diff --git a/Packs/CloudIncidentResponse/.pack-ignore b/Packs/CloudIncidentResponse/.pack-ignore index 7f0b0fa8a36d..ea2b67a62166 100644 --- a/Packs/CloudIncidentResponse/.pack-ignore +++ b/Packs/CloudIncidentResponse/.pack-ignore @@ -23,4 +23,19 @@ ignore=GR101 ignore=RM108 [file:incidentfield-Is_VPN_IP_Address.json] -ignore=IF113 \ No newline at end of file +ignore=IF113 + +[file:playbook-XCloud_Cryptomining_-_Set_Verdict.yml] +ignore=BA101 + +[file:playbook-XCloud_Cryptomining.yml] +ignore=BA101 + +[file:playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml] +ignore=BA101 + +[file:playbook-Cortex_XDR_-_Cloud_Cryptomining.yml] +ignore=BA101 + +[file:layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json] +ignore=BA101 \ No newline at end of file diff --git a/Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json similarity index 92% rename from Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json rename to Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json index 6507d63788f7..78857ac1b6fe 100644 --- a/Packs/CortexXDR/Layouts/layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json +++ b/Packs/CloudIncidentResponse/Layouts/layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json 
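Review bot: The hunk repairs the missing trailing newline on `ignore=IF113` only to leave the new last line, `ignore=BA101`, without one again (`\ No newline at end of file`); end the file with a newline so the next section appended here does not produce the same remove-and-re-add noise. The five BA101 suppressions are carried over from `Packs/CortexXDR/.pack-ignore`, which the later hunk removes, so the set is consistent; the two other moved playbooks (`Cortex_XDR_-_Cloud_Enrichment`, `XCloud_Alert_Enrichment`) get no entry, which is fine if they validate clean under the new pack.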
@@ -322,92 +322,6 @@ ], "type": "custom" }, - { - "hidden": true, - "id": "psvkrie7fh", - "name": "Alert Info", - "sections": [ - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-psvkrie7fh-field-changed-psvkrie7fh-caseinfoid-swtuqptgvs-075ee440-cc9a-11e9-afca-8792f3871db0", - "items": [ - { - "dropEffect": "move", - "endCol": 6, - "fieldId": "xdralerts", - "height": 106, - "id": "1b6eb1e0-cc9a-11e9-afca-8792f3871db0", - "index": 0, - "listId": "swtuqptgvs-075ee440-cc9a-11e9-afca-8792f3871db0", - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "XDR Alerts", - "static": false, - "w": 3, - "x": 0, - "y": 0 - }, - { - "h": 4, - "hideName": true, - "i": "caseinfoid-psvkrie7fh-field-changed-psvkrie7fh-caseinfoid-e9e2edb0-3af3-11ec-b014-a9a9af2fb426", - "items": [], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Additional alert information", - "query": "CortexXDRAdditionalAlertInformationWidget", - "queryType": "script", - "static": false, - "type": "dynamic", - "w": 3, - "x": 0, - "y": 2 - }, - { - "h": 3, - "hideName": true, - "i": "caseinfoid-psvkrie7fh-field-changed-psvkrie7fh-caseinfoid-0a9a5340-3af4-11ec-b014-a9a9af2fb426", - "items": [], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Identity Information", - "query": "CortexXDRIdentityInformationWidget", - "queryType": "script", - "static": false, - "type": "dynamic", - "w": 1, - "x": 0, - "y": 6 - }, - { - "h": 3, - "hideName": true, - "i": "caseinfoid-psvkrie7fh-field-changed-psvkrie7fh-caseinfoid-25b394c0-3af4-11ec-b014-a9a9af2fb426", - "items": [], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Remediation Actions", - "query": "CortexXDRRemediationActionsWidget", - "queryType": "script", - "static": false, - "type": "dynamic", - "w": 2, - "x": 1, - "y": 6 - } - ], - "type": "custom" - }, { "hidden": false, "id": "xmrrsnmlfj", 
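Review bot: Dropping the hidden `Alert Info` tab removes the layout's only references to `CortexXDRAdditionalAlertInformationWidget`, `CortexXDRIdentityInformationWidget`, `CortexXDRRemediationActionsWidget` and the `xdralerts` field, which looks intended to cut the dependency on the CortexXDR pack now that the file lives in CloudIncidentResponse, but nothing in the change records that content was removed rather than just moved. The same applies to the `incident_indicatorstype`, `incident_indicatortypes`, `incident_stringsifter` and `incident_stringssimilarity` entries deleted in the two following hunks, which presumably belong to fields defined in other packs. The 1_0_4 release note says only "Moved the layout"; add a line such as `- Removed the hidden Alert Info tab and field references that depended on other packs.` so an analyst comparing the two layouts knows the difference is deliberate. The enclosing `tabs` array begins before this hunk.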
@@ -1051,14 +965,6 @@ "fieldId": "incident_incomingmirrorerror", "isVisible": true }, - { - "fieldId": "incident_indicatorstype", - "isVisible": true - }, - { - "fieldId": "incident_indicatortypes", - "isVisible": true - }, { "fieldId": "incident_investigationstage", "isVisible": true @@ -1347,14 +1253,6 @@ "fieldId": "incident_state", "isVisible": true }, - { - "fieldId": "incident_stringsifter", - "isVisible": true - }, - { - "fieldId": "incident_stringssimilarity", - "isVisible": true - }, { "fieldId": "incident_subcategory", "isVisible": true @@ -1491,5 +1389,6 @@ "system": false, "version": -1, "fromVersion": "6.5.0", + "marketplaces": ["xsoar"], "description": "" } \ No newline at end of file diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml similarity index 99% rename from Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml rename to Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml index b2c041997add..3c3a5b022dc5 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml +++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining.yml @@ -1166,4 +1166,5 @@ inputs: outputs: [] tests: - No tests (auto formatted) +marketplaces: ["xsoar"] fromversion: 6.5.0 diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml similarity index 99% rename from Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml rename to Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml index 623dfe099354..caefe22ed1ea 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml 
+++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml @@ -499,4 +499,5 @@ outputs: quiet: true tests: - No tests (auto formatted) +marketplaces: ["xsoar"] fromversion: 6.5.0 diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict_README.md similarity index 100% rename from Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict_README.md rename to Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict_README.md diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_README.md similarity index 100% rename from Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_README.md rename to Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Cryptomining_README.md diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment.yml similarity index 99% rename from Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment.yml rename to Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment.yml index 5513816a3c17..de5e62b0a315 100644 --- a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment.yml +++ b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment.yml @@ -986,4 +986,5 @@ outputs: type: unknown tests: - No tests (auto formatted) +marketplaces: ["xsoar"] fromversion: 6.5.0 
diff --git a/Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment_README.md similarity index 100% rename from Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment_README.md rename to Packs/CloudIncidentResponse/Playbooks/playbook-Cortex_XDR_-_Cloud_Enrichment_README.md diff --git a/Packs/Core/Playbooks/playbook-XCloud_Alert_Enrichment.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Alert_Enrichment.yml similarity index 99% rename from Packs/Core/Playbooks/playbook-XCloud_Alert_Enrichment.yml rename to Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Alert_Enrichment.yml index d0682a216236..4319d7f69000 100644 --- a/Packs/Core/Playbooks/playbook-XCloud_Alert_Enrichment.yml +++ b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Alert_Enrichment.yml @@ -532,6 +532,5 @@ outputs: type: unknown tests: - No tests (auto formatted) -marketplaces: -- marketplacev2 +marketplaces: ["marketplacev2"] fromversion: 6.6.0 diff --git a/Packs/Core/Playbooks/playbook-XCloud_Alert_Enrichment_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Alert_Enrichment_README.md similarity index 100% rename from Packs/Core/Playbooks/playbook-XCloud_Alert_Enrichment_README.md rename to Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Alert_Enrichment_README.md diff --git a/Packs/Core/Playbooks/playbook-XCloud_Cryptomining.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml similarity index 100% rename from Packs/Core/Playbooks/playbook-XCloud_Cryptomining.yml rename to Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining.yml 
diff --git a/Packs/Core/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict.yml b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict.yml similarity index 100% rename from Packs/Core/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict.yml rename to Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict.yml diff --git a/Packs/Core/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict_README.md similarity index 100% rename from Packs/Core/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict_README.md rename to Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_-_Set_Verdict_README.md diff --git a/Packs/Core/Playbooks/playbook-XCloud_Cryptomining_README.md b/Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md similarity index 100% rename from Packs/Core/Playbooks/playbook-XCloud_Cryptomining_README.md rename to Packs/CloudIncidentResponse/Playbooks/playbook-XCloud_Cryptomining_README.md diff --git a/Packs/CloudIncidentResponse/ReleaseNotes/1_0_4.md b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_4.md new file mode 100644 index 000000000000..1434316e4f9f --- /dev/null +++ b/Packs/CloudIncidentResponse/ReleaseNotes/1_0_4.md 
@@ -0,0 +1,34 @@ + +#### Playbooks + +##### New: Cortex XDR - Cloud Enrichment + +- Moved the playbook from the Cortex XDR pack to the Cloud Incident Response pack. + +##### New: Cortex XDR - XCloud Cryptojacking + +- Moved the playbook from the Cortex XDR pack to the Cloud Incident Response pack. + +##### New: Cortex XDR - XCloud Cryptojacking - Set Verdict + +- Moved the playbook from the Cortex XDR pack to the Cloud Incident Response pack. + +##### XCloud Cryptojacking + +- Moved the playbook from the Core pack to the Cloud Incident Response pack. +##### XCloud Alert Enrichment + +- Moved the playbook from the Core pack to the Cloud Incident Response pack. +##### XCloud Cryptojacking - Set Verdict + +- Moved the playbook from the Core pack to the Cloud Incident Response pack. + +#### Triggers Recommendations + +- New: **XCloud Cryptojacking** + +#### Layouts + +##### New: Cortex XDR - XCLOUD Cryptojacking + +- Moved the layout from the Cortex XDR pack to the Cloud Incident Response pack. diff --git a/Packs/Core/Triggers/Trigger_-_XCloud_Cryptojacking.json b/Packs/CloudIncidentResponse/Triggers/Trigger_-_XCloud_Cryptojacking.json similarity index 100% rename from Packs/Core/Triggers/Trigger_-_XCloud_Cryptojacking.json rename to Packs/CloudIncidentResponse/Triggers/Trigger_-_XCloud_Cryptojacking.json diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Cloud_Cryptomining.png b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_Cloud_Cryptomining.png similarity index 100% rename from Packs/CortexXDR/doc_files/Cortex_XDR_-_Cloud_Cryptomining.png rename to Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_Cloud_Cryptomining.png diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Cloud_Enrichment.png b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_Cloud_Enrichment.png similarity index 100% rename from Packs/CortexXDR/doc_files/Cortex_XDR_-_Cloud_Enrichment.png rename to Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_Cloud_Enrichment.png 
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_-_Cryptomining_-_Set_Verdict.png b/Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_Cryptomining_-_Set_Verdict.png similarity index 100% rename from Packs/CortexXDR/doc_files/Cortex_XDR_-_Cryptomining_-_Set_Verdict.png rename to Packs/CloudIncidentResponse/doc_files/Cortex_XDR_-_Cryptomining_-_Set_Verdict.png diff --git a/Packs/Core/doc_files/XCloud_Alert_Enrichment.png b/Packs/CloudIncidentResponse/doc_files/XCloud_Alert_Enrichment.png similarity index 100% rename from Packs/Core/doc_files/XCloud_Alert_Enrichment.png rename to Packs/CloudIncidentResponse/doc_files/XCloud_Alert_Enrichment.png diff --git a/Packs/Core/doc_files/XCloud_Cryptomining.png b/Packs/CloudIncidentResponse/doc_files/XCloud_Cryptomining.png similarity index 100% rename from Packs/Core/doc_files/XCloud_Cryptomining.png rename to Packs/CloudIncidentResponse/doc_files/XCloud_Cryptomining.png diff --git a/Packs/Core/doc_files/XCloud_Cryptomining_-_Set_Verdict.png b/Packs/CloudIncidentResponse/doc_files/XCloud_Cryptomining_-_Set_Verdict.png similarity index 100% rename from Packs/Core/doc_files/XCloud_Cryptomining_-_Set_Verdict.png rename to Packs/CloudIncidentResponse/doc_files/XCloud_Cryptomining_-_Set_Verdict.png diff --git a/Packs/CloudIncidentResponse/pack_metadata.json b/Packs/CloudIncidentResponse/pack_metadata.json index 59736948258b..176a92fac0f1 100644 --- a/Packs/CloudIncidentResponse/pack_metadata.json +++ b/Packs/CloudIncidentResponse/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cloud Incident Response", "description": "This content Pack helps you automate collection, investigation, and remediation of incidents related to cloud infrastructure activities in AWS, Azure, and GCP.", "support": "xsoar", - "currentVersion": "1.0.3", + "currentVersion": "1.0.4", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", 
diff --git a/Packs/Core/ReleaseNotes/2_0_0.json b/Packs/Core/ReleaseNotes/2_0_0.json new file mode 100644 index 000000000000..02073a922add --- /dev/null +++ b/Packs/Core/ReleaseNotes/2_0_0.json @@ -0,0 +1 @@ +{"breakingChanges":true,"breakingChangesNotes":"**Important Note**:The following playbooks have been moved to the 'Cloud Incident Response' pack. The 'Cloud Incident Resopnse' pack will be installed as a dependency of the 'Core' pack."} \ No newline at end of file diff --git a/Packs/Core/ReleaseNotes/2_0_0.md b/Packs/Core/ReleaseNotes/2_0_0.md new file mode 100644 index 000000000000..d597d219da31 --- /dev/null +++ b/Packs/Core/ReleaseNotes/2_0_0.md @@ -0,0 +1,3 @@ +##### Core + +- **Important Note**: The following playbooks: **XCloud Cryptojacking**, **XCloud Cryptojacking - Set Verdict** and **XCloud Alert Enrichment**, and the **XCloud Cryptojacking trigger** have been moved to the 'Cloud Incident Response' pack. The 'Cloud Incident Response' pack will be installed as a dependency of the 'Core' pack. diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json index ed0baf7bf347..10e5426dd18f 100644 --- a/Packs/Core/pack_metadata.json +++ b/Packs/Core/pack_metadata.json @@ -2,13 +2,19 @@ "name": "Core - Investigation and Response", "description": "Automates incident response", "support": "xsoar", - "currentVersion": "1.4.4", + "currentVersion": "2.0.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", "categories": [ "Endpoint" ], + "dependencies": { + "CloudIncidentResponse": { + "mandatory": true, + "display_name": "Cloud Incident Response" + } + }, "excludedDependencies": [ "Dropbox" ], diff --git a/Packs/CortexXDR/.pack-ignore b/Packs/CortexXDR/.pack-ignore index ebfefa1d30b3..d3c322ef55fc 100644 --- a/Packs/CortexXDR/.pack-ignore +++ b/Packs/CortexXDR/.pack-ignore 
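Review bot: Core now lists `CloudIncidentResponse` as a `mandatory` dependency, but the XCloud playbooks being moved out were authored inside Core and presumably still use Core content, so CloudIncidentResponse may declare a dependency back on Core; check its pack_metadata for a cycle before merging, since a mutual mandatory dependency makes neither pack installable on its own. The bump from 1.4.4 to 2.0.0 matches a breaking move, but the companion `2_0_0.json` `breakingChangesNotes` string — the text users see in the marketplace upgrade dialog — says "The following playbooks" without naming any and misspells the target as `Cloud Incident Resopnse`; copy the playbook list from `2_0_0.md` and fix the pack name. The rest of the `dependencies` handling (`excludedDependencies`) continues after the hunk.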
@@ -67,15 +67,6 @@ ignore=PB121 [file:Cortex_XDR_incident_handling_v3.yml] ignore=PB121 -[file:playbook-Cortex_XDR_-_Cloud_Cryptomining_-_Set_Verdict.yml] -ignore=BA101 - -[file:playbook-Cortex_XDR_-_Cloud_Cryptomining.yml] -ignore=BA101 - -[file:layoutscontainer-Cortex_XDR_-_XCLOUD_Cryptomining.json] -ignore=BA101 - [file:Cortex_XDR_incident_handling_v2_README.md] ignore=RM106 diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml index 83adf51ac73a..6adb4da1dde8 100644 --- a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml +++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling.yml @@ -1,7 +1,9 @@ id: Cortex XDR Alerts Handling version: -1 +contentitemexportablefields: + contentitemfields: {} name: Cortex XDR Alerts Handling -description: "This playbook is used to loop over every alert in a Cortex XDR incident. \nSupported alert categories:\n- Malware\n- Port Scan\n- Cryptojacking\n- RDP Brute-Force\n- First SSO Access\n- Cloud IAM User Access Investigation" +description: "This playbook is used to loop over every alert in a Cortex XDR incident. \nSupported alert categories:\n- Malware\n- Port Scan\n- Cloud Cryptojacking\n- Cloud Token Theft\n- RDP Brute-Force\n- First SSO Access\n- Cloud IAM User Access Investigation" starttaskid: "0" tasks: "0": @@ -19,6 +21,7 @@ tasks: '#none#': - "6" separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -31,6 +34,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "1": id: "1" taskid: a47291e4-58cb-40b4-8eb5-306b2ffbbd0b @@ -209,6 +214,7 @@ tasks: brand: "" description: '' separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -221,6 +227,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "6": id: "6" taskid: 12258730-025a-4931-8da9-9f68bfb6a32c 
@@ -243,6 +251,7 @@ tasks: complex: root: inputs.incident_id separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -255,6 +264,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "7": id: "7" taskid: 73393504-1664-4f81-8baf-f5e29f222cea @@ -271,11 +282,12 @@ tasks: '#none#': - "5" separatecontext: false + continueonerrortype: "" view: |- { "position": { "x": 1360, - "y": 565 + "y": 575 } } note: false @@ -283,6 +295,8 @@ tasks: ignoreworker: false skipunavailable: false quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "8": id: "8" taskid: dbf4c20e-2308-41d5-88df-477133c8e571 @@ -308,6 +322,7 @@ tasks: complex: root: inputs.alert_id separatecontext: true + continueonerrortype: "" loop: iscommand: false exitCondition: "" @@ -317,7 +332,7 @@ tasks: { "position": { "x": 920, - "y": 565 + "y": 575 } } note: false @@ -453,7 +468,7 @@ tasks: { "position": { "x": 480, - "y": 565 + "y": 575 } } note: false @@ -480,8 +495,6 @@ tasks: '#none#': - "5" scriptarguments: - SOCEmailAddress: - simple: alert_id: complex: root: PaloAltoNetworksXDR.Incident.alerts @@ -511,7 +524,7 @@ tasks: view: |- { "position": { - "x": -750, + "x": -730, "y": 920 } } @@ -568,8 +581,8 @@ tasks: view: |- { "position": { - "x": -520, - "y": 565 + "x": -730, + "y": 575 } } note: false @@ -594,13 +607,15 @@ tasks: nexttasks: '#default#': - "5" - 'Cryptojacking': + Cryptojacking: - "10" IAM User Access: - "15" + Token Theft: + - "16" separatecontext: false conditions: - - label: 'Cryptojacking' + - label: Cryptojacking condition: - - operator: containsGeneral left: 
@@ -645,11 +660,166 @@ tasks: right: value: simple: Penetration testing tool attempt + - label: Token Theft + condition: + - - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of EC2 token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of VM Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of AWS Lambda’s token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of AWS Lambda’s role + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Remote usage of an AWS service token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Remote usage of an AWS EKS token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of an AWS EKS token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of an AWS ECS token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Remote usage of an AWS ECS token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: 
PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of AWS service token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Remote usage of an App engine Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of App engine Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of App engine Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of VM Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Remote usage of an App engine Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of App engine Service Account token + ignorecase: true + - operator: containsGeneral + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Remote usage of VM Service Account token + ignorecase: true continueonerrortype: "" view: |- { "position": { - "x": -520, + "x": -730, "y": 730 } } @@ -791,7 +961,7 @@ tasks: { "position": { "x": 40, - "y": 565 + "y": 575 } } note: false @@ -926,8 +1096,8 @@ tasks: view: |- { "position": { - "x": -1100, - "y": 565 + "x": -1430, + "y": 575 } } note: false 
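Review bot: The new `Token Theft` condition list repeats several alert names — `Suspicious usage of App engine Service Account token` appears three times, `Suspicious usage of VM Service Account token` and `Remote usage of an App engine Service Account token` twice each — and since the branch is an OR of `containsGeneral` checks the duplicates add nothing while making the routing table harder to audit; drop them. Two entries carry a typographic apostrophe (`Suspicious usage of AWS Lambda’s token`, `Suspicious usage of AWS Lambda’s role`); if the alert source emits an ASCII `'`, `containsGeneral` will not match and those alerts silently take the `#default#` path to task "5" with no response playbook, so confirm the exact characters against the XDR alert names. Note also that this branch fires on a substring of `alerts.name`, whereas the `inList` filter in the new task "16" later in the file requires an exact name, so a partial match can enter the branch and then hand the sub-playbook an empty `alert_id`; keeping both lists identical and exact closes that gap. The enclosing `conditions` block of this task starts before the hunk.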
@@ -1002,6 +1172,90 @@ tasks: quietmode: 2 isoversize: false isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: ad830609-c796-44fc-8de4-76d6ec8ce8dd + type: playbook + task: + id: ad830609-c796-44fc-8de4-76d6ec8ce8dd + version: -1 + name: Cortex XDR - XCloud Token Theft Response + description: |- + --- + + ## Cloud Token Theft Response Playbook + + The **Cloud Token Theft Response Playbook** provides a structured and comprehensive flow to effectively respond to and mitigate alerts involving the theft of cloud tokens. The playbook supports AWS, GCP, and Azure and executes the following: + + **Cloud Enrichment:** + - Enriches the involved resources + - Enriches the involved identities + - Enriches the involved IPs + + **Verdict Decision Tree:** + - Determines the appropriate verdict based on the investigation findings + + **Early Containment using the Cloud Response - Generic Playbook:** + - Implements early containment measures to prevent further impact + + **Cloud Persistence Threat Hunting:** + - Conducts threat hunting activities to identify any cloud persistence techniques + + **Enriching and Responding to Hunting Findings:** + - Performs additional enrichment and responds to the findings from threat hunting + + **Verdict Handling:** + - Handles false positives identified during the investigation + - Handles true positives by initiating appropriate response actions + + --- + playbookName: Cortex XDR - XCloud Token Theft Response + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + ResolveIP: + simple: "True" + alert_id: + complex: + root: PaloAltoNetworksXDR.Incident.alerts + filters: + - - operator: inList + left: + value: + simple: PaloAltoNetworksXDR.Incident.alerts.name + iscontext: true + right: + value: + simple: Suspicious usage of EC2 token, Suspicious usage of VM Service Account token, Suspicious usage of AWS Lambda’s token, Suspicious usage of AWS Lambda’s role, Remote usage of an AWS service 
token, Remote usage of an AWS EKS token, Suspicious usage of an AWS EKS token, Suspicious usage of an AWS ECS token, Remote usage of an AWS ECS token, Suspicious usage of AWS service token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token, Remote usage of VM Service Account token, Suspicious usage of VM Service Account token, Remote usage of an App engine Service Account token, Suspicious usage of App engine Service Account token + ignorecase: true + accessor: alert_id + earlyContainment: + simple: "False" + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": -1140, + "y": 920 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false system: true view: |- { @@ -1016,8 +1270,8 @@ view: |- "paper": { "dimensions": { "height": 1095, - "width": 2840, - "x": -1100, + "width": 3170, + "x": -1430, "y": 70 } } diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling_README.md b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling_README.md index fde4238c0260..a90dc888867a 100644 --- a/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling_README.md +++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling_README.md @@ -2,7 +2,8 @@ This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories: - Malware - Port Scan -- Cryptojacking +- Cloud Cryptojacking +- Cloud Token Theft - RDP Brute-Force - First SSO Access - Cloud IAM User Access Investigation 
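Review bot: The `inList` filter in task "16" packs the accepted alert names into one comma-separated string and repeats `Suspicious usage of VM Service Account token`, `Remote usage of an App engine Service Account token` and `Suspicious usage of App engine Service Account token`, so the effective set is shorter than it reads; deduplicate it and keep it byte-identical to the names in the `Token Theft` condition (including the `’` in the two Lambda entries) so routing and filtering cannot drift apart. `earlyContainment` is hard-coded to `simple: "False"` while the task description advertises early containment via the Cloud Response playbook, so containment is off unless someone edits the task — if that is intentional, state it in the release note, otherwise wire it to a playbook input as `ResolveIP` could be. The sub-playbook `Cortex XDR - XCloud Token Theft Response` is not added by this diff; confirm the pack that ships it is a declared dependency, since the CortexXDR pack_metadata hunk only adds CloudIncidentResponse. The task `description` embeds the sub-playbook's whole README, which will drift from the source; a one-line summary, as the other tasks in this file use, is enough.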
@@ -13,13 +14,14 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* GenericPolling +* Cortex XDR - Possible External RDP Brute-Force +* Cortex XDR - Malware Investigation +* Cortex XDR - XCloud Cryptojacking * Cortex XDR - Port Scan - Adjusted * Cortex XDR - First SSO Access +* Cortex XDR - XCloud Token Theft Response * Cortex XDR - Cloud IAM User Access Investigation -* Cortex XDR - Possible External RDP Brute-Force -* Cortex XDR - XCloud Cryptojacking -* Cortex XDR - Malware Investigation +* GenericPolling ### Integrations diff --git a/Packs/CortexXDR/ReleaseNotes/5_0_0.json b/Packs/CortexXDR/ReleaseNotes/5_0_0.json new file mode 100644 index 000000000000..606f92d3bde6 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/5_0_0.json @@ -0,0 +1 @@ +{"breakingChanges":true,"breakingChangesNotes":"**Important Note**: The following playbooks: **Cortex XDR - Cloud Cryptojacking**, **Cortex XDR - Cloud Cryptojacking - Set Verdict** and **XCortex XDR - Cloud Enrichment**, and the **Cortex XDR - Cloud Cryptojacking layout** have been moved to the 'Cloud Incident Response' pack. The 'Cloud Incident Response' pack will be installed as a dependency of the 'Cortex XDR' pack."} \ No newline at end of file diff --git a/Packs/CortexXDR/ReleaseNotes/5_0_0.md b/Packs/CortexXDR/ReleaseNotes/5_0_0.md new file mode 100644 index 000000000000..64751c3380c9 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/5_0_0.md @@ -0,0 +1,10 @@ +##### CortexXDR + +- **Important Note**: The following playbooks: **Cortex XDR - Cloud Cryptojacking**, **Cortex XDR - Cloud Cryptojacking - Set Verdict** and **XCortex XDR - Cloud Enrichment**, and the **Cortex XDR - Cloud Cryptojacking layout** have been moved to the 'Cloud Incident Response' pack. The 'Cloud Incident Response' pack will be installed as a dependency of the 'Cortex XDR' pack. + +#### Playbooks + +##### Cortex XDR Alerts Handling + +- Added a flow for the new Cloud Token Theft playbook. + 
diff --git a/Packs/CortexXDR/doc_files/Cortex_XDR_Alerts_Handling.png b/Packs/CortexXDR/doc_files/Cortex_XDR_Alerts_Handling.png index f2b1239430cf..4e513e8f3330 100644 Binary files a/Packs/CortexXDR/doc_files/Cortex_XDR_Alerts_Handling.png and b/Packs/CortexXDR/doc_files/Cortex_XDR_Alerts_Handling.png differ diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json index 7eec80ecd19c..67f9dc4e6ee2 100644 --- a/Packs/CortexXDR/pack_metadata.json +++ b/Packs/CortexXDR/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cortex XDR by Palo Alto Networks", "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.", "support": "xsoar", - "currentVersion": "4.11.8", + "currentVersion": "5.0.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", @@ -70,6 +70,10 @@ "Jira": { "mandatory": false, "display_name": "Atlassian Jira" + }, + "CloudIncidentResponse": { + "mandatory": true, + "display_name": "Cloud Incident Response" } }, "marketplaces": [
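Review bot: CortexXDR now takes a `mandatory` dependency on `CloudIncidentResponse`, yet the playbooks moved into that pack (`Cortex XDR - Cloud Enrichment`, `Cortex XDR - Cloud Cryptomining`) presumably call Cortex XDR integration commands, which would give CloudIncidentResponse a dependency back on CortexXDR; confirm the dependency graph tolerates that cycle before the 5.0.0 release goes out. The accompanying `5_0_0.json` and `5_0_0.md` name the moved playbook as `XCortex XDR - Cloud Enrichment` (stray leading X) although the file is `playbook-Cortex_XDR_-_Cloud_Enrichment.yml`; this is the user-facing breaking-change text, so fix it in both. Only the tail of the `dependencies` object is visible here; the earlier entries begin before the hunk.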