Cs malware - fixing incidents flow issues (#23034)

1. Fixed an issue with custom Mitre Attack 2. Fixed an issue with the behavior's pattern disposition details path. 3. Added mapping for File Sha256 for incidents' detections 4. Added unique transformer in get detections details task. * added input validation - is not empty. * updated rn * Fixed review comments
demisto · Dec 19, 2022 · df5d955 · df5d955
1 parent 1b2f2a7
commit df5d955
Show file tree

Hide file tree

Showing 7 changed files with 134 additions and 17 deletions.
diff --git a/.../CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_Get_Detections_by_Incident.yml b/.../CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_Get_Detections_by_Incident.yml
@@ -90,7 +90,11 @@ tasks:
       extended_data:
         simple: Yes
       ids:
-        simple: ${CrowdStrike.IncidentDetection.detection_ids}
+        complex:
+          root: CrowdStrike.IncidentDetection
+          accessor: detection_ids
+          transformers:
+          - operator: uniq
     separatecontext: false
     view: |-
       {
@@ -130,6 +134,9 @@ tasks:
     - incidentfield: Technique ID
       output:
         simple: ${CrowdStrike.Detection.Behavior.TechniqueId}
+    - incidentfield: File SHA256
+      output:
+        simple: ${CrowdStrike.Detection.Behavior.SHA256}
     skipunavailable: false
     quietmode: 0
     isoversize: false

diff --git a/...CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Incident_Enrichment.yml b/...CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Incident_Enrichment.yml
@@ -428,7 +428,7 @@ tasks:
     task:
       id: 76cc6bfa-107f-4440-85c0-066f67bede92
       version: -1
-      name: Check if we have more than 1 item
+      name: Is there only one endpoint?
       description: Checks whether given entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If an array is provided, will return 'yes' if one of the entries returns an error.
       scriptName: isError
       type: condition

diff --git a/...rikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Investigation_and_Response.yml b/...rikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Investigation_and_Response.yml
@@ -1008,7 +1008,30 @@ tasks:
       - '43'
     scriptarguments:
       PolicyBehaviourDetails:
-        simple: ${CrowdStrike.Detection.Behavior.pattern_disposition_details}
+        complex:
+          root: CrowdStrike.Detection.Behavior
+          accessor: pattern_disposition_details
+          transformers:
+            - operator: If-Then-Else
+              args:
+                condition:
+                  value:
+                    simple: lhs==rhs
+                else:
+                  value:
+                    simple: CrowdStrike.Detection.Behavior.pattern_disposition_details
+                  iscontext: true
+                equals: { }
+                lhs:
+                  value:
+                    simple: CrowdStrike.Detection.Behavior.pattern_disposition_details
+                  iscontext: true
+                options: { }
+                rhs: { }
+                then:
+                  value:
+                    simple: CrowdStrike.Detection.Behavior.PatternDispositionDetails
+                  iscontext: true
     separatecontext: true
     loop:
       iscommand: false
@@ -1185,7 +1208,18 @@ tasks:
       - '66'
     scriptarguments:
       TechniqueID:
-        simple: ${incident.mitretechniqueid}
+        complex:
+          root: incident.mitretechniqueid
+          filters:
+            - - operator: notStartWith
+                left:
+                  value:
+                    simple: incident.mitretechniqueid
+                  iscontext: true
+                right:
+                  value:
+                    simple: cs
+                ignorecase: true
     separatecontext: true
     loop:
       iscommand: false

