -> Use Case Builder+ and fill out the form to begin.
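Review bot: Two grammar fixes in the new Setup paragraph: `you will need to setup the **Cortex REST API** integration` should read "set up", and `generate a api key` should read "generate an API key"; the parenthetical `(Choosing the standard authentication method.)` also puts its full stop inside the parentheses in mid-sentence. Suggested: "generate an API key, then add it to the instance (choosing the standard authentication method). Once that is complete, you can start using the Use Case Builder!"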
Expand Down Expand Up @@ -34,4 +38,4 @@ This pack includes 1 dashboards:

## Dynamic Sections

There are Several Dynamic sections in this pack such as the **Getting Started**, **Common Use Cases** and **Incident Flow** section which are your guide to following XSOAR Best Practices and creating great use cases
There are Several Dynamic sections in this pack such as the **Getting Started**, **Common Use Cases** and **Incident Flow** section which are your guide to following XSOAR Best Practices and creating great use cases
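Review bot: The removed and added lines in this hunk are textually identical, so the only change is the end-of-file newline; that is fine, but while the line is being touched it is worth lower-casing "Several" and adding the missing full stop after "creating great use cases".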
16 changes: 16 additions & 0 deletions Packs/Use_Case_Builder/ReleaseNotes/1_0_1.md
@@ -0,0 +1,16 @@

#### Incident Fields

Updated the markdown and fixed formatting for the following fields:
- **Use Case Builder Data Enrichment and Threat Intelligence**
- **Use Case Builder IAM**
- **Use Case Builder Vulnerability Management**
- **Use Case TIM Best Practice**
- **Use Case Builder Endpoint**
- **Use Case Ingestion Best Practice**
- **Use Case Design Best Practice**
- **Use Case Builder Network Security NGFW**
- **Use Case Builder SEIM**
- **Use Case Builder Case Management**
- **Use Case Builder Email Gateway**
- **Use Case Builder Authentication**
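Review bot: The new release notes file begins with an empty line before `#### Incident Fields`; drop the leading blank line. `**Use Case Builder SEIM**` misspells SIEM, matching the `SEIM` entry added to `[known_words]` in `.pack-ignore` in this commit; the field name and this release note should both use SIEM.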
8 changes: 5 additions & 3 deletions Packs/Use_Case_Builder/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Use Case Builder",
"description": "To streamline the Use Case Design process and provide tools to help you get into production faster!",
"support": "community",
"currentVersion": "1.0.0",
"currentVersion": "1.0.1",
"author": "Joe Cosgrove",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "jcosgrove@paloaltonetworks.com",
Expand All @@ -11,8 +11,10 @@
],
"tags": [],
"useCases": [],
"keywords": ["Use Case Builder"],
"keywords": [
"Use Case Builder"
],
"marketplaces": [
"xsoar"
]
}
}
