playbook-NGFW_Scan.yml

id: NGFW Scan
version: -1
name: NGFW Scan
description: |-
  This playbook handles external and internal scanning alerts.

  **Attacker's Goals:**

  Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

  **Investigative Actions:**

  Investigate the scanner IP address using:

  * IP enrichment:
  * NGFW Internal Scan playbook
  * Endpoint Investigation Plan playbook
  * Entity enrichment

  **Response Actions**

  The playbook's response actions are based on the initial data provided within the alert. In that phase, the playbook will execute:

  * Automatically block IP address
  * Report IP address (If configured as true in the playbook inputs)

  When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan playbook, is executed.
  This phase will execute the following containment actions:

  * Automatically isolate involved endpoint
  * Manual block indicators
  * Manual file quarantine
  * Manual disable user

  **External resources:**

  [Mitre technique T1046 - Network Service Scanning](https://attack.mitre.org/techniques/T1046/)

  [Port Scan](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Port-Scan)
starttaskid: "0"
tasks:
  "0":
    id: "0"
    taskid: 40079701-e9d2-442a-877b-bc4609b5b687
    type: start
    task:
      id: 40079701-e9d2-442a-877b-bc4609b5b687
      version: -1
      name: ""
      iscommand: false
      brand: ""
      description: ''
    nexttasks:
      '#none#':
      - "4"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": -1140
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "4":
    id: "4"
    taskid: fc3beac8-29a6-4c5e-860a-88da98d2f465
    type: condition
    task:
      id: fc3beac8-29a6-4c5e-860a-88da98d2f465
      version: -1
      name: Check if scanner IP Address is external
      description: Checks whether the scanner IP address is internal or external.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "11"
      Internal:
      - "33"
    separatecontext: false
    conditions:
    - label: Internal
      condition:
      - - operator: IsInCidrRanges
          left:
            value:
              complex:
                root: inputs.scannerIP
            iscontext: true
          right:
            value:
              simple: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    view: |-
      {
        "position": {
          "x": 480,
          "y": -1010
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "5":
    id: "5"
    taskid: 6e60d2b5-da62-4e51-8288-fa36e88a3b43
    type: title
    task:
      id: 6e60d2b5-da62-4e51-8288-fa36e88a3b43
      version: -1
      name: Done
      type: title
      iscommand: false
      brand: ""
      description: ''
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 20,
          "y": 3010
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "10":
    id: "10"
    taskid: 81114969-0dc4-4f7c-846d-9463dee9fabf
    type: title
    task:
      id: 81114969-0dc4-4f7c-846d-9463dee9fabf
      version: -1
      name: Mitigation
      type: title
      iscommand: false
      brand: ""
      description: ''
    nexttasks:
      '#none#':
      - "23"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": 530
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "11":
    id: "11"
    taskid: eb6213f6-9508-4f40-8b7b-57f4fd29a859
    type: title
    task:
      id: eb6213f6-9508-4f40-8b7b-57f4fd29a859
      version: -1
      name: Anaylsis
      type: title
      iscommand: false
      brand: ""
      description: ''
    nexttasks:
      '#none#':
      - "50"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": -800
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "14":
    id: "14"
    taskid: b54cde0f-11ea-44c2-8b0f-68b2e5e77897
    type: title
    task:
      id: b54cde0f-11ea-44c2-8b0f-68b2e5e77897
      version: -1
      name: Investigation
      type: title
      iscommand: false
      brand: ""
      description: ''
    nexttasks:
      '#none#':
      - "51"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": 1380
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "17":
    id: "17"
    taskid: cc50c64f-41c7-49cb-873b-88891bef19e6
    type: condition
    task:
      id: cc50c64f-41c7-49cb-873b-88891bef19e6
      version: -1
      name: Found additional activity for the attacker IP Address?
      description: Checks if any other activity was found for the scanner IP address.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "46"
      "yes":
      - "19"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isNotEmpty
          left:
            value:
              complex:
                root: foundIncidents
            iscontext: true
          right:
            value: {}
    view: |-
      {
        "position": {
          "x": 480,
          "y": 1670
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "19":
    id: "19"
    taskid: 79f7f934-3b5f-4db6-8705-238fc63a2f1a
    type: regular
    task:
      id: 79f7f934-3b5f-4db6-8705-238fc63a2f1a
      version: -1
      name: Notify the SOC
      description: Sends an email using EWS.
      script: '|||send-mail'
      type: regular
      iscommand: true
      brand: ""
    nexttasks:
      '#none#':
      - "40"
    scriptarguments:
      body:
        simple: |-
          XSIAM has identified a malicious scanner activity.

