Fix for 'MDE Malware - Incident Enrichment' playbook #29842

Merged
merged 13 commits into from
Oct 1, 2023
Changes from 11 commits
Expand Up @@ -218,13 +218,13 @@ tasks:
skipunavailable: false
task:
brand: ''
description: Check if evidence was fetched?
id: 19cc7fd9-f64e-467d-8e95-50b3a4b27cef
description: Check if evidence was fetched.
id: 0fbc6600-7772-43e6-80b4-9fd36fd8bd2a
iscommand: false
name: Check if Evidence was fetched?
name: Check if Evidence was fetched
type: condition
version: -1
taskid: 19cc7fd9-f64e-467d-8e95-50b3a4b27cef
taskid: 0fbc6600-7772-43e6-80b4-9fd36fd8bd2a
timertriggers: []
type: condition
view: |-
Expand Down Expand Up @@ -324,7 +324,7 @@ tasks:
{
"position": {
"x": 460,
"y": 2330
"y": 2350
}
}
continueonerrortype: ""
Expand Down Expand Up @@ -440,7 +440,7 @@ tasks:
{
"position": {
"x": 20,
"y": 1990
"y": 2010
}
}
continueonerrortype: ""
Expand Down Expand Up @@ -519,7 +519,7 @@ tasks:
{
"position": {
"x": -210,
"y": 2160
"y": 2180
}
}
continueonerrortype: ""
Expand Down Expand Up @@ -1118,14 +1118,13 @@ tasks:
description: ''
nexttasks:
'#none#':
- '46'
- '47'
- "56"
separatecontext: false
view: |-
{
"position": {
"x": 1080,
"y": 1695
"x": 900,
"y": 1700
}
}
note: false
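Review bot: the `#none#` successor list changes from `'46'`, `'47'` to a single `"56"`, which is where the new gate is spliced in; the fan-out to 46 and 47 now has to happen inside task 56's `"yes"` branch, so check that both are listed there. Minor style point: the new entry is double-quoted where the surrounding file single-quotes task ids (`'46'`, `'47'`).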
Expand All @@ -1138,10 +1137,10 @@ tasks:
continueonerrortype: ""
'46':
id: '46'
taskid: 32da064c-4064-4349-82d7-080ed44dab60
taskid: df8a4e9b-fab5-45b3-870c-e7d659bea5a4
type: regular
task:
id: 32da064c-4064-4349-82d7-080ed44dab60
id: df8a4e9b-fab5-45b3-870c-e7d659bea5a4
version: -1
name: Set Alert Name
description: |-
Expand All @@ -1161,25 +1160,19 @@ tasks:
append:
simple: 'true'
key:
simple: MicrosoftATP.Alert.Evidence(val.entityType.length>0).AlertName
simple: MicrosoftATP.Alert.Evidence.AlertName
value:
complex:
root: incident
accessor: alertname
transformers:
- operator: FirstArrayElement
- operator: SetIfEmpty
args:
applyIfEmpty: {}
defaultValue:
value:
simple: N/A
separatecontext: false
view: |-
{
"position": {
"x": 880,
"y": 1840
"x": 900,
"y": 2010
}
}
note: false
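Review bot: dropping the `SetIfEmpty` transformer (default `N/A`) means that if this task is reached with an empty `incident.alertname`, `MicrosoftATP.Alert.Evidence.AlertName` is set to an empty value instead of `N/A`; that is only safe while the new condition task gates on `incident.alertname` ahead of this task, so any later re-routing of task 46 must keep that gate. The key also loses the `(val.entityType.length>0)` filter, so with `append: 'true'` the value now lands at the plain `MicrosoftATP.Alert.Evidence.AlertName` path; confirm the task that builds the alerts grid reads it from there.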
Expand All @@ -1192,10 +1185,10 @@ tasks:
continueonerrortype: ""
'47':
id: '47'
taskid: 88743573-435d-4323-8b1f-b8d0270ddd77
taskid: 77fde48d-c2d7-473d-8265-18c1f67c5b4f
type: regular
task:
id: 88743573-435d-4323-8b1f-b8d0270ddd77
id: 77fde48d-c2d7-473d-8265-18c1f67c5b4f
version: -1
name: Set Device Name
description: |-
Expand All @@ -1215,25 +1208,19 @@ tasks:
append:
simple: 'true'
key:
simple: MicrosoftATP.Alert.Evidence(val.entityType.length>0).device_name
simple: MicrosoftATP.Alert.Evidence.device_name
value:
complex:
root: incident
accessor: hostnames
transformers:
- operator: FirstArrayElement
- operator: SetIfEmpty
args:
applyIfEmpty: {}
defaultValue:
value:
simple: N/A
separatecontext: false
view: |-
{
"position": {
"x": 1290,
"y": 1840
"x": 1310,
"y": 2010
}
}
note: false
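Review bot: mirrors task 46 for `device_name` (same unfiltered key, same removal of the `N/A` default); the gate on `incident.hostnames` in the new condition task covers the empty case here, so keep the two tasks in lockstep if either key path changes again.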
Expand All @@ -1246,10 +1233,10 @@ tasks:
continueonerrortype: ""
'48':
id: '48'
taskid: 61d0f3a5-0fee-431d-87d9-de9d1b2429e2
taskid: 2e4a7d82-de1c-4af4-8a60-1fe3a41f32fb
type: regular
task:
id: 61d0f3a5-0fee-431d-87d9-de9d1b2429e2
id: 2e4a7d82-de1c-4af4-8a60-1fe3a41f32fb
version: -1
name: Set Alerts Table Info in the Layout
description: Creates a Grid table from items or key-value pairs.
Expand All @@ -1275,8 +1262,8 @@ tasks:
view: |-
{
"position": {
"x": 1080,
"y": 2010
"x": 1110,
"y": 2180
}
}
note: false
Expand Down Expand Up @@ -1489,26 +1476,14 @@ tasks:
then:
value:
simple: IAM.UserProfile.profile.login
manageremailaddress:
complex:
root: UserManagerEmail
filters:
- - operator: isNotEmpty
left:
value:
simple: UserManagerEmail
iscontext: true
transformers:
- operator: uniq
- operator: FirstArrayElement
separatecontext: false
continueonerror: true
continueonerrortype: ""
view: |-
{
"position": {
"x": 460,
"y": 1990
"y": 2010
}
}
note: false
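Review bot: the `manageremailaddress` mapping (`UserManagerEmail` with an `isNotEmpty` filter, `uniq` and `FirstArrayElement`) is removed from this `setIncident` task, and neither the PR title nor the release note mentions it; if the field is intentionally no longer populated, add a release-note line, since any layout or automation that reads the manager email address from the incident will stop receiving it.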
Expand Down Expand Up @@ -1568,6 +1543,59 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"56":
id: "56"
taskid: 75a12361-2f13-4b7e-8179-917b1e74712a
type: condition
task:
id: 75a12361-2f13-4b7e-8179-917b1e74712a
version: -1
name: Check if Alert Info was Fetched to Incident Fields
description: Ensure that the device name and alert name incident fields are not empty.
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "16"
"yes":
- "46"
- "47"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
complex:
root: incident
accessor: hostnames
iscontext: true
right:
value: {}
- - operator: isNotEmpty
left:
value:
complex:
root: incident
accessor: alertname
iscontext: true
continueonerrortype: ""
view: |-
{
"position": {
"x": 900,
"y": 1840
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
version: -1
view: |-
{
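Review bot: the first `isNotEmpty` condition (on `incident.hostnames`) carries an empty `right: value: {}` block that the second (on `incident.alertname`) omits; `isNotEmpty` takes no right operand, so drop it from the first for consistency. The two conditions sit in separate outer list entries, which XSOAR evaluates as AND, so `"yes"` fires only when both fields are populated, and `#default#` sends the empty case to task 16, skipping the Set Alert Name and Set Device Name tasks entirely; that matches the release note. Quoting nit: `"56"`, `"16"`, `"46"`, `"47"` are double-quoted while the rest of the file single-quotes task ids.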
Expand All @@ -1576,7 +1604,7 @@ view: |-
},
"paper": {
"dimensions": {
"height": 2165,
"height": 2185,
"width": 1950,
"x": -230,
"y": 230
Expand All @@ -1586,4 +1614,3 @@ view: |-
tests:
- Test Playbook - MDE Malware - Incident Enrichment
fromversion: 6.5.0
system: true
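Review bot: `system: true` is dropped from the end of the file (the hunk goes from 4 lines to 3), a change the PR title and release note do not mention; confirm it is intentional and, if so, call it out in the release note.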
Expand Up @@ -2,26 +2,35 @@ This playbook is part of the 'Malware Investigation And Response' pack. For more
This playbook enriches Microsoft Defender For Endpoint alerts. The enrichment is done on the involved endpoint and Mitre technique ID information, and it sets the 'Malware-Investigation and Response' layout.

## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
* Malware Investigation and Response - Set Alerts Grid

* Mitre Attack - Extract Technique Information From ID
* Account Enrichment - Generic v2.1

### Integrations

* MicrosoftDefenderAdvancedThreatProtection
* Microsoft365DefenderEventCollector

### Scripts
* SetAndHandleEmpty

* isError
* SetAndHandleEmpty
* SetGridField

### Commands
* setIncident

* endpoint
* microsoft-atp-get-alert-by-id
* setIncident
* extractIndicators
* file
* endpoint

## Playbook Inputs

---

| **Name** | **Description** | **Default Value** | **Required** |
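Review bot: the dependency lists change beyond what this PR touches in the playbook: `Malware Investigation and Response - Set Alerts Grid` leaves the sub-playbooks list, `Account Enrichment - Generic v2.1` joins it, and `isError`, `SetGridField`, `extractIndicators` and `file` are added under Scripts and Commands. If these come from regenerating the README against the current playbook that is fine, but the diff shown here contains no corresponding task changes, so confirm they reflect the playbook as merged rather than a stale local copy.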
Expand All @@ -30,6 +39,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
| AlertID | The Microsoft Defender For Endpoint alert ID. | ${incident.externalsystemid} | Optional |

## Playbook Outputs

---

| **Path** | **Description** | **Type** |
Expand All @@ -40,5 +50,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
| Endpoint | The endpoint information. | unknown |

## Playbook Image

---
![MDE Malware - Incident Enrichment](../doc_files/MDE_Malware_-_Incident_Enrichment.png)

![MDE Malware - Incident Enrichment](../doc_files/MDE_Malware_-_Incident_Enrichment.png)
@@ -0,0 +1,6 @@

#### Playbooks

##### MDE Malware - Incident Enrichment

- Added a task to verify that the incident fields necessary to set alerts table info to the layout are not empty.
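Review bot: the release note documents only the added condition task; the same PR also removes the `manageremailaddress` mapping from the `setIncident` task, drops the `N/A` default on `MicrosoftATP.Alert.Evidence.AlertName` and `.device_name` (and the `(val.entityType.length>0)` filter from those keys), and removes `system: true` from the playbook, all of which are user-visible and belong in this list. The file also opens with an empty line before `#### Playbooks`.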