Inputs groups playbooks improvement xsiam (#31893)

* Inputs groups for XSIAM playbooks * RN - Inputs groups for XSIAM playbooks * update png path * update readme files * removed the input section alert data * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * fix - after doc review * change inputs locations according sections * Bump pack from version CloudIncidentResponse to 1.0.12. --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com>
demisto · Jan 10, 2024 · d8d7493 · d8d7493
1 parent 0d2df1d
commit d8d7493
Show file tree

Hide file tree

Showing 10 changed files with 300 additions and 162 deletions.
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml
@@ -995,6 +995,12 @@ view: |-
     }
   }
 inputs:
+- key: ShouldCloseAutomatically
+  value:
+    simple: "False"
+  required: false
+  description: Whether to close alerts automatically as a false positive. (True/False).
+  playbookInputQuery:
 - key: autoAccessKeyRemediation
   value:
     simple: "False"
@@ -1068,119 +1074,158 @@ inputs:
     Delete - For deleting the user.
     Disable - For disabling the user.
   playbookInputQuery:
-- key: ShouldCloseAutomatically
+- key: ShouldOpenTicket
   value:
     simple: "False"
   required: false
-  description: Whether to close alerts automatically as a false positive. (True/False).
+  description: Whether to open a ticket automatically in a ticketing system. (True/False).
   playbookInputQuery:
-- key: ShouldOpenTicket
+- key: description
   value:
-    simple: "False"
+    simple: ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}
   required: false
-  description: Whether to open a ticket automatically in a ticketing system. (True/False).
-  playbookInputQuery: null
+  description: The ticket description.
+  playbookInputQuery:
+- key: CommentToAdd
+  value:
+    simple: '${alert.name}. Alert ID: ${alert.id}'
+  required: false
+  description: Comment for the ticket.
+  playbookInputQuery:
+- key: addCommentPerEndpoint
+  value:
+    simple: "True"
+  required: false
+  description: 'Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.'
+  playbookInputQuery:
 - key: serviceNowShortDescription
   value:
     simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
   required: false
   description: A short description of the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowImpact
   value: {}
   required: false
   description: The impact for the new ticket. Leave empty for ServiceNow default impact.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowUrgency
   value: {}
   required: false
   description: The urgency of the new ticket. Leave empty for ServiceNow default urgency.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowSeverity
   value: {}
   required: false
-  description: The severity of the new ticket. Leave empty for ServiceNow default
-    severity.
-  playbookInputQuery: null
+  description: The severity of the new ticket. Leave empty for ServiceNow default severity.
+  playbookInputQuery:
 - key: serviceNowTicketType
   value: {}
   required: false
-  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request",
-    "sc_request", "sc_task", or "sc_req_item". Default is "incident".
-  playbookInputQuery: null
+  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
+  playbookInputQuery:
 - key: serviceNowCategory
   value: {}
   required: false
   description: The category of the ServiceNow ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowAssignmentGroup
   value: {}
   required: false
   description: The group to which to assign the new ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskPriority
   value: {}
   required: false
-  description: The urgency with which the ticket should be addressed. Allowed values
-    are "urgent", "high", "normal", or "low".
-  playbookInputQuery: null
+  description: The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
+  playbookInputQuery:
 - key: ZendeskRequester
   value: {}
   required: false
   description: The user who requested this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskStatus
   value: {}
   required: false
-  description: The state of the ticket. Allowed values are "new", "open", "pending",
-    "hold", "solved", or "closed".
-  playbookInputQuery: null
+  description: The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
+  playbookInputQuery:
 - key: ZendeskSubject
   value:
     simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
   required: false
   description: The value of the subject field for this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskTags
   value: {}
   required: false
   description: The array of tags applied to this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskType
   value: {}
   required: false
-  description: The type of this ticket. Allowed values are "problem", "incident",
-    "question", or "task".
-  playbookInputQuery: null
+  description: The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
+  playbookInputQuery:
 - key: ZendeskAssigne
   value: {}
   required: false
   description: The agent currently assigned to the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskCollaborators
   value: {}
   required: false
   description: The users currently CC'ed on the ticket.
-  playbookInputQuery: null
-- key: description
-  value:
-    simple: ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}
-  required: false
-  description: The ticket description.
-  playbookInputQuery: null
-- key: addCommentPerEndpoint
-  value:
-    simple: "True"
-  required: false
-  description: 'Whether to append a new comment to the ticket for each endpoint in the incident.  
-    Possible values: True/False.'
-  playbookInputQuery: null
-- key: CommentToAdd
-  value:
-    simple: '${alert.name}. Alert ID: ${alert.id}'
-  required: false
-  description: Comment for the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
+inputSections:
+- inputs:
+  - ShouldCloseAutomatically
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, user engagements, and ticketing methods.
+- inputs:
+  - autoAccessKeyRemediation
+  - autoBlockIndicators
+  - autoUserRemediation
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - AWS-accessKeyRemediationType
+  - AWS-userRemediationType
+  name: AWS Remediation
+  description: AWS Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - Azure-userRemediationType
+  name: Azure Remediation
+  description: Azure Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - GCP-accessKeyRemediationType
+  - GCP-userRemediationType
+  name: GCP Remediation
+  description: GCP Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - ShouldOpenTicket
+  - description
+  - CommentToAdd
+  - addCommentPerEndpoint
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)

