Local Analysis Alert Investigation - WF Flow Fix (#32513)

* fixing an issue with a logic flow in Local Analysis Malware Alert Investigation * adding updated PNGs * fixed missing inputs * update RN * update RN
demisto · Feb 4, 2024 · 78a9a0f · 78a9a0f
1 parent 1a65742
commit 78a9a0f
Show file tree

Hide file tree

Showing 13 changed files with 323 additions and 161 deletions.
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml
@@ -142,42 +142,6 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
-  "14":
-    id: "14"
-    taskid: 23d5414c-6989-467d-8f25-135e5cc83841
-    type: regular
-    task:
-      id: 23d5414c-6989-467d-8f25-135e5cc83841
-      version: -1
-      name: Get WildFire report
-      description: Retrieves results for a file hash using WildFire.
-      script: '|||wildfire-report'
-      type: regular
-      iscommand: true
-      brand: ""
-    nexttasks:
-      '#none#':
-      - "42"
-    scriptarguments:
-      sha256:
-        complex:
-          root: inputs.FileSHA256
-    separatecontext: false
-    continueonerror: true
-    view: |-
-      {
-        "position": {
-          "x": 2310,
-          "y": 1130
-        }
-      }
-    note: false
-    timertriggers: []
-    ignoreworker: false
-    skipunavailable: true
-    quietmode: 0
-    isoversize: false
-    isautoswitchedtoquietmode: false
   "15":
     id: "15"
     taskid: 6825c22c-48d1-4f99-803f-1b6169565f9c
@@ -232,16 +196,16 @@ tasks:
     task:
       id: 5a797f7b-e0f2-46de-85c1-0d2165ce20a9
       version: -1
-      name: Was the file found as Suspicious?
-      description: "Was the file found as suspicious?"
+      name: Was the file found as Benign?
+      description: Was the file found as suspicious?
       type: condition
       iscommand: false
       brand: ""
     nexttasks:
       '#default#':
       - "29"
       "yes":
-      - "14"
+      - "54"
     separatecontext: false
     conditions:
     - label: "yes"
@@ -696,7 +660,7 @@ tasks:
     task:
       id: cbb20744-6ea2-4151-8575-3bbac0b2962e
       version: -1
-      name: Set file verdict
+      name: Set file verdict suspicious
       description: Set the SuspectedVerdict key in context to Suspicious File.
       scriptName: Set
       type: regular
@@ -709,22 +673,13 @@ tasks:
       key:
         simple: FileVerdict
       value:
-        complex:
-          root: WildFire.Verdicts
-          accessor: VerdictDescription
-          transformers:
-          - operator: SetIfEmpty
-            args:
-              applyIfEmpty: {}
-              defaultValue:
-                value:
-                  simple: Suspicious
+        simple: Suspicious
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 2310,
-          "y": 1450
+          "x": 2320,
+          "y": 1190
         }
       }
     note: false
@@ -961,41 +916,6 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
-  "42":
-    id: "42"
-    taskid: 765d45fd-edfa-4084-8e93-ee9b3687c228
-    type: regular
-    task:
-      id: 765d45fd-edfa-4084-8e93-ee9b3687c228
-      version: -1
-      name: Get WildFire verdict
-      description: Returns a verdict for a hash.
-      script: '|||wildfire-get-verdict'
-      type: regular
-      iscommand: true
-      brand: ""
-    nexttasks:
-      '#none#':
-      - "29"
-    scriptarguments:
-      hash:
-        complex:
-          root: inputs.FileSHA256
-    separatecontext: false
-    view: |-
-      {
-        "position": {
-          "x": 2310,
-          "y": 1290
-        }
-      }
-    note: false
-    timertriggers: []
-    ignoreworker: false
-    skipunavailable: true
-    quietmode: 0
-    isoversize: false
-    isautoswitchedtoquietmode: false
   "43":
     id: "43"
     taskid: 30038490-f60a-4a8a-8edd-06bd7af8e182
@@ -1347,6 +1267,43 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "54":
+    id: "54"
+    taskid: 22852879-29ee-4b24-8286-57c1d6f5f3ef
+    type: regular
+    task:
+      id: 22852879-29ee-4b24-8286-57c1d6f5f3ef
+      version: -1
+      name: Set file verdict benign
+      description: Set the SuspectedVerdict key in context to Suspicious File.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "25"
+    scriptarguments:
+      key:
+        simple: FileVerdict
+      value:
+        simple: Benign
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1880,
+          "y": 1190
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 system: true
 view: |-
   {

diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md
@@ -6,26 +6,25 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
+* URL Enrichment - Generic v2
 * Domain Enrichment - Generic v2
 * Get prevalence for IOCs
-* IP Enrichment - Generic v2
-* Account Enrichment - Generic v2.1
-* URL Enrichment - Generic v2
 * File Reputation
+* Account Enrichment - Generic v2.1
+* IP Enrichment - Generic v2
 
 ### Integrations
 
 This playbook does not use any integrations.
 
