diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml
index 2718e3254430..2c10970abd1d 100644
--- a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml
@@ -995,6 +995,12 @@ view: |-
     }
   }
 inputs:
+- key: ShouldCloseAutomatically
+  value:
+    simple: "False"
+  required: false
+  description: Whether to close alerts automatically as a false positive. (True/False).
+  playbookInputQuery:
 - key: autoAccessKeyRemediation
   value:
     simple: "False"
@@ -1068,119 +1074,158 @@ inputs:
     Delete - For deleting the user.
     Disable - For disabling the user.
   playbookInputQuery:
-- key: ShouldCloseAutomatically
+- key: ShouldOpenTicket
   value:
     simple: "False"
   required: false
-  description: Whether to close alerts automatically as a false positive. (True/False).
+  description: Whether to open a ticket automatically in a ticketing system. (True/False).
   playbookInputQuery:
-- key: ShouldOpenTicket
+- key: description
   value:
-    simple: "False"
+    simple: ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}
   required: false
-  description: Whether to open a ticket automatically in a ticketing system. (True/False).
-  playbookInputQuery: null
+  description: The ticket description.
+  playbookInputQuery:
+- key: CommentToAdd
+  value:
+    simple: '${alert.name}. Alert ID: ${alert.id}'
+  required: false
+  description: Comment for the ticket.
+  playbookInputQuery:
+- key: addCommentPerEndpoint
+  value:
+    simple: "True"
+  required: false
+  description: 'Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.'
+  playbookInputQuery:
 - key: serviceNowShortDescription
   value:
     simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
   required: false
   description: A short description of the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowImpact
   value: {}
   required: false
   description: The impact for the new ticket. Leave empty for ServiceNow default impact.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowUrgency
   value: {}
   required: false
   description: The urgency of the new ticket. Leave empty for ServiceNow default urgency.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowSeverity
   value: {}
   required: false
-  description: The severity of the new ticket. Leave empty for ServiceNow default
-    severity.
-  playbookInputQuery: null
+  description: The severity of the new ticket. Leave empty for ServiceNow default severity.
+  playbookInputQuery:
 - key: serviceNowTicketType
   value: {}
   required: false
-  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request",
-    "sc_request", "sc_task", or "sc_req_item". Default is "incident".
-  playbookInputQuery: null
+  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
+  playbookInputQuery:
 - key: serviceNowCategory
   value: {}
   required: false
   description: The category of the ServiceNow ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowAssignmentGroup
   value: {}
   required: false
   description: The group to which to assign the new ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskPriority
   value: {}
   required: false
-  description: The urgency with which the ticket should be addressed. Allowed values
-    are "urgent", "high", "normal", or "low".
-  playbookInputQuery: null
+  description: The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
+  playbookInputQuery:
 - key: ZendeskRequester
   value: {}
   required: false
   description: The user who requested this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskStatus
   value: {}
   required: false
-  description: The state of the ticket. Allowed values are "new", "open", "pending",
-    "hold", "solved", or "closed".
-  playbookInputQuery: null
+  description: The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
+  playbookInputQuery:
 - key: ZendeskSubject
   value:
     simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
   required: false
   description: The value of the subject field for this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskTags
   value: {}
   required: false
   description: The array of tags applied to this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskType
   value: {}
   required: false
-  description: The type of this ticket. Allowed values are "problem", "incident",
-    "question", or "task".
-  playbookInputQuery: null
+  description: The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
+  playbookInputQuery:
 - key: ZendeskAssigne
   value: {}
   required: false
   description: The agent currently assigned to the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskCollaborators
   value: {}
   required: false
   description: The users currently CC'ed on the ticket.
-  playbookInputQuery: null
-- key: description
-  value:
-    simple: ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}
-  required: false
-  description: The ticket description.
-  playbookInputQuery: null
-- key: addCommentPerEndpoint
-  value:
-    simple: "True"
-  required: false
-  description: 'Whether to append a new comment to the ticket for each endpoint in the incident.
-    Possible values: True/False.'
-  playbookInputQuery: null
-- key: CommentToAdd
-  value:
-    simple: '${alert.name}. Alert ID: ${alert.id}'
-  required: false
-  description: Comment for the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
+inputSections:
+- inputs:
+  - ShouldCloseAutomatically
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, user engagements, and ticketing methods.
+- inputs:
+  - autoAccessKeyRemediation
+  - autoBlockIndicators
+  - autoUserRemediation
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - AWS-accessKeyRemediationType
+  - AWS-userRemediationType
+  name: AWS Remediation
+  description: AWS Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - Azure-userRemediationType
+  name: Azure Remediation
+  description: Azure Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - GCP-accessKeyRemediationType
+  - GCP-userRemediationType
+  name: GCP Remediation
+  description: GCP Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - ShouldOpenTicket
+  - description
+  - CommentToAdd
+  - addCommentPerEndpoint
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md
index ab04e6c72156..73ef71a75b89 100644
--- a/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md
@@ -10,15 +10,15 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
+* Ticket Management - Generic
 * Cloud IAM Enrichment - Generic
-* Handle False Positive Alerts
-* Enrichment for Verdict
 * Cloud Response - Generic
-* Ticket Management - Generic
+* Enrichment for Verdict
+* Handle False Positive Alerts
 ### Integrations
-* CortexCoreIR
+This playbook does not use any integrations.
 ### Scripts
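Review bot: The boolean-style inputs added on the new side of this hunk describe their accepted values in two different forms — `Whether to open a ticket automatically in a ticketing system. (True/False).` for `ShouldOpenTicket` versus `Possible values: True/False.` for `addCommentPerEndpoint` — while both are string inputs defaulting to a quoted `"False"`/`"True"`; one phrasing, e.g. `Possible values: True/False.`, on all three (including `ShouldCloseAutomatically` in the first hunk) would make the input panel read consistently. The new `Alert Management` section description ends with `and ticketing methods.` although the only input it groups is `ShouldCloseAutomatically` and every ticketing input sits in `Ticket Management`; `Alert management settings and data, including escalation processes and user engagements.` avoids sending operators to the wrong group, and the same wording is added to `playbook-XCloud_Cryptomining.yml` later in this diff. The `Ticket Management` section groups inputs whose defaults carry `${parentIncidentFields.description}`, `${parentIncidentFields.xdr_url}` and `${alert.name}. Alert ID: ${alert.id}` into ServiceNow or Zendesk, so its one-line description `Ticket management settings and data.` could say that, e.g. `Ticket management settings and data; the description and comment defaults copy incident details into the external ticketing system.`, so operators know what leaves the platform when `ShouldOpenTicket` is enabled.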
@@ -26,9 +26,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Commands
-* setParentIncidentFields
-* closeInvestigation
 * core-get-cloud-original-alerts
+* closeInvestigation
+* setParentIncidentFields
 ## Playbook Inputs
@@ -36,6 +36,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
+| ShouldCloseAutomatically | Whether to close alerts automatically as a false positive. \(True/False\). | False | Optional |
 | autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
 | autoBlockIndicators | Whether to block the indicators automatically. | True | Optional |
 | autoUserRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
@@ -44,8 +45,10 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | Azure-userRemediationType | Choose the remediation type for the user involved.

Azure available types:
Disable - for disabling the user.
Delete - for deleting the user. | Disable | Optional |
 | GCP-accessKeyRemediationType | Choose the remediation type for the user's access key.

GCP available types:
Disable - For disabling the user's access key.
Delete - For deleting the user's access key. | Disable | Optional |
 | GCP-userRemediationType | Choose the remediation type for the user involved.

GCP available types:
Delete - For deleting the user.
Disable - For disabling the user. | Disable | Optional |
-| ShouldCloseAutomatically | Whether to close alerts automatically as a false positive. \(True/False\). | False | Optional |
 | ShouldOpenTicket | Whether to open a ticket automatically in a ticketing system. \(True/False\). | False | Optional |
+| description | The ticket description. | ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url} | Optional |
+| CommentToAdd | Comment for the ticket. | ${alert.name}. Alert ID: ${alert.id} | Optional |
+| addCommentPerEndpoint | Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False. | True | Optional |
 | serviceNowShortDescription | A short description of the ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
 | serviceNowImpact | The impact for the new ticket. Leave empty for ServiceNow default impact. | | Optional |
 | serviceNowUrgency | The urgency of the new ticket. Leave empty for ServiceNow default urgency. | | Optional |
@@ -61,9 +64,6 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | ZendeskType | The type of this ticket. Allowed values are "problem", "incident", "question", or "task". | | Optional |
 | ZendeskAssigne | The agent currently assigned to the ticket. | | Optional |
 | ZendeskCollaborators | The users currently CC'ed on the ticket. | | Optional |
-| description | The ticket description. | ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url} | Optional |
-| addCommentPerEndpoint | Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False. | True | Optional |
-| CommentToAdd | Comment for the ticket. | ${alert.name}. Alert ID: ${alert.id} | Optional |
 ## Playbook Outputs
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml
index ac373c2492dc..a72d764c378d 100644
--- a/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml
@@ -997,14 +997,8 @@ view: |-
     }
   }
 inputs:
-- key: alert_id
-  value: {}
-  required: false
-  description: The alert ID.
-  playbookInputQuery:
 - key: SOCEmailAddress
-  value:
-    simple:
+  value: {}
   required: false
   description: The SOC email address to use for the alert status notification.
   playbookInputQuery:
@@ -1026,6 +1020,30 @@ inputs:
   required: false
   description: Should we automatically handle false positive alerts? Specify true/false.
   playbookInputQuery:
+- key: cloudProvider
+  value:
+    complex:
+      root: alert
+      accessor: cloudprovider
+  required: false
+  description: The cloud service provider involved.
+  playbookInputQuery:
+- key: alert_id
+  value: {}
+  required: false
+  description: The alert ID.
+  playbookInputQuery:
+- key: ResolveIP
+  value:
+    simple: "True"
+  required: false
+  description: Determines whether to convert the IP address to a hostname using a DNS query (True/ False).
+  playbookInputQuery:
+- key: InternalRange
+  value: {}
+  required: false
+  description: "A list of internal IP ranges to check IP addresses against. \nFor IP Enrichment - Generic v2 playbook."
+  playbookInputQuery:
 - key: autoAccessKeyRemediation
   value:
     simple: "False"
@@ -1105,14 +1123,6 @@ inputs:
     Disable - for disabling the user.
     Delete - for deleting the user.
   playbookInputQuery:
-- key: cloudProvider
-  value:
-    complex:
-      root: alert
-      accessor: cloudprovider
-  required: false
-  description: The cloud service provider involved.
-  playbookInputQuery:
 - key: GCP-accessKeyRemediationType
   value:
     simple: Disable
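Review bot: The re-added `InternalRange` description in the `@@ -1026,6 +1020,30 @@` hunk is a double-quoted scalar with an embedded `\n` and a space before it (`against. \nFor`), which keeps a stray trailing space in the rendered first line and is hard to read; a block scalar carries the same text plainly: `description: |-` / `A list of internal IP ranges to check IP addresses against.` / `For IP Enrichment - Generic v2 playbook.`. The `ResolveIP` description on the same hunk has a stray space in `(True/ False)`, and because the input defaults to `"True"`, alert IPs are presumably resolved over DNS unless an operator turns it off; a sentence noting that external addresses will be looked up by the platform's resolver would help operators decide whether to keep the default. The `cloudProvider` and `alert_id` moves in the first and third hunks are ordering only.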
@@ -1146,125 +1156,172 @@ inputs:
     Delete - For deleting the user.
     Disable - For disabling the user.
   playbookInputQuery:
-- key: ResolveIP
-  value:
-    simple: "True"
-  required: false
-  description: Determines whether to convert the IP address to a hostname using a DNS query (True/ False).
-  playbookInputQuery:
-- key: InternalRange
-  value: {}
-  required: false
-  description: "A list of internal IP ranges to check IP addresses against. \nFor
-    IP Enrichment - Generic v2 playbook."
-  playbookInputQuery: null
 - key: ShouldOpenTicket
   value:
     simple: "False"
   required: false
   description: Whether to open a ticket automatically in a ticketing system. (True/False).
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowShortDescription
   value:
     simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
   required: false
   description: A short description of the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowImpact
   value: {}
   required: false
   description: The impact for the new ticket. Leave empty for ServiceNow default impact.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowUrgency
   value: {}
   required: false
   description: The urgency of the new ticket. Leave empty for ServiceNow default urgency.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowSeverity
   value: {}
   required: false
-  description: The severity of the new ticket. Leave empty for ServiceNow default
-    severity.
-  playbookInputQuery: null
+  description: The severity of the new ticket. Leave empty for ServiceNow default severity.
+  playbookInputQuery:
 - key: serviceNowTicketType
   value: {}
   required: false
-  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request",
-    "sc_request", "sc_task", or "sc_req_item". Default is "incident".
-  playbookInputQuery: null
+  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
+  playbookInputQuery:
 - key: serviceNowCategory
   value: {}
   required: false
   description: The category of the ServiceNow ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: serviceNowAssignmentGroup
   value: {}
   required: false
   description: The group to which to assign the new ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskPriority
   value: {}
   required: false
-  description: The urgency with which the ticket should be addressed. Allowed values
-    are "urgent", "high", "normal", or "low".
-  playbookInputQuery: null
+  description: The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
+  playbookInputQuery:
 - key: ZendeskRequester
   value: {}
   required: false
   description: The user who requested this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskStatus
   value: {}
   required: false
-  description: The state of the ticket. Allowed values are "new", "open", "pending",
-    "hold", "solved", or "closed".
-  playbookInputQuery: null
+  description: The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
+  playbookInputQuery:
 - key: ZendeskSubject
   value:
     simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
   required: false
   description: The value of the subject field for this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskTags
   value: {}
   required: false
   description: The array of tags applied to this ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskType
   value: {}
   required: false
-  description: The type of this ticket. Allowed values are "problem", "incident",
-    "question", or "task".
-  playbookInputQuery: null
+  description: The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
+  playbookInputQuery:
 - key: ZendeskAssigne
   value: {}
   required: false
   description: The agent currently assigned to the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: ZendeskCollaborators
   value: {}
   required: false
   description: The users currently CC'ed on the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: description
   value:
     simple: ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}
   required: false
   description: The ticket description.
-  playbookInputQuery: null
+  playbookInputQuery:
 - key: addCommentPerEndpoint
   value:
     simple: "True"
   required: false
-  description: 'Whether to append a new comment to the ticket for each endpoint in the incident.
-    Possible values: True/False.'
-  playbookInputQuery: null
+  description: 'Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.'
+  playbookInputQuery:
 - key: CommentToAdd
   value:
     simple: '${alert.name}. Alert ID: ${alert.id}'
   required: false
   description: Comment for the ticket.
-  playbookInputQuery: null
+  playbookInputQuery:
+inputSections:
+- inputs:
+  - SOCEmailAddress
+  - requireAnalystReview
+  - ShouldCloseAutomatically
+  - ShouldHandleFPautomatically
+  - cloudProvider
+  - alert_id
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, user engagements, and ticketing methods.
+- inputs:
+  - ResolveIP
+  - InternalRange
+  name: Enrichment
+  description: Enrichment settings and data, including assets and indicators enrichment using third-party enrichers.
+- inputs:
+  - autoAccessKeyRemediation
+  - autoBlockIndicators
+  - autoResourceRemediation
+  - autoUserRemediation
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - AWS-accessKeyRemediationType
+  - AWS-resourceRemediationType
+  - AWS-userRemediationType
+  name: AWS Remediation
+  description: AWS Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - Azure-resourceRemediationType
+  - Azure-userRemediationType
+  name: Azure Remediation
+  description: Azure Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - GCP-accessKeyRemediationType
+  - GCP-resourceRemediationType
+  - GCP-userRemediationType
+  name: GCP Remediation
+  description: GCP Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - ShouldOpenTicket
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  - description
+  - addCommentPerEndpoint
+  - CommentToAdd
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)
diff --git a/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md
index b43ab74421f3..d1c154e3bb7b 100644
--- a/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md
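Review bot: The new `Ticket Management` section in `inputSections` lists `description`, `addCommentPerEndpoint` and `CommentToAdd` after `ZendeskCollaborators`, whereas the same section added to `playbook-Cloud_IAM_User_Access_Investigation.yml` earlier in this diff places them directly after `ShouldOpenTicket`; the two playbooks expose the same ticketing inputs, so the panels would read the same if one order were used in both. The section order mirrors the physical order of the `- key:` entries in each file, so the simplest fix is to move the three `inputSections` entries up to follow `- ShouldOpenTicket`, matching the IAM playbook. The `Enrichment` section is the only place `ResolveIP` and `InternalRange` are now surfaced, so its description `Enrichment settings and data, including assets and indicators enrichment using third-party enrichers.` could mention that it also controls DNS resolution of alert IPs, which is the behaviour operators are most likely to want to find.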
@@ -29,26 +29,26 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
-* Handle False Positive Alerts
-* Cloud Response - Generic
-* Ticket Management - Generic
 * XCloud Cryptojacking - Set Verdict
 * XCloud Alert Enrichment
+* Ticket Management - Generic
+* Cloud Response - Generic
+* Handle False Positive Alerts
 ### Integrations
-* CortexCoreIR
+This playbook does not use any integrations.
 ### Scripts
-* LoadJSON
 * IncreaseIncidentSeverity
+* LoadJSON
 ### Commands
 * closeInvestigation
-* core-get-cloud-original-alerts
 * send-mail
+* core-get-cloud-original-alerts
 * setParentIncidentField
 ## Playbook Inputs
@@ -57,11 +57,14 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
-| alert_id | The alert ID. | | Optional |
-| SOCEmailAddress | The SOC email address to use for the alert status notification. | None | Optional |
+| SOCEmailAddress | The SOC email address to use for the alert status notification. | | Optional |
 | requireAnalystReview | Whether to require an analyst review after the alert remediation. | True | Optional |
 | ShouldCloseAutomatically | Should we automatically close false positive alerts? Specify true/false. | False | Optional |
 | ShouldHandleFPautomatically | Should we automatically handle false positive alerts? Specify true/false. | False | Optional |
+| cloudProvider | The cloud service provider involved. | alert.cloudprovider | Optional |
+| alert_id | The alert ID. | | Optional |
+| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query \(True/ False\). | True | Optional |
+| InternalRange | A list of internal IP ranges to check IP addresses against.
For IP Enrichment - Generic v2 playbook. | | Optional |
 | autoAccessKeyRemediation | Whether to execute the user remediation flow automatically. | False | Optional |
 | autoBlockIndicators | Whether to block the indicators automatically. | False | Optional |
 | autoResourceRemediation | Whether to execute the resource remediation flow automatically. | False | Optional |
@@ -71,12 +74,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | AWS-userRemediationType | Choose the remediation type for the user involved.

AWS available types:
Delete - for the user deletion.
Revoke - for revoking the user's credentials. | Revoke | Optional |
 | Azure-resourceRemediationType | Choose the remediation type for the instances created.

Azure available types:
Poweroff - for shutting down the instances.
Delete - for deleting the instances. | Poweroff | Optional |
 | Azure-userRemediationType | Choose the remediation type for the user involved.

Azure available types:
Disable - for disabling the user.
Delete - for deleting the user. | Disable | Optional |
-| cloudProvider | The cloud service provider involved. | alert.cloudprovider | Optional |
 | GCP-accessKeyRemediationType | Choose the remediation type for the user's access key.

GCP available types:
Disable - For disabling the user's access key.
Delete - For the deleting user's access key. | Disable | Optional |
 | GCP-resourceRemediationType | Choose the remediation type for the instances created.

GCP available types:
Stop - For stopping the instances.
Delete - For deleting the instances. | Stop | Optional |
 | GCP-userRemediationType | Choose the remediation type for the user involved.

GCP available types:
Delete - For deleting the user.
Disable - For disabling the user. | Disable | Optional |
-| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query \(True/ False\). | True | Optional |
-| InternalRange | A list of internal IP ranges to check IP addresses against.
For IP Enrichment - Generic v2 playbook. | | Optional |
 | ShouldOpenTicket | Whether to open a ticket automatically in a ticketing system. \(True/False\). | False | Optional |
 | serviceNowShortDescription | A short description of the ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
 | serviceNowImpact | The impact for the new ticket. Leave empty for ServiceNow default impact. | | Optional |
diff --git a/Packs/CloudIncidentResponse/ReleaseNotes/1_0_12.md b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_12.md
new file mode 100644
index 000000000000..c3d2b58fb8a7
--- /dev/null
+++ b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_12.md
@@ -0,0 +1,10 @@
+
+#### Playbooks
+
+##### Cloud IAM User Access Investigation
+
+Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).
+
+##### XCloud Cryptojacking
+
+Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).
diff --git a/Packs/CloudIncidentResponse/pack_metadata.json b/Packs/CloudIncidentResponse/pack_metadata.json
index 8ff44b1c8b58..3a2d09e0107e 100644
--- a/Packs/CloudIncidentResponse/pack_metadata.json
+++ b/Packs/CloudIncidentResponse/pack_metadata.json
@@ -2,7 +2,7 @@
   "name": "Cloud Incident Response",
   "description": "This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.",
   "support": "xsoar",
-  "currentVersion": "1.0.11",
+  "currentVersion": "1.0.12",
   "author": "Cortex XSOAR",
   "url": "https://www.paloaltonetworks.com/cortex",
   "email": "",
diff --git a/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling.yml b/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling.yml
index b6e54225278d..a232a280e28a 100644
--- a/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling.yml
+++ b/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling.yml
@@ -1569,14 +1569,6 @@ view: |-
     }
   }
 inputs:
-- key: AutoRemediation
-  value:
-    simple: "False"
-  required: false
-  description: |-
-    Whether to execute the remediation flow automatically.
-    Possible values are: "True" and "False".
-  playbookInputQuery:
 - key: RelatedAlertsThreshold
   value:
     simple: "5"
@@ -1610,18 +1602,13 @@ inputs:
   required: false
   description: This is the minimum threshold for MFA failed logins by the user in the last 1 day. Required to determine how many MFA failed logon events count as malicious events.
   playbookInputQuery:
-- key: IAMRemediationType
+- key: AutoRemediation
   value:
-    simple: Revoke
+    simple: "False"
   required: false
   description: |-
-    The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users:
-
-    Reset: By entering "Reset" in the input, the playbook will execute password reset.
-
-    Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session.
-
-    ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks.
+    Whether to execute the remediation flow automatically.
+    Possible values are: "True" and "False".
   playbookInputQuery:
 - key: AutoContainment
   value:
@@ -1647,6 +1634,39 @@ inputs:
     Whether to clear the user's active Okta sessions using the 'Containment Plan' su-playbook.
     Possible values are: "True" and "False".
   playbookInputQuery:
+- key: IAMRemediationType
+  value:
+    simple: Revoke
+  required: false
+  description: |-
+    The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users:
+
+    Reset: By entering "Reset" in the input, the playbook will execute password reset.
+
+    Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session.
+
+    ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks.
+  playbookInputQuery:
+inputSections:
+- inputs:
+  - RelatedAlertsThreshold
+  - FailedLogonThreshold
+  - OktaSuspiciousEventsThreshold
+  - AzureMfaFailedLogonThreshold
+  name: Investigation
+  description: Investigation settings and data, including any deep dive incident investigation and verdict determination.
+- inputs:
+  - AutoRemediation
+  - AutoContainment
+  - UserContainment
+  - ClearUserSessions
+  - IAMRemediationType
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)
diff --git a/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling_README.md b/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling_README.md
index 94ffb30130e6..557970410c7c 100644
--- a/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling_README.md
+++ b/Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling_README.md
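Review bot: The re-added `IAMRemediationType` description in the `@@ -1647,6 +1634,39 @@` hunk opens with `The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users:`, which does not parse as a sentence; since the block is rewritten on the new side anyway, `The 'Cloud Credentials Rotation - Azure' sub-playbook performs one of the following remediation actions using MSGraph Users:` says it plainly. The three option lines could drop the repeated `By entering "..." in the input, the playbook will` and read `Reset - resets the user's password.` / `Revoke - revokes the user's session.` / `ALL - resets the password and revokes the session.`, keeping the default `simple: Revoke`, which is arguably the least disruptive of the three for the affected user. The context line immediately above the added block still reads `'Containment Plan' su-playbook` (`sub-playbook`); that typo is not new, but the commit could fix it while it is already reformatting this input list. The new `Remediation` section lists `AutoRemediation` first and `IAMRemediationType` last, which matches the physical order the commit establishes, so the panel and the file agree.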
@@ -1,13 +1,13 @@ The `Identity Analytics - Alert Handling` playbook is designed to handle Identity Analytics alerts and executes the following: Analysis: -Enriches the IP and the account, providing additional context and information about these indicators. +- Enriches the IP and the account, providing additional context and information about these indicators. Verdict: -Determines the appropriate verdict based on the data collected from the enrichment phase. +- Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: -- Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity. +- Checks for related XDR alerts to the user by Mitre tactics to identify malicious activity. - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. @@ -21,13 +21,13 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Cloud IAM Enrichment - Generic * Cloud Credentials Rotation - Azure -* Azure - User Investigation -* Okta - User Investigation * Containment Plan -* Account Enrichment - Generic v2.1 +* Okta - User Investigation +* Azure - User Investigation * Get entity alerts by MITRE tactics +* Cloud IAM Enrichment - Generic +* Account Enrichment - Generic v2.1 ### Integrations @@ -51,15 +51,15 @@ This playbook uses the following sub-playbooks, integrations, and scripts. | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | +| RelatedAlertsThreshold | This is the minimum threshold for XSIAM related alerts of medium severity or higher, based on MITRE tactics used to identify malicious activity by the user in the last 1 day.
Example: If this input is set to '5' and it detects '6' XSIAM related alerts, it will classify this check as indicating malicious activity.
The default value is '5'. | 5 | Optional | +| FailedLogonThreshold | This is the minimum threshold for user login failures within the last 1 day.
example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity.
The default value is '30'. | 30 | Optional | +| OktaSuspiciousEventsThreshold | This is the minimum threshold for suspicious Okta activity events by the user in the last 1 day.
example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity.
The default value is '5'. | 5 | Optional | +| AzureMfaFailedLogonThreshold | This is the minimum threshold for MFA failed logins by the user in the last 1 day. Required to determine how many MFA failed logon events count as malicious events. | 10 | Optional | | AutoRemediation | Whether to execute the remediation flow automatically.
Possible values are: "True" and "False". | False | Optional | -| RelatedAlertsThreshold | This is the minimum threshold for Cortex XSIAM related alerts of medium severity or higher, based on MITRE tactics used to identify malicious activity by the user in the last day.
Example: If this input is set to '5' and it detects '6' XSIAM related alerts, it will classify this check as indicating malicious activity. | 5 | Optional | -| FailedLogonThreshold | This is the minimum threshold for user login failures within the last day.
Example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity. | 30 | Optional | -| OktaSuspiciousEventsThreshold | This is the minimum threshold for suspicious Okta activity events by the user in the last day.
example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity. | 5 | Optional | -| AzureMfaFailedLogonThreshold | This is the minimum threshold for MFA failed logins by the user in the last day. Required to determine how many MFA failed logon events count as malicious events. | 10 | Optional | -| IAMRemediationType | The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users:

Reset: By entering "Reset" in the input, the playbook will execute password reset.

Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session.

ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks. | Revoke | Optional | | AutoContainment | Whether to execute containment plan \(except isolation\) automatically.
Possible values are: "True" and "False". | False | Optional | -| UserContainment | Whether to disable the user account using the 'Containment Plan' sbu-playbook.
Possible values are: "True" and "False". | False | Optional | -| ClearUserSessions | Whether to clear the user's active Okta sessions using the 'Containment Plan' sub-playbook.
Possible values are: "True" and "False". | True | Optional | +| UserContainment | Whether to disable the user account using the 'Containment Plan' su-playbook.
Possible values are: "True" and "False". | False | Optional | +| ClearUserSessions | Whether to clear the user's active Okta sessions using the 'Containment Plan' su-playbook.
Possible values are: "True" and "False". | True | Optional | +| IAMRemediationType | The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users:

Reset: By entering "Reset" in the input, the playbook will execute password reset.

Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session.

ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks. | Revoke | Optional | ## Playbook Outputs diff --git a/Packs/Core/ReleaseNotes/3_0_6.md b/Packs/Core/ReleaseNotes/3_0_6.md new file mode 100644 index 000000000000..6819501b376e --- /dev/null +++ b/Packs/Core/ReleaseNotes/3_0_6.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Identity Analytics - Alert Handling + +Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0). \ No newline at end of file diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json index 83f42984c28b..075d2bd12999 100644 --- a/Packs/Core/pack_metadata.json +++ b/Packs/Core/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Core - Investigation and Response", "description": "Automates incident response", "support": "xsoar", - "currentVersion": "3.0.5", + "currentVersion": "3.0.6", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",