diff --git a/...rikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Verify_Containment_Actions.yml b/...rikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Verify_Containment_Actions.yml
@@ -19,13 +19,13 @@ tasks:
       description: ''
     nexttasks:
       '#none#':
-      - '9'
+      - "20"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 450,
-          "y": -210
+          "x": 200,
+          "y": -380
         }
       }
     note: false
@@ -35,6 +35,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '1':
     id: '1'
     taskid: 66b61c68-3550-4853-8519-a14f6d3426a7
@@ -46,7 +47,7 @@ tasks:
       type: condition
       iscommand: false
       brand: ''
-      description: ''
+      description: 'Is policy enabled?'
     nexttasks:
       '#default#':
       - '2'
@@ -79,6 +80,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '2':
     id: '2'
     taskid: 0aed7220-4345-4618-884a-e09854131ef8
@@ -104,7 +106,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 120,
+          "x": 450,
           "y": 380
         }
       }
@@ -115,6 +117,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '3':
     id: '3'
     taskid: 76f47710-f7d5-477e-8580-796e1083c4fd
@@ -152,6 +155,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '4':
     id: '4'
     taskid: be369256-7e95-4bf2-81b6-3cf05ceb26c8
@@ -168,7 +172,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 120,
+          "x": 200,
           "y": 1180
         }
       }
@@ -179,6 +183,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '5':
     id: '5'
     taskid: 498d0b00-bd30-4bb8-8e24-ecf6d97e8e5d
@@ -190,7 +195,7 @@ tasks:
       type: condition
       iscommand: false
       brand: ''
-      description: ''
+      description: 'Was host isolated?'
     nexttasks:
       '#default#':
       - '8'
@@ -223,6 +228,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '7':
     id: '7'
     taskid: 2ddbc174-fc63-4b7c-8a86-282ca82d80c2
@@ -259,6 +265,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '8':
     id: '8'
     taskid: efd68ab1-05fb-479b-8b00-dfd720f014b9
@@ -295,6 +302,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '9':
     id: '9'
     taskid: d71558d5-a17b-4077-856b-e2c7819cb716
@@ -325,6 +333,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '10':
     id: '10'
     taskid: 7259fb74-92b6-4084-8f04-ee58d84a0671
@@ -355,6 +364,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '11':
     id: '11'
     taskid: 15f02b8f-ff2c-46ca-8f8d-87958f36e139
@@ -385,6 +395,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '12':
     id: '12'
     taskid: 64484bbc-8000-46e9-8d21-4f8a06eb8d75
@@ -415,6 +426,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '13':
     id: '13'
     taskid: d4a6ca8c-00c3-4775-89d2-30f986c4a8b1
@@ -426,7 +438,7 @@ tasks:
       type: condition
       iscommand: false
       brand: ''
-      description: ''
+      description: 'Was process handled?'
     nexttasks:
       '#default#':
       - '17'
@@ -485,6 +497,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '14':
     id: '14'
     taskid: a5b33061-f3d9-4eb1-8459-c00fc5978435
@@ -521,6 +534,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '15':
     id: '15'
     taskid: dd702688-dfae-4463-8e0f-8d5e8ae552cc
@@ -557,6 +571,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '16':
     id: '16'
     taskid: b87386a4-4266-425b-868f-7da9bcedcf8c
@@ -587,6 +602,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '17':
     id: '17'
     taskid: f20c30ab-2b68-4522-830c-79b4c8f53253
@@ -623,6 +639,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '18':
     id: '18'
     taskid: 53a03f32-0e2a-44c4-8511-9569737270b2
@@ -659,6 +676,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   '19':
     id: '19'
     taskid: f46aa1ab-ee2d-4802-8199-a4b9e5661913
@@ -695,15 +713,57 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
+  "20":
+    id: "20"
+    taskid: e5ba8aa5-c0b8-4a58-85fe-7566ede7a5a3
+    type: condition
+    task:
+      id: e5ba8aa5-c0b8-4a58-85fe-7566ede7a5a3
+      version: -1
+      name: Is there a policy object?
+      description: Is there a policy object?
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "4"
+      "yes":
+      - "9"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              simple: inputs.PolicyBehaviourDetails
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 200,
+          "y": -250
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {},
     "paper": {
       "dimensions": {
-        "height": 1455,
-        "width": 2990,
-        "x": 120,
-        "y": -210
+        "height": 1625,
+        "width": 2910,
+        "x": 200,
+        "y": -380
       }
     }
   }
@@ -726,3 +786,6 @@ outputs:
 tests:
 - No tests (auto formatted)
 fromversion: 6.5.0
+contentitemexportablefields:
+  contentitemfields: {}
+system: true
diff --git a/Packs/CrowdStrikeFalcon/ReleaseNotes/1_9_16.md b/Packs/CrowdStrikeFalcon/ReleaseNotes/1_9_16.md
@@ -0,0 +1,13 @@
+
+#### Playbooks
+##### CrowdStrike Falcon Malware - Verify Containment Actions
+Added input's validation.
+
+##### CrowdStrike Falcon Malware - Incident Enrichment
+Fixed a confusion task name.
+##### CrowdStrike Falcon - Get Detections by Incident
+- Added mapping for File Sha256 for incidents' detections.
+- Added unique transformer in get detections details task.
+##### CrowdStrike Falcon Malware - Investigation and Response
+- Fixed an issue with custom Mitre Attack 
+- Fixed an issue with the behavior's pattern disposition details path.
diff --git a/...ikeFalcon/doc_files/CrowdStrike_Falcon_Malware_-_Verify_Containment_Actions.png b/...ikeFalcon/doc_files/CrowdStrike_Falcon_Malware_-_Verify_Containment_Actions.png
diff --git a/Packs/CrowdStrikeFalcon/pack_metadata.json b/Packs/CrowdStrikeFalcon/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "CrowdStrike Falcon",
     "description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.",
     "support": "xsoar",
-    "currentVersion": "1.9.15",
+    "currentVersion": "1.9.16",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",