 ### Scripts
 
-* SearchIncidentsV2
 * Set
+* SearchIncidentsV2
 
 ### Commands
 
-* wildfire-get-verdict
-* wildfire-report
+This playbook does not use any commands.
 
 ## Playbook Inputs
 

diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation.yml b/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation.yml
@@ -26,6 +26,7 @@ tasks:
       - "7"
       - "4"
       - "18"
+      - "25"
     separatecontext: false
     view: |-
       {
@@ -129,7 +130,7 @@ tasks:
     note: false
     timertriggers: []
     ignoreworker: false
-    skipunavailable: false
+    skipunavailable: true
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
@@ -346,7 +347,7 @@ tasks:
     task:
       id: afa05da2-350f-4d09-85f1-7d9ddb31477c
       version: -1
-      name: Set file verdict - NSRL
+      name: Set file verdict - IsNSRL
       description: Set a value in context under the key you entered.
       scriptName: Set
       type: regular
@@ -682,7 +683,7 @@ tasks:
     task:
       id: bb096e6a-72b8-43f3-81a3-14633d6a58d3
       version: -1
-      name: Set file verdict - NSRL
+      name: Set file verdict - IsNotNSRL
       description: Set a value in context under the key you entered.
       scriptName: Set
       type: regular
@@ -754,7 +755,7 @@ tasks:
     task:
       id: 9bc117b9-97ee-4aa4-81b5-e2ca1e5c9549
       version: -1
-      name: Set file verdict - XDR-TrustedSigners
+      name: Set file verdict - XDR-UnTrustedSigners
       description: Set a value in context under the key you entered.
       scriptName: Set
       type: regular
@@ -825,6 +826,112 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "25":
+    id: "25"
+    taskid: 825810e7-b8fb-4347-894b-51dae87fcb7f
+    type: title
+    task:
+      id: 825810e7-b8fb-4347-894b-51dae87fcb7f
+      version: -1
+      name: WildFire
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "27"
+      - "28"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -2950,
+          "y": -440
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "27":
+    id: "27"
+    taskid: 7bcc68bb-ba26-4690-8535-395ec5fbb28f
+    type: regular
+    task:
+      id: 7bcc68bb-ba26-4690-8535-395ec5fbb28f
+      version: -1
+      name: Get WildFire report
+      description: Retrieves results for a file hash using WildFire.
+      script: '|||wildfire-report'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      sha256:
+        complex:
+          root: inputs.FileSHA256
+    separatecontext: false
+    continueonerror: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -2730,
+          "y": 90
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "28":
+    id: "28"
+    taskid: e91fa96b-14ce-40a2-8ba6-2607ee95ea47
+    type: regular
+    task:
+      id: e91fa96b-14ce-40a2-8ba6-2607ee95ea47
+      version: -1
+      name: Get WildFire verdict
+      description: Returns a verdict for a hash.
+      script: '|||wildfire-get-verdict'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      hash:
+        complex:
+          root: inputs.FileSHA256
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -3170,
+          "y": 90
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+system: true
 view: |-
   {
     "linkLabelsPosition": {
@@ -840,8 +947,8 @@ view: |-
     "paper": {
       "dimensions": {
         "height": 1195,
-        "width": 3540,
-        "x": -2280,
+        "width": 4430,
+        "x": -3170,
         "y": -600
       }
     }
@@ -879,6 +986,12 @@ outputs:
 - contextPath: XDRFileSigners
   description: XDR file signers.
   type: unknown
+- contextPath: WildFire.Report
+  description: WildFire report details.
+  type: unknown
+- contextPath: WildFire.Verdicts
+  description: WildFire verdict.
+  type: unknown
 tests:
 - No tests.
 fromversion: 6.6.0