Endpoint investigation plan enhancement #32007

Status: Merged. 49 commits, merged Feb 11, 2024.
Commits (49)
c1d02ab  changed the investigation actions by performing the investigation tas… (OmriItzhak, Jan 7, 2024)
005349f  RN - Changed the investigation actions by performing the investigatio… (OmriItzhak, Jan 7, 2024)
49f1de3  Merged master into current branch. (Jan 7, 2024)
52d9c2a  Bump pack from version CommonPlaybooks to 2.5.6. (Jan 7, 2024)
e0dec97  Ignore - [PB118] - Playbook Endpoint Investigation Plan contains inp… (OmriItzhak, Jan 7, 2024)
eb6ed64  Merge remote-tracking branch 'origin/endpoint_investigation_plan_enha… (OmriItzhak, Jan 7, 2024)
400f6f3  Merge branch 'master' into endpoint_investigation_plan_enhancement (OmriItzhak, Jan 8, 2024)
a349d8c  Merged master into current branch. (Jan 8, 2024)
2a9fa18  Bump pack from version CommonPlaybooks to 2.5.7. (Jan 8, 2024)
55bd377  Merged master into current branch. (Jan 8, 2024)
247c87b  Bump pack from version CommonPlaybooks to 2.5.8. (Jan 8, 2024)
00640d1  Merge branch 'master' of github.com:demisto/content into endpoint_inv… (OmriItzhak, Jan 14, 2024)
bb4d2b6  Removed the unnecessary input 'timeRange' from the endpoint investig… (OmriItzhak, Jan 14, 2024)
b2054e2  RN - Removed the unnecessary input 'timeRange' from the endpoint inv… (Jan 14, 2024)
0f50020  Merge remote-tracking branch 'origin/endpoint_investigation_plan_enha… (Jan 14, 2024)
dc5e09a  Merge branch 'master' of github.com:demisto/content into endpoint_inv… (Jan 14, 2024)
a7bc7fa  fix conflict (OmriItzhak, Jan 14, 2024)
f77b3fa  fix conflict (OmriItzhak, Jan 14, 2024)
a945c8e  fix conflict pack metadata (OmriItzhak, Jan 14, 2024)
81c3f17  Merge branch 'master' of github.com:demisto/content into endpoint_inv… (OmriItzhak, Jan 17, 2024)
fb2c445  fixes after review (OmriItzhak, Jan 17, 2024)
0a5551a  Merge branch 'master' of github.com:demisto/content into endpoint_inv… (OmriItzhak, Jan 22, 2024)
eeac6f5  fix conflicts (OmriItzhak, Jan 22, 2024)
63061f3  Merge branch 'master' into endpoint_investigation_plan_enhancement (OmriItzhak, Jan 22, 2024)
1113fca  Merge branch 'master' into endpoint_investigation_plan_enhancement (OmriItzhak, Jan 22, 2024)
b09c479  check build with test playbooks ngfw scan (OmriItzhak, Jan 22, 2024)
907abcf  Merge remote-tracking branch 'origin/endpoint_investigation_plan_enha… (OmriItzhak, Jan 22, 2024)
ca961f8  Merged master into current branch. (Jan 22, 2024)
d4a1e46  Bump pack from version Core to 3.0.16. (Jan 22, 2024)
7aaec7d  Bump pack from version CommonPlaybooks to 2.6.5. (Jan 22, 2024)
f4291b2  Merged master into current branch. (Jan 23, 2024)
f75dfa1  Bump pack from version CommonPlaybooks to 2.6.6. (Jan 23, 2024)
8a5ca58  Merged master into current branch. (Jan 23, 2024)
90b1b05  Bump pack from version CommonPlaybooks to 2.6.7. (Jan 23, 2024)
5d6eedd  remove destinationhostname from the query (OmriItzhak, Jan 24, 2024)
df64863  Merge branch 'master' into endpoint_investigation_plan_enhancement (OmriItzhak, Jan 24, 2024)
e9b9c0e  Merged master into current branch. (Jan 25, 2024)
3f4a9af  Bump pack from version Core to 3.0.17. (Jan 25, 2024)
cb3daa3  edit queries (OmriItzhak, Jan 25, 2024)
52df31c  Update playbook-Endpoint_Investigation_Plan.yml (OmriItzhak, Jan 25, 2024)
3774e0f  Merge branch 'master' into endpoint_investigation_plan_enhancement (OmriItzhak, Jan 25, 2024)
bb9beb5  Merge branch 'endpoint_investigation_plan_enhancement' of github.com:… (OmriItzhak, Feb 6, 2024)
19d7505  add new task for search alert by source ip (OmriItzhak, Feb 6, 2024)
72dd87d  Merge branch 'master' into endpoint_investigation_plan_enhancement (OmriItzhak, Feb 6, 2024)
65ce309  fix conflict (OmriItzhak, Feb 6, 2024)
90c1233  Merged master into current branch. (Feb 7, 2024)
c5b4714  Bump pack from version CommonPlaybooks to 2.6.10. (Feb 7, 2024)
d99ac89  change searchalerts to searchincidents (OmriItzhak, Feb 7, 2024)
00ccf3c  Merge branch 'endpoint_investigation_plan_enhancement' of github.com:… (OmriItzhak, Feb 7, 2024)
Large diffs are not rendered by default.

@@ -1,4 +1,4 @@
This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks:
This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the incident:
* Pre-defined MITRE Tactics
* Host fields (Host ID)
* Attacker fields (Attacker IP, External host)
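Review bot: the rewritten first line narrows the scope to "every alert associated with the incident" and drops the only mention of Cortex XSIAM, but nothing in this hunk says how those alerts are found or what "associated" means. Since the same PR removes the `timeRange` input and its `2 hours ago` default, add one sentence after the task list stating that the hunt is now bounded by incident membership rather than by a time window, so readers of the previous README do not assume the two-hour default still applies.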
Expand All @@ -8,21 +8,27 @@ This playbook handles all the endpoint investigation actions available with Cort
Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

This playbook does not use any sub-playbooks.

### Integrations

This playbook does not use any integrations.

### Scripts

* SearchIncidentsV2

### Commands

This playbook does not use any commands.

## Playbook Inputs

---

| **Name** | **Description** | **Default Value** | **Required** |
Expand All @@ -47,12 +53,14 @@ This playbook does not use any commands.
| attackerExternalHost | The external host used by the attacker. The 'HuntAttacker' inputs should also be set to True. | | Optional |
| mitreTechniqueID | A MITRE technique identifier. The 'HuntByTechnique' inputs should also be set to True. | | Optional |
| FileSHA256 | The file SHA256. The 'HuntByFile' inputs should also be set to True. | | Optional |
| timeRange | A time range to execute the hunting in.<br/>The input should be in the following format:<br/>\* 1 day ago<br/>\* 2 minutes ago<br/>\* 4 hours ago<br/>\* 8 days ago<br/>etc. | 2 hours ago | Optional |

## Playbook Outputs

---
There are no outputs for this playbook.

## Playbook Image

---
![Endpoint Investigation Plan](../doc_files/Endpoint_Investigation_Plan.png)

![Endpoint Investigation Plan](../doc_files/Endpoint_Investigation_Plan.png)
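Review bot: the Dependencies section now lists `SearchIncidentsV2` under Scripts, but neither that section nor the Inputs table says what the script is used for; the table still tells users to set the 'HuntAttacker', 'HuntByTechnique' and 'HuntByFile' flags without explaining that the incident's alerts are collected first. A line under Scripts such as "SearchIncidentsV2 collects the alerts associated with the incident before the hunting tasks run" would close that gap. Also check the tail of the hunk: the `![Endpoint Investigation Plan](../doc_files/Endpoint_Investigation_Plan.png)` line appears twice, which looks like a whitespace-only change at end of file, but confirm the rendered README ends with a single image.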
7 changes: 7 additions & 0 deletions Packs/CommonPlaybooks/ReleaseNotes/2_6_10.md
@@ -0,0 +1,7 @@

#### Playbooks

##### Endpoint Investigation Plan

- Updated the playbook to perform investigation only on the alerts associated with the incident.
- Removed the unnecessary input 'timeRange'.
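Review bot: the second bullet calls `timeRange` "unnecessary", but the input carried a `2 hours ago` default that every Core pack caller in this PR passed explicitly (two of them with `24 hours ago`); the note should say that the time window was replaced by scoping to the incident's alerts, so anyone with a custom playbook that still passes `timeRange` understands the value no longer has any effect. The new dependency on the `SearchIncidentsV2` script is also worth a mention in this note.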
2 changes: 1 addition & 1 deletion Packs/CommonPlaybooks/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Common Playbooks",
"description": "Frequently used playbooks pack.",
"support": "xsoar",
"currentVersion": "2.6.9",
"currentVersion": "2.6.10",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
2 changes: 0 additions & 2 deletions Packs/Core/Playbooks/playbook-IOC_Alert.yml
Expand Up @@ -566,8 +566,6 @@ tasks:
complex:
root: alert
accessor: agentid
timeRange:
simple: 2 hours ago
separatecontext: false
continueonerrortype: ""
loop:
Expand Up @@ -1116,8 +1116,6 @@ tasks:
complex:
root: alert
accessor: agentid
timeRange:
simple: 2 hours ago
separatecontext: false
loop:
iscommand: false
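Review bot: the two Endpoint Investigation Plan calls in this file no longer match in shape: the task at line 566 carries `continueonerrortype: ""` between `separatecontext: false` and `loop:`, while this task at line 1116 goes straight from `separatecontext: false` to `loop:`. Harmless on its own, but since both tasks are being edited to drop `timeRange`, aligning the two definitions now avoids a difference that looks meaningful in a later diff.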
2 changes: 0 additions & 2 deletions Packs/Core/Playbooks/playbook-NGFW_Internal_Scan.yml
Expand Up @@ -589,8 +589,6 @@ tasks:
attackerRemoteIP:
complex:
root: inputs.scannerIP
timeRange:
simple: 24 hours ago
separatecontext: false
loop:
iscommand: false
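Review bot: `24 hours ago` here was a deliberate deviation from the `2 hours ago` the other callers in this PR pass, which suggests internal scans were expected to span more than two hours; with the input removed, the hunt by `inputs.scannerIP` (passed as `attackerRemoteIP`) now reaches only the alerts that are grouped into the same incident. Check that the NGFW Internal Scan test playbook still finds scan activity when the scanner's alerts are spread over a day rather than only the triggering alert.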
2 changes: 0 additions & 2 deletions Packs/Core/Playbooks/playbook-NGFW_Scan.yml
Expand Up @@ -1061,8 +1061,6 @@ tasks:
attackerRemoteIP:
complex:
root: inputs.scannerIP
timeRange:
simple: 2 hours ago
separatecontext: false
loop:
iscommand: false
2 changes: 0 additions & 2 deletions Packs/Core/Playbooks/playbook-Ransomware_Response.yml
Expand Up @@ -1153,8 +1153,6 @@ tasks:
complex:
root: alert
accessor: agentid
timeRange:
simple: 2 hours ago
separatecontext: false
loop:
iscommand: false
2 changes: 0 additions & 2 deletions Packs/Core/Playbooks/playbook-T1036_-_Masquerading.yml
Expand Up @@ -1228,8 +1228,6 @@ tasks:
complex:
root: alert
accessor: agentid
timeRange:
simple: 2 hours ago
separatecontext: true
loop:
iscommand: false
Expand Up @@ -783,8 +783,6 @@ tasks:
complex:
root: alert
accessor: agentid
timeRange:
simple: 2 hours ago
separatecontext: true
loop:
iscommand: false
2 changes: 0 additions & 2 deletions Packs/Core/Playbooks/playbook-WildFire_Malware.yml
Expand Up @@ -1273,8 +1273,6 @@ tasks:
complex:
root: alert
accessor: agentid
timeRange:
simple: 24 hours ago
separatecontext: true
loop:
iscommand: false
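Review bot: this caller passed `24 hours ago`, a wider window than the `2 hours ago` used by the IOC Alert, NGFW Scan, Ransomware Response and T1036 callers; removing it means the hunt reach for WildFire Malware now depends solely on which alerts are associated with the incident. Check whether the longer window mattered here, where related alerts can fire later than the triggering one, and if it did, say in the release note that a wider window is no longer available.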
26 changes: 26 additions & 0 deletions Packs/Core/ReleaseNotes/3_0_18.md
@@ -0,0 +1,26 @@

#### Playbooks

##### Ransomware Response
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### T1059 - Command and Scripting Interpreter
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### IOC Alert
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### NGFW Scan
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### NGFW Internal Scan
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### Local Analysis alert Investigation
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### T1036 - Masquerading
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.

##### WildFire Malware
Removed the unnecessary input `timeRange` used by the sub-playbook **Endpoint Investigation Plan**.
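Review bot: eight playbooks are listed here, but the page shows file headers for only six of them (IOC Alert, NGFW Internal Scan, NGFW Scan, Ransomware Response, T1036 - Masquerading, WildFire Malware) plus one hunk at `@@ -783,8 +783,6 @@` with no file name; confirm that the diffs for both T1059 - Command and Scripting Interpreter and Local Analysis alert Investigation are actually in the PR. Wording: the input was passed to the sub-playbook by these callers, not "used by" it, so "Removed the unnecessary input `timeRange` passed to the sub-playbook **Endpoint Investigation Plan**" reads more accurately in every entry.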
2 changes: 1 addition & 1 deletion Packs/Core/TestPlaybooks/Test_Playbook_-_NGFW_Scan.yml
Expand Up @@ -625,7 +625,7 @@ tasks:
AutoCloseAlert:
simple: "false"
AutoContainment:
simple: "True"
simple: "true"
AutoRecovery:
simple: "false"
CommentToAdd:
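Review bot: the `"True"` to `"true"` change for `AutoContainment` is unrelated to the `timeRange` removal the PR is about and is not mentioned in the PR title or release notes. It is a sensible normalization, since `AutoCloseAlert` and `AutoRecovery` in the same task already use lowercase `"false"`, but say so in the PR description, and confirm that the playbook compares this input case-insensitively so the test was not silently exercising a different branch before this fix.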
2 changes: 1 addition & 1 deletion Packs/Core/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Core - Investigation and Response",
"description": "Automates incident response",
"support": "xsoar",
"currentVersion": "3.0.17",
"currentVersion": "3.0.18",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",