Malware fixes v3

Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml

@@ -443,7 +443,7 @@ tasks:
       description: Checks whether given entries returned an error. Use ${lastCompletedTaskEntries} to check the previous task entries. If an array is provided, returns 'yes' if one of the entries returned an error.
       id: ad8f236e-56eb-4e7a-8e03-3f98b22f7fe3
       iscommand: false
-      name: Check if we have more than 1 item
+      name: Is there only one endpoint?
       scriptName: isError
       type: condition
       version: -1
@@ -525,9 +525,7 @@ tasks:
       grid_id:
         simple: alertsandrelatedinfo
       keys:
-        simple: alert_id,host_name,actor_process_image_name,actor_process_os_pid,actor_process_image_sha256,actor_process_command_line,causality_actor_process_image_name
-      sort_by:
-        simple: MicrosoftATP.Alert.Evidence.[0].processCommandLine
+        simple: name,host_name,actor_process_image_name,actor_process_os_pid,actor_process_image_sha256,actor_process_command_line,causality_actor_process_image_name
     separatecontext: false
     skipunavailable: false
     task:
@@ -867,7 +865,33 @@ tasks:
       - "14"
     scriptarguments:
       accountmemberof:
-        simple: ${Account.Groups}
+        complex:
+          root: Account
+          accessor: Groups
+          transformers:
+          - operator: uniq
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith:
+                value:
+                  simple: /
+              toReplace:
+                value:
+                  simple: ','
+          - operator: concat
+            args:
+              prefix:
+                value:
+                  simple: '"'
+              suffix:
+                value:
+                  simple: '"'
+          - operator: join
+            args:
+              separator:
+                value:
+                  simple: ','
       accountname:
         complex:
           root: Account

Packs/CortexXDR/ReleaseNotes/4_9_11.md

@@ -0,0 +1,3 @@
+#### Playbooks
+##### Cortex XDR Malware - Incident Enrichment
+Fixed an issue with setting up account groups information in the layout.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "4.9.10",
+    "currentVersion": "4.9.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_True_Positive_Incident_Handling.yml

@@ -644,7 +644,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 2050,
+          "x": 2020,
           "y": 510
         }
       }
@@ -675,7 +675,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1810,
+          "x": 1780,
           "y": -140
         }
       }
@@ -706,7 +706,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1810,
+          "x": 1780,
           "y": 145
         }
       }
@@ -777,7 +777,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1810,
+          "x": 1780,
           "y": 920
         }
       }
@@ -796,7 +796,7 @@ tasks:
     task:
       id: e8f22502-f0dd-4c13-899a-9f94b25f38b3
       version: -1
-      name: CrowdStrike Falcon - Isolate Endpoint
+      name: Crowdstrike Falcon - Isolate Endpoint
       description: This playbook auto isolates endpoints by the device ID provided in the playbook.
       playbookName: Crowdstrike Falcon - Isolate Endpoint
       type: playbook
@@ -817,8 +817,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 550,
-          "y": 330
+          "x": 300,
+          "y": 510
         }
       }
     note: false
@@ -874,7 +874,7 @@ tasks:
       description: Is auto isolation allowed?
     nexttasks:
       '#default#':
-      - '31'
+      - "64"
       yes:
       - '28'
     separatecontext: false
@@ -1228,7 +1228,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1810,
+          "x": 1780,
           "y": 315
         }
       }
@@ -1798,6 +1798,57 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "64":
+    id: "64"
+    taskid: a9e3db15-a7f5-460a-8a50-57ea9fbc56ee
+    type: condition
+    task:
+      id: a9e3db15-a7f5-460a-8a50-57ea9fbc56ee
+      version: -1
+      name: Approve isolation
+      description: Approve isolation
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "31"
+      "Yes":
+      - "28"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 520,
+          "y": 320
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    message:
+      to:
+      subject:
+      body:
+        simple: Approve isolation
+      methods: []
+      format: ""
+      bcc:
+      cc:
+      timings:
+        retriescount: 2
+        retriesinterval: 360
+        completeafterreplies: 1
+        completeafterv2: true
+        completeaftersla: false
+      replyOptions:
+      - "Yes"
+      - "No"
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {
@@ -1806,7 +1857,7 @@ view: |-
     "paper": {
       "dimensions": {
         "height": 3145,
-        "width": 2790,
+        "width": 2760,
         "x": -360,
         "y": -1540
       }

Packs/CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_Malware_-_Incident_Enrichment.yml

@@ -860,7 +860,33 @@ tasks:
       - "11"
     scriptarguments:
       accountmemberof:
-        simple: ${Account.Groups}
+        complex:
+          root: Account
+          accessor: Groups
+          transformers:
+          - operator: uniq
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith:
+                value:
+                  simple: /
+              toReplace:
+                value:
+                  simple: ','
+          - operator: concat
+            args:
+              prefix:
+                value:
+                  simple: '"'
+              suffix:
+                value:
+                  simple: '"'
+          - operator: join
+            args:
+              separator:
+                value:
+                  simple: ','
       accountname:
         complex:
           root: Account

Packs/CrowdStrikeFalcon/ReleaseNotes/1_9_17.md

@@ -0,0 +1,5 @@
+#### Playbooks
+##### CrowdStrike Falcon Malware - Incident Enrichment
+Fixed an issue with setting up account groups information in the layout.
+##### CrowdStrike Falcon - True Positive Incident Handling
+Added manual approving for endpoint isolation flow.

Packs/CrowdStrikeFalcon/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "CrowdStrike Falcon",
     "description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.",
     "support": "xsoar",
-    "currentVersion": "1.9.16",
+    "currentVersion": "1.9.17",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Host_Advanced_Hunting.yml

@@ -1280,7 +1280,7 @@ tasks:
       - "94"
     scriptarguments:
       extend-context:
-        simple: customQueries
+        simple: MicrosoftATP.Hunt.Result.customQueries=
       query_batch:
         complex:
           root: inputs.QueryBatch

Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_Malware_-_Incident_Enrichment.yml

@@ -1336,7 +1336,33 @@ tasks:
       - "16"
     scriptarguments:
       accountmemberof:
-        simple: ${Account.Groups}
+        complex:
+          root: Account
+          accessor: Groups
+          transformers:
+          - operator: uniq
+          - operator: replace
+            args:
+              limit: {}
+              replaceWith:
+                value:
+                  simple: /
+              toReplace:
+                value:
+                  simple: ','
+          - operator: concat
+            args:
+              prefix:
+                value:
+                  simple: '"'
+              suffix:
+                value:
+                  simple: '"'
+          - operator: join
+            args:
+              separator:
+                value:
+                  simple: ','
       accountname:
         complex:
           root: Account

Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_14_8.md

@@ -0,0 +1,6 @@
+
+#### Playbooks
+##### MDE - Host Advanced Hunting
+Fixed tagging issue with returned results from Custom batch queries flow.
+##### MDE Malware - Incident Enrichment
+Fixed an issue with setting up account groups information in the layout.

Packs/MicrosoftDefenderAdvancedThreatProtection/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Microsoft Defender for Endpoint",
     "description": "Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.",
     "support": "xsoar",
-    "currentVersion": "1.14.7",
+    "currentVersion": "1.14.8",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",