          The malicious scanner IP address, ${inputs.scannerIP}, has been blocked and an investigation on the targeted endpoint.
          The endpoint investigation playbook raised other suspicious activity related to the IP address.

          We advise you to review alert ID ${alert.id} due to the identified activity.

          XSIAM
      subject:
        simple: XSIAM - detected suspicious scanner activity
      to:
        complex:
          root: inputs.SOCEmailAddress
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 1000,
          "y": 1840
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "23":
    id: "23"
    taskid: f6288d7e-39f3-4da3-8a9e-5c5ffcd318b1
    type: playbook
    task:
      id: f6288d7e-39f3-4da3-8a9e-5c5ffcd318b1
      version: -1
      name: Block IP - Generic v3
      description: "This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing)\nNote the following:\n-  some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects.\n- Note that the appended network objects should be specified in blocking rules inside the system later on. \n\n\nSupported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]: \n\n* Check Point Firewall\n* Palo Alto Networks PAN-OS\n* Zscaler\n* FortiGate\n* Aria Packet Intelligence\n* Cisco Firepower \n* Cisco Secure Cloud Analytics\n* Cisco ASA\n* Akamai WAF\n* F5 SilverLine\n* ThreatX\n* Signal Sciences WAF\n* Sophos Firewall\n\n"
      playbookName: Block IP - Generic v3
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "55"
    scriptarguments:
      AutoCommit:
        simple: "No"
      CustomBlockRule:
        simple: "True"
      IP:
        complex:
          root: inputs.scannerIP
      InputEnrichment:
        simple: "False"
      RuleDirection:
        simple: outbound
      RuleName:
        simple: XSOAR - Block IP playbook - ${incident.id}
      UserVerification:
        complex:
          root: inputs.UserVerification
      Folder:
        simple: Shared
    separatecontext: true
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 480,
          "y": 670
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "26":
    id: "26"
    taskid: 93f61f2a-d50e-4916-8221-2d83b81f4331
    type: condition
    task:
      id: 93f61f2a-d50e-4916-8221-2d83b81f4331
      version: -1
      name: Was the IP Address identified as malicious?
      description: Checks if the IP address was identified as malicious.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "28"
      "yes":
      - "57"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: greaterThanOrEqual
          left:
            value:
              complex:
                root: DBotScore
                filters:
                - - operator: isEqualString
                    left:
                      value:
                        simple: DBotScore.Indicator
                      iscontext: true
                    right:
                      value:
                        simple: inputs.scannerIP
                      iscontext: true
                accessor: Score
            iscontext: true
          right:
            value:
              simple: "2"
    view: |-
      {
        "position": {
          "x": 480,
          "y": -350
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "27":
    id: "27"
    taskid: 37657fa8-531d-4142-8b8e-6bfe4b2b63ae
    type: title
    task:
      id: 37657fa8-531d-4142-8b8e-6bfe4b2b63ae
      version: -1
      name: Done
      type: title
      iscommand: false
      brand: ""
      description: ''
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 1000,
          "y": -655
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "28":
    id: "28"
    taskid: d5aa0ea2-289c-4fe0-8dfb-c64b2e52fd19
    type: condition
    task:
      id: d5aa0ea2-289c-4fe0-8dfb-c64b2e52fd19
      version: -1
      name: Should block repetitive scanning from benign IP Address?
      description: Checks whether repetitive scanning from benign IP addresses should be blocked.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "47"
      "yes":
      - "57"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: greaterThanOrEqual
          left:
            value:
              complex:
                root: foundIncidents
                transformers:
                - operator: count
            iscontext: true
          right:
            value:
              simple: "5"
      - - operator: isEqualString
          left:
            value:
              complex:
                root: inputs.blockKnownScanner
            iscontext: true
          right:
            value:
              simple: "true"
          ignorecase: true
    view: |-
      {
        "position": {
          "x": 20,
          "y": -180
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "33":
    id: "33"
    taskid: d59bde26-4667-41ec-8e8a-c38c87a3b7a4
    type: playbook
    task:
      id: d59bde26-4667-41ec-8e8a-c38c87a3b7a4
      version: -1
      name: NGFW Internal Scan
      description: |-
        This playbook investigate a scan where the source is an internal IP address.

