Inputs groups core playbooks improvement xsiam

Packs/CommonPlaybooks/.pack-ignore

@@ -115,3 +115,6 @@ ignore=RM108
 
 [file:playbook-Get_File_Sample_By_Hash_-_Generic_v2_README.md]
 ignore=RM108
+
+[file:playbook-Containment_Plan_-_Block_Indicators.yml]
+ignore=PB118

Packs/CommonPlaybooks/Playbooks/playbook-Block_Indicators_-_Generic_v3.yml

@@ -822,11 +822,16 @@ tasks:
           - operator: uniq
           - operator: SetIfEmpty
             args:
-              applyIfEmpty: {}
+              applyIfEmpty:
+                value:
+                  simple: "false"
               defaultValue:
                 value:
                   simple: No indicators to block
-    separatecontext: false
+          - operator: RemoveEmpty
+            args:
+              empty_values: {}
+              remove_keys: {}
     reputationcalc: 2
     continueonerrortype: ""
     view: |-
@@ -911,10 +916,16 @@ tasks:
           - operator: uniq
           - operator: SetIfEmpty
             args:
-              applyIfEmpty: {}
+              applyIfEmpty:
+                value:
+                  simple: "false"
               defaultValue:
                 value:
                   simple: No indicators to block
+          - operator: RemoveEmpty
+            args:
+              empty_values: {}
+              remove_keys: {}
     separatecontext: false
     continueonerrortype: ""
     view: |-

Packs/CommonPlaybooks/Playbooks/playbook-Containment_Plan_-_Block_Indicators.yml

@@ -122,8 +122,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 800,
-          "y": 1330
+          "x": 680,
+          "y": 1520
         }
       }
     note: false
@@ -246,7 +246,7 @@ tasks:
       {
         "position": {
           "x": 230,
-          "y": 1160
+          "y": 1350
         }
       }
     note: false
@@ -482,7 +482,7 @@ tasks:
       brand: ""
     nexttasks:
       '#none#':
-      - "11"
+      - "30"
     scriptarguments:
       AutoBlockIndicators:
         complex:
@@ -661,19 +661,62 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "30":
+    id: "30"
+    taskid: 0a63acdb-6497-4f96-8318-5231aefde427
+    type: condition
+    task:
+      id: 0a63acdb-6497-4f96-8318-5231aefde427
+      version: -1
+      name: Are there any indicators that are blocked?
+      description: Check if there are any indicators that are blocked.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "11"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              simple: IndicatorsToBlock
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 230,
+          "y": 1160
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {
       "24_1_yes": 0.44,
       "24_28_#default#": 0.24,
       "26_28_#default#": 0.29,
+      "30_11_yes": 0.52,
+      "30_2_#default#": 0.38,
       "3_25_yes": 0.43,
       "3_2_#default#": 0.12
     },
     "paper": {
       "dimensions": {
-        "height": 1585,
-        "width": 1190,
+        "height": 1775,
+        "width": 1070,
         "x": -10,
         "y": -190
       }

Packs/CommonPlaybooks/ReleaseNotes/2_6_1.md

@@ -0,0 +1,11 @@
+
+#### Playbooks
+
+##### Block Indicators - Generic v3
+
+Updated the tasks 'Set indicators to block - Auto' and 'Set indicators to block - Manual' to remove empty values from the key `IndicatorsToBlock`.
+
+##### Containment Plan - Block Indicators
+
+Added a conditional task to check if there are any indicators that are blocked before setting those indicators in the incident context.
+

Packs/CommonPlaybooks/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.6.0",
+    "currentVersion": "2.6.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/Core/Playbooks/playbook-IOC_Alert.yml

@@ -1495,6 +1495,47 @@ inputs:
   required: false
   description: Comment for the ticket.
   playbookInputQuery: null
+inputSections:
+- inputs:
+  - ShouldCloseAutomatically
+  - ShouldHandleFPautomatically
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, and user engagements.
+- inputs:
+  - PreHostContainment
+  - AutoEradication
+  - AutoContainment
+  - BlockIndicatorsAutomatically
+  - FileRemediation
+  - AutoRestoreEndpoint
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - ShouldOpenTicket
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  - description
+  - addCommentPerEndpoint
+  - CommentToAdd
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs: []
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs: []
 tests:
 - No tests (auto formatted)

Packs/Core/Playbooks/playbook-IOC_Alert_README.md

@@ -28,13 +28,13 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
+* Recovery Plan
 * Eradication Plan
+* Ticket Management - Generic
 * Endpoint Investigation Plan
+* Enrichment for Verdict
 * Containment Plan
 * Handle False Positive Alerts
-* Enrichment for Verdict
-* Ticket Management - Generic
-* Recovery Plan
 
 ### Integrations
 
@@ -46,9 +46,9 @@ This playbook does not use any scripts.
 
