diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership.yml index 42ef3fe184cd..2fad0d1985ea 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership.yml +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership.yml 
@@ -1,121 +1,129 @@ -description: Identifies and recommends the most likely owners of the service, additionally citing an explanation and ranking score for each. id: Cortex ASM - Service Ownership -inputs: [] +version: -1 name: Cortex ASM - Service Ownership -outputs: [] +description: Identifies and recommends the most likely owners of the service, additionally citing an explanation and ranking score for each. starttaskid: "0" tasks: "0": id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "7" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: true + taskid: 57e985be-0db1-4244-832b-b27213d31989 + type: start task: - brand: "" - id: 7d8acddf-5ee0-460f-8fef-2d0d24385bcb - iscommand: false - name: "" + id: 57e985be-0db1-4244-832b-b27213d31989 version: -1 + name: "" + iscommand: false + brand: "" description: '' - taskid: 7d8acddf-5ee0-460f-8fef-2d0d24385bcb - timertriggers: [] - type: start + nexttasks: + '#none#': + - "9" + separatecontext: false + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 190 + "x": 280, + "y": -170 } } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "2": + id: "2" + taskid: 911821d8-f053-4873-8384-d08acd8bbb6d + type: condition + task: + id: 911821d8-f053-4873-8384-d08acd8bbb6d + version: -1 + name: Is service account defined? + description: Determine whether a service account was included among the potential service owners. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "4" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: isNotEmpty + left: value: complex: + root: alert.asmserviceowner filters: - - - left: - iscontext: true + - - operator: startWith + left: value: simple: alert.asmserviceowner.Source - operator: startWith + iscontext: true right: value: simple: Service account on instance - root: alert.asmserviceowner - operator: isNotEmpty + iscontext: true right: value: {} - label: "yes" - id: "2" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "6" - "yes": - - "4" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: true - task: - brand: "" - description: Determine whether a service account was included among the potential service owners. - id: 36af0f89-236c-4d42-8d0d-62adedcfd283 - iscommand: false - name: Is service account defined? - type: condition - version: -1 - taskid: 36af0f89-236c-4d42-8d0d-62adedcfd283 - timertriggers: [] - type: condition + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 520 + "x": 400, + "y": 630 } } - "4": - id: "4" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 4a61e141-236d-4725-8abb-9e8b143943f4 + type: regular + task: + id: 4a61e141-236d-4725-8abb-9e8b143943f4 + version: -1 + name: Lookup project owner + description: Retrieves the IAM access control policy for the specified project. 
+ script: GCP-IAM|||gcp-iam-project-iam-policy-get + type: regular + iscommand: true + brand: GCP-IAM nexttasks: '#none#': - "8" - note: false - quietmode: 0 scriptarguments: project_name: complex: + root: alert.asmserviceowner filters: - - - left: - iscontext: true + - - operator: startWith + left: value: simple: alert.asmserviceowner.Source - operator: startWith + iscontext: true right: value: simple: Service account on instance - root: alert.asmserviceowner transformers: - - args: + - operator: getField + args: field: value: simple: Email - operator: getField - - args: + - operator: RegexExtractAll + args: error_if_no_match: {} ignore_case: {} multi_line: {} 
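Review bot: The service-account owner filter (`root: alert.asmserviceowner` with `Source startWith "Service account on instance"`) is spelled out twice in this hunk, once as the condition of task "2" and again inside `project_name` of task "4", so the enrichment source label must be kept in sync in both places; selecting the matching owner once and reading it from context in the other task would remove that coupling. If more than one owner matches the filter, `getField` on `Email` yields a list and `project_name` receives several values; whether `gcp-iam-project-iam-policy-get` accepts that is not visible here and is worth confirming. The `tasks` mapping and task "4" continue past the end of the hunk.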
@@ -124,44 +132,46 @@ tasks: value: simple: (?<=@)[^\.]+(?=\.iam\.gserviceaccount\.com) unpack_matches: {} - operator: RegexExtractAll - - args: + - operator: concat + args: prefix: value: simple: projects/ suffix: {} - operator: concat separatecontext: false - skipunavailable: true - task: - brand: GCP-IAM - description: Retrieves the IAM access control policy for the specified project. - id: 1fc23625-bec5-4f2e-8fe5-3f51e46c32aa - iscommand: true - name: Lookup project owner - script: GCP-IAM|||gcp-iam-project-iam-policy-get - type: regular - version: -1 - taskid: 1fc23625-bec5-4f2e-8fe5-3f51e46c32aa - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 830 + "x": 410, + "y": 870 } } - "5": - id: "5" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: b5acafc7-f647-4210-881b-13d9d5f252f8 + type: regular + task: + id: b5acafc7-f647-4210-881b-13d9d5f252f8 + version: -1 + name: Add project owner to service owner grid field + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Example of command: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + scriptName: GridFieldSetup + type: regular + iscommand: false + brand: "" nexttasks: '#none#': - "6" - note: false - quietmode: 0 scriptarguments: gridfield: simple: asmserviceowner 
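Review bot: `project_name` in task "4" only gets a value when the owner email matches `(?<=@)[^\.]+(?=\.iam\.gserviceaccount\.com)`, and with `error_if_no_match: {}` left empty a non-matching email passes through silently, so the `concat` step emits `projects/` with nothing useful behind it and the command call fails; with `continueonerrortype: ""` that failure appears to stop the playbook rather than falling back to the ranking step in task "6". Consider a condition that the extracted project is non-empty before task "4", or an error path on task "4" that routes to "6", if the platform version supports one. Task "4" begins in the previous hunk.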
@@ -171,25 +181,25 @@ tasks: simple: n/a val2: complex: - accessor: members + root: GCPIAM.Policy.bindings filters: - - - left: - iscontext: true + - - operator: isEqualString + left: value: simple: GCPIAM.Policy.bindings.role - operator: isEqualString + iscontext: true right: value: simple: roles/owner - root: GCPIAM.Policy.bindings + accessor: members transformers: - - args: + - operator: replace + args: limit: {} replaceWith: {} toReplace: value: simple: 'user:' - operator: replace val3: simple: Owner of GCP project where service account is defined val4: 
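Review bot: The `replace` transformer on `val2` in task "5" strips only the `user:` prefix from `GCPIAM.Policy.bindings.members`, but IAM binding members also carry prefixes such as `serviceAccount:`, `group:` and `domain:`, so any non-user owner is written into the `asmserviceowner` grid with its prefix intact and, for a group or domain, without an individual address. Either add a filter restricting members to those starting with `user:` ahead of the replace, or strip the prefix generically with a regex-based transformer, depending on which member kinds should count as owners. Task "5" begins in the previous hunk and continues after this one.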
@@ -198,69 +208,74 @@ tasks: transformers: - operator: TimeStampToDate separatecontext: false - skipunavailable: false - task: - brand: "" - description: |- - Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Example of command: - `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - id: 00298ed8-f84b-4444-8207-50f3af9ec22d - iscommand: false - name: Add project owner to service owner grid field - script: GridFieldSetup - type: regular - version: -1 - taskid: 00298ed8-f84b-4444-8207-50f3af9ec22d - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 1190 + "x": 410, + "y": 1210 } } - "6": - id: "6" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 2b90887f-a6ba-47a6-875f-622c8285dffc + type: regular + task: + id: 2b90887f-a6ba-47a6-875f-622c8285dffc + version: -1 + name: Normalize and rank likely service owners + description: Recommend most likely service owners from those surfaced by Cortex ASM Enrichment. + scriptName: RankServiceOwners + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "10" scriptarguments: owners: simple: ${alert.asmserviceowner} separatecontext: false - skipunavailable: true - task: - brand: "" - description: Recommend most likely service owners from those surfaced by Cortex ASM Enrichment. 
- id: 7eb4fb8d-14f3-4c09-82ae-6b5893d7f8c4 - iscommand: false - name: Normalize and rank likely service owners - script: RankServiceOwners - type: regular - version: -1 - taskid: 7eb4fb8d-14f3-4c09-82ae-6b5893d7f8c4 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { - "x": 200, - "y": 1420 + "x": 740, + "y": 1380 } } - "7": - id: "7" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 7ca75c22-47ac-40a9-84f2-fc68e43d7d53 + type: regular + task: + id: 7ca75c22-47ac-40a9-84f2-fc68e43d7d53 + version: -1 + name: Back up service owners gridfield + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Example of command: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + scriptName: GridFieldSetup + type: regular + iscommand: false + brand: "" nexttasks: '#none#': - - "2" - note: false - quietmode: 0 + - "12" scriptarguments: gridfield: simple: asmserviceownerunrankedraw 
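Review bot: The `description` of task "7" (and of task "5" in the earlier hunk) is the generic GridFieldSetup boilerplate, including the `gridfiled=` typo in its example, and says nothing about what this step does in the playbook; a task-specific description reads better in the UI, e.g. `description: Back up the unranked owners from alert.asmserviceowner into the asmserviceownerunrankedraw grid field before ranking.` and for task "5" `description: Add the owners of the GCP project that defines the service account to the asmserviceowner grid field.` The `scriptarguments` of task "7" continue into the next hunk.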
@@ -268,114 +283,266 @@ tasks: simple: name,email,source,timestamp val1: complex: - accessor: asmserviceowner root: alert + accessor: asmserviceowner transformers: - - args: + - operator: getField + args: field: value: simple: Name - operator: getField val2: complex: - accessor: asmserviceowner root: alert + accessor: asmserviceowner transformers: - - args: + - operator: getField + args: field: value: simple: Email - operator: getField val3: complex: - accessor: asmserviceowner root: alert + accessor: asmserviceowner transformers: - - args: + - operator: getField + args: field: value: simple: Source - operator: getField val4: complex: - accessor: asmserviceowner root: alert + accessor: asmserviceowner transformers: - - args: + - operator: getField + args: field: value: simple: Timestamp - operator: getField separatecontext: false - skipunavailable: true - task: - brand: "" - description: |- - Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. 
Example of command: - `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - id: beb1aba3-dc17-4cab-8621-3f670166844b - iscommand: false - name: Back up service owners gridfield - script: GridFieldSetup - type: regular - version: -1 - taskid: beb1aba3-dc17-4cab-8621-3f670166844b - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 340 + "x": 460, + "y": 210 } } - "8": - id: "8" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: true + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: b0bddb17-8cec-405c-8441-478959b9e8c4 + type: regular + task: + id: b0bddb17-8cec-405c-8441-478959b9e8c4 + version: -1 + name: Get current time + description: | + Retrieves the current date and time. + scriptName: GetTime + type: regular + iscommand: false + brand: "" nexttasks: '#none#': - "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 410, + "y": 1040 + } + } note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 1bad13f3-b959-46d9-8b56-90282a3afdcf + type: condition + task: + id: 1bad13f3-b959-46d9-8b56-90282a3afdcf + version: -1 + name: Is asmserviceowner populated? + description: Determines if the asmserviceowner field exists and if the common fields within it also exists. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "10" + "yes": + - "7" separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: alert + accessor: asmserviceowner + iscontext: true + right: + value: {} + - - operator: isNotEmpty + left: + value: + complex: + root: alert.asmserviceowner + accessor: Email + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: alert.asmserviceowner + accessor: Name + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: alert.asmserviceowner + accessor: Source + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 280, + "y": 0 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 97716817-0eab-418a-8517-40dc54d22f00 + type: title task: - brand: "" - description: | - Retrieves the current date and time. - id: 9e27252f-1db0-40f8-890c-ab9b816c1579 - iscommand: false - name: Get current time - script: GetTime - type: regular + id: 97716817-0eab-418a-8517-40dc54d22f00 version: -1 - taskid: 9e27252f-1db0-40f8-890c-ab9b816c1579 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 180, + "y": 1600 + } + } + note: false timertriggers: [] - type: regular + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 1e322e1d-faef-420f-81bf-56d3d57eb27d + type: condition + task: + id: 1e322e1d-faef-420f-81bf-56d3d57eb27d + version: -1 + name: Is GCP - IAM enabled? + description: Determines if the GCP-IAM integration instance is configured. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "2" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: GCP-IAM + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + iscontext: true + right: + value: {} + continueonerrortype: "" view: |- { "position": { - "x": 450, - "y": 1010 + "x": 460, + "y": 380 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { - "2_6_#default#": 0.42 + "12_6_#default#": 0.23, + "2_6_#default#": 0.28, + "9_10_#default#": 0.34 }, "paper": { "dimensions": { - "height": 1325, - "width": 630, - "x": 200, - "y": 190 + "height": 1835, + "width": 940, + "x": 180, + "y": -170 } } } -fromversion: 6.5.0 +inputs: [] +outputs: [] tests: - No tests (auto formatted) +fromversion: 6.5.0 diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership_README.md index c0fe32cb204e..8c11712c4b52 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership_README.md +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Service_Ownership_README.md 
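Review bot: The "Is asmserviceowner populated?" condition in task "9" checks `Email`, `Name` and `Source` but not `Timestamp`, although task "7" backs up four columns (`name,email,source,timestamp`) from the same field; if an owner without a timestamp is acceptable it is worth saying so in the task description, otherwise add a fourth `isNotEmpty` group on `accessor: Timestamp`. The first condition group carries `right: value: {}` while the other three omit it; keeping the groups uniform avoids a reader wondering whether the missing `right` is meaningful. The task "9" description also reads `if the common fields within it also exists`, which should be `also exist`. The task "12" gate on `modules.brand` equal to `GCP-IAM` and `modules.state` equal to `active` looks correct for skipping the lookup when no instance is configured.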
@@ -1,30 +1,39 @@ Identifies and recommends the most likely owners of the service, additionally citing an explanation and ranking score for each. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * GCP-IAM ### Scripts + * GetTime * GridFieldSetup * RankServiceOwners ### Commands + * gcp-iam-project-iam-policy-get ## Playbook Inputs + --- There are no inputs for this playbook. ## Playbook Outputs + --- There are no outputs for this playbook. ## Playbook Image + --- -![Cortex ASM - Service Ownership](../doc_files/Cortex_ASM_-_Service_Ownership.png) \ No newline at end of file + +![Cortex ASM - Service Ownership](../doc_files/Cortex_ASM_-_Service_Ownership.png) diff --git a/Packs/CortexAttackSurfaceManagement/README.md b/Packs/CortexAttackSurfaceManagement/README.md index 20cbffc5da25..7d6a8e60062b 100644 --- a/Packs/CortexAttackSurfaceManagement/README.md +++ b/Packs/CortexAttackSurfaceManagement/README.md @@ -76,12 +76,14 @@ The main active response playbook is the `Cortex ASM - ASM Alert` playbook. This - [Cortex ASM - Remediation Guidance](#cortex-asm---remediation-guidance) - [Cortex ASM - Remediation Path Rules](#cortex-asm---remediation-path-rules) - [Cortex ASM - Remediation](#cortex-asm---remediation) + - [Cortex ASM - Service Ownership](#cortex-asm---service-ownership) - [Cortex ASM - ServiceNow CMDB Enrichment](#cortex-asm---servicenow-cmdb-enrichment) - [Cortex ASM - SNMP Check](#cortex-asm---snmp-check) - [Cortex ASM - Splunk Enrichment](#cortex-asm---splunk-enrichment) - [Cortex ASM - Tenable.io Enrichment](#cortex-asm---tenableio-enrichment) - Automation Scripts - [GenerateASMReport](#generateasmreport) + - [RankServiceOwners](#rankserviceowners) - [RemediationPathRuleEvaluation](#remediationpathruleevaluation) - [SnmpDetection](#snmpdetection) 
@@ -133,7 +135,7 @@ Playbook that given the IP address enriches GCP information relevant to ASM aler Playbook that given the IP address enriches Qualys information relevant to ASM alerts. -![Cortex ASM - Qualys Enrichment](https://raw.githubusercontent.com/demisto/content/4a11ae583d49014d5326a74dfde7a998c4ebca70/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Qualys_Enrichment.png) +![Cortex ASM - Qualys Enrichment](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Qualys_Enrichment.png) #### Cortex ASM - Rapid7 Enrichment @@ -159,6 +161,12 @@ Playbook that is used as a container folder for all remediation of ASM alerts. ![Cortex ASM - Remediation](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Remediation.png) +#### Cortex ASM - Service Ownership + +Playbook that identifies and recommends the most likely owners of a given service. + +![Cortex ASM - Remediation](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Service_Ownership.png) + #### Cortex ASM - ServiceNow CMDB Enrichment Playbook that given the IP address enriches ServiceNow CMDB information relevant to ASM alerts. @@ -175,7 +183,7 @@ Playbook that given the IP address checks if SNMP is enabled or not and returns Playbook that given the IP address enriches Splunk information relevant to ASM alerts. -![Cortex ASM - Splunk Enrichment](https://raw.githubusercontent.com/demisto/content/8f2a866b666627cb0c6c7ea860e7f1337b4766b7/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Splunk_Enrichment.png) +![Cortex ASM - Splunk Enrichment](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Splunk_Enrichment.png) #### Cortex ASM - Tenable.io Enrichment 
@@ -199,6 +207,10 @@ This automation identifies whether the service is a "development" server. Develo ![InferWhetherServiceIsDev](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/InferWhetherServiceIsDev.png) +#### RankServiceOwners + +This automation recommends the most likely service owners from those surfaced by Cortex ASM Enrichment and updates content. + #### RemediationPathRuleEvaluation This automation attempts to find a matching remediation path rule based on criteria. If multiple rules match, it will return the most recently created rule. This assumes that the rules passed in are filtered to correlate with the alert's attack surface rule (Xpanse only). diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_6_9.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_6_9.md new file mode 100644 index 000000000000..940b4ac49cd0 --- /dev/null +++ b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_6_9.md @@ -0,0 +1,7 @@ + +#### Playbooks + +##### Cortex ASM - Service Ownership + +- Fixed an issue where service owners were not found. +- Updated the Cortex ASM - Service Ownership playbook to check for GCP IAM integration and for the existence of service owners. diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Service_Ownership.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Service_Ownership.png index c3e23e27cc5d..34d7f2c9e665 100644 Binary files a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Service_Ownership.png and b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Service_Ownership.png differ diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json index 7db82f07de7e..17f1eae32326 100644 --- a/Packs/CortexAttackSurfaceManagement/pack_metadata.json +++ b/Packs/CortexAttackSurfaceManagement/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Cortex Attack Surface Management", "description": "Content for working with Attack Surface Management (ASM).", "support": "xsoar", - "currentVersion": "1.6.8", + "currentVersion": "1.6.9", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",