        An attacker might initiate an internal scan for discovery, lateral movement and more.

        **Attacker's Goals:**

        An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

        **Investigative Actions:**

        * Endpoint Investigation Plan playbook

        **Response Actions:**

        * Endpoint isolation
        * Block indicators
      playbookName: NGFW Internal Scan
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "27"
    scriptarguments:
      AutoCloseAlert:
        simple: "false"
      AutoContainment:
        simple: "false"
      HostAutoContainment:
        simple: "true"
      scannerIP:
        complex:
          root: inputs.scannerIP
    separatecontext: true
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 1000,
          "y": -815
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "34":
    id: "34"
    taskid: 12c20106-b5a4-4d4e-8f08-c81cf9ce2feb
    type: regular
    task:
      id: 12c20106-b5a4-4d4e-8f08-c81cf9ce2feb
      version: -1
      name: Search scan alerts from the attacker IP
      description: |-
        Searches XSIAM alerts.

        This automation runs using the default Limited User role, unless you explicitly change the permissions.
        For more information, see the section about permissions here:
        https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
      scriptName: SearchIncidentsV2
      type: regular
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "26"
    scriptarguments:
      fromdate:
        simple: 7 days ago
      query:
        simple: name:*scan* and localip:${inputs.scannerIP}
      size:
        simple: "10"
      trimevents:
        simple: "1"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": -510
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "40":
    id: "40"
    taskid: 06dcc969-335b-4309-8e46-5979aeff8158
    type: playbook
    task:
      id: 06dcc969-335b-4309-8e46-5979aeff8158
      version: -1
      name: Containment Plan
      description: |-
        This playbook handles all the containment actions available with Cortex XSIAM.
        The playbook allows to contain the alert with one of the following tasks:
        * Isolate endpoint
        * Disable account
        * Quarantine file
        * Block indicators
        * Clear user session (currently, the playbook supports only Okta)

        The playbook inputs allows you to manipulate the execution flow. Review the inputs description.
      playbookName: Containment Plan
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "46"
    scriptarguments:
      AutoContainment:
        complex:
          root: inputs.AutoContainment
      BlockIndicators:
        simple: "True"
      ClearUserSessions:
        simple: Fasle
      EndpointID:
        complex:
          root: foundIncidents.CustomFields
          accessor: agentid
      FileContainment:
        simple: "True"
      FileHash:
        complex:
          root: foundIncidents.CustomFields
          filters:
          - - operator: isNotEqualString
              left:
                value:
                  simple: foundIncidents.CustomFields.initiatorpath
                iscontext: true
              right:
                value:
                  simple: c:\windows\explorer.exe
              ignorecase: true
          accessor: initiatorsha256
      FilePath:
        complex:
          root: foundIncidents.CustomFields.initiatorpath
          filters:
          - - operator: isNotEqualString
              left:
                value:
                  simple: foundIncidents.CustomFields.initiatorpath
                iscontext: true
              right:
                value:
                  simple: c:\windows\explorer.exe
              ignorecase: true
      FileRemediation:
        simple: Quarantine
      HostAutoContainment:
        complex:
          root: inputs.HostAutoContainment
      IAMUserDomain:
        simple: '@demisto.com'
      UserContainment:
        simple: Fasle
    separatecontext: true
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 1000,
          "y": 2010
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "41":
    id: "41"
    taskid: 7284fa76-6c8d-45f9-8edf-f32abd30d498
    type: regular
    task:
      id: 7284fa76-6c8d-45f9-8edf-f32abd30d498
      version: -1
      name: Close alert
      description: commands.local.cmd.close.inv
      script: Builtin|||closeInvestigation
      type: regular
      iscommand: true
      brand: Builtin
    nexttasks:
      '#none#':
      - "5"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": 2840
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "42":
    id: "42"
    taskid: 9d36e4d2-085a-49ec-835a-c1cafe1e89d1
    type: condition
    task:
      id: 9d36e4d2-085a-49ec-835a-c1cafe1e89d1
      version: -1
      name: Should execute recovery plan?
      description: Whether to execute the recovery plan.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "60"
      "yes":
      - "45"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left:
            value:
              complex:
                root: inputs.AutoRecovery
            iscontext: true
          right:
            value:
              simple: "true"
          ignorecase: true
    view: |-
      {
        "position": {
          "x": 480,
          "y": 2315
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "45":
    id: "45"
    taskid: b84fcf1d-129f-4b82-822a-be68527e7710
    type: playbook
    task:
      id: b84fcf1d-129f-4b82-822a-be68527e7710
      version: -1
      name: Recovery Plan
      description: |-
        This playbook handles all the recovery actions available with Cortex XSIAM.
        The playbook enables you to recover from the alert with one of the following tasks:
        * Unisolate endpoint
        * Restore quarantined file

