demisto · idovandijk · Nov 12, 2023 · Oct 27, 2023 · Oct 31, 2023 · Nov 1, 2023
@@ -1,18 +1,17 @@
 id: Block Indicators - Generic v3
 version: -1
 contentitemexportablefields:
   contentitemfields: {}
 name: Block Indicators - Generic v3
-description: |+
+description: |-
   This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks:
 
   - Block URL - Generic v2
   - Block Account - Generic v2
   - Block IP - Generic v3
   - Block File - Generic v2
   - Block Email - Generic v2
-  - Block Domain - Generic v2
-
+  - Block Domain - Generic v2.
 starttaskid: "0"
 tasks:
   "0":
@@ -186,6 +185,7 @@
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   "13":
     id: "13"
     taskid: 53c7faa6-ec4b-46c0-8322-71972e65dad0
@@ -1128,7 +1128,6 @@
       type: condition
       iscommand: false
       brand: ""
-      description: ''
     nexttasks:
       '#default#':
       - "14"
@@ -1488,7 +1487,8 @@
     product: Proofpoint Threat Response
   playbookInputQuery:
 - key: Tag
-  value: {}
+  value:
+    simple: Blocked Indicator In Systems
   required: false
   description: Insert a tag name with which indicators will get tagged. This tag can be used later in the External Dynamic Lists integration by using the tag for filtering IPs in the indicator query.
   playbookInputQuery:
@@ -1589,13 +1589,13 @@
 - contextPath: CheckpointFWRule.Hits
   description: Rule hits count.
 - contextPath: PanoramaRule.Direction
-  description: Direction of the Panorama rule. Can be 'to','from', 'both'
+  description: Direction of the Panorama rule. Can be 'to','from', 'both'.
   type: string
 - contextPath: PanoramaRule.IP
-  description: The IP the Panorama rule blocks
+  description: The IP the Panorama rule blocks.
   type: string
 - contextPath: PanoramaRule.Name
-  description: Name of the Panorama rule
+  description: Name of the Panorama rule.
   type: string
 - contextPath: CheckpointFWRule.Data.Name
   description: Rule data object name.
@@ -1614,15 +1614,15 @@
 - contextPath: CheckpointFWRule.Hits.Level
   description: Level of rule hits.
 - contextPath: CheckpointFWRule.Hits.Percentage
-  description: Percentage of rule hits
+  description: Percentage of rule hits.
 - contextPath: CheckpointFWRule.Hits.Value
   description: Value of rule hits.
 - contextPath: IndicatorsToBlock
-  description: Selected indicators to block
+  description: Selected indicators to block.
   type: unknown
 tests:
 - Block IP - Generic V3_Test
 fromversion: 6.5.0
 marketplaces:
-  - xsoar
-  - marketplacev2
+- xsoar
+- marketplacev2
@@ -5,9 +5,7 @@ This playbook blocks malicious indicators using all integrations that are enable
 - Block IP - Generic v3
 - Block File - Generic v2
 - Block Email - Generic v2
-- Block Domain - Generic v2
-
-
+- Block Domain - Generic v2.
 
 ## Dependencies
 
@@ -16,11 +14,11 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
 
 * Block File - Generic v2
-* Block Account - Generic v2
 * Block Email - Generic v2
-* Block URL - Generic v2
-* Block IP - Generic v3
 * Block Domain - Generic v2
+* Block Account - Generic v2
+* Block IP - Generic v3
+* Block URL - Generic v2
 
 ### Integrations
 
@@ -32,7 +30,7 @@ This playbook does not use any integrations.
 
