diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml index bc843e925f62..baa0bb3df044 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict.yml @@ -142,42 +142,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "14": - id: "14" - taskid: 23d5414c-6989-467d-8f25-135e5cc83841 - type: regular - task: - id: 23d5414c-6989-467d-8f25-135e5cc83841 - version: -1 - name: Get WildFire report - description: Retrieves results for a file hash using WildFire. - script: '|||wildfire-report' - type: regular - iscommand: true - brand: "" - nexttasks: - '#none#': - - "42" - scriptarguments: - sha256: - complex: - root: inputs.FileSHA256 - separatecontext: false - continueonerror: true - view: |- - { - "position": { - "x": 2310, - "y": 1130 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "15": id: "15" taskid: 6825c22c-48d1-4f99-803f-1b6169565f9c @@ -232,8 +196,8 @@ tasks: task: id: 5a797f7b-e0f2-46de-85c1-0d2165ce20a9 version: -1 - name: Was the file found as Suspicious? - description: "Was the file found as suspicious?" + name: Was the file found as Benign? + description: Was the file found as suspicious? type: condition iscommand: false brand: "" @@ -241,7 +205,7 @@ tasks: '#default#': - "29" "yes": - - "14" + - "54" separatecontext: false conditions: - label: "yes" @@ -696,7 +660,7 @@ tasks: task: id: cbb20744-6ea2-4151-8575-3bbac0b2962e version: -1 - name: Set file verdict + name: Set file verdict suspicious description: Set the SuspectedVerdict key in context to Suspicious File. scriptName: Set type: regular 
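Review bot: In the hunk at @@ -232,8 +196,8 the condition task is renamed `Was the file found as Benign?` while its description still reads `Was the file found as suspicious?`; the two should agree, e.g. `description: Was the file found as benign?`. The `conditions:` list that drives the `yes` branch is cut off by that hunk and by @@ -241,7 +205,7, which now routes `yes` to task "54" (`Set file verdict benign`), so confirm the condition expression itself was inverted; otherwise a file matching the former suspicious check is written to context as `FileVerdict: Benign` and downstream playbooks will treat it as clean. The same copy-paste description appears on new task "54" in the @@ -1347,6 +1267,43 hunk, where `description: Set the SuspectedVerdict key in context to Suspicious File.` should read `Set the FileVerdict key in context to Benign.`, since the task writes key `FileVerdict` with value `Benign`.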
@@ -709,22 +673,13 @@ tasks: key: simple: FileVerdict value: - complex: - root: WildFire.Verdicts - accessor: VerdictDescription - transformers: - - operator: SetIfEmpty - args: - applyIfEmpty: {} - defaultValue: - value: - simple: Suspicious + simple: Suspicious separatecontext: false view: |- { "position": { - "x": 2310, - "y": 1450 + "x": 2320, + "y": 1190 } } note: false @@ -961,41 +916,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "42": - id: "42" - taskid: 765d45fd-edfa-4084-8e93-ee9b3687c228 - type: regular - task: - id: 765d45fd-edfa-4084-8e93-ee9b3687c228 - version: -1 - name: Get WildFire verdict - description: Returns a verdict for a hash. - script: '|||wildfire-get-verdict' - type: regular - iscommand: true - brand: "" - nexttasks: - '#none#': - - "29" - scriptarguments: - hash: - complex: - root: inputs.FileSHA256 - separatecontext: false - view: |- - { - "position": { - "x": 2310, - "y": 1290 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "43": id: "43" taskid: 30038490-f60a-4a8a-8edd-06bd7af8e182 @@ -1347,6 +1267,43 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: 22852879-29ee-4b24-8286-57c1d6f5f3ef + type: regular + task: + id: 22852879-29ee-4b24-8286-57c1d6f5f3ef + version: -1 + name: Set file verdict benign + description: Set the SuspectedVerdict key in context to Suspicious File. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "25" + scriptarguments: + key: + simple: FileVerdict + value: + simple: Benign + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1880, + "y": 1190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false system: true view: |- { 
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md index a1030089a7ef..b11545db9c85 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Enrichment_for_Verdict_README.md @@ -6,12 +6,12 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks +* URL Enrichment - Generic v2 * Domain Enrichment - Generic v2 * Get prevalence for IOCs -* IP Enrichment - Generic v2 -* Account Enrichment - Generic v2.1 -* URL Enrichment - Generic v2 * File Reputation +* Account Enrichment - Generic v2.1 +* IP Enrichment - Generic v2 ### Integrations @@ -19,13 +19,12 @@ This playbook does not use any integrations. ### Scripts -* SearchIncidentsV2 * Set +* SearchIncidentsV2 ### Commands -* wildfire-get-verdict -* wildfire-report +This playbook does not use any commands. ## Playbook Inputs diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation.yml b/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation.yml index c04d48bf21ea..d7867bc79236 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation.yml @@ -26,6 +26,7 @@ tasks: - "7" - "4" - "18" + - "25" separatecontext: false view: |- { @@ -129,7 +130,7 @@ tasks: note: false timertriggers: [] ignoreworker: false - skipunavailable: false + skipunavailable: true quietmode: 0 isoversize: false isautoswitchedtoquietmode: false @@ -346,7 +347,7 @@ tasks: task: id: afa05da2-350f-4d09-85f1-7d9ddb31477c version: -1 - name: Set file verdict - NSRL + name: Set file verdict - IsNSRL description: Set a value in context under the key you entered. scriptName: Set type: regular 
@@ -682,7 +683,7 @@ tasks: task: id: bb096e6a-72b8-43f3-81a3-14633d6a58d3 version: -1 - name: Set file verdict - NSRL + name: Set file verdict - IsNotNSRL description: Set a value in context under the key you entered. scriptName: Set type: regular @@ -754,7 +755,7 @@ tasks: task: id: 9bc117b9-97ee-4aa4-81b5-e2ca1e5c9549 version: -1 - name: Set file verdict - XDR-TrustedSigners + name: Set file verdict - XDR-UnTrustedSigners description: Set a value in context under the key you entered. scriptName: Set type: regular 
@@ -825,6 +826,112 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 825810e7-b8fb-4347-894b-51dae87fcb7f + type: title + task: + id: 825810e7-b8fb-4347-894b-51dae87fcb7f + version: -1 + name: WildFire + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "27" + - "28" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -2950, + "y": -440 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 7bcc68bb-ba26-4690-8535-395ec5fbb28f + type: regular + task: + id: 7bcc68bb-ba26-4690-8535-395ec5fbb28f + version: -1 + name: Get WildFire report + description: Retrieves results for a file hash using WildFire. + script: '|||wildfire-report' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + sha256: + complex: + root: inputs.FileSHA256 + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -2730, + "y": 90 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: e91fa96b-14ce-40a2-8ba6-2607ee95ea47 + type: regular + task: + id: e91fa96b-14ce-40a2-8ba6-2607ee95ea47 + version: -1 + name: Get WildFire verdict + description: Returns a verdict for a hash. 
+ script: '|||wildfire-get-verdict' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + hash: + complex: + root: inputs.FileSHA256 + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -3170, + "y": 90 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -840,8 +947,8 @@ view: |- "paper": { "dimensions": { "height": 1195, - "width": 3540, - "x": -2280, + "width": 4430, + "x": -3170, "y": -600 } } @@ -879,6 +986,12 @@ outputs: - contextPath: XDRFileSigners description: XDR file signers. type: unknown +- contextPath: WildFire.Report + description: WildFire report details. + type: unknown +- contextPath: WildFire.Verdicts + description: WildFire verdict. + type: unknown tests: - No tests. fromversion: 6.6.0 diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation_README.md b/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation_README.md index 1220ee154eaf..9860967a1f56 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation_README.md +++ b/Packs/CommonPlaybooks/Playbooks/playbook-File_Reputation_README.md @@ -10,23 +10,31 @@ Note: a user can provide a list of trusted signers of his own using the playbook ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + This playbook does not use any integrations. ### Scripts + +* Set * http * ParseJSON -* Set ### Commands + +* wildfire-report +* wildfire-get-verdict * file ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -36,6 +44,7 @@ This playbook does not use any integrations. | FileSHA256 | The file SHA256. | | Optional | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | 
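Review bot: In the @@ -825,6 +826,112 hunk the two new WildFire tasks handle failure differently: task "27" (`wildfire-report`) carries `continueonerror: true` but task "28" (`wildfire-get-verdict`) does not, so an error from the verdict lookup halts the playbook while an error from the report lookup is skipped, even though both converge on task "3". If the asymmetry is intended, state it in task "28"'s description; otherwise add `continueonerror: true` beside its `separatecontext: false`. The @@ -879,6 +986,12 hunk documents the new `WildFire.Verdicts` output only as `WildFire verdict.`, yet another playbook in this commit branches on the numeric `WildFire.Verdicts.Verdict` code; a description such as `WildFire verdict object; Verdict holds the numeric verdict code.` would make that cross-playbook contract explicit.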
@@ -44,7 +53,11 @@ This playbook does not use any integrations. | NSRLFileVerdict | NSRL file verdict. | unknown | | VTFileSigners | VirusTotal file signers. | unknown | | XDRFileSigners | XDR file signers. | unknown | +| WildFire.Report | WildFire report details. | unknown | +| WildFire.Verdicts | WildFire verdict. | unknown | ## Playbook Image + --- -![File Reputation](https://raw.githubusercontent.com/demisto/content/48a7f1a1a628a2755201c55c24bc68d94e0dd49c/Packs/CommonPlaybooks/doc_files/File_Reputation.png) \ No newline at end of file + +![File Reputation](../doc_files/File_Reputation.png) diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_6_7.md b/Packs/CommonPlaybooks/ReleaseNotes/2_6_7.md new file mode 100644 index 000000000000..1575ca4a9e05 --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/2_6_7.md @@ -0,0 +1,10 @@ + +#### Playbooks + +##### File Reputation + +- Added a flow to get the file reputation from WildFire + +##### Enrichment for Verdict + +- Removed the WildFire reputation flow and moved it to the File Reputation playbook \ No newline at end of file diff --git a/Packs/CommonPlaybooks/doc_files/Enrichment_for_Verdict.png b/Packs/CommonPlaybooks/doc_files/Enrichment_for_Verdict.png index 36c9fc3c02a5..0cf2996a5003 100644 Binary files a/Packs/CommonPlaybooks/doc_files/Enrichment_for_Verdict.png and b/Packs/CommonPlaybooks/doc_files/Enrichment_for_Verdict.png differ diff --git a/Packs/CommonPlaybooks/doc_files/File_Reputation.png b/Packs/CommonPlaybooks/doc_files/File_Reputation.png index 44eb106c875c..faac84f6d6b7 100644 Binary files a/Packs/CommonPlaybooks/doc_files/File_Reputation.png and b/Packs/CommonPlaybooks/doc_files/File_Reputation.png differ diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json index 189721fe6b83..159a1e910c10 100644 --- a/Packs/CommonPlaybooks/pack_metadata.json +++ b/Packs/CommonPlaybooks/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Common Playbooks", "description": "Frequently used playbooks pack.", "support": "xsoar", - "currentVersion": "2.6.6", + "currentVersion": "2.6.7", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml b/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml index ffb0b024d590..8da1d6d8bc37 100644 --- a/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml +++ b/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation.yml @@ -99,14 +99,6 @@ tasks: value: simple: Suspicious ignorecase: true - - operator: isEqualString - left: - value: - simple: FileVerdict - iscontext: true - right: - value: - simple: Malicious - - operator: isEqualString left: value: @@ -225,9 +217,11 @@ tasks: brand: '' nexttasks: '#default#': - - '39' + - "39" Benign: - - "77" + - "85" + Greyware: + - "86" separatecontext: false conditions: - label: Benign @@ -241,31 +235,31 @@ tasks: iscontext: true right: value: - simple: '0' - - operator: isEqualString + simple: "0" + - label: Greyware + condition: + - - operator: isEqualString left: value: - complex: - root: inputs.GraywareAsMalware + simple: WildFire.Verdicts.Verdict iscontext: true right: value: - simple: 'False' + simple: "2" - - operator: isEqualString left: value: - complex: - root: inputs.ShouldRescanBenign + simple: inputs.GraywareAsMalware iscontext: true right: value: - simple: 'True' - ignorecase: true + simple: "False" + continueonerrortype: "" view: |- { "position": { "x": 900, - "y": 875 + "y": 825 } } note: false @@ -275,9 +269,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" - '33': - id: '33' + "33": + id: "33" taskid: 6b6f4826-2aa2-456a-8587-93f122f1c99e type: title task: @@ -428,7 +421,7 @@ tasks: { "position": { "x": 900, - "y": 2910 + "y": 2800 } } note: false 
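Review bot: In the @@ -241,31 +235,31 hunk the new `Greyware` label compares `inputs.GraywareAsMalware` against `"False"` without `ignorecase: true`, whereas the `inputs.ShouldRescanBenign` check added at @@ -1820,11 +1813,20 sets `ignorecase: true`; a caller passing `false` therefore fails the Greyware match and the alert falls through to `#default#` (task "39"), the same path an unmatched malware verdict takes. Add `ignorecase: true` under that `right:` value so the two input checks behave alike. The verdict literals `"0"` and `"2"` are undocumented here; a short task description stating which WildFire verdict code each label matches would help the next reader, and the condition task's header lies outside the hunk so its id cannot be confirmed from this view. The @@ -99,14 +99,6 hunk drops the `FileVerdict` = `Malicious` alternative from a condition whose task is likewise outside the hunk; that is consistent with the Enrichment for Verdict change in this commit, which now writes only `Suspicious` or `Benign`, but confirm no other producer of `FileVerdict` still emits `Malicious`.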
@@ -472,7 +465,7 @@ tasks: { "position": { "x": 900, - "y": 2670 + "y": 2560 } } note: false @@ -550,7 +543,7 @@ tasks: { "position": { "x": 900, - "y": 3410 + "y": 3300 } } note: false @@ -596,7 +589,7 @@ tasks: { "position": { "x": 900, - "y": 3750 + "y": 3640 } } note: false @@ -627,7 +620,7 @@ tasks: { "position": { "x": 1270, - "y": 3920 + "y": 3810 } } note: false @@ -658,7 +651,7 @@ tasks: { "position": { "x": 900, - "y": 3255 + "y": 3145 } } note: false @@ -685,8 +678,8 @@ tasks: view: |- { "position": { - "x": 430, - "y": 4290 + "x": 40, + "y": 4170 } } note: false @@ -889,8 +882,8 @@ tasks: view: |- { "position": { - "x": 1280, - "y": 1720 + "x": 1340, + "y": 1590 } } note: false @@ -926,8 +919,8 @@ tasks: view: |- { "position": { - "x": 1280, - "y": 1880 + "x": 1340, + "y": 1750 } } note: false @@ -1135,7 +1128,7 @@ tasks: { "position": { "x": 900, - "y": 2500 + "y": 2390 } } note: false @@ -1265,7 +1258,7 @@ tasks: { "position": { "x": 1300, - "y": 3050 + "y": 2940 } } note: false @@ -1398,7 +1391,7 @@ tasks: { "position": { "x": 1370, - "y": 3580 + "y": 3470 } } note: false @@ -1457,8 +1450,8 @@ tasks: view: |- { "position": { - "x": 430, - "y": 2500 + "x": 40, + "y": 2390 } } note: false @@ -1493,8 +1486,8 @@ tasks: view: |- { "position": { - "x": 1280, - "y": 2040 + "x": 1340, + "y": 1910 } } note: false @@ -1577,8 +1570,8 @@ tasks: view: |- { "position": { - "x": 1280, - "y": 2200 + "x": 1340, + "y": 2070 } } note: false @@ -1624,7 +1617,7 @@ tasks: { "position": { "x": 1760, - "y": 3050 + "y": 2940 } } note: false @@ -1742,7 +1735,7 @@ tasks: { "position": { "x": 1760, - "y": 2910 + "y": 2800 } } note: false @@ -1777,8 +1770,8 @@ tasks: view: |- { "position": { - "x": 1280, - "y": 1280 + "x": 1340, + "y": 1150 } } note: false 
@@ -1820,11 +1813,20 @@ tasks: right: value: simple: Success + - operator: isEqualString + left: + value: + simple: inputs.ShouldRescanBenign + iscontext: true + right: + value: + simple: "True" + ignorecase: true view: |- { "position": { - "x": 1280, - "y": 1480 + "x": 1340, + "y": 1350 } } note: false @@ -1851,7 +1853,6 @@ tasks: '#none#': - "80" separatecontext: false - continueonerrortype: "" view: |- { "position": { @@ -2086,6 +2087,69 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "85": + id: "85" + taskid: d5e7fd85-67c3-44c5-8f35-f08f3727a564 + type: title + task: + id: d5e7fd85-67c3-44c5-8f35-f08f3727a564 + version: -1 + name: Benign + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "77" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1560, + "y": 1010 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "86": + id: "86" + taskid: 4457cf9c-89af-450f-8fe6-c211a98c3eca + type: title + task: + id: 4457cf9c-89af-450f-8fe6-c211a98c3eca + version: -1 + name: Greyware + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "77" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1110, + "y": 1010 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { diff --git a/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation_README.md b/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation_README.md index e9a64657d285..345214b4bbe3 100644 --- a/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation_README.md +++ b/Packs/Core/Playbooks/playbook-Local_Analysis_alert_Investigation_README.md 
@@ -41,14 +41,14 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Containment Plan -* Handle False Positive Alerts -* Ticket Management - Generic * Wildfire Detonate and Analyze File * Enrichment for Verdict +* Recovery Plan * Endpoint Investigation Plan +* Ticket Management - Generic +* Containment Plan * Eradication Plan -* Recovery Plan +* Handle False Positive Alerts ### Integrations @@ -62,11 +62,11 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Commands * core-retrieve-file-details -* closeInvestigation -* core-report-incorrect-wildfire -* internal-wildfire-get-report * setParentIncidentFields +* internal-wildfire-get-report +* closeInvestigation * core-retrieve-files +* core-report-incorrect-wildfire ## Playbook Inputs diff --git a/Packs/Core/ReleaseNotes/3_0_17.md b/Packs/Core/ReleaseNotes/3_0_17.md new file mode 100644 index 000000000000..2f89d60e4850 --- /dev/null +++ b/Packs/Core/ReleaseNotes/3_0_17.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Local Analysis alert Investigation + +- Fixed the WildFire verdict decision tas number 14 to handle correctly Benign and Malware verdicts diff --git a/Packs/Core/doc_files/Local_Analysis_alert_Investigation.png b/Packs/Core/doc_files/Local_Analysis_alert_Investigation.png index 9e574181d735..f7a6fdda057c 100644 Binary files a/Packs/Core/doc_files/Local_Analysis_alert_Investigation.png and b/Packs/Core/doc_files/Local_Analysis_alert_Investigation.png differ diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json index b0ed5bbd6110..2204eb640190 100644 --- a/Packs/Core/pack_metadata.json +++ b/Packs/Core/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Core - Investigation and Response", "description": "Automates incident response", "support": "xsoar", - "currentVersion": "3.0.16", + "currentVersion": "3.0.17", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",