 ### Commands
 
-* setParentIncidentFields
 * extractIndicators
 * closeInvestigation
+* setParentIncidentFields
 
 ## Playbook Inputs
 

Packs/Core/Playbooks/playbook-Impossible_Traveler.yml

@@ -23,7 +23,7 @@ tasks:
       {
         "position": {
           "x": -30,
-          "y": -10
+          "y": -50
         }
       }
     note: false
@@ -85,7 +85,7 @@ tasks:
       {
         "position": {
           "x": -30,
-          "y": 120
+          "y": 80
         }
       }
     note: false
@@ -621,7 +621,7 @@ tasks:
       {
         "position": {
           "x": -30,
-          "y": 400
+          "y": 390
         }
       }
     note: false
@@ -702,7 +702,7 @@ tasks:
       {
         "position": {
           "x": -30,
-          "y": 240
+          "y": 220
         }
       }
     note: false
@@ -928,7 +928,7 @@ tasks:
       HostAutoContainment:
         simple: "False"
       IAMUserDomain:
-        simple: '@demisto.com'
+        simple: ''
       IP:
         complex:
           root: ImpossibleTravelerIPs
@@ -992,7 +992,7 @@ tasks:
       HostAutoContainment:
         simple: "False"
       IAMUserDomain:
-        simple: '@demisto.com'
+        simple: ''
       IP:
         complex:
           root: ImpossibleTravelerIPs
@@ -1277,10 +1277,10 @@ view: |-
     },
     "paper": {
       "dimensions": {
-        "height": 4105,
+        "height": 4145,
         "width": 1490,
         "x": -310,
-        "y": -10
+        "y": -50
       }
     }
   }
@@ -1447,6 +1447,72 @@ inputs:
   required: false
   description: Comment for the ticket.
   playbookInputQuery: null
+inputSections:
+- inputs:
+  - domain
+  - username
+  - ContactUserManager
+  name: Alert Management
+  description: Alert management settings and data, including escalation processes, and user engagements.
+- inputs:
+  - WhitelistedIPs
+  - AllowlistCIDR
+  - MaxMilesPerHourAllowed
+  name: Investigation
+  description: Investigation settings and data, including any deep dive alert investigation and verdict determination.
+- inputs:
+  - preInvestigationContainment
+  - AutoContainment
+  - AbuseIPDBThreshold
+  name: Remediation
+  description: Remediation settings and data, including containment, eradication, and recovery.
+- inputs:
+  - ShouldOpenTicket
+  - serviceNowShortDescription
+  - serviceNowImpact
+  - serviceNowUrgency
+  - serviceNowSeverity
+  - serviceNowTicketType
+  - serviceNowCategory
+  - serviceNowAssignmentGroup
+  - ZendeskPriority
+  - ZendeskRequester
+  - ZendeskStatus
+  - ZendeskSubject
+  - ZendeskTags
+  - ZendeskType
+  - ZendeskAssigne
+  - ZendeskCollaborators
+  - description
+  - addCommentPerEndpoint
+  - CommentToAdd
+  name: Ticket Management
+  description: Ticket management settings and data.
+outputSections:
+- outputs:
+  - Account.Email.Address
+  - DBotScore
+  - Account.ID
+  - Account.Username
+  - Account.Email
+  - Account.Type
+  - Account.Groups
+  - Account
+  - Account.DisplayName
+  - Account.Manager
+  - DBotScore.Indicator
+  - DBotScore.Type
+  - DBotScore.Vendor
+  - DBotScore.Score
+  - IP
+  - Endpoint
+  - Endpoint.Hostname
+  - Endpoint.OS
+  - Endpoint.IP
+  - Endpoint.MAC
+  - Endpoint.Domain
+  name: General (Outputs group)
+  description: Generic group for outputs
 outputs:
 - contextPath: Account.Email.Address
   description: The email address object associated with the Account.