diff --git a/IncidentFields/incidentfields.json b/IncidentFields/incidentfields.json index 4e4ce7562f76..6b0764bd1697 100644 --- a/IncidentFields/incidentfields.json +++ b/IncidentFields/incidentfields.json 
@@ -1027,5 +1027,222 @@ "associatedToAll": false, "unmapped": false, "unsearchable": false + }, + { + "id": "incident_assetid", + "version": 1, + "modified": "2018-05-14T11:49:51.903376595Z", + "name": "Asset ID", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "assetid", + "type": "shortText", + "closeForm": true, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": null, + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false + }, + { + "id": "incident_bugtraq", + "version": 1, + "modified": "2018-05-22T08:29:50.617989641Z", + "name": "Bugtraq", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "bugtraq", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": null, + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false + }, + { + "id": "incident_cve", + "version": 1, + "modified": "2018-05-22T08:30:34.518509397Z", + "name": "CVE", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "cve", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": null, + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + 
"unsearchable": false + }, + { + "id": "incident_cvss", + "version": 1, + "modified": "2018-05-22T08:31:16.706045637Z", + "name": "CVSS", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "cvss", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": null, + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false + }, + { + "id": "incident_signature", + "version": 1, + "modified": "2018-05-22T08:37:48.611917798Z", + "name": "Signature", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "signature", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": null, + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false + }, + { + "id": "incident_vendorid", + "version": 2, + "modified": "2018-05-14T12:54:09.074711366Z", + "name": "Vendor ID", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "vendorid", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": [], + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false + }, + { + "id": 
"incident_vulnerabilitycategory", + "version": 1, + "modified": "2018-05-22T10:35:05.304309354Z", + "name": "Vulnerability Category", + "ownerOnly": false, + "placeholder": "", + "description": "", + "cliName": "vulnerabilitycategory", + "type": "shortText", + "closeForm": false, + "editForm": true, + "required": false, + "script": "", + "neverSetAsRequired": false, + "isReadOnly": false, + "selectValues": null, + "validationRegex": "", + "useAsKpi": false, + "locked": false, + "system": false, + "content": false, + "group": 0, + "hidden": false, + "associatedTypes": [ + "Vulnerability" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false }] } \ No newline at end of file diff --git a/Layouts/layout-details-Vulnerability.json b/Layouts/layout-details-Vulnerability.json new file mode 100644 index 000000000000..7e6e2c3a63fa --- /dev/null +++ b/Layouts/layout-details-Vulnerability.json 
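Review bot: `incident_cve` and `incident_cvss` are added as `shortText` with `"validationRegex": ""`, so the CVE field accepts any string and the CVSS field accepts non-numeric text; a CVE identifier has a fixed shape, so `"validationRegex": "^CVE-\\d{4}-\\d{4,}$"` would reject malformed ids at entry, and CVSS is a numeric score that fits a `number` field (or at least a numeric regex) better than free text. `incident_vendorid` also differs from every sibling in this hunk in using `"selectValues": []` where the others use `"selectValues": null`, so the key changes type across instances; use `null` to match. The enclosing field array starts before this hunk.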
@@ -0,0 +1,416 @@ +{ + "typeId": "Vulnerability", + "kind": "details", + "layout": { + "id": "Vulnerability", + "version": -1, + "modified": "2018-05-23T08:26:33.071254532Z", + "name": "", + "sections": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Vulnerability Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_assetid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_vendorid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_vulnerabilitycategory", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_cve", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_cvss", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_bugtraq", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_signature", + "isVisible": true + } + ], + "description": "The vulnerability information", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_type", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_severity", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_owner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": 
"0001-01-01T00:00:00Z", + "fieldId": "incident_dbotstatus", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotsource", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_playbookid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_phase", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_roles", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Work Plan", + "type": "workplan", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Timeline Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotcreated", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_occurred", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotduedate", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotmodified", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbottotaltime", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Custom Fields", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [], + "description": "", + "query": 
null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Details", + "type": "", + "isVisible": true, + "readOnly": true, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_details", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Labels", + "type": "labels", + "isVisible": true, + "readOnly": true, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_labels", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Attachments", + "type": "", + "isVisible": true, + "readOnly": true, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_attachment", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Bad or Suspicious Indicators", + "type": "indicators", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": "reputation:Bad or reputation:Suspicious", + "queryType": "input" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Evidence", + "type": "evidence", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Notes", + "type": "notes", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Linked Incidents", + "type": "linkedIncidents", + "isVisible": 
true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Incident Timeline", + "type": "invTimeline", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": { + "categories": [ + "incidentInfo" + ], + "lastId": "", + "pageSize": 100, + "tags": [], + "users": [] + }, + "queryType": "warRoomFilter" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Incident Files", + "type": "invTimeline", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": { + "categories": [ + "attachments" + ], + "lastId": "", + "pageSize": 100, + "tags": [], + "users": [] + }, + "queryType": "warRoomFilter" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Team", + "type": "team", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Child Investigation", + "type": "childInv", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Automation Highlights", + "type": "findings", + "isVisible": true, + "readOnly": true, + "fields": [], + "description": "", + "query": null, + "queryType": "" + } + ] + } +} \ No newline at end of file diff --git a/Layouts/layout-edit-Vulnerability.json b/Layouts/layout-edit-Vulnerability.json new file mode 100644 index 000000000000..49247313c098 --- /dev/null +++ b/Layouts/layout-edit-Vulnerability.json 
@@ -0,0 +1,306 @@ +{ + "typeId": "Vulnerability", + "kind": "edit", + "layout": { + "id": "Vulnerability", + "version": -1, + "modified": "2018-05-23T08:26:17.835704322Z", + "name": "", + "sections": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Vulnerability Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_assetid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_vendorid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_vulnerabilitycategory", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_cve", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_cvss", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_bugtraq", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_signature", + "isVisible": true + } + ], + "description": "Vulnerability Information", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_name", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_occurred", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_reminder", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": 
"0001-01-01T00:00:00Z", + "fieldId": "incident_owner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_roles", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_type", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_severity", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_playbookid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_labels", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_phase", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_details", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_attachment", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Custom Fields", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_backupowner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_falses", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_fetchid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_fetchtype", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_important", + "isVisible": true + }, + { + "id": "", + 
"version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_importantfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_mdtest", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_selector", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_single", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_single2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_source", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_test", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_testfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timeassignedtolevel2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timefield1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timelevel1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_username", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + } + ] + } +} \ No newline at end of file diff --git a/Playbooks/playbook-CVE_Enrichment_-_Generic.yml b/Playbooks/playbook-CVE_Enrichment_-_Generic.yml new file mode 100644 index 000000000000..115d06705261 --- /dev/null +++ b/Playbooks/playbook-CVE_Enrichment_-_Generic.yml 
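Review bot: The `Custom Fields` section of this edit layout lists `incident_mdtest`, `incident_test`, `incident_testfield`, `incident_single`, `incident_single2`, `incident_selector`, `incident_importantfield` and similar ids that look like leftovers from the exporting dev instance rather than fields shipped with content; none of them is defined in the `incidentfields.json` hunk of this commit, and the details layout's `Custom Fields` section in the same commit is `"fields": []`. A layout that references undefined field ids renders blank or broken on a fresh install, so this section should presumably be reduced to `"fields": []` like the details layout, or to the fields this commit actually ships.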
@@ -0,0 +1,387 @@ +id: cve_enrichment_-_generic +version: -1 +name: CVE Enrichment - Generic +fromversion: 3.6.0 +description: Enrich CVE using one or more integrations. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 8a9b5f57-93dc-4f6e-847a-472c93c1af17 + type: start + task: + id: 8a9b5f57-93dc-4f6e-847a-472c93c1af17 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 50 + } + } + "1": + id: "1" + taskid: 8bb9a465-c8c6-4c01-855c-949ae425e1ee + type: condition + task: + id: 8bb9a465-c8c6-4c01-855c-949ae425e1ee + version: -1 + name: Are there any CVE IDs? + description: Verify that the playbook input includes at least one CVE ID to + enrich. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "8" + - "3" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.CVE + accessor: ID + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 195 + } + } + "2": + id: "2" + taskid: 1c1df4a5-6a12-4724-8cf5-586f7743fc57 + type: title + task: + id: 1c1df4a5-6a12-4724-8cf5-586f7743fc57 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 387.5, + "y": 865 + } + } + "3": + id: "3" + taskid: f7b01173-8ceb-4a00-843c-ae25be38be72 + type: title + task: + id: f7b01173-8ceb-4a00-843c-ae25be38be72 + version: -1 + name: Enrich CVE + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + - "5" + separatecontext: false + view: |- + { + "position": { + "x": 817.5, + "y": 370 + } + } + "4": + id: "4" + taskid: ec903a88-c4cd-4c15-8cf4-3e2065626e24 + type: condition + task: + id: ec903a88-c4cd-4c15-8cf4-3e2065626e24 + version: -1 + name: Is XFE enabled? 
+ description: Verify that there's a valid instance of XFE enabled. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "7" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: modules + filters: + - - operator: string.isEqual + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: XFE + ignorecase: true + - - operator: string.isEqual + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 592.5, + "y": 515 + } + } + "5": + id: "5" + taskid: 306a2d9e-6bf5-483e-8dae-7f65b705e535 + type: condition + task: + id: 306a2d9e-6bf5-483e-8dae-7f65b705e535 + version: -1 + name: Is "CVE Search" enabled? + description: Verify that there's a valid instance of "CVE Search" enabled. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "6" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: modules + filters: + - - operator: string.isEqual + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: CVE Search + ignorecase: true + - - operator: string.isEqual + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 1042.5, + "y": 515 + } + } + "6": + id: "6" + taskid: 7674b375-bbfd-4ac0-877a-42110ffc1a89 + type: regular + task: + id: 7674b375-bbfd-4ac0-877a-42110ffc1a89 + version: -1 + name: Get CVE info from "CVE Search" + description: Retrieve CVE information from "CVE Search". 
+ script: CVE Search|||cve-search + type: regular + iscommand: true + brand: CVE Search + nexttasks: + '#none#': + - "2" + scriptarguments: + cveId: + complex: + root: inputs.CVE + accessor: ID + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 1155, + "y": 690 + } + } + "7": + id: "7" + taskid: 64e794a4-8cf1-4f18-8d0c-0dd74d6f295e + type: regular + task: + id: 64e794a4-8cf1-4f18-8d0c-0dd74d6f295e + version: -1 + name: Get CVE info from XFE + description: Retrieve CVE information from XFE. + script: XFE|||cve-search + type: regular + iscommand: true + brand: XFE + nexttasks: + '#none#': + - "2" + scriptarguments: + cveId: + complex: + root: inputs.CVE + accessor: ID + continueonerror: true + separatecontext: false + view: |- + { + "position": { + "x": 705, + "y": 690 + } + } + "8": + id: "8" + taskid: a8dc9bc9-7c74-4b59-86a4-aa7c09063fd0 + type: condition + task: + id: a8dc9bc9-7c74-4b59-86a4-aa7c09063fd0 + version: -1 + name: Should the system retrieve the CVE reputation? + description: Is the GetReputation input set to 'True'? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: string.isEqual + left: + value: + complex: + root: inputs.GetReputation + iscontext: true + right: + value: + simple: "True" + ignorecase: true + view: |- + { + "position": { + "x": 162.5, + "y": 515 + } + } + "9": + id: "9" + taskid: f779358d-7e46-4afd-8b42-b48167adb764 + type: regular + task: + id: f779358d-7e46-4afd-8b42-b48167adb764 + version: -1 + name: Retrieve CVE reputation + description: Retrieve CVE reputation using one or more integrations. 
+ scriptName: cveReputation + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + input: + complex: + root: inputs.CVE + accessor: ID + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 690 + } + } +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 880, + "width": 1485, + "x": 50, + "y": 50 + } + } + } +inputs: +- key: CVE + value: + complex: + root: CVE + required: false + description: The CVE to enrich. +- key: GetReputation + value: + simple: "True" + required: true + description: Should the playbook retrieve the reputation for the CVE? +outputs: +- contextPath: CVE + type: unknown +- contextPath: CVE.ID + description: The ID of the CVE + type: string +- contextPath: CVE.CVSS + description: The CVSS score of the CVE + type: number +- contextPath: CVE.Published + description: The date this was published + type: date +- contextPath: CVE.Modified + description: When CVE was last modified + type: date +- contextPath: CVE.Description + description: The CVE description + type: string diff --git a/Playbooks/playbook-Calculate_Severity_-_Generic.yml b/Playbooks/playbook-Calculate_Severity_-_Generic.yml index 17f77a4af951..f325d86d443e 100644 --- a/Playbooks/playbook-Calculate_Severity_-_Generic.yml +++ b/Playbooks/playbook-Calculate_Severity_-_Generic.yml @@ -2,6 +2,7 @@ id: Calculate Severity - Generic version: -1 name: Calculate Severity - Generic fromversion: 3.5.0 +releaseNotes: "Add support for Qualys" description: |- Calculate incident severity by indicators reputation and user/endpoint membership in critical groups. 
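Review bot: Tasks 6 and 7 set `continueonerror: true` and each flows straight to the Done title (task 2), so a failed `cve-search` call — bad credentials, rate limiting, an unreachable instance — ends the playbook with `CVE` unenriched and nothing tells the parent playbook or the analyst that enrichment was skipped. Either drop `continueonerror` so the error surfaces in the work plan, or add a condition after each of tasks 6 and 7 that checks `general.isExists` on `CVE.Description` (or `CVE.CVSS`) before reaching Done. Note also that the `CVE.CVSS` output is declared `type: number` while the `incident_cvss` field added in this commit is `shortText`, so anything mapped from that output into the field loses its numeric type.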
@@ -11,6 +12,7 @@ description: |-
 * CriticalUsers - Comma separated array with usernames of critical users
 * CriticalEndpoints - Comma separated array with hostnames of critical endpoints
 * CriticalGroups - Comma separated array with DN of critical Active Directory groups
+ * QualysSeverity - A Qualys severity score (1-5) to calculate severity from
 starttaskid: "0"
 tasks:
 "0":
@@ -26,12 +28,12 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "1"
+ - "20"
 separatecontext: false
 view: |-
 {
 "position": {
- "x": 725,
+ "x": 510,
 "y": 50
 }
 }
@@ -54,8 +56,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 725,
- "y": 195
+ "x": 60,
+ "y": 515
 }
 }
 "3":
@@ -135,8 +137,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 397.5,
- "y": 515
+ "x": -64,
+ "y": 850
 }
 }
 "4":
@@ -206,8 +208,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 135.5,
- "y": 690
+ "x": 735,
+ "y": 1010
 }
 }
 "5":
@@ -277,8 +279,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 612.5,
- "y": 690
+ "x": 1165,
+ "y": 1010
 }
 }
 "6":
@@ -348,8 +350,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1105,
- "y": 690
+ "x": 305,
+ "y": 1010
 }
 }
 "7":
@@ -372,8 +374,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 612.5,
- "y": 865
+ "x": 520,
+ "y": 1185
 }
 }
 "8":
@@ -402,7 +404,7 @@ tasks:
 {
 "position": {
 "x": 50,
- "y": 1010
+ "y": 1330
 }
 }
 "9":
@@ -435,8 +437,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 50,
- "y": 1185
+ "x": 172.5,
+ "y": 1505
 }
 }
 "10":
@@ -455,8 +457,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 612.5,
- "y": 1889
+ "x": 417.5,
+ "y": 2205
 }
 }
 "11":
@@ -523,8 +525,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 735,
- "y": 1710
+ "x": 745,
+ "y": 2030
 }
 }
 "12":
@@ -553,8 +555,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1185,
- "y": 1010
+ "x": 867.5,
+ "y": 1330
 }
 }
 "13":
@@ -588,8 +590,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1185,
- "y": 1185
+ "x": 1195,
+ "y": 1505
 }
 }
 "15":
@@ -623,8 +625,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 50,
- "y": 1554
+ "x": 172.5,
+ "y": 1855
 }
 }
 "16":
@@ -658,8 +660,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1185,
- "y": 1535
+ "x": 1195,
+ "y": 1855
 }
 }
 "17":
@@ -687,8 +689,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1185,
- "y": 1360
+ "x": 1082.5,
+ "y": 1680
 }
 }
 "18":
@@ -716,8 +718,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 50,
- "y": 1360
+ "x": 60,
+ "y": 1680
 }
 }
 "19":
@@ -750,10 +752,156 @@ tasks: view: |- { "position": { - "x": 725, + "x": 60, + "y": 660 + } + } + "20": + id: "20" + taskid: 72dd5ec9-0650-41a5-8e7d-db6849db35ba + type: title + task: + id: 72dd5ec9-0650-41a5-8e7d-db6849db35ba + version: -1 + name: Calculate from 3rd-party input + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "21" + separatecontext: false + view: |- + { + "position": { + "x": 510, + "y": 195 + } + } + "21": + id: "21" + taskid: b003aaf2-586f-46a3-8bee-76c110d8bb75 + type: condition + task: + id: b003aaf2-586f-46a3-8bee-76c110d8bb75 + version: -1 + name: Is there a Qualys severity? + description: "" + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "1" + "yes": + - "22" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.QualysSeverity + iscontext: true + view: |- + { + "position": { + "x": 510, "y": 340 } } + "22": + id: "22" + taskid: 127f0e43-3179-4df7-8c4b-6a9877353e40 + type: condition + task: + id: 127f0e43-3179-4df7-8c4b-6a9877353e40 + version: -1 + name: Chance severity based Qulays vulnerability score + description: "" + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "7" + HIGH: + - "6" + LOW: + - "4" + MEDIUM: + - "5" + separatecontext: false + conditions: + - label: HIGH + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.QualysSeverity + filters: + - - operator: number.greaterThanOrEqual + left: + value: + simple: inputs.QualysSeverity + iscontext: true + right: + value: + simple: "4" + iscontext: true + - label: MEDIUM + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.QualysSeverity + filters: + - - operator: number.greaterThanOrEqual + left: + value: + simple: inputs.QualysSeverity + iscontext: true + right: + value: + simple: "2" + - - operator: number.lessThan + 
left: + value: + simple: inputs.QualysSeverity + iscontext: true + right: + value: + simple: "4" + iscontext: true + - label: LOW + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.QualysSeverity + filters: + - - operator: number.lessThan + left: + value: + simple: inputs.QualysSeverity + iscontext: true + right: + value: + simple: "2" + iscontext: true + view: |- + { + "position": { + "x": 745, + "y": 515 + } + } view: |- { "linkLabelsPosition": { @@ -763,16 +911,16 @@ view: |- "15_11_yes": 0.15, "16_10_#default#": 0.36, "16_11_yes": 0.16, - "3_5_Medium": 0.57, + "3_5_Medium": 0.73, "3_7_#default#": 0.29, "8_10_#default#": 0.16, "9_11_yes": 0.1 }, "paper": { "dimensions": { - "height": 1904, - "width": 1515, - "x": 50, + "height": 2220, + "width": 1639, + "x": -64, "y": 50 } } @@ -790,4 +938,11 @@ inputs: value: {} required: false description: Critical active directory groups DN +- key: QualysSeverity + value: + complex: + root: Qualys + accessor: Severity + required: false + description: Qualys Vulnerability Severity score (1-5) outputs: [] diff --git a/Playbooks/playbook-Vulnerability_Handling_-_Qualys.yml b/Playbooks/playbook-Vulnerability_Handling_-_Qualys.yml new file mode 100644 index 000000000000..4f431ed9b7a3 --- /dev/null +++ b/Playbooks/playbook-Vulnerability_Handling_-_Qualys.yml 
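Review bot: In task 22 the literal thresholds are marked as context inconsistently: the HIGH filter's right value `simple: "4"` and the LOW filter's `simple: "2"` carry `iscontext: true`, the MEDIUM branch's first `simple: "2"` does not while its second `simple: "4"` does. `iscontext: true` asks the engine to resolve the value as a context path rather than use it as a number, so the bands that carry it would presumably compare against an unresolved path; remove `iscontext: true` from all four threshold literals so every band reads the same way (per the input description's 1-5 scale: HIGH ≥ 4, MEDIUM 2–3, LOW 1). The task name `Chance severity based Qulays vulnerability score` should read `Change severity based on Qualys vulnerability score`. Task 21's `#default#` falls through to task 1, the pre-existing start of the indicator-based calculation, which lies outside this hunk.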
@@ -0,0 +1,685 @@ +id: vulnerability_handling_-_qualys +version: -1 +name: Vulnerability Handling - Qualys +fromversion: 3.6.0 +description: |- + Manage vulnerability remediation using Qualys data, and optionally enrich data with 3rd-party tools. + + Before you run this playbook, run the "Vulnerability Management - Qualys (Job)" playbook. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 70a808bd-c5f5-4a34-8e73-7bd426ea3c48 + type: start + task: + id: 70a808bd-c5f5-4a34-8e73-7bd426ea3c48 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "12" + separatecontext: false + view: |- + { + "position": { + "x": 1370, + "y": 50 + } + } + "1": + id: "1" + taskid: c028a317-3e87-4ee2-85c9-53754152340d + type: regular + task: + id: c028a317-3e87-4ee2-85c9-53754152340d + version: -1 + name: Get Asset information + description: Get asset metadata from Qualys based on Asset ID. + script: Qualys|||qualys-host-list + type: regular + iscommand: true + brand: Qualys + nexttasks: + '#none#': + - "2" + scriptarguments: + ag_ids: {} + ag_titles: {} + compliance_enabled: {} + compliance_scan_since: {} + details: {} + id_max: {} + id_min: {} + ids: + complex: + root: incident + accessor: assetid + ips: {} + network_ids: {} + no_compliance_scan_since: {} + no_vm_scan_since: {} + os_pattern: {} + truncation_limit: {} + vm_scan_since: {} + separatecontext: false + view: |- + { + "position": { + "x": 1257.5, + "y": 515 + } + } + "2": + id: "2" + taskid: a0bb5b2f-f89a-48ec-8cef-70477b2adf1e + type: regular + task: + id: a0bb5b2f-f89a-48ec-8cef-70477b2adf1e + version: -1 + name: Get Vulnerability information + description: Get vulnerability metadata from Qualys based on QID. 
+ script: Qualys|||qualys-vulnerability-list + type: regular + iscommand: true + brand: Qualys + nexttasks: + '#none#': + - "3" + - "4" + scriptarguments: + details: {} + discovery_auth_types: {} + discovery_method: {} + extend-context: + simple: Qualys.Consequence=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.CONSEQUENCE::Qualys.Diagnosis=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.DIAGNOSIS::Qualys.Solution=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.SOLUTION::CVE.ID=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.CVE_LIST.CVE.ID::Qualys.Severity=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.SEVERITY_LEVEL::Qualys.Category=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.CATEGORY::Qualys.Bugtraq=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.BUGTRAQ_LIST.BUGTRAQ::Qualys.Title=KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST.VULN.TITLE + id_max: {} + id_min: {} + ids: + complex: + root: incident + accessor: vendorid + is_patchable: {} + last_modified_after: {} + last_modified_before: {} + last_modified_by_service_after: {} + last_modified_by_service_before: {} + last_modified_by_user_after: {} + last_modified_by_user_before: {} + published_after: {} + published_before: {} + show_pci_reasons: {} + separatecontext: false + view: |- + { + "position": { + "x": 1257.5, + "y": 690 + } + } + "3": + id: "3" + taskid: f557cc38-4b4e-4beb-88fa-55a1c6cc3de6 + type: title + task: + id: f557cc38-4b4e-4beb-88fa-55a1c6cc3de6 + version: -1 + name: Mark important notes + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + - "21" + - "23" + separatecontext: false + view: |- + { + "position": { + "x": 612.5, + "y": 865 + } + } + "4": + id: "4" + taskid: cdbea748-55ef-48c7-8e82-df37a53667ff + type: title + task: + id: cdbea748-55ef-48c7-8e82-df37a53667ff + version: -1 + name: Enrich Entities + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + 
'#none#': + - "10" + - "11" + separatecontext: false + view: |- + { + "position": { + "x": 1697.5, + "y": 865 + } + } + "5": + id: "5" + taskid: d75db3b1-aeec-44f1-88c9-fb782f8f0291 + type: regular + task: + id: d75db3b1-aeec-44f1-88c9-fb782f8f0291 + version: -1 + name: 'Display diagnosis ' + description: Display the diagnosis HTML in the War Room. + scriptName: DisplayHTML + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + scriptarguments: + header: + simple: Vulnerability Diagnosis + html: + complex: + root: Qualys + accessor: Diagnosis + markAsNote: + simple: "True" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 1185 + } + } + "6": + id: "6" + taskid: 3a0acb6e-cd22-42b7-86cf-2c0c638d6e41 + type: condition + task: + id: 3a0acb6e-cd22-42b7-86cf-2c0c638d6e41 + version: -1 + name: Is there a diagnosis for the vulnerability? + description: Verify that there's a diagnosis for the detected vulnerability + in context. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "7" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: Qualys + accessor: Diagnosis + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 1010 + } + } + "7": + id: "7" + taskid: 58ab86c1-fd77-4a67-8804-2e8cc87eedb4 + type: title + task: + id: 58ab86c1-fd77-4a67-8804-2e8cc87eedb4 + version: -1 + name: 'Remediate' + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "20" + separatecontext: false + view: |- + { + "position": { + "x": 725, + "y": 1360 + } + } + "10": + id: "10" + taskid: 01d06edb-b109-4ce1-8618-ad49f8f33648 + type: playbook + task: + id: 01d06edb-b109-4ce1-8618-ad49f8f33648 + version: -1 + name: Endpoint Enrichment - Generic + description: "" + playbookName: Endpoint Enrichment - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + 
'#none#': + - "19" + scriptarguments: + Hostname: + complex: + root: Qualys + accessor: Endpoint.NETBIOS + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 1482.5, + "y": 1010 + } + } + "11": + id: "11" + taskid: 60d2a53c-3ae5-453f-875a-1203347f16e7 + type: playbook + task: + id: 60d2a53c-3ae5-453f-875a-1203347f16e7 + version: -1 + name: CVE Enrichment - Generic + description: "" + playbookName: CVE Enrichment - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "19" + separatecontext: true + view: |- + { + "position": { + "x": 1912.5, + "y": 1010 + } + } + "12": + id: "12" + taskid: a7ff415a-8066-4f3c-826c-5c6f840075f2 + type: condition + task: + id: a7ff415a-8066-4f3c-826c-5c6f840075f2 + version: -1 + name: Is Qualys enabled? + description: Verify that there's a valid instance of Qualys enabled. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "7" + "yes": + - "17" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: modules + filters: + - - operator: string.isEqual + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Qualys + ignorecase: true + - - operator: string.isEqual + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 1370, + "y": 195 + } + } + "14": + id: "14" + taskid: 65d23550-509d-4f8b-8f31-a9ec236d59d0 + type: regular + task: + id: 65d23550-509d-4f8b-8f31-a9ec236d59d0 + version: -1 + name: 'Remediate the vulnerability ' + description: Manually remediate the vulnerability using the remediation note + from Qualys. 
+ type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + separatecontext: false + view: |- + { + "position": { + "x": 725, + "y": 1680 + } + } + "15": + id: "15" + taskid: fd70751e-253f-404b-8820-e63a3eff0d68 + type: regular + task: + id: fd70751e-253f-404b-8820-e63a3eff0d68 + version: -1 + name: Close Investigation + description: Close the investigation. + scriptName: CloseInvestigation + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "18" + scriptarguments: + notes: {} + reason: {} + separatecontext: false + view: |- + { + "position": { + "x": 725, + "y": 1855 + } + } + "17": + id: "17" + taskid: 2d483c30-2066-4696-82f9-781aa207df9f + type: title + task: + id: 2d483c30-2066-4696-82f9-781aa207df9f + version: -1 + name: Get incident information from Qualys + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + separatecontext: false + view: |- + { + "position": { + "x": 1257.5, + "y": 370 + } + } + "18": + id: "18" + taskid: ab94f99a-9546-4837-8ed9-cfe970154bea + type: title + task: + id: ab94f99a-9546-4837-8ed9-cfe970154bea + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 725, + "y": 2030 + } + } + "19": + id: "19" + taskid: 3e271fab-839e-4253-8aa9-f8579c607fd6 + type: playbook + task: + id: 3e271fab-839e-4253-8aa9-f8579c607fd6 + version: -1 + name: Vulnerability Management - Qualys - Add custom fields + description: "" + playbookName: Vulnerability Handling - Qualys - Add custom fields to default + layout + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + separatecontext: true + view: |- + { + "position": { + "x": 1697.5, + "y": 1185 + } + } + "20": + id: "20" + taskid: cd0cd64a-046d-467f-836f-3afa1f8e5acf + type: playbook + task: + id: cd0cd64a-046d-467f-836f-3afa1f8e5acf + version: -1 + name: Calculate Severity - Generic + 
description: |- + Calculate incident severity by indicators reputation and user/endpoint membership in critical groups. + + Note - current severity will be overwritten and new severity may be lower than the current one. + + Playbook inputs: + * CriticalUsers - Comma separated array with usernames of critical users + * CriticalEndpoints - Comma separated array with hostnames of critical endpoints + * CriticalGroups - Comma separated array with DN of critical Active Directory groups + playbookName: Calculate Severity - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "14" + scriptarguments: + CriticalEndpoints: {} + CriticalGroups: {} + CriticalUsers: {} + separatecontext: false + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 725, + "y": 1505 + } + } + "21": + id: "21" + taskid: e70ad3fc-4274-4b7b-8e05-564266f65b2e + type: condition + task: + id: e70ad3fc-4274-4b7b-8e05-564266f65b2e + version: -1 + name: Is there a consequence for the vulnerability? + description: Verify that there's a consequence for the detected vulnerability + in context. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "7" + "yes": + - "22" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: Qualys + accessor: Consequence + iscontext: true + view: |- + { + "position": { + "x": 612.5, + "y": 1010 + } + } + "22": + id: "22" + taskid: 85f071de-346c-4cf6-8a54-6bef8b32e3c1 + type: regular + task: + id: 85f071de-346c-4cf6-8a54-6bef8b32e3c1 + version: -1 + name: 'Display consequence' + description: Display the remediation HTML in the War Room. 
+ scriptName: DisplayHTML + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + scriptarguments: + header: + simple: Vulnerability Consequence + html: + complex: + root: Qualys + accessor: Consequence + markAsNote: + simple: "True" + separatecontext: false + view: |- + { + "position": { + "x": 500, + "y": 1185 + } + } + "23": + id: "23" + taskid: e142b442-105b-4016-8d77-40eb431e5503 + type: condition + task: + id: e142b442-105b-4016-8d77-40eb431e5503 + version: -1 + name: Is there a remediation for the vulnerability? + description: Verify that there's a remediation for the detected vulnerability + in context. + type: condition + iscommand: false + brand: "" + nexttasks: + "yes": + - "24" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: Qualys + accessor: Solution + iscontext: true + view: |- + { + "position": { + "x": 1052.5, + "y": 1010 + } + } + "24": + id: "24" + taskid: e9c369da-0f47-4243-8628-c8f959084f2d + type: regular + task: + id: e9c369da-0f47-4243-8628-c8f959084f2d + version: -1 + name: 'Display remediation' + description: Display the remediation HTML in the War Room. + scriptName: DisplayHTML + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + scriptarguments: + header: + simple: Vulnerability Remediation + html: + complex: + root: Qualys + accessor: Solution + markAsNote: + simple: "True" + separatecontext: false + view: |- + { + "position": { + "x": 1052.5, + "y": 1185 + } + } +view: |- + { + "linkLabelsPosition": { + "12_7_#default#": 0.52 + }, + "paper": { + "dimensions": { + "height": 2045, + "width": 2242.5, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] 
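Review bot: Task "23" (`Is there a remediation for the vulnerability?`) defines only a `"yes"` branch, whereas its siblings "6" and "21", which fan out from the same task "3", route `#default#` to "7"; add `'#default#': - "7"` so the missing-solution path is explicit and the three checks are shaped alike. Tasks "1" and "2" hand `incident.assetid` and `incident.vendorid` straight to `qualys-host-list` / `qualys-vulnerability-list` with no check that those fields are populated; if an empty `ids` is treated as "no filter" by the integration, an incident of this type created without those fields would pull the whole host or knowledge-base list, so a `general.isExists` condition on `incident.assetid` before task "1" would be cheap insurance. Task "20" binds only the `Critical*` inputs; `QualysSeverity` is presumably picked up through the sub-playbook's input default (`Qualys.Severity`) because `separatecontext: false`, but listing it in `scriptarguments` would make that dependency visible to whoever edits either playbook.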
diff --git a/Playbooks/playbook-Vulnerability_Handling_-_Qualys_-_Add_custom_fields_to_default_layout.yml b/Playbooks/playbook-Vulnerability_Handling_-_Qualys_-_Add_custom_fields_to_default_layout.yml
new file mode 100644
index 000000000000..64324302fc33
--- /dev/null
+++ b/Playbooks/playbook-Vulnerability_Handling_-_Qualys_-_Add_custom_fields_to_default_layout.yml
@@ -0,0 +1,492 @@ +id: vulnerability_handling_-_qualys_-_add _ustom_fields_to_default_layout +version: -1 +name: Vulnerability Handling - Qualys - Add custom fields to default layout +fromversion: 3.6.0 +description: Add information about the vulnerability and asset from the "Vulnerability + Handling - Qualys" playbook data to the default "Vulnerability" layout. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 7c0a6113-ccc4-4b67-8ae0-5b6ebed288fb + type: start + task: + id: 7c0a6113-ccc4-4b67-8ae0-5b6ebed288fb + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + - "17" + - "18" + - "19" + - "20" + separatecontext: false + view: |- + { + "position": { + "x": 1062.5, + "y": 50 + } + } + "2": + id: "2" + taskid: 2115cdff-522d-4787-822c-39684be05294 + type: title + task: + id: 2115cdff-522d-4787-822c-39684be05294 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 1062.5, + "y": 545 + } + } + "3": + id: "3" + taskid: 8e4fc911-843f-47ff-8a54-1b3efb8470b8 + type: regular + task: + id: 8e4fc911-843f-47ff-8a54-1b3efb8470b8 + version: -1 + name: Set "Vulnerability Category" + description: Populate the custom field. 
+ scriptName: IncidentSet + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + addLabels: {} + customFieldName: + simple: vulnerabilitycategory + customFieldValue: + complex: + root: inputs.Qualys + accessor: Category + transformers: + - operator: general.uniq + - operator: general.join + args: + separator: + value: + simple: ',' + details: {} + labels: {} + name: {} + owner: {} + playbook: {} + severity: {} + stage: {} + type: {} + updatePlaybookForType: {} + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + "8": + id: "8" + taskid: e041a676-db54-4695-8ecd-34befbfbc79c + type: regular + task: + id: e041a676-db54-4695-8ecd-34befbfbc79c + version: -1 + name: Set "Signature" + description: Populate the custom field. + scriptName: IncidentSet + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + addLabels: {} + customFieldName: + simple: signature + customFieldValue: + complex: + root: inputs.Qualys + accessor: Title + transformers: + - operator: general.join + args: + separator: + value: + simple: ', ' + details: {} + labels: {} + name: {} + owner: {} + playbook: {} + severity: {} + stage: {} + type: {} + updatePlaybookForType: {} + separatecontext: false + view: |- + { + "position": { + "x": 1400, + "y": 370 + } + } + "9": + id: "9" + taskid: 7c7cb394-27b8-470b-8503-fca384538827 + type: regular + task: + id: 7c7cb394-27b8-470b-8503-fca384538827 + version: -1 + name: Set "Bugtraq" + description: Populate the custom field. 
+ scriptName: IncidentSet + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + addLabels: {} + customFieldName: + simple: bugtraq + customFieldValue: + complex: + root: inputs.Qualys + accessor: Bugtraq.ID + transformers: + - operator: general.join + args: + separator: + value: + simple: ', ' + details: {} + labels: {} + name: {} + owner: {} + playbook: {} + severity: {} + stage: {} + type: {} + updatePlaybookForType: {} + separatecontext: false + view: |- + { + "position": { + "x": 1850, + "y": 370 + } + } + "11": + id: "11" + taskid: b79b6492-0fe9-47ea-8712-25e67bb05384 + type: regular + task: + id: b79b6492-0fe9-47ea-8712-25e67bb05384 + version: -1 + name: Set "CVE" + description: Populate the custom field. + scriptName: IncidentSet + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + addLabels: {} + customFieldName: + simple: cve + customFieldValue: + complex: + root: inputs.CVE + accessor: ID + transformers: + - operator: general.uniq + - operator: general.join + args: + separator: + value: + simple: ',' + details: {} + labels: {} + name: {} + owner: {} + playbook: {} + severity: {} + stage: {} + type: {} + updatePlaybookForType: {} + separatecontext: false + view: |- + { + "position": { + "x": 950, + "y": 370 + } + } + "13": + id: "13" + taskid: 12f3c186-65f1-41b8-89bb-b2e47b2b358b + type: regular + task: + id: 12f3c186-65f1-41b8-89bb-b2e47b2b358b + version: -1 + name: Set "CVSS" + description: Populate the custom field. 
+ scriptName: IncidentSet + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + addLabels: {} + customFieldName: + simple: cvss + customFieldValue: + complex: + root: inputs.CVE + accessor: CVSS + transformers: + - operator: general.join + args: + separator: + value: + simple: ', ' + details: {} + labels: {} + name: {} + owner: {} + playbook: {} + severity: {} + stage: {} + type: {} + updatePlaybookForType: {} + separatecontext: false + view: |- + { + "position": { + "x": 500, + "y": 370 + } + } + "15": + id: "15" + taskid: e23eb213-9603-4c62-8825-9c3fb601e139 + type: condition + task: + id: e23eb213-9603-4c62-8825-9c3fb601e139 + version: -1 + name: Is there a valid "Vulnerability Category"? + description: Check if there’s a "Vulnerability Category" in the playbook inputs. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "3" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.Qualys + accessor: Category + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 195 + } + } + "17": + id: "17" + taskid: 6c1b4f4a-5d12-4d78-81d3-02892cc3ad37 + type: condition + task: + id: 6c1b4f4a-5d12-4d78-81d3-02892cc3ad37 + version: -1 + name: Is there a valid "CVSS"? + description: Check if there’s a "CVSS" in the playbook inputs. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "13" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.CVE + accessor: CVSS + iscontext: true + view: |- + { + "position": { + "x": 612.5, + "y": 195 + } + } + "18": + id: "18" + taskid: 360bab9f-806f-48c0-8080-fbbbe2efd466 + type: condition + task: + id: 360bab9f-806f-48c0-8080-fbbbe2efd466 + version: -1 + name: Is there a valid "CVE"? 
+ description: Check if there’s a "CVE" in the playbook inputs. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "11" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.CVE + accessor: ID + iscontext: true + view: |- + { + "position": { + "x": 1062.5, + "y": 195 + } + } + "19": + id: "19" + taskid: 19976cc4-28dd-4594-8972-1c512a7dd3f5 + type: condition + task: + id: 19976cc4-28dd-4594-8972-1c512a7dd3f5 + version: -1 + name: Is there a valid "Signature"? + description: Check if there’s a "Signature" in the playbook inputs. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.Qualys + accessor: Title + iscontext: true + view: |- + { + "position": { + "x": 1512.5, + "y": 195 + } + } + "20": + id: "20" + taskid: a3def47b-593f-4a87-8ce5-356ad232dc95 + type: condition + task: + id: a3def47b-593f-4a87-8ce5-356ad232dc95 + version: -1 + name: Is there a valid "Bugtraq"? + description: Check if there’s a "Bugtraq" in the playbook inputs. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: inputs.Qualys + accessor: Bugtraq.ID + iscontext: true + view: |- + { + "position": { + "x": 1962.5, + "y": 195 + } + } +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 560, + "width": 2292.5, + "x": 50, + "y": 50 + } + } + } +inputs: +- key: Qualys + value: + complex: + root: Qualys + required: false + description: The Qualys object containing the vulnerability data +- key: CVE + value: + complex: + root: CVE + required: false + description: The CVE object containing the vulnerability data +outputs: [] diff --git a/Playbooks/playbook-Vulnerability_Management__-_Qualys_(Job).yml b/Playbooks/playbook-Vulnerability_Management__-_Qualys_(Job).yml new file mode 100644 index 000000000000..4faef28baa5c --- /dev/null +++ b/Playbooks/playbook-Vulnerability_Management__-_Qualys_(Job).yml 
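Review bot: The playbook `id` on the first line, `vulnerability_handling_-_qualys_-_add _ustom_fields_to_default_layout`, contains a space and a dropped letter; it should read `vulnerability_handling_-_qualys_-_add_custom_fields_to_default_layout`, since the id is the stable key for references and a stray space there is hard to spot later. The `IncidentSet` tasks are inconsistent with each other: "3" and "11" join with `','` and apply `general.uniq`, while "8", "9" and "13" join with `', '` and never dedupe; pick one separator and apply `uniq` to every list-valued field so the layout renders uniformly and repeated CVE or Bugtraq ids do not pile up in the field.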
@@ -0,0 +1,451 @@ +id: vulnerability_management_-_qualys_Job +version: -1 +name: Vulnerability Management - Qualys (Job) +fromversion: 3.6.0 +description: |- + Use the latest Qualys report to manage vulnerabilities. + + This playbook runs as a job, and by default creates incidents of type "Vulnerability" based on assets and vulnerabilities. + The incidents are created from the latest version of the report determined by the report timestamp. + You can define the minimum severity (minSeverity) that incidents are created for. + Duplicate incidents are not created for the same asset ID and QID. + + This playbook is a part of a series of playbooks for Qualys vulnerability management and remediation. + For this series of playbooks to run successfully, create a Job and do the following: + 1. Assign this playbook to the Job + 2. Enter the Qualys XML report name into the "Details" field + 3. Associate the "Vulnerability" type incident to the "Vulnerability Handling - Qualys" playbook. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 44eb6f9d-29e2-449e-85fd-2077af1ff45e + type: start + task: + id: 44eb6f9d-29e2-449e-85fd-2077af1ff45e + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "10" + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 50 + } + } + "2": + id: "2" + taskid: 1471cc73-16be-429c-8619-b07e7e7271ba + type: regular + task: + id: 1471cc73-16be-429c-8619-b07e7e7271ba + version: -1 + name: Get Qualys reports list + description: Retrieve a list of all reports from Qualys. Can be filtered by + the `expires_before_datetime` parameter. 
+ script: Qualys|||qualys-report-list + type: regular + iscommand: true + brand: Qualys + nexttasks: + '#none#': + - "12" + scriptarguments: + expires_before_datetime: {} + id: {} + state: {} + user_login: {} + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 515 + } + } + "3": + id: "3" + taskid: 4ae94d3c-f26b-4d09-89a7-7e2d087a5549 + type: condition + task: + id: 4ae94d3c-f26b-4d09-89a7-7e2d087a5549 + version: -1 + name: Is there a valid report? + description: Check if there's a Qualys report that matches the input report + name and is in XML format. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + "YES": + - "11" + separatecontext: false + conditions: + - label: "YES" + condition: + - - operator: general.isExists + left: + value: + complex: + root: QualysReport + filters: + - - operator: string.isEqual + left: + value: + simple: QualysReport.Title + iscontext: true + right: + value: + simple: inputs.QualysReportTitle + iscontext: true + - - operator: string.isEqual + left: + value: + simple: QualysReport.Status.State + iscontext: true + right: + value: + simple: Finished + ignorecase: true + - - operator: string.isEqual + left: + value: + simple: QualysReport.OutputFormat + iscontext: true + right: + value: + simple: XML + accessor: ID + iscontext: true + view: |- + { + "position": { + "x": 50, + "y": 865 + } + } + "5": + id: "5" + taskid: 03b60980-2f8f-4dc6-830e-781a10150988 + type: title + task: + id: 03b60980-2f8f-4dc6-830e-781a10150988 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 1710 + } + } + "7": + id: "7" + taskid: 73f17571-d171-4ba5-8cd0-d4b39cfd62ab + type: title + task: + id: 73f17571-d171-4ba5-8cd0-d4b39cfd62ab + version: -1 + name: Create incidents from the Qualys report + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + 
separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 1215 + } + } + "8": + id: "8" + taskid: a898c316-7a9a-4c01-8984-e02c4a572a17 + type: regular + task: + id: a898c316-7a9a-4c01-8984-e02c4a572a17 + version: -1 + name: Create incidents from the Qualys report + description: |- + Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID). + Duplicate incidents are not created for the same asset ID and QID. + scriptName: QualysCreateIncidentFromReport + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "14" + scriptarguments: + entryID: + complex: + root: File + filters: + - - operator: string.isEqual + left: + value: + simple: File.Info + iscontext: true + right: + value: + simple: application/xml + ignorecase: true + accessor: EntryID + maxFileSize: {} + minSeverity: + simple: ${inputs.MinSeverity} + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 1360 + } + } + "10": + id: "10" + taskid: 7bd9b687-d830-4ef7-8f2c-11430ace9299 + type: condition + task: + id: 7bd9b687-d830-4ef7-8f2c-11430ace9299 + version: -1 + name: Is Qualys enabled? + description: Verify that there's a valid instance of Qualys enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "yes": + - "15" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: modules + filters: + - - operator: string.isEqual + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Qualys + ignorecase: true + - - operator: string.isEqual + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 195 + } + } + "11": + id: "11" + taskid: 4e17432e-44c3-41c2-8c3a-50b477ac0d64 + type: regular + task: + id: 4e17432e-44c3-41c2-8c3a-50b477ac0d64 + version: -1 + name: Get report + description: Retrieve the report from Qualys. + script: Qualys|||qualys-report-fetch + type: regular + iscommand: true + brand: Qualys + nexttasks: + '#none#': + - "7" + scriptarguments: + id: + complex: + root: QualysReport + filters: + - - operator: string.isEqual + left: + value: + simple: QualysReport.Title + iscontext: true + right: + value: + simple: inputs.QualysReportTitle + iscontext: true + - - operator: string.isEqual + left: + value: + simple: QualysReport.Status.State + iscontext: true + right: + value: + simple: Finished + ignorecase: true + - - operator: string.isEqual + left: + value: + simple: QualysReport.OutputFormat + iscontext: true + right: + value: + simple: XML + ignorecase: true + accessor: ID + transformers: + - operator: general.atIndex + args: + index: + value: + simple: "0" + separatecontext: false + view: |- + { + "position": { + "x": 162.5, + "y": 1040 + } + } + "12": + id: "12" + taskid: 760d26bf-1cf0-453e-874d-6289febaf523 + type: regular + task: + id: 760d26bf-1cf0-453e-874d-6289febaf523 + version: -1 + name: Set context + description: 'Set the Qualys reports list into context. 
' + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + append: {} + key: + simple: QualysReport + value: + complex: + root: Qualys + accessor: Report + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 690 + } + } + "14": + id: "14" + taskid: f6e8fab3-d733-4383-8969-f1db2e0850b6 + type: regular + task: + id: f6e8fab3-d733-4383-8969-f1db2e0850b6 + version: -1 + name: Close Investigation + description: Close the investigation. + script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "5" + scriptarguments: + assetid: {} + closeNotes: {} + closeReason: {} + id: {} + importantfield: {} + test2: {} + timefield1: {} + separatecontext: false + view: |- + { + "position": { + "x": 279, + "y": 1535 + } + } + "15": + id: "15" + taskid: d810fa86-61da-49c6-84c6-1216e66f77bb + type: title + task: + id: d810fa86-61da-49c6-84c6-1216e66f77bb + version: -1 + name: Get report from Qualys + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1725, + "width": 609, + "x": 50, + "y": 50 + } + } + } +inputs: +- key: QualysReportTitle + value: + complex: + root: incident + accessor: details + required: true + description: "The report title as it appears in Qualys.\nHas to be in XML format. " +- key: MinSeverity + value: + simple: "3" + required: true + description: The minimum Qualys severity (1 -5) to create incidents for +outputs: [] diff --git a/Scripts/script-DisplayHTML.yml b/Scripts/script-DisplayHTML.yml new file mode 100644 index 000000000000..addfeeb20915 --- /dev/null +++ b/Scripts/script-DisplayHTML.yml 
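Review bot: Task "14" passes `test2: {}`, `timefield1: {}`, `assetid: {}` and `importantfield: {}` to `closeInvestigation`; these look like custom field names captured from a development instance and should be removed so the shipped job does not reference fields other tenants do not have. Task "3" compares `QualysReport.OutputFormat` to `XML` without `ignorecase`, while task "11" applies `ignorecase: true` to the identical filter; align the two, otherwise a report whose format is reported in another case passes one filter and not the other and the flow diverges silently. Task "11" picks the report with `general.atIndex` 0 on the filtered list, but the description promises the latest report by timestamp; unless the API is known to return newest first, sort or filter on the report timestamp before taking index 0, or state the assumption in the task description.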
@@ -0,0 +1,32 @@
+commonfields:
+ id: displayhtml
+ version: -1
+name: DisplayHTML
+script: |
+ html = demisto.get(demisto.args(),"html")
+ note = demisto.get(demisto.args(),"markAsNote")
+ header = demisto.get(demisto.args(),"header")
+
+ note = True if note == "True" else False
+ if header:
+ html = "

{0}

{1}".format(header,html)
+
+ demisto.results( {'ContentsFormat': formats['html'], 'Type': entryTypes['note'], 'Contents': html, 'Note': note} )
+type: python
+tags: []
+comment: Display HTML in the War Room.
+system: true
+args:
+- name: html
+ required: true
+ description: The HTML to display
+- name: markAsNote
+ auto: PREDEFINED
+ predefined:
+ - "True"
+ - "False"
+ description: Should the entry be marked as a note?
+- name: header
+ description: Add a header text to the output
+scripttarget: 0
+runonce: false
diff --git a/Scripts/script-QualysCreateIncidentFromReport.yml b/Scripts/script-QualysCreateIncidentFromReport.yml
new file mode 100644
index 000000000000..5a3a0a4e0912
--- /dev/null
+++ b/Scripts/script-QualysCreateIncidentFromReport.yml
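Review bot: The `header` argument is interpolated into the markup unescaped (the format line is mangled in this rendering, but `.format(header,html)` is visible) and the result is emitted with `formats['html']` as-is; because the script is `system: true` and generic, any playbook can pass it arbitrary text, so escape the header with `cgi.escape(header, True)` before formatting, and state in `comment` that `html` is rendered verbatim and is expected to come from a trusted source. `note = True if note == "True" else False` reduces to `note = (note == "True")`, and it silently yields `False` for any other spelling such as `true`; that is worth saying in the `markAsNote` description since the argument is a free string despite the `predefined` list.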
@@ -0,0 +1,119 @@
+commonfields:
+ id: QualysCreateIncidentFromReport
+ version: -1
+name: QualysCreateIncidentFromReport
+script: |-
+ import json
+ incident_type = demisto.get(demisto.args(), 'incidentType')
+ if not incident_type:
+ incident_type = "Vulnerability"
+
+ max_file_size = demisto.get(demisto.args(), 'maxFileSize')
+ if max_file_size:
+ max_file_size = int(max_file_size)
+ else:
+ max_file_size = 1024**2
+
+ min_severity = demisto.get(demisto.args(), 'minSeverity') or 1
+ min_severity = int(min_severity)
+
+ res = demisto.executeCommand('getFilePath', {'id': demisto.args()['entryID']})
+ with open(res[0]['Contents']['path'], 'r') as f:
+ data = f.read(max_file_size).decode('unicode_escape').encode('utf-8')
+ if data:
+ report = json.loads(xml2json(data))
+
+ generation_date = demisto.get(report, "ASSET_DATA_REPORT.HEADER.GENERATION_DATETIME")
+
+ #Get asset list
+ asset_list = demisto.get(report, "ASSET_DATA_REPORT.HOST_LIST.HOST")
+ if not asset_list:
+ demisto.results( { "Type" : entryTypes["note"], "ContentsFormat" : formats["text"], "Contents" : 'No vulnerable assets were found' } )
+ sys.exit(0)
+ if not isinstance(asset_list, list):
+ asset_list = [asset_list]
+
+ # Get QIDs only if over relevant severity
+ general_vulnerabilities = argToList(demisto.get(report, "ASSET_DATA_REPORT.GLOSSARY.VULN_DETAILS_LIST.VULN_DETAILS"))
+ if not isinstance(general_vulnerabilities, list):
+ general_vulnerabilities = [general_vulnerabilities]
+
+ qid_severity = [demisto.get(vulnerability,"QID.#text") for vulnerability in general_vulnerabilities if demisto.get(vulnerability,'SEVERITY') and (int(demisto.get(vulnerability,'SEVERITY')) >= min_severity)]
+
+ for asset in asset_list:
+ # Get Asset ID from Qualys
+ ip = demisto.get(asset,"IP")
+ if not ip:
+ demisto.results( { "Type" : entryTypes["error"], "ContentsFormat" : formats["text"], "Contents" : 'No IP was found for asset {0}'.format(str(asset)) } )
+ sys.exit(0)
+
+ resp = 
demisto.executeCommand("qualys-host-list", {"ips": ip})
+ if isError(resp[0]):
+ demisto.results(resp)
+ sys.exit(0)
+
+ asset_id = demisto.get(resp[0],'Contents.HOST_LIST_OUTPUT.RESPONSE.HOST_LIST.HOST.ID')
+ if not asset_id:
+ demisto.results( { "Type" : entryTypes["error"], "ContentsFormat" : formats["text"], "Contents" : 'No ID was found for asset {0}'.format(str(asset)) } )
+ sys.exit(0)
+
+ # Get Asset vulnerability list
+ vulnerabilities = argToList(demisto.get(asset, "VULN_INFO_LIST.VULN_INFO"))
+ if not isinstance(vulnerabilities, list):
+ vulnerabilities = [vulnerabilities]
+
+ qids = map(lambda vulnerability : demisto.get(vulnerability,"QID.#text"), vulnerabilities)
+
+ qids = list(set(qids) & set(qid_severity))
+
+ for qid in qids:
+ resp = demisto.executeCommand("getIncidents", {"query" : "vendorid: {0} and assetid: {1} and --status:Closed".format(qid,asset_id)})
+ if isError(resp[0]):
+ demisto.results(resp)
+ sys.exit(0)
+
+ incident_number = demisto.get(resp[0],"Contents.total")
+
+ try:
+ incident_number = int(incident_number)
+ except:
+ demisto.results( { "Type" : entryTypes["error"], "ContentsFormat" : formats["text"], "Contents" : 'Error whild searching the incident repository' } )
+ sys.exit(0)
+
+ if incident_number == 0:
+ #Create incident
+ demisto.executeCommand("createNewIncident", {"name": "Vulnerability - Asset {0} QID {1} - {2}".format(asset_id,qid,generation_date),
+ "vendorid" : str(qid),
+ "type": incident_type,
+ "assetid" : str(asset_id)
+ })
+
+ demisto.results("Done.")
+ else:
+ demisto.results( { "Type" : entryTypes["error"], "ContentsFormat" : formats["text"], "Contents" : 'No data could be read.' } )()
+type: python
+tags:
+- qualys
+comment: |-
+ Create incidents from a Qualys report (XML), based on the Qualys asset ID and vulnerability ID (QID).
+ Duplicate incidents are not created for the same asset ID and QID.
+system: true
+args:
+- name: entryID
+ required: true
+ description: War room entryID of the XML report.
+- name: maxFileSize
+ description: Maximum file size to load, in bytes. Default is 1024 KB.
+- name: minSeverity
+ auto: PREDEFINED
+ predefined:
+ - "1"
+ - "2"
+ - "3"
+ - "4"
+ - "5"
+ description: The minimum Qualys severity to create incidents for.
+- name: incidentType
+ description: The incident type to create incidents for. Default is "Vulnerability".
+scripttarget: 0
+runonce: false
diff --git a/TestPlaybooks/playbook-CVE_Enrichment_-_Generic_-_Test.yml b/TestPlaybooks/playbook-CVE_Enrichment_-_Generic_-_Test.yml
new file mode 100644
index 000000000000..1b0cae6b1233
--- /dev/null
+++ b/TestPlaybooks/playbook-CVE_Enrichment_-_Generic_-_Test.yml
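Review bot: The fallback branch at the end of the script, `demisto.results( { … 'No data could be read.' } )()`, has a stray `()` that calls the return value of `demisto.results`, so an empty report raises a TypeError instead of producing the intended error entry; drop the trailing parentheses. The `getIncidents` query is assembled by string formatting with `qid` and `asset_id` taken from the parsed report and the `qualys-host-list` response, so a non-numeric value there changes the meaning of the duplicate-check query; validating both with `str(qid).isdigit()` and `str(asset_id).isdigit()` before the `.format(qid,asset_id)` keeps the lookup to the intended ids. The bare `except:` around `int(incident_number)` should be `except (TypeError, ValueError):`, and its message `'Error whild searching the incident repository'` has a typo (`while`). `f.read(max_file_size)` silently truncates larger reports, which then fail inside `xml2json` with an unrelated parse error; reading one extra byte and reporting that the report exceeds `maxFileSize` would make that failure explicit.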
@@ -0,0 +1,145 @@
+id: cve_enrichment_-_generic_-_test
+version: -1
+name: CVE Enrichment - Generic - Test
+fromversion: 3.6.0
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 919accd1-fe51-4921-8aa2-4b6406591252
+ type: start
+ task:
+ id: 919accd1-fe51-4921-8aa2-4b6406591252
+ version: -1
+ name: ""
+ description: ""
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "1"
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 50
+ }
+ }
+ "1":
+ id: "1"
+ taskid: 3e4f00e5-d358-4059-8f17-96c20f5a2388
+ type: regular
+ task:
+ id: 3e4f00e5-d358-4059-8f17-96c20f5a2388
+ version: -1
+ name: Set CVE
+ description: ""
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "2"
+ scriptarguments:
+ append: {}
+ key:
+ simple: CVE.ID
+ value:
+ simple: CVE-2013-2566
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 195
+ }
+ }
+ "2":
+ id: "2"
+ taskid: 0c99df3b-66b6-4aa5-89b9-b619b2d8a54d
+ type: playbook
+ task:
+ id: 0c99df3b-66b6-4aa5-89b9-b619b2d8a54d
+ version: -1
+ name: CVE Enrichment - Generic
+ description: ""
+ playbookName: CVE Enrichment - Generic
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "3"
+ separatecontext: true
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 370
+ }
+ }
+ "3":
+ id: "3"
+ taskid: ea6d15cd-ec2c-4d1e-827f-c00e64e401d6
+ type: regular
+ task:
+ id: ea6d15cd-ec2c-4d1e-827f-c00e64e401d6
+ version: -1
+ name: Verify
+ description: ""
+ scriptName: VerifyContext
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "4"
+ scriptarguments:
+ expectedValue: {}
+ fields: {}
+ path:
+ simple: CVE.CVSS
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 545
+ }
+ }
+ "4":
+ id: "4"
+ taskid: 23bf7baa-7431-4835-819e-2d9ce96ad057
+ type: title
+ task:
+ id: 23bf7baa-7431-4835-819e-2d9ce96ad057
+ version: -1
+ name: Done
+ description: ""
+ type: title
+ iscommand: false
+ brand: ""
+ separatecontext: false
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 720
+ }
+ }
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 735,
+ "width": 380,
+ "x": 50,
+ "y": 50
+ }
+ }
+ }
+inputs: []
+outputs: []
diff --git a/Tests/conf.json b/Tests/conf.json
index f3cde6d08bfe..130b02f2d851 100644
--- a/Tests/conf.json
+++ b/Tests/conf.json
@@ -2,6 +2,10 @@
 "testTimeout": 160,
 "testInterval": 20,
 "tests": [
+ {
+ "integrations": "CVE Search",
+ "playbookID": "cve_enrichment_-_generic_-_test"
+ },
 {
 "playbookID": "test_url_regex"
 },