Fix for 'MDE Malware - Incident Enrichment' playbook (demisto#29842)

* Fix for 'MDE Malware - Incident Enrichment' playbook

* updated PNG playbook file

* RN

* RN

* removed the new conditional task and changed the DT expression within the 'key' value of tasks 46 and 47.

* DT was removed from the playbook

* re-added changes after merging from master

* DT was removed from the problematic playbook tasks & added new conditional task to check the incident fields value before setting the new keys

* removed the validation for 'MicrosoftATP.Alert.Evidence' context key from the test playbook file. removed the 'SetIfEmpty' transformer from tasks number 46 & 47 within the MDE playbook file.

* changed the name, description and condition for task number 56. added the 'manageremailaddress' incident field to the 'setIncident' automation used within task number 52.

Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_Malware_-_Incident_Enrichment.yml

@@ -218,13 +218,13 @@ tasks:
     skipunavailable: false
     task:
       brand: ''
-      description: Check if evidence was fetched?
-      id: 19cc7fd9-f64e-467d-8e95-50b3a4b27cef
+      description: Check if evidence was fetched.
+      id: 0fbc6600-7772-43e6-80b4-9fd36fd8bd2a
       iscommand: false
-      name: Check if Evidence was fetched?
+      name: Check if Evidence was fetched
       type: condition
       version: -1
-    taskid: 19cc7fd9-f64e-467d-8e95-50b3a4b27cef
+    taskid: 0fbc6600-7772-43e6-80b4-9fd36fd8bd2a
     timertriggers: []
     type: condition
     view: |-
@@ -324,7 +324,7 @@ tasks:
       {
         "position": {
           "x": 460,
-          "y": 2330
+          "y": 2350
         }
       }
     continueonerrortype: ""
@@ -440,7 +440,7 @@ tasks:
       {
         "position": {
           "x": 20,
-          "y": 1990
+          "y": 2010
         }
       }
     continueonerrortype: ""
@@ -519,7 +519,7 @@ tasks:
       {
         "position": {
           "x": -210,
-          "y": 2160
+          "y": 2180
         }
       }
     continueonerrortype: ""
@@ -1118,14 +1118,13 @@ tasks:
       description: ''
     nexttasks:
       '#none#':
-      - '46'
-      - '47'
+      - "56"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 1080,
-          "y": 1695
+          "x": 900,
+          "y": 1700
         }
       }
     note: false
@@ -1138,10 +1137,10 @@ tasks:
     continueonerrortype: ""
   '46':
     id: '46'
-    taskid: 32da064c-4064-4349-82d7-080ed44dab60
+    taskid: df8a4e9b-fab5-45b3-870c-e7d659bea5a4
     type: regular
     task:
-      id: 32da064c-4064-4349-82d7-080ed44dab60
+      id: df8a4e9b-fab5-45b3-870c-e7d659bea5a4
       version: -1
       name: Set Alert Name
       description: |-
@@ -1161,25 +1160,19 @@ tasks:
       append:
         simple: 'true'
       key:
-        simple: MicrosoftATP.Alert.Evidence(val.entityType.length>0).AlertName
+        simple: MicrosoftATP.Alert.Evidence.AlertName
       value:
         complex:
           root: incident
           accessor: alertname
           transformers:
           - operator: FirstArrayElement
-          - operator: SetIfEmpty
-            args:
-              applyIfEmpty: {}
-              defaultValue:
-                value:
-                  simple: N/A
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 880,
-          "y": 1840
+          "x": 900,
+          "y": 2010
         }
       }
     note: false
@@ -1192,10 +1185,10 @@ tasks:
     continueonerrortype: ""
   '47':
     id: '47'
-    taskid: 88743573-435d-4323-8b1f-b8d0270ddd77
+    taskid: 77fde48d-c2d7-473d-8265-18c1f67c5b4f
     type: regular
     task:
-      id: 88743573-435d-4323-8b1f-b8d0270ddd77
+      id: 77fde48d-c2d7-473d-8265-18c1f67c5b4f
       version: -1
       name: Set Device Name
       description: |-
@@ -1215,25 +1208,19 @@ tasks:
       append:
         simple: 'true'
       key:
-        simple: MicrosoftATP.Alert.Evidence(val.entityType.length>0).device_name
+        simple: MicrosoftATP.Alert.Evidence.device_name
       value:
         complex:
           root: incident
           accessor: hostnames
           transformers:
           - operator: FirstArrayElement
-          - operator: SetIfEmpty
-            args:
-              applyIfEmpty: {}
-              defaultValue:
-                value:
-                  simple: N/A
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 1290,
-          "y": 1840
+          "x": 1310,
+          "y": 2010
         }
       }
     note: false
@@ -1246,10 +1233,10 @@ tasks:
     continueonerrortype: ""
   '48':
     id: '48'
-    taskid: 61d0f3a5-0fee-431d-87d9-de9d1b2429e2
+    taskid: 2e4a7d82-de1c-4af4-8a60-1fe3a41f32fb
     type: regular
     task:
-      id: 61d0f3a5-0fee-431d-87d9-de9d1b2429e2
+      id: 2e4a7d82-de1c-4af4-8a60-1fe3a41f32fb
       version: -1
       name: Set Alerts Table Info in the Layout
       description: Creates a Grid table from items or key-value pairs.
@@ -1275,8 +1262,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 1080,
-          "y": 2010
+          "x": 1110,
+          "y": 2180
         }
       }
     note: false
@@ -1320,10 +1307,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "52":
     id: "52"
-    taskid: 27765ebf-baec-440a-8c0b-26fc588a2571
+    taskid: 6a2fe6be-eadf-4996-8977-71e101ec1d13
     type: regular
     task:
-      id: 27765ebf-baec-440a-8c0b-26fc588a2571
+      id: 6a2fe6be-eadf-4996-8977-71e101ec1d13
       version: -1
       name: Set Account information to layout
       description: commands.local.cmd.set.incident
@@ -1489,26 +1476,26 @@ tasks:
               then:
                 value:
                   simple: IAM.UserProfile.profile.login
-        manageremailaddress:
-          complex:
-            root: UserManagerEmail
-            filters:
-              - - operator: isNotEmpty
-                  left:
-                    value:
-                      simple: UserManagerEmail
-                    iscontext: true
-            transformers:
-              - operator: uniq
-              - operator: FirstArrayElement
+      manageremailaddress:
+        complex:
+          root: UserManagerEmail
+          filters:
+          - - operator: isNotEmpty
+              left:
+                value:
+                  simple: UserManagerEmail
+                iscontext: true
+          transformers:
+          - operator: uniq
+          - operator: FirstArrayElement
     separatecontext: false
     continueonerror: true
     continueonerrortype: ""
     view: |-
       {
         "position": {
           "x": 460,
-          "y": 1990
+          "y": 2010
         }
       }
     note: false
@@ -1568,6 +1555,52 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "56":
+    id: "56"
+    taskid: 011fec58-d50d-4b4e-8185-d4ef53fb713c
+    type: condition
+    task:
+      id: 011fec58-d50d-4b4e-8185-d4ef53fb713c
+      version: -1
+      name: Check if Alert Evidence Exists
+      description: Ensure that the alert evidence information exists.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "16"
+      "yes":
+      - "46"
+      - "47"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: MicrosoftATP.Alert
+                accessor: Evidence
+            iscontext: true
+          right:
+            value: {}
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 900,
+          "y": 1840
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 version: -1
 view: |-
   {
@@ -1576,7 +1609,7 @@ view: |-
     },
     "paper": {
       "dimensions": {
-        "height": 2165,
+        "height": 2185,
         "width": 1950,
         "x": -230,
         "y": 230
@@ -1586,4 +1619,3 @@ view: |-
 tests:
 - Test Playbook - MDE Malware - Incident Enrichment
 fromversion: 6.5.0
-system: true

Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_Malware_-_Incident_Enrichment_README.md

@@ -2,26 +2,35 @@ This playbook is part of the 'Malware Investigation And Response' pack. For more
 This playbook enriches Microsoft Defender For Endpoint alerts. The enrichment is done on the involved endpoint and Mitre technique ID information, and it sets the 'Malware-Investigation and Response' layout.
 
 ## Dependencies
+
 This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
-* Malware Investigation and Response - Set Alerts Grid
+
 * Mitre Attack - Extract Technique Information From ID
+* Account Enrichment - Generic v2.1
 
 ### Integrations
+
+* Microsoft365DefenderEventCollector
 * MicrosoftDefenderAdvancedThreatProtection
 
 ### Scripts
-* SetAndHandleEmpty
+
+* SetGridField
 * isError
+* SetAndHandleEmpty
 
 ### Commands
-* setIncident
+
 * microsoft-atp-get-alert-by-id
-* file
+* setIncident
 * endpoint
+* extractIndicators
+* file
 
 ## Playbook Inputs
+
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
@@ -30,6 +39,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | AlertID | The Microsoft Defender For Endpoint alert ID. | ${incident.externalsystemid} | Optional |
 
 ## Playbook Outputs
+
 ---
 
 | **Path** | **Description** | **Type** |
@@ -40,5 +50,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | Endpoint | The endpoint information. | unknown |
 
 ## Playbook Image
+
 ---
-![MDE Malware - Incident Enrichment](../doc_files/MDE_Malware_-_Incident_Enrichment.png)
+
+![MDE Malware - Incident Enrichment](../doc_files/MDE_Malware_-_Incident_Enrichment.png)

Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_16_11.md

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### MDE Malware - Incident Enrichment
+
+- Added a task to ensure that Evidence information should be displayed in the *"Alerts and Related info"*.