diff --git a/Packs/CloudIncidentResponse/Layouts/layoutscontainer-CLOUD_Token_Theft.json b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-CLOUD_Token_Theft.json
index 44229901d3c6..e25fb4202195 100644
--- a/Packs/CloudIncidentResponse/Layouts/layoutscontainer-CLOUD_Token_Theft.json
+++ b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-CLOUD_Token_Theft.json
@@ -478,7 +478,7 @@
 "minH": 1,
 "moved": false,
 "name": "Malicious or Suspicious Indicators",
- "query": "reputation:Benign OR reputation:Suspicious OR reputation:Malicious",
+ "query": "reputation:Suspicious OR reputation:Malicious",
 "queryType": "input",
 "static": false,
 "type": "indicators",
@@ -571,7 +571,7 @@
 "minH": 1,
 "moved": false,
 "name": "Cloud Indicators",
- "query": "99900222-7570-4e56-8fa6-1206e76be060",
+ "query": "displayCloudIndicators",
 "queryType": "script",
 "static": false,
 "type": "dynamic",
@@ -1404,5 +1404,6 @@
 "system": false,
 "version": -1,
 "fromVersion": "6.8.0",
+ "marketplaces": ["marketplacev2"],
 "description": ""
 }
\ No newline at end of file
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_-_Set_Verdict.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_-_Set_Verdict.yml
index f0b428aea60c..855d81b00221 100644
--- a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_-_Set_Verdict.yml
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_-_Set_Verdict.yml
@@ -607,4 +607,5 @@ outputs:
 quiet: false
 tests:
 - No tests (auto formatted)
+marketplaces: ["marketplacev2"]
 fromversion: 6.8.0
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_Response.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_Response.yml
index 2dc27e624037..34d55330db46 100644
--- a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_Response.yml
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_Token_Theft_Response.yml
@@ -2065,4 +2065,5 @@ inputs:
 outputs: []
 tests:
 - No tests (auto formatted)
+marketplaces: ["marketplacev2"]
 fromversion: 6.8.0
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.yml
new file mode 100644
index 000000000000..ddbfe726065e
--- /dev/null
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.yml
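Review bot: The `@@ -1404` hunk of layoutscontainer-CLOUD_Token_Theft.json edits the file's final lines but still leaves the `\ No newline at end of file` marker in place; since the closing `}` is already inside the hunk, terminate the file with a newline so the next edit to that line does not show up as a spurious change. The added `"marketplaces": ["marketplacev2"]` matches the value added to the two existing playbooks in this commit, so the layout and the playbooks it references stay consistently scoped.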
@@ -0,0 +1,649 @@ +id: Cortex XDR - XCloud Token Theft - Set Verdict +version: -1 +name: Cortex XDR - XCloud Token Theft - Set Verdict +description: |- + --- + + ## Cloud Token Theft - Set Verdict Playbook + + The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. + + ### Event Search + + The playbook searches for events based on the attacker's IP address within the last two hours. + + ### Tests Performed + + The following tests are performed on the observed activity: + + 1. **Malicious IP Check**: Determines if the IP address is malicious. + 2. **CSP ASN Check**: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). + 3. **IP and ASN History Check**: Verifies if the IP address and ASN have been previously observed. + 4. **Region Check**: Determines if the API call was made from outside the recognized region. + 5. **Anomalous State Check**: Checks if the API call was made from an anomalous state. + 6. **Alert Check**: Looks for any related alerts around the event, including: + - Possible cloud instance metadata service (IMDS) abuse. + - Impossible Traveler by cloud identity. + + --- +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 5cb65176-16ca-4a17-8223-b263a5faee7c + type: start + task: + id: 5cb65176-16ca-4a17-8223-b263a5faee7c + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 100, + "y": 570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 1d10af0b-7d60-4562-8778-0a0ee87d460c + type: condition + task: + id: 1d10af0b-7d60-4562-8778-0a0ee87d460c + version: -1 + name: Check caller IP reputation + description: Checks the verdict logic. 
Please refer to the playbook description for detailed information. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + Malicious: + - "4" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: greaterThanOrEqual + left: + value: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Indicator + iscontext: true + right: + value: + simple: inputs.sourceIP + iscontext: true + accessor: Score + iscontext: true + right: + value: + simple: "2" + continueonerrortype: "" + view: |- + { + "position": { + "x": 100, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 980777c8-d213-4f10-848b-290d9e700bba + type: regular + task: + id: 980777c8-d213-4f10-848b-290d9e700bba + version: -1 + name: Get additional alerts + description: |- + Searches Demisto incidents. A summarized version of this scrips is avilable with the summarizedversion argument. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: SearchIncidentsV2 + type: regular + iscommand: false + brand: Builtin + nexttasks: + '#none#': + - "2" + scriptarguments: + custom_filter: + simple: |- + { + "OR": [ + { + "AND": [ + { + "SEARCH_FIELD": "agent_ip_addresses", + "SEARCH_TYPE": "IPLIST_MATCH", + "SEARCH_VALUE": "${inputs.sourceIP}" + } + ] + }, + { + "AND": [ + { + "SEARCH_FIELD": "action_local_ip", + "SEARCH_TYPE": "IP_MATCH", + "SEARCH_VALUE": "${inputs.sourceIP}" + } + ] + }, + { + "AND": [ + { + "SEARCH_FIELD": "action_remote_ip", + "SEARCH_TYPE": "IP_MATCH", + "SEARCH_VALUE": "${inputs.sourceIP}" + } + ] + } + ] + } + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 100, + "y": 700 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: XDR Alert Search Results + output: + complex: + root: PaloAltoNetworksXDR + accessor: Alert + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 23a75037-8637-4ffb-83ca-9801253b1150 + type: regular + task: + id: 23a75037-8637-4ffb-83ca-9801253b1150 + version: -1 + name: Set verdict - Malicious + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + key: + simple: alertVerdict + value: + simple: Malicious + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 100, + "y": 2110 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: c7fb9a98-b0bf-4de4-8989-376c2a6f7f29 + type: regular + task: + id: c7fb9a98-b0bf-4de4-8989-376c2a6f7f29 + version: -1 + name: Set verdict - User verification + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + scriptarguments: + key: + simple: alertVerdict + value: + simple: userVerification + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -780, + "y": 2110 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: c133ff88-9860-4f38-8d90-3fc6a0111cc4 + type: condition + task: + id: c133ff88-9860-4f38-8d90-3fc6a0111cc4 + version: -1 + name: Check source ASN + description: Detailed explanation available in the playbook description. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "11" + Cloud ASN: + - "5" + separatecontext: false + conditions: + - label: Cloud ASN + condition: + - - operator: containsGeneral + left: + value: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: caller_ip_asn_org + iscontext: true + right: + value: + simple: GOOGLE + ignorecase: true + - operator: containsGeneral + left: + value: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: caller_ip_asn_org + iscontext: true + right: + value: + simple: MICROSOFT + - operator: containsGeneral + left: + value: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: caller_ip_asn_org + iscontext: true + right: + value: + simple: AMAZON + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -780, + "y": 1030 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: f3f098de-ec20-4686-8e98-e2d429276f48 + type: condition + task: + id: f3f098de-ec20-4686-8e98-e2d429276f48 + version: -1 + name: Check ASN & Agent IP popularity + description: Checks the verdict logic. Please refer to the playbook description for detailed information. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "12" + Malicious: + - "4" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: isEqualNumber + left: + value: + complex: + root: alertJson.raw_abioc.event + accessor: cloud_agent_external_ip_days_seen_count + iscontext: true + right: + value: + simple: "0" + - - operator: isEqualNumber + left: + value: + complex: + root: alertJson.raw_abioc.event + accessor: cloud_caller_ip_asn_count_distinct_cloud_best_identity + iscontext: true + right: + value: + simple: "0" + continueonerrortype: "" + view: |- + { + "position": { + "x": -390, + "y": 1200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: 648c1de2-72be-46cb-8b08-174171300a61 + type: condition + task: + id: 648c1de2-72be-46cb-8b08-174171300a61 + version: -1 + name: Check for API call executed outside the instance region + description: Detailed explanation available in the playbook description. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "13" + Malicious: + - "4" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Alert.alert_name + iscontext: true + right: + value: + simple: A compute-attached identity executed API calls outside the instance's region + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -390, + "y": 1380 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: bbb0beba-0cd1-4d6f-8e7d-52feb1686556 + type: condition + task: + id: bbb0beba-0cd1-4d6f-8e7d-52feb1686556 + version: -1 + name: Check for API call from unusual country + description: Detailed explanation available in the playbook description. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + Malicious: + - "4" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Alert.alert_name + iscontext: true + right: + value: + simple: A cloud identity executed an API call from an unusual country + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -390, + "y": 1560 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 69619ff1-8fcc-4fa3-802f-5acd7edef159 + type: condition + task: + id: 69619ff1-8fcc-4fa3-802f-5acd7edef159 + version: -1 + name: Check for IMDS Access alert + description: Detailed explanation available in the playbook description. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "15" + Malicious: + - "4" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Alert.alert_name + iscontext: true + right: + value: + simple: Possible Cloud Instance Metadata Service (IMDS) Abuse + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -390, + "y": 1740 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 4e1d2cbd-8ada-4fd8-83ff-1144e09d4220 + type: condition + task: + id: 4e1d2cbd-8ada-4fd8-83ff-1144e09d4220 + version: -1 + name: Check for Impossible Traveler alert + description: Detailed explanation available in the playbook description. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + Malicious: + - "4" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Alert.alert_name + iscontext: true + right: + value: + simple: Impossible travel by cloud identity + continueonerrortype: "" + view: |- + { + "position": { + "x": -390, + "y": 1925 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 8ae2cf69-0978-4d75-8104-2442bb959263 + type: title + task: + id: 8ae2cf69-0978-4d75-8104-2442bb959263 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -780, + "y": 2290 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- 
+ { + "linkLabelsPosition": { + "11_12_#default#": 0.39, + "11_4_Malicious": 0.22, + "12_13_#default#": 0.4, + "12_4_Malicious": 0.26, + "13_14_#default#": 0.42, + "13_4_Malicious": 0.31, + "14_15_#default#": 0.41, + "14_4_Malicious": 0.41, + "15_4_Malicious": 0.51, + "15_5_#default#": 0.13, + "2_4_Malicious": 0.1, + "2_6_#default#": 0.1, + "6_5_Cloud ASN": 0.11 + }, + "paper": { + "dimensions": { + "height": 1785, + "width": 1260, + "x": -780, + "y": 570 + } + } + } +inputs: +- key: sourceIP + value: {} + required: false + description: The source IP to search by additional alerts. + playbookInputQuery: +- key: fromDate + value: {} + required: false + description: |- + The start date for the search additional alerts task. + + Filter by from date (e.g. "3 days ago" or 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z) + playbookInputQuery: +outputs: +- contextPath: alertVerdict + description: The alert verdict. + type: unknown +- contextPath: PaloAltoNetworksXDR.Alert + description: The additional alerts found. + type: unknown +tests: +- No tests (auto formatted) +marketplaces: ["xsoar"] +fromversion: 6.8.0 diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict_README.md new file mode 100644 index 000000000000..08442ab2351b --- /dev/null +++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict_README.md 
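Review bot: The CSP ASN check in task "6" sets `ignorecase: true` on the GOOGLE and AMAZON `containsGeneral` conditions but not on the MICROSOFT one, and task "15" likewise compares `Impossible travel by cloud identity` case-sensitively while tasks "12"–"14" use `ignorecase: true`; add `ignorecase: true` under both so a mixed-case `caller_ip_asn_org` or alert name does not silently fall through to the next branch. The `fromDate` input is declared but never referenced — task "3" passes only `custom_filter` to SearchIncidentsV2 — so the alert search carries no time bound even though the description promises a two-hour window; either wire it through as `fromdate:` / `complex:` / `root: inputs.fromDate` or drop the input. SearchIncidentsV2 is normally driven by `query`/`fromdate`-style arguments, whereas the SEARCH_FIELD/SEARCH_TYPE JSON in `custom_filter` and the expected `PaloAltoNetworksXDR.Alert` output look like the `xdr-get-alerts` contract, so please confirm the script accepts that argument on the xsoar marketplace this file targets and that the later `alert_name` conditions actually see data. Tasks "2", "6" and "11" read `DBotScore`, `PaloAltoNetworksXDR.OriginalAlert.event` and `alertJson.raw_abioc.event` from context although none is an input and nothing here enriches the IP, so the "Malicious IP Check" only works when the caller runs this with shared context and has already scored `inputs.sourceIP`; that precondition belongs in the description.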
@@ -0,0 +1,69 @@ +--- + +## Cloud Token Theft - Set Verdict Playbook + +The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious. + +### Event Search + +The playbook searches for events based on the attacker's IP address within the last two hours. + +### Tests Performed + +The following tests are performed on the observed activity: + +1. **Malicious IP Check**: Determines if the IP address is malicious. +2. **CSP ASN Check**: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs). +3. **IP and ASN History Check**: Verifies if the IP address and ASN have been previously observed. +4. **Region Check**: Determines if the API call was made from outside the recognized region. +5. **Anomalous State Check**: Checks if the API call was made from an anomalous state. +6. **Alert Check**: Looks for any related alerts around the event, including: + - Possible cloud instance metadata service (IMDS) abuse. + - Impossible Traveler by cloud identity. + +--- + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +This playbook does not use any integrations. + +### Scripts + +* SearchIncidentsV2 +* Set + +### Commands + +This playbook does not use any commands. + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| sourceIP | The source IP to search by additional alerts. | | Optional | +| fromDate | The start date for the search additional alerts task.

Filter by from date \(e.g. "3 days ago" or 2006-01-02T15:04:05\+07:00 or 2006-01-02T15:04:05Z\) | | Optional | + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| alertVerdict | The alert verdict. | unknown | +| PaloAltoNetworksXDR.Alert | The additional alerts found. | unknown | + +## Playbook Image + +--- + +![Cortex XDR - XCloud Token Theft - Set Verdict](../doc_files/Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.png) diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_Response.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_Response.yml new file mode 100644 index 000000000000..4c02d60b2731 --- /dev/null +++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_Response.yml 
@@ -0,0 +1,2319 @@ +id: Cortex XDR - XCloud Token Theft Response +version: -1 +name: Cortex XDR - XCloud Token Theft Response +description: |- + --- + + ## Cloud Token Theft Response Playbook + + The **Cloud Token Theft Response Playbook** provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: + + **Cloud Enrichment:** + - Enriches the involved resources. + - Enriches the involved identities. + - Enriches the involved IPs. + + **Verdict Decision Tree:** + - Determines the appropriate verdict based on the investigation findings. + + **Early Containment using the Cloud Response - Generic Playbook:** + - Implements early containment measures to prevent further impact. + + **Cloud Persistence Threat Hunting:** + - Conducts threat hunting activities to identify any cloud persistence techniques. + + **Enriching and Responding to Hunting Findings:** + - Performs additional enrichment and responds to the findings from threat hunting. + + **Verdict Handling:** + - Handles false positives identified during the investigation. + - Handles true positives by initiating appropriate response actions. 
+ + --- +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 7c995b30-f3e5-4496-832f-fbc380441190 + type: start + task: + id: 7c995b30-f3e5-4496-832f-fbc380441190 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": -1470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 68f23ebd-334f-47c3-858d-32cf6ee802ca + type: regular + task: + id: 68f23ebd-334f-47c3-858d-32cf6ee802ca + version: -1 + name: Fetch alert extra data + description: Returns information about each alert ID. + script: '|||xdr-get-cloud-original-alerts' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + alert_ids: + complex: + root: incident.xdralerts + filters: + - - operator: inList + left: + value: + simple: incident.xdralerts.name + iscontext: true + right: + value: + simple: Suspicious usage of EC2 token, Suspicious usage of VM Service Account token, Suspicious usage of AWS Lambda’s token, Suspicious usage of AWS Lambda’s role, Remote usage of an AWS service token, Remote usage of an AWS EKS token, Suspicious usage of an AWS EKS token, Suspicious usage of an AWS ECS token, Remote usage of an AWS ECS token, Suspicious usage of AWS service token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token, Remote usage of VM Service Account token, Suspicious usage of VM Service Account token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token + ignorecase: true + accessor: alertid + extend-context: + simple: alertData= + ignore-outputs: + simple: "false" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": -1340 + } + 
} + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: ASN + output: + simple: ${PaloAltoNetworksXDR.OriginalAlert.event.caller_ip_asn} + - incidentfield: ASN Name + output: + simple: ${PaloAltoNetworksXDR.OriginalAlert.event.caller_ip_asn_org} + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 3414e15e-a296-4440-857e-b67e8d110e51 + type: regular + task: + id: 3414e15e-a296-4440-857e-b67e8d110e51 + version: -1 + name: Load alert JSON + description: Loads a JSON from a string input, and returns a JSON object result. + scriptName: LoadJSON + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + extend-context: + simple: alertJson= + ignore-outputs: + simple: "true" + input: + complex: + root: alertData.alerts + accessor: original_alert_json + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": -1180 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: ASN + output: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: caller_ip_asn + transformers: + - operator: uniq + - incidentfield: ASN Name + output: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: caller_ip_asn_org + transformers: + - operator: uniq + - incidentfield: Country + output: + complex: + root: PaloAltoNetworksXDR.Incident.alerts + accessor: action_country + transformers: + - operator: uniq + - incidentfield: Operation Type + output: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: operation_name + transformers: + - operator: uniq + - incidentfield: Operation Name + output: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: operation_name_orig + transformers: + - operator: uniq + - incidentfield: Project ID + output: + complex: + root: PaloAltoNetworksXDR.Incident.alerts + 
filters: + - - operator: inList + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of EC2 token, Suspicious usage of VM Service Account token, Suspicious usage of AWS Lambda’s token, Suspicious usage of AWS Lambda’s role, Remote usage of an AWS service token, Remote usage of an AWS EKS token, Suspicious usage of an AWS EKS token, Suspicious usage of an AWS ECS token, Remote usage of an AWS ECS token, Suspicious usage of AWS service token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token, Remote usage of VM Service Account token, Suspicious usage of VM Service Account token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token + accessor: project + - incidentfield: Identity Type + output: + complex: + root: PaloAltoNetworksXDR.Incident.alerts + filters: + - - operator: inList + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of EC2 token, Suspicious usage of VM Service Account token, Suspicious usage of AWS Lambda’s token, Suspicious usage of AWS Lambda’s role, Remote usage of an AWS service token, Remote usage of an AWS EKS token, Suspicious usage of an AWS EKS token, Suspicious usage of an AWS ECS token, Remote usage of an AWS ECS token, Suspicious usage of AWS service token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token, Remote usage of VM Service Account token, Suspicious usage of VM Service Account token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token + accessor: identity_type + transformers: + - operator: uniq + - incidentfield: Source IP + output: + complex: + root: incident.xdralerts + filters: + - - operator: inList + left: + value: + simple: incident.xdralerts.name + 
iscontext: true + right: + value: + simple: Suspicious usage of EC2 token, Suspicious usage of VM Service Account token, Suspicious usage of AWS Lambda’s token, Suspicious usage of AWS Lambda’s role, Remote usage of an AWS service token, Remote usage of an AWS EKS token, Suspicious usage of an AWS EKS token, Suspicious usage of an AWS ECS token, Remote usage of an AWS ECS token, Suspicious usage of AWS service token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token, Remote usage of VM Service Account token, Suspicious usage of VM Service Account token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token + accessor: hostip + transformers: + - operator: uniq + - incidentfield: Resource Type + output: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: resource_type_orig + transformers: + - operator: uniq + - incidentfield: Region + output: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: region + transformers: + - operator: uniq + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: c3da330a-98cc-4a24-8440-7eca8182a113 + type: title + task: + id: c3da330a-98cc-4a24-8440-7eca8182a113 + version: -1 + name: Check VPN + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "54" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": -1020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: b989322c-a5b7-419a-834a-b4b7220018fc + type: playbook + task: + id: b989322c-a5b7-419a-834a-b4b7220018fc + version: -1 + name: Cloud Enrichment - Generic + description: |2- + + ## Generic Cloud Enrichment Playbook + + The **Cloud Enrichment - Generic 
Playbook** is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. + + ### Supported Blocks + + 1. **Cloud IAM Enrichment - Generic** + - Enriches information related to Identity and Access Management (IAM) in the cloud. + + 2. **Cloud Compute Enrichment - Generic** + - Enriches information related to cloud compute resources. + + The playbook supports a single CSP enrichment at a time. + playbookName: Cloud Enrichment - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + cloudProvider: + complex: + root: incident.xdralerts + accessor: cloudprovider + transformers: + - operator: uniq + username: + complex: + root: incident.xdralerts + accessor: username + transformers: + - operator: uniq + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -640, + "y": 280 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 6ff14f4f-ff2e-4fe0-80b5-fbacf492d5c3 + type: title + task: + id: 6ff14f4f-ff2e-4fe0-80b5-fbacf492d5c3 + version: -1 + name: Threat Hunting + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "44" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: ebc71199-7f11-4ac4-8b8f-bd9a3977f3f6 + type: title + task: + id: ebc71199-7f11-4ac4-8b8f-bd9a3977f3f6 + version: -1 + name: Analysis + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - 
"42" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": 450 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 258b5261-54ce-4175-898e-49f06934fa4b + type: condition + task: + id: 258b5261-54ce-4175-898e-49f06934fa4b + version: -1 + name: Check verdict resolution + description: Checks which verdict was received by the Cloud Token Theft - Set Verdict playbook. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "49" + Malicious: + - "50" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: alertVerdict + iscontext: true + right: + value: + simple: Malicious + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -230, + "y": 750 + } + } + note: false + timertriggers: + - fieldname: triagesla + action: stop + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: e8e43851-9d56-4d01-8fb9-0403519aecec + type: playbook + task: + id: e8e43851-9d56-4d01-8fb9-0403519aecec + version: -1 + name: Cloud Response - Generic + description: |- + This playbook provides response playbooks for: + - AWS + - Azure + - GCP + + The response actions available are: + - Terminate/Shut down/Power off an instance. + - Delete/Disable a user. + - Delete/Revoke/Disable credentials. 
+ - Block indicators + playbookName: Cloud Response - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + AWS-userRemediationType: + simple: Revoke + Azure-userRemediationType: + simple: Disable + GCP-accessKeyRemediationType: + simple: Disable + GCP-userRemediationType: + simple: Disable + autoAccessKeyRemediation: + complex: + root: inputs.autoAccessKeyRemediation + autoBlockIndicators: + complex: + root: inputs.autoBlockIndicators + autoResourceRemediation: + complex: + root: inputs.autoResourceRemediation + autoUserRemediation: + complex: + root: inputs.autoUserRemediation + cloudProvider: + complex: + root: incident.xdralerts + accessor: cloudprovider + transformers: + - operator: uniq + username: + complex: + root: incident.xdralerts + accessor: username + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 450, + "y": 1410 + } + } + note: false + timertriggers: + - fieldname: containmentsla + action: pause + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: b24a7b45-f6e0-4081-8d77-da872f2c1d66 + type: title + task: + id: b24a7b45-f6e0-4081-8d77-da872f2c1d66 + version: -1 + name: Early Containment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1280 + } + } + note: false + timertriggers: + - fieldname: containmentsla + action: start + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: 5116b858-f35c-4532-8d79-34fa42f33317 + type: title + task: + id: 5116b858-f35c-4532-8d79-34fa42f33317 + version: -1 + name: Enrich IoCs + description: 
This script will extract indicators from the given AWS CloudTrail, GCP Logging, or Azure Log Analytics event data.
+ type: title
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "47"
+ - "46"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 1890
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "15":
+ id: "15"
+ taskid: 18869c45-ac1e-4c49-8069-907603000fb2
+ type: title
+ task:
+ id: 18869c45-ac1e-4c49-8069-907603000fb2
+ version: -1
+ name: Containment
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "51"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 890,
+ "y": 2530
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "19":
+ id: "19"
+ taskid: f9057961-2c94-4cf2-8dc2-e39faa217c59
+ type: condition
+ task:
+ id: f9057961-2c94-4cf2-8dc2-e39faa217c59
+ version: -1
+ name: Persistence activity or suspicious IoCs found?
+ description: Checks if one of the extracted indicators is suspicious or malicious, or if there are any results from the Cloud Threat Hunting - Persistence playbook.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "20"
+ "yes":
+ - "15"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: DBotScore
+ filters:
+ - - operator: greaterThanOrEqual
+ left:
+ value:
+ simple: DBotScore.Score
+ iscontext: true
+ right:
+ value:
+ simple: "2"
+ accessor: Indicator
+ iscontext: true
+ right:
+ value: {}
+ - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: AWSQuery
+ transformers:
+ - operator: append
+ args:
+ item:
+ value:
+ simple: GCPQuery
+ iscontext: true
+ - operator: append
+ args:
+ item:
+ value:
+ simple: AzureQuery
+ iscontext: true
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 2220
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "20":
+ id: "20"
+ taskid: 0cd67bd7-0167-4cd5-8ab4-7334b89cfc95
+ type: title
+ task:
+ id: 0cd67bd7-0167-4cd5-8ab4-7334b89cfc95
+ version: -1
+ name: Manual invetigation
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "22"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 2530
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "22":
+ id: "22"
+ taskid: 62e1dca7-e5b4-4514-8044-b487db46bd6c
+ type: regular
+ task:
+ id: 62e1dca7-e5b4-4514-8044-b487db46bd6c
+ version: -1
+ name: Investigate the data collected
+ description: You should investigate the data collected manually and choose how the playbook should continue.
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "23"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 2665
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "23":
+ id: "23"
+ taskid: ae06dcd7-e93a-4126-88e0-afad189dc889
+ type: condition
+ task:
+ id: ae06dcd7-e93a-4126-88e0-afad189dc889
+ version: -1
+ name: Should contain the threats?
+ description: Whether to contain the threats found.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "61"
+ "Yes":
+ - "51"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 2830
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "34":
+ id: "34"
+ taskid: b4dcc788-ab52-4be8-80d0-08abb1e73d3a
+ type: title
+ task:
+ id: b4dcc788-ab52-4be8-80d0-08abb1e73d3a
+ version: -1
+ name: Eradication
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "36"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 3180
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "35":
+ id: "35"
+ taskid: e3fafcf7-3d5d-47bc-8059-a9f8337ea358
+ type: playbook
+ task:
+ id: e3fafcf7-3d5d-47bc-8059-a9f8337ea358
+ version: -1
+ name: Cloud Response - Generic
+ description: |-
+ This playbook provides response playbooks for:
+ - AWS
+ - Azure
+ - GCP
+
+ The response actions available are:
+ - Terminate/Shut down/Power off an instance.
+ - Delete/Disable a user.
+ - Delete/Revoke/Disable credentials.
+ - Block indicators.
+ playbookName: Cloud Response - Generic
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "37"
+ scriptarguments:
+ AWS-accessKeyRemediationType:
+ simple: Delete
+ AWS-resourceRemediationType:
+ simple: Terminate
+ AWS-userRemediationType:
+ simple: Delete
+ Azure-resourceRemediationType:
+ simple: Delete
+ Azure-userRemediationType:
+ simple: Delete
+ GCP-accessKeyRemediationType:
+ simple: Delete
+ GCP-resourceRemediationType:
+ simple: Delete
+ GCP-userRemediationType:
+ simple: Delete
+ accessKeyId:
+ complex:
+ root: CloudIndicators
+ accessor: access_key_id
+ autoAccessKeyRemediation:
+ simple: "False"
+ autoBlockIndicators:
+ simple: "False"
+ autoResourceRemediation:
+ simple: "False"
+ autoUserRemediation:
+ simple: "False"
+ cloudProvider:
+ complex:
+ root: incident.xdralerts
+ accessor: cloudprovider
+ transformers:
+ - operator: uniq
+ region:
+ complex:
+ root: Core.OriginalAlert.event
+ accessor: region
+ resourceName:
+ complex:
+ root: CloudIndicators
+ accessor: resource_name
+ username:
+ complex:
+ root: CloudIndicators
+ accessor: username
+ separatecontext: false
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 3490
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "36":
+ id: "36"
+ taskid: a53b6b07-5ceb-4e3c-8cc7-6714f66cf15a
+ type: condition
+ task:
+ id: a53b6b07-5ceb-4e3c-8cc7-6714f66cf15a
+ version: -1
+ name: Should eradicate the threats?
+ description: Whether to eradicate the threats. This playbook should be treated with care as its actions are irreversible.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "37"
+ "Yes":
+ - "35"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 3310
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "37":
+ id: "37"
+ taskid: ad8fb161-f9ea-463b-831f-37742872c592
+ type: title
+ task:
+ id: ad8fb161-f9ea-463b-831f-37742872c592
+ version: -1
+ name: Resolution
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "38"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 230,
+ "y": 3660
+ }
+ }
+ note: false
+ timertriggers:
+ - fieldname: containmentsla
+ action: stop
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "38":
+ id: "38"
+ taskid: 8564c719-44a0-49c3-878a-799670c7aa44
+ type: condition
+ task:
+ id: 8564c719-44a0-49c3-878a-799670c7aa44
+ version: -1
+ name: Is manual investigation required to complete the resolution process?
+ description: Whether to continue with the investigation manually or close the alert.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "40"
+ "Yes":
+ - "39"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 230,
+ "y": 3790
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "39":
+ id: "39"
+ taskid: fc3876ba-e3b4-4cfe-8ebf-5abbe773bc95
+ type: regular
+ task:
+ id: fc3876ba-e3b4-4cfe-8ebf-5abbe773bc95
+ version: -1
+ name: Investigate further
+ description: Continue to investigate manually.
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "40"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 3960
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "40":
+ id: "40"
+ taskid: a644f393-2a73-4636-87ff-268d5749c0a9
+ type: regular
+ task:
+ id: a644f393-2a73-4636-87ff-268d5749c0a9
+ version: -1
+ name: Resolve the alert
+ description: commands.local.cmd.close.inv
+ script: Builtin|||closeInvestigation
+ type: regular
+ iscommand: true
+ brand: Builtin
+ nexttasks:
+ '#none#':
+ - "41"
+ scriptarguments:
+ closeReason:
+ simple: True Positive
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 230,
+ "y": 4130
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "41":
+ id: "41"
+ taskid: 96dc1d91-027c-42df-8583-147db90ef748
+ type: title
+ task:
+ id: 96dc1d91-027c-42df-8583-147db90ef748
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 4300
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "42":
+ id: "42"
+ taskid: 5f62213f-792b-48f0-8634-5ff19c956128
+ type: playbook
+ task:
+ id: 5f62213f-792b-48f0-8634-5ff19c956128
+ version: -1
+ name: Cortex XDR - XCloud Token Theft - Set Verdict
+ description: |-
+ ---
+
+ ## Cloud Token Theft - Set Verdict Playbook
+
+ The playbook is built from a decision tree whose ultimate goal is to decide whether the observed activity is malicious.
+
+ ### Event Search
+
+ The playbook searches for events based on the attacker's IP address within the last two hours.
+
+ ### Tests Performed
+
+ The following tests are performed on the observed activity:
+
+ 1. **Malicious IP Check**: Determines if the IP address is malicious.
+ 2. **CSP ASN Check**: Checks if the activity was performed from an Autonomous System Number (ASN) belonging to one of the Cloud Service Providers (CSPs).
+ 3. **IP and ASN History Check**: Verifies if the IP address and ASN have been previously observed.
+ 4. **Region Check**: Determines if the API call was made from outside the recognized region.
+ 5. **Anomalous State Check**: Checks if the API call was made from an anomalous state.
+ 6. **Alert Check**: Looks for any related alerts around the event, including:
+ - Possible cloud instance metadata service (IMDS) abuse.
+ - Impossible Traveler by cloud identity.
+
+ ---
+ playbookName: Cortex XDR - XCloud Token Theft - Set Verdict
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "8"
+ scriptarguments:
+ fromDate:
+ complex:
+ root: incident
+ accessor: occurred
+ transformers:
+ - operator: ModifyDateTime
+ args:
+ variation:
+ value:
+ simple: 2 hours ago
+ sourceIP:
+ complex:
+ root: incident.xdralerts
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: incident.xdralerts.alert_id
+ iscontext: true
+ right:
+ value:
+ simple: inputs.alert_id
+ iscontext: true
+ ignorecase: true
+ accessor: hostip
+ separatecontext: false
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 585
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "43":
+ id: "43"
+ taskid: c91dd6e8-1997-4356-8956-1da70003f6a6
+ type: playbook
+ task:
+ id: c91dd6e8-1997-4356-8956-1da70003f6a6
+ version: -1
+ name: IP Enrichment
- Generic v2
+ description: |-
+ Enrich IP addresses using one or more integrations.
+
+ - Resolve IP addresses to hostnames (DNS).
+ - Provide threat information.
+ - Separate internal and external IP addresses.
+ - For internal IP addresses, get host information.
+ playbookName: IP Enrichment - Generic v2
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "6"
+ scriptarguments:
+ IP:
+ complex:
+ root: PaloAltoNetworksXDR.Incident.alerts
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Incident.alerts.alert_id
+ iscontext: true
+ right:
+ value:
+ simple: inputs.alert_id
+ iscontext: true
+ accessor: host_ip
+ transformers:
+ - operator: uniq
+ InternalRange:
+ complex:
+ root: inputs.InternalRange
+ transformers:
+ - operator: uniq
+ ResolveIP:
+ complex:
+ root: inputs.ResolveIP
+ UseReputationCommand:
+ simple: "True"
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 190,
+ "y": 280
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "44":
+ id: "44"
+ taskid: 7a696e2d-c5ad-468f-8f3d-acc1821178a9
+ type: playbook
+ task:
+ id: 7a696e2d-c5ad-468f-8f3d-acc1821178a9
+ version: -1
+ name: Cloud Threat Hunting - Persistence
+ description: |-
+ ---
+
+ ## Cloud Threat Hunting - Persistence Playbook
+
+ The playbook is responsible for hunting persistence activity in the cloud. It supports AWS, GCP, and Azure.
+
+ ### Hunting Queries
+
+ The playbook executes hunting queries for each provider related to each of the following:
+
+ 1. IAM
+ 2. Compute Resources
+ 3. Compute Functions
+
+ ### Indicator Extraction
+
+ If relevant events are found during the search, indicators will be extracted using the `ExtractIndicators-CloudLogging` script.
+ + --- + playbookName: Cloud Threat Hunting - Persistence + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "14" + scriptarguments: + AWSAccessKeyID: + complex: + root: alertJson.raw_abioc.event._aws_specific_fields + accessor: access_key_id + AWSTimespan: + complex: + root: incident + accessor: occurred + transformers: + - operator: ModifyDateTime + args: + variation: + value: + simple: 2 hours ago + - operator: Cut + args: + delimiter: + value: + simple: + + fields: + value: + simple: "1" + AzureTimespan: + simple: 2h + GCPTimespan: + complex: + root: incident + accessor: occurred + transformers: + - operator: ModifyDateTime + args: + variation: + value: + simple: 2 hours ago + - operator: replace + args: + limit: {} + replaceWith: + value: + simple: Z + toReplace: + value: + simple: "+00:00" + cloudProvider: + complex: + root: incident.xdralerts + accessor: cloudprovider + transformers: + - operator: uniq + projectName: + complex: + root: incident + accessor: cloudproject + region: + complex: + root: PaloAltoNetworksXDR.OriginalAlert.event + accessor: region + transformers: + - operator: uniq + username: + complex: + root: incident.xdralerts + accessor: username + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 450, + "y": 1710 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: bf91fff7-ddf2-4d82-834b-ff04fb7855dc + type: playbook + task: + id: bf91fff7-ddf2-4d82-834b-ff04fb7855dc + version: -1 + name: Entity Enrichment - Generic v3 + description: Enrich entities using one or more integrations. 
+ playbookName: Entity Enrichment - Generic v3
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "19"
+ scriptarguments:
+ CVE:
+ complex:
+ root: CVE
+ accessor: ID
+ Domain:
+ complex:
+ root: Domain
+ accessor: Name
+ transformers:
+ - operator: uniq
+ Email:
+ complex:
+ root: Account
+ accessor: Email.Address
+ transformers:
+ - operator: uniq
+ Hostname:
+ complex:
+ root: Endpoint
+ accessor: Hostname
+ transformers:
+ - operator: uniq
+ IP:
+ complex:
+ root: CloudIndicators
+ accessor: source_ip
+ transformers:
+ - operator: uniq
+ MD5:
+ complex:
+ root: File
+ accessor: MD5
+ transformers:
+ - operator: uniq
+ ResolveIP:
+ simple: "False"
+ SHA1:
+ complex:
+ root: File
+ accessor: SHA1
+ transformers:
+ - operator: uniq
+ SHA256:
+ complex:
+ root: File
+ accessor: SHA256
+ transformers:
+ - operator: uniq
+ URL:
+ complex:
+ root: URL
+ accessor: Data
+ transformers:
+ - operator: uniq
+ Username:
+ complex:
+ root: CloudIndicators
+ accessor: username
+ transformers:
+ - operator: uniq
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 660,
+ "y": 2050
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "47":
+ id: "47"
+ taskid: ee15ff26-c492-40db-81da-fb0628d52216
+ type: playbook
+ task:
+ id: ee15ff26-c492-40db-81da-fb0628d52216
+ version: -1
+ name: Cloud Enrichment - Generic
+ description: |2-
+
+ ## Generic Cloud Enrichment Playbook
+
+ The **Cloud Enrichment - Generic Playbook** is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments.
+
+ ### Supported Blocks
+
+ 1. 
**Cloud IAM Enrichment - Generic**
+ - Enriches information related to Identity and Access Management (IAM) in the cloud.
+
+ 2. **Cloud Compute Enrichment - Generic**
+ - Enriches information related to cloud compute resources.
+
+ The playbook supports a single CSP enrichment at a time.
+ playbookName: Cloud Enrichment - Generic
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "19"
+ scriptarguments:
+ cloudProvider:
+ complex:
+ root: incident.xdralerts
+ accessor: cloudprovider
+ transformers:
+ - operator: uniq
+ instanceName:
+ complex:
+ root: CloudIndicators
+ accessor: resource_name
+ username:
+ complex:
+ root: CloudIndicators
+ accessor: username
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 240,
+ "y": 2050
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "49":
+ id: "49"
+ taskid: 28affdfa-fc9e-450b-8148-ed1f29bfa1f4
+ type: condition
+ task:
+ id: 28affdfa-fc9e-450b-8148-ed1f29bfa1f4
+ version: -1
+ name: Investigate and set verdict
+ description: You should investigate the data collected manually and choose how the playbook should continue.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "61"
+ Malicious:
+ - "50"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 920
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "50":
+ id: "50"
+ taskid: c0f0c235-a092-4f49-81d6-642230c1e69a
+ type: condition
+ task:
+ id: c0f0c235-a092-4f49-81d6-642230c1e69a
+ version: -1
+ name: Should execute early containment?
+ description: Whether to execute early containment and block the IP address and respond to the username involved.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "5"
+ "yes":
+ - "11"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isEqualString
+ left:
+ value:
+ complex:
+ root: inputs.earlyContainment
+ iscontext: true
+ right:
+ value:
+ simple: "True"
+ ignorecase: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 1100
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "51":
+ id: "51"
+ taskid: 7e6cfe98-fc45-421f-83a9-54b233392498
+ type: playbook
+ task:
+ id: 7e6cfe98-fc45-421f-83a9-54b233392498
+ version: -1
+ name: Cloud Response - Generic
+ description: |-
+ This playbook provides response playbooks for:
+ - AWS
+ - Azure
+ - GCP
+
+ The response actions available are:
+ - Terminate/Shut down/Power off an instance.
+ - Delete/Disable a user.
+ - Delete/Revoke/Disable credentials.
+ - Block indicators.
+ playbookName: Cloud Response - Generic
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "34"
+ scriptarguments:
+ AWS-accessKeyRemediationType:
+ simple: Disable
+ AWS-resourceRemediationType:
+ simple: Stop
+ AWS-userRemediationType:
+ simple: Revoke
+ Azure-resourceRemediationType:
+ simple: Poweroff
+ Azure-userRemediationType:
+ simple: Disable
+ GCP-resourceRemediationType:
+ simple: Stop
+ GCP-userRemediationType:
+ simple: Disable
+ accessKeyId:
+ complex:
+ root: CloudIndicators
+ accessor: access_key_id
+ autoAccessKeyRemediation:
+ complex:
+ root: inputs.autoAccessKeyRemediation
+ autoBlockIndicators:
+ complex:
+ root: inputs.autoBlockIndicators
+ autoResourceRemediation:
+ complex:
+ root: inputs.autoResourceRemediation
+ autoUserRemediation:
+ complex:
+ root: inputs.autoUserRemediation
+ cloudProvider:
+ complex:
+ root: incident.xdralerts
+ accessor: cloudprovider
+ transformers:
+ - operator: uniq
+ username:
+ complex:
+ root: CloudIndicators
+ accessor: username
+ separatecontext: false
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 890,
+ "y": 3005
+ }
+ }
+ note: false
+ timertriggers:
+ - fieldname: containmentsla
+ action: start
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "52":
+ id: "52"
+ taskid: 3355a9b9-c68a-4851-8dd3-9020c4e35043
+ type: condition
+ task:
+ id: 3355a9b9-c68a-4851-8dd3-9020c4e35043
+ version: -1
+ name: Check the VPN list type
+ description: Checks if the provided data is comma separated or an URL.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "55"
+ URL:
+ - "53"
+ separatecontext: false
+ conditions:
+ - label: URL
+ condition:
+ - - operator: startWith
+ left:
+ value:
+ complex:
+ root: inputs.VPNIPList
+ iscontext: true
+ right:
+ value:
+ simple: http://
+ ignorecase: true
+ - operator: startWith
+ left:
+ value:
+ complex:
+ root: inputs.VPNIPList
+ iscontext: true
+ right:
+ value:
+ simple: https://
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -630,
+ "y": -720
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "53":
+ id: "53"
+ taskid: 6d1c856f-4737-4871-8144-a2190b328b79
+ type: regular
+ task:
+ id: 6d1c856f-4737-4871-8144-a2190b328b79
+ version: -1
+ name: Process the VPN IP list
+ description: This script will extract indicators from a given HTML and will handle bad top-level domains to avoid false positives caused by file extensions.
+ scriptName: ParseHTMLIndicators
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "55"
+ scriptarguments:
+ ignore-outputs:
+ simple: "false"
+ url:
+ complex:
+ root: inputs.VPNIPList
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -630,
+ "y": -540
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ fieldMapping:
+ - incidentfield: Device External IPs
+ output:
+ simple: ${http.parsedBlog.indicators}
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "54":
+ id: "54"
+ taskid: 4d99ecaf-00c7-456c-8a4a-4bbb508f739f
+ type: condition
+ task:
+ id: 4d99ecaf-00c7-456c-8a4a-4bbb508f739f
+ version: -1
+ name: Was a VPN list provided?
+ description: Checks if data was provided for the VPNIPList input.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "59"
+ "yes":
+ - "52"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: inputs.VPNIPList
+ iscontext: true
+ right:
+ value: {}
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": -890
+ }
+ }
+ note: false
+ timertriggers:
+ - fieldname: triagesla
+ action: start
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "55":
+ id: "55"
+ taskid: 032a1d38-1285-47a9-812f-60ed54a62e73
+ type: condition
+ task:
+ id: 032a1d38-1285-47a9-812f-60ed54a62e73
+ version: -1
+ name: 'Is the attacker IP matches a VPN IP? '
+ description: Checks if the attacker's IP address is part of the VPN IP list.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "59"
+ "yes":
+ - "57"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: in
+ left:
+ value:
+ complex:
+ root: PaloAltoNetworksXDR.Incident.alerts
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Incident.alerts.alert_id
+ iscontext: true
+ right:
+ value:
+ simple: inputs.alert_id
+ iscontext: true
+ accessor: host_ip
+ iscontext: true
+ right:
+ value:
+ complex:
+ root: inputs.VPNIPList
+ iscontext: true
+ ignorecase: true
+ - operator: in
+ left:
+ value:
+ complex:
+ root: PaloAltoNetworksXDR.Incident.alerts
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Incident.alerts.alert_id
+ iscontext: true
+ right:
+ value:
+ simple: inputs.alert_id
+ iscontext: true
+ accessor: host_ip
+ iscontext: true
+ right:
+ value:
+ simple: VPNIPList
+ iscontext: true
+ - operator: IsInCidrRanges
+ left:
+ value:
+ complex:
+ root: PaloAltoNetworksXDR.Incident.alerts
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: 
PaloAltoNetworksXDR.Incident.alerts.alert_id
+ iscontext: true
+ right:
+ value:
+ simple: inputs.alert_id
+ iscontext: true
+ accessor: host_ip
+ iscontext: true
+ right:
+ value:
+ complex:
+ root: inputs.VPNIPList
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -630,
+ "y": -380
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "56":
+ id: "56"
+ taskid: 659e9b8b-7fee-4154-8818-0c76ebf9c894
+ type: condition
+ task:
+ id: 659e9b8b-7fee-4154-8818-0c76ebf9c894
+ version: -1
+ name: Should continue and investigate a known VPN IP address?
+ description: Once the attacker's IP address is part of the VPN IP list, the analyst will be required to decide whether to continue with the investigation.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "61"
+ "Yes":
+ - "59"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -860,
+ "y": -30
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "57":
+ id: "57"
+ taskid: c9552aee-9a61-416d-8217-50159012012d
+ type: regular
+ task:
+ id: c9552aee-9a61-416d-8217-50159012012d
+ version: -1
+ name: Set Is VPN IP Address to true
+ description: commands.local.cmd.set.incident
+ script: Builtin|||setIncident
+ type: regular
+ iscommand: true
+ brand: Builtin
+ nexttasks:
+ '#none#':
+ - "56"
+ scriptarguments:
+ isvpnipaddress:
+ simple: "true"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -630,
+ "y": -200
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "58":
+ id: "58"
+ taskid: d076f779-e719-456f-8162-f3ad783c08cd
+ type: playbook
+ task:
+ id: 
d076f779-e719-456f-8162-f3ad783c08cd
+ version: -1
+ name: TIM - Indicator Relationships Analysis
+ description: |-
+ This playbook is designed to assist with a security investigation by providing an analysis of indicator relationships. The following information is included:
+ - Indicators of compromise (IOCs) related to the investigation.
+ - Attack patterns related to the investigation.
+ - Campaigns related to the investigation.
+ - IOCs associated with the identified campaigns.
+ - Reports containing details on the identified campaigns.
+ playbookName: TIM - Indicator Relationships Analysis
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "6"
+ scriptarguments:
+ Indicator:
+ complex:
+ root: PaloAltoNetworksXDR.Incident.alerts
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: PaloAltoNetworksXDR.Incident.alerts.alert_id
+ iscontext: true
+ right:
+ value:
+ simple: inputs.alert_id
+ iscontext: true
+ accessor: host_ip
+ LimitResults:
+ simple: "200"
+ separatecontext: true
+ continueonerrortype: ""
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 280
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "59":
+ id: "59"
+ taskid: f404a3f8-a421-44e3-8818-81b83865e654
+ type: title
+ task:
+ id: f404a3f8-a421-44e3-8818-81b83865e654
+ version: -1
+ name: Enrichment
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "4"
+ - "58"
+ - "43"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -230,
+ "y": 140
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "61":
+ id: "61"
+ taskid: 043be677-29be-4c9f-894a-801024ade783
+ type: regular
+ task:
+ id: 
043be677-29be-4c9f-894a-801024ade783
+ version: -1
+ name: Closer XDR incident as False Positive
+ description: Updates one or more fields of a specified incident. Missing fields will be ignored. To remove the assignment for an incident, pass a null value in the assignee email argument.
+ script: '|||xdr-update-incident'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "62"
+ scriptarguments:
+ incident_id:
+ complex:
+ root: incident
+ accessor: xdrincidentid
+ resolve_comment:
+ simple: Resolved using Cortex XSOAR in incident id ${incident.investigationId}
+ status:
+ simple: RESOLVED_FALSE_POSITIVE
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -860,
+ "y": 3010
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "62":
+ id: "62"
+ taskid: eefcea6e-32df-4efe-868a-982db65eaadf
+ type: regular
+ task:
+ id: eefcea6e-32df-4efe-868a-982db65eaadf
+ version: -1
+ name: Close XSOAR incident as False Positive
+ description: commands.local.cmd.close.inv
+ script: Builtin|||closeInvestigation
+ type: regular
+ iscommand: true
+ brand: Builtin
+ nexttasks:
+ '#none#':
+ - "41"
+ scriptarguments:
+ closeReason:
+ simple: False Positive
+ id:
+ complex:
+ root: incident
+ accessor: id
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -860,
+ "y": 3185
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {
+ "19_15_yes": 0.65,
+ "19_20_#default#": 0.48,
+ "23_51_Yes": 0.61,
+ "36_35_Yes": 0.41,
+ "36_37_#default#": 0.8,
+ "38_39_Yes": 0.42,
+ "49_61_#default#": 0.1,
+ "54_59_#default#": 0.11,
+ "55_57_yes": 0.43,
+ "55_59_#default#": 0.21,
+ "56_61_#default#": 0.14,
+ "8_49_#default#": 0.48,
+ "8_50_Malicious": 0.63
+ },
+ 
"paper": { + "dimensions": { + "height": 5835, + "width": 2130, + "x": -860, + "y": -1470 + } + } + } +inputs: +- key: alert_id + value: + complex: + root: alert + accessor: investigationId + required: false + description: The alert ID. + playbookInputQuery: +- key: InternalRange + value: {} + required: false + description: A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. + playbookInputQuery: +- key: ResolveIP + value: + simple: "False" + required: false + description: Determines whether to convert the IP address to a hostname using a DNS query (True/ False). + playbookInputQuery: +- key: earlyContainment + value: + simple: "True" + required: false + description: |- + Whether to execute early containment. + This action allows you to respond rapidly but have higher probability for false positives. + playbookInputQuery: +- key: VPNIPList + value: {} + required: false + description: |- + This input can process two types of data: + 1. A comma-separated list of internal IPs assigned by the VPN provider using a XSIAM list or an hardcoded array. + 2. A link to an IP list which will be processed and extract the IP dynamically which each execution. + + For CIDRs, use the InternalRange input. + playbookInputQuery: +- key: autoResourceRemediation + value: + simple: "False" + required: false + description: Whether to execute the resource remediation automatically. + playbookInputQuery: +- key: autoAccessKeyRemediation + value: + simple: "False" + required: false + description: Whether to execute the access key remediation automatically. + playbookInputQuery: +- key: autoUserRemediation + value: + simple: "False" + required: false + description: Whether to execute the user remediation automatically. + playbookInputQuery: +- key: autoBlockIndicators + value: + simple: "False" + required: false + description: Whether to execute the indicators remediation automatically. 
+ playbookInputQuery:
+outputs: []
+tests:
+- No tests (auto formatted)
+marketplaces: ["xsoar"]
+fromversion: 6.8.0
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_Response_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_Response_README.md
new file mode 100644
index 000000000000..a5152c8bbe0a
--- /dev/null
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_XCloud_Token_Theft_Response_README.md
@@ -0,0 +1,103 @@ +--- + +## Cloud Token Theft Response Playbook + +The **Cloud Token Theft Response Playbook** provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: + +**Cloud Enrichment:** +- Enriches the involved resources. +- Enriches the involved identities. +- Enriches the involved IPs. + +**Verdict Decision Tree:** +- Determines the appropriate verdict based on the investigation findings. + +**Early Containment using the Cloud Response - Generic Playbook:** +- Implements early containment measures to prevent further impact. + +**Cloud Persistence Threat Hunting:** +- Conducts threat hunting activities to identify any cloud persistence techniques. + +**Enriching and Responding to Hunting Findings:** +- Performs additional enrichment and responds to the findings from threat hunting. + +**Verdict Handling:** +- Handles false positives identified during the investigation. +- Handles true positives by initiating appropriate response actions. + +### Supported Alerts + +| Alert Name | CSP | +|----------------------------------------------------|-------| +| Suspicious usage of AWS Lambda’s token | AWS | +| Suspicious usage of AWS Lambda’s role | AWS | +| Suspicious usage of EC2 token | AWS | +| Remote usage of an AWS service token | AWS | +| Remote usage of an AWS EKS token | AWS | +| Suspicious usage of an AWS EKS token | AWS | +| Suspicious usage of an AWS ECS token | AWS | +| Remote usage of an AWS ECS token | AWS | +| Suspicious usage of AWS service token | AWS | +| Remote usage of an App engine Service Account token | GCP | +| Suspicious usage of App engine Service Account token| GCP | +| Remote usage of VM Service Account token | GCP | +| Suspicious usage of VM Service Account toke | GCP | + +--- + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. 
+ +### Sub-playbooks + +* IP Enrichment - Generic v2 +* Cloud Threat Hunting - Persistence +* Cortex XDR - XCloud Token Theft - Set Verdict +* TIM - Indicator Relationships Analysis +* Entity Enrichment - Generic v3 +* Cloud Enrichment - Generic +* Cloud Response - Generic + +### Integrations + +This playbook does not use any integrations. + +### Scripts + +* ParseHTMLIndicators +* LoadJSON + +### Commands + +* xdr-get-cloud-original-alerts +* xdr-update-incident +* setIncident +* closeInvestigation + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| alert_id | The alert ID. | alert.investigationId | Optional | +| InternalRange | A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. | | Optional | +| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query \(True/ False\). | False | Optional | +| earlyContainment | Whether to execute early containment.
This action allows you to respond rapidly but have higher probability for false positives. | True | Optional | +| VPNIPList | This input can process two types of data:
1. A comma-separated list of internal IPs assigned by the VPN provider using a XSIAM list or an hardcoded array.
2. A link to an IP list which will be processed and extract the IP dynamically which each execution.

For CIDRs, use the InternalRange input. | | Optional | +| autoResourceRemediation | Whether to execute the resource remediation automatically. | False | Optional | +| autoAccessKeyRemediation | Whether to execute the access key remediation automatically. | False | Optional | +| autoUserRemediation | Whether to execute the user remediation automatically. | False | Optional | +| autoBlockIndicators | Whether to execute the indicators remediation automatically. | False | Optional | + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![Cortex XDR - XCloud Token Theft Response](../doc_files/Cortex_XDR_-_XCloud_Token_Theft_Response.png) diff --git a/Packs/CloudIncidentResponse/README.md b/Packs/CloudIncidentResponse/README.md index f1b1133f5c1a..ecada17ada4f 100644 --- a/Packs/CloudIncidentResponse/README.md +++ b/Packs/CloudIncidentResponse/README.md @@ -1,9 +1,5 @@ # Cloud Incident Response -**Short Description:** This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP. - -**Pack Description:** - As enterprise resources are moving to the cloud, attackers develop dedicated attacks to be able to access, manipulate, and exfiltrate cloud information and resources. Adequate response and remediation of such attacks requires cloud knowledge and extensive context. This content pack helps you automate collection from cloud logs and then perform investigation and automated remediation of incidents based on cloud infrastructure activities in AWS, Azure, and GCP. It does not require an agent, resulting in a shorter time to resolution for cloud incidents. diff --git a/Packs/CloudIncidentResponse/ReleaseNotes/1_0_3.md b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..3f6ad49c3d0f --- /dev/null +++ b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_3.md 
@@ -0,0 +1,27 @@ + +#### Layouts + +##### CLOUD Token Theft + +Restricted the content for XSIAM only. + +#### Playbooks + +##### Cloud Token Theft - Set Verdict + +Restricted the content for XSIAM only. +##### Cloud Token Theft Response + +- Restricted the content for XSIAM only. +##### New: Cortex XDR - XCloud Token Theft Response + + +##### New: Cortex XDR - XCloud Token Theft - Set Verdict + + + +#### Scripts + +##### displayCloudIndicators + +Added a code block that converts the input to a list if it's not. diff --git a/Packs/CloudIncidentResponse/Scripts/displayCloudIndicators/displayCloudIndicators.py b/Packs/CloudIncidentResponse/Scripts/displayCloudIndicators/displayCloudIndicators.py index 7af260661ee7..7da6bc11aa67 100644 --- a/Packs/CloudIncidentResponse/Scripts/displayCloudIndicators/displayCloudIndicators.py +++ b/Packs/CloudIncidentResponse/Scripts/displayCloudIndicators/displayCloudIndicators.py @@ -51,6 +51,10 @@ def main(): # Fetch alert mapped fields fields_list = demisto.context().get('CloudIndicators', []) + # Check if fields_list is a list, if not, convert it to a list + if not isinstance(fields_list, list): + fields_list = [fields_list] + # Extract the keys with values items = [] for fields in fields_list: diff --git a/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.png b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.png new file mode 100644 index 000000000000..efbb4159d450 Binary files /dev/null and b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_XCloud_Token_Theft_-_Set_Verdict.png differ diff --git a/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_XCloud_Token_Theft_Response.png b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_XCloud_Token_Theft_Response.png new file mode 100644 index 000000000000..74f6cdc4dd21 Binary files /dev/null and b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_XCloud_Token_Theft_Response.png differ 
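Review bot: The new guard wraps any non-list value, so a falsy context entry such as `""` becomes `[""]` and reaches the `for fields in fields_list:` loop, whose body lies outside the hunk and would presumably fail on a scalar element. Make the branch `fields_list = [fields_list] if fields_list else []` under the same `if not isinstance(fields_list, list):` check. The added comment only restates the code; say why the shape varies instead, e.g. `# a single mapped object presumably arrives as a dict rather than a one-element list` — hedged, since the producer of CloudIndicators is not visible here.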
diff --git a/Packs/CloudIncidentResponse/pack_metadata.json b/Packs/CloudIncidentResponse/pack_metadata.json
index 9907af82685e..59736948258b 100644
--- a/Packs/CloudIncidentResponse/pack_metadata.json
+++ b/Packs/CloudIncidentResponse/pack_metadata.json
@@ -1,8 +1,8 @@
 {
 "name": "Cloud Incident Response",
- "description": "Automates the collection, investigation, and response of cloud incidents",
+ "description": "This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.",
 "support": "xsoar",
- "currentVersion": "1.0.2",
+ "currentVersion": "1.0.3",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
@@ -17,9 +17,14 @@
 "Cloud",
 "IR",
 "Incident Response",
- "Token Theft"
+ "Token Theft",
+ "Credentials",
+ "XDR",
+ "XCloud",
+ "Response"
 ],
 "marketplaces": [
- "marketplacev2"
+ "marketplacev2",
+ "xsoar"
 ]
 }
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Cloud_Operation_Type.json b/Packs/CommonTypes/IncidentFields/incidentfield-Cloud_Operation_Type.json
new file mode 100644
index 000000000000..870baff86c16
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Cloud_Operation_Type.json
@@ -0,0 +1,30 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "cloudoperationtype",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_cloudoperationtype",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Cloud Operation Type",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "marketplaces": [
+ "xsoar"
+ ],
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
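Review bot: Only this field and User_Agent carry `"marketplaces": ["xsoar"]`; the other five CommonTypes fields added in this commit (Identity Type, Operation Name, Project ID, Referenced Resource ID, Referenced Resource Name) have no marketplaces key at all. The restriction looks deliberate, since CoreAlertFields ships same-named `cloudoperationtype` and `useragent` fields scoped to marketplacev2 in the same commit, but the mixed scoping reads as an oversight without a note. JSON has no comment syntax, so record it in the 3_3_80 release note, e.g. `Cloud Operation Type and User Agent are XSOAR-only; the XSIAM equivalents live in Core Alert Fields.`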
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Identity_Type.json b/Packs/CommonTypes/IncidentFields/incidentfield-Identity_Type.json
new file mode 100644
index 000000000000..7d16bb80f047
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Identity_Type.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "identitytype",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_identitytype",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Identity Type",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Operation_Name.json b/Packs/CommonTypes/IncidentFields/incidentfield-Operation_Name.json
new file mode 100644
index 000000000000..15b8c42199df
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Operation_Name.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "operationname",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_operationname",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Operation Name",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Project_ID.json b/Packs/CommonTypes/IncidentFields/incidentfield-Project_ID.json
new file mode 100644
index 000000000000..558b2fea7895
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Project_ID.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "projectid",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_projectid",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Project ID",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Referenced_Resource_ID.json b/Packs/CommonTypes/IncidentFields/incidentfield-Referenced_Resource_ID.json
new file mode 100644
index 000000000000..804ebb0edf62
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Referenced_Resource_ID.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "referencedresourceid",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_referencedresourceid",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Referenced Resource ID",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Referenced_Resource_Name.json b/Packs/CommonTypes/IncidentFields/incidentfield-Referenced_Resource_Name.json
new file mode 100644
index 000000000000..a8cb826df388
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Referenced_Resource_Name.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "referencedresourcename",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_referencedresourcename",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Referenced Resource Name",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.8.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-User_Agent.json b/Packs/CommonTypes/IncidentFields/incidentfield-User_Agent.json
new file mode 100644
index 000000000000..a3bcc7d93354
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-User_Agent.json
@@ -0,0 +1,30 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "useragent",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_useragent",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "User Agent",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.8.0",
+ "marketplaces": [
+ "xsoar"
+ ]
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/ReleaseNotes/3_3_80.md b/Packs/CommonTypes/ReleaseNotes/3_3_80.md
new file mode 100644
index 000000000000..12019da69099
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_3_80.md
@@ -0,0 +1,16 @@
+
+#### Incident Fields
+
+- New: **Cloud Operation Type**
+
+- New: **Identity Type**
+
+- New: **Operation Name**
+
+- New: **Project ID**
+
+- New: **Referenced Resource ID**
+
+- New: **Referenced Resource Name**
+
+- New: **User Agent**
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index 1a6913fcc229..b4183c64055e 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Types",
 "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
 "support": "xsoar",
- "currentVersion": "3.3.79",
+ "currentVersion": "3.3.80",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CoreAlertFields/IncidentFields/incidentfield-cloudoperationtype.json b/Packs/CoreAlertFields/IncidentFields/incidentfield-cloudoperationtype.json
index 52d7b365eaca..b5e31e7ffd53 100644
--- a/Packs/CoreAlertFields/IncidentFields/incidentfield-cloudoperationtype.json
+++ b/Packs/CoreAlertFields/IncidentFields/incidentfield-cloudoperationtype.json
@@ -27,5 +27,6 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.5.0",
- "x2_fields": "operation_name"
+ "x2_fields": "operation_name",
+ "marketplaces": ["marketplacev2"]
 }
\ No newline at end of file
diff --git a/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json b/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json
index 219e9968759e..e48440696663 100644
--- a/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json
+++ b/Packs/CoreAlertFields/IncidentFields/incidentfield-useragent.json
@@ -28,6 +28,10 @@
 "version": -1,
 "fromVersion": "6.5.0",
 "x2_fields": "user_agent",
+ "marketplaces": [
+ "marketplacev2",
+ "xpanse"
+ ],
 "Aliases": [
 {
 "cliName": "googlecloudsccfindingsourcepropertiesuseragent",
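Review bot: `useragent` is scoped to marketplacev2 and xpanse while `cloudoperationtype` is scoped to marketplacev2 alone, and the 1_0_26 release note only lists the two field names without saying they were scoped at all. If the xpanse entry is intentional (the alias on the next line suggests a consumer there), record it in the release note, e.g. `Restricted User Agent to XSIAM and Xpanse and Cloud Operation Type to XSIAM; the XSOAR versions now live in Common Types.` The useragent hunk ends inside the Aliases list, which continues past the hunk.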
diff --git a/Packs/CoreAlertFields/ReleaseNotes/1_0_26.md b/Packs/CoreAlertFields/ReleaseNotes/1_0_26.md new file mode 100644 index 000000000000..89121e2e4bf1 --- /dev/null +++ b/Packs/CoreAlertFields/ReleaseNotes/1_0_26.md @@ -0,0 +1,6 @@ + +#### Incident Fields + +- **User Agent** + +- **Cloud Operation Type** diff --git a/Packs/CoreAlertFields/pack_metadata.json b/Packs/CoreAlertFields/pack_metadata.json index d3da15ed3216..edf33c0340c8 100644 --- a/Packs/CoreAlertFields/pack_metadata.json +++ b/Packs/CoreAlertFields/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Core Alert Fields", "description": "This Content Pack will provide you with the core alert fields.", "support": "xsoar", - "currentVersion": "1.0.25", + "currentVersion": "1.0.26", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_Incident.json b/Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_Incident.json index ddc33c3a75ad..b825c87e7135 100644 --- a/Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_Incident.json +++ b/Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_Incident.json @@ -152,7 +152,7 @@ } ], "displayType": "ROW", - "h": 1, + "h": 2, "hideName": false, "i": "1vduzkpmlh-lthdv5gwt9-1vduzkpmlh-770ec200-98b1-11e9-97d7-ed26ef9e46c8", "isVisible": true, @@ -165,12 +165,12 @@ "static": false, "type": "linkedIncidents", "w": 1, - "x": 1, + "x": 2, "y": 6 }, { "displayType": "ROW", - "h": 1, + "h": 2, "hideName": false, "i": "1vduzkpmlh-lthdv5gwt9-1vduzkpmlh-842632c0-98b1-11e9-97d7-ed26ef9e46c8", "isVisible": true, @@ -183,8 +183,8 @@ "static": false, "type": "childInv", "w": 1, - "x": 1, - "y": 7 + "x": 2, + "y": 8 }, { "displayType": "ROW", @@ -359,8 +359,8 @@ "name": "Closing Information", "static": false, "w": 1, - "x": 2, - "y": 6 + "x": 0, + "y": 8 }, { "displayType": "ROW", 
@@ -433,15 +433,6 @@ "sectionItemType": "field", "startCol": 0 }, - { - "endCol": 2, - "fieldId": "userengagement", - "height": 22, - "id": "ea44c6c0-8b6f-11ed-afb3-d73a6f2ed22f", - "index": 7, - "sectionItemType": "field", - "startCol": 0 - }, { "dropEffect": "move", "endCol": 2, @@ -652,8 +643,8 @@ "name": "Mirroring Information", "static": false, "w": 1, - "x": 0, - "y": 8 + "x": 1, + "y": 6 }, { "h": 2, @@ -673,6 +664,46 @@ "type": "custom" }, { + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "xdralertname" + } + }, + "operator": "notContainsGeneral", + "right": { + "isContext": false, + "value": { + "simple": "token" + } + }, + "type": "multiSelect" + } + ], + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "mitretacticname" + } + }, + "operator": "notContainsGeneral", + "right": { + "isContext": false, + "value": { + "simple": "Credential Access" + } + }, + "type": "multiSelect" + } + ] + ], "hidden": false, "id": "swtuqptgvs", "name": "Investigation", @@ -681,13 +712,11 @@ "displayType": "ROW", "h": 2, "hideName": false, - "i": "lthdv5gwt9-swtuqptgvs-067d4900-98b4-11e9-97d7-ed26ef9e46c8", + "i": "1vduzkpmlh-lthdv5gwt9-swtuqptgvs-067d4900-98b4-11e9-97d7-ed26ef9e46c8", "isVisible": true, "items": [], - "maxH": null, - "maxW": 1, + "maxW": 3, "minH": 1, - "minW": 1, "moved": false, "name": "Incident Files", "query": { @@ -711,13 +740,11 @@ "displayType": "ROW", "h": 4, "hideName": false, - "i": "lthdv5gwt9-swtuqptgvs-cc557320-98b7-11e9-b34a-852d068f44fe", + "i": "1vduzkpmlh-lthdv5gwt9-swtuqptgvs-cc557320-98b7-11e9-b34a-852d068f44fe", "isVisible": true, "items": [], - "maxH": null, - "maxW": 2, + "maxW": 3, "minH": 1, - "minW": 2, "moved": false, "name": "Indicators", "query": "", 
@@ -733,7 +760,7 @@ "displayType": "ROW", "h": 3, "hideName": false, - "i": "lthdv5gwt9-swtuqptgvs-075ee440-cc9a-11e9-afca-8792f3871db0", + "i": "1vduzkpmlh-lthdv5gwt9-swtuqptgvs-075ee440-cc9a-11e9-afca-8792f3871db0", "items": [ { "dropEffect": "move", @@ -747,10 +774,8 @@ "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, - "minW": 3, "moved": false, "name": "XDR Alerts", "static": false, @@ -762,7 +787,7 @@ "displayType": "ROW", "h": 3, "hideName": false, - "i": "lthdv5gwt9-swtuqptgvs-2ff499e0-cc9a-11e9-afca-8792f3871db0", + "i": "1vduzkpmlh-lthdv5gwt9-swtuqptgvs-2ff499e0-cc9a-11e9-afca-8792f3871db0", "items": [ { "endCol": 6, @@ -773,10 +798,8 @@ "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, - "minW": 3, "moved": false, "name": "XDR File Artifacts", "static": false, @@ -789,7 +812,7 @@ "h": 3, "hideItemTitleOnlyOne": false, "hideName": false, - "i": "lthdv5gwt9-swtuqptgvs-3604e0b0-cc9a-11e9-afca-8792f3871db0", + "i": "1vduzkpmlh-lthdv5gwt9-swtuqptgvs-3604e0b0-cc9a-11e9-afca-8792f3871db0", "items": [ { "endCol": 6, @@ -801,10 +824,8 @@ "startCol": 0 } ], - "maxH": null, "maxW": 3, "minH": 1, - "minW": 3, "moved": false, "name": "XDR Network Artifacts", "static": false, @@ -816,7 +837,7 @@ "displayType": "ROW", "h": 2, "hideName": false, - "i": "lthdv5gwt9-swtuqptgvs-4309fd80-453a-11eb-bfbf-0d0f7ea2cc09", + "i": "1vduzkpmlh-lthdv5gwt9-swtuqptgvs-4309fd80-453a-11eb-bfbf-0d0f7ea2cc09", "items": [ { "endCol": 4, @@ -828,10 +849,8 @@ "startCol": 0 } ], - "maxH": null, - "maxW": 2, + "maxW": 3, "minH": 1, - "minW": 2, "moved": false, "name": "XDR Endpoint Device Control Violations", "static": false, 
@@ -842,6 +861,344 @@ ], "type": "custom" }, + { + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "xdralertname" + } + }, + "operator": "containsString", + "right": { + "isContext": false, + "value": { + "simple": "token" + } + }, + "type": "multiSelect" + } + ] + ], + "hidden": false, + "id": "tml1wrkxme", + "name": "Technical Details", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "1vduzkpmlh-ohwq8lhsex-caseinfoid-be53e110-3992-11ed-9adb-83e728f46893", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "hostip", + "height": 22, + "id": "aeeee620-ffbc-11ed-91cb-b704c053731a", + "index": 0, + "listId": "caseinfoid-be53e110-3992-11ed-9adb-83e728f46893", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceip", + "height": 22, + "id": "6c27dc10-1507-11ee-afe1-4bea2a14f94c", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "useragent", + "height": 22, + "id": "cbf13710-18e3-11ee-a005-5968c8362785", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "asnname", + "height": 22, + "id": "7bbf2660-ffbd-11ed-91cb-b704c053731a", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "asn", + "height": 22, + "id": "74d9fc50-3fef-11ed-bd56-1f5a2b2d17b4", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "country", + "height": 22, + "id": "4c8d5610-0f52-11ee-81b3-5b1a51073e91", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Attacker Extra Data", + "static": false, + "w": 1, + "x": 1, + "y": 0 + }, + { + "h": 3, + "i": "1vduzkpmlh-ohwq8lhsex-caseinfoid-944f47f0-3fce-11ed-81fb-f98f11f06b6f", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Malicious or 
Suspicious Indicators", + "query": "reputation:Benign OR reputation:Suspicious OR reputation:Malicious", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 2 + }, + { + "h": 2, + "i": "1vduzkpmlh-ohwq8lhsex-caseinfoid-738a28d0-ffd3-11ed-94b9-ab17767bb4e7", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Hunting Results", + "query": { + "categories": [ + "tags" + ], + "preDefinedFilters": true, + "tags": [ + "PersistenceHunting" + ] + }, + "queryType": "warRoomFilter", + "static": false, + "type": "invTimeline", + "w": 1, + "x": 2, + "y": 5 + }, + { + "description": "The indicators extracted from the threat hunting results.", + "h": 3, + "i": "1vduzkpmlh-ohwq8lhsex-caseinfoid-494706a0-063c-11ee-b283-eb5063f641e1", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Cloud Indicators", + "query": "99900222-7570-4e56-8fa6-1206e76be060", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "1vduzkpmlh-d9090e20-158f-11ee-9c72-eb2e3cb3cb42", + "items": [ + { + "endCol": 2, + "fieldId": "projectid", + "height": 22, + "id": "e94dca00-158f-11ee-9c72-eb2e3cb3cb42", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "operationname", + "height": 22, + "id": "f7b7d270-158f-11ee-9c72-eb2e3cb3cb42", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "operationtype", + "height": 22, + "id": "f8abcf60-158f-11ee-9c72-eb2e3cb3cb42", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "identitytype", + "height": 22, + "id": "fc49ddb0-158f-11ee-9c72-eb2e3cb3cb42", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "region", + "height": 22, + "id": "6204ffb0-15b6-11ee-9c72-eb2e3cb3cb42", + "index": 4, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "resourcetype", + "height": 22, + "id": "69d67e80-15b6-11ee-9c72-eb2e3cb3cb42", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "referencedresourceid", + "height": 22, + "id": "a6834e20-18be-11ee-a005-5968c8362785", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "referencedresourcename", + "height": 22, + "id": "a7935e90-18be-11ee-a005-5968c8362785", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Cloud Info", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "1vduzkpmlh-a800cd00-15b6-11ee-9c72-eb2e3cb3cb42", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "triagesla", + "height": 22, + "id": "b474aac0-15b6-11ee-9c72-eb2e3cb3cb42", + "index": 0, + "listId": "1vduzkpmlh-a800cd00-15b6-11ee-9c72-eb2e3cb3cb42", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "containmentsla", + "height": 22, + "id": "b30aba80-15b6-11ee-9c72-eb2e3cb3cb42", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Triage and Containment SLA", + "static": false, + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "1vduzkpmlh-ff06e9b0-1672-11ee-9c72-eb2e3cb3cb42", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "relatedcampaign", + "height": 22, + "id": "a349d8c0-1673-11ee-9c72-eb2e3cb3cb42", + "index": 0, + "listId": "1vduzkpmlh-ff06e9b0-1672-11ee-9c72-eb2e3cb3cb42", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "relatedreport", + "height": 22, + "id": "a60c7b30-1673-11ee-9c72-eb2e3cb3cb42", + "index": 1, + "sectionItemType": "field", + 
"startCol": 0 + }, + { + "endCol": 4, + "fieldId": "xdralertsearchresults", + "height": 106, + "id": "83a31520-18be-11ee-a005-5968c8362785", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 4, + "fieldId": "mitretechniquename", + "height": 22, + "id": "5809fe30-1687-11ee-9c72-eb2e3cb3cb42", + "index": 0, + "listId": "1vduzkpmlh-ff06e9b0-1672-11ee-9c72-eb2e3cb3cb42", + "sectionItemType": "field", + "startCol": 2 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Relationships", + "static": false, + "w": 2, + "x": 0, + "y": 5 + } + ], + "type": "custom" + }, { "filters": [ [ @@ -924,7 +1281,7 @@ "fieldId": "detecteduser", "height": 22, "id": "9050c4c0-8b6a-11ed-8534-dd7eadd1d5dd", - "index": 4, + "index": 3, "sectionItemType": "field", "startCol": 0 }, @@ -933,18 +1290,9 @@ "fieldId": "occurred", "height": 22, "id": "99b47c50-8b6a-11ed-8534-dd7eadd1d5dd", - "index": 5, + "index": 4, "sectionItemType": "field", "startCol": 0 - }, - { - "endCol": 4, - "fieldId": "", - "height": 44, - "id": "cc11c830-91bc-11ed-8f3c-a572807a21ae", - "index": 5, - "sectionItemType": "button", - "startCol": 0 } ], "maxW": 3, @@ -1158,10 +1506,10 @@ { "dropEffect": "move", "endCol": 4, - "fieldId": "relatedreports", + "fieldId": "relatedreport", "height": 22, "id": "f782bd20-8c31-11ed-a026-b1d5b381234f", - "index": 1, + "index": 0, "listId": "1vduzkpmlh-b3c63170-8c31-11ed-a026-b1d5b381234f", "sectionItemType": "field", "startCol": 0 @@ -1172,7 +1520,7 @@ "fieldId": "partofcampaign", "height": 22, "id": "0c60e1d0-8c33-11ed-a026-b1d5b381234f", - "index": 2, + "index": 1, "listId": "1vduzkpmlh-e1c742c0-8b6a-11ed-8534-dd7eadd1d5dd", "sectionItemType": "field", "startCol": 0 
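Review bot: The `Malicious or Suspicious Indicators` section in the new Technical Details tab queries `reputation:Benign OR reputation:Suspicious OR reputation:Malicious`, so benign indicators are listed under a heading that says otherwise; drop the `reputation:Benign OR ` term. The `Cloud Indicators` section references its script by the id `99900222-7570-4e56-8fa6-1206e76be060`; if that is displayCloudIndicators, which this commit also changes, `"query": "displayCloudIndicators"` is the form that survives export to another instance. The Cloud Info section lists `"fieldId": "operationtype"` while the CommonTypes field introduced in this commit has cliName `cloudoperationtype`; unless an `operationtype` field already exists, that item will render empty. The enclosing sections array continues past the hunk.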
@@ -1187,15 +1535,6 @@ "listId": "1vduzkpmlh-b3c63170-8c31-11ed-a026-b1d5b381234f", "sectionItemType": "field", "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "verdictdetails", - "height": 22, - "id": "8641c240-9650-11ed-8dd2-65d32e26c83b", - "index": 3, - "sectionItemType": "field", - "startCol": 0 } ], "maxW": 3, diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml index a1cabdad386a..b2c041997add 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml +++ b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml @@ -706,7 +706,7 @@ tasks: - "38" scriptarguments: type: - simple: Cortex XDR - XCLOUD Cryptojacking + simple: Cortex XDR - XCLOUD Cryptomining separatecontext: false continueonerrortype: "" view: |- diff --git a/Packs/CortexXDR/ReleaseNotes/4_11_8.md b/Packs/CortexXDR/ReleaseNotes/4_11_8.md new file mode 100644 index 000000000000..b9706bc7f636 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/4_11_8.md @@ -0,0 +1,12 @@ + +#### Layouts + +##### Cortex XDR Incident + +- Added a dedicated tab for Cloud Token Theft alerts handling. + +#### Playbooks + +##### Cortex XDR - XCloud Cryptojacking + +- Fix a typo in the Set Incident 'type' field task. diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json index e6dd32d95536..7eec80ecd19c 100644 --- a/Packs/CortexXDR/pack_metadata.json +++ b/Packs/CortexXDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cortex XDR by Palo Alto Networks", "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.", "support": "xsoar", - "currentVersion": "4.11.7", + "currentVersion": "4.11.8", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/TIM_Processing/Playbooks/playbook-TIM_-_Indicator_Relationships_Analysis.yml b/Packs/TIM_Processing/Playbooks/playbook-TIM_-_Indicator_Relationships_Analysis.yml index f6c88ffaf643..02f15a40f113 100644 --- a/Packs/TIM_Processing/Playbooks/playbook-TIM_-_Indicator_Relationships_Analysis.yml +++ b/Packs/TIM_Processing/Playbooks/playbook-TIM_-_Indicator_Relationships_Analysis.yml @@ -284,7 +284,7 @@ tasks: view: |- { "position": { - "x": -1060, + "x": -1050, "y": 1150 } } @@ -642,6 +642,11 @@ tasks: note: false timertriggers: [] ignoreworker: false + fieldMapping: + - incidentfield: Related Campaign + output: + complex: + root: RelatedCampaign skipunavailable: false quietmode: 0 isoversize: false @@ -878,6 +883,11 @@ tasks: note: false timertriggers: [] ignoreworker: false + fieldMapping: + - incidentfield: MITRE Technique Name + output: + complex: + root: RelatedAttackPatterns skipunavailable: false quietmode: 0 isoversize: false diff --git a/Packs/TIM_Processing/ReleaseNotes/1_1_20.md b/Packs/TIM_Processing/ReleaseNotes/1_1_20.md new file mode 100644 index 000000000000..a1f50b59e5c5 --- /dev/null +++ b/Packs/TIM_Processing/ReleaseNotes/1_1_20.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### TIM - Indicator Relationships Analysis + +Added incident fields mapping for Related Campaign and Related Attack Patterns. diff --git a/Packs/TIM_Processing/pack_metadata.json b/Packs/TIM_Processing/pack_metadata.json index dec65df02725..5423a0c4ea8c 100644 --- a/Packs/TIM_Processing/pack_metadata.json +++ b/Packs/TIM_Processing/pack_metadata.json @@ -2,7 +2,7 @@ "name": "TIM - Indicator Auto-Processing", "description": "Too many threat feeds? This Content Pack automates the processing of indicators at scale, significantly reducing busywork for your analysts.", "support": "xsoar", - "currentVersion": "1.1.19", + "currentVersion": "1.1.20", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",
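Review bot: The two new `fieldMapping` entries write `RelatedCampaign` into Related Campaign and `RelatedAttackPatterns` into MITRE Technique Name for every incident that runs this generic sub-playbook, not only the token-theft flows this commit introduces, presumably replacing whatever those fields held before; the playbook description, outside the hunk, should state that side effect. The 1_1_20 release note calls the second mapping "Related Attack Patterns" while the target field is MITRE Technique Name; align the wording. Both task definitions start outside the hunk.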