 ### Commands
 
-* setIndicators
+* appendIndicatorField
 
 ## Playbook Inputs
 
@@ -58,7 +56,7 @@ This playbook does not use any integrations.
 | device-group | Device group for the Custom URL Category \(Panorama instances\). |  | Optional |
 | categories | The list of categories. Relevant from PAN-OS v9.x. |  | Optional |
 | DomainBlackListID | The Domain List ID to add the Domain to.<br/>product: Proofpoint Threat Response |  | Optional |
-| Tag | Insert a tag name with which indicators will get tagged. This tag can be used later in the External Dynamic Lists integration by using the tag for filtering IPs in the indicator query. |  | Optional |
+| Tag | Insert a tag name with which indicators will get tagged. This tag can be used later in the External Dynamic Lists integration by using the tag for filtering IPs in the indicator query. | Blocked Indicator In Systems | Optional |
 | DAG | This input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used.<br/>Specify the Dynamic Address Group tag name for IPs list handling. |  | Optional |
 | UserVerification | Possible values: True/False.  Default: True.<br/>Whether to provide user verification for blocking those IPs. <br/><br/>False - No prompt will be displayed to the user.<br/>True - The server will ask the user for blocking verification and will display the blocking list. | True | Optional |
 | InternalRange | A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). If a list is not provided, will use the default list provided in the IsIPInRanges script \(the known IPv4 private address ranges\). |  | Optional |
@@ -90,9 +88,9 @@ This playbook does not use any integrations.
 | CheckpointFWRule.DataDirection | Rule data direction. | unknown |
 | CheckpointFWRule.DataNegate | Rule data negate status \(True/False\). | unknown |
 | CheckpointFWRule.Hits | Rule hits count. | unknown |
-| PanoramaRule.Direction | Direction of the Panorama rule. Can be 'to','from', 'both' | string |
-| PanoramaRule.IP | The IP the Panorama rule blocks | string |
-| PanoramaRule.Name | Name of the Panorama rule | string |
+| PanoramaRule.Direction | Direction of the Panorama rule. Can be 'to','from', 'both'. | string |
+| PanoramaRule.IP | The IP the Panorama rule blocks. | string |
+| PanoramaRule.Name | Name of the Panorama rule. | string |
 | CheckpointFWRule.Data.Name | Rule data object name. | unknown |
 | CheckpointFWRule.Data.Domain | Information about the domain the data object belongs to. | unknown |
 | CheckpointFWRule.Domain.Name | Rule domain name. | unknown |
@@ -101,9 +99,9 @@ This playbook does not use any integrations.
 | CheckpointFWRule.Hits.FirstDate | The date of the first hit for the rule. | unknown |
 | CheckpointFWRule.Hits.LastDate | The date of the last hit for the rule. | unknown |
 | CheckpointFWRule.Hits.Level | Level of rule hits. | unknown |
-| CheckpointFWRule.Hits.Percentage | Percentage of rule hits | unknown |
+| CheckpointFWRule.Hits.Percentage | Percentage of rule hits. | unknown |
 | CheckpointFWRule.Hits.Value | Value of rule hits. | unknown |
-| IndicatorsToBlock | Selected indicators to block | unknown |
+| IndicatorsToBlock | Selected indicators to block. | unknown |
 
 ## Playbook Image
 

diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_4_14.md b/Packs/CommonPlaybooks/ReleaseNotes/2_4_14.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Block Indicators - Generic v3
+
+Added a default value for the "Tag" input. This will tag blocked indicators with a tag which is then used by the Phishing alert layout in XSOAR and XSIAM to display the blocked indicators.
@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.4.13",
+    "currentVersion": "2.4.14",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/Phishing/IncidentFields/incidentfield-MaliciousURLViewed.json b/Packs/Phishing/IncidentFields/incidentfield-MaliciousURLViewed.json
@@ -4,7 +4,7 @@
     "modified": "2022-12-25T08:52:45.407835633Z",
     "name": "Malicious URL Viewed",
     "ownerOnly": false,
-    "description": "Whether a malicious url was viewed by the user, for example in a scenario where  a user clicked on a malicious url inside an email and was able to view a malicious site.",
+    "description": "Whether a malicious url was viewed by the user, for example in a scenario where  a user clicked on a malicious url inside an email and was able to view a malicious site. The value will be True also in a scenario where the URL was blocked initially, but the user decided to proceed and view the URL anyway.",
     "cliName": "maliciousurlviewed",
     "type": "shortText",
     "closeForm": false,

diff --git a/Packs/Phishing/LayoutRules/Phishing.json b/Packs/Phishing/LayoutRules/Phishing.json
@@ -0,0 +1,18 @@
+{
+  "rule_id": "Phishing_Layout_Rule",
+  "layout_id": "Phishing Layout",
+  "description": "Default display for phishing alerts.",
+  "rule_name": "Phishing Layout Rule",
+  "alerts_filter": {
+    "filter": {
+      "AND": [
+        {
+            "SEARCH_FIELD": "alert_type",
+            "SEARCH_TYPE": "EQ",
+            "SEARCH_VALUE": "Phishing"
+        }
+      ]
+    }
+  },
+  "fromVersion": "6.10.0"
+}