demisto · idovandijk · Sep 13, 2023 · Sep 7, 2023 · Sep 7, 2023 · Sep 8, 2023
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml b/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_Malware_-_Incident_Enrichment.yml
@@ -831,7 +831,7 @@ tasks:
       description: ''
     nexttasks:
       '#none#':
-      - "29"
+      - "33"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -1075,10 +1075,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "29":
     id: "29"
-    taskid: 779567f1-efb5-4c7c-86e8-47217bd39bef
+    taskid: 671b36a2-ee6a-4eee-8ab4-59a0585d4512
     type: playbook
     task:
-      id: 779567f1-efb5-4c7c-86e8-47217bd39bef
+      id: 671b36a2-ee6a-4eee-8ab4-59a0585d4512
       version: -1
       name: Account Enrichment - Generic v2.1
       playbookName: Account Enrichment - Generic v2.1
@@ -1105,6 +1105,13 @@ tasks:
         complex:
           root: incident
           transformers:
+          - operator: AppendIfNotEmpty
+            args:
+              item:
+                value:
+                  simple: SplitUsernames
+                iscontext: true
+              raw: {}
           - operator: uniq
           accessor: users
     separatecontext: true
@@ -1118,7 +1125,7 @@ tasks:
       {
         "position": {
           "x": 1300,
-          "y": 960
+          "y": 1320
         }
       }
     note: false
@@ -1283,6 +1290,115 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "33":
+    id: "33"
+    taskid: 7ba91df0-f5e8-4678-8608-38e7101b14a0
+    type: condition
+    task:
+      id: 7ba91df0-f5e8-4678-8608-38e7101b14a0
+      version: -1
+      name: Is there a domain user?
+      description: Checks if a user is involved in the incident.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "29"
+      "yes":
+      - "34"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: incident.users
+                filters:
+                - - operator: containsGeneral
+                    left:
+                      value:
+                        simple: incident.users
+                      iscontext: true
+                    right:
+                      value:
+                        simple: \
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1300,
+          "y": 970
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "34":
+    id: "34"
+    taskid: 202387d2-73d5-4fae-8768-82fa0c9465de
+    type: regular
+    task:
+      id: 202387d2-73d5-4fae-8768-82fa0c9465de
+      version: -1
+      name: Split and save usernames
+      description: Splits the usernames from the domains and saves the usernames without the domain prefix in a separate context key, to allow for enrichment of usernames in integrations that do not yet support the domain prefix.
+      scriptName: Set
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "29"
+    scriptarguments:
+      key:
+        simple: SplitUsernames
+      value:
+        complex:
+          root: incident.users
+          filters:
+          - - operator: containsGeneral
+              left:
+                value:
+                  simple: incident.users
+                iscontext: true
+              right:
+                value:
+                  simple: \
+          transformers:
+          - operator: RegexExtractAll
+            args:
+              error_if_no_match: {}
+              ignore_case: {}
+              multi_line: {}
+              period_matches_newline: {}
+              regex:
+                value:
+                  simple: ([^\\]+$)
+              unpack_matches: {}
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 1550,
+          "y": 1150
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 version: -1
 view: |-
   {
@@ -1295,15 +1411,14 @@ view: |-
     "paper": {
       "dimensions": {
         "height": 2015,
-        "width": 2140,
+        "width": 2390,
         "x": -460,
         "y": 190
       }
     }
   }
 tests:
 - Test Playbook - Cortex XDR Malware - Incident Enrichment
-- Test XDR Playbook general commands
 - Test XDR Playbook
 fromversion: 6.5.0
 description: |-

diff --git a/Packs/CortexXDR/ReleaseNotes/5_1_6.md b/Packs/CortexXDR/ReleaseNotes/5_1_6.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex XDR Malware - Incident Enrichment
+
+Added tasks to extract usernames from domain usernames in order to allow enrichment with both integrations that accept domain usernames and integrations that accept only usernames for enrichment.
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_Malware_-_Incident_Enrichment.png b/Packs/CortexXDR/doc_files/Cortex_XDR_Malware_-_Incident_Enrichment.png
diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "5.1.5",
+    "currentVersion": "5.1.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",