Bugfix/XSUP-30713/add-InternalIPRanges-as-playbook-input

Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml

@@ -342,6 +342,9 @@ tasks:
       xdr_alert_id:
         complex:
           root: inputs.alert_id
+      InternalIPRanges:
+        complex:
+          root: inputs.InternalIPRanges
     separatecontext: true
     continueonerrortype: ""
     loop:
@@ -1459,6 +1462,25 @@ inputs:
   required: false
   description: Alert ID.
   playbookInputQuery:
+- key: InternalIPRanges
+  value:
+    complex:
+      root: lists
+      accessor: PrivateIPs
+      transformers:
+      - operator: RegexReplace
+        args:
+          action_dt: {}
+          ignore_case: {}
+          multi_line: {}
+          output_format: {}
+          period_matches_newline: {}
+          regex:
+            value:
+              simple: IANA_Private_Address
+  required: false
+  description: 'A list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).'
+  playbookInputQuery:
 outputs:
 - contextPath: PaloAltoNetworksXDR.Incident.incident_id
   description: Unique ID assigned to each returned incident.

Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling_README.md

@@ -46,6 +46,7 @@ This playbook does not use any scripts.
 | --- | --- | --- | --- |
 | incident_id | Incident ID. | PaloAltoNetworksXDR.Incident.incident_id | Optional |
 | alert_id | Alert ID. | PaloAltoNetworksXDR.Incident.alerts.alert_id | Optional |
+| InternalIPRanges | A list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). If a list is not provided, will use default list provided in the IsIPInRanges script \(the known IPv4 private address ranges\). | lists.PrivateIPs | Optional |
 
 ## Playbook Outputs
 

Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml

@@ -1608,6 +1608,9 @@ tasks:
       '#none#':
       - "79"
     scriptarguments:
+      InternalIPRanges:
+        complex:
+          root: inputs.InternalRange
       alert_id:
         complex:
           root: PaloAltoNetworksXDR.Incident.alerts
@@ -2013,7 +2016,21 @@ inputs:
   description: This input indicates whether the playbook will hunt for related IOCs. Specify Yes/No.
   playbookInputQuery:
 - key: InternalRange
-  value: {}
+  value:
+    complex:
+      root: lists
+      accessor: PrivateIPs
+      transformers:
+      - operator: RegexReplace
+        args:
+          action_dt: {}
+          ignore_case: {}
+          multi_line: {}
+          output_format: {}
+          period_matches_newline: {}
+          regex:
+            value:
+              simple: IANA_Private_Address
   required: false
   description: "A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list \n\"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16\" (without quotes). \nIf a list is not provided, will use the default list provided in the IsIPInRanges."
   playbookInputQuery:

Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5_README.md

@@ -45,7 +45,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | incident_id | Incident ID. | incident.xdrincidentid | Optional |
 | LinkSimilarIncidents | This input indicates whether the playbook will link similar incidents. To link similar incidents, specify Yes/No. | Yes | Optional |
 | Hunting | This input indicates whether the playbook will hunt for related IOCs. Specify Yes/No. | Yes | Optional |
-| InternalRange | A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list <br/>"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). <br/>If a list is not provided, will use the default list provided in the IsIPInRanges. |  | Optional |
+| InternalRange | A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list <br/>"172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" \(without quotes\). <br/>If a list is not provided, will use the default list provided in the IsIPInRanges. | lists.PrivateIPs | Optional |
 | CriticalUsernames | A comma-separated list of names of critical users in the organization.<br/>This will affect the calculated severity of the incident. | admin,administrator | Optional |
 | CriticalHostnames | A comma-separated list of names of critical endpoints in the organization. This will affect the calculated severity of the incident. |  | Optional |
 | CriticalADGroups | A comma-separated list of DN names of critical Active Directory groups. This will affect the severity calculated for this incident. |  | Optional |

Packs/CortexXDR/ReleaseNotes/6_0_8.md

@@ -0,0 +1,10 @@
+
+#### Playbooks
+
+##### Cortex XDR incident handling v3
+
+- Updated the "Port Scan" sub-playbook to get Internal IP ranges from inputs instead of static value.
+
+##### Cortex XDR Alerts Handling
+
+- Added a new playbook input for Internal IP ranges.

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "6.0.7",
+    "currentVersion": "6.0.8",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",