        The playbook inputs enable you to manipulate the execution flow. Review the inputs description.
      playbookName: Recovery Plan
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "60"
    scriptarguments:
      releaseFile:
        simple: "false"
      unIsolateEndpoint:
        simple: "false"
    separatecontext: true
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 1000,
          "y": 2490
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "46":
    id: "46"
    taskid: c506b4fc-df2d-4f21-8414-d2a062e80aad
    type: title
    task:
      id: c506b4fc-df2d-4f21-8414-d2a062e80aad
      version: -1
      name: Recovery
      type: title
      iscommand: false
      brand: ""
      description: ''
    nexttasks:
      '#none#':
      - "42"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": 2180
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "47":
    id: "47"
    taskid: 6823d96c-3b1f-4738-855f-79eceff629d5
    type: condition
    task:
      id: 6823d96c-3b1f-4738-855f-79eceff629d5
      version: -1
      name: Should add alert exclusion?
      description: Checks whether to add an alert exclusion or not.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "5"
      "Yes":
      - "48"
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 20,
          "y": 670
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "48":
    id: "48"
    taskid: c61bb207-387d-49a5-8083-409ca876e978
    type: playbook
    task:
      id: c61bb207-387d-49a5-8083-409ca876e978
      version: -1
      name: Handle False Positive Alerts
      description: |
        This playbook handles false positive alerts.
      playbookName: Handle False Positive Alerts
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "5"
    scriptarguments:
      ShouldCloseAutomatically:
        complex:
          root: inputs.AutoCloseAlert
      alertName:
        complex:
          root: alert
          accessor: name
      sourceIP:
        complex:
          root: inputs.scannerIP
    separatecontext: true
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": -240,
          "y": 1365
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "50":
    id: "50"
    taskid: 510b6f41-c6c3-4a59-8e41-ab1562467fe4
    type: regular
    task:
      id: 510b6f41-c6c3-4a59-8e41-ab1562467fe4
      version: -1
      name: Enrich scanner IP Address
      description: Checks the reputation of an IP address.
      script: '|||ip'
      type: regular
      iscommand: true
      brand: ""
    nexttasks:
      '#none#':
      - "34"
    scriptarguments:
      ip:
        complex:
          root: inputs.scannerIP
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 480,
          "y": -670
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "51":
    id: "51"
    taskid: edd23e16-504a-450d-857b-1c93cd09c0d2
    type: playbook
    task:
      id: edd23e16-504a-450d-857b-1c93cd09c0d2
      version: -1
      name: Endpoint Investigation Plan
      description: |-
        This playbook handles all the endpoint investigation actions available with Cortex XSIAM.
        The playbook enables you to investigate and hunt for more information using one of the following tasks:
        * Pre-defined MITRE Tactics
        * Host fields (Host ID)
        * Attacker fields (Attacker IP, External host)
        * MITRE techniques
        * File hash (currently, the playbook supports only SHA256)

