diff --git a/Packs/CommonTypes/.pack-ignore b/Packs/CommonTypes/.pack-ignore
index 3c373863cf31..9fc12acb9194 100644
--- a/Packs/CommonTypes/.pack-ignore
+++ b/Packs/CommonTypes/.pack-ignore
@@ -327,6 +327,12 @@ ignore=IF100
 [file:incidentfield-Original_Events.json]
 ignore=IF100
+[file:incidentfield-Failed_Logon_Events.json]
+ignore=IF100
+
+[file:incidentfield-Failed_Logon_Events_Timeframe.json]
+ignore=IF100
+
 [file:classifier-Mail-listener.json]
 ignore=BA101
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Failed_Logon_Events.json b/Packs/CommonTypes/IncidentFields/incidentfield-Failed_Logon_Events.json
new file mode 100644
index 000000000000..fd1151327d54
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Failed_Logon_Events.json
@@ -0,0 +1,29 @@
+{
+ "id": "incident_failedlogonevents",
+ "version": -1,
+ "modified": "2023-06-13T21:19:00.853901858Z",
+ "name": "Failed Logon Events",
+ "ownerOnly": false,
+ "description": "The number of failed logon events in a specific timeframe. Can be used with reference to the \"Failed Logon Events Timeframe\" field.",
+ "cliName": "failedlogonevents",
+ "type": "number",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedToAll": true,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Failed_Logon_Events_Timeframe.json b/Packs/CommonTypes/IncidentFields/incidentfield-Failed_Logon_Events_Timeframe.json
new file mode 100644
index 000000000000..8bc10501266e
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Failed_Logon_Events_Timeframe.json
@@ -0,0 +1,29 @@
+{
+ "id": "incident_failedlogoneventstimeframe",
+ "version": -1,
+ "modified": "2023-06-13T21:20:01.302001465Z",
+ "name": "Failed Logon Events Timeframe",
+ "ownerOnly": false,
+ "description": "The timeframe which the failed logon events occurred in.",
+ "cliName": "failedlogoneventstimeframe",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedToAll": true,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-User_Groups.json b/Packs/CommonTypes/IncidentFields/incidentfield-User_Groups.json
new file mode 100644
index 000000000000..300b71bd1099
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-User_Groups.json
@@ -0,0 +1,31 @@
+{
+ "id": "incident_usergroups",
+ "version": -1,
+ "modified": "2023-06-13T21:36:13.191337431Z",
+ "name": "User Groups",
+ "ownerOnly": false,
+ "cliName": "usergroups",
+ "type": "multiSelect",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": true,
+ "associatedTypes": [
+ "Data Loss Prevention"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_77.md b/Packs/CommonTypes/ReleaseNotes/3_3_77.md
new file mode 100644
index 000000000000..6fd688136ecc
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_3_77.md
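Review bot: The new `incidentfield-User_Groups.json` is the only one of the three CommonTypes fields in this commit with no `description` key; Failed Logon Events and Failed Logon Events Timeframe both document what they hold, while `usergroups` — which the new DLP layout shows in its User Enrichment section — will appear undocumented to analysts and to anyone mapping it. Add an entry after `"ownerOnly": false,` of the form `"description": "<what the field lists — take the wording from whatever populates it>",`. This file also sets `"openEnded": true` where the other two new fields set `false`; if that is intended for a multiSelect it is fine, but worth a word in the release notes since the other two differ.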
@@ -0,0 +1,6 @@
+
+#### Incident Fields
+
+- New: **Failed Logon Events Timeframe**
+- New: **User Groups**
+- New: **Failed Logon Events**
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index a31f8c3846cd..194968673b37 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Types",
 "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
 "support": "xsoar",
- "currentVersion": "3.3.76",
+ "currentVersion": "3.3.77",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/.pack-ignore b/Packs/Palo_Alto_Networks_Enterprise_DLP/.pack-ignore
index 17ccb2cdfbd9..bf5045193d3e 100644
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/.pack-ignore
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/.pack-ignore
@@ -4,6 +4,8 @@ ignore=PA125
 [file:Palo_Alto_Networks_Enterprise_DLP.yml]
 ignore=BA108,BA109,IN145
-
 [file:Palo_Alto_Networks_Enterprise_DLP_image.png]
-ignore=IM111
\ No newline at end of file
+ignore=IM111
+
+[file:DLP_Incident_Feedback_Loop_6_8.yml]
+ignore=PB106
\ No newline at end of file
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/.secrets-ignore b/Packs/Palo_Alto_Networks_Enterprise_DLP/.secrets-ignore
index e69de29bb2d1..c940d56ddcc9 100644
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/.secrets-ignore
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/.secrets-ignore
@@ -0,0 +1 @@
+SailPoint
\ No newline at end of file
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/IncidentFields/incidentfield-DLP-Detections.json b/Packs/Palo_Alto_Networks_Enterprise_DLP/IncidentFields/incidentfield-DLP-Detections.json
new file mode 100644
index 000000000000..b5452758b8a4
--- /dev/null
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/IncidentFields/incidentfield-DLP-Detections.json
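Review bot: The `.secrets-ignore` hunk adds the bare word `SailPoint` to the pack's secret-detection allow-list, but nothing in this diff shows which file tripped the scanner on it; the new `DLP_Incident_Feedback_Loop_6_8.yml` playbook is the likely source, though its body is only partly visible here. An allow-list entry suppresses the check for that string in every file of the pack, so the PR description or release notes should name the file and say why the match is a false positive, and the entry should be kept as narrow as the scanner allows. The file is also written without a trailing newline (`\ No newline at end of file`), so the next entry added will produce a noisier diff.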
@@ -0,0 +1,32 @@
+{
+ "id": "incident_dlpdetections",
+ "version": -1,
+ "modified": "2023-06-21T06:56:52.858570445Z",
+ "name": "DLP Detections",
+ "ownerOnly": false,
+ "description": "Detected violations snippets.",
+ "cliName": "dlpdetections",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "Data Loss Prevention"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.py b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.py
index 8a28b589e7bb..fd407c0336ad 100644
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.py
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.py
@@ -43,6 +43,7 @@ class FeedbackStatus(Enum):
 EXCEPTION_GRANTED = 'EXCEPTION_GRANTED'
 EXCEPTION_NOT_REQUESTED = 'EXCEPTION_NOT_REQUESTED'
 SEND_NOTIFICATION_FAILURE = 'SEND_NOTIFICATION_FAILURE'
+ EXCEPTION_DENIED = 'EXCEPTION_DENIED'
 class Client(BaseClient):
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.yml
index d18bbcf024ac..54dc98878fe9 100755
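Review bot: The `description` of the new `dlpdetections` field, `"Detected violations snippets."`, does not say that the value is content excerpted from the data that triggered the DLP incident — the field may therefore hold the sensitive data itself — which is exactly what an admin deciding on field visibility, exports or retention needs to know. `"unsearchable": true` is set, which is the right choice for such a field, but the reason should be stated; for example `"description": "Snippets of the detected violations returned with the DLP report; may contain the sensitive content that triggered the incident.",` — the new layout's Detections section describes the same source ("In case a report was retrieved, the detections returned will show up here."). Whether `shortText` is wide enough for several snippets cannot be judged from this diff.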
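Review bot: `EXCEPTION_DENIED` is appended after `SEND_NOTIFICATION_FAILURE` instead of next to the other `EXCEPTION_*` members, and the yml `predefined` list and the README table repeat the same ordering; placing `EXCEPTION_DENIED = 'EXCEPTION_DENIED'` directly after `EXCEPTION_GRANTED = 'EXCEPTION_GRANTED'` keeps the exception states readable as a group. The `FeedbackStatus` class starts outside the hunk, and any code in this module that branches on the feedback value (the README says `report_id` and `dlp_channel` are needed only for granting exemptions) is not visible here, so confirm a denied exception needs no dedicated handling on that path.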
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.yml
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP.yml
@@ -41,7 +41,7 @@ configuration:
 type: 12
 required: false
 additionalinfo: The message to send to the user to ask for feedback.
- defaultvalue: Hi $userđź””, \n\n*We need your feedback:* \n\nYour upload of *$file_name* on *$app_name* was blocked due to company policy. This file contains sensitive information which violates *$data_profile_name* policy. \n\n $snippets\n\n
+ defaultvalue: Hi $userđź””, \n\n*We need your feedback:* \n\nYour activity on *$app_name* was blocked due to company policy. The data in this activity contains sensitive information which violates *$data_profile_name* policy.\n\nfilename - *$file_name* \n\n $snippets\n\n
 - display: Fetch incidents
 name: isFetch
 type: 8
@@ -94,6 +94,7 @@ script:
 - EXCEPTION_NOT_REQUESTED
 - OPERATIONAL_ERROR
 - SEND_NOTIFICATION_FAILURE
+ - EXCEPTION_DENIED
 description: The user feedback
 - name: user_id
 required: true
@@ -141,7 +142,7 @@ script:
 description: The snippets of the violation.
 - name: app_name
 required: true
- description: The name of the application that performed the upload.
+ description: The name of the application that performed the activity.
 outputs:
 - contextPath: DLP.slack_message
 description: The Slack bot message.
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP_description.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP_description.md
new file mode 100644
index 000000000000..568f6176bc9d
--- /dev/null
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/Palo_Alto_Networks_Enterprise_DLP_description.md
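Review bot: The new `defaultvalue` message prints `filename - *$file_name*` unconditionally while its wording now covers any "activity", and `file_name` remains a required argument of `pan-dlp-slack-message` in this commit's README hunk; for an activity with no file the recipient will see an empty or placeholder filename, so either the default text should read correctly without a file or the README should state that `file_name` is still mandatory for non-file activity. Both the removed and the added line also carry `đź””` right after `$user`, which looks like a mis-encoded emoji; if that byte sequence is really in the file rather than an artifact of this page, the rewritten line is the place to replace it with the intended character. The enclosing `configuration:` list starts outside the hunk.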
@@ -0,0 +1,9 @@
+## Palo Alto Networks Enterprise DLP
+Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.
+
+### Authentication
+There are 2 methods to authenticate.
+1. Use Enterprise DLP API **Access Token** and **Refresh Token**.
+2. Use Cortex XSOAR's credentials store with a **Client ID** and **Client Secret** as the `username` and `password` in case you are using Enterprise DLP through a SASE platform.
+
+For more information on how to create the above credentials, see [the documentation](https://docs.paloaltonetworks.com/enterprise-dlp/enterprise-dlp-admin/configure-enterprise-dlp/configure-exact-data-matching/configure-connectivity-to-the-dlp-cloud-service).
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/README.md
index ad2b40604ffb..5a796cd8a4e9 100644
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/README.md
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Integrations/Palo_Alto_Networks_Enterprise_DLP/README.md
@@ -60,15 +60,15 @@ Updates a DLP incident with user feedback. `pan-dlp-update-incident` #### Input -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| incident_id | The ID of the incident to update. | Required | -| feedback | The user feedback. Possible values are: PENDING_RESPONSE, CONFIRMED_SENSITIVE, CONFIRMED_FALSE_POSITIVE, EXCEPTION_REQUESTED, EXCEPTION_GRANTED, EXCEPTION_NOT_REQUESTED, OPERATIONAL_ERROR, SEND_NOTIFICATION_FAILURE. | Required | -| user_id | The ID of the user the feedback is collected from. | Required | -| region | The region where the incident originated. | Optional | -| report_id | The DLP report ID, needed only for granting exemptions. | Optional | -| dlp_channel | The DLP channel, needed only for granting exemptions. | Optional | -| error_details | Error details if status is SEND_NOTIFICATION_FAILURE. | Optional | +| **Argument Name** | **Description** | **Required** | +| --- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- | +| incident_id | The ID of the incident to update. | Required | +| feedback | The user feedback. Possible values are: PENDING_RESPONSE, CONFIRMED_SENSITIVE, CONFIRMED_FALSE_POSITIVE, EXCEPTION_REQUESTED, EXCEPTION_GRANTED, EXCEPTION_NOT_REQUESTED, OPERATIONAL_ERROR, SEND_NOTIFICATION_FAILURE, EXCEPTION_DENIED. | Required | +| user_id | The ID of the user the feedback is collected from. | Required | +| region | The region where the incident originated. | Optional | +| report_id | The DLP report ID, needed only for granting exemptions. | Optional | +| dlp_channel | The DLP channel, needed only for granting exemptions. | Optional | +| error_details | Error details if status is SEND_NOTIFICATION_FAILURE. | Optional | #### Context Output 
@@ -109,13 +109,13 @@ Gets the Slack bot message to send to the user for gathering feedback.
 `pan-dlp-slack-message`
 #### Input
-| **Argument Name** | **Description** | **Required** |
-| --- | --- | --- |
-| user | The name of the user that receives this message. | Required |
-| file_name | The name of the file that triggered the incident. | Required |
-| data_profile_name | The data profile name associated with the incident. | Required |
-| snippets | The snippets of the violation. | Optional |
-| app_name | The name of the application that performed the upload. | Required |
+| **Argument Name** | **Description** | **Required** |
+| --- |----------------------------------------------------------| --- |
+| user | The name of the user that receives this message. | Required |
+| file_name | The name of the file that triggered the incident. | Required |
+| data_profile_name | The data profile name associated with the incident. | Required |
+| snippets | The snippets of the violation. | Optional |
+| app_name | The name of the application that performed the activity. | Required |
 #### Context Output
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention.json b/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention.json
index 4ad2af5b33be..4f6329ba2d43 100644
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention.json
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention.json
@@ -393,6 +393,7 @@
 "name": "Palo Alto Networks Enterprise DLP Incident Layout",
 "system": false,
 "fromVersion": "6.0.0",
+ "toVersion": "6.7.9",
 "version": -1,
 "description": "",
 "marketplaces": ["xsoar"]
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention_6_8.json b/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention_6_8.json
new file mode 100644
index 000000000000..59f98277ab16
--- /dev/null
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Layouts/layoutscontainer-Data_Loss_Prevention_6_8.json
@@ -0,0 +1,474 @@ +{ + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 3, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "app", + "height": 22, + "id": "4178f580-a483-11ec-b2d5-1766fa1e8878", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "filename", + "height": 22, + "id": "a8dcd3b0-8848-11ec-942a-13db467db92a", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "pandlptenantid", + "height": 22, + "id": "c26efaf0-b053-11ec-85b4-9bec70cb1be4", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "pandlpdataprofilename", + "height": 22, + "id": "ca39ea10-b053-11ec-85b4-9bec70cb1be4", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "pandlpreportid", + "height": 22, + "id": "d1d76090-b053-11ec-85b4-9bec70cb1be4", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "pandlpchannel", + "height": 22, + "id": "e35efcb0-b053-11ec-85b4-9bec70cb1be4", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "pandlpincidentid", + "height": 22, + "id": "dafb1000-0dc1-11ee-89ae-13d2a7377956", + "index": 9, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "filesha256", + "height": 22, + "id": "85c04190-0dc2-11ee-89ae-13d2a7377956", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "displayType": "ROW", + "h": 3, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 2, + "x": 1, + "y": 7 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 3, + "x": 0, + "y": 5 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 53, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 53, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 53, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "dbotcreated", + "height": 53, + "id": "incident-created-field", + "index": 0, + "listId": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "sectionItemType": "field", + "startCol": 1 + }, + { + 
"dropEffect": "move", + "endCol": 2, + "fieldId": "dbotclosed", + "height": 53, + "id": "incident-closed-field", + "index": 1, + "listId": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 3 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 7 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-246f2100-e2c9-11ed-b2df-c75bb402add1", + "items": [ + { + "endCol": 2, + "fieldId": "sourceusername", + "height": 22, + "id": "03cb7510-e2ca-11ed-b2df-c75bb402add1", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "employeeemail", + "height": 22, + "id": "17a0d1c0-e2ca-11ed-b2df-c75bb402add1", + "index": 1, + "listId": "caseinfoid-246f2100-e2c9-11ed-b2df-c75bb402add1", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "employeedisplayname", + "height": 22, + "id": "19f214c0-e2ca-11ed-b2df-c75bb402add1", + "index": 2, + "listId": "caseinfoid-246f2100-e2c9-11ed-b2df-c75bb402add1", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "manageremailaddress", + "height": 22, + "id": "0823aba0-e2ca-11ed-b2df-c75bb402add1", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "managername", + "height": 22, + "id": "1e3822e0-e2ca-11ed-b2df-c75bb402add1", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "usergroups", + "height": 22, + "id": "534315d0-e2ca-11ed-bbfe-a5f57e2755c8", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "failedlogonevents", + "height": 22, + "id": "890e38f0-0a31-11ee-9fb5-05d0af7f266d", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "failedlogoneventstimeframe", + "height": 22, + "id": "8ad7d560-0a31-11ee-9fb5-05d0af7f266d", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "User Enrichment", + "static": false, + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "CARD", + "h": 2, + "hideName": false, + "i": "caseinfoid-125fd170-0dc2-11ee-89ae-13d2a7377956", + "items": [ + { + "dropEffect": "move", + "endCol": 1, + "fieldId": "pandlpincidentfeedback", + "height": 53, + "id": "2bac6940-0dc2-11ee-89ae-13d2a7377956", + "index": 0, + "listId": "caseinfoid-125fd170-0dc2-11ee-89ae-13d2a7377956", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "approver", + "height": 53, + "id": "396bb2c0-0dc2-11ee-89ae-13d2a7377956", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Feedback and Approvals", + "static": false, + "w": 1, + "x": 1, + "y": 3 + }, + { + "description": "In case a report was retrieved, the detections returned will show up here.", + "displayType": "CARD", + "h": 2, + "hideName": true, + "i": "caseinfoid-2881be60-1000-11ee-89bc-77346ac9432f", + "items": [ + { + "endCol": 2, + "fieldId": 
"dlpdetections", + "height": 22, + "id": "db01d980-1000-11ee-94e7-1bd73e4d63bf", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Detections", + "static": false, + "w": 1, + "x": 2, + "y": 3 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "Palo Alto Networks Enterprise DLP Incident Layout", + "name": "Palo Alto Networks Enterprise DLP Incident Layout", + "system": false, + "version": -1, + "fromVersion": "6.8.0", + "description": "", + "marketplaces": [ + "xsoar" + ] +} \ No newline at end of file diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop.yml index c33db219af8a..b4e20a002df0 100644 --- a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop.yml +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop.yml @@ -1,6 +1,7 @@ id: DLP Incident Feedback Loop version: -1 fromversion: 6.0.0 +toversion: 6.7.9 name: DLP Incident Feedback Loop description: Collects feedback from user about blocked files. starttaskid: "0" diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop_6_8.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop_6_8.yml new file mode 100644 index 000000000000..106a2c849529 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop_6_8.yml 
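Review bot: In the User Enrichment section of the new layout, `failedlogonevents` is given `"index": 5`, the same index as `usergroups` just above it, and `failedlogoneventstimeframe` then gets `"index": 6`; every other section numbers its items consecutively, so the two new items should be `"index": 6` and `"index": 7` to keep their display order unambiguous. The layout also references `usergroups`, `failedlogonevents` and `failedlogoneventstimeframe`, which are introduced by the CommonTypes pack in this same commit (bumped to 3.3.77), but the DLP pack's own `pack_metadata.json` is not in the diff, so confirm its CommonTypes dependency is raised to a version that carries those fields. Like the other new JSON files here, this one ends without a trailing newline.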
@@ -0,0 +1,2109 @@ +id: DLP Incident Feedback Loop +version: -1 +contentitemexportablefields: + contentitemfields: {} +name: DLP Incident Feedback Loop +description: Collects feedback from the user about blocked files. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: e30f57ca-15b6-48f0-84aa-f0577c21d95e + type: start + task: + id: e30f57ca-15b6-48f0-84aa-f0577c21d95e + version: -1 + name: start_task + type: start + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "84" + - "54" + - "75" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 815, + "y": -430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 04f42348-9370-46d9-8d26-947a028f312a + type: title + task: + id: 04f42348-9370-46d9-8d26-947a028f312a + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 380, + "y": 4240 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 3bf112c2-5c6a-48ab-8601-a3c80d565aa2 + type: regular + task: + id: 3bf112c2-5c6a-48ab-8601-a3c80d565aa2 + version: -1 + name: Call API to save status + description: Call DLP API to save user feedback for the incident. 
+ script: '|||pan-dlp-update-incident' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "99" + scriptarguments: + dlp_channel: + simple: ${incident.pandlpchannel} + feedback: + simple: ${incident.pandlpincidentfeedback} + incident_id: + simple: ${incident.pandlpincidentid} + region: + simple: ${incident.pandlpincidentregion} + report_id: + simple: ${incident.pandlpreportid} + user_id: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 625, + "y": 3190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 8444a46b-5234-4bb0-8bd0-1e3c209c8578 + type: regular + task: + id: 8444a46b-5234-4bb0-8bd0-1e3c209c8578 + version: -1 + name: Send Slack notice about exemption approval + description: Send the user a Slack message about the temporary exemption on the file. + script: SlackV3|||send-notification + type: regular + iscommand: true + brand: SlackV3 + nexttasks: + '#none#': + - "11" + scriptarguments: + blocks: + simple: "[\n\t\t{\n\t\t\t\"type\": \"section\",\n\t\t\t\"text\": {\n\t\t\t\t\"type\": \"mrkdwn\",\n\t\t\t\t\"text\": \"Thank you for the request. 
Your temporary exemption for ${incident.filename} was approved by ${incident.approver} and is enabled now for ${Exemption.duration}.\"\n\t\t\t}\n\t\t}\n\t]" + to: + simple: ${Slack.User.Email} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 160, + "y": 3970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 41fa4cc1-14f8-444d-84bb-10c4202df7c9 + type: regular + task: + id: 41fa4cc1-14f8-444d-84bb-10c4202df7c9 + version: -1 + name: Set feedback to "Exception Granted" + description: Set feedback to "Exception Granted". + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "35" + scriptarguments: + pandlpincidentfeedback: + simple: EXCEPTION_GRANTED + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1930, + "y": 2840 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: c06cf63e-0b10-4efa-815f-54394f0e54db + type: regular + task: + id: c06cf63e-0b10-4efa-815f-54394f0e54db + version: -1 + name: Set feedback to "Exception not requested" + description: Set feedback to "Exception not requested". 
+ script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "35" + scriptarguments: + pandlpincidentfeedback: + simple: EXCEPTION_NOT_REQUESTED + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 815, + "y": 1580 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 0d8eb032-dc3c-4fa3-8775-6d5e2ece20cc + type: condition + task: + id: 0d8eb032-dc3c-4fa3-8775-6d5e2ece20cc + description: "" + version: -1 + name: Was exception request approved? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "11" + "No": + - "103" + "yes": + - "97" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: incident.pandlpincidentfeedback + iscontext: true + right: + value: + simple: EXCEPTION_GRANTED + - label: "No" + condition: + - - operator: isEqualString + left: + value: + simple: incident.pandlpincidentfeedback + iscontext: true + right: + value: + simple: EXCEPTION_DENIED + continueonerrortype: "" + view: |- + { + "position": { + "x": 625, + "y": 3550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "54": + id: "54" + taskid: f21719d2-f14d-4323-8097-70b5408a7a70 + type: condition + task: + id: f21719d2-f14d-4323-8097-70b5408a7a70 + description: "" + version: -1 + name: Is action "block"? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "85" + "yes": + - "84" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: incident.pandlpaction + iscontext: true + right: + value: + simple: block + continueonerrortype: "" + view: |- + { + "position": { + "x": 380, + "y": 230 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "62": + id: "62" + taskid: aa9e011e-decb-4f4b-8efd-47543cef9927 + type: regular + task: + id: aa9e011e-decb-4f4b-8efd-47543cef9927 + version: -1 + name: Send Teams notice about exemption approval + description: |- + Sends a message to the specified teams. + To mention a user in the message, add a semicolon ";" at the end of the user mentioned. For example: @Bruce Willis; + script: Microsoft Teams|||send-notification + type: regular + iscommand: true + brand: Microsoft Teams + nexttasks: + '#none#': + - "11" + scriptarguments: + adaptive_card: + simple: "{\n\t\"contentType\": \"application/vnd.microsoft.card.adaptive\",\n\t\"content\": {\n\t\t\"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n\t\t\"version\": \"1.0\",\n\t\t\"type\": \"AdaptiveCard\",\n\t\t\"msteams\": {\n\t\t\t\"width\": \"Full\"\n\t\t},\n\t\t\"body\": [{\n\t\t\t\"type\": \"TextBlock\",\n\t\t\t\"text\": \"Thank you for the request. 
Your temporary exemption for ${incident.filename} was approved by ${incident.approver} and is enabled now for ${Exemption.duration}.\",\n\t\t\t\"wrap\": true\n\t\t}]\n\t}\n}" + team_member: + complex: + root: Account + accessor: Email + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -240, + "y": 3970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "67": + id: "67" + taskid: 0ba6af1c-840b-47a4-8d1b-2ed2e8b7d5e2 + type: title + task: + id: 0ba6af1c-840b-47a4-8d1b-2ed2e8b7d5e2 + version: -1 + name: Get approval + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "96" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1650, + "y": 1530 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "70": + id: "70" + taskid: e72f5c68-80d1-4b8f-8599-4799c41d450f + type: condition + task: + id: e72f5c68-80d1-4b8f-8599-4799c41d450f + description: "" + version: -1 + name: Manager email found? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "95" + "yes": + - "77" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: UserManagerEmail + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1650, + "y": 1900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "75": + id: "75" + taskid: 8d9db002-e04e-4e72-89e8-07d299e072ba + type: title + task: + id: 8d9db002-e04e-4e72-89e8-07d299e072ba + version: -1 + name: Enrichment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "76" + - "89" + - "111" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1550, + "y": -230 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "76": + id: "76" + taskid: afe484bf-ad9d-4456-8bb6-65062c75b54a + type: playbook + task: + id: afe484bf-ad9d-4456-8bb6-65062c75b54a + version: -1 + name: Account Enrichment - Generic v2.1 + description: |- + Enrich accounts using one or more integrations. + Supported integrations: + - Active Directory + - SailPoint IdentityNow + - SailPoint IdentityIQ + - PingOne + - Okta + - AWS IAM + + Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations. 
+ playbookName: Account Enrichment - Generic v2.1 + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "90" + scriptarguments: + Username: + complex: + root: incident + accessor: sourceusername + transformers: + - operator: uniq + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1055, + "y": -90 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "77": + id: "77" + taskid: 80bf32db-d5e2-447d-85ba-8945e6785b7b + type: playbook + task: + id: 80bf32db-d5e2-447d-85ba-8945e6785b7b + version: -1 + name: DLP - Get Approval + description: Get an approver response for an exemption request from a user. + playbookName: DLP - Get Approval + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "107" + scriptarguments: + Approver: + complex: + root: UserManagerEmail + ApproverMessageApp: + complex: + root: inputs.ApproverMessageApp + Detections: + complex: + root: DLP.Report.DataPatternMatches.Detections + accessor: detection + transformers: + - operator: StringifyArray + SendMailInstance: + complex: + root: inputs.SendMailInstance + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1650, + "y": 2100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "78": + id: "78" + taskid: 87083a52-82ef-4449-89ea-7d492e2698bf + type: playbook + task: + id: 87083a52-82ef-4449-89ea-7d492e2698bf + version: -1 + name: DLP - Get Approval + description: Get an approver response for an exemption request from a user. 
+ playbookName: DLP - Get Approval + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "108" + scriptarguments: + Approver: + complex: + root: inputs.ApprovalTarget + ApproverMessageApp: + complex: + root: inputs.ApproverMessageApp + Detections: + complex: + root: DLP.Report.DataPatternMatches.Detections + accessor: detection + transformers: + - operator: StringifyArray + SendMailInstance: + complex: + root: inputs.SendMailInstance + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 980, + "y": 2090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "80": + id: "80" + taskid: 10b38d4a-5611-468b-8085-665b0314e5f9 + type: condition + task: + id: 10b38d4a-5611-468b-8085-665b0314e5f9 + description: "" + version: -1 + name: What should be next action? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "82" + Approve: + - "41" + Deny: + - "81" + separatecontext: false + conditions: + - label: Deny + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.ActionOnApproverNotFound + iscontext: true + right: + value: + simple: Deny + ignorecase: true + - label: Approve + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.ActionOnApproverNotFound + iscontext: true + right: + value: + simple: Approve + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1510, + "y": 2630 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "81": + id: "81" + taskid: 1ce8289e-22cc-43ea-8107-0c06b4a96b06 + type: regular + task: + id: 1ce8289e-22cc-43ea-8107-0c06b4a96b06 + version: -1 + name: Set feedback to "Exception denied" + 
description: Set feedback to "Exception denied". + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "35" + scriptarguments: + pandlpincidentfeedback: + simple: EXCEPTION_DENIED + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1510, + "y": 2840 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "82": + id: "82" + taskid: de00da84-ee83-4ac4-855a-46df114e3229 + type: collection + task: + id: de00da84-ee83-4ac4-855a-46df114e3229 + description: "" + version: -1 + name: Manual review of the exemption request + type: collection + iscommand: false + brand: "" + nexttasks: + '#none#': + - "83" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1080, + "y": 2840 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: {} + subject: + body: {} + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: |- + What should be the value of the feedback? 
The current feedback is: + ${incident.pandlpincidentfeedback} + required: false + gridcolumns: [] + defaultrows: [] + type: singleSelect + options: [] + optionsarg: + - {} + - simple: PENDING_RESPONSE + - simple: CONFIRMED_SENSITIVE + - simple: CONFIRMED_FALSE_POSITIVE + - simple: EXCEPTION_REQUESTED + - simple: EXCEPTION_GRANTED + - simple: EXCEPTION_DENIED + - simple: EXCEPTION_NOT_REQUESTED + - simple: SEND_NOTIFICATION_FAILURE + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: DLP Feedback + description: "" + sender: Your SOC team + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "83": + id: "83" + taskid: 19d67ecc-65cf-4e42-8458-9640360e3b04 + type: regular + task: + id: 19d67ecc-65cf-4e42-8458-9640360e3b04 + version: -1 + name: Set feedback + description: commands.local.cmd.set.incident + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "35" + scriptarguments: + pandlpincidentfeedback: + complex: + root: DLP Feedback.Answers + accessor: "0" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1080, + "y": 3020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "84": + id: "84" + taskid: 2e2cdd4a-a16c-4ab5-8f78-062ccfb5d0b6 + type: title + task: + id: 2e2cdd4a-a16c-4ab5-8f78-062ccfb5d0b6 + version: -1 + name: Set messaging app + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "91" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 815, + "y": 450 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "85": + id: "85" + taskid: 3a8b42ee-1d89-4a4a-8e30-4d8bf00f3f3c + 
type: title + task: + id: 3a8b42ee-1d89-4a4a-8e30-4d8bf00f3f3c + version: -1 + name: File wasn't blockes + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "11" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 380, + "y": 450 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "88": + id: "88" + taskid: 4875253f-3fc0-43db-80c4-7a617507787f + type: regular + task: + id: 4875253f-3fc0-43db-80c4-7a617507787f + version: -1 + name: Set incident fields in layout + description: commands.local.cmd.set.incident + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "84" + scriptarguments: + dlpdetections: + complex: + root: DLP.Report.DataPatternMatches.Detections + accessor: detection + transformers: + - operator: StringifyArray + employeedisplayname: + complex: + root: Account + accessor: DisplayName + employeeemail: + complex: + root: Account + accessor: Email + employeemanageremail: + complex: + root: UserManagerEmail + failedlogonevents: + complex: + root: NumOfFailedLogon + failedlogoneventstimeframe: + simple: 1d + managername: + complex: + root: UserManagerDisplayName + usergroups: + complex: + root: Account + accessor: Groups + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1550, + "y": 280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "89": + id: "89" + taskid: 7fff0c85-ed9f-4b29-82af-8818155f1e89 + type: playbook + task: + id: 7fff0c85-ed9f-4b29-82af-8818155f1e89 + version: -1 + name: User Investigation - Generic + playbookName: User Investigation - Generic + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "90" + 
scriptarguments: + AzureSearchTime: + simple: ago(1d) + OktaSearch: + simple: "True" + QRadarSearchTime: + simple: Last 1 days + SIEMFailedLogonSearch: + simple: "True" + SplunkEarliestTime: + simple: -1d + SplunkIndex: + simple: '*' + SplunkLatestTime: + simple: now + ThreatLogSearch: + simple: "True" + Username: + complex: + root: incident + accessor: sourceusername + XDRAlertSearch: + simple: "True" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1550, + "y": -90 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "90": + id: "90" + taskid: a3ad19e3-4ec1-428c-81f9-c924664b5519 + type: condition + task: + id: a3ad19e3-4ec1-428c-81f9-c924664b5519 + description: "" + version: -1 + name: Any results? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "84" + "yes": + - "88" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: NumOfFailedLogon + filters: + - - operator: greaterThan + left: + value: + simple: NumOfFailedLogon + iscontext: true + right: + value: + simple: "0" + iscontext: true + right: + value: {} + ignorecase: true + - operator: isNotEmpty + left: + value: + complex: + root: Account + accessor: DisplayName + iscontext: true + - operator: isNotEmpty + left: + value: + complex: + root: DLP.Report.DataPatternMatches.Detections + accessor: detection + iscontext: true + - operator: isNotEmpty + left: + value: + complex: + root: Account + accessor: Email + iscontext: true + - operator: isNotEmpty + left: + value: + complex: + root: UserManagerEmail + iscontext: true + - operator: isNotEmpty + left: + value: + complex: + root: UserManagerDisplayName + iscontext: true + - operator: isNotEmpty + left: + value: + complex: + root: Account + 
accessor: Groups + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1550, + "y": 90 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "91": + id: "91" + taskid: d7e176ab-c665-4409-88c1-679f46e26d26 + type: playbook + task: + id: d7e176ab-c665-4409-88c1-679f46e26d26 + version: -1 + name: DLP - User Message App Check + description: Check if the given message app exists and is configured and retrieve the user details from it. + playbookName: DLP - User Message App Check + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "98" + scriptarguments: + UserDisplayName: + complex: + root: ActiveDirectory.Users + accessor: displayName + UserEmail: + complex: + root: Account + accessor: Email + UserMessageApp: + complex: + root: inputs.UserMessageApp + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 815, + "y": 600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "92": + id: "92" + taskid: b08c2ac0-7bd5-4296-85ba-2f7e8ff676fa + type: playbook + task: + id: b08c2ac0-7bd5-4296-85ba-2f7e8ff676fa + version: -1 + name: DLP - Get User Feedback + description: Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed. 
+ playbookName: DLP - Get User Feedback + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "93" + scriptarguments: + Detections: + complex: + root: DLP.Report.DataPatternMatches.Detections + accessor: detection + transformers: + - operator: StringifyArray + MessageApp: + complex: + root: inputs.UserMessageApp + SendMailInstance: + complex: + root: inputs.SendMailInstance + UserDisplayName: + complex: + root: user_display_name + UserEmail: + complex: + root: Account + accessor: Email + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 815, + "y": 1140 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "93": + id: "93" + taskid: 1d74afde-9d09-49a9-8438-13e2d52d0781 + type: condition + task: + id: 1d74afde-9d09-49a9-8438-13e2d52d0781 + description: "" + version: -1 + name: Did the user request exemption? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "11" + "No": + - "45" + "Yes": + - "67" + separatecontext: false + conditions: + - label: "Yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: UserRequestedExemption + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - label: "No" + condition: + - - operator: isEqualString + left: + value: + complex: + root: UserRequestedExemption + iscontext: true + right: + value: + simple: "False" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 815, + "y": 1310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "94": + id: "94" + taskid: 8cb8c50e-1a17-4e65-8de1-d324ad4dd1c6 + type: title + task: + id: 8cb8c50e-1a17-4e65-8de1-d324ad4dd1c6 + version: -1 + name: Get user feedback + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "92" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 815, + "y": 970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "95": + id: "95" + taskid: 1e49ea27-3b6e-481a-84ed-2d38f6fbae57 + type: title + task: + id: 1e49ea27-3b6e-481a-84ed-2d38f6fbae57 + version: -1 + name: Approver not found + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "80" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1510, + "y": 2480 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "96": + id: "96" + taskid: 9dcf575d-122e-4f28-8ed6-351e87b40dff + type: condition + task: + id: 9dcf575d-122e-4f28-8ed6-351e87b40dff + description: 
"" + version: -1 + name: Approval needed? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "112" + Email/Manual: + - "78" + Manager: + - "70" + separatecontext: false + conditions: + - label: Manager + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.ApprovalTarget + iscontext: true + right: + value: + simple: Manager + ignorecase: true + - label: Email/Manual + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.ApprovalTarget + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1650, + "y": 1660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "97": + id: "97" + taskid: fed24834-4fea-447f-8105-1fba54b62a85 + type: condition + task: + id: fed24834-4fea-447f-8105-1fba54b62a85 + description: "" + version: -1 + name: Which messenger app should be used? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "11" + Email: + - "105" + Slack: + - "40" + Teams: + - "62" + separatecontext: false + conditions: + - label: Slack + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Slack + ignorecase: true + - label: Teams + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Microsoft Teams + ignorecase: true + - label: Email + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Email + continueonerrortype: "" + view: |- + { + "position": { + "x": -240, + "y": 3760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "98": + id: "98" + 
taskid: 5ff59dbc-374e-417e-858b-9f1965a2428c + type: condition + task: + id: 5ff59dbc-374e-417e-858b-9f1965a2428c + description: "" + version: -1 + name: Does feedback status equal "Send notification failure"? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "94" + "yes": + - "11" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: incident + accessor: pandlpincidentfeedback + iscontext: true + right: + value: + simple: Send notification failure + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 815, + "y": 770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "99": + id: "99" + taskid: 4145e6ff-3c5a-4386-85ef-42a5d7be078d + type: title + task: + id: 4145e6ff-3c5a-4386-85ef-42a5d7be078d + version: -1 + name: Update user with the result + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "46" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 625, + "y": 3370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "100": + id: "100" + taskid: 374f6cc0-27a0-4607-8d1a-33297213ef89 + type: regular + task: + id: 374f6cc0-27a0-4607-8d1a-33297213ef89 + version: -1 + name: Send Slack notice about exemption denial + description: Send the user a Slack message about the temporary exemption on the file. 
+ script: SlackV3|||send-notification + type: regular + iscommand: true + brand: SlackV3 + nexttasks: + '#none#': + - "11" + scriptarguments: + blocks: + simple: "[\n\t\t{\n\t\t\t\"type\": \"section\",\n\t\t\t\"text\": {\n\t\t\t\t\"type\": \"mrkdwn\",\n\t\t\t\t\"text\": \"${inputs.DenyMessage}\"\n\t\t\t}\n\t\t}\n\t]" + to: + simple: ${Slack.User.Email} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1415, + "y": 3970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "101": + id: "101" + taskid: be93ea31-3882-4b6b-882d-1b1edb8be1a3 + type: regular + task: + id: be93ea31-3882-4b6b-882d-1b1edb8be1a3 + version: -1 + name: Send Teams notice about exemption denial + description: |- + Sends a message to the specified teams. + To mention a user in the message, add a semicolon ";" at the end of the user mentioned. For example: @Bruce Willis; + script: Microsoft Teams|||send-notification + type: regular + iscommand: true + brand: Microsoft Teams + nexttasks: + '#none#': + - "11" + scriptarguments: + adaptive_card: + simple: "{\n\t\"contentType\": \"application/vnd.microsoft.card.adaptive\",\n\t\"content\": {\n\t\t\"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n\t\t\"version\": \"1.0\",\n\t\t\"type\": \"AdaptiveCard\",\n\t\t\"msteams\": {\n\t\t\t\"width\": \"Full\"\n\t\t},\n\t\t\"body\": [{\n\t\t\t\"type\": \"TextBlock\",\n\t\t\t\"text\": \"${inputs.DenyMessage}\",\n\t\t\t\"wrap\": true\n\t\t}]\n\t}\n}" + team_member: + complex: + root: Account + accessor: Email + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1005, + "y": 3970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "103": + id: "103" + taskid: 9c769ed8-e435-452a-8d02-66b474c9d5f0 + type: 
condition + task: + id: 9c769ed8-e435-452a-8d02-66b474c9d5f0 + description: "" + version: -1 + name: Which messenger app should be used? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "11" + Email: + - "106" + Slack: + - "100" + Teams: + - "101" + separatecontext: false + conditions: + - label: Slack + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Slack + ignorecase: true + - label: Teams + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Microsoft Teams + ignorecase: true + - label: Email + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Email + continueonerrortype: "" + view: |- + { + "position": { + "x": 1005, + "y": 3760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "104": + id: "104" + taskid: 5a8e8974-13b1-4577-8575-b6669735d4ce + type: title + task: + id: 5a8e8974-13b1-4577-8575-b6669735d4ce + version: -1 + name: Approver contacted + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "35" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 980, + "y": 2480 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "105": + id: "105" + taskid: a15f305f-03b3-4a2d-865b-ff6e1380b06c + type: regular + task: + id: a15f305f-03b3-4a2d-865b-ff6e1380b06c + version: -1 + name: Send email notice about exemption approval + description: Ask a user a question via email and process the reply directly into the investigation. 
+ scriptName: EmailAskUser + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + email: + complex: + root: ActiveDirectory.Users + accessor: mail + transformers: + - operator: FirstArrayElement + message: + simple: Thank you for the request. Your temporary exemption for ${incident.filename} was approved by ${incident.approver} and is enabled now for ${Exemption.duration}. + subject: + simple: DLP - Exemption approved. + task: + simple: "230" + using: + simple: ${inputs.SendMailInstance} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -640, + "y": 3970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "106": + id: "106" + taskid: 3d1cbcdc-5733-4948-87f3-9edc55342727 + type: regular + task: + id: 3d1cbcdc-5733-4948-87f3-9edc55342727 + version: -1 + name: Send email notice about exemption denial + description: Ask a user a question via email and process the reply directly into the investigation. + scriptName: EmailAskUser + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + email: + complex: + root: ActiveDirectory.Users + accessor: mail + transformers: + - operator: FirstArrayElement + message: + complex: + root: inputs.DenyMessage + subject: + simple: DLP - Exemption denied. 
+ task: + simple: "230" + using: + simple: ${inputs.SendMailInstance} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 600, + "y": 3970 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "107": + id: "107" + taskid: e9b30ae4-95ee-465d-8758-1907a6828f4d + type: regular + task: + id: e9b30ae4-95ee-465d-8758-1907a6828f4d + version: -1 + name: Set Approver (Manager) + description: commands.local.cmd.set.incident + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "104" + scriptarguments: + approver: + complex: + root: UserManagerEmail + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1650, + "y": 2280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "108": + id: "108" + taskid: 20ec92f7-1495-4004-8779-45064e0a22d7 + type: regular + task: + id: 20ec92f7-1495-4004-8779-45064e0a22d7 + version: -1 + name: Set Approver (Approver) + description: commands.local.cmd.set.incident + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "104" + scriptarguments: + approver: + complex: + root: . 
+ transformers: + - operator: If-Then-Else + args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: inputs.ApprovalTarget + iscontext: true + equals: {} + lhs: + value: + simple: inputs.ApprovalTarget + iscontext: true + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: Manual + rhsB: {} + then: + value: + simple: Manual review + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 980, + "y": 2280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "111": + id: "111" + taskid: 3579d335-de3c-429b-8904-445f8e3b2c21 + type: regular + task: + id: 3579d335-de3c-429b-8904-445f8e3b2c21 + version: -1 + name: Get file report + description: Fetches DLP reports associated with a report ID. + script: '|||pan-dlp-get-report' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "90" + scriptarguments: + fetch_snippets: + simple: "true" + report_id: + complex: + root: incident + accessor: pandlpreportid + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2040, + "y": -90 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "112": + id: "112" + taskid: c6b6106e-cb4f-40d7-8c39-48e70587ff44 + type: regular + task: + id: c6b6106e-cb4f-40d7-8c39-48e70587ff44 + version: -1 + name: Set Approver (Not Required) + description: commands.local.cmd.set.incident + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "41" + scriptarguments: + approver: + simple: Not Required + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 2100, + "y": 2280 + } + } + note: false + timertriggers: [] + ignoreworker: false + 
skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "103_11_#default#": 0.25, + "46_11_#default#": 0.1, + "54_85_#default#": 0.43, + "70_77_yes": 0.54, + "70_95_#default#": 0.32, + "80_41_Approve": 0.64, + "80_81_Deny": 0.58, + "80_82_#default#": 0.49, + "90_84_#default#": 0.1, + "90_88_yes": 0.43, + "93_11_#default#": 0.1, + "96_70_Manager": 0.57, + "96_78_Email/Manual": 0.48, + "97_11_#default#": 0.15, + "97_62_Teams": 0.61, + "98_11_yes": 0.1, + "98_94_#default#": 0.51 + }, + "paper": { + "dimensions": { + "height": 4735, + "width": 3120, + "x": -640, + "y": -430 + } + } + } +inputs: +- key: ApprovalTarget + value: {} + required: false + description: |- + Can be either empty or one of the following: + - Manager + - + - Manual + + "Manager" - the user's manager details will be retrieved using Active Directory enrichment and will be used for approving the exemption, if requested. + - the configured email address will be used for the approval process. + "Manual" - Approval will be a manual task for a further review. + + Leaving this input empty will skip the approval process. + playbookInputQuery: +- key: ActionOnApproverNotFound + value: + simple: Manual + required: false + description: |- + If the approver cannot be contacted via Slack or MS Teams, what should be the next action: + - Deny + - Approve + - Manual + playbookInputQuery: +- key: SendMailInstance + value: {} + required: false + description: |- + This input is only relevant when the "UserMessageApp" or "ApproverMessageApp" are set to "Email". + The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used (default). + playbookInputQuery: +- key: UserMessageApp + value: + simple: Slack + required: false + description: |- + The communication method with the user. 
+ Can be one of the following: + + - Slack + - Microsoft Teams + - Email + + If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. + playbookInputQuery: +- key: ApproverMessageApp + value: + simple: Slack + required: false + description: |- + The communication method with the approver. + Can be one of the following: + + - Slack + - Microsoft Teams + - Email + - Manual + + If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. + playbookInputQuery: +- key: DenyMessage + value: + simple: Thank you for the request. Your request was reviewed and denied. + required: false + description: The message that users will receive when they are denied. + playbookInputQuery: +outputs: [] +tests: +- No tests (auto formatted) +fromversion: 6.8.0 diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop_6_8_README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop_6_8_README.md new file mode 100644 index 000000000000..858866d28d49 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/DLP_Incident_Feedback_Loop_6_8_README.md 
@@ -0,0 +1,54 @@
+Collects feedback from user about blocked files.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* DLP - Get User Feedback
+* DLP - User Message App Check
+* Account Enrichment - Generic v2.1
+* DLP - Get Approval
+* User Investigation - Generic
+
+### Integrations
+
+* SlackV3
+* Microsoft Teams
+* Palo_Alto_Networks_Enterprise_DLP
+
+### Scripts
+
+EmailAskUser
+
+### Commands
+
+* pan-dlp-get-report
+* pan-dlp-update-incident
+* send-notification
+* setIncident
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| ApprovalTarget | Can be either empty or one of the following:
- Manager
- <email_address>
- Manual

"Manager" - the user's manager details will be retrieved using Active Directory enrichment and will be used for approving the exemption, if requested.
<email_address> - the configured email address will be used for the approval process.
"Manual" - Approval will be a manual task for a further review.

Leaving this input empty will skip the approval process. | | Optional | +| ActionOnApproverNotFound | If the approver cannot be contacted via Slack or MS Teams, what should be the next action:
- Deny
- Approve
- Manual | Manual | Optional | +| SendMailInstance | This input is only relevant when the "UserMessageApp" or "ApproverMessageApp" are set to "Email".
The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used \(default\). | | Optional | +| UserMessageApp | The communication method with the user.
Can be one of the following:

- Slack
- Microsoft Teams
- Email

If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. | Slack | Optional | +| ApproverMessageApp | The communication method with the approver.
Can be one of the following:

- Slack
- Microsoft Teams
- Email
- Manual

If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. | Slack | Optional | +| DenyMessage | The message that users will receive when they are denied. | Thank you for the request. Your request was reviewed and denied. | Optional | + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![DLP Incident Feedback Loop](../doc_files/DLP_Incident_Feedback_Loop.png) diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_Approval.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_Approval.yml new file mode 100644 index 000000000000..dd6688c7fcad --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_Approval.yml 
@@ -0,0 +1,725 @@ +id: DLP - Get Approval +version: -1 +name: DLP - Get Approval +description: Get an approver response for an exemption request from a user. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: bcd176d7-ec48-4529-8b0d-f2ba436c1753 + type: start + task: + id: bcd176d7-ec48-4529-8b0d-f2ba436c1753 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "28" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": -330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 685b8517-2709-4dc6-875b-595b4f2bcdf8 + type: regular + task: + id: 685b8517-2709-4dc6-875b-595b4f2bcdf8 + version: -1 + name: Find approver on slack + description: Gets details about a specified user. + script: SlackV3|||slack-get-user-details + type: regular + iscommand: true + brand: SlackV3 + nexttasks: + '#none#': + - "3" + scriptarguments: + user: + complex: + root: inputs.Approver + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 520 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 705ad813-8b3a-4063-800c-e8d711e90124 + type: regular + task: + id: 705ad813-8b3a-4063-800c-e8d711e90124 + version: -1 + name: Get approval via slack + description: Sends a message (question) to either user (in a direct message) or to a channel. The message includes predefined reply options. The response can also close a task (might be conditional) in a playbook. 
+ scriptName: SlackAskV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + message: + simple: |- + **DLP Exemption Request** + Hello ${inputs.approver}, + The user ${incident.sourceusername} is asking to exclude this file: *${incident.filename}* which was blocked by *${incident.pandlpdataprofilename}* data profile on *${incident.app}*. + + ${inputs.Detections} + + Please choose "Yes" to approve. Otherwise, please choose "No". + task: + simple: AwaitApproval + user: + complex: + root: inputs.Approver + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 010e1f79-a7cb-41e7-86e1-c453accbe4af + type: condition + task: + id: 010e1f79-a7cb-41e7-86e1-c453accbe4af + description: "" + version: -1 + name: Exemption approved? + tags: + - AwaitApproval + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "Yes": + - "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": 1145 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: b163796c-0cd3-485e-8598-fd3cadc97dc0 + type: regular + task: + id: b163796c-0cd3-485e-8598-fd3cadc97dc0 + version: -1 + name: Set feedback to "Exception Granted by By Approver" + description: Set feedback to "Exception Granted". 
+ script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "7" + scriptarguments: + pandlpincidentfeedback: + simple: EXCEPTION_GRANTED + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 680, + "y": 1330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 8a8ed02f-d8cb-4426-89d0-4d466cc2aef0 + type: regular + task: + id: 8a8ed02f-d8cb-4426-89d0-4d466cc2aef0 + version: -1 + name: Set feedback to "Exception denied" + description: Set feedback to "Exception Granted". + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "7" + scriptarguments: + pandlpincidentfeedback: + simple: EXCEPTION_DENIED + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 180, + "y": 1330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: ff305da6-1801-48ee-80a9-68852fcde7b0 + type: title + task: + id: ff305da6-1801-48ee-80a9-68852fcde7b0 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 430, + "y": 1500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 12ef48ca-c429-4891-885e-150e47f6cc47 + type: condition + task: + id: 12ef48ca-c429-4891-885e-150e47f6cc47 + version: -1 + name: Is Slack v3 enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. 
+ scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + "no": + - "14" + "yes": + - "1" + scriptarguments: + brandname: + simple: SlackV3 + results: + - brandInstances + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: cb5b1ea5-66b5-4b8e-8c95-06cdc8712756 + type: condition + task: + id: cb5b1ea5-66b5-4b8e-8c95-06cdc8712756 + version: -1 + name: Is Microsoft Teams enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + "no": + - "14" + "yes": + - "12" + scriptarguments: + brandname: + simple: Microsoft Teams + results: + - brandInstances + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -10, + "y": 280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: db514c79-bc38-4171-85ae-84ad808c4df8 + type: regular + task: + id: db514c79-bc38-4171-85ae-84ad808c4df8 + version: -1 + name: Get approval via Teams + description: Send a team member or channel a question with predefined response options on Microsoft Teams. The response can be used to close a task (might be conditional) in a playbook. 
+ scriptName: MicrosoftTeamsAsk + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + message: + simple: "**DLP Exemption Request**\n\nHello ${inputs.approver}, \n\nThe user ${incident.sourceusername} is asking to exclude this file:\n\n**${incident.filename}**\n\nwhich was blocked by:\n\n**${incident.pandlpdataprofilename}** data profile on *${incident.app}*. \n\n${inputs.Detections}\n\nPlease choose \"Yes\" to approve. Otherwise, please choose \"No\"." + task_id: + simple: AwaitApproval + team_member: + complex: + root: inputs.Approver + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": -10, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 37c94790-901c-41c8-8c50-d9f5f6b1ec85 + type: condition + task: + id: 37c94790-901c-41c8-8c50-d9f5f6b1ec85 + description: "" + version: -1 + name: Ask approver via email + type: condition + iscommand: false + brand: "" + nexttasks: + "No": + - "6" + "Yes": + - "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": 930 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: ${inputs.Approver} + subject: + simple: DLP - Exemption approval request + body: + simple: |- + Hello ${inputs.approver}, + + The user ${incident.sourceusername} is asking to get a temporary exemption for this file: "${incident.filename}" which was blocked by "${incident.pandlpdataprofilename}" DLP data profile on *${incident.app}*. + + ${inputs.Detections} + + Do you approve the above exemption request? 
+ methods: + - email + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + replyOptions: + - "Yes" + - "No" + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: 4a002891-e526-4871-87a6-13dcfc17fb10 + type: condition + task: + id: 4a002891-e526-4871-87a6-13dcfc17fb10 + description: "" + version: -1 + name: What is the selected message app? + type: condition + iscommand: false + brand: "" + nexttasks: + Email: + - "14" + MSTeams: + - "11" + Slack: + - "10" + separatecontext: false + conditions: + - label: Slack + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.ApproverMessageApp + iscontext: true + right: + value: + simple: Slack + ignorecase: true + - label: MSTeams + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.ApproverMessageApp + iscontext: true + right: + value: + simple: Microsoft Teams + ignorecase: true + - label: Email + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.ApproverMessageApp + iscontext: true + right: + value: + simple: Email + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": 60 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: 66885f5a-50c1-4bb0-8610-fb8890cbe8ed + type: condition + task: + id: 66885f5a-50c1-4bb0-8610-fb8890cbe8ed + description: "" + version: -1 + name: Manual approval? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "27" + "yes": + - "29" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.Approver + iscontext: true + right: + value: + simple: Manual + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 420, + "y": -180 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 532527d5-f4df-4c1c-80c9-2a0e3e80c38c + type: collection + task: + id: 532527d5-f4df-4c1c-80c9-2a0e3e80c38c + description: "" + version: -1 + name: Manually approve + type: collection + iscommand: false + brand: "" + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": 60 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + subject: + body: + simple: Manual exemption review + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: Do you approve the exemption? + required: false + gridcolumns: [] + defaultrows: [] + type: singleSelect + options: [] + optionsarg: + - simple: "Yes" + - simple: "No" + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + title: Manual exemption review + description: Please review the exemption request and either approve or deny the request. 
+ sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: ae9772ce-3753-41a2-84a2-a1e0180d506d + type: condition + task: + id: ae9772ce-3753-41a2-84a2-a1e0180d506d + description: "" + version: -1 + name: Manual exemption approved? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: Manual exemption review.Answers + accessor: "0" + iscontext: true + right: + value: + simple: "Yes" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": 1145 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "10_14_no": 0.1, + "10_1_yes": 0.42, + "11_12_yes": 0.45, + "11_14_no": 0.23, + "27_14_Email": 0.22, + "28_27_#default#": 0.59, + "30_5_yes": 0.35, + "30_6_#default#": 0.46, + "4_5_Yes": 0.51, + "4_6_#default#": 0.51 + }, + "paper": { + "dimensions": { + "height": 1895, + "width": 1490, + "x": -230, + "y": -330 + } + } + } +inputs: +- key: Approver + value: {} + required: false + description: The email address of the approver. + playbookInputQuery: +- key: SendMailInstance + value: {} + required: false + description: The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used (default). + playbookInputQuery: +- key: ApproverMessageApp + value: {} + required: false + description: |- + The communication method with the approver. 
+ Can be one of the following: + + - Slack + - Microsoft Teams + - Email + + If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. + playbookInputQuery: +- key: Detections + value: {} + required: false + description: Detected violation snippets. + playbookInputQuery: +outputs: [] +tests: +- No tests (auto formatted) +fromversion: 6.8.0 diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_Approval_README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_Approval_README.md new file mode 100644 index 000000000000..1677ffe8bde3 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_Approval_README.md @@ -0,0 +1,46 @@ +Get an approver response for an exemption request from a user. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +SlackV3 + +### Scripts + +* IsIntegrationAvailable +* MicrosoftTeamsAsk +* SlackAskV2 + +### Commands + +* setIncident +* slack-get-user-details + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| Approver | The email address of the approver. | | Optional | +| SendMailInstance | The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used \(default\). | | Optional | +| ApproverMessageApp | The communication method with the approver.
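Review bot: Task "12" (Get approval via Teams) sets `continueonerror: true` with `continueonerrortype: errorPath`, but its `nexttasks` only contains `'#none#'`, so as far as I can tell a failed MicrosoftTeamsAsk call has no `#error#` branch to follow and the playbook ends without reaching task "5" or "6" to set `pandlpincidentfeedback`; adding `'#error#':` / `- "29"` under that task's `nexttasks` would send the failure to the manual review collection task instead. Task "27" (What is the selected message app?) has the mirror gap: it defines Slack, MSTeams and Email labels but no `'#default#'`, so an empty or unrecognised `ApproverMessageApp` (the parent playbook's same-named input also lists "Manual") leaves the exemption request silently unanswered. The `SendMailInstance` input is declared with a description saying it selects the instance for the "send-mail" command, yet no task in this playbook references it; task "14" asks the approver through the communication task's `methods: - email` with no instance selector, so the input should either be wired in or its description corrected. The `Detections` input drops the matched DLP snippets verbatim into the Slack, Teams and email bodies sent to the approver; since these are the very strings that triggered the block, the input description should say so, or the snippets should be masked before they leave the platform. Separately, the three message bodies greet `${inputs.approver}` in lowercase while the input key is `Approver`; if input lookup is case-sensitive the greeting will render empty.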
Can be one of the following:

- Slack
- Microsoft Teams
- Email

If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. | | Optional | +| Detections | Detected violation snippets. | | Optional | + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![DLP - Get Approval](../doc_files/DLP_-_Get_Approval.png) diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback.yml new file mode 100644 index 000000000000..cae5e82bc493 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback.yml 
@@ -0,0 +1,1090 @@ +id: DLP - Get User Feedback +version: -1 +contentitemexportablefields: + contentitemfields: {} +name: DLP - Get User Feedback +description: Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 5ac6e371-5e4a-48ff-83b1-c850c9e5f71b + type: start + task: + id: 5ac6e371-5e4a-48ff-83b1-c850c9e5f71b + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "9" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1072.5, + "y": 750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 5259d029-62d3-4c1c-8780-bab1a39a125c + type: regular + task: + id: 5259d029-62d3-4c1c-8780-bab1a39a125c + version: -1 + name: Set feedback to "true positive" + description: Set incident feedback to "true positive" + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "5" + scriptarguments: + pandlpincidentfeedback: + simple: CONFIRMED_SENSITIVE + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1910, + "y": 1995 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: f60c42d0-2d84-47e6-882c-d31f9e61eea1 + type: regular + task: + id: f60c42d0-2d84-47e6-882c-d31f9e61eea1 + version: -1 + name: Set feedback to "False Positive" + description: Set feedback to "False Positive" + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "5" + scriptarguments: + pandlpincidentfeedback: + simple: CONFIRMED_FALSE_POSITIVE + separatecontext: false + continueonerrortype: "" + view: |- + { + 
"position": { + "x": 1492.5, + "y": 1995 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 718b2150-b5f9-427f-876f-a3b420aba94b + type: condition + task: + id: 718b2150-b5f9-427f-876f-a3b420aba94b + description: "" + version: -1 + name: User answered "Yes"? + tags: + - AwaitFileInfo + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "Yes": + - "1" + separatecontext: false + sla: + minutes: 0 + hours: 6 + days: 0 + weeks: 0 + slareminder: + minutes: 0 + hours: 1 + days: 0 + weeks: 0 + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 1790 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 2cf63c10-e1f8-4201-8b1f-0de87b4bf0bf + type: regular + task: + id: 2cf63c10-e1f8-4201-8b1f-0de87b4bf0bf + version: -1 + name: 'Set feedback status to "Pending" ' + description: Set feedback status to "Pending". + script: '|||pan-dlp-update-incident' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + feedback: + simple: PENDING_RESPONSE + incident_id: + simple: ${incident.pandlpincidentid} + region: + simple: ${incident.pandlpincidentregion} + user_id: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 1595 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 8825f846-2a29-4ff2-8f64-d20891d9b71d + type: regular + task: + id: 8825f846-2a29-4ff2-8f64-d20891d9b71d + version: -1 + name: Save feedback to DLP + description: Updates a DLP incident with user feedback. 
+ script: '|||pan-dlp-update-incident' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "13" + scriptarguments: + feedback: + simple: ${incident.pandlpincidentfeedback} + incident_id: + simple: ${incident.pandlpincidentid} + region: + simple: ${incident.pandlpincidentregion} + user_id: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 2200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 3c30c49b-335c-4af2-852d-4495fbaa4532 + type: regular + task: + id: 3c30c49b-335c-4af2-852d-4495fbaa4532 + description: "" + version: -1 + name: Ask user if file contains sensitive info + scriptName: DlpAskFeedback + type: regular + iscommand: false + brand: SlackV3 + nexttasks: + '#none#': + - "4" + scriptarguments: + app_name: + simple: ${incident.app} + data_profile_name: + simple: ${incident.pandlpdataprofilename} + file_name: + simple: ${incident.filename} + include_violation_detail: + simple: "True" + is_follow_up: + simple: "False" + messenger: + complex: + root: inputs.MessageApp + question_type: + simple: ABOUT_FILE + snippets: + complex: + root: inputs.Detections + task: + simple: AwaitFileInfo + user: + simple: ${incident.sourceusername} + user_display_name: + complex: + root: inputs.UserDisplayName + user_id: + complex: + root: inputs.UserEmail + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: incident.sourceusername + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 1360 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 
ed465bf1-d399-4964-8d83-755bf6ae769e + type: regular + task: + id: ed465bf1-d399-4964-8d83-755bf6ae769e + version: -1 + name: Get eligibility for exemption + description: Determines whether the exemption can be granted on incidents from a certain data profile. + script: '|||pan-dlp-exemption-eligible' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + data_profile: + simple: ${incident.pandlpdataprofilename} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 2650 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: d92324f6-40c6-4164-82d3-8577f5914bf9 + type: condition + task: + id: d92324f6-40c6-4164-82d3-8577f5914bf9 + description: "" + version: -1 + name: Is eligible? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "15" + "yes": + - "21" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isTrue + left: + value: + simple: DLP.exemption.eligible + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 2860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 836de274-78a8-45a7-8620-ca5e46c11d00 + type: condition + task: + id: 836de274-78a8-45a7-8620-ca5e46c11d00 + description: "" + version: -1 + name: Is there a previous notification for the file? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "10" + "no": + - "20" + separatecontext: false + conditions: + - label: "no" + condition: + - - operator: isEmpty + left: + value: + simple: incident.pandlppreviousfeedback + iscontext: true + right: + value: {} + - operator: isEqualString + left: + value: + simple: incident.pandlppreviousfeedback + iscontext: true + right: + value: + simple: Pending response + continueonerrortype: "" + view: |- + { + "position": { + "x": 1072.5, + "y": 900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 4af13c70-609f-4a0a-8f5a-ac71e07c3b5f + type: condition + task: + id: 4af13c70-609f-4a0a-8f5a-ac71e07c3b5f + description: "" + version: -1 + name: Did user ask for exemption? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "15" + "No": + - "14" + separatecontext: false + conditions: + - label: "No" + condition: + - - operator: isEqualString + left: + value: + simple: incident.pandlppreviousfeedback + iscontext: true + right: + value: + simple: Confirmed sensitive + - operator: isEqualString + left: + value: + simple: incident.pandlppreviousfeedback + iscontext: true + right: + value: + simple: Confirmed false positive + - operator: isEqualString + left: + value: + simple: incident.pandlppreviousfeedback + iscontext: true + right: + value: + simple: Exception not requested + continueonerrortype: "" + view: |- + { + "position": { + "x": 670, + "y": 1360 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 706c9b4d-4795-40fc-85a4-52aebb2f1265 + type: regular + task: + id: 706c9b4d-4795-40fc-85a4-52aebb2f1265 + version: -1 + name: 'Set feedback status to "Pending" ' + description: Set feedback status to 
"Pending". + script: '|||pan-dlp-update-incident' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + feedback: + simple: PENDING_RESPONSE + incident_id: + simple: ${incident.pandlpincidentid} + region: + simple: ${incident.pandlpincidentregion} + user_id: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 3470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: af4e4b82-c884-400d-817a-339db9b894e9 + type: regular + task: + id: af4e4b82-c884-400d-817a-339db9b894e9 + description: "" + version: -1 + name: Ask user if exemption needed + scriptName: DlpAskFeedback + type: regular + iscommand: false + brand: SlackV3 + nexttasks: + '#none#': + - "11" + scriptarguments: + app_name: + simple: ${incident.app} + data_profile_name: + simple: ${incident.pandlpdataprofilename} + file_name: + simple: ${incident.filename} + include_violation_detail: + simple: ${include_violation_detail} + is_follow_up: + simple: "False" + messenger: + complex: + root: inputs.MessageApp + question_type: + simple: ABOUT_EXEMPTION + task: + simple: AwaitFileExemption + user: + simple: ${incident.sourceusername} + user_display_name: + complex: + root: inputs.UserDisplayName + user_id: + complex: + root: inputs.UserEmail + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: incident.sourceusername + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 3280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: 32e1dcba-d9e4-4e08-88a5-f4c6ffa6d7cf + type: regular + 
task: + id: 32e1dcba-d9e4-4e08-88a5-f4c6ffa6d7cf + version: -1 + name: Set include_violation_detail to False + description: Set include_violation_detail to False. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + scriptarguments: + append: + simple: "false" + key: + simple: include_violation_detail + stringify: + simple: "true" + value: + simple: "False" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 2410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: bc30231f-272d-4d67-84dd-71ddc3a8ea22 + type: regular + task: + id: bc30231f-272d-4d67-84dd-71ddc3a8ea22 + version: -1 + name: Set include_violation_detail to True + description: Set include_violation_detail to True. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + scriptarguments: + append: + simple: "false" + key: + simple: include_violation_detail + stringify: + simple: "true" + value: + simple: "True" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 920, + "y": 1595 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 8d9343fe-43e9-45af-8352-8a708ceddcfb + type: title + task: + id: 8d9343fe-43e9-45af-8352-8a708ceddcfb + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 670, + "y": 4150 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 30f5bb1d-8185-48ff-82a8-b7b3a36f195e + type: condition + 
task: + id: 30f5bb1d-8185-48ff-82a8-b7b3a36f195e + description: "" + version: -1 + name: User requested exemption? + tags: + - AwaitFileExemption + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "18" + "Yes": + - "17" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 3665 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: cc2b6a1e-6cb9-40dc-8d92-76d2f45a0f4f + type: regular + task: + id: cc2b6a1e-6cb9-40dc-8d92-76d2f45a0f4f + version: -1 + name: 'Save user answer ' + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + key: + simple: UserRequestedExemption + value: + simple: "True" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1720, + "y": 3860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 79a0bc7d-1f74-4108-87d8-84950e2000bc + type: regular + task: + id: 79a0bc7d-1f74-4108-87d8-84950e2000bc + version: -1 + name: 'Save user answer ' + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + key: + simple: UserRequestedExemption + value: + simple: "False" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1260, + "y": 3860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 542df324-ec0e-4bdc-88bb-2597ded24c64 + type: playbook + task: + id: 542df324-ec0e-4bdc-88bb-2597ded24c64 + version: -1 + name: DLP - Get User Feedback via Email + playbookName: DLP - Get User Feedback via Email + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "5" + scriptarguments: + SendMailInstance: + complex: + root: inputs.SendMailInstance + Snippets: + complex: + root: inputs.Detections + UserDisplayName: + complex: + root: inputs.UserDisplayName + UserEmail: + complex: + root: inputs.UserEmail + data_profile_name: + complex: + root: incident + accessor: pandlpdataprofilename + file_name: + complex: + root: incident + accessor: filename + question_type: + simple: ABOUT_FILE + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1910, + "y": 1360 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: a28ce6da-2891-44a2-8ea2-6039fba476ec + type: condition + task: + id: a28ce6da-2891-44a2-8ea2-6039fba476ec + description: "" + version: -1 + name: Get user feedback by email? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "19" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.MessageApp + iscontext: true + right: + value: + simple: Email + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 1140 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: b3bc2121-212c-4ba3-8f8c-25cdc75cb9a1 + type: condition + task: + id: b3bc2121-212c-4ba3-8f8c-25cdc75cb9a1 + description: "" + version: -1 + name: Get user feedback by email? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "12" + "yes": + - "22" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.MessageApp + iscontext: true + right: + value: + simple: Email + continueonerrortype: "" + view: |- + { + "position": { + "x": 1492.5, + "y": 3070 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: fe450185-759c-4239-8ec4-c13ad295257f + type: playbook + task: + id: fe450185-759c-4239-8ec4-c13ad295257f + version: -1 + name: DLP - Get User Feedback via Email + playbookName: DLP - Get User Feedback via Email + type: playbook + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "15" + scriptarguments: + SendMailInstance: + complex: + root: inputs.SendMailInstance + UserDisplayName: + complex: + root: inputs.UserDisplayName + UserEmail: + complex: + root: inputs.UserEmail + data_profile_name: + complex: + root: incident + accessor: pandlpdataprofilename + file_name: + complex: + root: incident + accessor: filename + question_type: 
+ simple: ABOUT_EXEMPTION + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1910, + "y": 3280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": { + "10_14_No": 0.33, + "10_15_#default#": 0.1, + "21_12_#default#": 0.44, + "8_15_#default#": 0.1 + }, + "paper": { + "dimensions": { + "height": 3465, + "width": 1620, + "x": 670, + "y": 750 + } + } + } +inputs: +- key: UserDisplayName + value: {} + required: false + description: The display name of the user. + playbookInputQuery: +- key: MessageApp + value: {} + required: false + description: "Choose the application to communicate with the users.\nAvailable options:\n- Slack \n- Microsoft Teams" + playbookInputQuery: +- key: SendMailInstance + value: {} + required: false + description: The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used (default). + playbookInputQuery: +- key: UserEmail + value: {} + required: false + description: The user email address. + playbookInputQuery: +- key: Detections + value: {} + required: false + description: Detected violation snippets. + playbookInputQuery: +outputs: +- contextPath: UserRequestedExemption + description: Whether the user requested exemption or not. + type: unknown +tests: +- No tests (auto formatted) +fromversion: 6.8.0 diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_README.md new file mode 100644 index 000000000000..04febcecb706 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_README.md 
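Review bot: In task "3" (`User answered "Yes"?`) the `#default#` branch goes to task "2", which sets `pandlpincidentfeedback` to `CONFIRMED_FALSE_POSITIVE`, and task "5" then writes that value back to DLP with `pan-dlp-update-incident`; so any reply other than the literal `Yes` — and, depending on how `DlpAskFeedback` completes the `AwaitFileInfo` task when the 6-hour SLA lapses, possibly a non-reply as well — is recorded as a confirmed false positive. A missing or unrecognised answer should not downgrade a DLP detection: map an explicit `"No"` label to task "2" and route `#default#` to the Done title (task "15") or to a task that leaves the feedback at `PENDING_RESPONSE` (task "16" has the same shape but its default, `UserRequestedExemption: "False"`, is the safe direction). Separately, the `MessageApp` input description lists only Slack and Microsoft Teams while tasks "20" and "21" branch on the value `Email`; add `\n- Email` to that description. Tasks "4", "5" and "11" also run `pan-dlp-update-incident` with `continueonerror: true`, so a failed write-back of the user's feedback is silent.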
@@ -0,0 +1,52 @@
+Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+DLP - Get User Feedback via Email
+
+### Integrations
+
+Palo_Alto_Networks_Enterprise_DLP
+
+### Scripts
+
+* Set
+* SetAndHandleEmpty
+* DlpAskFeedback
+
+### Commands
+
+* pan-dlp-get-report
+* setIncident
+* pan-dlp-exemption-eligible
+* pan-dlp-update-incident
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| UserDisplayName | The display name of the user. | | Optional |
+| MessageApp | Choose the application to communicate with the users.
Available options:
- Slack
- Microsoft Teams | | Optional |
+| SendMailInstance | The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used \(default\). | | Optional |
+| UserEmail | The user email address. | | Optional |
+| Detections | Detected violation snippets. | | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| UserRequestedExemption | Whether the user requested exemption or not. | unknown |
+
+## Playbook Image
+
+---
+
+![DLP - Get User Feedback](../doc_files/DLP_-_Get_User_Feedback.png)
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_via_Email.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_via_Email.yml
new file mode 100644
index 000000000000..11f040ec08aa
--- /dev/null
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_via_Email.yml
@@ -0,0 +1,494 @@ +id: DLP - Get User Feedback via Email +version: -1 +name: DLP - Get User Feedback via Email +description: Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 77f61963-270e-47b1-8756-3523f1ba8427 + type: start + task: + id: 77f61963-270e-47b1-8756-3523f1ba8427 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "8" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 430, + "y": 320 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: c9a7e715-455b-40fa-8f7f-88b022820dbb + type: condition + task: + id: c9a7e715-455b-40fa-8f7f-88b022820dbb + description: "" + version: -1 + name: Check question type + type: condition + iscommand: false + brand: "" + nexttasks: + About-File: + - "13" + Exemption: + - "14" + separatecontext: false + conditions: + - label: About-File + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.question_type + iscontext: true + right: + value: + simple: ABOUT_FILE + - label: Exemption + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.question_type + iscontext: true + right: + value: + simple: ABOUT_EXEMPTION + continueonerrortype: "" + view: |- + { + "position": { + "x": 430, + "y": 660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 4079e400-3d9d-4804-854e-e0fdc938c8f4 + type: title + task: + id: 4079e400-3d9d-4804-854e-e0fdc938c8f4 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + 
"position": { + "x": 430, + "y": 1260 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 4424314b-6370-45eb-81b7-54731141f854 + type: regular + task: + id: 4424314b-6370-45eb-81b7-54731141f854 + version: -1 + name: Set feedback to "true positive" + description: Set incident feedback to "true positive". + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "4" + scriptarguments: + pandlpincidentfeedback: + simple: CONFIRMED_SENSITIVE + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1130, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 0190e04d-589a-4b88-8a31-69baf349a053 + type: regular + task: + id: 0190e04d-589a-4b88-8a31-69baf349a053 + version: -1 + name: Set feedback to "False Positive" + description: Set feedback to "False Positive". + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "4" + scriptarguments: + pandlpincidentfeedback: + simple: CONFIRMED_FALSE_POSITIVE + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 640, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 4ad1815a-3671-4cfc-8dee-90ae6dd38e61 + type: regular + task: + id: 4ad1815a-3671-4cfc-8dee-90ae6dd38e61 + version: -1 + name: 'Set feedback status to "Pending" ' + description: Set feedback status to "Pending". 
+ script: '|||pan-dlp-update-incident' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "1" + scriptarguments: + feedback: + simple: PENDING_RESPONSE + incident_id: + simple: ${incident.pandlpincidentid} + region: + simple: ${incident.pandlpincidentregion} + user_id: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 430, + "y": 480 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: c7390cc7-b0eb-4312-877b-2044dbd1a04a + type: regular + task: + id: c7390cc7-b0eb-4312-877b-2044dbd1a04a + version: -1 + name: 'Save user answer ' + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + key: + simple: UserRequestedExemption + value: + simple: "True" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 210, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 47013d2e-6c18-4317-8df7-15ab1c1e2628 + type: regular + task: + id: 47013d2e-6c18-4317-8df7-15ab1c1e2628 + version: -1 + name: 'Save user answer ' + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. 
+ + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + key: + simple: UserRequestedExemption + value: + simple: "False" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -250, + "y": 1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: 3b82d100-08c7-4f47-85e3-00e20f2db8d0 + type: condition + task: + id: 3b82d100-08c7-4f47-85e3-00e20f2db8d0 + description: "" + version: -1 + name: Ask file-info via email + type: condition + iscommand: false + brand: "" + nexttasks: + "No": + - "6" + "Yes": + - "5" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 840 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: ${inputs.UserEmail} + subject: + simple: DLP Feedback - File Info + body: + simple: |- + Hi ${inputs.UserDisplayName}, + + We need your feedback:
+ + Your activity on "${incident.app}" was blocked due to company policy.
+ The data in this activity contains sensitive information which violates ${inputs.data_profile_name}" policy.
+ filename - "${inputs.file_name}"

+ + ${inputs.Snippets} + +

+ Please confirm if this file contains sensitive information: + methods: + - email + format: html + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + replyOptions: + - "Yes" + - "No" + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: e619044c-88ec-4f9e-86c5-fd9e78ad3c56 + type: condition + task: + id: e619044c-88ec-4f9e-86c5-fd9e78ad3c56 + description: "" + version: -1 + name: Ask exemption via email + type: condition + iscommand: false + brand: "" + nexttasks: + "No": + - "12" + "Yes": + - "11" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -20, + "y": 840 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + simple: ${inputs.UserEmail} + subject: + simple: DLP Feedback - File Exemption + body: + simple: |- + Hi ${inputs.UserDisplayName}, + + Do you want to request a temporary exemption for "${inputs.file_name}"? + methods: + - email + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + replyOptions: + - "Yes" + - "No" + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1005, + "width": 1760, + "x": -250, + "y": 320 + } + } + } +inputs: +- key: UserDisplayName + value: {} + required: false + description: The display name of the user. + playbookInputQuery: +- key: data_profile_name + value: {} + required: false + description: The name of the DLP data profile that detected the violation. + playbookInputQuery: +- key: file_name + value: {} + required: false + description: The name of the file that triggered the incident. 
+ playbookInputQuery: +- key: question_type + value: {} + required: false + description: Whether to ask the user about the file content or about an exemption. + playbookInputQuery: +- key: SendMailInstance + value: {} + required: false + description: The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used (default). + playbookInputQuery: +- key: UserEmail + value: {} + required: false + description: The user email address. + playbookInputQuery: +- key: Snippets + value: {} + required: false + description: The snippets of the violation. + playbookInputQuery: +outputs: +- contextPath: UserRequestedExemption + type: unknown + description: Whether the user requested exemption or not. +tests: +- No tests (auto formatted) +fromversion: 6.8.0 diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_via_Email_README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_via_Email_README.md new file mode 100644 index 000000000000..c38a32b29eda --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_Get_User_Feedback_via_Email_README.md 
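Review bot: The email body in task "13" is sent with `format: html` and inlines `${inputs.Snippets}` — the content DLP matched as sensitive — together with unescaped `${incident.app}`, `${inputs.file_name}` and `${inputs.data_profile_name}`; re-sending the matched data to the end user copies the sensitive snippets into the mail system, and because the body is HTML a file name that contains markup would be rendered rather than shown as text. Consider dropping the snippets from the mail (the calling playbook in this change already gates detail for the chat path with `include_violation_detail`) or at least sending as plain text, which is what task "14" does with `format: ""`; the two tasks differ in `format` for no visible reason. The body also has a missing opening quote, `violates ${inputs.data_profile_name}" policy.`, which should read `violates the "${inputs.data_profile_name}" policy.`. `to: ${inputs.UserEmail}` has no fallback here, whereas the chat path derives the recipient from `incident.sourceusername` when the input is empty; document that `UserEmail` is effectively required for this sub-playbook.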
@@ -0,0 +1,50 @@ +Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +Palo_Alto_Networks_Enterprise_DLP + +### Scripts + +SetAndHandleEmpty + +### Commands + +* setIncident +* pan-dlp-update-incident + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| UserDisplayName | The display name of the user. | | Optional | +| data_profile_name | The name of the DLP data profile that detected the violation. | | Optional | +| file_name | The name of the file that triggered the incident. | | Optional | +| question_type | Whether to ask the user about the file content or about an exemption. | | Optional | +| SendMailInstance | The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used \(default\). | | Optional | +| UserEmail | The user email address. | | Optional | +| Snippets | The snippets of the violation. | | Optional | + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| UserRequestedExemption | Whether the user requested exemption or not. | unknown | + +## Playbook Image + +--- + +![DLP - Get User Feedback via Email](../doc_files/DLP_-_Get_User_Feedback_via_Email.png) diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_User_Message_App_Check.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_User_Message_App_Check.yml new file mode 100644 index 000000000000..b983a97dddc1 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_User_Message_App_Check.yml 
@@ -0,0 +1,591 @@ +id: DLP - User Message App Check +version: -1 +name: DLP - User Message App Check +description: Check if the given message app exists and is configured and retrieve the user details from it. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 19727acc-e5df-4907-8890-aaadd67a4e95 + type: start + task: + id: 19727acc-e5df-4907-8890-aaadd67a4e95 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "16" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": -120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 7d96386d-2657-44ae-819a-7346c6124fe7 + type: condition + task: + id: 7d96386d-2657-44ae-819a-7346c6124fe7 + version: -1 + name: Is Slack v3 enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + "no": + - "3" + "yes": + - "2" + scriptarguments: + brandname: + simple: SlackV3 + results: + - brandInstances + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1740, + "y": 310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 6e29fdb0-1cb4-4c33-89fb-b89d0c882334 + type: regular + task: + id: 6e29fdb0-1cb4-4c33-89fb-b89d0c882334 + version: -1 + name: Find user on slack + description: Gets details about a specified user. 
+ script: SlackV3|||slack-get-user-details + type: regular + iscommand: true + brand: SlackV3 + nexttasks: + '#none#': + - "8" + scriptarguments: + user: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1740, + "y": 550 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 08f87b86-f565-41be-8e72-f32d56778f24 + type: regular + task: + id: 08f87b86-f565-41be-8e72-f32d56778f24 + version: -1 + name: Update feedback status via API to "SEND_NOTIFICATION_FAILURE" + description: Set feedback status to "SEND_NOTIFICATION_FAILURE". + script: '|||pan-dlp-update-incident' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + error_details: + simple: User ${incident.sourceusername} not found on Slack + feedback: + simple: SEND_NOTIFICATION_FAILURE + incident_id: + simple: ${incident.pandlpincidentid} + region: + simple: ${incident.pandlpincidentregion} + user_id: + simple: ${incident.sourceusername} + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 710, + "y": 1000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 984daff2-f3cf-4fbc-8438-005a57b0c84f + type: condition + task: + id: 984daff2-f3cf-4fbc-8438-005a57b0c84f + version: -1 + name: Is Microsoft Teams enabled? + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. 
+ scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + "no": + - "3" + "yes": + - "6" + scriptarguments: + brandname: + simple: Microsoft Teams + results: + - brandInstances + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: c6296856-7a2a-4ec1-8a58-c0eb56fbc689 + type: regular + task: + id: c6296856-7a2a-4ec1-8a58-c0eb56fbc689 + version: -1 + name: Set user display name (Slack) + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + append: + simple: "false" + key: + simple: user_display_name + value: + complex: + root: Slack.User + accessor: Name + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1740, + "y": 1075 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: bb2f3f8f-d83b-4180-820c-14083cc3fbc0 + type: regular + task: + id: bb2f3f8f-d83b-4180-820c-14083cc3fbc0 + version: -1 + name: Set user display name (Email/MSTeams) + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + append: + simple: "false" + key: + simple: user_display_name + value: + complex: + root: inputs.UserDisplayName + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: incident.sourceusername + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 8cce0aab-62c9-483e-8793-4c868f041c1e + type: condition + task: + id: 8cce0aab-62c9-483e-8793-4c868f041c1e + description: "" + version: -1 + name: User exists on Slack? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Slack.User.ID + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1740, + "y": 740 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 59226be6-39e5-4361-87c5-fa1fa030361d + type: title + task: + id: 59226be6-39e5-4361-87c5-fa1fa030361d + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 1410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: cad55a70-43ec-4948-8c4b-201495141c5b + type: condition + task: + id: cad55a70-43ec-4948-8c4b-201495141c5b + description: "" + version: -1 + name: User 
email exist? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "6" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.UserEmail + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 710, + "y": 310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 4e4989f1-ac4b-4289-8901-c23526126cec + type: regular + task: + id: 4e4989f1-ac4b-4289-8901-c23526126cec + version: -1 + name: Set incident feedback status to "Send notification failure" + description: Set feedback to "Exception not requested". + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "9" + scriptarguments: + pandlpincidentfeedback: + simple: Send notification failure + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 710, + "y": 1185 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 34d95494-4d6b-4af9-8ed2-620a2e651b3a + type: condition + task: + id: 34d95494-4d6b-4af9-8ed2-620a2e651b3a + description: "" + version: -1 + name: What is the selected message app? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "17" + Email: + - "13" + MSTeams: + - "4" + Slack: + - "1" + separatecontext: false + conditions: + - label: Slack + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Slack + ignorecase: true + - label: MSTeams + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Microsoft Teams + ignorecase: true + - label: Email + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UserMessageApp + iscontext: true + right: + value: + simple: Email + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 1858ad0a-6ded-4067-8823-c76754b263dc + type: title + task: + id: 1858ad0a-6ded-4067-8823-c76754b263dc + version: -1 + name: No message app - failure + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 260, + "y": 310 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "13_3_#default#": 0.17, + "13_6_yes": 0.17, + "16_4_MSTeams": 0.53, + "1_2_yes": 0.43, + "1_3_no": 0.1, + "4_3_no": 0.11, + "4_6_yes": 0.15, + "8_3_#default#": 0.12, + "8_5_yes": 0.51 + }, + "paper": { + "dimensions": { + "height": 1595, + "width": 1860, + "x": 260, + "y": -120 + } + } + } +inputs: +- key: UserEmail + value: {} + required: false + description: The user email address that will be used through email 
communication in case both Slack and MS Teams are not enabled. + playbookInputQuery: +- key: UserDisplayName + value: {} + required: false + description: The display name of the user. Will be used in case MS Teams or Email are the message app. + playbookInputQuery: +- key: UserMessageApp + value: {} + required: false + description: |- + The communication method with the user. + Can be one of the following: + + - Slack + - Microsoft Teams + - Email + + If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. + playbookInputQuery: +outputs: +- contextPath: user_display_name + description: The user display name. + type: unknown +- contextPath: Slack.User + type: unknown + description: The user name returned from Slack. +tests: +- No tests (auto formatted) +fromversion: 6.8.0 diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_User_Message_App_Check_README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_User_Message_App_Check_README.md new file mode 100644 index 000000000000..1c7e12e40c59 --- /dev/null +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Playbooks/playbook-DLP_-_User_Message_App_Check_README.md 
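Review bot: Task "3" always reports `error_details: User ${incident.sourceusername} not found on Slack` to DLP, yet it is the failure target of five branches ("1" no, "4" no, "8" default, "13" default and "17"), of which only the "8" default path is actually a Slack lookup miss, so the recorded reason is misleading for the no-app, no-email and Teams-disabled cases. An app-neutral text such as `simple: Could not notify user ${incident.sourceusername} via ${inputs.UserMessageApp}`, or one error task per branch, would keep the DLP-side audit trail accurate. Task "15" is described as `Set feedback to "Exception not requested".` but sets `pandlpincidentfeedback` to `Send notification failure`; the description should match the value it writes. The `UserMessageApp` input description also refers to a "SendEmailInstance" input that this playbook does not declare (the email sub-playbook names it `SendMailInstance`), so that sentence should be corrected or removed.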
@@ -0,0 +1,50 @@ +Check if the given message app exists and is configured and retrieve the user details from it. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +* SlackV3 +* Palo_Alto_Networks_Enterprise_DLP + +### Scripts + +* IsIntegrationAvailable +* Set + +### Commands + +* pan-dlp-update-incident +* setIncident +* slack-get-user-details + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| UserEmail | The user email address that will be used through email communication in case both Slack and MS Teams are not enabled. | | Optional | +| UserDisplayName | The display name of the user. Will be used in case MS Teams or Email are the message app. | | Optional | +| UserMessageApp | The communication method with the user.
Can be one of the following:

- Slack
- Microsoft Teams
- Email

If you choose to set "Email", it's also possible to set the relevant email integration instance with the "SendEmailInstance" input. | | Optional | + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| user_display_name | The user display name. | unknown | +| Slack.User | The user name returned from Slack. | unknown | + +## Playbook Image + +--- + +![DLP - User Message App Check](../doc_files/DLP_-_User_Message_App_Check.png) diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/README.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/README.md index 73992f3f1176..585f63dd0c57 100644 --- a/Packs/Palo_Alto_Networks_Enterprise_DLP/README.md +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/README.md @@ -1,6 +1,6 @@ ## Palo Alto Networks Enterprise DLP Content Pack -This content pack enables Cortex XSOAR to integrate with Palo Alto Networks Enterprise DLP. Using this content pack, you can fetch DLP incidents using the long running instance and update DLP incidents with user feedback. This pack includes the **Palo Alto Networks Enterprise DLP** integration and a sample Playbook to gather user feedback for a DLP incident using Slack. +This content pack enables Cortex XSOAR to integrate with Palo Alto Networks Enterprise DLP. Using this content pack, you can fetch DLP incidents using the `Long running instance` checkbox and update DLP incidents with user feedback. This pack includes the **Palo Alto Networks Enterprise DLP** integration and a sample playbook to gather user feedback for a DLP incident using Slack. ### Palo Alto Networks Enterprise DLP Integration 
@@ -11,7 +11,8 @@ The integration includes commands to:
 - Fetch DLP incidents as a long running instance.
 - Fetch DLP reports with data pattern match details.
 - Fetch DLP reports with data pattern match details and snippets from the file.
- - Update a DLP incident with user feedback.
+ - Update a DLP incident with user feedback and approval process.
 - Check if the option to exempt the violation should be provided for a given DLP data profile name.
+ - Get approval for any exemption requests.
 - Send a customized Slack bot message to the user to ask for feedback.
 - Reset the last run.
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/ReleaseNotes/2_0_0.md b/Packs/Palo_Alto_Networks_Enterprise_DLP/ReleaseNotes/2_0_0.md
new file mode 100644
index 000000000000..d92b4332f316
--- /dev/null
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/ReleaseNotes/2_0_0.md
@@ -0,0 +1,91 @@ +#### Incident Fields + +- New: **DLP Detections** + +#### Integrations + +##### Palo Alto Networks Enterprise DLP +- Updated the Docker image to: *demisto/python3:3.10.12.63474*. + +- Updated command descriptions to a more generic use case and not just upload violations. +- Updated the command ***pan-dlp-update-incident*** to include the feedback `EXCEPTION_DENIED`. + +#### Layouts + +##### Palo Alto Networks Enterprise DLP Incident Layout + +Available from Cortex XSOAR 6.8.0: +- Removed the *Incident Details* section. +- Added the *User Enrichment* section. +- Added additional fields to the *Case Details* section. +- Added the *Feedback and approvals* section. +- Added the *Detections* section. + +#### Playbooks + +##### New: DLP - Get Approval + +- New: Get an approver response for an exemption request from a user. + +##### New: DLP - Get User Feedback + +- New: Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed. + +##### New: DLP - Get User Feedback via Email + +- New: Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed. + +##### New: DLP - User Message App Check + +- New: Check if the given message app exists and is configured and retrieve the user details from it. + +##### New: DLP - Get Approval + +New: Get an approver response for an exemption request from a user. + +##### New: DLP - Get User Feedback + +New: Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed. + +##### New: DLP - Get User Feedback via Email + +New: Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed. + +##### New: DLP - User Message App Check + +New: Check if the given message app exists and is configured and retrieve the user details from it. 
+ +##### New: DLP - Get Approval + +New: Get an approver response for an exemption request from a user. (Available from Cortex XSOAR 6.8.0). +##### New: DLP - Get User Feedback via Email + +New: Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed. (Available from Cortex XSOAR 6.8.0). +##### New: DLP - Get User Feedback + +New: Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed. (Available from Cortex XSOAR 6.8.0). +##### DLP Incident Feedback Loop + +Available from Cortex XSOAR 6.8.0: +Updated the main playbook with the following changes: + - 6 new playbook inputs: + - ApprovalTarget + - ActionOnApproverNotFound + - SendMailInstance + - UserMessageApp + - ApproverMessageApp + - DenyMessage + - Added an approval process. + - Added user details and file report in an Enrichment section. + - Communications with the user and the manager had been configured separately. + - Added an email communication channel. +##### New: DLP - User Message App Check + +New: Check if the given message app exists and is configured and retrieve the user details from it. (Available from Cortex XSOAR 6.8.0). + +#### Scripts + +##### DlpAskFeedback +- Updated the Docker image to: *demisto/python3:3.10.12.63474*. + +- Updated descriptions to a more generic use case and not just upload violations. \ No newline at end of file diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/Scripts/DlpAskFeedback/DlpAskFeedback.yml b/Packs/Palo_Alto_Networks_Enterprise_DLP/Scripts/DlpAskFeedback/DlpAskFeedback.yml index 202330adb934..a6bcd7aed232 100644 --- a/Packs/Palo_Alto_Networks_Enterprise_DLP/Scripts/DlpAskFeedback/DlpAskFeedback.yml +++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/Scripts/DlpAskFeedback/DlpAskFeedback.yml 
@@ -6,7 +6,7 @@ script: ''
 type: python
 tags: []
 enabled: true
-comment: Sends a message via Slack or MS Teams to the user whose file upload violated DLP policies and triggered the incident.
+comment: Sends a message via Slack or MS Teams to the user whose activity violated DLP policies and triggered the incident.
 args:
 - name: messenger
 required: false
@@ -23,7 +23,7 @@ args:
 required: true
 description: The name of the DLP data profile that detected the violation.
 - name: app_name
- description: The application that performed the upload.
+ description: The application that performed the activity.
 required: false
 - name: task
 description: A manual task that this task can close.
@@ -60,7 +60,7 @@ dependson:
 should:
 - SlackV3|||send-notification
 runonce: false
-dockerimage: demisto/python3:3.10.4.30607
+dockerimage: demisto/python3:3.10.12.63474
 runas: DBotWeakRole
 fromversion: 5.5.0
 tests:
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_Approval.png b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_Approval.png
new file mode 100644
index 000000000000..8245b62ffee7
Binary files /dev/null and b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_Approval.png differ
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_User_Feedback.png b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_User_Feedback.png
new file mode 100644
index 000000000000..31569b6b7396
Binary files /dev/null and b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_User_Feedback.png differ
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_User_Feedback_via_Email.png b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_User_Feedback_via_Email.png
new file mode 100644
index 000000000000..b3af2668e759
Binary files /dev/null and b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_Get_User_Feedback_via_Email.png differ
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_User_Message_App_Check.png b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_User_Message_App_Check.png
new file mode 100644
index 000000000000..2677c1caf618
Binary files /dev/null and b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_-_User_Message_App_Check.png differ
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_Incident_Feedback_Loop.png b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_Incident_Feedback_Loop.png
new file mode 100644
index 000000000000..1c520d3811b2
Binary files /dev/null and b/Packs/Palo_Alto_Networks_Enterprise_DLP/doc_files/DLP_Incident_Feedback_Loop.png differ
diff --git a/Packs/Palo_Alto_Networks_Enterprise_DLP/pack_metadata.json b/Packs/Palo_Alto_Networks_Enterprise_DLP/pack_metadata.json
index a848138d5c6d..f366eb87ec6e 100644
--- a/Packs/Palo_Alto_Networks_Enterprise_DLP/pack_metadata.json
+++ b/Packs/Palo_Alto_Networks_Enterprise_DLP/pack_metadata.json
@@ -5,7 +5,7 @@
 "support": "xsoar",
 "author": "Palo Alto Networks Enterprise DLP",
 "url": "https://www.paloaltonetworks.com/enterprise-data-loss-prevention",
- "currentVersion": "1.2.8",
+ "currentVersion": "2.0.0",
 "categories": [
 "Network Security"
 ],
@@ -18,5 +18,8 @@
 "xsoar",
 "marketplacev2"
 ],
- "itemPrefix": "PAN"
+ "itemPrefix": [
+ "PAN",
+ "DLP"
+ ]
 }
\ No newline at end of file