diff --git a/Packs/CloudIncidentResponse/LayoutRules/layoutrule-Cloud_Alerts.json b/Packs/CloudIncidentResponse/LayoutRules/layoutrule-Cloud_Alerts.json new file mode 100644 index 000000000000..b22984f07846 --- /dev/null +++ b/Packs/CloudIncidentResponse/LayoutRules/layoutrule-Cloud_Alerts.json @@ -0,0 +1,46 @@ +{ + "rule_id": "Cloud_Alerts_rule", + "layout_id": "Cloud Alerts", + "description": "Default display for Cloud Alerts generated by XDR Analytics.", + "rule_name": "Cloud Alerts Layout Rule", + "alerts_filter": { + "filter": { + "AND": [ + { + "OR": [ + { + "SEARCH_FIELD": "cloud_provider", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "AWS" + }, + { + "SEARCH_FIELD": "cloud_provider", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "AZURE" + }, + { + "SEARCH_FIELD": "cloud_provider", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "GCP" + } + ] + }, + { + "OR": [ + { + "SEARCH_FIELD": "alert_source", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "ANALYTICS_BIOC" + }, + { + "SEARCH_FIELD": "alert_source", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "MAGNIFIER" + } + ] + } + ] + } + }, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cloud_Alerts.json b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cloud_Alerts.json new file mode 100644 index 000000000000..a0bb2f268d22 --- /dev/null +++ b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cloud_Alerts.json 
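Review bot: Both new JSON artifacts end with `\ No newline at end of file` (this layout rule and the layoutscontainer hunk that ends at `"description": ""`); a trailing LF on committed JSON avoids a spurious last-line change the next time either file is edited. The rule also declares no `marketplaces` key while the companion layoutscontainer carries `"marketplaces": ["marketplacev2"]`; if layout rules are scoped the same way, adding `"marketplaces": ["marketplacev2"]` here keeps the pair consistent, though the content validator may already handle that. The description says the rule covers alerts "generated by XDR Analytics" while the filter admits both `ANALYTICS_BIOC` and `MAGNIFIER`; a short note that `MAGNIFIER` is the legacy analytics source would help a reader who does not know the mapping.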
@@ -0,0 +1,1390 @@ +{ + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Alert Details", + "sections": [ + { + "displayType": "ROW", + "h": 4, + "i": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "items": [ + { + "dropEffect": "move", + "endCol": 3, + "fieldId": "details", + "height": 52, + "id": "df4e6650-ffa4-11ed-8065-135924776b58", + "index": 0, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdrdescription", + "height": 26, + "id": "a79303f0-0d99-11ec-83df-e184d3cc52d9", + "index": 1, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdrincidentid", + "height": 26, + "id": "c2e0ea00-0d99-11ec-83df-e184d3cc52d9", + "index": 1, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdrurl", + "height": 26, + "id": "b2f7e2b0-0d99-11ec-83df-e184d3cc52d9", + "index": 1, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdralertcategory", + "height": 26, + "id": "a3301f00-0d99-11ec-83df-e184d3cc52d9", + "index": 1, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + 
"dropEffect": "move", + "endCol": 2, + "fieldId": "xdralertname", + "height": 26, + "id": "a5953820-0d99-11ec-83df-e184d3cc52d9", + "index": 1, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdrdetectiontime", + "height": 26, + "id": "a9356950-0d99-11ec-83df-e184d3cc52d9", + "index": 1, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "dbotcreated", + "height": 26, + "id": "incident-created-field", + "index": 1, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "categoryname", + "height": 26, + "id": "298513a0-ffa4-11ed-8065-135924776b58", + "index": 2, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "severity", + "height": 26, + "id": "incident-severity-field", + "index": 3, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdrhostcount", + "height": 26, + "id": "d50dc6d0-0d99-11ec-83df-e184d3cc52d9", + "index": 4, + "listId": "caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "xdrusercount", + "height": 26, + "id": "cf9fda80-0d99-11ec-83df-e184d3cc52d9", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "xdralertcount", + "height": 26, + "id": "a4bba100-0d99-11ec-83df-e184d3cc52d9", + "index": 4, + "listId": 
"caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "xdrhighseverityalertcount", + "height": 26, + "id": "16aacde0-0d9a-11ec-83df-e184d3cc52d9", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "xdrmediumseverityalertcount", + "height": 26, + "id": "23c76ec0-0d9a-11ec-83df-e184d3cc52d9", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "xdrlowseverityalertcount", + "height": 26, + "id": "25413d80-0d9a-11ec-83df-e184d3cc52d9", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "playbookid", + "height": 26, + "id": "incident-playbookId-field", + "index": 4, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "mitreattcktactic", + "height": 26, + "id": "41242d10-ffa5-11ed-8065-135924776b58", + "index": 0, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 4 + }, + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "mitreattcktechnique", + "height": 26, + "id": "42aceff0-ffa5-11ed-8065-135924776b58", + "index": 1, + "listId": "caseinfoid-psvkrie7fh-field-changed-caseinfoid-9d68c810-0d99-11ec-83df-e184d3cc52d9", + "sectionItemType": "field", + "startCol": 4 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Alert Information", + "static": false, + "w": 2, + "x": 0, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-1ef783c0-4012-11ed-bd56-1f5a2b2d17b4", + "items": [ + { + "endCol": 2, + "fieldId": "xdralerts", + "height": 26, + "id": "22a151e0-4012-11ed-bd56-1f5a2b2d17b4", + "index": 0, + "sectionItemType": "field", + "startCol": 
0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "cloudaccountid", + "height": 26, + "id": "45d156e0-ffa4-11ed-8065-135924776b58", + "index": 0, + "listId": "caseinfoid-1ef783c0-4012-11ed-bd56-1f5a2b2d17b4", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "cloudproject", + "height": 26, + "id": "671bd4b0-ffa4-11ed-8065-135924776b58", + "index": 1, + "listId": "caseinfoid-1ef783c0-4012-11ed-bd56-1f5a2b2d17b4", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "cloudidentitytype", + "height": 26, + "id": "38114a10-ffa4-11ed-8065-135924776b58", + "index": 2, + "listId": "caseinfoid-1ef783c0-4012-11ed-bd56-1f5a2b2d17b4", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "cloudoperationtype", + "height": 26, + "id": "5f71db10-ffa4-11ed-8065-135924776b58", + "index": 3, + "listId": "caseinfoid-1ef783c0-4012-11ed-bd56-1f5a2b2d17b4", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "cloudresourcetype", + "height": 26, + "id": "74d59ff0-ffa4-11ed-8065-135924776b58", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "cloudreferencedresource", + "height": 26, + "id": "6bc00860-ffa4-11ed-8065-135924776b58", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "cloudinstanceid", + "height": 26, + "id": "5cff5470-ffa4-11ed-8065-135924776b58", + "index": 6, + "listId": "caseinfoid-1ef783c0-4012-11ed-bd56-1f5a2b2d17b4", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Cloud Extra Data", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "h": 4, + "hideName": true, + "i": "caseinfoid-3f0c19a0-4012-11ed-bd56-1f5a2b2d17b4", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + 
"name": "Alert Extended Information", + "query": "CortexXDRAdditionalAlertInformationWidget", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 3, + "x": 0, + "y": 4 + }, + { + "h": 2, + "hideName": true, + "i": "caseinfoid-76a49540-4012-11ed-bd56-1f5a2b2d17b4", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Cloud Provider", + "query": "XCloudProviderWidget", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 1, + "x": 1, + "y": 2 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "xmrrsnmlfj", + "name": "Technical Details", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-be53e110-3992-11ed-9adb-83e728f46893", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "hostip", + "height": 26, + "id": "aeeee620-ffbc-11ed-91cb-b704c053731a", + "index": 0, + "listId": "caseinfoid-be53e110-3992-11ed-9adb-83e728f46893", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "isvpnipaddress", + "height": 26, + "id": "b65ebae0-141e-11ee-82aa-79d0d6f9a441", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "useragent", + "height": 26, + "id": "3e2d8e60-3fef-11ed-8b45-b1684b1bfc04", + "index": 2, + "listId": "caseinfoid-be53e110-3992-11ed-9adb-83e728f46893", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "asnname", + "height": 26, + "id": "7bbf2660-ffbd-11ed-91cb-b704c053731a", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "asn", + "height": 26, + "id": "74d9fc50-3fef-11ed-bd56-1f5a2b2d17b4", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "country", + "height": 26, + "id": "4c8d5610-0f52-11ee-81b3-5b1a51073e91", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + 
"moved": false, + "name": "Attacker Extra Data", + "static": false, + "w": 1, + "x": 1, + "y": 0 + }, + { + "h": 1, + "hideName": false, + "i": "caseinfoid-90fd3b10-3e3f-11ed-ba28-af31a2402b20", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Regions", + "query": "EntryWidgetRegionNameXCLOUD", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 1, + "x": 2, + "y": 0 + }, + { + "h": 3, + "i": "caseinfoid-944f47f0-3fce-11ed-81fb-f98f11f06b6f", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Malicious or Suspicious Indicators", + "query": "reputation:Suspicious OR reputation:Malicious", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 2 + }, + { + "h": 1, + "hideName": false, + "i": "caseinfoid-4d1a5360-4a0b-11ed-b8e1-8fa90b5d349b", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Resource Type", + "query": "EntryWidgetResourceTypeXCLOUD", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 1, + "x": 2, + "y": 1 + }, + { + "description": "", + "h": 3, + "hideName": true, + "i": "caseinfoid-270d9710-ffbc-11ed-91cb-b704c053731a", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Related Alerts", + "query": "XCloudRelatedAlertsWidget", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 3, + "x": 0, + "y": 5 + }, + { + "h": 2, + "hideName": true, + "i": "caseinfoid-eb9e4280-ffbe-11ed-8455-4ba42b17a94b", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Identity Table", + "query": "XCloudIdentitiesWidget", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 3, + "i": "caseinfoid-738a28d0-ffd3-11ed-94b9-ab17767bb4e7", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Hunting Results", + "query": { + "categories": [ + "tags" + ], + "preDefinedFilters": true, + "tags": [ + 
"PersistenceHunting" + ] + }, + "queryType": "warRoomFilter", + "static": false, + "type": "invTimeline", + "w": 1, + "x": 2, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + } + ] + }, + "group": "incident", + "id": "Cloud Alerts", + "name": "Cloud Alerts", + "quickView": { + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "incident_type", + "isVisible": true + }, + { + "fieldId": "incident_severity", + "isVisible": true + }, + { + "fieldId": "incident_owner", + "isVisible": true + }, + { + "fieldId": "incident_dbotstatus", + "isVisible": true + }, + { + "fieldId": "incident_sourcebrand", + "isVisible": true + }, + { + "fieldId": "incident_sourceinstance", + "isVisible": true + }, + { + "fieldId": "incident_playbookid", + "isVisible": true + }, + { + "fieldId": "incident_phase", + "isVisible": true + }, + { + "fieldId": "incident_roles", + "isVisible": true + } + ], + "isVisible": true, + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_occurred", + "isVisible": true + }, + { + "fieldId": "incident_dbotcreated", + "isVisible": true + }, + { + "fieldId": "incident_dbotduedate", + "isVisible": true + }, + { + "fieldId": "incident_dbotmodified", + "isVisible": true + }, + { + "fieldId": "incident_dbottotaltime", + "isVisible": true + } + ], + "isVisible": true, + "name": "Timeline Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_additionaldata", + "isVisible": true + }, + { + "fieldId": "incident_agentid", + "isVisible": true + }, + { + "fieldId": "incident_agentsid", + "isVisible": true + }, + { + "fieldId": "incident_agentversion", + "isVisible": true + }, + { + "fieldId": 
"incident_alertcategory", + "isVisible": true + }, + { + "fieldId": "incident_alerttypeid", + "isVisible": true + }, + { + "fieldId": "incident_app", + "isVisible": true + }, + { + "fieldId": "incident_appchannelname", + "isVisible": true + }, + { + "fieldId": "incident_appmessage", + "isVisible": true + }, + { + "fieldId": "incident_assigneduser", + "isVisible": true + }, + { + "fieldId": "incident_assignmentgroup", + "isVisible": true + }, + { + "fieldId": "incident_birthday", + "isVisible": true + }, + { + "fieldId": "incident_caller", + "isVisible": true + }, + { + "fieldId": "incident_categories", + "isVisible": true + }, + { + "fieldId": "incident_changed", + "isVisible": true + }, + { + "fieldId": "incident_childprocess", + "isVisible": true + }, + { + "fieldId": "incident_classification", + "isVisible": true + }, + { + "fieldId": "incident_cloudaccountid", + "isVisible": true + }, + { + "fieldId": "incident_cloudinstanceid", + "isVisible": true + }, + { + "fieldId": "incident_cmd", + "isVisible": true + }, + { + "fieldId": "incident_cmdline", + "isVisible": true + }, + { + "fieldId": "incident_commandline", + "isVisible": true + }, + { + "fieldId": "incident_comment", + "isVisible": true + }, + { + "fieldId": "incident_containmentsla", + "isVisible": true + }, + { + "fieldId": "incident_country", + "isVisible": true + }, + { + "fieldId": "incident_countrycode", + "isVisible": true + }, + { + "fieldId": "incident_countrycodenumber", + "isVisible": true + }, + { + "fieldId": "incident_destinationhostname", + "isVisible": true + }, + { + "fieldId": "incident_destinationip", + "isVisible": true + }, + { + "fieldId": "incident_destinationnetwork", + "isVisible": true + }, + { + "fieldId": "incident_destinationnetworks", + "isVisible": true + }, + { + "fieldId": "incident_destinationport", + "isVisible": true + }, + { + "fieldId": "incident_detectedendpoints", + "isVisible": true + }, + { + "fieldId": "incident_detecteduser", + "isVisible": true + }, + { + 
"fieldId": "incident_detectionsla", + "isVisible": true + }, + { + "fieldId": "incident_detectionurl", + "isVisible": true + }, + { + "fieldId": "incident_deviceexternalip", + "isVisible": true + }, + { + "fieldId": "incident_deviceexternalips", + "isVisible": true + }, + { + "fieldId": "incident_devicehash", + "isVisible": true + }, + { + "fieldId": "incident_deviceid", + "isVisible": true + }, + { + "fieldId": "incident_deviceinternalips", + "isVisible": true + }, + { + "fieldId": "incident_devicelocalip", + "isVisible": true + }, + { + "fieldId": "incident_devicemacaddress", + "isVisible": true + }, + { + "fieldId": "incident_devicemodel", + "isVisible": true + }, + { + "fieldId": "incident_devicename", + "isVisible": true + }, + { + "fieldId": "incident_deviceosname", + "isVisible": true + }, + { + "fieldId": "incident_deviceosversion", + "isVisible": true + }, + { + "fieldId": "incident_deviceou", + "isVisible": true + }, + { + "fieldId": "incident_deviceusername", + "isVisible": true + }, + { + "fieldId": "incident_domainname", + "isVisible": true + }, + { + "fieldId": "incident_dsts", + "isVisible": true + }, + { + "fieldId": "incident_escalation", + "isVisible": true + }, + { + "fieldId": "incident_eventid", + "isVisible": true + }, + { + "fieldId": "incident_eventtype", + "isVisible": true + }, + { + "fieldId": "incident_externalcategoryid", + "isVisible": true + }, + { + "fieldId": "incident_externalcategoryname", + "isVisible": true + }, + { + "fieldId": "incident_externalconfidence", + "isVisible": true + }, + { + "fieldId": "incident_externalendtime", + "isVisible": true + }, + { + "fieldId": "incident_externallink", + "isVisible": true + }, + { + "fieldId": "incident_externalseverity", + "isVisible": true + }, + { + "fieldId": "incident_externalstarttime", + "isVisible": true + }, + { + "fieldId": "incident_externalstatus", + "isVisible": true + }, + { + "fieldId": "incident_externalsubcategoryid", + "isVisible": true + }, + { + "fieldId": 
"incident_externalsubcategoryname", + "isVisible": true + }, + { + "fieldId": "incident_externalsystemid", + "isVisible": true + }, + { + "fieldId": "incident_filehash", + "isVisible": true + }, + { + "fieldId": "incident_filemd5", + "isVisible": true + }, + { + "fieldId": "incident_filename", + "isVisible": true + }, + { + "fieldId": "incident_filenames", + "isVisible": true + }, + { + "fieldId": "incident_filepath", + "isVisible": true + }, + { + "fieldId": "incident_filepaths", + "isVisible": true + }, + { + "fieldId": "incident_filesha1", + "isVisible": true + }, + { + "fieldId": "incident_filesha256", + "isVisible": true + }, + { + "fieldId": "incident_filesize", + "isVisible": true + }, + { + "fieldId": "incident_firstname", + "isVisible": true + }, + { + "fieldId": "incident_fullname", + "isVisible": true + }, + { + "fieldId": "incident_hostnames", + "isVisible": true + }, + { + "fieldId": "incident_incidentlink", + "isVisible": true + }, + { + "fieldId": "incident_incomingmirrorerror", + "isVisible": true + }, + { + "fieldId": "incident_investigationstage", + "isVisible": true + }, + { + "fieldId": "incident_isactive", + "isVisible": true + }, + { + "fieldId": "incident_lastname", + "isVisible": true + }, + { + "fieldId": "incident_logsource", + "isVisible": true + }, + { + "fieldId": "incident_lowlevelcategoriesevents", + "isVisible": true + }, + { + "fieldId": "incident_macaddress", + "isVisible": true + }, + { + "fieldId": "incident_md5", + "isVisible": true + }, + { + "fieldId": "incident_mitretacticid", + "isVisible": true + }, + { + "fieldId": "incident_mitretacticname", + "isVisible": true + }, + { + "fieldId": "incident_mitretechniqueid", + "isVisible": true + }, + { + "fieldId": "incident_mitretechniquename", + "isVisible": true + }, + { + "fieldId": "incident_mobiledevicemodel", + "isVisible": true + }, + { + "fieldId": "incident_objective", + "isVisible": true + }, + { + "fieldId": "incident_orglevel1", + "isVisible": true + }, + { + "fieldId": 
"incident_orglevel2", + "isVisible": true + }, + { + "fieldId": "incident_orglevel3", + "isVisible": true + }, + { + "fieldId": "incident_orgunit", + "isVisible": true + }, + { + "fieldId": "incident_os", + "isVisible": true + }, + { + "fieldId": "incident_ostype", + "isVisible": true + }, + { + "fieldId": "incident_osversion", + "isVisible": true + }, + { + "fieldId": "incident_outgoingmirrorerror", + "isVisible": true + }, + { + "fieldId": "incident_parentcmdline", + "isVisible": true + }, + { + "fieldId": "incident_parentprocess", + "isVisible": true + }, + { + "fieldId": "incident_parentprocesscmd", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessfilepath", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessids", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessmd5", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessname", + "isVisible": true + }, + { + "fieldId": "incident_parentprocesspath", + "isVisible": true + }, + { + "fieldId": "incident_parentprocesssha256", + "isVisible": true + }, + { + "fieldId": "incident_phonenumber", + "isVisible": true + }, + { + "fieldId": "incident_pid", + "isVisible": true + }, + { + "fieldId": "incident_policyactions", + "isVisible": true + }, + { + "fieldId": "incident_processcmd", + "isVisible": true + }, + { + "fieldId": "incident_processcreationtime", + "isVisible": true + }, + { + "fieldId": "incident_processid", + "isVisible": true + }, + { + "fieldId": "incident_processmd5", + "isVisible": true + }, + { + "fieldId": "incident_processname", + "isVisible": true + }, + { + "fieldId": "incident_processnames", + "isVisible": true + }, + { + "fieldId": "incident_processpath", + "isVisible": true + }, + { + "fieldId": "incident_processpaths", + "isVisible": true + }, + { + "fieldId": "incident_processsha256", + "isVisible": true + }, + { + "fieldId": "incident_protocol", + "isVisible": true + }, + { + "fieldId": "incident_protocolnames", + "isVisible": true + }, + 
{ + "fieldId": "incident_registryhive", + "isVisible": true + }, + { + "fieldId": "incident_registrykey", + "isVisible": true + }, + { + "fieldId": "incident_registryvalue", + "isVisible": true + }, + { + "fieldId": "incident_registryvaluetype", + "isVisible": true + }, + { + "fieldId": "incident_remediationsla", + "isVisible": true + }, + { + "fieldId": "incident_renderedhtml", + "isVisible": true + }, + { + "fieldId": "incident_rulename", + "isVisible": true + }, + { + "fieldId": "incident_scenario", + "isVisible": true + }, + { + "fieldId": "incident_sha1", + "isVisible": true + }, + { + "fieldId": "incident_sha256", + "isVisible": true + }, + { + "fieldId": "incident_sha512", + "isVisible": true + }, + { + "fieldId": "incident_similarincidents", + "isVisible": true + }, + { + "fieldId": "incident_similarincidentsdbot", + "isVisible": true + }, + { + "fieldId": "incident_sourcecategory", + "isVisible": true + }, + { + "fieldId": "incident_sourcecreatedby", + "isVisible": true + }, + { + "fieldId": "incident_sourcecreatetime", + "isVisible": true + }, + { + "fieldId": "incident_sourceexternalips", + "isVisible": true + }, + { + "fieldId": "incident_sourcehostname", + "isVisible": true + }, + { + "fieldId": "incident_sourceip", + "isVisible": true + }, + { + "fieldId": "incident_sourcenetwork", + "isVisible": true + }, + { + "fieldId": "incident_sourcenetworks", + "isVisible": true + }, + { + "fieldId": "incident_sourceport", + "isVisible": true + }, + { + "fieldId": "incident_sourcepriority", + "isVisible": true + }, + { + "fieldId": "incident_sourcestatus", + "isVisible": true + }, + { + "fieldId": "incident_sourceusername", + "isVisible": true + }, + { + "fieldId": "incident_srcs", + "isVisible": true + }, + { + "fieldId": "incident_state", + "isVisible": true + }, + { + "fieldId": "incident_subcategory", + "isVisible": true + }, + { + "fieldId": "incident_tactic", + "isVisible": true + }, + { + "fieldId": "incident_tacticid", + "isVisible": true + }, + { + 
"fieldId": "incident_teamname", + "isVisible": true + }, + { + "fieldId": "incident_technique", + "isVisible": true + }, + { + "fieldId": "incident_techniqueid", + "isVisible": true + }, + { + "fieldId": "incident_tenantname", + "isVisible": true + }, + { + "fieldId": "incident_threatfamilyname", + "isVisible": true + }, + { + "fieldId": "incident_threathuntingdetectedhostnames", + "isVisible": true + }, + { + "fieldId": "incident_threathuntingdetectedip", + "isVisible": true + }, + { + "fieldId": "incident_threatname", + "isVisible": true + }, + { + "fieldId": "incident_ticketacknowledgeddate", + "isVisible": true + }, + { + "fieldId": "incident_ticketcloseddate", + "isVisible": true + }, + { + "fieldId": "incident_ticketnumber", + "isVisible": true + }, + { + "fieldId": "incident_ticketopeneddate", + "isVisible": true + }, + { + "fieldId": "incident_timetoassignment", + "isVisible": true + }, + { + "fieldId": "incident_triagesla", + "isVisible": true + }, + { + "fieldId": "incident_urls", + "isVisible": true + }, + { + "fieldId": "incident_urlsslverification", + "isVisible": true + }, + { + "fieldId": "incident_usecasedescription", + "isVisible": true + }, + { + "fieldId": "incident_useraccountcontrol", + "isVisible": true + }, + { + "fieldId": "incident_users", + "isVisible": true + }, + { + "fieldId": "incident_usersid", + "isVisible": true + } + ], + "isVisible": true, + "name": "Custom Fields", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_labels", + "isVisible": true + } + ], + "isVisible": true, + "name": "Labels", + "query": null, + "queryType": "", + "readOnly": true, + "type": "labels" + } + ] + }, + "system": false, + "version": -1, + "fromVersion": "6.10.0", + "marketplaces": ["marketplacev2"], + "description": "" +} \ No newline at end of file 
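Review bot: The "Alert Extended Information" dynamic section queries `"query": "CortexXDRAdditionalAlertInformationWidget"`, but this commit adds `XCloudAdditionalAlertInformationWidget` and the release notes present that script as the one backing the new layout; if the new script is the intended source, the section should read `"query": "XCloudAdditionalAlertInformationWidget"`. If the Cortex XDR script is reused on purpose, that is a cross-pack dependency the pack would need to declare, which I cannot see from this diff. Several items in the "Alert Information" section share `"index": 1` and some carry a `listId` of a different section (`caseinfoid-9d68c810-...` inside `caseinfoid-psvkrie7fh-...`), which looks like residue from a copied layout; if the exporter tolerates it, a one-line remark in the PR would save the next reviewer the same question. The top-level `"description": ""` is empty while the layout rule describes the same artifact; a copy of that sentence would make the container self-describing.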
diff --git a/Packs/CloudIncidentResponse/ReleaseNotes/1_0_10.md b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_10.md new file mode 100644 index 000000000000..587276b9f0dd --- /dev/null +++ b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_10.md @@ -0,0 +1,18 @@ + +#### Layout Rules + +##### New: Cloud Alerts Layout Rule + +- New: Cloud Alerts layout Rule (Available from Cortex XSIAM 2.0). + +#### Layouts + +##### New: Cloud Alerts + +- New: Cloud Alerts layout (Available from Cortex XSIAM 2.0). + +#### Scripts + +##### New: XCloudAdditionalAlertInformationWidget + +- New: This script retrieves additional original alert information from the context. (Available from Cortex XCLOUD). diff --git a/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/README.md b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/README.md new file mode 100644 index 000000000000..0e3c5c43a79e --- /dev/null +++ b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/README.md @@ -0,0 +1,30 @@ +This script retrieves additional original alert information from the context. + +## Script Data + +--- + +| **Name** | **Description** | +| --- | --- | +| Script Type | python3 | +| Tags | dynamic-section | +| Cortex XSOAR Version | 6.10.0 | + +## Dependencies + +--- +This script uses the following commands and scripts. + +* SetByIncidentId +* core-get-cloud-original-alerts +* Cortex Core - IR + +## Inputs + +--- +There are no inputs for this script. + +## Outputs + +--- +There are no outputs for this script. diff --git a/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.py b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.py new file mode 100644 index 000000000000..8354f6626322 --- /dev/null 
+++ b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.py 
@@ -0,0 +1,72 @@ +from CommonServerPython import * # noqa: F401 + + +''' COMMAND FUNCTION ''' + + +def get_additonal_info() -> List[Dict]: + alerts = demisto.context().get('Core', {}).get('OriginalAlert') + if not alerts: + raise DemistoException('Original Alert is not configured in context') + if not isinstance(alerts, list): + alerts = [alerts] + + results = [] + for alert in alerts: + alert_event = alert.get('event') + res = {'Alert Full Description': alert.get('alert_full_description'), + 'Detection Module': alert.get('detection_modules'), + 'Vendor': alert_event.get('vendor'), + 'Provider': alert_event.get('cloud_provider'), + 'Log Name': alert_event.get('log_name'), + 'Event Type': demisto.get(alert_event, 'raw_log.eventType'), + 'Caller IP': alert_event.get('caller_ip'), + 'Caller IP Geo Location': alert_event.get('caller_ip_geolocation'), + 'Resource Type': alert_event.get('resource_type'), + 'Identity Name': alert_event.get('identity_name'), + 'Operation Name': alert_event.get('operation_name'), + 'Operation Status': alert_event.get('operation_status'), + 'User Agent': alert_event.get('user_agent')} + results.append(res) + indicators = [res.get('Caller IP') for res in results] + indicators_callable = indicators_value_to_clickable(indicators) + for res in results: + res['Caller IP'] = indicators_callable.get(res.get('Caller IP')) + return results + + +def verify_list_type(original_alert_data): + if isinstance(original_alert_data, list): + res = original_alert_data[0].get('EntryContext') + res['OriginalAlert'] = res.pop('Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)') + if isinstance(res['OriginalAlert'], list): + res['OriginalAlert'] = res['OriginalAlert'][0] + return res + return None + + +''' MAIN FUNCTION ''' + + +def main(): # pragma: no cover + try: + alert_context = demisto.investigation() + core_alert_context = demisto.context().get('Core', {}) + if not core_alert_context.get('OriginalAlert'): + original_alert_data = 
demisto.executeCommand('core-get-cloud-original-alerts', {"alert_ids": alert_context.get('id')}) + if original_alert_data: + res = verify_list_type(original_alert_data) + demisto.executeCommand('SetByIncidentId', {"key": "Core", "value": res, "id": alert_context.get('id')}) + results = get_additonal_info() + command_results = CommandResults( + readable_output=tableToMarkdown('Original Alert Additional Information', results, + headers=list(results[0].keys()) if results else None)) + return_results(command_results) + except Exception as ex: + return_error(f'Failed to execute AdditionalAlertInformationWidget. Error: {str(ex)}') + + +''' ENTRY POINT ''' + +if __name__ in ('__main__', '__builtin__', 'builtins'): + main() diff --git a/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.yml b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.yml new file mode 100644 index 000000000000..1756f7738de6 --- /dev/null +++ b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget.yml @@ -0,0 +1,21 @@ +commonfields: + id: XCloudAdditionalAlertInformationWidget + version: -1 +name: XCloudAdditionalAlertInformationWidget +script: '' +type: python +tags: +- dynamic-section +comment: This script retrieves additional original alert information from the context. +enabled: true +scripttarget: 0 +subtype: python3 +runonce: false +dockerimage: demisto/python3:3.10.13.83255 +runas: DBotWeakRole +engineinfo: {} +fromversion: 6.10.0 +marketplaces: +- marketplacev2 +tests: +- No tests (auto formatted) diff --git a/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget_test.py b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget_test.py new file mode 100644 index 000000000000..680a79d4c3c8 
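Review bot: `get_additonal_info` dereferences `alert.get('event')` with no guard, so an original alert without an `event` object fails with an AttributeError instead of a readable message; `alert_event = alert.get('event') or {}` keeps the row with empty cells. In `main`, the result of `demisto.executeCommand('core-get-cloud-original-alerts', ...)` goes to `verify_list_type` without an error check, and an error entry has no `EntryContext`, so the `.get('EntryContext')` yields None and the following `res.pop(...)` raises; add `if is_error(original_alert_data): raise DemistoException(get_error(original_alert_data))` before the call. `verify_list_type` keeps only `res['OriginalAlert'][0]`, silently dropping further alerts, and writing the result under key `"Core"` via `SetByIncidentId` presumably replaces whatever else lived under `Core` for that incident — both deserve a comment if intentional. The `return_error` text names `AdditionalAlertInformationWidget`; `f'Failed to execute XCloudAdditionalAlertInformationWidget. Error: {str(ex)}'` would match the script id. The typo in `get_additonal_info` is repeated by the test file, so correcting it means touching both.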
--- /dev/null +++ b/Packs/CloudIncidentResponse/Scripts/XCloudAdditionalAlertInformationWidget/XCloudAdditionalAlertInformationWidget_test.py 
@@ -0,0 +1,62 @@
+import unittest
+from unittest.mock import patch
+from XCloudAdditionalAlertInformationWidget import *
+
+
+class TestXCloudAdditionalAlertInformationWidget(unittest.TestCase):
+
+ @patch('demistomock.context', return_value={'Core': {'OriginalAlert': [{'event': {'alert_full_description': None,
+ 'detection_modules': None,
+ 'vendor': 'Vendor1',
+ 'cloud_provider': 'AWS',
+ 'log_name': 'SecurityLog',
+ 'raw_log': {'eventType': 'Event1'},
+ 'caller_ip': '192.168.1.1',
+ 'caller_ip_geolocation': 'Location1',
+ 'resource_type': 'ResourceType1',
+ 'identity_name': 'User1',
+ 'operation_name': 'Operation1',
+ 'operation_status': 'Success',
+ 'user_agent': 'Browser1'}}]}})
+ def test_get_additonal_info(self, mock_context):
+ # Test with a mock context containing one original alert
+ expected_result = [{'Alert Full Description': None,
+ 'Detection Module': None,
+ 'Vendor': 'Vendor1',
+ 'Provider': 'AWS',
+ 'Log Name': 'SecurityLog',
+ 'Event Type': 'Event1',
+ 'Caller IP': None,
+ 'Caller IP Geo Location': 'Location1',
+ 'Resource Type': 'ResourceType1',
+ 'Identity Name': 'User1',
+ 'Operation Name': 'Operation1',
+ 'Operation Status': 'Success',
+ 'User Agent': 'Browser1'}]
+
+ result = get_additonal_info() # Corrected function name
+ assert result == expected_result
+
+ def test_verify_list_type_dict(self):
+ input_dict = [{
+ "EntryContext": {"Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)": {"id": "123"}}}]
+ expected_output = {"OriginalAlert": {"id": "123"}}
+ output = verify_list_type(input_dict)
+ assert output == expected_output
+
+ def test_verify_list_type_list(self):
+ input_list = [
+ {"EntryContext": {"Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)": {"id": "123"}}}]
+ expected_output = {"OriginalAlert": {"id": "123"}}
+ output = verify_list_type(input_list)
+ assert output == expected_output
+
+ def test_verify_list_type_empty(self):
+ input = None
+ expected_output = None
+ output = verify_list_type(input)
+ assert output == expected_output
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/Packs/CloudIncidentResponse/pack_metadata.json b/Packs/CloudIncidentResponse/pack_metadata.json
index da26f7874a52..a5009ba0f288 100644
--- a/Packs/CloudIncidentResponse/pack_metadata.json
+++ b/Packs/CloudIncidentResponse/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cloud Incident Response",
 "description": "This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.",
 "support": "xsoar",
- "currentVersion": "1.0.9",
+ "currentVersion": "1.0.10",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
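Review bot: `test_get_additonal_info` expects `'Caller IP': None` while the patched context supplies `'caller_ip': '192.168.1.1'`, so either `get_additonal_info` reads the caller address from a key other than `caller_ip` or the test is pinning a dropped field; once the mapping is confirmed against the script (its body is not in this hunk) the expectation should read `'Caller IP': '192.168.1.1'`. `test_verify_list_type_dict` and `test_verify_list_type_list` both pass a one-element list, so the dict branch of `verify_list_type` that the first test is named for is never exercised; change the first input to `input_dict = {"EntryContext": {"Core.OriginalAlert(val.internal_id && val.internal_id == obj.internal_id)": {"id": "123"}}}` so each test covers a distinct shape. Minor style points: `input = None` in `test_verify_list_type_empty` shadows the builtin and could be `payload = None`, and the `# Corrected function name` comment on the `get_additonal_info()` call documents a past edit rather than the test and can be dropped.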
