Inputs groups playbooks improvement xsiam

Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation.yml

@@ -1181,6 +1181,57 @@ inputs:
   required: false
   description: Comment for the ticket.
   playbookInputQuery: null
+inputSections:
+- inputs:
+  - ShouldCloseAutomatically
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, user engagements, and ticketing methods
+- inputs:
+  - autoAccessKeyRemediation
+  - autoBlockIndicators
+  - autoUserRemediation
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - AWS-accessKeyRemediationType
+  - AWS-userRemediationType
+  name: AWS Remediation
+  description: AWS Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - Azure-userRemediationType
+  name: Azure Remediation
+  description: Azure Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - GCP-accessKeyRemediationType
+  - GCP-userRemediationType
+  name: GCP Remediation
+  description: GCP Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - ShouldOpenTicket
+  - description
+  - CommentToAdd
+  - addCommentPerEndpoint
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)

Packs/CloudIncidentResponse/Playbooks/playbook-Cloud_IAM_User_Access_Investigation_README.md

@@ -10,15 +10,15 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
-* Cloud IAM Enrichment - Generic
-* Handle False Positive Alerts
+* Ticket Management - Generic
 * Enrichment for Verdict
 * Cloud Response - Generic
-* Ticket Management - Generic
+* Handle False Positive Alerts
+* Cloud IAM Enrichment - Generic
 
 ### Integrations
 
-* CortexCoreIR
+This playbook does not use any integrations.
 
 ### Scripts
 

Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml

@@ -1265,6 +1265,74 @@ inputs:
   required: false
   description: Comment for the ticket.
   playbookInputQuery: null
+inputSections:
+- inputs:
+  - SOCEmailAddress
+  - requireAnalystReview
+  - ShouldCloseAutomatically
+  - ShouldHandleFPautomatically
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, user engagements, and ticketing methods
+- inputs:
+  - ResolveIP
+  - InternalRange
+  name: Enrichment
+  description: Enrichment settings and data, including assets and indicators enrichment using third-side enrichers.
+- inputs:
+  - autoAccessKeyRemediation
+  - autoBlockIndicators
+  - autoResourceRemediation
+  - autoUserRemediation
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - AWS-accessKeyRemediationType
+  - AWS-resourceRemediationType
+  - AWS-userRemediationType
+  name: AWS Remediation
+  description: AWS Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - Azure-resourceRemediationType
+  - Azure-userRemediationType
+  name: Azure Remediation
+  description: Azure Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - GCP-accessKeyRemediationType
+  - GCP-resourceRemediationType
+  - GCP-userRemediationType
+  name: GCP Remediation
+  description: GCP Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - alert_id
+  - cloudProvider
+  name: Alert Data
+  description: Alert details and metadata.
+- inputs:
+  - ShouldOpenTicket
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  - description
+  - addCommentPerEndpoint
+  - CommentToAdd
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)

Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md

@@ -29,27 +29,27 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
-* Handle False Positive Alerts
 * Cloud Response - Generic
-* Ticket Management - Generic
-* XCloud Cryptojacking - Set Verdict
 * XCloud Alert Enrichment
+* XCloud Cryptojacking - Set Verdict
+* Ticket Management - Generic
+* Handle False Positive Alerts
 
 ### Integrations
 
-* CortexCoreIR
+This playbook does not use any integrations.
 
 ### Scripts
 
-* LoadJSON
 * IncreaseIncidentSeverity
+* LoadJSON
 
 ### Commands
 
-* closeInvestigation
-* core-get-cloud-original-alerts
 * send-mail
 * setParentIncidentField
+* closeInvestigation
+* core-get-cloud-original-alerts
 
 ## Playbook Inputs
 

Packs/CloudIncidentResponse/ReleaseNotes/1_0_11.md

@@ -0,0 +1,10 @@
+
+#### Playbooks
+
+##### Cloud IAM User Access Investigation
+
+Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).
+
+##### XCloud Cryptojacking
+
+Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Packs/CloudIncidentResponse/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cloud Incident Response",
     "description": "This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.",
     "support": "xsoar",
-    "currentVersion": "1.0.10",
+    "currentVersion": "1.0.11",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling.yml

@@ -1647,6 +1647,26 @@ inputs:
     Whether to clear the user's active Okta sessions using the 'Containment Plan' su-playbook.
     Possible values are: "True" and "False".
   playbookInputQuery:
+inputSections:
+- inputs:
+  - RelatedAlertsThreshold
+  - FailedLogonThreshold
+  - OktaSuspiciousEventsThreshold
+  - AzureMfaFailedLogonThreshold
+  name: Investigation
+  description: Investigation settings and data, including any deep dive incident investigation and verdict determination.
+- inputs:
+  - AutoRemediation
+  - AutoContainment
+  - UserContainment
+  - ClearUserSessions
+  - IAMRemediationType
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)

Packs/Core/Playbooks/playbook-Identity_Analytics_-_Alert_Handling_README.md

@@ -1,13 +1,13 @@
 The `Identity Analytics - Alert Handling` playbook is designed to handle Identity Analytics alerts and executes the following:
 
 Analysis:
-Enriches the IP and the account, providing additional context and information about these indicators.
+- Enriches the IP and the account, providing additional context and information about these indicators.
 