        The playbook inputs enable you to manipulate the execution flow. Review the inputs description.
      playbookName: Endpoint Investigation Plan
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "17"
    scriptarguments:
      HuntAttacker:
        simple: "True"
      HuntCnCTechniques:
        simple: "False"
      HuntCollectionTechniques:
        simple: "False"
      HuntDefenseEvasionTechniques:
        simple: "False"
      HuntDiscoveryTechniques:
        simple: "False"
      HuntExecutionTechniques:
        simple: "False"
      HuntImpactTechniques:
        simple: "False"
      HuntInitialAccessTechniques:
        simple: "False"
      HuntLateralMovementTechniques:
        simple: "False"
      HuntPersistenceTechniques:
        simple: "False"
      HuntPrivilegeEscalationTechniques:
        simple: "False"
      HuntReconnaissanceTechniques:
        simple: "False"
      agentID:
        complex:
          root: alert
          accessor: agentid
      attackerRemoteIP:
        complex:
          root: inputs.scannerIP
      timeRange:
        simple: 2 hours ago
    separatecontext: false
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 480,
          "y": 1510
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "54":
    id: "54"
    taskid: 0caa2762-5a38-4642-8525-edd7f4924807
    type: regular
    task:
      id: 0caa2762-5a38-4642-8525-edd7f4924807
      version: -1
      name: Report IP address to AbuseIPDB
      description: Reports an IP address to AbuseIPDB.
      script: '|||abuseipdb-report-ip'
      type: regular
      iscommand: true
      brand: ""
    nexttasks:
      '#none#':
      - "14"
    scriptarguments:
      categories:
        simple: "14"
      ip:
        complex:
          root: inputs.scannerIP
    separatecontext: false
    view: |-
      {
        "position": {
          "x": 1000,
          "y": 1210
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: true
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "55":
    id: "55"
    taskid: b0f3e23a-43a5-4394-806c-b097064ea017
    type: condition
    task:
      id: b0f3e23a-43a5-4394-806c-b097064ea017
      version: -1
      name: Should report the IP to AbuseIPDB ?
      description: Whether to report the IP the AbuseIPDB or not
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "14"
      "yes":
      - "56"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left:
            value:
              complex:
                root: inputs.reportIPAddress
            iscontext: true
          right:
            value:
              simple: "true"
          ignorecase: true
    view: |-
      {
        "position": {
          "x": 480,
          "y": 830
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "56":
    id: "56"
    taskid: 6958506f-7785-4f9c-87d1-e5c2a9a38cfd
    type: condition
    task:
      id: 6958506f-7785-4f9c-87d1-e5c2a9a38cfd
      version: -1
      name: Is AbuseIPDB enabled?
      description: Returns 'yes' if integration brand is available. Otherwise returns 'no'
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "14"
      "yes":
      - "54"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isExists
          left:
            value:
              complex:
                root: modules
                filters:
                - - operator: isEqualString
                    left:
                      value:
                        simple: modules.brand
                      iscontext: true
                    right:
                      value:
                        simple: abuseipdb
                    ignorecase: true
                - - operator: isEqualString
                    left:
                      value:
                        simple: modules.state
                      iscontext: true
                    right:
                      value:
                        simple: active
            iscontext: true
    view: |-
      {
        "position": {
          "x": 1000,
          "y": 1000
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
    continueonerrortype: ""
  "57":
    id: "57"
    taskid: 98a8bfdb-f55b-4948-8b31-0a11d8aef7c6
    type: regular
    task:
      id: 98a8bfdb-f55b-4948-8b31-0a11d8aef7c6
      version: -1
      name: Set Alert Severity to High
      description: commands.local.cmd.set.parent.alert.field
      script: Builtin|||setParentIncidentFields
      type: regular
      iscommand: true
      brand: Builtin
    nexttasks:
      '#none#':
      - "58"
    scriptarguments:
      manual_severity:
        simple: high
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 480,
          "y": -5
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: true
