diff --git a/Packs/Core/Playbooks/playbook-NGFW_Scan.yml b/Packs/Core/Playbooks/playbook-NGFW_Scan.yml
index 6f51e48846d7..fc10e1a4d2aa 100644
--- a/Packs/Core/Playbooks/playbook-NGFW_Scan.yml
+++ b/Packs/Core/Playbooks/playbook-NGFW_Scan.yml
@@ -131,7 +131,7 @@ tasks:
 {
 "position": {
 "x": 20,
- "y": 3190
+ "y": 3010
 }
 }
 note: false
@@ -249,7 +249,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "43"
+ - "46"
 "yes":
 - "19"
 separatecontext: false
@@ -316,7 +316,7 @@ tasks:
 {
 "position": {
 "x": 1000,
- "y": 1860
+ "y": 1840
 }
 }
 note: false
@@ -657,7 +657,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "43"
+ - "46"
 scriptarguments:
 AutoContainment:
 complex:
@@ -718,7 +718,7 @@ tasks:
 {
 "position": {
 "x": 1000,
- "y": 2030
+ "y": 2010
 }
 }
 note: false
@@ -750,7 +750,7 @@ tasks:
 {
 "position": {
 "x": 480,
- "y": 3020
+ "y": 2840
 }
 }
 note: false
@@ -775,7 +775,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "41"
+ - "60"
 "yes":
 - "45"
 separatecontext: false
@@ -796,84 +796,7 @@ tasks:
 {
 "position": {
 "x": 480,
- "y": 2675
- }
- }
- note: false
- timertriggers: []
- ignoreworker: false
- skipunavailable: false
- quietmode: 0
- isoversize: false
- isautoswitchedtoquietmode: false
- continueonerrortype: ""
- "43":
- id: "43"
- taskid: 603b1088-07d0-4656-8b8d-ce58e06cf7e6
- type: condition
- task:
- id: 603b1088-07d0-4656-8b8d-ce58e06cf7e6
- version: -1
- name: Should close alert automatically?
- description: Whether to close the alert automatically.
- type: condition
- iscommand: false
- brand: ""
- nexttasks:
- '#default#':
- - "44"
- "yes":
- - "46"
- separatecontext: false
- conditions:
- - label: "yes"
- condition:
- - - operator: isEqualString
- left:
- value:
- complex:
- root: inputs.AutoCloseAlert
- iscontext: true
- right:
- value:
- simple: "true"
- ignorecase: true
- view: |-
- {
- "position": {
- "x": 480,
- "y": 2200
- }
- }
- note: false
- timertriggers: []
- ignoreworker: false
- skipunavailable: false
- quietmode: 0
- isoversize: false
- isautoswitchedtoquietmode: false
- continueonerrortype: ""
- "44":
- id: "44"
- taskid: 0efdf166-59cc-4539-8732-ce0aa4c08d3e
- type: regular
- task:
- id: 0efdf166-59cc-4539-8732-ce0aa4c08d3e
- version: -1
- name: Continue with the alert investigation
- description: Manual continuation of the investigation.
- type: regular
- iscommand: false
- brand: ""
- nexttasks:
- '#none#':
- - "46"
- separatecontext: false
- view: |-
- {
- "position": {
- "x": 1000,
- "y": 2370
+ "y": 2315
 }
 }
 note: false
@@ -905,7 +828,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "41"
+ - "60"
 scriptarguments:
 releaseFile:
 simple: "false"
@@ -921,7 +844,7 @@ tasks:
 {
 "position": {
 "x": 1000,
- "y": 2850
+ "y": 2490
 }
 }
 note: false
@@ -952,7 +875,7 @@ tasks:
 {
 "position": {
 "x": 480,
- "y": 2540
+ "y": 2180
 }
 }
 note: false
@@ -1478,18 +1401,61 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ "60":
+ id: "60"
+ taskid: c0b99b5f-80b6-4423-8e16-a2f9ce2e2a1e
+ type: condition
+ task:
+ id: c0b99b5f-80b6-4423-8e16-a2f9ce2e2a1e
+ version: -1
+ name: Should close alert automatically?
+ description: Whether to close the alert automatically.
+ type: condition
+ iscommand: false
+ brand: Builtin
+ nexttasks:
+ '#default#':
+ - "5"
+ "yes":
+ - "41"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: inputs.AutoCloseAlert
+ iscontext: true
+ right:
+ value:
+ simple: "true"
+ ignorecase: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 480,
+ "y": 2665
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
 view: |-
 {
 "linkLabelsPosition": {
 "17_19_yes": 0.49,
- "17_43_#default#": 0.16,
 "26_28_#default#": 0.47,
 "26_57_yes": 0.48,
 "28_47_#default#": 0.51,
 "28_57_yes": 0.36,
- "42_41_#default#": 0.53,
 "42_45_yes": 0.49,
- "43_44_#default#": 0.48,
 "47_48_Yes": 0.58,
 "47_5_#default#": 0.12,
 "4_11_#default#": 0.41,
@@ -1497,11 +1463,13 @@ view: |-
 "55_14_#default#": 0.28,
 "55_56_yes": 0.48,
 "56_14_#default#": 0.43,
- "56_54_yes": 0.5
+ "56_54_yes": 0.5,
+ "60_41_yes": 0.63,
+ "60_5_#default#": 0.43
 },
 "paper": {
 "dimensions": {
- "height": 4395,
+ "height": 4215,
 "width": 1620,
 "x": -240,
 "y": -1140
@@ -1673,6 +1641,8 @@ inputs:
 playbookInputQuery:
 outputs: []
 tests:
-- No tests (auto formatted).
+- No tests (auto formatted)
 marketplaces: ["marketplacev2"]
-fromversion: 6.6.0
\ No newline at end of file
+fromversion: 6.6.0
+contentitemexportablefields:
+ contentitemfields: {}
\ No newline at end of file
diff --git a/Packs/Core/Playbooks/playbook-NGFW_Scan_README.md b/Packs/Core/Playbooks/playbook-NGFW_Scan_README.md
index 9bb9d8317aef..4f8b425b7181 100644
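Review bot: The new condition task `"60"` sets `brand: Builtin`, whereas the condition task `"43"` it replaces and the other tasks whose `brand` is visible in this diff use `brand: ""`; for a condition task with no command it should stay `brand: ""` for consistency. The diff also moves the `inputs.AutoCloseAlert` gate rather than only dropping the manual step: as far as these hunks show, task `"41"` was previously reached directly from `"42"`'s `#default#` branch and from the `releaseFile` task, and is now reached only via `"60"`'s `yes` branch while `#default#` ends at `"5"`, so a run with `AutoCloseAlert` unset no longer executes `"41"` at all. The `2_0_15.md` release note mentions only the removed manual task, so this rerouting should be stated there, and `"5"` confirmed as the intended terminal task for that branch. Minor: `continueonerrortype: ""` is placed before `view:` here but came after `isautoswitchedtoquietmode:` in the removed task `"43"`.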
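Review bot: The last hunk of this file still leaves `contentitemfields: {}` without a trailing newline (the `\ No newline at end of file` marker survives the edit) even though the hunk is already rewriting the final lines; ending the YAML with a single newline avoids the spurious last-line diff on the next change. The `tests:` entry is also now written without the trailing period, matching `playbook-WildFire_Malware.yml`, which keeps the two playbooks consistent.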
--- a/Packs/Core/Playbooks/playbook-NGFW_Scan_README.md
+++ b/Packs/Core/Playbooks/playbook-NGFW_Scan_README.md
@@ -41,17 +41,17 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
 * Containment Plan
-* Endpoint Investigation Plan
-* Recovery Plan
-* Handle False Positive Alerts
 * Block IP - Generic v3
-* Ticket Management - Generic
+* Handle False Positive Alerts
+* Endpoint Investigation Plan
 * NGFW Internal Scan
+* Ticket Management - Generic
+* Recovery Plan
 ### Integrations
-* CoreIOCs
 * CortexCoreIR
+* CoreIOCs
 ### Scripts
@@ -59,11 +59,11 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Commands
-* setParentIncidentFields
-* ip
 * abuseipdb-report-ip
-* send-mail
 * closeInvestigation
+* send-mail
+* ip
+* setParentIncidentFields
 ## Playbook Inputs
diff --git a/Packs/Core/Playbooks/playbook-WildFire_Malware.yml b/Packs/Core/Playbooks/playbook-WildFire_Malware.yml
index 931af4be44e1..922ad14744f2 100644
--- a/Packs/Core/Playbooks/playbook-WildFire_Malware.yml
+++ b/Packs/Core/Playbooks/playbook-WildFire_Malware.yml
@@ -1,9 +1,6 @@
 id: WildFire Malware
 version: -1
 name: WildFire Malware
-"marketplaces": [
- "marketplacev2"
-]
 description: |-
 This playbook handles WildFire Malware alerts.
 It performs enrichment on the different alert entities and establishes a verdict.
@@ -405,7 +402,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "114"
+ - "117"
 "yes":
 - "25"
 separatecontext: false
@@ -441,7 +438,7 @@ tasks:
 {
 "position": {
 "x": -1260,
- "y": 3970
+ "y": 3810
 }
 }
 note: false
@@ -506,7 +503,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "114"
+ - "117"
 scriptarguments:
 AutoContainment:
 complex:
@@ -858,7 +855,7 @@ tasks:
 {
 "position": {
 "x": 730,
- "y": 3800
+ "y": 3640
 }
 }
 note: false
@@ -883,7 +880,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "112"
+ - "114"
 "yes":
 - "116"
 separatecontext: false
@@ -905,7 +902,7 @@ tasks:
 {
 "position": {
 "x": 730,
- "y": 3455
+ "y": 3115
 }
 }
 note: false
@@ -930,9 +927,9 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "115"
+ - "84"
 "yes":
- - "117"
+ - "112"
 separatecontext: false
 conditions:
 - label: "yes"
@@ -952,38 +949,7 @@ tasks:
 {
 "position": {
 "x": 730,
- "y": 2970
- }
- }
- note: false
- timertriggers: []
- ignoreworker: false
- skipunavailable: false
- quietmode: 0
- isoversize: false
- isautoswitchedtoquietmode: false
- continueonerrortype: ""
- "115":
- id: "115"
- taskid: 43a5ee18-7758-4a50-8709-9e464a43f369
- type: regular
- task:
- id: 43a5ee18-7758-4a50-8709-9e464a43f369
- version: -1
- name: Continue with the incident investigation
- description: "Continue with the incident investigation."
- type: regular
- iscommand: false
- brand: ""
- nexttasks:
- '#none#':
- - "117"
- separatecontext: false
- view: |-
- {
- "position": {
- "x": 1060,
- "y": 3140
+ "y": 3460
 }
 }
 note: false
@@ -1014,7 +980,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "112"
+ - "114"
 scriptarguments:
 FileHash:
 complex:
@@ -1037,7 +1003,7 @@ tasks:
 {
 "position": {
 "x": 1060,
- "y": 3630
+ "y": 3290
 }
 }
 note: false
@@ -1068,7 +1034,7 @@ tasks:
 {
 "position": {
 "x": 730,
- "y": 3310
+ "y": 2970
 }
 }
 note: false
@@ -1695,7 +1661,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "114"
+ - "117"
 "yes":
 - "135"
 separatecontext: false
@@ -1722,6 +1688,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "134":
 id: "134"
 taskid: 0d11e289-2dc4-4eba-8d92-08335800fcf8
@@ -1729,8 +1696,8 @@ tasks:
 task:
 id: 0d11e289-2dc4-4eba-8d92-08335800fcf8
 version: -1
- name: Set Incident Severity to High
- description: commands.local.cmd.set.parent.incident.field
+ name: Set Alert Severity to High
+ description: commands.local.cmd.set.parent.alert.field
 script: Builtin|||setParentIncidentFields
 type: regular
 iscommand: true
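Review bot: In the `@@ -930,9 +927,9 @@` hunk the condition task's `#default#` branch now goes to `"84"` and its `yes` branch to `"112"`, whereas before both branches ended at `"117"` (directly, or via the removed manual task `"115"` whose `#none#` also pointed at `"117"`); that changes which tasks run on the `#default#` path, not only the presence of a manual pause. The `2_0_15.md` release note only says the manual task was removed, so the rerouting should be documented there, and `"84"` confirmed as the intended continuation for the branch where the condition is not met. The enclosing task definition starts and ends outside this hunk, so its condition expression is not visible here.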
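Review bot: In the `@@ -1729,8 +1696,8 @@` hunk the `description` of task `"134"` becomes `commands.local.cmd.set.parent.alert.field` while `script` stays `Builtin|||setParentIncidentFields`; the value reads like a command or localization key rather than free text, so please confirm the `.alert.field` variant is a defined key, and otherwise keep `description: commands.local.cmd.set.parent.incident.field` and change only the task `name`. The same edit is repeated for the task at `@@ -1764,8 +1731,8 @@` in the next hunk and should be treated the same way.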
@@ -1764,8 +1731,8 @@ tasks:
 task:
 id: b40b3fef-fdd3-4523-80a3-671fcfd4d630
 version: -1
- name: Set Incident Severity to High
- description: commands.local.cmd.set.parent.incident.field
+ name: Set Alert Severity to High
+ description: commands.local.cmd.set.parent.alert.field
 script: Builtin|||setParentIncidentFields
 type: regular
 iscommand: true
@@ -1934,14 +1901,13 @@ view: |-
 {
 "linkLabelsPosition": {
 "106_36_#default#": 0.4,
- "113_112_#default#": 0.57,
 "113_116_yes": 0.42,
- "114_117_yes": 0.52,
+ "114_84_#default#": 0.17,
 "124_25_#default#": 0.5,
 "128_25_yes": 0.13,
 "128_66_#default#": 0.59,
 "130_36_Yes": 0.47,
- "133_114_#default#": 0.12,
+ "133_117_#default#": 0.29,
 "36_126_Malware": 0.61,
 "36_127_#default#": 0.52,
 "3_36_Yes": 0.31,
@@ -1949,12 +1915,11 @@ view: |-
 "66_68_Allow list": 0.5,
 "66_69_Block list": 0.45,
 "66_70_#default#": 0.53,
- "70_114_#default#": 0.16,
 "70_25_yes": 0.23
 },
 "paper": {
 "dimensions": {
- "height": 5395,
+ "height": 5235,
 "width": 2700,
 "x": -1260,
 "y": -1360
@@ -2174,6 +2139,7 @@ inputs:
 outputs: []
 tests:
 - No tests (auto formatted)
+marketplaces: ["marketplacev2"]
 fromversion: 6.6.0
 contentitemexportablefields:
 contentitemfields: {}
diff --git a/Packs/Core/Playbooks/playbook-WildFire_Malware_README.md b/Packs/Core/Playbooks/playbook-WildFire_Malware_README.md
index 055455de4191..598f84b13436 100644
--- a/Packs/Core/Playbooks/playbook-WildFire_Malware_README.md
+++ b/Packs/Core/Playbooks/playbook-WildFire_Malware_README.md
@@ -8,12 +8,12 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
-* Containment Plan
-* Handle False Positive Alerts
-* Recovery Plan
 * Enrichment for Verdict
-* Ticket Management - Generic
 * Endpoint Investigation Plan
+* Handle False Positive Alerts
+* Ticket Management - Generic
+* Recovery Plan
+* Containment Plan
 ### Integrations
@@ -28,8 +28,8 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 * setParentIncidentFields
 * core-allowlist-files
 * closeInvestigation
-* core-report-incorrect-wildfire
 * core-blocklist-files
+* core-report-incorrect-wildfire
 ## Playbook Inputs
diff --git a/Packs/Core/ReleaseNotes/2_0_15.md b/Packs/Core/ReleaseNotes/2_0_15.md
new file mode 100644
index 000000000000..eeb91b693e1b
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/2_0_15.md
@@ -0,0 +1,10 @@
+ #### Playbooks
+ ##### WildFire Malware
+ - Removed the *'Continue with the alert investigation'* manual task.
+ ##### NGFW Scan
+ - Removed the *'Continue with the alert investigation'* manual task.
diff --git a/Packs/Core/doc_files/NGFW_Scan.png b/Packs/Core/doc_files/NGFW_Scan.png
index ab404bbc33f1..007f53bd5f3c 100644
Binary files a/Packs/Core/doc_files/NGFW_Scan.png and b/Packs/Core/doc_files/NGFW_Scan.png differ
diff --git a/Packs/Core/doc_files/WildFire_Malware.png b/Packs/Core/doc_files/WildFire_Malware.png
index cc99fbf76255..097f8f38c1fa 100644
Binary files a/Packs/Core/doc_files/WildFire_Malware.png and b/Packs/Core/doc_files/WildFire_Malware.png differ
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 6f3d9d89d11e..46211758c4f1 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "2.0.14",
+ "currentVersion": "2.0.15",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",