diff --git a/...cidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md b/...cidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md
@@ -10,32 +10,33 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
+* Ticket Management - Generic
 * Cloud IAM Enrichment - Generic
-* Handle False Positive Alerts
-* Enrichment for Verdict
 * Cloud Response - Generic
-* Ticket Management - Generic
+* Enrichment for Verdict
+* Handle False Positive Alerts
 
 ### Integrations
 
-* CortexCoreIR
+This playbook does not use any integrations.
 
 ### Scripts
 
 * LoadJSON
 
 ### Commands
 
-* setParentIncidentFields
-* closeInvestigation
 * core-get-cloud-original-alerts
+* closeInvestigation
+* setParentIncidentFields
 
 ## Playbook Inputs
 
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
+| ShouldCloseAutomatically | Whether to close alerts automatically as a false positive. \(True/False\). | False | Optional |
 | autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
 | autoBlockIndicators | Whether to block the indicators automatically. | True | Optional |
 | autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
@@ -44,8 +45,10 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | Azure-userRemediationType | Choose the remediation type for the user involved.<br/><br/>Azure available types:<br/>Disable - for disabling the user.<br/>Delete - for deleting the user. | Disable | Optional |
 | GCP-accessKeyRemediationType | Choose the remediation type for the user's access key.<br/><br/>GCP available types:<br/>Disable - For disabling the user's access key.<br/>Delete - For deleting the user's access key. | Disable | Optional |
 | GCP-userRemediationType | Choose the remediation type for the user involved.<br/><br/>GCP available types:<br/>Delete - For deleting the user.<br/>Disable - For disabling the user. | Disable | Optional |
-| ShouldCloseAutomatically | Whether to close alerts automatically as a false positive. \(True/False\). | False | Optional |
 | ShouldOpenTicket | Whether to open a ticket automatically in a ticketing system. \(True/False\). | False | Optional |
+| description | The ticket description. | ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url} | Optional |
+| CommentToAdd | Comment for the ticket. | ${alert.name}. Alert ID: ${alert.id} | Optional |
+| addCommentPerEndpoint | Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False. | True | Optional |
 | serviceNowShortDescription | A short description of the ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
 | serviceNowImpact | The impact for the new ticket. Leave empty for ServiceNow default impact. |  | Optional |
 | serviceNowUrgency | The urgency of the new ticket. Leave empty for ServiceNow default urgency. |  | Optional |
@@ -61,9 +64,6 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | ZendeskType | The type of this ticket. Allowed values are "problem", "incident", "question", or "task". |  | Optional |
 | ZendeskAssigne | The agent currently assigned to the ticket. |  | Optional |
 | ZendeskCollaborators | The users currently CC'ed on the ticket. |  | Optional |
-| description | The ticket description. | ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url} | Optional |
-| addCommentPerEndpoint | Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False. | True | Optional |
-| CommentToAdd | Comment for the ticket. | ${alert.name}. Alert ID: ${alert.id} | Optional |
 
 ## Playbook Outputs