    quietmode: 2
    isoversize: false
    isautoswitchedtoquietmode: false
  "58":
    id: "58"
    taskid: 89a1d36d-860c-48e6-8f2a-cd9027583c47
    type: condition
    task:
      id: 89a1d36d-860c-48e6-8f2a-cd9027583c47
      version: -1
      name: Should open a ticket automatically in a ticketing system?
      description: Checks whether to open a ticket automatically in a ticketing system.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "10"
      "yes":
      - "59"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left:
            value:
              complex:
                root: inputs.ShouldOpenTicket
            iscontext: true
          right:
            value:
              simple: "True"
          ignorecase: true
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 480,
          "y": 160
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  "59":
    id: "59"
    taskid: 0619c0c5-861a-4dc1-832f-102486fca073
    type: playbook
    task:
      id: 0619c0c5-861a-4dc1-832f-102486fca073
      version: -1
      name: Ticket Management - Generic
      description: "`Ticket Management - Generic` allows you to open new tickets or update comments to the existing ticket in the following ticketing systems:\n-ServiceNow \n-Zendesk \nusing the following sub-playbooks:\n-`ServiceNow - Ticket Management`\n-`Zendesk - Ticket Management`\n"
      playbookName: Ticket Management - Generic
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "10"
    scriptarguments:
      CommentToAdd:
        complex:
          root: inputs.CommentToAdd
      ZendeskAssigne:
        complex:
          root: inputs.ZendeskAssigne
      ZendeskCollaborators:
        complex:
          root: inputs.ZendeskCollaborators
      ZendeskPriority:
        complex:
          root: inputs.ZendeskPriority
      ZendeskRequester:
        complex:
          root: inputs.ZendeskRequester
      ZendeskStatus:
        complex:
          root: inputs.ZendeskStatus
      ZendeskSubject:
        complex:
          root: inputs.ZendeskSubject
      ZendeskTags:
        complex:
          root: inputs.ZendeskTags
      ZendeskType:
        complex:
          root: inputs.ZendeskType
      addCommentPerEndpoint:
        complex:
          root: inputs.addCommentPerEndpoint
      description:
        complex:
          root: inputs.description
      serviceNowAssignmentGroup:
        complex:
          root: inputs.serviceNowAssignmentGroup
      serviceNowCategory:
        complex:
          root: inputs.serviceNowCategory
      serviceNowImpact:
        complex:
          root: inputs.serviceNowImpact
      serviceNowSeverity:
        complex:
          root: inputs.serviceNowSeverity
      serviceNowShortDescription:
        complex:
          root: inputs.serviceNowShortDescription
      serviceNowTicketType:
        complex:
          root: inputs.serviceNowTicketType
      serviceNowUrgency:
        complex:
          root: inputs.serviceNowUrgency
    separatecontext: true
    continueonerrortype: ""
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 750,
          "y": 350
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: true
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  "60":
    id: "60"
    taskid: c0b99b5f-80b6-4423-8e16-a2f9ce2e2a1e
    type: condition
    task:
      id: c0b99b5f-80b6-4423-8e16-a2f9ce2e2a1e
      version: -1
      name: Should close alert automatically?
      description: Whether to close the alert automatically.
      type: condition
      iscommand: false
      brand: Builtin
    nexttasks:
      '#default#':
      - "5"
      "yes":
      - "41"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left:
            value:
              complex:
                root: inputs.AutoCloseAlert
            iscontext: true
          right:
            value:
              simple: "true"
          ignorecase: true
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 480,
          "y": 2665
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
view: |-
  {
    "linkLabelsPosition": {
      "17_19_yes": 0.49,
      "26_28_#default#": 0.47,
      "26_57_yes": 0.48,
      "28_47_#default#": 0.51,
      "28_57_yes": 0.36,
      "42_45_yes": 0.49,
      "47_48_Yes": 0.58,
      "47_5_#default#": 0.12,
      "4_11_#default#": 0.41,
      "4_33_Internal": 0.72,
      "55_14_#default#": 0.28,
      "55_56_yes": 0.48,
      "56_14_#default#": 0.43,
      "56_54_yes": 0.5,
      "60_41_yes": 0.63,
      "60_5_#default#": 0.43
    },
    "paper": {
      "dimensions": {
        "height": 4215,
        "width": 1620,
        "x": -240,
        "y": -1140
      }
    }
  }
inputs:
- key: scannerIP
  value:
    complex:
      root: alert
      accessor: localip
  required: false
  description: The scanner IP address.
  playbookInputQuery:
- key: blockKnownScanner
  value:
    simple: "true"
  required: false
  description: Whether to block the IP address based on previously seen scanning alerts.
  playbookInputQuery:
- key: AutoCloseAlert
  value:
    simple: "false"
  required: false
  description: Whether to close the alert automatically or manually, after an analyst's review.
  playbookInputQuery:
- key: AutoRecovery
  value:
    simple: "false"
  required: false
  description: Whether to execute the Recovery playbook.
  playbookInputQuery:
- key: SOCEmailAddress
  value: {}
  required: false
  description: The SOC email address.
  playbookInputQuery:
- key: reportIPAddress
  value:
    simple: "false"
  required: false
  description: Whether to report the IP address to AbuseIPDB.
  playbookInputQuery:
- key: AutoContainment
  value:
    simple: "false"
  required: false
  description: |-
    Whether to execute automatically or manually the containment plan tasks:
    * Block indicators
    * Quarantine file
    * Disable user
  playbookInputQuery:
- key: HostAutoContainment
  value:
    simple: "false"
  required: false
  description: Whether to execute endpoint isolation automatically or manually.
  playbookInputQuery:
- key: ShouldOpenTicket
  value:
    simple: "False"
  required: false
  description: Whether to open a ticket automatically in a ticketing system. (True/False).
  playbookInputQuery:
- key: serviceNowShortDescription
  value:
    simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
  required: false
  description: A short description of the ticket.
  playbookInputQuery:
- key: serviceNowImpact
  value: {}
  required: false
  description: The impact for the new ticket. Leave empty for ServiceNow default impact.
  playbookInputQuery:
- key: serviceNowUrgency
  value: {}
  required: false
  description: The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  playbookInputQuery:
- key: serviceNowSeverity
  value: {}
  required: false
  description: The severity of the new ticket. Leave empty for ServiceNow default severity.
  playbookInputQuery:
- key: serviceNowTicketType
  value: {}
  required: false
  description: The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  playbookInputQuery:
- key: serviceNowCategory
  value: {}
  required: false
  description: The category of the ServiceNow ticket.
  playbookInputQuery:
- key: serviceNowAssignmentGroup
  value: {}
  required: false
  description: The group to which to assign the new ticket.
  playbookInputQuery:
- key: ZendeskPriority
  value: {}
  required: false
  description: The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  playbookInputQuery:
- key: ZendeskRequester
  value: {}
  required: false
  description: The user who requested this ticket.
  playbookInputQuery:
- key: ZendeskStatus
  value: {}
  required: false
  description: The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  playbookInputQuery:
- key: ZendeskSubject
  value:
    simple: XSIAM Incident ID - ${parentIncidentFields.incident_id}
  required: false
  description: The value of the subject field for this ticket.
  playbookInputQuery:
- key: ZendeskTags
  value: {}
  required: false
  description: The array of tags applied to this ticket.
  playbookInputQuery:
- key: ZendeskType
  value: {}
  required: false
  description: The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  playbookInputQuery:
- key: ZendeskAssigne
  value: {}
  required: false
  description: The agent currently assigned to the ticket.
  playbookInputQuery:
- key: ZendeskCollaborators
  value: {}
  required: false
  description: The users currently CC'ed on the ticket.
  playbookInputQuery:
- key: description
  value:
    simple: ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}
  required: false
  description: The ticket description.
  playbookInputQuery:
- key: addCommentPerEndpoint
  value:
    simple: "True"
  required: false
  description: 'Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.'
  playbookInputQuery:
- key: CommentToAdd
  value:
    simple: '${alert.name}. Alert ID: ${alert.id}'
  required: false
  description: Comment for the ticket.
  playbookInputQuery:
- key: UserVerification
  value:
    simple: "True"
  required: false
  description: |-
    Possible values: True/False.  Default: True.
    Whether to provide user verification for blocking IP addresses.
  playbookInputQuery:
outputs: []
tests:
- No tests (auto formatted)
marketplaces: ["marketplacev2"]
fromversion: 6.6.0
contentitemexportablefields:
  contentitemfields: {}