 Verdict:
-Determines the appropriate verdict based on the data collected from the enrichment phase.
+- Determines the appropriate verdict based on the data collected from the enrichment phase.
 
 Investigation:
-- Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity.
+- Checks for related XDR alerts to the user by Mitre tactics to identify malicious activity.
 - Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook.
 - Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook.
 
@@ -21,13 +21,13 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
-* Cloud IAM Enrichment - Generic
+* Containment Plan
 * Cloud Credentials Rotation - Azure
-* Azure - User Investigation
 * Okta - User Investigation
-* Containment Plan
-* Account Enrichment - Generic v2.1
+* Azure - User Investigation
 * Get entity alerts by MITRE tactics
+* Account Enrichment - Generic v2.1
+* Cloud IAM Enrichment - Generic
 
 ### Integrations
 
@@ -41,9 +41,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Commands
 
+* ip
 * core-get-cloud-original-alerts
 * closeInvestigation
-* ip
 
 ## Playbook Inputs
 
@@ -52,14 +52,14 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
 | AutoRemediation | Whether to execute the remediation flow automatically.<br/>Possible values are: "True" and "False". | False | Optional |
-| RelatedAlertsThreshold | This is the minimum threshold for Cortex XSIAM related alerts of medium severity or higher, based on MITRE tactics used to identify malicious activity by the user in the last day.<br/>Example: If this input is set to '5' and it detects '6' XSIAM related alerts, it will classify this check as indicating malicious activity. | 5 | Optional |
-| FailedLogonThreshold | This is the minimum threshold for user login failures within the last day.<br/>Example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity. | 30 | Optional |
-| OktaSuspiciousEventsThreshold | This is the minimum threshold for suspicious Okta activity events by the user in the last day.<br/>example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity. | 5 | Optional |
-| AzureMfaFailedLogonThreshold | This is the minimum threshold for MFA failed logins by the user in the last day. Required to determine how many MFA failed logon events count as malicious events. | 10 | Optional |
+| RelatedAlertsThreshold | This is the minimum threshold for XSIAM related alerts of medium severity or higher, based on MITRE tactics used to identify malicious activity by the user in the last 1 day.<br/>Example: If this input is set to '5' and it detects '6' XSIAM related alerts, it will classify this check as indicating malicious activity.<br/>The default value is '5'. | 5 | Optional |
+| FailedLogonThreshold | This is the minimum threshold for user login failures within the last 1 day.<br/>example: If this input is set to '30', and the 'Okta - User Investigation' or the 'Azure - User Investigation' sub-playbooks have found 31 failed login attempts - It will classify this behavior as malicious activity.<br/>The default value is '30'. | 30 | Optional |
+| OktaSuspiciousEventsThreshold | This is the minimum threshold for suspicious Okta activity events by the user in the last 1 day.<br/>example: If this input is set to '5', and the 'Okta - User Investigation' sub-playbooks have found 6 events of suspicious activity by the user - It will classify this behavior as malicious activity.<br/>The default value is '5'. | 5 | Optional |
+| AzureMfaFailedLogonThreshold | This is the minimum threshold for MFA failed logins by the user in the last 1 day. Required to determine how many MFA failed logon events count as malicious events. | 10 | Optional |
 | IAMRemediationType | The response on 'Cloud Credentials Rotation - Azure' sub-playbook provides the following remediation actions using MSGraph Users:<br/><br/>Reset: By entering "Reset" in the input, the playbook will execute password reset.<br/><br/>Revoke: By entering "Revoke" in the input, the playbook will revoke the user's session.<br/><br/>ALL: By entering "ALL" in the input, the playbook will execute the reset password and revoke session tasks. | Revoke | Optional |
 | AutoContainment | Whether to execute containment plan \(except isolation\) automatically.<br/>Possible values are: "True" and "False". | False | Optional |
-| UserContainment | Whether to disable the user account using the 'Containment Plan' sbu-playbook.<br/>Possible values are: "True" and "False". | False | Optional |
-| ClearUserSessions | Whether to clear the user's active Okta sessions using the 'Containment Plan' sub-playbook.<br/>Possible values are: "True" and "False". | True | Optional |
+| UserContainment | Whether to disable the user account using the 'Containment Plan' su-playbook.<br/>Possible values are: "True" and "False". | False | Optional |
+| ClearUserSessions | Whether to clear the user's active Okta sessions using the 'Containment Plan' su-playbook.<br/>Possible values are: "True" and "False". | True | Optional |
 
 ## Playbook Outputs
 

Packs/Core/ReleaseNotes/3_0_6.md

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Identity Analytics - Alert Handling
+
+Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "3.0.5",
+    "currentVersion": "3.0.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",