diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_Response_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_Response_-_Generic.yml index b010e5161e41..c1521eca2583 100644 --- a/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_Response_-_Generic.yml +++ b/Packs/CommonPlaybooks/Playbooks/playbook-Cloud_Response_-_Generic.yml @@ -240,6 +240,9 @@ tasks: username: complex: root: inputs.username + sourceIP: + complex: + root: inputs.sourceIP separatecontext: false continueonerrortype: "" loop: @@ -302,6 +305,9 @@ tasks: username: complex: root: inputs.username + sourceIP: + complex: + root: inputs.sourceIP separatecontext: false continueonerrortype: "" loop: diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_6_29.md b/Packs/CommonPlaybooks/ReleaseNotes/2_6_29.md new file mode 100644 index 000000000000..c9efb611f275 --- /dev/null +++ b/Packs/CommonPlaybooks/ReleaseNotes/2_6_29.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Cloud Response - Generic + +Added the source IP address to block for 'Cloud Response - AWS' and 'Cloud Response - Azure' playbooks. diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json index 203d0f9c838d..89388d19fbd5 100644 --- a/Packs/CommonPlaybooks/pack_metadata.json +++ b/Packs/CommonPlaybooks/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Common Playbooks", "description": "Frequently used playbooks pack.", "support": "xsoar", - "currentVersion": "2.6.28", + "currentVersion": "2.6.29", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/CommonTypes/.pack-ignore b/Packs/CommonTypes/.pack-ignore index 91021162256d..91c409f2aa8c 100644 --- a/Packs/CommonTypes/.pack-ignore +++ b/Packs/CommonTypes/.pack-ignore @@ -204,6 +204,9 @@ ignore=IF115 [file:incidentfield-Alert_Source.json] ignore=IF100 +[file:incidentfield-Alert_Rules.json] +ignore=IF100 + [file:incidentfield-Use_Case_Description.json] ignore=IF100 
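Review bot: Both hunks in the playbook wire `sourceIP` to `inputs.sourceIP` in the sub-playbook calls, but no hunk in this diff adds a `sourceIP` entry to the playbook's own `inputs:` section, so unless that input is already declared outside these hunks the value resolves empty and the block step silently does nothing. The task definitions enclosing both hunks start and end outside the hunks, so the `inputs:` block cannot be checked here. If the input is being added, give it a description that states the scope of the action, e.g. `description: The source IP address to block; it is passed to the Cloud Response - AWS and Cloud Response - Azure sub-playbooks.`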
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Alert_Rules.json b/Packs/CommonTypes/IncidentFields/incidentfield-Alert_Rules.json
new file mode 100644
index 000000000000..ff528b0a8378
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Alert_Rules.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "alertrules",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_alertrules",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Alert Rules",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "markdown",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-CVE_ID.json b/Packs/CommonTypes/IncidentFields/incidentfield-CVE_ID.json
new file mode 100644
index 000000000000..5e748cb5f9df
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-CVE_ID.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "cveid",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_cveid",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "CVE ID",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-CVE_Published.json b/Packs/CommonTypes/IncidentFields/incidentfield-CVE_Published.json
new file mode 100644
index 000000000000..08b2eadd02a5
--- /dev/null
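Review bot: Every new JSON file in this diff ends with `\ No newline at end of file` (this one, CVE_ID, CVE_Published, Resource_URL, User_Anomaly_Count, Vulnerable_Product, the LayoutRules file and the layout container), while the edited files such as `incidentfield-Policy_Recommendation.json` keep their trailing newline; add the final newline so the new files match the pack's existing formatting and later diffs stay clean. Separately, `alertrules` is declared `"type": "markdown"` and the layout later in this diff renders it in a "Prisma Cloud Related Rules" section, so whatever the integration mapping writes into it is presumably rendered rather than shown verbatim; that mapping is not part of this diff, so it is worth confirming there that only the rule text returned by Prisma Cloud is written to this field.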
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-CVE_Published.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "cvepublished",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_cvepublished",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "CVE Published",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Recommendation.json b/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Recommendation.json
index 4aac88a0d7ea..59c40327bbf3 100644
--- a/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Recommendation.json
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Recommendation.json
@@ -42,6 +42,7 @@
 "useAsKpi": false,
 "validationRegex": "",
 "version": -1,
- "fromVersion": "5.0.0"
+ "fromVersion": "5.0.0",
+ "x2_fields": "policy_recommendation"
 }
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Type.json b/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Type.json
index 4715330dd3d8..0145834a889d 100644
--- a/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Type.json
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Policy_Type.json
@@ -43,6 +43,7 @@
 "useAsKpi": false,
 "validationRegex": "",
 "version": -1,
- "fromVersion": "5.0.0"
+ "fromVersion": "5.0.0",
+ "x2_fields": "policy_type"
 }
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Resource_URL.json b/Packs/CommonTypes/IncidentFields/incidentfield-Resource_URL.json
new file mode 100644
index 000000000000..a0defefa068e
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Resource_URL.json
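Review bot: `CVE Published` is declared `"type": "shortText"` although the name says it holds a date, which means the layout and searches treat it as an opaque string; if the integration mapping (not in this diff) supplies a timestamp, the platform's `date` field type would be the better fit, and the same question applies to `Resource URL` in the next hunk, where the `url` type exists. Both are defensible as `shortText` if the upstream values are not normalised, so treat this as a question rather than a blocker. Note also that all of the new CVE-related fields set `"unsearchable": true`; if analysts are expected to pivot across incidents by CVE ID, that flag prevents it.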
@@ -0,0 +1,26 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "resourceurl",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_resourceurl",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Resource URL",
+ "neverSetAsRequired": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "5.0.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-User_Anomaly_Count.json b/Packs/CommonTypes/IncidentFields/incidentfield-User_Anomaly_Count.json
new file mode 100644
index 000000000000..a87aacf31c32
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-User_Anomaly_Count.json
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "useranomalycount",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_useranomalycount",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "User Anomaly Count",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/IncidentFields/incidentfield-Vulnerable_Product.json b/Packs/CommonTypes/IncidentFields/incidentfield-Vulnerable_Product.json
new file mode 100644
index 000000000000..d57400e93572
--- /dev/null
+++ b/Packs/CommonTypes/IncidentFields/incidentfield-Vulnerable_Product.json
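Review bot: `incidentfield-Resource_URL.json` differs from the other new fields in this diff: it sets `"fromVersion": "5.0.0"` where Alert Rules, CVE ID, CVE Published, User Anomaly Count and Vulnerable Product all use `"6.10.0"`, and it omits the `openEnded` key that every sibling carries (hence 26 lines instead of 27). If `5.0.0` is intentional the version is fine, but the missing key looks like an oversight; add `"openEnded": false,` after `"neverSetAsRequired": false,` so the field definitions stay uniform. In the second hunk, `User Anomaly Count` is `shortText` for what the name suggests is an integer; if the source provides a number, the `number` type would allow numeric comparisons in searches.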
@@ -0,0 +1,27 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "vulnerableproduct",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_vulnerableproduct",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "Vulnerable Product",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/CommonTypes/ReleaseNotes/3_4_10.md b/Packs/CommonTypes/ReleaseNotes/3_4_10.md
new file mode 100644
index 000000000000..1eef90dd89b0
--- /dev/null
+++ b/Packs/CommonTypes/ReleaseNotes/3_4_10.md
@@ -0,0 +1,11 @@
+
+#### Incident Fields
+
+- **Policy Type**
+- New: **CVE ID**
+- New: **Resource URL**
+- New: **User Anomaly Count**
+- New: **CVE Published**
+- **Policy Recommendation**
+- New: **Vulnerable Product**
+- New: **Alert Rules**
diff --git a/Packs/CommonTypes/pack_metadata.json b/Packs/CommonTypes/pack_metadata.json
index 5a228d1eb85f..30224766fa04 100644
--- a/Packs/CommonTypes/pack_metadata.json
+++ b/Packs/CommonTypes/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Types",
 "description": "This Content Pack will get you up and running in no-time and provide you with the most commonly used incident & indicator fields and types.",
 "support": "xsoar",
- "currentVersion": "3.4.9",
+ "currentVersion": "3.4.10",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/PrismaCloud/.pack-ignore b/Packs/PrismaCloud/.pack-ignore
index 5a9dd88b582d..8d13f2631d4a 100644
--- a/Packs/PrismaCloud/.pack-ignore
+++ b/Packs/PrismaCloud/.pack-ignore
@@ -10,6 +10,9 @@ ignore=RM102 [file:layoutscontainer-AWS_CloudTrail_Misconfiguration.json] ignore=BA101 +[file:playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents.yml] +ignore=PB106 + [file:layoutscontainer-AWS_EC2_Instance_Misconfiguration.json] ignore=BA101 diff --git a/Packs/PrismaCloud/LayoutRules/Prisma_Cloud_Network_API_and_Anomaly.json b/Packs/PrismaCloud/LayoutRules/Prisma_Cloud_Network_API_and_Anomaly.json new file mode 100644 index 000000000000..d43dfe6193e8 --- /dev/null +++ b/Packs/PrismaCloud/LayoutRules/Prisma_Cloud_Network_API_and_Anomaly.json @@ -0,0 +1,32 @@ +{ + "rule_id": "Prisma_Cloud_Network_API_and_Anomaly", + "layout_id": "Prisma Cloud - Network API and Anomaly Incident Layout", + "description": "display for Prisma Cloud Network API and Anomaly alerts.", + "rule_name": "Prisma Cloud Network API and Anomaly", + "alerts_filter": { + "filter": { + "AND": [ + { + "OR": [ + { + "SEARCH_FIELD": "policy_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "network" + }, + { + "SEARCH_FIELD": "policy_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "api" + }, + { + "SEARCH_FIELD": "policy_type", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "anomaly" + } + ] + } + ] + } + }, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/PrismaCloud/Layouts/layoutscontainer-Prisma_Cloud_-_Network_Incident_Layout.json b/Packs/PrismaCloud/Layouts/layoutscontainer-Prisma_Cloud_-_Network_Incident_Layout.json new file mode 100644 index 000000000000..8d9291d127cf --- /dev/null +++ b/Packs/PrismaCloud/Layouts/layoutscontainer-Prisma_Cloud_-_Network_Incident_Layout.json 
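Review bot: The `description` of the new layout rule (`"display for Prisma Cloud Network API and Anomaly alerts."`) starts lowercase and does not say what the rule selects, while the filter beneath it is precise; suggest `"description": "Applies the Prisma Cloud - Network API and Anomaly Incident Layout to alerts whose policy_type is network, api or anomaly."`. The three `EQ` comparisons on `policy_type` use lowercase literals, and nothing in this diff shows whether the comparison is case-sensitive or how the integration writes that field, so it is worth confirming against a real alert that values such as `Network` still match.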
@@ -0,0 +1,843 @@ +{ + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Alert Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 26, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 26, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 26, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 26, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 26, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 26, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 3, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + 
"fieldId": "occurred", + "height": 53, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 53, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 53, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 53, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 53, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 26, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 26, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 26, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 3, + "x": 0, + "y": 5 + }, + { + "h": 3, + "i": "caseinfoid-d8abd8e0-d47f-11ee-9996-fd1cc96b85a8", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "War Room Entries", + "query": { + "categories": [ + "chats" + ], + "preDefinedFilters": true, + "tags": [] + }, + "queryType": "warRoomFilter", + "static": false, + "type": 
"invTimeline", + "w": 2, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "uhhnxuwhtu", + "name": "Alert Data", + "sections": [ + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "uhhnxuwhtu-4b0b4c60-d483-11ee-9421-a33fe2480cb6", + "items": [ + { + "endCol": 2, + "fieldId": "mitreattcktechnique", + "height": 26, + "id": "7c015350-d483-11ee-9421-a33fe2480cb6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "username", + "height": 26, + "id": "ea78b3b0-f0c0-11ee-85e6-d937c0f6c662", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, +{ + "endCol": 2, + "fieldId": "userrisklevel", + "height": 26, + "id": "457a0c10-f71e-11ee-9d99-b7538facaeb2", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "hostname", + "height": 26, + "id": "ee11b8f0-f0c0-11ee-85e6-d937c0f6c662", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "remoteip", + "height": 26, + "id": "f762abd0-f0c0-11ee-85e6-d937c0f6c662", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Involved Assets", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "uhhnxuwhtu-08b78300-d484-11ee-9421-a33fe2480cb6", + "items": [ + { + "endCol": 2, + "fieldId": "policyid", + "height": 26, + "id": "635f0fd0-d484-11ee-9421-a33fe2480cb6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "policytype", + "height": 26, + "id": "74475090-f181-11ee-a63e-41ee073f02a5", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "lastmodifiedon", + "height": 26, + "id": "e8c47940-e144-11ee-812a-f591cc834b0c", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": 
"lastseen", + "height": 26, + "id": "f45486b0-e144-11ee-812a-f591cc834b0c", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "lastmodifiedby", + "height": 26, + "id": "ecd48340-e144-11ee-812a-f591cc834b0c", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "policyrecommendation", + "height": 52, + "id": "72c51d60-f181-11ee-a63e-41ee073f02a5", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Policy Details", + "static": false, + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "uhhnxuwhtu-e5834120-d484-11ee-9421-a33fe2480cb6", + "items": [ + { + "endCol": 2, + "fieldId": "cloudprovider", + "height": 26, + "id": "ea2811a0-e128-11ee-8f3a-1dc23182d8c9", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "resourcename", + "height": 26, + "id": "d372c030-e53e-11ee-8b35-c146549db64c", + "index": 1, + "listId": "uhhnxuwhtu-e5834120-d484-11ee-9421-a33fe2480cb6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "accountid", + "height": 26, + "id": "f1751da0-d484-11ee-9421-a33fe2480cb6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "referencedresourcename", + "height": 26, + "id": "1edfdaf0-d485-11ee-9421-a33fe2480cb6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "cloudresourcetype", + "height": 26, + "id": "2f7c7ad0-d485-11ee-9421-a33fe2480cb6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "region", + "height": 26, + "id": "36e5c1f0-d485-11ee-9421-a33fe2480cb6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "regionid", + "height": 26, + "id": 
"3900d9c0-d485-11ee-9421-a33fe2480cb6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "resourceurl", + "height": 26, + "id": "847b56a0-e146-11ee-a77a-d1a8843f90d4", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "resourcetype", + "height": 26, + "id": "4d60c590-e5d0-11ee-9aa9-851b49d26681", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Cloud Resource Details", + "static": false, + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 4, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "uhhnxuwhtu-45b1e790-d485-11ee-9421-a33fe2480cb6", + "items": [ + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "alertrules", + "height": 52, + "id": "74a05680-e5cf-11ee-9aa9-851b49d26681", + "index": 0, + "listId": "uhhnxuwhtu-45b1e790-d485-11ee-9421-a33fe2480cb6", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Prisma Cloud Related Rules", + "static": false, + "w": 3, + "x": 0, + "y": 3 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "zihqpezlwt", + "name": "Work Plan Summary", + "sections": [ + { + "h": 2, + "i": "zihqpezlwt-3c155f00-d480-11ee-9996-fd1cc96b85a8", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Investigation Verdict", + "query": "VerdictResult", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 1, + "x": 0, + "y": 0 + }, + { + "displayType": "CARD", + "h": 4, + "hideName": false, + "i": "zihqpezlwt-5cf18aa0-d480-11ee-9996-fd1cc96b85a8", + "items": [ + { + "endCol": 2, + "fieldId": "ipreputation", + "height": 53, + "id": "3a1ddf50-d481-11ee-9421-a33fe2480cb6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcegeolocation", + "height": 53, + "id": "0cc024e0-d482-11ee-9421-a33fe2480cb6", + 
"index": 1, + "sectionItemType": "field", + "startCol": 0 + }, +{ + "endCol": 2, + "fieldId": "userrisklevel", + "height": 26, + "id": "56b005c0-f71e-11ee-9d99-b7538facaeb2", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "cveid", + "height": 53, + "id": "4c9733c0-f033-11ee-ac36-c7fff22f5e19", + "index": 0, + "sectionItemType": "field", + "startCol": 2 + }, + { + "dropEffect": "move", + "endCol": 4, + "fieldId": "cvss", + "height": 53, + "id": "23e9f930-d481-11ee-9421-a33fe2480cb6", + "index": 1, + "listId": "zihqpezlwt-5cf18aa0-d480-11ee-9996-fd1cc96b85a8", + "sectionItemType": "field", + "startCol": 2 + }, + { + "endCol": 4, + "fieldId": "cvedescription", + "height": 53, + "id": "b2269b60-f018-11ee-91a8-4bbcbf7a699c", + "index": 2, + "sectionItemType": "field", + "startCol": 2 + }, + { + "dropEffect": "move", + "endCol": 4, + "fieldId": "cvepublished", + "height": 53, + "id": "a4a4a900-f018-11ee-91a8-4bbcbf7a699c", + "index": 2, + "listId": "zihqpezlwt-5cf18aa0-d480-11ee-9996-fd1cc96b85a8", + "sectionItemType": "field", + "startCol": 2 + }, + { + "endCol": 4, + "fieldId": "vulnerableproduct", + "height": 53, + "id": "a13747a0-f018-11ee-91a8-4bbcbf7a699c", + "index": 3, + "sectionItemType": "field", + "startCol": 2 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Investigation Results", + "static": false, + "w": 2, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "zihqpezlwt-6bea1770-d480-11ee-9996-fd1cc96b85a8", + "items": [ + { + "endCol": 2, + "fieldId": "ipblockedstatus", + "height": 26, + "id": "7989a3f0-d480-11ee-9996-fd1cc96b85a8", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "userblockstatus", + "height": 26, + "id": "7d600050-d480-11ee-9996-fd1cc96b85a8", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "IR Actions Status", + 
"static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "h": 3, + "i": "zihqpezlwt-78a36d30-d481-11ee-9421-a33fe2480cb6", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Malicious or Suspicious Indicators", + "query": "reputation:Bad or reputation:Suspicious", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 3, + "x": 0, + "y": 4 + } + ], + "type": "custom" + }, + { + "hidden": false, + "id": "9ptdlwdikk", + "name": "Action Center", + "sections": [ + { + "displayType": "CARD", + "h": 3, + "hideName": false, + "i": "9ptdlwdikk-e901e6f0-d48c-11ee-83e4-a5eb92318769", + "items": [ + { + "args": { + "alert_ids": { + "simple": "${alert.external_id}" + } + }, + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "height": 53, + "id": "5d7b4000-d620-11ee-be03-8b70bb9ce638", + "index": 0, + "listId": "9ptdlwdikk-e901e6f0-d48c-11ee-83e4-a5eb92318769", + "name": "Dismiss Prisma Cloud Alert", + "scriptId": "PrismaCloud v2|||prisma-cloud-alert-dismiss", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "name": { + "simple": "Prisma Cloud - RQL Execution" + } + }, + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "height": 53, + "id": "77f92be0-d620-11ee-be03-8b70bb9ce638", + "index": 1, + "listId": "9ptdlwdikk-e901e6f0-d48c-11ee-83e4-a5eb92318769", + "name": "Run Prisma Cloud RQL Query", + "scriptId": "Builtin|||setPlaybook", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "rrn": { + "simple": "${alert.referencedresourcename}" + } + }, + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "height": 53, + "id": "13c50d50-d621-11ee-be03-8b70bb9ce638", + "index": 2, + "listId": "9ptdlwdikk-e901e6f0-d48c-11ee-83e4-a5eb92318769", + "name": "Get Prisma Cloud Host Findings", + "scriptId": "PrismaCloud v2|||prisma-cloud-host-finding-list", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": {}, + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "height": 53, + 
"id": "5d2eff50-d621-11ee-be03-8b70bb9ce638", + "index": 3, + "listId": "9ptdlwdikk-e901e6f0-d48c-11ee-83e4-a5eb92318769", + "name": "Trigger Code Secure Scan", + "scriptId": "PrismaCloud v2|||prisma-cloud-trigger-scan", + "sectionItemType": "button", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Actions", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 3, + "i": "9ptdlwdikk-fb16b150-d620-11ee-be03-8b70bb9ce638", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 4, + "hideItemTitleOnlyOne": true, + "hideName": false, + "i": "9ptdlwdikk-ff91b220-d620-11ee-be03-8b70bb9ce638", + "items": [ + { + "endCol": 6, + "fieldId": "customqueryresults", + "height": 106, + "id": "d669c610-f0e4-11ee-ac30-79b4f1e6dd61", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Query Results", + "static": false, + "w": 3, + "x": 0, + "y": 3 + }, + { + "h": 3, + "i": "9ptdlwdikk-0682c130-f0ea-11ee-ac30-79b4f1e6dd61", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Analyst Chat", + "query": { + "categories": [ + "chats" + ], + "preDefinedFilters": true + }, + "queryType": "warRoomFilter", + "static": false, + "type": "invTimeline", + "w": 1, + "x": 2, + "y": 0 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + } + ] + }, + "group": "incident", + "id": "Prisma Cloud - Network API and Anomaly Incident Layout", + "name": "Prisma Cloud - Network API and Anomaly Incident Layout", + "system": false, + "version": -1, + "marketplaces": ["marketplacev2"], + "fromVersion": "6.10.0", + "description": "" +} \ No newline at end of file 
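Review bot: Two sections of the layout give two items the same `index`: in `Policy Details`, `lastmodifiedon` and `lastseen` both carry `"index": 2` (and no item has index 3 before `lastmodifiedby` at 4), and in `Investigation Results`, `cvedescription` and `cvepublished` both carry `"index": 2` within the `startCol: 2` column. The order the UI picks for tied items is presumably undefined, so set `lastseen` to `"index": 3`, and set `cvepublished` to `"index": 3` with `vulnerableproduct` moved to `"index": 4`. The top-level `"description": ""` is also empty for a layout that ships response buttons; a one-liner such as `"description": "Incident layout for Prisma Cloud network, API and anomaly alerts, with investigation results and response actions."` would document it.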
diff --git a/Packs/PrismaCloud/Playbooks/Prisma_Cloud_-_RQL_Execution.yml b/Packs/PrismaCloud/Playbooks/Prisma_Cloud_-_RQL_Execution.yml
new file mode 100644
index 000000000000..13d00fe68dbc
--- /dev/null
+++ b/Packs/PrismaCloud/Playbooks/Prisma_Cloud_-_RQL_Execution.yml
@@ -0,0 +1,607 @@ +id: Prisma Cloud - RQL Execution +version: -1 +name: Prisma Cloud - RQL Execution +description: This playbook enables Prisma Cloud RQL Execution from the alert layout. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: ff36aa70-80f6-4192-810f-5850aa751f09 + type: start + task: + id: ff36aa70-80f6-4192-810f-5850aa751f09 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "11" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -110 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 50db390f-1b68-4cd7-8550-4c7c4f356073 + type: collection + task: + id: 50db390f-1b68-4cd7-8550-4c7c4f356073 + version: -1 + name: Provide Query Details + type: collection + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "2" + scriptarguments: + extend-context: + simple: answers= + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 180 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + subject: + body: + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: Which type of query would you like to execute? 
+ required: false + gridcolumns: [] + defaultrows: [] + type: singleSelect + options: [] + optionsarg: + - simple: Network + - simple: Event + - simple: Config + fieldassociated: "" + placeholder: "" + tooltip: "" + readonly: false + - id: "1" + label: "" + labelarg: + simple: Query + required: true + gridcolumns: [] + defaultrows: [] + type: longText + options: [] + optionsarg: [] + fieldassociated: "" + placeholder: "" + tooltip: Please provide the query you wish to execute + readonly: false + - id: "2" + label: "" + labelarg: + simple: Time Range Unit + required: false + gridcolumns: [] + defaultrows: [] + type: singleSelect + options: [] + optionsarg: + - {} + - simple: hour + - simple: day + - simple: week + - simple: month + fieldassociated: "" + placeholder: "" + tooltip: 'Choose one of the following options: Hour, Day, Week, Month' + readonly: false + - id: "3" + label: "" + labelarg: + simple: Time Range Value + required: false + gridcolumns: [] + defaultrows: [] + type: shortText + options: [] + optionsarg: [] + fieldassociated: "" + placeholder: "" + tooltip: Please provide a number + readonly: false + title: Please Provide Query Details + description: "" + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 6eeec754-6ff9-4b4e-810b-2b853ea93f52 + type: condition + task: + id: 6eeec754-6ff9-4b4e-810b-2b853ea93f52 + version: -1 + name: Prisma Cloud Search Type + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + Config: + - "7" + Event: + - "9" + Network: + - "3" + separatecontext: false + conditions: + - label: Network + condition: + - - operator: isEqualString + left: + value: + simple: Please Provide Query Details.Answers.0 + iscontext: true + right: + value: + simple: Network + ignorecase: true + - label: Config + condition: + - - operator: isEqualString + left: + value: + simple: Please Provide Query 
Details.Answers.0 + iscontext: true + right: + value: + simple: Config + ignorecase: true + - label: Event + condition: + - - operator: isEqualString + left: + value: + simple: Please Provide Query Details.Answers.0 + iscontext: true + right: + value: + simple: Event + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 340 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 18b8562b-1164-437e-8713-a0a9e52c1c68 + type: regular + task: + id: 18b8562b-1164-437e-8713-a0a9e52c1c68 + version: -1 + name: Prisma Cloud Network Search + description: 'Search networks inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "networks". When no absolute time nor relative time arguments are provided, the default time range is all times. In order to limit the results returned, use "limit search records to" at the end of the RQL query, followed by one of these options: 1, 10, 100, 1000, and 10,000.' + script: '|||prisma-cloud-network-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + query: + simple: ${Please Provide Query Details.Answers.1} + time_range_unit: + simple: ${Please Provide Query Details.Answers.2} + time_range_value: + simple: ${Please Provide Query Details.Answers.3} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 920, + "y": 510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 094e97f8-49ad-4b53-82e2-a248aa619bce + type: condition + task: + id: 094e97f8-49ad-4b53-82e2-a248aa619bce + version: -1 + name: Has results? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "6" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: PrismaCloud.Network.Connection + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 920, + "y": 680 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 27b8410b-e99b-40dc-8573-2f34f649b0eb + type: regular + task: + id: 27b8410b-e99b-40dc-8573-2f34f649b0eb + version: -1 + name: Prisma Cloud Search Results + description: Accepts a JSON object and returns a markdown. + scriptName: JsonToTable + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + extend-context: + simple: queryresults= + value: + complex: + root: PrismaCloud.Network + accessor: Connection + transformers: + - operator: append + args: + item: + value: + simple: PrismaCloud.Event + iscontext: true + - operator: append + args: + item: + value: + simple: PrismaCloud.Config + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 860 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: Custom Query Results + output: + simple: ${queryresults} + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 9f80e7e7-2894-40df-8a91-ecc09fdec20d + type: title + task: + id: 9f80e7e7-2894-40df-8a91-ecc09fdec20d + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + 
isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 6edfdfae-f643-4fcb-81e4-35f94cf0936f + type: regular + task: + id: 6edfdfae-f643-4fcb-81e4-35f94cf0936f + version: -1 + name: Prisma Cloud Config Search + description: Search the configuration inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "config". When no absolute time nor relative time arguments are provided, the default time range is all times. + script: '|||prisma-cloud-config-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + query: + simple: ${Please Provide Query Details.Answers.1} + time_range_unit: + simple: ${Please Provide Query Details.Answers.2} + time_range_value: + simple: ${Please Provide Query Details.Answers.3} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: e137f693-4538-44b4-82df-abefc606651e + type: condition + task: + id: e137f693-4538-44b4-82df-abefc606651e + version: -1 + name: Has results? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "6" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: PrismaCloud.Config + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 680 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: e819ede2-af35-4c64-8a1f-efb1382866a1 + type: regular + task: + id: e819ede2-af35-4c64-8a1f-efb1382866a1 + version: -1 + name: Prisma Cloud Event Search + description: Search events inventory on the Prisma Cloud platform using RQL language. Use this command for all queries that start with "event". When no absolute time nor relative time arguments are provided, the default time range is all times. In order to reduce the returned data, set the "include_resource_json" argument to "false". + script: '|||prisma-cloud-event-search' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "10" + scriptarguments: + query: + simple: ${Please Provide Query Details.Answers.1} + time_range_unit: + simple: ${Please Provide Query Details.Answers.2} + time_range_value: + simple: ${Please Provide Query Details.Answers.3} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 10, + "y": 510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: fc290c37-d2fd-4f55-8a86-829a559a948d + type: condition + task: + id: fc290c37-d2fd-4f55-8a86-829a559a948d + version: -1 + name: Has results? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "6" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: PrismaCloud.Event + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 10, + "y": 680 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: d27e6dac-e2b6-441d-82a8-544d7a67d53a + type: regular + task: + id: d27e6dac-e2b6-441d-82a8-544d7a67d53a + version: -1 + name: Delete Old Context + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.12/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + scriptarguments: + key: + simple: Please Provide Query Details,queryresults,PrismaCloud.Event,PrismaCloud.Config,PrismaCloud.Network + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 20 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1295, + "width": 1290, + "x": 10, + "y": -110 + } + } + } +inputs: [] +outputs: [] +fromversion: 6.10.0 +tests: +- No tests (auto formatted) \ No newline at end of file 
diff --git a/Packs/PrismaCloud/Playbooks/Prisma_Cloud_-_RQL_Execution_README.md b/Packs/PrismaCloud/Playbooks/Prisma_Cloud_-_RQL_Execution_README.md
new file mode 100644
index 000000000000..823d448824c0
--- /dev/null
+++ b/Packs/PrismaCloud/Playbooks/Prisma_Cloud_-_RQL_Execution_README.md
@@ -0,0 +1,40 @@
+This playbook enables Prisma Cloud RQL Execution from the alert layout.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+PrismaCloudV2
+
+### Scripts
+
+* DeleteContext
+* JsonToTable
+
+### Commands
+
+* prisma-cloud-event-search
+* prisma-cloud-config-search
+* prisma-cloud-network-search
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Prisma Cloud - RQL Execution](../doc_files/Prisma_Cloud_-_RQL_Execution.png)
diff --git a/Packs/PrismaCloud/Playbooks/playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents.yml b/Packs/PrismaCloud/Playbooks/playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents.yml
new file mode 100644
index 000000000000..73b255007a41
--- /dev/null
+++ b/Packs/PrismaCloud/Playbooks/playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents.yml
@@ -0,0 +1,1946 @@ +id: Prisma Cloud - Network API and Anomaly Incidents +version: -1 +name: Prisma Cloud - Network API and Anomaly Incidents +description: |- + This playbook handles incidents of internet exposed services and detect potential risky configurations that can make your cloud environment vulnerable to attacks, and + incidents of unusual network and user activity for all users, and are especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 4f11a4c9-0954-4f33-8c2f-3f0c56f2a5a2 + type: start + task: + id: 4f11a4c9-0954-4f33-8c2f-3f0c56f2a5a2 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "1" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: ae031fc1-70ad-4363-82a6-93475f9024fb + type: title + task: + id: ae031fc1-70ad-4363-82a6-93475f9024fb + version: -1 + name: Enrichment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "34" + - "33" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -300 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 97f6bc4a-c84f-46c9-89c0-9687b97bbfda + type: regular + task: + id: 97f6bc4a-c84f-46c9-89c0-9687b97bbfda + version: -1 + name: IP Enrichment + description: Checks the reputation of an IP address. 
+ script: '|||ip' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + ip: + simple: ${alert.remoteip} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -40, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: IP Reputation + output: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + ignorecase: true + accessor: Score + - incidentfield: Source Geolocation + output: + simple: ${IP.Geo.Country} + - incidentfield: ASN + output: + simple: ${IP.ASN} + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: aaa5c8f1-f0cf-4946-8e4e-b275ae8947ae + type: title + task: + id: aaa5c8f1-f0cf-4946-8e4e-b275ae8947ae + version: -1 + name: Early Containment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "4" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 23f631fe-952d-4904-8bdf-d69285021fa3 + type: condition + task: + id: 23f631fe-952d-4904-8bdf-d69285021fa3 + version: -1 + name: Does IP is malicious? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "9" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + ignorecase: true + accessor: Score + transformers: + - operator: FirstArrayElement + iscontext: true + right: + value: + simple: "3" + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 520 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 684ae017-441c-43da-8110-4aa00320909e + type: condition + task: + id: 684ae017-441c-43da-8110-4aa00320909e + version: -1 + name: Early Containment enabled? + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "8" + "yes": + - "6" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.EarlyContainment + iscontext: true + right: + value: + simple: "true" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 30, + "y": 690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 3c1d50e7-8350-4585-86d1-6d000a4db3a8 + type: title + task: + id: 3c1d50e7-8350-4585-86d1-6d000a4db3a8 + version: -1 + name: Early Containment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "25" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -260, + "y": 870 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + 
quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: f534ab24-4d30-4974-8a22-629c0618a5dd + type: title + task: + id: f534ab24-4d30-4974-8a22-629c0618a5dd + version: -1 + name: Containment Complete + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "9" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 30, + "y": 1360 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: 18d1a970-aee6-4ace-8a48-b07c6e6e1a99 + type: title + task: + id: 18d1a970-aee6-4ace-8a48-b07c6e6e1a99 + version: -1 + name: Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "12" + - "13" + - "28" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: a14d40f5-2bcc-43f4-8577-750c43d57846 + type: playbook + task: + id: a14d40f5-2bcc-43f4-8577-750c43d57846 + version: -1 + name: Cloud User Investigation - Generic + description: | + This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging. 
+ playbookName: Cloud User Investigation - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "44" + scriptarguments: + AwsTimeSearchFrom: + simple: "1" + AzureSearchTime: + simple: ago(1d) + GcpTimeSearchFrom: + simple: "1" + MfaAttemptThreshold: + simple: "10" + Username: + simple: ${alert.usernames} + cloudProvider: + simple: ${alert.cloudprovider.[0]} + failedLogonThreshold: + simple: "20" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 30, + "y": 1770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 6c232656-52c6-4b24-8918-30776fa31077 + type: playbook + task: + id: 6c232656-52c6-4b24-8918-30776fa31077 + version: -1 + name: Cloud Enrichment - Generic + description: |2- + + ## Generic Cloud Enrichment Playbook + + The **Cloud Enrichment - Generic Playbook** is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments. + + ### Supported Blocks + + 1. **Cloud IAM Enrichment - Generic** + - Enriches information related to Identity and Access Management (IAM) in the cloud. + + 2. **Cloud Compute Enrichment - Generic** + - Enriches information related to cloud compute resources. + + The playbook supports a single CSP enrichment at a time. 
+ playbookName: Cloud Enrichment - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + cloudProvider: + simple: ${alert.cloudprovider.[0]} + instanceID: + simple: ${PrismaCloud.Alert.resource.id} + instanceName: + simple: ${PrismaCloud.Alert.resource.account} + region: + simple: ${PrismaCloud.Alert.resource.regionId} + username: + simple: ${alert.usernames} + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 450, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: a699ec17-49ce-415f-8606-1966eb79ce46 + type: title + task: + id: a699ec17-49ce-415f-8606-1966eb79ce46 + version: -1 + name: User Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 30, + "y": 1640 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: dcaae03d-4ff1-4da5-8cdb-f82bf89d1df7 + type: title + task: + id: dcaae03d-4ff1-4da5-8cdb-f82bf89d1df7 + version: -1 + name: Vulnerability Enrichment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "43" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 1640 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 74c75a3e-d86c-4cf5-86b4-952537f330a5 + type: title + task: + id: 74c75a3e-d86c-4cf5-86b4-952537f330a5 + version: -1 + name: Verdict + type: title + 
iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "38" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2270 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: bd3672c0-2ab6-4835-8cca-3fdc2b1d2af7 + type: condition + task: + id: bd3672c0-2ab6-4835-8cca-3fdc2b1d2af7 + version: -1 + name: Does response needed? + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "27" + "yes": + - "17" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: alert.verdict + iscontext: true + right: + value: + simple: malicious + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 900a4aff-dd98-4611-8b66-b6a56945a6fd + type: title + task: + id: 900a4aff-dd98-4611-8b66-b6a56945a6fd + version: -1 + name: Remediation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "21" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 840, + "y": 2780 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: fd02b167-e582-4040-8a9f-302fe467f7be + type: playbook + task: + id: fd02b167-e582-4040-8a9f-302fe467f7be + version: -1 + name: Cloud Response - Generic + description: |- + This playbook provides response playbooks for: + - AWS + - Azure + - GCP + + The response actions available are: + - Terminate/Shut down/Power off an instance + - 
Delete/Disable a user + - Delete/Revoke/Disable credentials + - Block indicators + playbookName: Cloud Response - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "46" + scriptarguments: + cloudProvider: + simple: ${alert.cloudprovider.[0]} + sourceIP: + complex: + root: DBotScore.Indicator + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + ignorecase: true + - - operator: in + left: + value: + simple: DBotScore.Indicator + iscontext: true + right: + value: + simple: alert.remoteip + iscontext: true + username: + simple: ${alert.usernames} + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 840, + "y": 3090 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 6c693e4e-ede1-46b2-8edf-2e90906e2664 + type: condition + task: + id: 6c693e4e-ede1-46b2-8edf-2e90906e2664 + version: -1 + name: Perform Cloud Response? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "27" + "yes": + - "20" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.CloudResponse + iscontext: true + right: + value: + simple: "true" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 840, + "y": 2920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: bb6704b2-b3d8-4473-8e26-32cdeed54c20 + type: condition + task: + id: bb6704b2-b3d8-4473-8e26-32cdeed54c20 + version: -1 + name: Pause the playbook to perform policy recommendations? + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "24" + "yes": + - "23" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.StopForRecommendations + iscontext: true + right: + value: + simple: "true" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 3770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 8fe0d4e7-caa6-4776-8a20-0337be0dd38a + type: regular + task: + id: 8fe0d4e7-caa6-4776-8a20-0337be0dd38a + version: -1 + name: Pause the playbook to perform policy recommendations + type: regular + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "24" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 690, + "y": 3940 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 
c7d45bdf-b5e9-47ea-82f7-cb356e1c1f7f + type: title + task: + id: c7d45bdf-b5e9-47ea-82f7-cb356e1c1f7f + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 4120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: 9640af49-911a-45a8-8624-da033d349dd2 + type: playbook + task: + id: 9640af49-911a-45a8-8624-da033d349dd2 + version: -1 + name: Block IP - Generic v3 + description: "This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing)\nNote the following:\n- some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects.\n- Note that the appended network objects should be specified in blocking rules inside the system later on. 
\n\n\nSupported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: \n\n* Check Point Firewall\n* Palo Alto Networks PAN-OS\n* Zscaler\n* FortiGate\n* Aria Packet Intelligence\n* Cisco Firepower \n* Cisco Secure Cloud Analytics\n* Cisco ASA\n* Akamai WAF\n* F5 SilverLine\n* ThreatX\n* Signal Sciences WAF\n* Sophos Firewall\n\n" + playbookName: Block IP - Generic v3 + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "39" + scriptarguments: + AutoCommit: + simple: "No" + CustomBlockRule: + simple: "True" + Folder: + simple: Shared + IP: + complex: + root: DBotScore.Indicator + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + ignorecase: true + - - operator: isEqualString + left: + value: + simple: DBotScore.Score + iscontext: true + right: + value: + simple: "3" + - - operator: in + left: + value: + simple: DBotScore.Indicator + iscontext: true + right: + value: + simple: alert.remoteip + iscontext: true + InputEnrichment: + simple: "False" + InternalRange: + complex: + root: lists + accessor: PrivateIPs + transformers: + - operator: RegexExtractAll + args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + - operator: join + args: + separator: + value: + simple: ',' + RuleDirection: + simple: outbound + RuleName: + simple: XSIAM - Block IP playbook - ${alert.id} + UserVerification: + simple: "True" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -260, + "y": 1000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: db3a06dc-6674-445a-8fa5-2d5a8e4da825 + type: 
playbook + task: + id: db3a06dc-6674-445a-8fa5-2d5a8e4da825 + version: -1 + name: Ticket Management - Generic + description: "`Ticket Management - Generic` allows you to open new tickets or update comments to the existing ticket in the following ticketing systems:\n-ServiceNow \n-Zendesk \nusing the following sub-playbooks:\n-`ServiceNow - Ticket Management`\n-`Zendesk - Ticket Management`" + playbookName: Ticket Management - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "22" + scriptarguments: + ZendeskAssigne: + simple: ${inputs.ZendeskAssigne} + ZendeskCollaborators: + simple: ${inputs.ZendeskCollaborators} + ZendeskPriority: + simple: ${inputs.ZendeskPriority} + ZendeskRequester: + simple: ${inputs.ZendeskRequester} + ZendeskStatus: + simple: ${inputs.ZendeskStatus} + ZendeskSubject: + simple: ${inputs.ZendeskSubject} + ZendeskTags: + simple: ${inputs.ZendeskTags} + ZendeskType: + simple: ${inputs.ZendeskType} + addCommentPerEndpoint: + simple: "True" + description: + simple: ${inputs.ZenDeskDescription} + serviceNowAssignmentGroup: + simple: ${inputs.serviceNowAssignmentGroup} + serviceNowCategory: + simple: ${inputs.serviceNowCategory} + serviceNowImpact: + simple: ${inputs.serviceNowImpact} + serviceNowSeverity: + simple: ${inputs.serviceNowSeverity} + serviceNowShortDescription: + simple: ${inputs.serviceNowShortDescription} + serviceNowTicketType: + simple: ${inputs.serviceNowTicketType} + serviceNowUrgency: + simple: ${inputs.serviceNowUrgency} + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 690, + "y": 3600 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: cc2d6c1e-9c5b-4322-8df2-33fecac16230 + type: condition + task: + id: cc2d6c1e-9c5b-4322-8df2-33fecac16230 + version: -1 
+ name: Create a ticket? + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "22" + "yes": + - "26" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.CreateTicket + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 3430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: 1410b003-f2f9-4bdd-804a-865520e77086 + type: title + task: + id: 1410b003-f2f9-4bdd-804a-865520e77086 + version: -1 + name: Risky User + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1640 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: a57b5f12-570d-463f-8e3e-6e20a7dcbb18 + type: regular + task: + id: a57b5f12-570d-463f-8e3e-6e20a7dcbb18 + version: -1 + name: Check if user is risky by XDR + description: Retrieve the risk score of a specific user or list of users with the highest risk score in the environment along with the reason affecting each score. 
+ script: '|||core-list-risky-users' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + user_id: + simple: ${alert.usernames} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1770 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: User Risk Level + output: + simple: ${Core.RiskyUser.risk_level} + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: d0cf5850-da44-4de5-8a7e-d8fde47fd66c + type: regular + task: + id: d0cf5850-da44-4de5-8a7e-d8fde47fd66c + version: -1 + name: Prisma alert enrichment + description: Gets the details of an alert based on the alert ID. + script: '|||prisma-cloud-alert-get-details' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "35" + - "40" + - "11" + scriptarguments: + alert_id: + simple: ${alert.external_id} + detailed: + simple: "true" + using: + simple: ${alert.sourceInstance} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 900, + "y": -130 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: First Seen + output: + simple: ${PrismaCloud.Alert.firstSeen} + - incidentfield: Last Seen + output: + simple: ${PrismaCloud.Alert.lastSeen} + - incidentfield: Alert Rules + output: + simple: ${PrismaCloud.Alert.alertRules} + - incidentfield: Account Name + output: + simple: ${PrismaCloud.Alert.resource.account} + - incidentfield: Account ID + output: + simple: ${PrismaCloud.Alert.resource.accountId} + - incidentfield: Referenced Resource Name + output: + simple: ${PrismaCloud.Alert.resource.rrn} + - incidentfield: Region ID + output: + simple: ${PrismaCloud.Alert.resource.regionId} + - incidentfield: Region + output: + simple: ${alert.prisma_region.[0]} + - incidentfield: Resource Type + output: + simple: 
${PrismaCloud.Alert.resource.resourceType} + - incidentfield: System Default Policy + output: + simple: ${PrismaCloud.Alert.policy.systemDefault} + - incidentfield: Resource URL + output: + simple: ${PrismaCloud.Alert.resource.url} + - incidentfield: Last Seen + output: + simple: ${PrismaCloud.Alert.lastSeen} + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: aab9ed40-9025-4883-88f0-c2ab4c7234e6 + type: condition + task: + id: aab9ed40-9025-4883-88f0-c2ab4c7234e6 + version: -1 + name: Does Alert Contains IP? + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "3" + "yes": + - "2" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: alert.remoteip + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": -50, + "y": -130 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: 7265dfe6-a8a7-4b86-8066-c118ba872dbe + type: condition + task: + id: 7265dfe6-a8a7-4b86-8066-c118ba872dbe + version: -1 + name: Host RRN has received from Prisma? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "3" + "yes": + - "36" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: PrismaCloud.Alert.resource.rrn + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 900, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 84ddcd55-108f-4bcb-8608-6287ad05bffb + type: regular + task: + id: 84ddcd55-108f-4bcb-8608-6287ad05bffb + version: -1 + name: Get host findings + description: Get resource host finding list. + script: '|||prisma-cloud-host-finding-list' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + all_results: + simple: "true" + rrn: + simple: ${PrismaCloud.Alert.resource.rrn} + using: + simple: ${alert.sourceInstance} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 900, + "y": 220 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "38": + id: "38" + taskid: 17a38aca-0335-45d3-8b9e-02c7104517d4 + type: regular + task: + id: 17a38aca-0335-45d3-8b9e-02c7104517d4 + version: -1 + name: Determine Verdict + description: commands.local.cmd.set.incident + script: Builtin|||setAlert + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "16" + scriptarguments: + verdict: + complex: + root: ${ + accessor: '}' + transformers: + - operator: If-Elif + args: + conditions: + value: + simple: |- + [ + { + "condition": "#{alert.ipreputation} == '2'", + "return": "Suspicious" + }, + { + "condition": "#{alert.useranomalycount} > '0'", + "return": "Suspicious" + }, + { + "condition": 
"#{alert.ipreputation} == '3'", + "return": "Malicious" + }, + { + "default": 'Undetermined' + } + ] + flags: + value: + simple: alert.ipreputation + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2410 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: 893a8d8d-ae3a-4d65-8399-128b550d4655 + type: regular + task: + id: 893a8d8d-ae3a-4d65-8399-128b550d4655 + version: -1 + name: Set status to layout + description: commands.local.cmd.set.incident + script: Builtin|||setAlert + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "8" + scriptarguments: + ipblockedstatus: + simple: Executed + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -260, + "y": 1160 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 8bab5ef9-fbad-4e40-8750-f235d3e0a15d + type: condition + task: + id: 8bab5ef9-fbad-4e40-8750-f235d3e0a15d + version: -1 + name: Is Part of Alert Rule? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "3" + "yes": + - "41" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: PrismaCloud.Alert.alertRules + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1320, + "y": 40 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: 436263bc-db35-424b-8cf0-051512df12a2 + type: regular + task: + id: 436263bc-db35-424b-8cf0-051512df12a2 + version: -1 + name: Map Alert Rules + description: Accepts a json object and returns a markdown. + scriptName: JsonToTable + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + extend-context: + simple: prismaalertrules= + value: + simple: ${PrismaCloud.Alert.alertRules} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1320, + "y": 220 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: Alert Rules + output: + simple: ${prismaalertrules} + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 3f873b48-5e22-4196-817f-bd02b7a11266 + type: regular + task: + id: 3f873b48-5e22-4196-817f-bd02b7a11266 + version: -1 + name: Get CVE Details + description: Returns CVE information by CVE ID. 
+ script: '|||cve' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + cve: + simple: ${CVE.ID} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 1930 + } + } + note: false + timertriggers: [] + ignoreworker: false + fieldMapping: + - incidentfield: CVSS + output: + simple: ${CVE.CVSS.Score} + - incidentfield: CVE Description + output: + simple: ${CVE.Description} + - incidentfield: CVE Published + output: + simple: ${CVE.Published} + - incidentfield: Vulnerable Product + output: + simple: ${CVE.vulnerableproduct} + - incidentfield: CVE ID + output: + simple: ${CVE.ID} + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 47f296ff-d425-4a5d-8fec-5ec90f8dc250 + type: condition + task: + id: 47f296ff-d425-4a5d-8fec-5ec90f8dc250 + version: -1 + name: Has related CVE? + type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "15" + "yes": + - "42" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: CVE + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 880, + "y": 1770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 2aec9d38-f06a-4694-869f-60f8daa27e8e + type: condition + task: + id: 2aec9d38-f06a-4694-869f-60f8daa27e8e + version: -1 + name: Has Results? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "15" + "yes": + - "45" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: AwsSuspiciousActivitiesCount + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: GcpAnomalousNetworkTraffic + iscontext: true + - operator: isEqualString + left: + value: + simple: CountAzureEvents.AzureAnomaliesCount + iscontext: true + right: + value: + simple: "true" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 30, + "y": 1930 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 7837fc50-fa9d-489a-89af-977c5c4100b2 + type: regular + task: + id: 7837fc50-fa9d-489a-89af-977c5c4100b2 + version: -1 + name: Set User Investigation Results + description: commands.local.cmd.set.incident + script: Builtin|||setAlert + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "15" + scriptarguments: + useranomalycount: + complex: + root: CountAzureEvents + accessor: AzureAnomaliesCount + transformers: + - operator: append + args: + item: + value: + simple: AwsSuspiciousActivitiesCount + iscontext: true + - operator: append + args: + item: + value: + simple: GcpAnomalousNetworkTraffic + iscontext: true + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 30, + "y": 2100 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 59de8147-06f1-4f75-8c2d-ba383f66db0a + type: regular + task: + id: 59de8147-06f1-4f75-8c2d-ba383f66db0a + version: -1 + name: Set status to layout + description: commands.local.cmd.set.incident + script: 
Builtin|||setAlert + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "27" + scriptarguments: + ipblockedstatus: + simple: Executed + userblockstatus: + simple: Executed + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 840, + "y": 3250 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "35_3_#default#": 0.1, + "40_3_#default#": 0.22, + "4_6_yes": 0.3 + }, + "paper": { + "dimensions": { + "height": 4615, + "width": 1960, + "x": -260, + "y": -430 + } + } + } +inputs: +- key: CreateTicket + value: + simple: "False" + required: false + description: Whether to create a ticket in ZenDesk or ServiceNow. Insert True or False + playbookInputQuery: +- key: StopForRecommendations + value: + simple: "True" + required: false + description: "" + playbookInputQuery: +- key: EarlyContainment + value: + simple: "True" + required: false + description: Whether to perform early containment. + playbookInputQuery: +- key: CloudResponse + value: + simple: "False" + required: false + description: Whether to perform cloud response. + playbookInputQuery: +- key: serviceNowShortDescription + value: {} + required: false + description: A short description of the ticket. + playbookInputQuery: +- key: serviceNowImpact + value: {} + required: false + description: The impact for the new ticket. Leave empty for ServiceNow default impact. + playbookInputQuery: +- key: serviceNowUrgency + value: {} + required: false + description: The urgency of the new ticket. Leave empty for ServiceNow default urgency. + playbookInputQuery: +- key: serviceNowSeverity + value: {} + required: false + description: The severity of the new ticket. Leave empty for ServiceNow default severity. 
+ playbookInputQuery: +- key: serviceNowTicketType + value: {} + required: false + description: The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident". + playbookInputQuery: +- key: serviceNowCategory + value: {} + required: false + description: The category of the ServiceNow ticket. + playbookInputQuery: +- key: serviceNowAssignmentGroup + value: {} + required: false + description: The group to which to assign the new ticket. + playbookInputQuery: +- key: ZendeskPriority + value: {} + required: false + description: The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low". + playbookInputQuery: +- key: ZendeskRequester + value: {} + required: false + description: The user who requested this ticket. + playbookInputQuery: +- key: ZendeskStatus + value: {} + required: false + description: The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed". + playbookInputQuery: +- key: ZendeskSubject + value: {} + required: false + description: The value of the subject field for this ticket. + playbookInputQuery: +- key: ZendeskTags + value: {} + required: false + description: The array of tags applied to this ticket. + playbookInputQuery: +- key: ZendeskType + value: {} + required: false + description: The type of this ticket. Allowed values are "problem", "incident", "question", or "task". + playbookInputQuery: +- key: ZendeskAssigne + value: {} + required: false + description: The agent currently assigned to the ticket. + playbookInputQuery: +- key: ZendeskCollaborators + value: {} + required: false + description: The users currently CC'ed on the ticket. + playbookInputQuery: +- key: ZenDeskDescription + value: {} + required: false + description: The ticket description. 
+ playbookInputQuery: +inputSections: +- inputs: + - CreateTicket + - StopForRecommendations + name: Alert Management + description: | + Alert management settings and data, +- inputs: + - EarlyContainment + - CloudResponse + name: Remediation + description: Remediation settings and data, including containment, eradication, and recovery. +- inputs: + - serviceNowShortDescription + - serviceNowImpact + - serviceNowUrgency + - serviceNowSeverity + - serviceNowTicketType + - serviceNowCategory + - serviceNowAssignmentGroup + name: Ticket Management- ServiceNow + description: Ticket management settings and data for ServiceNow +- inputs: + - ZendeskPriority + - ZendeskRequester + - ZendeskStatus + - ZendeskSubject + - ZendeskTags + - ZendeskType + - ZendeskAssigne + - ZendeskCollaborators + - ZenDeskDescription + name: Ticket Management - ZenDesk + description: Ticket management settings and data for ZenDesk +outputSections: +- outputs: [] + name: General (Outputs group) + description: Generic group for outputs +outputs: [] +tests: +- No tests (auto formatted) +marketplaces: ["marketplacev2"] +fromversion: 6.10.0 diff --git a/Packs/PrismaCloud/Playbooks/playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents_README.md b/Packs/PrismaCloud/Playbooks/playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents_README.md new file mode 100644 index 000000000000..2dc39042980e --- /dev/null +++ b/Packs/PrismaCloud/Playbooks/playbook-Prisma_Cloud_-_Network__API_and_Anomaly_Incidents_README.md 
@@ -0,0 +1,71 @@
+This playbook handles incidents of internet exposed services and detects potential risky configurations that can make your cloud environment vulnerable to attacks, and
+incidents of unusual network and user activity for all users, and are especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Ticket Management - Generic
+* Cloud Enrichment - Generic
+* Cloud User Investigation - Generic
+* Block IP - Generic v3
+* Cloud Response - Generic
+
+### Integrations
+
+* PrismaCloud v2
+* PrismaCloudV2
+* PrismaCloudIAM
+* RedLock
+
+### Scripts
+
+JsonToTable
+
+### Commands
+
+* prisma-cloud-host-finding-list
+* core-list-risky-users
+* setAlert
+* ip
+* cve
+* prisma-cloud-alert-get-details
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| serviceNowShortDescription | A short description of the ticket. | | Optional |
+| serviceNowImpact | The impact for the new ticket. Leave empty for ServiceNow default impact. | | Optional |
+| serviceNowUrgency | The urgency of the new ticket. Leave empty for ServiceNow default urgency. | | Optional |
+| serviceNowSeverity | The severity of the new ticket. Leave empty for ServiceNow default severity. | | Optional |
+| serviceNowTicketType | The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident". | | Optional |
+| serviceNowCategory | The category of the ServiceNow ticket. | | Optional |
+| serviceNowAssignmentGroup | The group to which to assign the new ticket. | | Optional |
+| ZendeskPriority | The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low". | | Optional |
+| ZendeskRequester | The user who requested this ticket. | | Optional |
+| ZendeskStatus | The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed". | | Optional |
+| ZendeskSubject | The value of the subject field for this ticket. | | Optional |
+| ZendeskTags | The array of tags applied to this ticket. | | Optional |
+| ZendeskType | The type of this ticket. Allowed values are "problem", "incident", "question", or "task". | | Optional |
+| ZendeskAssigne | The agent currently assigned to the ticket. | | Optional |
+| ZendeskCollaborators | The users currently CC'ed on the ticket. | | Optional |
+| ZenDeskDescription | The ticket description. | | Optional |
+| CreateTicket | Whether to create a ticket in ZenDesk or ServiceNow. Options are True or False. | False | Optional |
+| StopForRecommendations | | True | Optional |
+| EarlyContainment | | True | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Prisma Cloud - Network API and Anomaly Incidents](../doc_files/Prisma_Cloud_-_Network_API_and_Anomaly_Incidents.png)
diff --git a/Packs/PrismaCloud/ReleaseNotes/4_3_3.md b/Packs/PrismaCloud/ReleaseNotes/4_3_3.md
new file mode 100644
index 000000000000..e3faf09b99e6
--- /dev/null
+++ b/Packs/PrismaCloud/ReleaseNotes/4_3_3.md
@@ -0,0 +1,28 @@
+
+#### Triggers Recommendations
+
+- New: **Prisma Cloud Network API and Anomaly alerts**
+
+#### Layout Rules
+
+##### New: Prisma Cloud Network API and Anomaly
+
+New: Prisma Cloud Network API and Anomaly (Available on Cortex XSIAM)
+
+#### Playbooks
+
+##### New: Prisma Cloud - Network API and Anomaly Incidents
+
+- New(Available on Cortex XSIAM): This playbook handles incidents of internet exposed services and detect potential risky configurations that can make your cloud environment vulnerable to attacks, and
+incidents of unusual network and user activity for all users, and are especially critical for privileged users and assumed roles where detecting unusual activity may indicate the first steps in a potential misuse or account compromise.
+
+##### New: Prisma Cloud - RQL Execution
+
+- New(Available on Cortex XSIAM): This playbook enables Prisma Cloud RQL Execution from the alert layout.
+
+#### Layouts
+
+##### New: Prisma Cloud - Network API and Anomaly Incident Layout
+
+New: Prisma Cloud - Network API and Anomaly Incident Layout
+
diff --git a/Packs/PrismaCloud/Triggers/Prisma_Cloud_Netwok_API_Anomaly.json b/Packs/PrismaCloud/Triggers/Prisma_Cloud_Netwok_API_Anomaly.json
new file mode 100644
index 000000000000..010b3adff98b
--- /dev/null
+++ b/Packs/PrismaCloud/Triggers/Prisma_Cloud_Netwok_API_Anomaly.json
@@ -0,0 +1,38 @@
+{
+ "trigger_id": "c8a93aad286ff93763120c0e47696f82",
+ "playbook_id": "Prisma Cloud - Network API and Anomaly Incidents",
+ "suggestion_reason": "Recommended for Prisma Cloud Network, API and Anomaly alerts",
+ "description": "This trigger is responsible for handling Prisma Cloud Network, API and Anomaly alerts",
+ "trigger_name": "Prisma Cloud Network API and Anomaly alerts",
+ "fromVersion": "6.10.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "policy_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "network"
+ },
+ {
+ "SEARCH_FIELD": "policy_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "api"
+ },
+ {
+ "SEARCH_FIELD": "policy_type",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "anomaly"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "category",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Incident"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_-_Network_API_and_Anomaly_Incidents.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_-_Network_API_and_Anomaly_Incidents.png
new file mode 100644
index 000000000000..acd56d871f32
Binary files /dev/null and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_-_Network_API_and_Anomaly_Incidents.png differ
diff --git a/Packs/PrismaCloud/doc_files/Prisma_Cloud_-_RQL_Execution.png b/Packs/PrismaCloud/doc_files/Prisma_Cloud_-_RQL_Execution.png
new file mode 100644
index 000000000000..d3e8103234fb
Binary files /dev/null and b/Packs/PrismaCloud/doc_files/Prisma_Cloud_-_RQL_Execution.png differ
diff --git a/Packs/PrismaCloud/pack_metadata.json b/Packs/PrismaCloud/pack_metadata.json
index c4d3b0fbef57..6132298cfbb9 100644
--- a/Packs/PrismaCloud/pack_metadata.json
+++ b/Packs/PrismaCloud/pack_metadata.json
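Review bot: The new trigger file is added under the path `Prisma_Cloud_Netwok_API_Anomaly.json`, while the content's `trigger_name`, `playbook_id` and `description` all spell "Network"; the misspelled file name will be carried by every later reference and is cheapest to rename now, to `Prisma_Cloud_Network_API_Anomaly.json`, while the file is new. The file is also committed without a trailing newline (the `\ No newline at end of file` marker), which is worth fixing in the same rename. The filter itself reads consistently with the playbook description: `policy_type` in `network`/`api`/`anomaly` AND `category` equal to `Incident`; I cannot tell from this diff whether the platform's `category` values are case-sensitive, so confirm that `"Incident"` matches the alert field exactly, since a case mismatch would silently leave the trigger unused.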
@@ -2,7 +2,7 @@
 "name": "Prisma Cloud by Palo Alto Networks",
 "description": "Automate and unify security incident response across your cloud environments, while still giving a degree of control to dedicated cloud teams.",
 "support": "xsoar",
- "currentVersion": "4.3.2",
+ "currentVersion": "4.3.3",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",