From e515006c0dbadd39978dbf123f84b03163676577 Mon Sep 17 00:00:00 2001
From: Yaroslav Nestor
Date: Thu, 14 Sep 2023 17:33:48 +0300
Subject: [PATCH 1/5] Update Threat actor search playbook.
---
 ...ok-Recorded_Future_Threat_Actor_Search.yml | 204 ++++++++++++++----
 1 file changed, 160 insertions(+), 44 deletions(-)
diff --git a/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml b/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml
index efad18c0a809..f1126d992148 100644
--- a/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml
+++ b/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml
@@ -1,20 +1,32 @@
 id: Recorded Future - Threat Actor Search
-version: -1
-description: Template playbook to initiate an Automated Threat Hunt based on the Threat Map in Recorded Future. The Playbook fetches links related to the Threat Actors part of the Threat Map from Recorded Future and launches a hunt in the SIEM for any detections within the environment.
+version: 8
+contentitemexportablefields:
+ contentitemfields:
+ packID: ""
+ packName: Recorded Future Intelligence
+ itemVersion: 1.7.1
+ fromServerVersion: 6.9.0
+ toServerVersion: ""
+ definitionid: ""
+ prevname: ""
+vcShouldKeepItemLegacyProdMachine: false
 name: Recorded Future - Threat Actor Search
+description: Template playbook to initiate an Automated Threat Hunt based on the Threat
+ Map in Recorded Future. The Playbook fetches links related to the Threat Actors
+ part of the Threat Map from Recorded Future and launches a hunt in the SIEM for
+ any detections within the environment.
 starttaskid: "0"
 tasks:
 "0":
 id: "0"
- taskid: 77c2800f-5bc5-4e58-89dc-59acb3d6e189
+ taskid: cf5f9856-0a23-432a-8212-ba8094180132
 type: start
 task:
- id: 77c2800f-5bc5-4e58-89dc-59acb3d6e189
+ id: cf5f9856-0a23-432a-8212-ba8094180132
 version: -1
 name: ""
 iscommand: false
 brand: ""
- description: ''
 nexttasks:
 '#none#':
 - "20"
@@ -36,10 +48,10 @@ tasks: isautoswitchedtoquietmode: false "1": id: "1" - taskid: 5e6d35e2-073b-47b6-8a96-443fe44fb82a + taskid: e61b2aaa-4e80-4929-872c-465a8c274f27 type: regular task: - id: 5e6d35e2-073b-47b6-8a96-443fe44fb82a + id: e61b2aaa-4e80-4929-872c-465a8c274f27 version: -1 name: Threat Actor Map Search description: Get threat actors map. @@ -74,10 +86,10 @@ tasks: isautoswitchedtoquietmode: false "2": id: "2" - taskid: b936a7ba-c115-4cfc-835b-b4fc75ce964e + taskid: 73169a99-6161-460d-8565-9ea07375a5bd type: regular task: - id: b936a7ba-c115-4cfc-835b-b4fc75ce964e + id: 73169a99-6161-460d-8565-9ea07375a5bd version: -1 name: Threat Actor Links Search description: Search links @@ -112,10 +124,10 @@ tasks: isautoswitchedtoquietmode: false "3": id: "3" - taskid: 8400c994-4dc0-44ed-8486-753319712b53 + taskid: f0c59c28-9ca2-4c2b-89ff-40f3efcd9956 type: condition task: - id: 8400c994-4dc0-44ed-8486-753319712b53 + id: f0c59c28-9ca2-4c2b-89ff-40f3efcd9956 version: -1 name: Detection Rules Returned? description: Was there a detection rule found? @@ -155,10 +167,10 @@ tasks: isautoswitchedtoquietmode: false "4": id: "4" - taskid: 6e2d72df-a069-439c-80c7-870316314aba + taskid: a6e735b4-474a-4206-8cbb-c729bff52021 type: condition task: - id: 6e2d72df-a069-439c-80c7-870316314aba + id: a6e735b4-474a-4206-8cbb-c729bff52021 version: -1 name: IoCs Returned? description: Were IoCs returned for the threat actor? @@ -198,13 +210,14 @@ tasks: isautoswitchedtoquietmode: false "6": id: "6" - taskid: 933d18a0-ca4e-45a2-8765-d8249a85e029 + taskid: a7cf5f80-ac05-4cd9-881e-859bfb41fd76 type: regular task: - id: 933d18a0-ca4e-45a2-8765-d8249a85e029 + id: a7cf5f80-ac05-4cd9-881e-859bfb41fd76 version: -1 name: Download Detection Rules Manually - description: Utilize the Recorded Future portal to download any detection rules found. + description: Utilize the Recorded Future portal to download any detection rules + found. type: regular iscommand: false brand: "" 
@@ -229,10 +242,10 @@ tasks: isautoswitchedtoquietmode: false "7": id: "7" - taskid: 1d9d1382-eb04-476f-8fff-2ea959e22595 + taskid: 54acb585-d715-4d0b-88bf-1ea8848b3f88 type: title task: - id: 1d9d1382-eb04-476f-8fff-2ea959e22595 + id: 54acb585-d715-4d0b-88bf-1ea8848b3f88 version: -1 name: Done description: Post detection to collective insight @@ -257,10 +270,10 @@ tasks: isautoswitchedtoquietmode: false "10": id: "10" - taskid: 61d221dc-4277-48da-8449-a744852c542d + taskid: 5723c0e2-d186-40e5-8bd5-d56479395f6e type: condition task: - id: 61d221dc-4277-48da-8449-a744852c542d + id: 5723c0e2-d186-40e5-8bd5-d56479395f6e version: -1 name: Is SIEM enabled? description: Checks if there is an active instance of Splunk or QRadar enabled. @@ -349,10 +362,10 @@ tasks: isautoswitchedtoquietmode: false "11": id: "11" - taskid: 355ec7d4-87c8-4019-8bac-d32e178adafa + taskid: 25aa6fb9-6529-4575-8371-8c390455012e type: playbook task: - id: 355ec7d4-87c8-4019-8bac-d32e178adafa + id: 25aa6fb9-6529-4575-8371-8c390455012e version: -1 name: Splunk Indicator Hunting description: This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators. 
@@ -363,6 +376,60 @@ tasks:
 nexttasks:
 '#none#':
 - "7"
+ scriptarguments:
+ IPAddress:
+ complex:
+ root: ExtractedIndicators
+ accessor: IP
+ IndexName:
+ simple: '*'
+ MD5:
+ complex:
+ root: ExtractedIndicators.File
+ filters:
+ - - operator: stringHasLength
+ left:
+ value:
+ simple: ExtractedIndicators.File
+ iscontext: true
+ right:
+ value:
+ simple: "32"
+ SHA1:
+ complex:
+ root: ExtractedIndicators.File
+ filters:
+ - - operator: stringHasLength
+ left:
+ value:
+ simple: ExtractedIndicators.File
+ iscontext: true
+ right:
+ value:
+ simple: "40"
+ SHA256:
+ complex:
+ root: ExtractedIndicators
+ filters:
+ - - operator: stringHasLength
+ left:
+ value:
+ simple: ExtractedIndicators
+ iscontext: true
+ right:
+ value:
+ simple: "64"
+ accessor: File
+ SelectFields:
+ simple: source,timestamp
+ URLDomain:
+ complex:
+ root: ExtractedIndicators
+ accessor: Domain
+ earliest_time:
+ simple: -1d
+ event_limit:
+ simple: "100"
 separatecontext: true
 continueonerrortype: ""
 loop:
@@ -386,10 +453,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "15":
 id: "15"
- taskid: 7f2917d3-1b3a-40a6-81d8-6d60cbdf36dd
+ taskid: cbc77fcb-3070-46ee-8955-3d4d2fee8069
 type: regular
 task:
- id: 7f2917d3-1b3a-40a6-81d8-6d60cbdf36dd
+ id: cbc77fcb-3070-46ee-8955-3d4d2fee8069
 version: -1
 name: Detection Rules Search
 description: Search detection rules.
@@ -406,6 +473,7 @@ tasks:
 root: RecordedFuture.Links.entity
 accessor: id
 separatecontext: false
+ continueonerror: true
 continueonerrortype: ""
 view: |-
 {
@@ -423,16 +491,15 @@ tasks:
 isautoswitchedtoquietmode: false
 "20":
 id: "20"
- taskid: 5fa4d495-bb82-4308-8ecc-71725f6bb7c0
+ taskid: 38ddcab4-52a3-40c7-814d-d575a6a6058f
 type: title
 task:
- id: 5fa4d495-bb82-4308-8ecc-71725f6bb7c0
+ id: 38ddcab4-52a3-40c7-814d-d575a6a6058f
 version: -1
 name: Enrich Threat Actor
 type: title
 iscommand: false
 brand: ""
- description: ''
 nexttasks:
 '#none#':
 - "1"
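Review bot: The Splunk hunt is bounded to `earliest_time: -1d` and `event_limit: "100"`, while the QRadar hunt added in the later `@@ -598,6 +664,59 @@` hunk uses `TimeFrame: LAST 7 DAYS`, so the same threat-actor indicators are searched over different windows depending on which SIEM is enabled, and more than 100 matching events are truncated with no signal to the analyst. Because this is a template playbook, the window and limit would be easier to tune as playbook inputs with one shared default for both SIEM branches than as literals inside `scriptarguments`; at minimum `simple: -7d` here would line up with the QRadar window. `URLDomain` forwards only `ExtractedIndicators.Domain`, so if the extraction step also yields URL indicators they reach neither hunt — worth confirming against the output of the Extract Links task. Task 11's mapping continues outside the hunk.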
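Review bot: `continueonerror: true` on the Detection Rules Search task makes a failed API call (authentication, rate limiting, connectivity) indistinguishable from a search that simply found no rules: the error is swallowed and the playbook presumably continues into the `Detection Rules Returned?` condition on its empty-result path, so an outage is reported to the analyst as "no detections". If the target server version supports it, routing failures with `continueonerrortype: errorPath` to an `'#error#'` branch ending in a manual review task keeps the no-rules case quiet without hiding real failures; otherwise the task description should at least state it, e.g. `description: Search detection rules. Errors are ignored so an empty result does not stop the playbook.` The surrounding task definition starts and ends outside the hunk.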
@@ -454,16 +521,15 @@ tasks: isautoswitchedtoquietmode: false "21": id: "21" - taskid: 9d406a87-005a-43b0-8dbd-3476f0e2e73d + taskid: f6809841-9522-4670-88c7-288cd4195f59 type: title task: - id: 9d406a87-005a-43b0-8dbd-3476f0e2e73d + id: f6809841-9522-4670-88c7-288cd4195f59 version: -1 name: Look For Detection Rules type: title iscommand: false brand: "" - description: '' nexttasks: '#none#': - "15" @@ -485,16 +551,15 @@ tasks: isautoswitchedtoquietmode: false "22": id: "22" - taskid: 177272bf-3c22-439d-8a59-522a344b8dd3 + taskid: 74075289-0069-4213-8ebf-8a8582f5b050 type: title task: - id: 177272bf-3c22-439d-8a59-522a344b8dd3 + id: 74075289-0069-4213-8ebf-8a8582f5b050 version: -1 name: Hunt Related IoCs type: title iscommand: false brand: "" - description: '' nexttasks: '#none#': - "10" @@ -516,10 +581,10 @@ tasks: isautoswitchedtoquietmode: false "24": id: "24" - taskid: 1d9af62d-bd63-47bc-8fa2-7235af3f1291 + taskid: 77f210d3-8f9e-46ab-899a-42f86aaaf632 type: regular task: - id: 1d9af62d-bd63-47bc-8fa2-7235af3f1291 + id: 77f210d3-8f9e-46ab-899a-42f86aaaf632 version: -1 name: Hunt Indicators Manually description: Review the indicators and initiate a manual investigation. @@ -547,10 +612,10 @@ tasks: isautoswitchedtoquietmode: false "25": id: "25" - taskid: 16c113eb-688f-4bef-8591-b7ee0e05d881 + taskid: 7aabdcb7-1c4a-40c5-8edf-0fb230d0e86d type: regular task: - id: 16c113eb-688f-4bef-8591-b7ee0e05d881 + id: 7aabdcb7-1c4a-40c5-8edf-0fb230d0e86d version: -1 name: Extract Links description: commands.local.cmd.extract.indicators 
@@ -584,13 +649,14 @@ tasks:
 isautoswitchedtoquietmode: false
 "26":
 id: "26"
- taskid: f3e9b929-1dc3-4472-8dc3-b137e27f26f8
+ taskid: 5e4a56e0-974d-4aa3-8f87-4f01107f13dd
 type: playbook
 task:
- id: f3e9b929-1dc3-4472-8dc3-b137e27f26f8
+ id: 5e4a56e0-974d-4aa3-8f87-4f01107f13dd
 version: -1
 name: QRadar Indicator Hunting V2
- description: 'The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls. '
+ description: 'The Playbook queries QRadar SIEM for indicators such as file hashes,
+ IP addresses, domains, or urls. '
 playbookName: QRadar Indicator Hunting V2
 type: playbook
 iscommand: false
@@ -598,6 +664,59 @@ tasks:
 nexttasks:
 '#none#':
 - "7"
+ scriptarguments:
+ IPAddress:
+ complex:
+ root: ExtractedIndicators
+ accessor: IP
+ InvestigationIPFields:
+ simple: sourceip,destinationip
+ InvestigationUserFields:
+ simple: username
+ MD5:
+ complex:
+ root: ExtractedIndicators.File
+ filters:
+ - - operator: stringHasLength
+ left:
+ value:
+ simple: ExtractedIndicators.File
+ iscontext: true
+ right:
+ value:
+ simple: "32"
+ QradarIPfield:
+ simple: sourceip,destinationip
+ SHA1:
+ complex:
+ root: ExtractedIndicators.File
+ filters:
+ - - operator: stringHasLength
+ left:
+ value:
+ simple: ExtractedIndicators.File
+ iscontext: true
+ right:
+ value:
+ simple: "40"
+ SHA256:
+ complex:
+ root: ExtractedIndicators.File
+ filters:
+ - - operator: stringHasLength
+ left:
+ value:
+ simple: ExtractedIndicators.File
+ iscontext: true
+ right:
+ value:
+ simple: "64"
+ TimeFrame:
+ simple: LAST 7 DAYS
+ URLDomain:
+ complex:
+ root: ExtractedIndicators
+ accessor: Domain
 separatecontext: true
 continueonerrortype: ""
 loop:
@@ -641,8 +760,5 @@ inputs:
 value: {}
 required: false
 description: The threat actor to enrich & hunt indicators for.
- playbookInputQuery:
+ playbookInputQuery: null
 outputs: []
-tests:
-- No tests (auto formatted)
-fromversion: 6.9.0
From ea879720da047926de0852db897060ebbf7c2201 Mon Sep 17 00:00:00 2001
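Review bot: The QRadar field names are hard-coded in the new arguments — `InvestigationIPFields` and `QradarIPfield` as `sourceip,destinationip`, `InvestigationUserFields` as `username` — so a deployment whose events carry addresses or users in custom event properties will quietly hunt against the wrong columns and return nothing, which reads as "no detections". Since this is a template playbook, exposing those three values as playbook inputs with the current strings as defaults lets operators adapt them without editing the task, and the same applies to `TimeFrame: LAST 7 DAYS`. Task 26's mapping continues outside the hunk.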
From: Yaroslav Nestor
Date: Thu, 14 Sep 2023 17:39:16 +0300
Subject: [PATCH 2/5] Add release notes
---
 Packs/RecordedFuture/ReleaseNotes/1_7_1.md | 7 +++++++
 Packs/RecordedFuture/pack_metadata.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 Packs/RecordedFuture/ReleaseNotes/1_7_1.md
diff --git a/Packs/RecordedFuture/ReleaseNotes/1_7_1.md b/Packs/RecordedFuture/ReleaseNotes/1_7_1.md
new file mode 100644
index 000000000000..3933d71ea600
--- /dev/null
+++ b/Packs/RecordedFuture/ReleaseNotes/1_7_1.md
@@ -0,0 +1,7 @@
+
+#### Playbooks
+
+##### Recorded Future - Threat Actor Search
+
+- Modify the detections rules "on error" handling to continue because if no detection rule is brought back the playbook errors out which we don't want
+- Add the inputs into the sub playbooks for Splunk and QRadar
diff --git a/Packs/RecordedFuture/pack_metadata.json b/Packs/RecordedFuture/pack_metadata.json
index b43d107b9765..54a3ea3269c9 100644
--- a/Packs/RecordedFuture/pack_metadata.json
+++ b/Packs/RecordedFuture/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Recorded Future Intelligence",
 "description": "Recorded Future App, this pack is previously known as 'RecordedFuture v2'",
 "support": "partner",
- "currentVersion": "1.7.0",
+ "currentVersion": "1.7.1",
 "author": "Recorded Future",
 "url": "https://www.recordedfuture.com/support/demisto-integration/",
 "email": "support@recordedfuture.com",
From 2739d976cec0da71767323f6cf107e1cab43cdbe Mon Sep 17 00:00:00 2001
From: Yaroslav Nestor
Date: Thu, 14 Sep 2023 18:31:19 +0300
Subject: [PATCH 3/5] Fix formatting
---
 ...ok-Recorded_Future_Threat_Actor_Search.yml | 120 +++++++++---------
 1 file changed, 57 insertions(+), 63 deletions(-)
diff --git a/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml b/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml
index f1126d992148..7b513c636f00 100644
--- a/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml +++ b/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml @@ -1,20 +1,7 @@ id: Recorded Future - Threat Actor Search -version: 8 -contentitemexportablefields: - contentitemfields: - packID: "" - packName: Recorded Future Intelligence - itemVersion: 1.7.1 - fromServerVersion: 6.9.0 - toServerVersion: "" - definitionid: "" - prevname: "" -vcShouldKeepItemLegacyProdMachine: false +version: -1 +description: Template playbook to initiate an Automated Threat Hunt based on the Threat Map in Recorded Future. The Playbook fetches links related to the Threat Actors part of the Threat Map from Recorded Future and launches a hunt in the SIEM for any detections within the environment. name: Recorded Future - Threat Actor Search -description: Template playbook to initiate an Automated Threat Hunt based on the Threat - Map in Recorded Future. The Playbook fetches links related to the Threat Actors - part of the Threat Map from Recorded Future and launches a hunt in the SIEM for - any detections within the environment. starttaskid: "0" tasks: "0": @@ -27,6 +14,7 @@ tasks: name: "" iscommand: false brand: "" + description: '' nexttasks: '#none#': - "20" @@ -216,8 +204,7 @@ tasks: id: a7cf5f80-ac05-4cd9-881e-859bfb41fd76 version: -1 name: Download Detection Rules Manually - description: Utilize the Recorded Future portal to download any detection rules - found. + description: Utilize the Recorded Future portal to download any detection rules found. type: regular iscommand: false brand: "" 
@@ -376,6 +363,27 @@ tasks: nexttasks: '#none#': - "7" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 872.5, + "y": 1320 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false scriptarguments: IPAddress: complex: @@ -430,27 +438,6 @@ tasks: simple: -1d event_limit: simple: "100" - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 872.5, - "y": 1320 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false "15": id: "15" taskid: cbc77fcb-3070-46ee-8955-3d4d2fee8069 @@ -473,7 +460,6 @@ tasks: root: RecordedFuture.Links.entity accessor: id separatecontext: false - continueonerror: true continueonerrortype: "" view: |- { @@ -489,6 +475,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerror: true "20": id: "20" taskid: 38ddcab4-52a3-40c7-814d-d575a6a6058f @@ -500,6 +487,7 @@ tasks: type: title iscommand: false brand: "" + description: '' nexttasks: '#none#': - "1" @@ -530,6 +518,7 @@ tasks: type: title iscommand: false brand: "" + description: '' nexttasks: '#none#': - "15" @@ -560,6 +549,7 @@ tasks: type: title iscommand: false brand: "" + description: '' nexttasks: '#none#': - "10" @@ -655,8 +645,7 @@ tasks: id: 5e4a56e0-974d-4aa3-8f87-4f01107f13dd version: -1 name: QRadar Indicator Hunting V2 - description: 'The Playbook queries QRadar SIEM for indicators such as file hashes, - IP addresses, domains, or urls. ' + description: 'The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls. ' playbookName: QRadar Indicator Hunting V2 type: playbook iscommand: false 
@@ -664,6 +653,27 @@ tasks: nexttasks: '#none#': - "7" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 1262.5, + "y": 1320 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false scriptarguments: IPAddress: complex: @@ -717,27 +727,6 @@ tasks: complex: root: ExtractedIndicators accessor: Domain - separatecontext: true - continueonerrortype: "" - loop: - iscommand: false - exitCondition: "" - wait: 1 - max: 100 - view: |- - { - "position": { - "x": 1262.5, - "y": 1320 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { @@ -760,5 +749,10 @@ inputs: value: {} required: false description: The threat actor to enrich & hunt indicators for. - playbookInputQuery: null + playbookInputQuery: outputs: [] +tests: +- No tests (auto formatted) +fromversion: 6.9.0 +contentitemexportablefields: + contentitemfields: {} From 45118c23b06c6455d2b90ac615683f7eaaa17583 Mon Sep 17 00:00:00 2001 From: Yaroslav Nestor Date: Mon, 18 Sep 2023 17:26:12 +0300 Subject: [PATCH 4/5] Change ExtractedIndicators to ExtractedIndicators\.File --- .../Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml b/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml index 7b513c636f00..655ac535e80b 100644 --- a/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml +++ b/Packs/RecordedFuture/Playbooks/playbook-Recorded_Future_Threat_Actor_Search.yml 
@@ -422,7 +422,7 @@ tasks: - - operator: stringHasLength left: value: - simple: ExtractedIndicators + simple: ExtractedIndicators.File iscontext: true right: value: From a5c69040043cd6c0ad58659f8993b397ce60d3bd Mon Sep 17 00:00:00 2001 From: Yaroslav Nestor Date: Thu, 21 Sep 2023 10:02:37 +0300 Subject: [PATCH 5/5] Fix release notes --- Packs/RecordedFuture/ReleaseNotes/1_7_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/RecordedFuture/ReleaseNotes/1_7_1.md b/Packs/RecordedFuture/ReleaseNotes/1_7_1.md index 3933d71ea600..e5df6c56ed3d 100644 --- a/Packs/RecordedFuture/ReleaseNotes/1_7_1.md +++ b/Packs/RecordedFuture/ReleaseNotes/1_7_1.md @@ -3,5 +3,5 @@ ##### Recorded Future - Threat Actor Search -- Modify the detections rules "on error" handling to continue because if no detection rule is brought back the playbook errors out which we don't want +- Modify the detections rules command "on error" handling - Add the inputs into the sub playbooks for Splunk and QRadar
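Review bot: The filter operand now matches the sibling entries, but the SHA256 argument of the Splunk task is still shaped differently from the rest: it keeps `root: ExtractedIndicators` with a trailing `accessor: File` (visible in the first patch of this series), whereas the MD5 and SHA1 entries in the same task and all three hash entries of the QRadar task use `root: ExtractedIndicators.File` with no accessor. Whether the `stringHasLength` filter sees the same values in both shapes presumably depends on which path the root selects, so the two SIEM hunts may receive different SHA256 sets for the same indicators. Changing the entry to `root: ExtractedIndicators.File` and dropping the `accessor: File` line would make the six hash arguments uniform and the behaviour easier to verify. The enclosing `scriptarguments` mapping starts and ends outside the hunk.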