diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Status_Reason.json b/Packs/CommonTypes/IncidentFields/incidentfield-Status_Reason.json
new file mode 100644
index 000000000000..8e9a1bd92ac2
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Status_Reason.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "statusreason",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_statusreason",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Status Reason",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_98.md b/Packs/CommonTypes/ReleaseNotes/3_3_98.md
new file mode 100644
index 000000000000..7db415c80e47
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_3_98.md
@@ -0,0 +1,4 @@
+
+#### Incident Fields
+
+- New: **Status Reason**
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index 9f27ddaceffd..4ad676d294c5 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Types",
 "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
 "support": "xsoar",
- "currentVersion": "3.3.97",
+ "currentVersion": "3.3.98",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/PrismaCloud/Classifiers/classifier-mapper-incoming-Prisma_Cloud.json b/Packs/PrismaCloud/Classifiers/classifier-mapper-incoming-Prisma_Cloud.json
index 09d86704be78..4be930c0916c 100644
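Review bot: The new Status Reason field carries no `description`, so the only documentation an analyst gets for it is the two-word name; a one-line `"description": "Reason reported by the source for the alert's current status."` would say what the value means and where it comes from. The file also sets `"unsearchable": true`, which keeps the reason text out of the index, so incidents cannot be filtered by it; that is fine if the value is purely informational, but if analysts are expected to pivot on it (all alerts dismissed for the same reason, for example) it should be searchable. The remaining keys match the usual defaults for a short-text field.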
--- a/Packs/PrismaCloud/Classifiers/classifier-mapper-incoming-Prisma_Cloud.json
+++ b/Packs/PrismaCloud/Classifiers/classifier-mapper-incoming-Prisma_Cloud.json
@@ -1949,7 +1949,11 @@
 "accessor": "lastModifiedOn",
 "filters": [],
 "root": "policy",
- "transformers": []
+ "transformers": [
+ {
+ "operator": "TimeStampToDate"
+ }
+ ]
 }
 },
 "Last Seen": {
@@ -2073,7 +2077,11 @@
 "complex": {
 "filters": [],
 "root": "alertTime",
- "transformers": []
+ "transformers": [
+ {
+ "operator": "TimeStampToDate"
+ }
+ ]
 }
 },
 "RRN": {
@@ -2159,6 +2167,13 @@
 "transformers": []
 }
 },
+"Status Reason": {
+ "complex": {
+ "filters": [],
+ "root": "reason",
+ "transformers": []
+ }
+ },
 "Subscription Assigned By": {
 "complex": {
 "accessor": "data.properties.metadata.assignedBy",
diff --git a/Packs/PrismaCloud/LayoutRules/Prisma_Cloud_V2.json b/Packs/PrismaCloud/LayoutRules/Prisma_Cloud_V2.json
new file mode 100644
index 000000000000..8fbf4ac65586
--- /dev/null
+++ b/Packs/PrismaCloud/LayoutRules/Prisma_Cloud_V2.json
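Review bot: The added `"Status Reason"` key in the third hunk sits at column 0 (there is no whitespace after the `+`), while its own nested lines and the neighbouring `"Subscription Assigned By"` key are indented; the file stays valid JSON, but the key should be indented like its siblings so the mapper reads consistently and the next formatter run does not produce a noisy diff. The first two hunks attach a `TimeStampToDate` transformer to `lastModifiedOn` and `alertTime`; the hunk does not show what unit those source values arrive in (seconds or milliseconds), so the rendered dates are worth confirming against a real alert before release. The `reason` value is mapped through untransformed into a short-text field, which is the right shape for free text coming from the source.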
@@ -0,0 +1,68 @@ +{ + "rule_id": "Prisma_Cloud_V2_Layout_Rule", + "layout_id": "Prisma Cloud V2", + "description": "display for Prisma Cloud alerts.", + "rule_name": "Prisma Cloud V2 Layout Rule", + "alerts_filter": { + "filter": { + "OR": [ + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "AWS CloudTrail Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "AWS EC2 Instance Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "AWS IAM Policy Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "Azure AKS Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "Azure Network Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "Azure SQL Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "Azure Storage Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "GCP Compute Engine Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "GCP Kubernetes Engine Misconfiguration" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "Prisma Cloud - VM Alert Prioritization" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "Prisma Cloud" + } + ] + } + }, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/PrismaCloud/Layouts/layoutscontainer-Prisma_Cloud_V2.json b/Packs/PrismaCloud/Layouts/layoutscontainer-Prisma_Cloud_V2.json new file mode 100644 index 000000000000..9d7034dccf3b --- /dev/null +++ b/Packs/PrismaCloud/Layouts/layoutscontainer-Prisma_Cloud_V2.json 
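Review bot: The layout rule's `description` reads `"display for Prisma Cloud alerts."`, which is lower-case and does not say what the rule does; `"description": "Applies the Prisma Cloud V2 layout to Prisma Cloud alert types."` would serve as documentation. The `alerts_filter` is an `OR` of eleven exact `alert_type` matches, so any Prisma Cloud alert type introduced later will not match this rule until the list is extended; strict JSON leaves nowhere to record that maintenance rule, so it belongs in the pack README next to the list of supported alert types.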
@@ -0,0 +1,570 @@ +{ + "detailsV2": { + "tabs": [ + { + "hidden": false, + "id": "gfrgdzfgei", + "name": "Alert Info", + "sections": [ + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "gfrgdzfgei-aa0d7560-b338-11e9-b119-d93d58ec6fe8", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "type", + "height": 26, + "id": "0acff760-b339-11e9-b119-d93d58ec6fe8", + "index": 0, + "listId": "gfrgdzfgei-aa0d7560-b338-11e9-b119-d93d58ec6fe8", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 26, + "id": "0d2d2140-b339-11e9-b119-d93d58ec6fe8", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 26, + "id": "108218a0-b339-11e9-b119-d93d58ec6fe8", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 26, + "id": "19d3ced0-b339-11e9-b119-d93d58ec6fe8", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "sourcebrand", + "height": 26, + "id": "21f23520-b339-11e9-b119-d93d58ec6fe8", + "index": 4, + "listId": "gfrgdzfgei-aa0d7560-b338-11e9-b119-d93d58ec6fe8", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 26, + "id": "282bfcf0-b339-11e9-b119-d93d58ec6fe8", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Alert Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 3, + "hideName": false, + "i": "gfrgdzfgei-ba344900-b338-11e9-b119-d93d58ec6fe8", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 2, + "y": 0 + }, + { + "h": 4, + "hideName": false, + "i": "gfrgdzfgei-c0c5f4d0-b338-11e9-b119-d93d58ec6fe8", + "items": [], + "maxW": 3, + "minH": 1, + 
"moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 0, + "y": 3 + }, + { + "h": 4, + "hideName": false, + "i": "gfrgdzfgei-c690a720-b338-11e9-b119-d93d58ec6fe8", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Incident Timeline", + "query": { + "categories": [ + "incidentInfo" + ], + "lastId": "", + "pageSize": 100, + "tags": [], + "users": [] + }, + "queryType": "warRoomFilter", + "static": false, + "type": "invTimeline", + "w": 2, + "x": 1, + "y": 3 + }, + { + "description": "", + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "items": [ + { + "endCol": 2, + "fieldId": "prismacloudid", + "height": 26, + "id": "7a4369a0-f8b8-11e9-a470-b7537b797c27", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "prismacloudtime", + "height": 26, + "id": "97ada000-f8b8-11e9-a470-b7537b797c27", + "index": 1, + "listId": "gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "prismacloudstatus", + "height": 26, + "id": "7fc5c850-f8b8-11e9-a470-b7537b797c27", + "index": 2, + "listId": "gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "statusreason", + "height": 26, + "id": "0e2688a0-9d8d-11ee-a927-75775b2f32ea", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "firstseen", + "height": 26, + "id": "a5bd1cf0-f766-11e9-8c27-6359f1848ae7", + "index": 4, + "listId": "gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "lastseen", + "height": 26, + "id": "a6b97e50-f766-11e9-8c27-6359f1848ae7", + "index": 5, + "listId": 
"gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "riskscore", + "height": 26, + "id": "b062f170-f766-11e9-8c27-6359f1848ae7", + "index": 6, + "listId": "gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "riskrating", + "height": 26, + "id": "aa6fa880-f766-11e9-8c27-6359f1848ae7", + "index": 7, + "listId": "gfrgdzfgei-57cfecc0-f766-11e9-8c27-6359f1848ae7", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Prisma Cloud Alert Summary", + "static": false, + "w": 1, + "x": 1, + "y": 0 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "fyjdlofdhd", + "name": "Technical Info", + "sections": [ + { + "description": "Remediation tasks information.", + "displayType": "CARD", + "h": 3, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "gfrgdzfgei-fyjdlofdhd-f70ad9a0-93c3-11e9-a1e7-13edb5b78371", + "isVisible": true, + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "policyrecommendation", + "height": 48, + "id": "25b6c980-93c4-11e9-a1e7-13edb5b78371", + "index": 0, + "listId": "fyjdlofdhd-f70ad9a0-93c3-11e9-a1e7-13edb5b78371", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Remediation Actions", + "static": false, + "w": 1, + "x": 2, + "y": 0 + }, + { + "description": "Violated policy information.", + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "gfrgdzfgei-fyjdlofdhd-3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "policyid", + "height": 24, + "id": "60add970-93c4-11e9-a1e7-13edb5b78371", + "index": 0, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "policytype", + "height": 24, + "id": "650d8a10-93c4-11e9-a1e7-13edb5b78371", + "index": 1, + "startCol": 0 
+ }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "policyseverity", + "height": 24, + "id": "569fc100-a9d1-11e9-a91e-57df9227e86a", + "index": 2, + "listId": "3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "policydescription", + "height": 48, + "id": "52384830-a9d1-11e9-a91e-57df9227e86a", + "index": 3, + "listId": "3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "systemdefault", + "height": 24, + "id": "dbf3d150-a9d8-11e9-a91e-57df9227e86a", + "index": 4, + "listId": "3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "policyremediable", + "height": 24, + "id": "67e58940-93c4-11e9-a1e7-13edb5b78371", + "index": 5, + "listId": "3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "policydeleted", + "height": 24, + "id": "642758b0-a9d1-11e9-a91e-57df9227e86a", + "index": 6, + "listId": "3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "lastmodifiedon", + "height": 24, + "id": "ad90aa40-a9d8-11e9-a91e-57df9227e86a", + "index": 7, + "listId": "3cf20d80-93c4-11e9-a1e7-13edb5b78371", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "lastmodifiedby", + "height": 24, + "id": "b07a0e90-a9d8-11e9-a91e-57df9227e86a", + "index": 8, + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Policy Violated", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "description": "Violating resource information.", + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "gfrgdzfgei-fyjdlofdhd-9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "isVisible": true, + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "resourceid", + "height": 24, + "id": "bac55b40-93c4-11e9-9dd5-3b4f6f9f1bae", + "index": 0, 
+ "listId": "9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "resourcename", + "height": 24, + "id": "b80a59f0-93c4-11e9-9dd5-3b4f6f9f1bae", + "index": 1, + "listId": "9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "resourcetype", + "height": 24, + "id": "c9fc50a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "index": 2, + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "region", + "height": 24, + "id": "c61a8290-93c4-11e9-9dd5-3b4f6f9f1bae", + "index": 3, + "listId": "9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "accountname", + "height": 24, + "id": "c264f4a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "index": 4, + "listId": "9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "accountid", + "height": 24, + "id": "18654c40-a9d9-11e9-a91e-57df9227e86a", + "index": 5, + "listId": "9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "resourceapiname", + "height": 24, + "id": "0a428600-a9d9-11e9-a91e-57df9227e86a", + "index": 6, + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "resourcecloudtype", + "height": 24, + "id": "cc430c50-93c4-11e9-9dd5-3b4f6f9f1bae", + "index": 7, + "listId": "9c8d74a0-93c4-11e9-9dd5-3b4f6f9f1bae", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Violating Resource", + "static": false, + "w": 1, + "x": 1, + "y": 0 + }, + { + "description": "Policy compliance-related information.", + "displayType": "CARD", + "h": 3, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "gfrgdzfgei-fyjdlofdhd-98793800-a9d5-11e9-a91e-57df9227e86a", + "isVisible": true, + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Policy Compliance Metadata", + "static": false, + "w": 2, + "x": 0, + "y": 
6 + }, + { + "description": "Alert Rules created using the policy.", + "displayType": "CARD", + "h": 3, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "gfrgdzfgei-fyjdlofdhd-1adf4900-f761-11e9-8abd-b54c9337d32a", + "items": [ + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "prismacloudrules", + "height": 110, + "id": "aabb18d0-f8b8-11e9-a470-b7537b797c27", + "index": 0, + "listId": "fyjdlofdhd-1adf4900-f761-11e9-8abd-b54c9337d32a", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Alert Rules", + "static": false, + "w": 3, + "x": 0, + "y": 3 + }, + { + "displayType": "CARD", + "h": 3, + "hideItemTitleOnlyOne": true, + "i": "gfrgdzfgei-e446c900-9d9b-11ee-9ab5-577a321f7e17", + "items": [ + { + "endCol": 2, + "fieldId": "incident_attachment", + "height": 53, + "id": "e4423520-9d9b-11ee-9ab5-577a321f7e17", + "index": 0, + "isVisible": true, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Attachments", + "static": false, + "type": "", + "w": 1, + "x": 2, + "y": 6 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + } + ] + }, + "marketplaces": [ + "marketplacev2" + ], + "group": "incident", + "id": "Prisma Cloud V2", + "name": "Prisma Cloud V2", + "system": false, + "version": -1, + "fromVersion": "6.10.0", + "description": "" +} \ No newline at end of file diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2.yml index db35d48a29ea..c178adb63c5d 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2.yml 
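Review bot: The layout's top-level `description` is the empty string, and the Attachments section carries `"type": ""`, whereas every other section either omits `type` or sets it to a real kind (`workplan`, `notes`, `invTimeline`); a filled-in `"description": "Alert and technical details for Prisma Cloud V2 alerts."` documents the layout, and the empty `type` should be dropped so the section shape stays consistent. The new `statusreason` item in the Prisma Cloud Alert Summary section also lacks the `listId` its neighbours carry; that is most likely a harmless editor artifact, but it is worth confirming the field renders at its `index` of 3 before release.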
@@ -1,6 +1,7 @@ id: Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2 version: -1 -fromversion: 6.5.0 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2 description: |- This playbook remediates Prisma Cloud AWS CloudTrail alerts. It calls sub-playbooks that perform the actual remediation steps. @@ -9,7 +10,7 @@ description: |- - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions - AWS CloudTrail is not enabled in all regions - AWS CloudTrail Trail Is Not Integrated With CloudWatch Logs - - AWS CloudTrail is not enabled on the account + - AWS CloudTrail is not enabled on the account. starttaskid: "0" tasks: "0": @@ -20,23 +21,28 @@ tasks: id: 972c2cba-e9e8-4b4e-8f92-407ca7fb7917 version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "1" separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 690, - "y": -190 + "x": 680, + "y": -180 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "1": id: "1" taskid: 0a5eb45f-9464-4658-804d-c547f70d4ea1 @@ -85,16 +91,21 @@ tasks: right: value: simple: AWS - CloudTrail + continueonerrortype: "" view: |- { "position": { - "x": 690, + "x": 680, "y": -50 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" taskid: ff25e4bd-1a36-4ced-857a-e446165b0aaf @@ -127,16 +138,21 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { - "x": -150, - "y": 290 + "x": 1380, + "y": 310 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" taskid: c5628a8e-bcf2-4886-8c98-10499d31f6d7 
@@ -155,11 +171,12 @@ tasks: "Yes": - "10" separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 160, - "y": 460 + "x": 1160, + "y": 480 } } note: false @@ -178,9 +195,15 @@ tasks: retriescount: 2 retriesinterval: 360 completeafterreplies: 1 + completeafterv2: false + completeaftersla: false replyOptions: - "Yes" - "No" + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: b8279f24-0d0d-48f6-8c67-554d8e0dac81 @@ -198,16 +221,21 @@ tasks: '#none#': - "9" separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 800 + "x": 890, + "y": 840 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: 599730fe-9f1e-4a63-89c5-e941732683b6 @@ -225,26 +253,26 @@ tasks: '#none#': - "8" scriptarguments: - assetid: {} - closeNotes: {} - closeReason: {} - emailclassification: {} id: complex: root: incident accessor: id - phishingsubtype: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 450, + "x": 1500, "y": 1350 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: a8d06dc1-f186-4459-87b6-3d05d85f70d0 @@ -253,21 +281,26 @@ tasks: id: a8d06dc1-f186-4459-87b6-3d05d85f70d0 version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 690, + "x": 680, "y": 1520 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "9": id: "9" taskid: 74f7bb07-9a7c-4ac1-8e00-e7182e57208f @@ -285,7 +318,6 @@ tasks: - "7" "yes": - "17" - continueonerror: true separatecontext: false conditions: - label: "yes" 
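Review bot: In the `@@ -225,26 +253,26 @@` hunk, task 7 now passes only the incident `id` to the close script; the removed `closeNotes: {}` and `closeReason: {}` arguments were empty, so behaviour is unchanged, but it means an incident closed by this playbook records no reason for its closure. The later dismissal task already composes a note stating that the alert was remediated by Cortex XSOAR, so passing the same text as `closeNotes:` / `  simple: ${incident.labels.id} has been remediated by Cortex XSOAR.` plus a `closeReason` would keep that audit trail on the incident itself. The task's script name and next task are outside the hunk; I am inferring the script from the README's `closeInvestigation` entry.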
@@ -314,24 +346,30 @@ tasks: simple: active accessor: brand iscontext: true + continueonerror: true + continueonerrortype: "" view: |- { "position": { - "x": 450, + "x": 1500, "y": 1010 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "10": id: "10" - taskid: dc1e21c8-b771-4f12-8fc9-b53e3b98e410 + taskid: a69e7fa3-0e41-490d-867a-5095f727e355 type: condition task: - id: dc1e21c8-b771-4f12-8fc9-b53e3b98e410 + id: a69e7fa3-0e41-490d-867a-5095f727e355 version: -1 - name: Execute playbook + name: Remediate based on policy ID description: Execute the appropriate sub-playbook to perform the actual remediation. type: condition iscommand: false @@ -390,16 +428,21 @@ tasks: right: value: simple: 05befc8b-c78a-45e9-98dc-c7fbaef580e7 + continueonerrortype: "" view: |- { "position": { - "x": -150, - "y": 630 + "x": 1380, + "y": 650 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "13": id: "13" taskid: 2265ae7a-bc20-45ed-849b-d30e2853d952 @@ -427,16 +470,21 @@ tasks: complex: root: inputs.policyId iscontext: true + continueonerrortype: "" view: |- { "position": { - "x": 450, + "x": 890, "y": 120 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "14": id: "14" taskid: 5a898bb5-6f8e-4c9f-8dd9-d064da965868 @@ -445,11 +493,11 @@ tasks: id: 5a898bb5-6f8e-4c9f-8dd9-d064da965868 version: -1 name: Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration - description: "" playbookName: Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration type: playbook iscommand: false brand: "" + description: '' nexttasks: '#none#': - "9" 
@@ -458,20 +506,26 @@ tasks: complex: root: inputs.policyId separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" wait: 1 + max: 0 view: |- { "position": { - "x": 40, + "x": 1300, "y": 840 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "15": id: "15" taskid: a77d7d44-38b7-4b66-8599-3dbe50cb4034 @@ -494,20 +548,26 @@ tasks: CloudTrailRegion: simple: us-west-2 separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" wait: 1 + max: 0 view: |- { "position": { - "x": -390, + "x": 1700, "y": 840 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "16": id: "16" taskid: 025549f1-f265-49b3-8ae7-05e7f344a502 @@ -516,20 +576,21 @@ tasks: id: 025549f1-f265-49b3-8ae7-05e7f344a502 version: -1 name: Prisma Cloud Remediation - AWS CloudTrail Is Not Integrated With CloudWatch Logs - description: "" playbookName: Prisma Cloud Remediation - AWS CloudTrail Is Not Integrated With CloudWatch Logs type: playbook iscommand: false brand: "" + description: '' nexttasks: '#none#': - "9" separatecontext: true + continueonerrortype: "" view: |- { "position": { - "x": -810, - "y": 800 + "x": 2100, + "y": 840 } } note: false @@ -537,6 +598,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "17": id: "17" taskid: 9245d63b-9dcd-4cb6-81e6-6b09dcb35f4f @@ -566,12 +629,13 @@ tasks: simple: id dismissal_note: simple: ${incident.labels.id} has been remediated by Cortex XSOAR. - continueonerror: true separatecontext: false + continueonerror: true + continueonerrortype: "" view: |- { "position": { - "x": 140, + "x": 1190, "y": 1180 } } 
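Review bot: In the `@@ -566,12 +629,13 @@` hunk the dismissal task (the one with the `dismissal_note` argument, task 17 per the preceding hunk) keeps `continueonerror: true` and now adds `continueonerrortype: ""`, so a failed dismiss call is swallowed and the playbook carries on; the commit only relocates the line, but the effect is that the incident can proceed to closure while the alert remains undismissed at the source with nothing surfaced to the analyst. If continuing is intended, the following task should check the command result, or at least leave a war-room note, before the investigation is closed; otherwise drop `continueonerror: true` so the playbook stops on the error. The task's `nexttasks` are outside this hunk, so the exact follow-on step is inferred.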
@@ -580,12 +644,15 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { "10_14_trailMisconfig": 0.51, "10_15_account": 0.51, - "10_6_#default#": 0.52, + "10_6_#default#": 0.68, "13_3_yes": 0.29, "13_6_#default#": 0.27, "1_13_yes": 0.56, @@ -598,10 +665,10 @@ view: |- }, "paper": { "dimensions": { - "height": 1775, - "width": 1880, - "x": -810, - "y": -190 + "height": 1765, + "width": 1800, + "x": 680, + "y": -180 } } } @@ -611,6 +678,7 @@ inputs: simple: "no" required: false description: Update AWS CloudTrail automatically? + playbookInputQuery: - key: policyId value: complex: @@ -625,6 +693,8 @@ inputs: simple: policyId required: false description: Get the Prisma Cloud policy ID. + playbookInputQuery: outputs: [] tests: -- No Test +- No tests (auto formatted) +fromversion: 6.5.0 \ No newline at end of file diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2_README.md b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2_README.md index b66423a21a56..9f48542e554f 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2_README.md +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Misconfig_v2_README.md @@ -4,7 +4,7 @@ Remediation: - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions - AWS CloudTrail is not enabled in all regions - AWS CloudTrail Trail Is Not Integrated With CloudWatch Logs - - AWS CloudTrail is not enabled on the account + - AWS CloudTrail is not enabled on the account. ## Dependencies 
@@ -12,13 +12,13 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks +* Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration * Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account * Prisma Cloud Remediation - AWS CloudTrail Is Not Integrated With CloudWatch Logs -* Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration ### Integrations -PrismaCloud v2 +* PrismaCloud v2 ### Scripts @@ -26,8 +26,8 @@ This playbook does not use any scripts. ### Commands -* prisma-cloud-alert-dismiss * closeInvestigation +* prisma-cloud-alert-dismiss ## Playbook Inputs diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig.yml index 88835552c541..a821d1cca898 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig.yml @@ -1,6 +1,7 @@ id: Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration version: -1 -fromversion: 5.0.0 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration description: |- This playbook remediates the following Prisma Cloud AWS CloudTrail alerts. @@ -8,7 +9,7 @@ description: |- Prisma Cloud policies remediated: - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions - - AWS CloudTrail is not enabled in all regions + - AWS CloudTrail is not enabled in all regions. starttaskid: "0" tasks: "0": @@ -19,13 +20,14 @@ tasks: id: 305bea67-c7fc-4c7b-82e4-2fe016a2dc8d version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "11" separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -36,6 +38,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" taskid: cc4e73f0-012b-4764-8371-d19ac7ec4f12 @@ -44,8 +50,7 @@ tasks: id: cc4e73f0-012b-4764-8371-d19ac7ec4f12 version: -1 name: Get CloudTrail detail - description: Retrieves settings for the trail associated with the current region - for your account. + description: Retrieves settings for the trail associated with the current region for your account. script: AWS - CloudTrail|||aws-cloudtrail-describe-trails type: regular iscommand: true @@ -67,9 +72,6 @@ tasks: field: value: simple: regionId - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} trailNameList: complex: root: incident @@ -82,16 +84,21 @@ tasks: value: simple: name separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 200 + "x": 230, + "y": 160 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" taskid: 4bbca790-07ae-46d0-875c-fbe36ec0fea1 @@ -100,21 +107,26 @@ tasks: id: 4bbca790-07ae-46d0-875c-fbe36ec0fea1 version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { "x": 450, - "y": 860 + "y": 850 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: 4345980c-8417-4c1d-8731-b60891f78292 
@@ -123,8 +135,7 @@ tasks: id: 4345980c-8417-4c1d-8731-b60891f78292 version: -1 name: Update CloudTrail LogValidation - description: Updates the settings that specify delivery of log files. Changes - to a trail do not require stopping the CloudTrail service. + description: Updates the settings that specify delivery of log files. Changes to a trail do not require stopping the CloudTrail service. script: AWS - CloudTrail|||aws-cloudtrail-update-trail type: regular iscommand: true @@ -133,13 +144,8 @@ tasks: '#none#': - "3" scriptarguments: - cloudWatchLogsLogGroupArn: {} - cloudWatchLogsRoleArn: {} enableLogFileValidation: simple: "True" - includeGlobalServiceEvents: {} - isMultiRegionTrail: {} - kmsKeyId: {} name: complex: root: AWS @@ -148,23 +154,22 @@ tasks: complex: root: AWS accessor: CloudTrail.Trails.HomeRegion - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} - s3BucketName: {} - s3KeyPrefix: {} - snsTopicName: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 680, - "y": 690 + "x": 50, + "y": 680 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: 38769991-b99b-49d9-81f6-08fa7804e258 @@ -173,24 +178,29 @@ tasks: id: 38769991-b99b-49d9-81f6-08fa7804e258 version: -1 name: Log Validation Is Not Enabled In All Regions - description: "" type: title iscommand: false brand: "" + description: '' nexttasks: '#none#': - "6" separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 750, - "y": 550 + "x": 50, + "y": 540 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: 25ce1127-90a3-4d3d-8534-682c1cbaa338 
@@ -199,8 +209,7 @@ tasks: id: 25ce1127-90a3-4d3d-8534-682c1cbaa338 version: -1 name: Execute remediation - description: Remediate the appropriate Prisma Cloud policy based on the policy - Id. + description: Remediate the appropriate Prisma Cloud policy based on the policy Id. type: condition iscommand: false brand: "" @@ -235,16 +244,21 @@ tasks: right: value: simple: 36a5345a-230d-438e-a04c-a287a513e3dc + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 380 + "x": 230, + "y": 340 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "9": id: "9" taskid: 995dca59-86c9-448b-8e89-9aadebb39be7 @@ -253,24 +267,29 @@ tasks: id: 995dca59-86c9-448b-8e89-9aadebb39be7 version: -1 name: Trail Not Enabled In All Regions - description: "" type: title iscommand: false brand: "" + description: '' nexttasks: '#none#': - "10" separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 160, - "y": 550 + "x": -430, + "y": 540 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "10": id: "10" taskid: 3957322d-5aa1-42a0-8f63-22d364fcf373 @@ -279,8 +298,7 @@ tasks: id: 3957322d-5aa1-42a0-8f63-22d364fcf373 version: -1 name: Update CloudTrail MultiRegion - description: Updates the settings that specify delivery of log files. Changes - to a trail do not require stopping the CloudTrail service. + description: Updates the settings that specify delivery of log files. Changes to a trail do not require stopping the CloudTrail service. script: AWS - CloudTrail|||aws-cloudtrail-update-trail type: regular iscommand: true 
@@ -289,14 +307,10 @@ tasks: '#none#': - "3" scriptarguments: - cloudWatchLogsLogGroupArn: {} - cloudWatchLogsRoleArn: {} - enableLogFileValidation: {} includeGlobalServiceEvents: simple: "True" isMultiRegionTrail: simple: "True" - kmsKeyId: {} name: complex: root: AWS @@ -305,18 +319,13 @@ tasks: complex: root: AWS accessor: CloudTrail.Trails.HomeRegion - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} - s3BucketName: {} - s3KeyPrefix: {} - snsTopicName: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 230, - "y": 690 + "x": -430, + "y": 670 } } note: false @@ -324,6 +333,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "11": id: "11" taskid: c3d9c341-1e4b-4025-846d-dd4c45929670 @@ -369,11 +380,12 @@ tasks: simple: active accessor: brand iscontext: true + continueonerrortype: "" view: |- { "position": { "x": 450, - "y": -10 + "y": -30 } } note: false @@ -381,6 +393,9 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -391,9 +406,9 @@ view: |- }, "paper": { "dimensions": { - "height": 1085, - "width": 970, - "x": 160, + "height": 1075, + "width": 1260, + "x": -430, "y": -160 } } @@ -403,6 +418,8 @@ inputs: value: {} required: true description: Grab the Prisma Cloud policy Id. + playbookInputQuery: outputs: [] tests: -- No Test +- No tests (auto formatted) +fromversion: 5.0.0 \ No newline at end of file diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig_README.md b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig_README.md new file mode 100644 index 000000000000..0442a813b76f --- /dev/null +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_CloudTrail_Trail_Misconfig_README.md 
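Review bot: The `fromversion: 5.0.0` appended in the last hunk here is lower than the `6.5.0` every other playbook in this change pins, although this file receives the same exported task fields (`continueonerrortype`, `isoversize`, `isautoswitchedtoquietmode`, `playbookInputQuery`). If any of those fields require a newer server, the pin should be raised to match the siblings, e.g. `fromversion: 6.5.0`. The `tests:` entry is also left as the `No tests (auto formatted)` placeholder while the IAM v2 and Azure Network v2 playbooks in the same diff are wired to `Prisma Cloud V2 Test`; if a suitable test playbook exists for this remediation it should be referenced so the `aws-cloudtrail-update-trail` argument changes in the earlier hunks of this file are exercised.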
@@ -0,0 +1,46 @@ +This playbook remediates the following Prisma Cloud AWS CloudTrail alerts. + +Prisma Cloud policies remediated: + + - AWS CloudTrail Trail Log Validation Is Not Enabled In All Regions + - AWS CloudTrail is not enabled in all regions. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +* AWS - CloudTrail + +### Scripts + +This playbook does not use any scripts. + +### Commands + +* aws-cloudtrail-update-trail +* aws-cloudtrail-describe-trails + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| policyId | Grab the Prisma Cloud policy Id. | | Required | + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration](../doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Trail_Misconfiguration.png) diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2.yml index b4ed3bc20252..b1460521a9fa 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2.yml @@ -1,6 +1,7 @@ id: Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2 version: -1 -fromversion: 6.5.0 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2 description: |- This playbook remediates Prisma Cloud AWS EC2 alerts. It calls the following sub-playbooks to perform the remediation: @@ -19,11 +20,12 @@ tasks: name: "" iscommand: false brand: "" - description: "" + description: '' nexttasks: '#none#': - "1" separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -38,7 +40,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "1": id: "1" taskid: 3bd78b35-5c67-4c29-82d3-56cd93cb2e1a @@ -47,7 +48,7 @@ tasks: id: 3bd78b35-5c67-4c29-82d3-56cd93cb2e1a version: -1 name: Is AWS - EC2 integration available? - description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. + description: Returns 'yes' if integration brand is available. Otherwise returns 'no' scriptName: IsIntegrationAvailable type: condition iscommand: false @@ -60,9 +61,8 @@ tasks: scriptarguments: brandname: simple: AWS - EC2 - results: - - brandInstances separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -77,7 +77,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "3": id: "3" taskid: 77885611-1518-41c5-8929-0da5c8de85cb @@ -110,6 +109,7 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { @@ -124,7 +124,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "5": id: "5" taskid: a1526b70-d9ce-4d1c-8e36-4aaa1cf5d850 @@ -133,7 +132,7 @@ tasks: id: a1526b70-d9ce-4d1c-8e36-4aaa1cf5d850 version: -1 name: Auto remediate? - description: Determines whether or not to auto-remediate. + description: Determines whether or not to auto-remediate? type: condition iscommand: false brand: "" @@ -143,6 +142,7 @@ tasks: "Yes": - "10" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -175,7 +175,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "6": id: "6" taskid: f8dfdf9c-3271-4644-89ce-2fdfd9f25e9f @@ -192,6 +191,7 @@ tasks: '#none#': - "9" separatecontext: false + continueonerrortype: "" view: |- { "position": { 
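Review bot: Several task descriptions in this file regress earlier copy-edits: `Determines whether or not to auto-remediate.` becomes `Determines whether or not to auto-remediate?` in the `@@ -133,7 +132,7 @@` hunk, and the `@@ -47,7 +48,7 @@` hunk drops the trailing period from `Otherwise returns 'no'.`. The same pattern recurs in the IAM v2 playbook (`Determine whether or not to auto-remediate?`, and `Login`/`click on` replacing `Log in`/`click` in the manual password-policy steps) and in the Azure Network v2 playbook (`policy ID` becoming `policy Id` twice). These look like a server export overwriting hand-edited text; restoring the previous wording, or re-applying it after the export, keeps the task descriptions consistent with the README files in the same change.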
@@ -206,23 +206,29 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "7": id: "7" - taskid: 6875afa1-821e-4015-81a8-97e77b6316f5 + taskid: 8941af46-893e-47e2-8119-670c65cf561e type: regular task: - id: 6875afa1-821e-4015-81a8-97e77b6316f5 + id: 8941af46-893e-47e2-8119-670c65cf561e version: -1 name: Close investigation - description: Close the current incident. + description: commands.local.cmd.close.inv + script: Builtin|||closeInvestigation type: regular - iscommand: false + iscommand: true brand: Builtin nexttasks: '#none#': - "8" + scriptarguments: + id: + complex: + root: incident + accessor: id separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -237,7 +243,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "8": id: "8" taskid: 5bfb7869-0a96-4ca5-875c-1ec4c9072953 @@ -249,8 +254,9 @@ tasks: type: title iscommand: false brand: "" - description: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -265,7 +271,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "9": id: "9" taskid: 1b01f096-ed50-4e46-8dfc-1fc611535c7a @@ -283,7 +288,6 @@ tasks: - "7" "yes": - "17" - continueonerror: true separatecontext: false conditions: - label: "yes" @@ -312,6 +316,8 @@ tasks: simple: active accessor: brand iscontext: true + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -326,7 +332,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "10": id: "10" taskid: 1ac99665-2df1-40fe-8293-7d2513605e2f @@ -378,6 +383,7 @@ tasks: right: value: simple: b82f90ce-ed8b-4b49-970c-2268b0a6c2e5 + continueonerrortype: "" view: |- { "position": { 
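Review bot: Task 7 becomes an automatic `Builtin|||closeInvestigation` call (`iscommand: true`, `id` taken from `incident.id`) where the old definition had no script, so a closure that previously appears to have required an analyst now fires on every path into task 7 — including the branch out of task 9 taken when no active Prisma Cloud v2 brand is found, and after the dismiss task, which presumably is the one given `continueonerror: true` further down. An incident can therefore be auto-closed although the alert was never dismissed or the dismiss call errored; consider passing `closeNotes`/`closeReason` so the close records the outcome, or gating the close on the dismiss result. The new `description: commands.local.cmd.close.inv` is a localisation key rather than the readable `Close the current incident.` it replaces; the plain-English text should be kept.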
@@ -392,7 +398,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "14": id: "14" taskid: 0d732bc3-22a0-4b2e-8b03-4d8aa68b9389 @@ -421,6 +426,7 @@ tasks: complex: root: inputs.policyId iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -435,7 +441,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "15": id: "15" taskid: b5281377-31ef-472b-8699-6c94c222e807 @@ -448,7 +453,7 @@ tasks: type: playbook iscommand: false brand: "" - description: "" + description: '' nexttasks: '#none#': - "9" @@ -457,6 +462,7 @@ tasks: complex: root: inputs.policyId separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" @@ -476,7 +482,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "16": id: "16" taskid: 3d9a9afc-e7e3-4be6-8142-57b5ef3bffb2 @@ -489,11 +494,12 @@ tasks: type: playbook iscommand: false brand: "" - description: "" + description: '' nexttasks: '#none#': - "9" separatecontext: true + continueonerrortype: "" view: |- { "position": { @@ -508,7 +514,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" "17": id: "17" taskid: f8385099-65e3-47ef-818d-0131c61c0d6f @@ -549,8 +554,9 @@ tasks: field: value: simple: policyId - continueonerror: true separatecontext: false + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -565,7 +571,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - continueonerrortype: "" +system: true view: |- { "linkLabelsPosition": { @@ -615,6 +621,4 @@ inputs: outputs: [] tests: - No tests (auto formatted) -contentitemexportablefields: - contentitemfields: {} -system: true +fromversion: 6.5.0 \ No newline at end of file 
diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2_README.md b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2_README.md
index 4c673a329a70..e24d3b4cf82c 100644
--- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2_README.md
+++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_EC2_Instance_Misconfig_v2_README.md
@@ -1,27 +1,7 @@ This playbook remediates Prisma Cloud AWS EC2 alerts. It calls the following sub-playbooks to perform the remediation: -- AWS Default Security Group Does Not Restrict All Traffic -- AWS Security Groups Allow Internet Traffic -- AWS Security Groups With Inbound Rule Overly Permissive To All Traffic -- AWS Security Groups allow internet traffic from internet to FTP-Data port (20) -- AWS Security Groups allow internet traffic from internet to FTP port (21) -- AWS Security Groups allow internet traffic to SSH port (22) -- AWS Security Group allows all traffic on SSH port (22) -- AWS Security Groups allow internet traffic from internet to Telnet port (23) -- AWS Security Groups allow internet traffic from internet to SMTP port (25) -- AWS Security Groups allow internet traffic from internet to DNS port (53) -- AWS Security Groups allow internet traffic from internet to Windows RPC port (135) -- AWS Security Groups allow internet traffic from internet to NetBIOS port (137) -- AWS Security Groups allow internet traffic from internet to NetBIOS port (138) -- AWS Security Groups allow internet traffic from internet to CIFS port (445) -- AWS Security Groups allow internet traffic from internet to SQLServer port (1433) -- AWS Security Groups allow internet traffic from internet to SQLServer port (1434) -- AWS Security Groups allow internet traffic from internet to MYSQL port (3306) -- AWS Security Groups allow internet traffic from internet to RDP port (3389) -- AWS Security Groups allow internet traffic from internet to MSQL port (4333) -- AWS Security Groups allow internet traffic from internet to PostgreSQL port (5432) -- AWS Security Groups allow internet traffic from internet to VNC Listener port (5500) -- AWS Security Groups allow internet traffic from internet to VNC Server port (5900) - +- AWS Default Security Group Does Not Restrict All Traffic (policy id: 2378dbf4-b104-4bda-9b05-7417affbba3f) +- AWS Security Group allows all traffic on SSH port (22) 
(policy id: 617b9138-584b-4e8e-ad15-7fbabafbed1a) +- AWS Security Groups allow internet traffic from internet to RDP port (3389) (policy id: b82f90ce-ed8b-4b49-970c-2268b0a6c2e5). ## Dependencies @@ -33,14 +13,15 @@ This playbook uses the following sub-playbooks, integrations, and scripts. * Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration ### Integrations -* Builtin + * PrismaCloud v2 ### Scripts -IsIntegrationAvailable +* IsIntegrationAvailable ### Commands + * closeInvestigation * prisma-cloud-alert-dismiss diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2.yml index fdfff984f8a8..9933bf9da537 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2.yml @@ -1,6 +1,7 @@ id: Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2 version: -1 -fromversion: 6.5.0 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2 description: This playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps. starttaskid: "0" @@ -13,13 +14,14 @@ tasks: id: 972c2cba-e9e8-4b4e-8f92-407ca7fb7917 version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "1" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -30,6 +32,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "1": id: "1" taskid: 5da95853-5c28-4f84-824d-38b0e1c0e9c9 @@ -78,6 +84,7 @@ tasks: right: value: simple: AWS - IAM + continueonerrortype: "" view: |- { "position": { 
@@ -88,6 +95,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" taskid: aff07456-1840-40d5-8b24-53c75bf75e62 @@ -105,6 +116,7 @@ tasks: '#none#': - "3" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -115,6 +127,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" taskid: 711289d0-3db3-43d7-8527-39112d8bae61 @@ -147,6 +163,7 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { @@ -157,6 +174,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" taskid: d7495e19-5781-4bbf-88e1-7c4be19f9ad8 @@ -165,7 +186,7 @@ tasks: id: d7495e19-5781-4bbf-88e1-7c4be19f9ad8 version: -1 name: Auto remediate? - description: Determine whether or not to auto-remediate. + description: Determine whether or not to auto-remediate? type: condition iscommand: false brand: "" @@ -175,6 +196,7 @@ tasks: "Yes": - "10" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -198,9 +220,15 @@ tasks: retriescount: 2 retriesinterval: 360 completeafterreplies: 1 + completeafterv2: false + completeaftersla: false replyOptions: - "Yes" - "No" + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: 1214b667-e9c5-4efe-8503-d92b4f36cc0a 
@@ -210,10 +238,10 @@ tasks: version: -1 name: Manually update IAM password policy description: |- - 1. Log in to the AWS console and navigate to the IAM dashboard. - 2. On the left navigation panel, click Account Settings. - 3. Check Prevent password reuse and enter remember 5 passwords. - 4. Click Apply password policy. + 1. Login to the AWS console and navigate to the IAM dashboard + 2. On the left navigation panel, click on Account Settings + 3. Check Prevent password reuse and enter remember 5 passwords + 4. Click on Apply password policy type: regular iscommand: false brand: "" @@ -221,6 +249,7 @@ tasks: '#none#': - "13" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -231,6 +260,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: 599730fe-9f1e-4a63-89c5-e941732683b6 @@ -248,16 +281,12 @@ tasks: '#none#': - "8" scriptarguments: - assetid: {} - closeNotes: {} - closeReason: {} - emailclassification: {} id: complex: root: incident accessor: id - phishingsubtype: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -268,6 +297,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: a8d06dc1-f186-4459-87b6-3d05d85f70d0 @@ -276,11 +309,12 @@ tasks: id: a8d06dc1-f186-4459-87b6-3d05d85f70d0 version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -291,19 +325,23 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "9": id: "9" - taskid: bd2eb7f2-5e30-4623-8e11-ea91b99c23d8 + taskid: 84a57f97-7df7-43e4-8ef4-b7abee45a9fe type: regular task: - id: bd2eb7f2-5e30-4623-8e11-ea91b99c23d8 + id: 84a57f97-7df7-43e4-8ef4-b7abee45a9fe version: -1 name: Dismiss Prisma Cloud alert description: Dismiss or snooze the alerts matching the given filter. Either policy IDs or alert IDs must be provided. When no absolute time nor relative time arguments are provided, the default time range is all times. For snoozing, provide "snooze_unit" and "snooze_value" arguments. - script: PrismaCloud v2|||prisma-cloud-alert-dismiss + script: '|||prisma-cloud-alert-dismiss' type: regular iscommand: true - brand: PrismaCloud v2 + brand: "" nexttasks: '#none#': - "7" @@ -331,8 +369,9 @@ tasks: field: value: simple: policyId - continueonerror: true separatecontext: false + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -343,6 +382,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "10": id: "10" taskid: 47348d70-6e0a-4efc-80d8-4f1f37d9561a @@ -387,6 +430,7 @@ tasks: right: value: simple: e809c246-2ef5-4319-bba9-2c5735d88aa8 + continueonerrortype: "" view: |- { "position": { @@ -397,6 +441,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "11": id: "11" taskid: 95edff8c-bcac-4296-80c9-293d77209f66 @@ -430,10 +478,12 @@ tasks: complex: root: inputs.policyId separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" wait: 1 + max: 0 view: |- { "position": { 
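Review bot: The dismiss task drops its brand binding — `script: PrismaCloud v2|||prisma-cloud-alert-dismiss` becomes `'|||prisma-cloud-alert-dismiss'` and `brand: PrismaCloud v2` becomes `brand: ""` — so the command is no longer tied to the integration the preceding condition task verified through its `brand`/`active` check; an unqualified command is presumably dispatched to whichever enabled instances implement it, which matters if another Prisma Cloud integration version is enabled alongside v2. Keeping the brand prefix, or naming the instance explicitly, keeps the dismissal on the integration the playbook checked for. The same change is made to task 14 of the Azure Network v2 playbook later in this diff. Note that the README for this playbook now lists the integration as `PrismaCloudV2` while the removed brand value was `PrismaCloud v2`; whichever is the integration's actual id should be used if the binding is restored.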
@@ -444,6 +494,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "12": id: "12" taskid: ac6bdd4a-0d17-49b5-8d5e-ca830175b5a9 @@ -453,9 +507,9 @@ tasks: version: -1 name: Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration description: |- - This playbook remediates the following Prisma Cloud AWS IAM User alert. + This playbook remediates the following Prisma Cloud AWS IAM User alerts. - Prisma Cloud policy remediated: + Prisma Cloud policies remediated: - AWS IAM user has two active Access Keys playbookName: Prisma Cloud Remediation - AWS IAM User Policy Misconfiguration @@ -470,10 +524,12 @@ tasks: complex: root: inputs.policyId separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" wait: 1 + max: 0 view: |- { "position": { @@ -486,6 +542,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "13": id: "13" taskid: 06bdb957-83d6-4613-8589-376daa6136c1 @@ -503,7 +561,6 @@ tasks: - "7" "yes": - "9" - continueonerror: true separatecontext: false conditions: - label: "yes" @@ -532,6 +589,8 @@ tasks: simple: active accessor: brand iscontext: true + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -544,6 +603,9 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -571,6 +633,7 @@ inputs: simple: "no" required: false description: Update AWS IAM password policy automatically? + playbookInputQuery: - key: policyId value: complex: @@ -585,6 +648,8 @@ inputs: simple: policyId required: false description: Get the Prisma Cloud policy ID. + playbookInputQuery: outputs: [] tests: -- No Test +- Prisma Cloud V2 Test +fromversion: 6.5.0 \ No newline at end of file 
diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2_README.md b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2_README.md index 0d08913f1d18..4d033536b05e 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2_README.md +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_AWS_IAM_Policy_Misconfig_v2_README.md @@ -1,4 +1,4 @@ -This playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps. +This playbook remediates Prisma Cloud AWS IAM policy alerts. It uses sub-playbooks that perform the remediation steps. ## Dependencies @@ -11,8 +11,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Integrations -* PrismaCloud v2 -* Builtin +* PrismaCloudV2 ### Scripts @@ -20,8 +19,8 @@ This playbook does not use any scripts. ### Commands -* prisma-cloud-alert-dismiss * aws-iam-get-account-password-policy +* prisma-cloud-alert-dismiss * closeInvestigation ## Playbook Inputs @@ -42,4 +41,4 @@ There are no outputs for this playbook. --- -![Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2](../doc_files/Prisma_Cloud_Remediation_-_AWS_IAM_Policy_Misconfiguration_v2.png) \ No newline at end of file +![Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2](../doc_files/Prisma_Cloud_Remediation_-_AWS_IAM_Policy_Misconfiguration_v2.png) diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_Azure_Network_Misconfig_v2.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_Azure_Network_Misconfig_v2.yml index 64e4c7c98c15..427267a22afc 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_Azure_Network_Misconfig_v2.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_Azure_Network_Misconfig_v2.yml 
@@ -1,6 +1,5 @@ id: Prisma Cloud Remediation - Azure Network Misconfiguration v2 version: -1 -fromversion: 6.5.0 contentitemexportablefields: contentitemfields: {} name: Prisma Cloud Remediation - Azure Network Misconfiguration v2 @@ -31,7 +30,7 @@ description: |- - Azure Network Security Group allows NetBIOS (UDP Port 137) - Azure Network Security Group allows NetBIOS (UDP Port 138) - Azure Network Security Group allows SQLServer (UDP Port 1434) - - Azure Network Security Group allows DNS (UDP Port 53) + - Azure Network Security Group allows DNS (UDP Port 53). starttaskid: "0" tasks: "0": @@ -42,13 +41,14 @@ tasks: id: 61bee172-14d4-4a48-815c-913b49bef800 version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "2" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -61,6 +61,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" taskid: 1826b574-2085-4229-82f2-8dc09b963292 @@ -82,9 +84,8 @@ tasks: scriptarguments: brandname: simple: Azure Network Security Groups - results: - - brandInstances separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -97,6 +98,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" taskid: 1abd9220-e39e-4206-8aa3-dba2695c7f4e @@ -105,11 +108,12 @@ tasks: id: 1abd9220-e39e-4206-8aa3-dba2695c7f4e version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -122,6 +126,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" taskid: 223403a2-356c-4acb-813a-a8286d359ebb 
@@ -130,7 +136,7 @@ tasks: id: 223403a2-356c-4acb-813a-a8286d359ebb version: -1 name: Is there a policy to remediate? - description: Checks for a Prisma Cloud policy ID. + description: Checks for a Prisma Cloud policy Id. type: condition iscommand: false brand: "" @@ -149,6 +155,7 @@ tasks: complex: root: inputs.policyId iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -161,6 +168,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" taskid: a2344123-1f43-4a53-8cf4-ea7474e2af8e @@ -193,6 +202,7 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { @@ -205,6 +215,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: fdee1b8a-3337-49e1-8fef-d1409e5563fb @@ -223,6 +235,7 @@ tasks: "Yes": - "7" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -246,11 +259,15 @@ tasks: retriescount: 2 retriesinterval: 360 completeafterreplies: 1 + completeafterv2: false + completeaftersla: false replyOptions: - "Yes" - "No" skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: 25c06945-d2ac-4126-85b8-94618b8563fb @@ -259,7 +276,7 @@ tasks: id: 25c06945-d2ac-4126-85b8-94618b8563fb version: -1 name: Execute playbook - description: Execute the appropriate remediation sub-playbook based on the Prisma Cloud policy ID. + description: Execute the appropriate remediation sub-playbook based on the Prisma Cloud policy Id. type: condition iscommand: false brand: "" @@ -479,6 +496,7 @@ tasks: right: value: simple: 543c6a0a-a50c-11e8-98d0-529269fb1459 + continueonerrortype: "" view: |- { "position": { 
@@ -491,6 +509,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: cfe6460f-9ef9-4da7-80d1-0e90a50b1351 @@ -514,6 +534,7 @@ tasks: '#none#': - "11" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -526,6 +547,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "9": id: "9" taskid: c3d736e6-e9ab-4cfc-8ed0-7276f754c074 @@ -543,17 +566,12 @@ tasks: '#none#': - "3" scriptarguments: - assetid: {} - closeNotes: {} - closeReason: {} - emailclassification: {} id: complex: root: incident accessor: id - mndadone: {} - phishingsubtype: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -566,6 +584,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "11": id: "11" taskid: edf547ca-7606-4d2b-8c3c-fc5cb0348c6e @@ -583,7 +603,6 @@ tasks: - "9" "yes": - "14" - continueonerror: true separatecontext: false conditions: - label: "yes" @@ -612,6 +631,8 @@ tasks: simple: active accessor: brand iscontext: true + continueonerror: true + continueonerrortype: "" view: |- { "position": { 
@@ -624,19 +645,21 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "14": id: "14" - taskid: ff1ae442-5e53-498e-884c-afa86f9bf22e + taskid: 4cd723db-5316-406b-8513-d44fce4ce286 type: regular task: - id: ff1ae442-5e53-498e-884c-afa86f9bf22e + id: 4cd723db-5316-406b-8513-d44fce4ce286 version: -1 name: Dismiss Prisma Cloud alert description: Dismiss or snooze the alerts matching the given filter. Either policy IDs or alert IDs must be provided. When no absolute time nor relative time arguments are provided, the default time range is all times. For snoozing, provide "snooze_unit" and "snooze_value" arguments. - script: PrismaCloud v2|||prisma-cloud-alert-dismiss + script: '|||prisma-cloud-alert-dismiss' type: regular iscommand: true - brand: PrismaCloud v2 + brand: "" nexttasks: '#none#': - "9" @@ -653,8 +676,9 @@ tasks: simple: id dismissal_note: simple: ${incident.labels.id} has been remediated by Cortex XSOAR. - continueonerror: true separatecontext: false + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -667,6 +691,8 @@ tasks: ignoreworker: false skipunavailable: true quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "15": id: "15" taskid: ea7af525-a8bc-40d6-82d8-70f8f139f28d @@ -718,6 +744,7 @@ tasks: complex: root: inputs.portNumber separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" @@ -735,6 +762,9 @@ tasks: ignoreworker: false skipunavailable: true quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -811,4 +841,5 @@ outputs: description: Security group name. type: string tests: -- No Test +- Prisma Cloud V2 Test +fromversion: 6.5.0 diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Compute_Engine_Misconfig_v2.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Compute_Engine_Misconfig_v2.yml index a805e22c977e..e230f263ba73 100644 
--- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Compute_Engine_Misconfig_v2.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Compute_Engine_Misconfig_v2.yml @@ -1,14 +1,15 @@ id: Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2 version: -1 -fromversion: 6.5.0 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2 -description: | +description: |- This playbook remediates Prisma Cloud GCP Compute Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: - GCP VM instances have serial port access enabled - GCP VM instances have block project-wide SSH keys feature disabled - - GCP VM instances without any custom metadata information + - GCP VM instances without any custom metadata information. starttaskid: "0" tasks: "0": @@ -19,13 +20,14 @@ tasks: id: 61bee172-14d4-4a48-815c-913b49bef800 version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "2" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -36,6 +38,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "2": id: "2" taskid: 223e678e-d65d-4337-87b9-3233b3da80d5 @@ -84,6 +90,7 @@ tasks: right: value: simple: Google Cloud Compute + continueonerrortype: "" view: |- { "position": { @@ -94,6 +101,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" taskid: 1abd9220-e39e-4206-8aa3-dba2695c7f4e @@ -102,11 +113,12 @@ tasks: id: 1abd9220-e39e-4206-8aa3-dba2695c7f4e version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -117,6 +129,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" taskid: 29d44dce-2e00-46c3-8523-b4aaf1c1352c @@ -144,6 +160,7 @@ tasks: complex: root: inputs.policyId iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -154,6 +171,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" taskid: 33d179f1-0884-41ba-82fb-f8cff80516da @@ -186,6 +207,7 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { @@ -196,6 +218,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: 16fb9188-5edd-4d99-814a-33090e0b03d2 @@ -214,6 +240,7 @@ tasks: "Yes": - "7" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -237,9 +264,15 @@ tasks: retriescount: 2 retriesinterval: 360 completeafterreplies: 1 + completeafterv2: false + completeaftersla: false replyOptions: - "Yes" - "No" + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: e8bff3c4-de53-4a71-8bcc-1ff7082b5737 @@ -288,6 +321,7 @@ tasks: right: value: simple: 10bc76ee-6f29-4c04-98bb-b9f8bafb0964 + continueonerrortype: "" view: |- { "position": { @@ -298,6 +332,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: 0e8b3b11-44a3-4b44-830f-f9493a739fc1 @@ -314,6 +352,7 @@ tasks: '#none#': - "11" separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -324,6 +363,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "9": id: "9" taskid: fb37a3ed-6884-4601-8841-f9414cf4a2ac @@ -341,17 +384,12 @@ tasks: '#none#': - "3" scriptarguments: - assetid: {} - closeNotes: {} - closeReason: {} - emailclassification: {} id: complex: root: incident accessor: id - mndadone: {} - phishingsubtype: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -362,6 +400,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "10": id: "10" taskid: 615b56ba-f121-4f7c-806c-a82fd25cda5e @@ -390,10 +432,12 @@ tasks: complex: root: inputs.policyId separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" wait: 1 + max: 0 view: |- { "position": { @@ -404,6 +448,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "11": id: "11" taskid: 50e95fd5-f248-4f02-8556-11437e1323e8 @@ -421,7 +469,6 @@ tasks: - "9" "yes": - "12" - continueonerror: true separatecontext: false conditions: - label: "yes" @@ -450,6 +497,8 @@ tasks: simple: active accessor: brand iscontext: true + continueonerror: true + continueonerrortype: "" view: |- { "position": { 
@@ -462,12 +511,14 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "12": id: "12" - taskid: 1491bb10-b009-4dd8-8d1b-f12ff53a746a + taskid: b13b2b8d-c470-4283-83ec-b522d9fa2539 type: regular task: - id: 1491bb10-b009-4dd8-8d1b-f12ff53a746a + id: b13b2b8d-c470-4283-83ec-b522d9fa2539 version: -1 name: Dismiss Prisma Cloud alert description: Dismiss or snooze the alerts matching the given filter. Either policy IDs or alert IDs must be provided. When no absolute time nor relative time arguments are provided, the default time range is all times. For snoozing, provide "snooze_unit" and "snooze_value" arguments. @@ -491,8 +542,9 @@ tasks: simple: id dismissal_note: simple: ${incident.labels.id} has been remediated by Cortex XSOAR. - continueonerror: true separatecontext: false + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -503,6 +555,11 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -514,7 +571,6 @@ view: |- "5_6_#default#": 0.55, "5_7_yes": 0.46, "6_7_Yes": 0.45, - "6_8_No": 0.34, "7_10_VMs": 0.57, "7_8_#default#": 0.24 }, @@ -533,6 +589,7 @@ inputs: simple: "no" required: false description: Execute GCP Compute Engine remediation automatically? + playbookInputQuery: - key: policyId value: complex: @@ -547,6 +604,8 @@ inputs: simple: policyId required: false description: Grab the Prima Cloud policy ID. + playbookInputQuery: outputs: [] tests: -- No Test +- No tests (auto formatted) +fromversion: 6.5.0 diff --git a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Kub_Engine_Misconfig_v2.yml b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Kub_Engine_Misconfig_v2.yml index 72908d14bfee..ceae1910548c 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Kub_Engine_Misconfig_v2.yml 
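Review bot: `continueonerror: true` on the "Dismiss Prisma Cloud alert" task (task "12", hunk `@@ -491,8 +542,9 @@`) means a failed dismissal is swallowed and the playbook carries on; if task "12" flows on to the closeInvestigation task "9" the way task "11" does, the XSOAR incident would be closed while the alert is still open in Prisma Cloud. The commit only moves the key below `separatecontext`, it does not address this. Consider dropping `continueonerror` here, or routing the error path to a manual-review task so an un-dismissed alert is not closed silently, and state the chosen behaviour in the task's `description:`. The same pattern appears in the GCP Kubernetes Engine playbook at hunk `@@ -477,8 +501,9 @@`. Task "12"'s `nexttasks` are outside this hunk, so the downstream effect is inferred.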
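Review bot: The `policyId` input's description in hunk `@@ -547,6 +604,8 @@` still reads `description: Grab the Prima Cloud policy ID.` on the new side; since this commit is already reformatting the inputs block and adding `playbookInputQuery:`, fix the typo in the same change: `description: Grab the Prisma Cloud policy ID.` The corresponding input block in the Kubernetes playbook is outside that file's hunks, so I could not check it for the same wording.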
+++ b/Packs/PrismaCloud/Playbooks/playbook-PCR_-_GCP_Kub_Engine_Misconfig_v2.yml @@ -1,8 +1,9 @@ id: Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2 version: -1 -fromversion: 6.5.0 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2 -description: | +description: |- This playbook remediates Prisma Cloud GCP Kubernetes Engine alerts. It calls sub-playbooks that perform the actual remediation steps. Remediation: @@ -15,7 +16,7 @@ description: | * GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled * GCP Kubernetes Engine Clusters have binary authorization disabled * GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled - * GCP Kubernetes cluster intra-node visibility disabled + * GCP Kubernetes cluster intra-node visibility disabled. starttaskid: "0" tasks: "0": @@ -26,13 +27,14 @@ tasks: id: 61bee172-14d4-4a48-815c-913b49bef800 version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "14" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -45,6 +47,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "3": id: "3" taskid: 1abd9220-e39e-4206-8aa3-dba2695c7f4e @@ -53,11 +57,12 @@ tasks: id: 1abd9220-e39e-4206-8aa3-dba2695c7f4e version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -70,6 +75,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" taskid: c29ab7ff-a6fd-4211-80e8-eeccafa8981c @@ -97,6 +104,7 @@ tasks: complex: root: inputs.policyId iscontext: true + continueonerrortype: "" view: |- { "position": { 
@@ -109,6 +117,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" taskid: 14ec4b6b-a5b7-4981-85be-a18ba5f49a84 @@ -141,6 +151,7 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { @@ -153,6 +164,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: 16fb9188-5edd-4d99-814a-33090e0b03d2 @@ -171,6 +184,7 @@ tasks: "Yes": - "7" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -194,11 +208,15 @@ tasks: retriescount: 2 retriesinterval: 360 completeafterreplies: 1 + completeafterv2: false + completeaftersla: false replyOptions: - "Yes" - "No" skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: dc7b1198-6db2-4115-8ac2-e6661561335f @@ -310,6 +328,7 @@ tasks: right: value: simple: bee0893d-85fb-403f-9ba7-a5269a46d382 + continueonerrortype: "" view: |- { "position": { @@ -322,6 +341,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: 5d63c6a5-e9c0-484a-84ee-11d31cd44017 @@ -338,6 +359,7 @@ tasks: '#none#': - "11" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -350,6 +372,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "9": id: "9" taskid: fb37a3ed-6884-4601-8841-f9414cf4a2ac @@ -367,17 +391,12 @@ tasks: '#none#': - "3" scriptarguments: - assetid: {} - closeNotes: {} - closeReason: {} - emailclassification: {} id: complex: root: incident accessor: id - mndadone: {} - phishingsubtype: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -390,6 +409,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "11": id: "11" taskid: ec388f16-6c05-47b6-8cd8-d3e4bf955f6e @@ -407,7 +428,6 @@ tasks: - "9" "yes": - "12" - continueonerror: true separatecontext: false conditions: - label: "yes" @@ -436,6 +456,8 @@ tasks: simple: active accessor: brand iscontext: true + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -448,12 +470,14 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "12": id: "12" - taskid: 1491bb10-b009-4dd8-8d1b-f12ff53a746a + taskid: a9f2cbfa-6e0e-43f6-840b-a0781fb6664e type: regular task: - id: 1491bb10-b009-4dd8-8d1b-f12ff53a746a + id: a9f2cbfa-6e0e-43f6-840b-a0781fb6664e version: -1 name: Dismiss Prisma Cloud alert description: Dismiss or snooze the alerts matching the given filter. Either policy IDs or alert IDs must be provided. When no absolute time nor relative time arguments are provided, the default time range is all times. For snoozing, provide "snooze_unit" and "snooze_value" arguments. @@ -477,8 +501,9 @@ tasks: simple: id dismissal_note: simple: ${incident.labels.id} has been remediated by Cortex XSOAR. - continueonerror: true separatecontext: false + continueonerror: true + continueonerrortype: "" view: |- { "position": { @@ -491,6 +516,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "13": id: "13" taskid: 1ba4f261-b3a6-40c7-8c51-ad726a3b42bd @@ -526,6 +553,7 @@ tasks: complex: root: inputs.policyId separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" @@ -543,6 +571,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "14": id: "14" taskid: 34fd8c47-e326-4ee2-8343-b9c0794a0e06 
@@ -587,6 +617,7 @@ tasks: value: simple: active iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -599,6 +630,9 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -645,4 +679,5 @@ inputs: playbookInputQuery: outputs: [] tests: -- No Test +- No tests (auto formatted) +fromversion: 6.5.0 diff --git a/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount.yml b/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount.yml index 41b1d0647a7a..04905a3cc49d 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount.yml +++ b/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount.yml 
@@ -1,12 +1,9 @@ id: Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account version: -1 +contentitemexportablefields: + contentitemfields: {} name: Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account -description: AWS Cloudtrail is a service which provides event history of your AWS - account activity, including actions taken through the AWS Management Console, AWS - SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert - "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to - host Cloudtrail logs and enable Cloudtrail (includes all region events and global - service events). +description: AWS Cloudtrail is a service which provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host Cloudtrail logs and enable Cloudtrail (includes all region events and global service events). starttaskid: "0" tasks: "0": @@ -17,14 +14,15 @@ tasks: id: c1cb0d12-bd26-480b-8e04-c4ce9f412a2b version: -1 name: "" - description: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "12" - "13" separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -35,40 +33,10 @@ tasks: note: false timertriggers: [] ignoreworker: false - "2": - id: "2" - taskid: 82c65074-07ec-49ca-8a83-2a8c39affe12 - type: regular - task: - id: 82c65074-07ec-49ca-8a83-2a8c39affe12 - version: -1 - name: Close Investigation - description: Close the current incident - script: Builtin|||closeInvestigation - type: regular - iscommand: true - brand: Builtin - nexttasks: - '#none#': - - "8" - scriptarguments: - assetid: {} - closeNotes: {} - closeReason: {} - id: - simple: ${incident.id} - mndadone: {} - separatecontext: false - view: |- - { - "position": { - "x": 265, - "y": 1245 - } - } - note: false - timertriggers: [] - ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "4": id: "4" taskid: 28752caf-c19b-404e-8c39-af4103c18bdc @@ -86,7 +54,6 @@ tasks: '#none#': - "5" scriptarguments: - acl: {} bucket: complex: root: incident @@ -106,19 +73,11 @@ tasks: suffix: value: simple: -logging - grantFullControl: {} - grantRead: {} - grantReadACP: {} - grantWrite: {} - grantWriteACP: {} locationConstraint: complex: root: inputs.CloudTrailRegion - region: {} - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -129,6 +88,10 @@ tasks: note: true timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "5": id: "5" taskid: 1f8c90df-c081-4ed3-8924-5d463369ce24 @@ -137,8 +100,7 @@ tasks: id: 1f8c90df-c081-4ed3-8924-5d463369ce24 version: -1 name: Allow Cloudtrail to write to S3 bucket - description: Replaces a policy on a bucket. If the bucket already has a policy, - the one in this request completely replaces it. + description: Replaces a policy on a bucket. If the bucket already has a policy, the one in this request completely replaces it. script: '|||aws-s3-put-bucket-policy' type: regular iscommand: true 
@@ -151,18 +113,14 @@ tasks: complex: root: AWS accessor: S3.Buckets.[0].BucketName - confirmRemoveSelfBucketAccess: {} policy: simple: '{"Version":"2012-10-17","Statement":[{"Sid":"AWSCloudTrailAclCheck20150319","Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:GetBucketAcl","Resource":"arn:aws:s3:::${AWS.S3.Buckets.[0].BucketName}"},{"Sid":"AWSCloudTrailWrite20150319","Effect":"Allow","Principal":{"Service":"cloudtrail.amazonaws.com"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::${AWS.S3.Buckets.[0].BucketName}/AWSLogs/*","Condition":{"StringEquals":{"s3:x-amz-acl":"bucket-owner-full-control"}}}]}' - region: {} retry-count: simple: "3" retry-interval: simple: "30" - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -173,6 +131,10 @@ tasks: note: true timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: a13aaab9-61e4-4d50-8114-f873584423d3 @@ -181,9 +143,7 @@ tasks: id: a13aaab9-61e4-4d50-8114-f873584423d3 version: -1 name: Create Cloudtrail - description: Creates a trail that specifies the settings for delivery of log - data to an Amazon S3 bucket. A maximum of five trails can exist in a region, - irrespective of the region in which they were created. + description: Creates a trail that specifies the settings for delivery of log data to an Amazon S3 bucket. A maximum of five trails can exist in a region, irrespective of the region in which they were created. script: '|||aws-cloudtrail-create-trail' type: regular iscommand: true @@ -192,15 +152,12 @@ tasks: '#none#': - "14" scriptarguments: - cloudWatchLogsLogGroupArn: {} - cloudWatchLogsRoleArn: {} enableLogFileValidation: simple: "True" includeGlobalServiceEvents: simple: "True" isMultiRegionTrail: simple: "True" - kmsKeyId: {} name: complex: root: incident 
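Review bot: The bucket policy in the `policy:` argument grants the `cloudtrail.amazonaws.com` service principal `s3:GetBucketAcl` and `s3:PutObject` on the new bucket with only the `s3:x-amz-acl` condition, so a trail in any AWS account can be pointed at this bucket — the confused-deputy case that AWS's current CloudTrail bucket-policy guidance closes by adding an `aws:SourceArn` condition naming the trail ARN (optionally `aws:SourceAccount` as well). The trail name and region are already available to this playbook (`inputs.CloudTrailRegion` and the `name:` argument of the "Create Cloudtrail" task), so the condition could be built from them. This commit only drops the empty `confirmRemoveSelfBucketAccess`/`region`/`roleArn*` arguments here, so the gap is pre-existing rather than introduced; the policy is a one-line JSON string inside YAML, and a task `description:` sentence saying what the two statements grant and to whom would also help future reviewers. The task block begins outside this hunk.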
@@ -221,16 +178,12 @@ tasks: region: complex: root: inputs.CloudTrailRegion - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} s3BucketName: complex: root: AWS accessor: S3.Buckets.[0].BucketName - s3KeyPrefix: {} - snsTopicName: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -241,6 +194,10 @@ tasks: note: true timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: bcfc6579-7116-44a2-8457-711819d46a94 @@ -249,21 +206,26 @@ tasks: id: bcfc6579-7116-44a2-8457-711819d46a94 version: -1 name: Done - description: "" type: title iscommand: false brand: "" + description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { "x": 265, - "y": 1640 + "y": 1240 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "10": id: "10" taskid: c2a083f0-cbf8-4f43-8e4c-607a622d2ba1 @@ -272,10 +234,10 @@ tasks: id: c2a083f0-cbf8-4f43-8e4c-607a622d2ba1 version: -1 name: Enable CloudTrail Automatically? - description: "" type: condition iscommand: false brand: "" + description: '' nexttasks: '#default#': - "11" @@ -296,6 +258,7 @@ tasks: right: value: simple: "yes" + continueonerrortype: "" view: |- { "position": { @@ -306,6 +269,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "11": id: "11" taskid: 51c1f706-c182-4a59-88e9-5fd43d16c37b @@ -323,18 +290,23 @@ tasks: brand: "" nexttasks: '#none#': - - "2" + - "8" separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 40, + "x": 50, "y": 895 } } note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "12": id: "12" taskid: 97306837-1cbd-46cf-85f1-f45f09e81b98 
@@ -343,10 +315,10 @@ tasks: id: 97306837-1cbd-46cf-85f1-f45f09e81b98 version: -1 name: Is AWS S3 integration enabled? - description: "" type: condition iscommand: false brand: "" + description: '' nexttasks: '#default#': - "8" @@ -380,6 +352,7 @@ tasks: simple: active accessor: brand iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -390,6 +363,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "13": id: "13" taskid: 2e9a3412-f811-4660-896d-da247355c2c2 @@ -398,10 +375,10 @@ tasks: id: 2e9a3412-f811-4660-896d-da247355c2c2 version: -1 name: Is AWS - CloudTrail integration enabled? - description: "" type: condition iscommand: false brand: "" + description: '' nexttasks: '#default#': - "8" @@ -435,6 +412,7 @@ tasks: simple: active accessor: brand iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -445,6 +423,10 @@ tasks: note: false timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "14": id: "14" taskid: 12e7d629-8970-49bb-86cf-63522044a276 
@@ -453,18 +435,14 @@ tasks: id: 12e7d629-8970-49bb-86cf-63522044a276 version: -1 name: Enable Cloudtrail - description: Starts the recording of AWS API calls and log file delivery for - a trail. For a trail that is enabled in all regions, this operation must be - called from the region in which the trail was created. This operation cannot - be called on the shadow trails (replicated trails in other regions) of a trail - that is enabled in all regions. + description: Starts the recording of AWS API calls and log file delivery for a trail. For a trail that is enabled in all regions, this operation must be called from the region in which the trail was created. This operation cannot be called on the shadow trails (replicated trails in other regions) of a trail that is enabled in all regions. script: '|||aws-cloudtrail-start-logging' type: regular iscommand: true brand: "" nexttasks: '#none#': - - "2" + - "8" scriptarguments: name: complex: @@ -486,10 +464,8 @@ tasks: region: complex: root: inputs.CloudTrailRegion - roleArn: {} - roleSessionDuration: {} - roleSessionName: {} separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -500,6 +476,11 @@ tasks: note: true timertriggers: [] ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true view: |- { "linkLabelsPosition": { @@ -508,7 +489,7 @@ view: |- }, "paper": { "dimensions": { - "height": 1675, + "height": 1275, "width": 1420, "x": -270, "y": 30 @@ -526,12 +507,14 @@ inputs: - Cloudtrail cloudtrail- Type 'Yes' to auto-enable CloudTrail. + playbookInputQuery: - key: CloudTrailRegion value: simple: us-west-2 required: false description: S3 bucket and (global) Cloudtrail will be created on this region + playbookInputQuery: outputs: [] tests: - - No test -fromversion: 5.0.0 +- No tests (auto formatted) +fromversion: 5.0.0 \ No newline at end of file 
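Review bot: The new side of hunk `@@ -526,12 +507,14 @@` drops the trailing newline the old file had (`\ No newline at end of file` after `fromversion: 5.0.0`), while the other reformatted playbooks in this change keep theirs; add it back. Separately, the `AutoEnableCloudTrail` description in that hunk tells the operator to `Type 'Yes' to auto-enable CloudTrail.` while the condition in task "10" (hunk `@@ -296,6 +258,7 @@`) compares against `simple: "yes"`; unless the operator used there is case-insensitive (the operator line is outside the hunk), a literal 'Yes' would fall through to the manual path. Either make the description match what is compared, `Type 'yes' to auto-enable CloudTrail.`, or note in it that the value is matched case-insensitively.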
diff --git a/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount_README.md b/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount_README.md index 50cbc24ff5b7..e8dc368723ff 100644 --- a/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount_README.md +++ b/Packs/PrismaCloud/Playbooks/playbook-PrismaCloudRemediation_-_AWSCloudTrailIsNotEnabledOnTheAccount_README.md 
@@ -1,36 +1,44 @@ -Provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert "CloudTrail is not enabled on the account", this playbook creates a S3 bucket to host Cloudtrail logs and enable Cloudtrail (includes all region events and global service events). +AWS Cloudtrail is a service which provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. To remediate Prisma Cloud Alert "CloudTrail is not enabled on the account", this playbook creates an S3 bucket to host Cloudtrail logs and enable Cloudtrail (includes all region events and global service events). ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations -* Builtin + +This playbook does not use any integrations. ### Scripts + This playbook does not use any scripts. ### Commands + * aws-s3-put-bucket-policy * aws-cloudtrail-start-logging * aws-cloudtrail-create-trail * aws-s3-create-bucket -* closeInvestigation ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | -| AutoEnableCloudTrail | The following resources will be created, `S3 bucket cloudtrail-`, and `Cloudtrail cloudtrail-`. Type "Yes" to auto-enable CloudTrail. | No | Optional | -| CloudTrailRegion | S3 bucket and (global) Cloudtrail will be created on this region | us-west-2 | Optional | +| AutoEnableCloudTrail | The following resources will be created:
- S3 bucket cloudtrail-<account_id>
- Cloudtrail cloudtrail-<account_id>

Type 'Yes' to auto-enable CloudTrail. | No | Optional | +| CloudTrailRegion | S3 bucket and \(global\) Cloudtrail will be created on this region | us-west-2 | Optional | ## Playbook Outputs + --- There are no outputs for this playbook. ## Playbook Image + --- -![PrismaCloudRemediation_AWSCloudTrailIsNotEnabledOnTheAccount](https://raw.githubusercontent.com/demisto/content/1bdd5229392bd86f0cc58265a24df23ee3f7e662/docs/images/playbooks/PrismaCloudRemediation_AWSCloudTrailIsNotEnabledOnTheAccount.png) + +![Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account](../doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_is_not_Enabled_on_the_Account.png) diff --git a/Packs/PrismaCloud/ReleaseNotes/4_2_15.md b/Packs/PrismaCloud/ReleaseNotes/4_2_15.md new file mode 100644 index 000000000000..5f39869b02dc --- /dev/null +++ b/Packs/PrismaCloud/ReleaseNotes/4_2_15.md 
@@ -0,0 +1,112 @@ + +#### Playbooks + +##### Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2 + +Updated the "Dismiss Prisma Cloud alert" automation form redlock to 'prisma-cloud-alert-dismiss' + +##### Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2 + +Updated the "Dismiss Prisma Cloud alert" automation form redlock to 'prisma-cloud-alert-dismiss' + +##### Prisma Cloud Remediation - Azure Network Misconfiguration v2 + +Updated the "Dismiss Prisma Cloud alert" automation form redlock to 'prisma-cloud-alert-dismiss' + +##### Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2 + +Added a automation to the "Close Investigation" task that closes the incident. + +##### Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2 + +Added a automation to the "Close Investigation" task that closes the incident. + +##### Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2 + +Minor improvements. +##### Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account + +Removed "Close Investigation" task to avoid from closing the investigation in the main playbook 'Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2' before all actions are done. +##### Prisma Cloud Remediation - AWS CloudTrail Trail Misconfiguration + +Minor improvements. 
+ +#### Triggers Recommendations + +- New: **AWS CloudTrail Misconfiguration** + +- New: **AWS EC2 Instance Misconfiguration** + +- New: **AWS IAM Policy Misconfiguration** + +- New: **Azure AKS Misconfiguration** + +- New: **Azure Network Misconfiguration** + +- New: **Azure SQL Misconfiguration** + +- New: **Azure Storage Misconfiguration** + +- New: **GCP Compute Engine Misconfiguration** + +- New: **GCP Kubernetes Engine Misconfiguration** + +- New: **Prisma Cloud - VM Alert Prioritization** + +- New: **AWS CloudTrail Misconfiguration** + +- New: **AWS EC2 Instance Misconfiguration** + +- New: **AWS IAM Policy Misconfiguration** + +- New: **Azure AKS Misconfiguration** + +- New: **Azure Network Misconfiguration** + +- New: **Azure SQL Misconfiguration** + +- New: **Azure Storage Misconfiguration** + +- New: **GCP Compute Engine Misconfiguration** + +- New: **GCP Kubernetes Engine Misconfiguration** + +- New: **Prisma Cloud - VM Alert Prioritization** + +- New: **AWS CloudTrail Misconfiguration** + +- New: **AWS EC2 Instance Misconfiguration** + +- New: **AWS IAM Policy Misconfiguration** + +- New: **Azure AKS Misconfiguration** + +- New: **Azure Network Misconfiguration** + +- New: **Azure SQL Misconfiguration** + +- New: **Azure Storage Misconfiguration** + +- New: **GCP Kubernetes Engine Misconfiguration** + +- New: **Prisma Cloud - VM Alert Prioritization** + + +#### Mappers + +##### Prisma Cloud - Incoming Mapper + +- Added time convert transformer to 'Prisma Cloud Time' and 'Last Modified On' incident fields mapping. +- Added mapping to 'Status Reason' field + +#### Layout Rules + +##### New: Prisma Cloud V2 Layout Rule + +- New: **Prisma Cloud V2 Layout Rule** + +#### Layouts + +##### New: Prisma Cloud V2 + +New: **Prisma Cloud V2** \ No newline at end of file 
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_AWS_CloudTrail_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_AWS_CloudTrail_Misconfiguration.json
new file mode 100644
index 000000000000..84f061089738
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_AWS_CloudTrail_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "fc37d4039563569b21b5bebec0a92500",
+ "playbook_id": "Prisma Cloud Remediation - AWS CloudTrail Misconfiguration v2",
+ "suggestion_reason": "Recommended for AWS CloudTrail Misconfiguration alerts",
+ "description": "This trigger is responsible for handling AWS CloudTrail Misconfiguration alerts",
+ "trigger_name": "AWS CloudTrail Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "AWS CloudTrail Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_AWS_EC2_Instance_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_AWS_EC2_Instance_Misconfiguration.json
new file mode 100644
index 000000000000..a320e1c077d6
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_AWS_EC2_Instance_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "44e61bd26eec45c3264a384324567e90",
+ "playbook_id": "Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration v2",
+ "suggestion_reason": "Recommended for AWS EC2 Instance Misconfiguration alerts",
+ "description": "This trigger is responsible for handling AWS EC2 Instance Misconfiguration alerts",
+ "trigger_name": "AWS EC2 Instance Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "AWS EC2 Instance Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_AWS_IAM_Policy_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_AWS_IAM_Policy_Misconfiguration.json
new file mode 100644
index 000000000000..36ca7dd20341
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_AWS_IAM_Policy_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "3abc6225418901f71303bdaf73df7ae9",
+ "playbook_id": "Prisma Cloud Remediation - AWS IAM Policy Misconfiguration v2",
+ "suggestion_reason": "Recommended for AWS IAM Policy Misconfiguration alerts",
+ "description": "This trigger is responsible for handling AWS IAM Policy Misconfiguration alerts",
+ "trigger_name": "AWS IAM Policy Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "AWS IAM Policy Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_Azure_AKS_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_AKS_Misconfiguration.json
new file mode 100644
index 000000000000..bff2f27bfbc3
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_AKS_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "82719687c5d2aee11e490084dbe15fd8",
+ "playbook_id": "Prisma Cloud Remediation - Azure AKS Misconfiguration v2",
+ "suggestion_reason": "Recommended for Azure AKS Misconfiguration alerts",
+ "description": "This trigger is responsible for handling Azure AKS Misconfiguration alerts",
+ "trigger_name": "Azure AKS Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Azure AKS Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_Azure_Network_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_Network_Misconfiguration.json
new file mode 100644
index 000000000000..b13dfb97bbde
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_Network_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "b1d5915dea04d48f8aff2eff41ad8351",
+ "playbook_id": "Prisma Cloud Remediation - Azure Network Misconfiguration v2",
+ "suggestion_reason": "Recommended for Azure Network Misconfiguration alerts",
+ "description": "This trigger is responsible for handling Azure Network Misconfiguration alerts",
+ "trigger_name": "Azure Network Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Azure Network Misconfiguration"
+ }
+ ]
+ }
+ }
+}
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_Azure_SQL_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_SQL_Misconfiguration.json
new file mode 100644
index 000000000000..50a1c3ae83d3
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_SQL_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "29cdd6d019dcaaea2d1ca79371f9f7cb",
+ "playbook_id": "Prisma Cloud Remediation - Azure SQL Misconfiguration v2",
+ "suggestion_reason": "Recommended for Azure SQL Misconfiguration alerts",
+ "description": "This trigger is responsible for handling Azure SQL Misconfiguration alerts",
+ "trigger_name": "Azure SQL Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Azure SQL Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_Azure_Storage_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_Storage_Misconfiguration.json
new file mode 100644
index 000000000000..cc4c1671f3a9
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_Azure_Storage_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "f9e54dc16b690386b07866af8464e368",
+ "playbook_id": "Prisma Cloud Remediation - Azure Storage Misconfiguration v2",
+ "suggestion_reason": "Recommended for Azure Storage Misconfiguration alerts",
+ "description": "This trigger is responsible for handling Azure Storage Misconfiguration alerts",
+ "trigger_name": "Azure Storage Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Azure Storage Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_GCP_Compute_Engine_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_GCP_Compute_Engine_Misconfiguration.json
new file mode 100644
index 000000000000..5abe3693d1d1
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_GCP_Compute_Engine_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "d150d0519b334c040b1fcc0f34a3ded9",
+ "playbook_id": "Prisma Cloud Remediation - GCP Compute Engine Misconfiguration v2",
+ "suggestion_reason": "Recommended for GCP Compute Engine Misconfiguration alerts",
+ "description": "This trigger is responsible for handling GCP Compute Engine Misconfiguration alerts",
+ "trigger_name": "GCP Compute Engine Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "GCP Compute Engine Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_GCP_Kubernetes_Engine_Misconfiguration.json b/Packs/PrismaCloud/Triggers/Trigger_-_GCP_Kubernetes_Engine_Misconfiguration.json
new file mode 100644
index 000000000000..6c72820e3f59
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_GCP_Kubernetes_Engine_Misconfiguration.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "7106713a54ef8482181fe37bbf7fda29",
+ "playbook_id": "Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration v2",
+ "suggestion_reason": "Recommended for GCP Kubernetes Engine Misconfiguration alerts",
+ "description": "This trigger is responsible for handling GCP Kubernetes Engine Misconfiguration alerts",
+ "trigger_name": "GCP Kubernetes Engine Misconfiguration",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "GCP Kubernetes Engine Misconfiguration"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/Triggers/Trigger_-_Prisma_Cloud_-_VM_Alert_Prioritization.json b/Packs/PrismaCloud/Triggers/Trigger_-_Prisma_Cloud_-_VM_Alert_Prioritization.json
new file mode 100644
index 000000000000..2c119040b262
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Trigger_-_Prisma_Cloud_-_VM_Alert_Prioritization.json
@@ -0,0 +1,18 @@
+{
+ "trigger_id": "0d1389eba67bdd284ab668368e230000",
+ "playbook_id": "Prisma Cloud - VM Alert Prioritization",
+ "suggestion_reason": "Recommended for Prisma Cloud - VM Alert Prioritization alerts",
+ "description": "This trigger is responsible for handling Prisma Cloud - VM Alert Prioritization alerts",
+ "trigger_name": "Prisma Cloud - VM Alert Prioritization",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Prisma Cloud - VM Alert Prioritization"
+ }
+ ]
+ }
+ }
+}
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Misconfiguration_v2.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Misconfiguration_v2.png
index 3164babdddde..db5e83e790ef 100644
Binary files a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Misconfiguration_v2.png and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Misconfiguration_v2.png differ
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Trail_Misconfiguration.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Trail_Misconfiguration.png
new file mode 100644
index 000000000000..6cb399e465ad
Binary files /dev/null and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_Trail_Misconfiguration.png differ
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_is_not_Enabled_on_the_Account.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_is_not_Enabled_on_the_Account.png
new file mode 100644
index 000000000000..4d391f0bd19c
Binary files /dev/null and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_CloudTrail_is_not_Enabled_on_the_Account.png differ
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_EC2_Instance_Misconfiguration_v2_Wed_Nov_29_2023.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_EC2_Instance_Misconfiguration_v2_Wed_Nov_29_2023.png
new file mode 100644
index 000000000000..97c5c58161aa
Binary files /dev/null and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_EC2_Instance_Misconfiguration_v2_Wed_Nov_29_2023.png differ
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_IAM_Policy_Misconfiguration_v2.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_IAM_Policy_Misconfiguration_v2.png
index 688ce7a5118b..b88b6ed54d58 100644
Binary files a/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_IAM_Policy_Misconfiguration_v2.png and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_Remediation_-_AWS_IAM_Policy_Misconfiguration_v2.png differ
diff --git a/Packs/PrismaCloud/pack_metadata.json b/Packs/PrismaCloud/pack_metadata.json
index c762ae3ef524..de96e4e39410 100644
--- a/Packs/PrismaCloud/pack_metadata.json
+++ b/Packs/PrismaCloud/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Prisma Cloud by Palo Alto Networks",
 "description": "Automate and unify security incident response across your cloud environments, while still giving a degree of control to dedicated cloud teams.",
 "support": "xsoar",
- "currentVersion": "4.2.14",
+ "currentVersion": "4.2.15",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",