diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets.json
index 165f2145f823..5f64e225ac0b 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets.json
@@ -3,7 +3,6 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachaffectedtargets",
 "closeForm": false,
@@ -51,7 +50,6 @@
 ],
 "description": "List of the affected target simulators (name, IP, number of remediation data points)",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachaffectedtargets",
@@ -60,19 +58,14 @@
 "name": "SafeBreach Affected Targets",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "grid",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets_Count.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets_Count.json
index 5a970ce3bd3b..f25909112ca1 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets_Count.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Affected_Targets_Count.json
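Review bot: The last hunk of this file flips `"unsearchable": false` to `"unsearchable": true`, and the same flip is made in every other IncidentFields and IndicatorFields file in this diff, which is a behavioural change bundled into what is otherwise a removal of empty default keys. If I read the XSOAR field semantics correctly, an unsearchable field is not indexed, so incident searches, dashboard widgets and playbook queries that filter on e.g. `safebreachseverity`, `safebreachremediationstatus` or `safebreachinsightid` would stop matching; the fields that keep `"useAsKpi": true` (Insight Category, Severity, and the indicator-side Remediation Status) look like the ones most likely to be queried. Worth confirming that no widget or playbook in the pack filters on these fields, or keeping `"unsearchable": false` on the ones analysts search by and calling the change out in the pack release notes. Separately, every field file still ends with `\ No newline at end of file`, which the same formatter pass could have fixed.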
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachaffectedtargetscount",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Number of the affected target simulators by this Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachaffectedtargetscount",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Affected Targets Count",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Count.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Count.json
index 8cede50e6934..7c9e4eb2e331 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Count.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Count.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachattackcount",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Number of attacks that were simulated",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachattackcount",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Attack Count",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Ids.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Ids.json
index 0213ad6f87cc..e682c4dec34b 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Ids.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Attack_Ids.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachattackids",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "List of SafeBreach attack ids that were simulated",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachattackids",
@@ -21,9 +17,7 @@
 "name": "SafeBreach Attack Ids",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "1233",
 "33345",
@@ -325,13 +319,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "tagsSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Category.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Category.json
index 0eb3f26831c3..f3fb147c0f38 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Category.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Category.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachinsightcategory",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Security control category of the Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachinsightcategory",
@@ -21,22 +17,17 @@
 "name": "SafeBreach Insight Category",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "shortText",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": true,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0",
 "marketplaces": [
- "xsoar"
- ]
+ "xsoar"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Id.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Id.json
index c0dc5663d709..1fcba44255a7 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Id.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Id.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachinsightid",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Unique identification number of the Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachinsightid",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Insight Id",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Name.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Name.json
index 8f5e2f01e3e2..8334403b94ae 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Name.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Name.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachinsightname",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Insight name representing the security issue exposed",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachinsightname",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Insight Name",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "shortText",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Risk_Impact.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Risk_Impact.json
index 53f19d6fa480..f342a9371d9d 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Risk_Impact.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Insight_Risk_Impact.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachinsightriskimpact",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Risk impact of the Insight on the whole environment",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachinsightriskimpact",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Insight Risk Impact",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Latest_Simulation.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Latest_Simulation.json
index 02acc3f19218..2b3711762178 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Latest_Simulation.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Latest_Simulation.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachlatestsimulation",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "The latest simulation time related to this Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachlatestsimulation",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Latest Simulation",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "date",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Action.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Action.json
index 9a3dd8aacc8a..7679fd8303e7 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Action.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Action.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachremediationaction",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Suggested remediation action to be taken to fix the issue",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachremediationaction",
@@ -23,17 +19,13 @@
 "ownerOnly": false,
 "placeholder": "Suggested remediation actions to take for the Insight",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "shortText",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data.json
index 7b629ec3ff96..6f7ade5a3357 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data.json
@@ -3,7 +3,6 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachremediationdata",
 "closeForm": false,
@@ -41,7 +40,6 @@
 ],
 "description": "Vendor specific remediation data for Insight resolution",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachremediationdata",
@@ -50,19 +48,14 @@
 "name": "SafeBreach Remediation Data",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "grid",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data_Count.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data_Count.json
index 5df6e2106912..73a2e71abc2d 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data_Count.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Data_Count.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachremediationdatacount",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Total number of indicators that were tested and represent the Insight issue",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachremediationdatacount",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Remediation Data Count",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Status.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Status.json
index 7e025e83fb58..43166ee31dd8 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Status.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Remediation_Status.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachremediationstatus",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Status of the Insight within XSOAR (New, Remediated, Not Remediated, Ignored)",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachremediationstatus",
@@ -21,9 +17,7 @@
 "name": "SafeBreach Remediation Status",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "New",
 "Remediated",
@@ -32,13 +26,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "singleSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Results_Link.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Results_Link.json
index dcf0f01e51d7..ca3c933c0dc1 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Results_Link.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Results_Link.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachresultslink",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Link to the SafeBreach platform results page with all the related simulation results",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachresultslink",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Results Link",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "url",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity.json
index 52f5613d323c..34e1a3737e2e 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachseverity",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "A compound severity assigned to the Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachseverity",
@@ -21,9 +17,7 @@
 "name": "SafeBreach Severity",
 "neverSetAsRequired": false,
 "ownerOnly": true,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "High",
 "Medium",
@@ -31,13 +25,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "singleSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": true,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity_Score.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity_Score.json
index 27eca46a0b2b..8004d29f146e 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity_Score.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Severity_Score.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachseverityscore",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "A compound severity score calculated for this Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachseverityscore",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Severity Score",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Id.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Id.json
index c13296b3f777..8f166c83395e 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Id.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Id.json
@@ -3,16 +3,11 @@
 "associatedTypes": [
 "SafeBreach Simulation"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachsimulationid",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
- "description": "",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachsimulationid",
@@ -21,19 +16,14 @@
 "name": "SafeBreach Simulation Id",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": null,
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "shortText",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Number.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Number.json
index 8103a3faaab5..eac7a6b67300 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Number.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Simulation_Number.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachsimulationnumber",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Number of simulations executed as part of this Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachsimulationnumber",
@@ -21,19 +17,14 @@
 "name": "SafeBreach Simulation Number",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Threat_Groups.json b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Threat_Groups.json
index 39e19cf908f0..de12bac54e9d 100644
--- a/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Threat_Groups.json
+++ b/Packs/SafeBreach/IncidentFields/incidentfield-SafeBreach_Threat_Groups.json
@@ -3,16 +3,12 @@
 "associatedTypes": [
 "SafeBreach Insight"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachthreatgroups",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "List of attack groups (APTs) associated with the attacks simulated for this Insight",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 0,
 "hidden": false,
 "id": "incident_safebreachthreatgroups",
@@ -21,9 +17,7 @@
 "name": "SafeBreach Threat Groups",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "Magic Hound",
 "APT1",
@@ -102,13 +96,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "tagsSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Insight.json b/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Insight.json
index 91562a4f8c1a..0b9e48e399ac 100644
--- a/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Insight.json
+++ b/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Insight.json
@@ -1,6 +1,5 @@
 {
 "autorun": true,
- "closureScript": "",
 "color": "#753ffa",
 "days": 0,
 "daysR": 0,
@@ -11,10 +10,8 @@
 "id": "SafeBreach Insight",
 "locked": false,
 "name": "SafeBreach Insight",
- "preProcessingScript": "",
 "readonly": false,
 "reputationCalc": 1,
- "sortValues": null,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Simulation.json b/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Simulation.json
index 19ff353b9f48..fa284a959dbe 100644
--- a/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Simulation.json
+++ b/Packs/SafeBreach/IncidentTypes/incidenttype-SafeBreach_Simulation.json
@@ -1,6 +1,5 @@
 {
 "autorun": false,
- "closureScript": "",
 "color": "#18DEE5",
 "days": 0,
 "daysR": 0,
@@ -11,10 +10,8 @@
 "id": "SafeBreach Simulation",
 "locked": false,
 "name": "SafeBreach Simulation",
- "preProcessingScript": "",
 "readonly": false,
 "reputationCalc": 0,
- "sortValues": null,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Attack_Ids.json b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Attack_Ids.json
index 3501667dda5e..6ca01f6897e4 100644
--- a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Attack_Ids.json
+++ b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Attack_Ids.json
@@ -7,16 +7,12 @@
 "SafeBreach Protocol",
 "SafeBreach Registry"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachattackids",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "List of SafeBreach attack ids simulated",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 2,
 "hidden": false,
 "id": "indicator_safebreachattackids",
@@ -25,9 +21,7 @@
 "name": "SafeBreach Attack Ids",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "137",
 "192",
@@ -424,13 +418,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "tagsSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Insight_Ids.json b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Insight_Ids.json
index e61c6179094d..43ff2f2382d0 100644
--- a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Insight_Ids.json
+++ b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Insight_Ids.json
@@ -7,16 +7,12 @@
 "SafeBreach Protocol",
 "SafeBreach Registry"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachinsightids",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "List of the related SafeBreach Insight ids",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 2,
 "hidden": false,
 "id": "indicator_safebreachinsightids",
@@ -25,9 +21,7 @@
 "name": "SafeBreach Insight Ids",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "15",
 "5",
@@ -45,13 +39,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "tagsSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Is_Behavioral.json b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Is_Behavioral.json
index de0ec07ca843..1dd94717cadf 100644
--- a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Is_Behavioral.json
+++ b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Is_Behavioral.json
@@ -7,16 +7,12 @@
 "SafeBreach Protocol",
 "SafeBreach Registry"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachisbehavioral",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Indicates whether the SafeBreach indicator is a behavioral or not",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 2,
 "hidden": false,
 "id": "indicator_safebreachisbehavioral",
@@ -25,19 +21,14 @@
 "name": "SafeBreach Is Behavioral",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "boolean",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Remediation_Status.json b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Remediation_Status.json
index 173781c86dcf..2b7d396bd8fd 100644
--- a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Remediation_Status.json
+++ b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Remediation_Status.json
@@ -11,16 +11,12 @@
 "SafeBreach Domain",
 "SafeBreach Registry"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachremediationstatus",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "XSOAR assigned status for SafeBreach indicator (New, Remediated, Not Remediated, Ignored)",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 2,
 "hidden": false,
 "id": "indicator_safebreachremediationstatus",
@@ -29,9 +25,7 @@
 "name": "SafeBreach Remediation Status",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
 "selectValues": [
 "New",
 "Remediated",
@@ -40,13 +34,11 @@
 ],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "singleSelect",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": true,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity.json b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity.json
index 5554b88dc891..0d8a6904105a 100644
--- a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity.json
+++ b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity.json
@@ -7,16 +7,12 @@
 "SafeBreach Protocol",
 "SafeBreach Registry"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachseverity",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Highest assigned severity of the related SafeBreach Insights",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 2,
 "hidden": false,
 "id": "indicator_safebreachseverity",
@@ -25,19 +21,14 @@
 "name": "SafeBreach Severity",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "shortText",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity_Score.json b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity_Score.json
index 02dc1945cfbd..79481846fd6a 100644
--- a/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity_Score.json
+++ b/Packs/SafeBreach/IndicatorFields/indicatorfield-SafeBreach_Severity_Score.json
@@ -7,16 +7,12 @@
 "SafeBreach Protocol",
 "SafeBreach Registry"
 ],
- "breachScript": "",
 "caseInsensitive": true,
 "cliName": "safebreachseverityscore",
 "closeForm": false,
- "columns": null,
 "content": true,
- "defaultRows": null,
 "description": "Maximal severity score of the related SafeBreach Insights",
 "editForm": true,
- "fieldCalcScript": "",
 "group": 2,
 "hidden": false,
 "id": "indicator_safebreachseverityscore",
@@ -25,19 +21,14 @@
 "name": "SafeBreach Severity Score",
 "neverSetAsRequired": false,
 "ownerOnly": false,
- "placeholder": "",
 "required": false,
- "script": "",
- "selectValues": [],
 "sla": 0,
 "system": false,
- "systemAssociatedTypes": null,
 "threshold": 72,
 "type": "number",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
- "validationRegex": "",
 "version": -1,
 "fromVersion": "5.5.0"
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Command.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Command.json
index 64ec1f73ca3a..2c4f3d4480ec 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Command.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Command.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Command",
 "disabled": false,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Command",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Domain.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Domain.json
index 5227f43de506..173fe9ae18f6 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Domain.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Domain.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Domain",
 "disabled": true,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Domain",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Hash.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Hash.json
index bc6c5996f68d..c48ce700ea67 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Hash.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Hash.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Hash",
 "disabled": true,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Hash",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_IP.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_IP.json
index 0e11968c3d9b..fb7c50c42c7a 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_IP.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_IP.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach IP",
 "disabled": true,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach IP",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Port.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Port.json
index a86fd38f8b90..864d89f2169e 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Port.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Port.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Port",
 "disabled": false,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Port",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Process.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Process.json
index 6b2de00dba11..00fe30dd23e8 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Process.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Process.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Process",
 "disabled": false,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Process",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Protocol.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Protocol.json
index 071e1c7d6779..96ccca51cdf1 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Protocol.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Protocol.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Protocol",
 "disabled": false,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Protocol",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Registry.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Registry.json
index 86eee656ebf8..fb975d03c52e 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Registry.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_Registry.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach Registry",
 "disabled": false,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach Registry",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_URL.json b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_URL.json
index 0faab60c01b4..3541429cb0d8 100644
--- a/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_URL.json
+++ b/Packs/SafeBreach/IndicatorTypes/reputation-SafeBreach_URL.json
@@ -1,23 +1,12 @@
 {
- "contextPath": "",
- "contextValue": "",
- "defaultMapping": null,
 "details": "SafeBreach URL",
 "disabled": true,
- "enhancementScriptNames": [],
- "excludedBrands": [],
 "expiration": 0,
 "file": false,
- "fileHashesPriority": null,
- "formatScript": "",
 "id": "SafeBreach URL",
 "locked": false,
- "manualMapping": {},
 "mergeContext": false,
 "regex": "",
- "reputationCommand": "",
- "reputationScriptName": "",
- "sortValues": null,
 "system": false,
 "updateAfter": 0,
 "version": -1,
diff --git a/Packs/SafeBreach/Integrations/SafeBreach_v2/README.md b/Packs/SafeBreach/Integrations/SafeBreach_v2/README.md
index d3b87318998e..6a4a986a6caa 100644
--- a/Packs/SafeBreach/Integrations/SafeBreach_v2/README.md
+++ b/Packs/SafeBreach/Integrations/SafeBreach_v2/README.md
@@ -1,7 +1,6 @@
-SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses. +Deprecated. No available replacement. - -## Configure SafeBreach for Cortex XSOAR Integration +## Configure SafeBreach v2 (Deprecated) for Cortex XSOAR Integration 1. Open the **Navigation bar** → … → **CLI Console** 2. Type **config accounts** to find out the account id
@@ -12,822 +11,37 @@ Add a new one by typing: **config apikeys add --name ** 5. Use the generated API token as **apiKey** parameter in Cortex XSOAR configuration 6. Use your SafeBreach Management URL as the **url** parameter in Cortex XSOAR configuration -## Configure SafeBreach on Cortex XSOAR +## Configure SafeBreach v2 (Deprecated) on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for SafeBreach v2. +2. Search for SafeBreach v2 (Deprecated). 3. Click **Add instance** to create and configure a new integration instance. -4. Click **Test** to validate the URLs, token, and connection. - -| **Parameter** | **Description** | **Required** | -| --- | --- | --- | -| SafeBreach Managment URL | For example, `https://yourorg.safebreach.com` | True | -| Account ID | Obtained with "config accounts" SafeBreach command | True | -| API Key | Generated with "config apikeys add" SafeBreach command | True | -| Insight Category | Network Access,Network Inspection,Endpoint,Email,Web,Data Leak | False | -| Insight Data Type | Hash,Domain,URI,Command,Port,Protocol | False | -| Indicators Limit | Amount of indicators to generate. Default = 1000 | False | -| feed | Fetch indicators | False | -| feedReputation | Indicator Reputation | False | -| behavioralReputation | Behavioral Indicator Reputation | False | -| feedReliability | Source Reliability | True | -| tlp_color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. 
More information about the protocol can be found at https://us-cert.cisa.gov/tlp | False | -| feedExpirationPolicy | | False | -| feedFetchInterval | Feed Fetch Interval | False | -| feedBypassExclusionList | Bypass exclusion list | False | -| feedExpirationInterval | | False | -| insecure | Trust any certificate \(not secure\) | False | -| proxy | Use system proxy settings | False | - - - -## SafeBreach Insights -Table below summaries all available SafeBreach insights and their relative ids that should be used when calling the related commands. -Every customer environment might have some of the insights depending on the simulation results that were not blocked in the environment. - -| **Insight Id** | **Category** | **Data Type** | **Description** | -| --- | --- | --- | --- | -| 1 | Network Access | Port | Outbound traffic over non-standard ports -| 2 | Network Access | Protocol | Outbound traffic over non-standard protocols -| 3 | Network Access | Port | Outbound traffic over non-SSL protocols using secured ports -| 4 | Network Access | Port | Outbound traffic over not matching ports and protocols -| 19 | Network Access | Port | Inbound traffic over non-standard ports -| 20 | Network Access | Protocol | Inbound traffic over non-standard protocols -| 21 | Network Access | Port | Inbound traffic over non-SSL protocols using secured ports -| 22 | Network Access | Port | Inbound traffic over not matching ports and protocols -| 5 | Web | Domain | Malicious domain resolution -| 6 | Web | URI | Malicious URL requests -| 7 | Network Inspection | Hash | Malware transfer over standard ports -| 10 | Network Inspection | Protocol | Brute force -| 11 | Network Inspection | Other | Inbound C&C communication -| 12 | Network Inspection | Other | Outbound C&C communication -| 8 | Endpoint | Other | Execution of malware or code -| 9 | Endpoint | Hash | Malware drop to disk -| 13 | Endpoint | Other | Malicious host actions -| 14 | Endpoint | Command | Data and host information 
gathering -| 16 | Data Leak | Other | Exfiltration of sensitive data assets -| 15 | Email | Hash | Email with encrypted malicious attachments -| 24 | Email |Hash | Email with non-encrypted malicious attachment - -## Playbooks - -#### SafeBreach - Process Non-Behavioral Insights Feed -- This playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated. -A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator. - -#### SafeBreach - Process Behavioral Insights Feed (Premium) -- This playbook processes all SafeBreach behavioral indicators. It creates an incident for each SafeBreach Insight, enriched with all the related indicators and additional SafeBreach contextual information. -A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator. - -#### SafeBreach - Rerun Insights -- This is a sub-playbook reruns a list of SafeBreach insights based on Insight Id and waits until they complete. Used in main SafeBreach playbooks, such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral Insights Feed". - -#### SafeBreach - Rerun Single Insight -- This playbook uses the following sub-playbooks, integrations, and scripts. - -#### SafeBreach - Compare and Validate Insight Indicators -- This playbook compares SafeBreach Insight indicators before and after the processing. It receives an insight and it's indicators before validation, fetches updated indicators after rerunning the insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated. 
- -#### SafeBreach - SafeBreach Create Incidents per Insight and Associate Indicators -- This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed". - -#### SafeBreach - Handle Insight Incident (Premium) -- This playbook is triggered automatically for each SafeBreach Insight incident: - 1. Adding insight information (including suggested remediation actions); - 2. Assigning it to an analyst to remediate and either “ignore” or “validate.” Validated incidents are rerun with the related SafeBreach Insight and the results are compared to the previous indicator results. The incident is closed once all the indicators are resolved or the analyst “ignores” the incident. Unresolved indicators wait for handling by the analyst. + | **Parameter** | **Description** | **Required** | + | --- | --- | --- | + | SafeBreach Managment URL | For example, https://yourorg.safebreach.com | True | + | Account ID | Obtained with "config accounts" SafeBreach command | True | + | API Key | Generated with "config apikeys add" SafeBreach command | True | + | Insight Category | | | + | Insight Data Type | | | + | Non Behavioral Indicator Reputation | Non-Behavioral Indicator from this integration instance will be marked with this reputation | | + | Behavioral Reputation | Behavioral Indicator from this integration instance will be marked with this reputation | | + | Indicators Limit | The maximum number of indicators to generate. The default is 1000. 
| | + | Fetch indicators | | | + | Source Reliability | Reliability of the source providing the intelligence data | True | + | Traffic Light Protocol Color | The Traffic Light Protocol \(TLP\) designation to apply to indicators fetched from the feed | | + | | | | + | Feed Fetch Interval | | | + | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | | + | | | | + | Trust any certificate (not secure) | | | + | Use system proxy settings | | | + | Indicator Reputation | Indicators from this integration instance will be marked with this reputation | | + | Tags | Supports CSV values. | | - - -## Dashboard (Premium) -SafeBreach Insights dashboard summarizes the current status of actionable insights and related indicators. - ![SafeBreach Dashboard](https://github.com/demisto/content/raw/6af01e00312a5558e9e2fecdb22534e98414bc9c/Packs/SafeBreach/doc_imgs/xsoar_SafeBreach_dashboard.png) +4. Click **Test** to validate the URLs, token, and connection. ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. -### safebreach-get-insights -*** -Gets SafeBreach Insights for all security control categories. - - -#### Base Command - -`safebreach-get-insights` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| insightIds | Array of insight IDs to fetch. | Optional | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SafeBreach.Insight.Name | String | Insight name representing the action required to be taken. | -| SafeBreach.Insight.Id | Number | Insight unique ID number. | -| SafeBreach.Insight.DataType | String | Insight data type. 
Options are Hash, Domain, URI, Command, Port, or Protocol. | -| SafeBreach.Insight.Category | String | Security control category name. | -| SafeBreach.Insight.LatestSimulation | Date | Time of the latest simulation from the insight. | -| SafeBreach.Insight.SimulationsCount | Number | Number of the related simulations. | -| SafeBreach.Insight.RiskImpact | Number | Risk impact of the insight on the environment total risk score. | -| SafeBreach.Insight.AffectedTargetsCount | Number | Number of affected targets. | -| SafeBreach.Insight.SeverityScore | Number | Insight severity numeric value | -| SafeBreach.Insight.Severity | String | Insight severity mapped to low/medium/high. | -| SafeBreach.Insight.RemediationDataCount | Number | Number of the remediation data points. | -| SafeBreach.Insight.RemediationDataType | String | Type of the remediation data. | -| SafeBreach.Insight.ThreatGroups | Array | Array of APT names that are mapped to the insight. | -| SafeBreach.Insight.NetworkDirection | String | Communication direction of Insight, relative to the target \(inbound/outbound\). | -| SafeBreach.Insight.AttacksCount | Number | List of all insight related SafeBreach attack IDs. 
| -| SafeBreach.Insight.AffectedTargets | Array | List of the affected targets including name, IP and number of the remediation points | -| SafeBreach.Insight.RemediationAction | String | Description of an action to take for the remediation | -| SafeBreach.Insight.ResultsLink | String | Link to the SafeBreach platform Results page filtered for the relevant simulation results | -| SafeBreach.Insight.AttackIds | Array | SafeBreach Attack Ids | - - -##### Command Example -```!safebreach-get-insights insightIds=[5,9]``` - -##### Context Example -``` -{ - "SafeBreach": { - "Insight": [ - { - "AffectedTargetsCount": 2, - "AttacksCount": 36, - "Category": "Web", - "DataType": "Domain", - "EarliestSimulation": "2020-04-07T14:34:15.807Z", - "Id": 5, - "LatestSimulation": "2020-04-07T15:54:01.256Z", - "Name": "Blacklist malicious domains", - "NetworkDirection": "outbound", - "RemediationDataCount": 71, - "RemediationDataType": "FQDN/IP", - "RiskImpact": 0.42, - "Severity": "Medium", - "SeverityScore": 10, - "SimulationsCount": 399, - "ThreatGroups": [ - "APT32", - "APT37", - "BRONZE BUTLER", - "Lazarus Group", - "OilRig", - "PLATINUM", - "APT18", - "APT19", - "APT29", - "APT3", - "APT33", - "Dragonfly 2.0", - "FIN7", - "FIN8", - "Magic Hound", - "Night Dragon", - "TEMP.Veles", - "Threat Group-3390", - "Tropic Trooper", - "N/A" - ] - }, - { - "AffectedTargetsCount": 3, - "AttacksCount": 97, - "Category": "Endpoint", - "DataType": "Hash", - "EarliestSimulation": "2020-04-06T11:17:04.253Z", - "Id": 9, - "LatestSimulation": "2020-04-06T12:02:09.109Z", - "Name": "Prevent malware to be written to disk", - "NetworkDirection": null, - "RemediationDataCount": 97, - "RemediationDataType": "Attack", - "RiskImpact": 0.36, - "Severity": "Medium", - "SeverityScore": 10, - "SimulationsCount": 229, - "ThreatGroups": [ - "APT28", - "Lazarus Group", - "APT32", - "APT34", - "APT37", - "BRONZE BUTLER", - "Dark Caracal", - "FIN7", - "Leviathan", - "N/A", - "Naikon", - "OilRig", - "PittyTiger", - 
"Scarlet Mimic", - "Turla", - "Winnti Group", - "menuPass" - ] - } - ] - } -} -``` - - - -### safebreach-get-remediation-data -*** -Gets remediation data for a specific SafeBreach Insight. - - -#### Base Command - -`safebreach-get-remediation-data` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| insightId | The ID of the insight for which to fetch remediation data. | Required | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SafeBreach.Insight.Id | Number | Insight unique ID number. | -| SafeBreach.Insight.SHA256 | String | Malware SHA256 hash. | -| SafeBreach.Insight.Domain | String | Malicious domains. | -| SafeBreach.Insight.IP | String | Malicious IP addresses. | -| SafeBreach.Insight.Port | Number | Ports used during the attack. | -| SafeBreach.Insight.Protocol | String | Protocols used during the attack. | -| SafeBreach.Insight.Proxy | String | Proxies used during the attack. | -| SafeBreach.Insight.URI | String | Malicious URIs. | -| SafeBreach.Insight.DropPath | String | Malware drop paths. | -| SafeBreach.Insight.User | String | Impersonated users running the attacks. | -| SafeBreach.Insight.Command | String | Attack executed commands. | -| SafeBreach.Insight.Registry | String | Attack read/changed registry paths. | -| SafeBreach.Insight.ClientHeader | String | Client HTTP headers used in the attacks. | -| SafeBreach.Insight.ServerHeader | String | Server HTTP headers used in the attacks. | -| URL.Data | String | Malicious domains, URLs, or IP addresses. | -| File.SHA256 | String | Malicious SHA256 file hashes. | -| Process.CommandLine | String | Suspicious commands. | -| DBotScore.Indicator | String | Indicator value. Options are IP, SHA1, MD5, SHA256, Email, or Url. | -| DBotScore.Type | String | Indicator type. Options are ip, file, email, or url. | -| DBotScore.Vendor | String | SafeBreach. This is the vendor reporting the score of the indicator. 
| -| DBotScore.Score | Number | 3 \(Bad\). The score of the indicator. | -| SafeBreach.Insight.RemediationData.Splunk | String | Remediation data in a form of a Splunk query | - - -##### Command Example -```!safebreach-get-remediation-data insightId=5``` - -##### Context Example -``` -{ - "DBotScore": [ - { - "Indicator": "codeluxsoftware.com.", - "Score": 3, - "Type": "url", - "Vendor": "SafeBreach" - }, - { - "Indicator": "866448.com.", - "Score": 3, - "Type": "url", - "Vendor": "SafeBreach" - }, - { - "Indicator": "a1.weilwords2.com.br.", - "Score": 3, - "Type": "url", - "Vendor": "SafeBreach" - } - ], - "Domain": [ - { - "Malicious": { - "Description": "SafeBreach Insights - (5)Blacklist malicious domains", - "Vendor": "SafeBreach" - }, - "Name": "codeluxsoftware.com." - }, - { - "Malicious": { - "Description": "SafeBreach Insights - (5)Blacklist malicious domains", - "Vendor": "SafeBreach" - }, - "Name": "866448.com." - }, - { - "Malicious": { - "Description": "SafeBreach Insights - (5)Blacklist malicious domains", - "Vendor": "SafeBreach" - }, - "Name": "a1.weilwords2.com.br." - } - ], - "SafeBreach": { - "Insight": { - "FQDN/IP": [ - "codeluxsoftware.com.", - "866448.com.", - "a1.weilwords2.com.br." - ], - "Id": "5" - } - }, - "URL": [ - { - "Data": "codeluxsoftware.com.", - "Malicious": { - "Description": "SafeBreach Insights - (5)Blacklist malicious domains", - "Vendor": "SafeBreach" - } - }, - { - "Data": "866448.com.", - "Malicious": { - "Description": "SafeBreach Insights - (5)Blacklist malicious domains", - "Vendor": "SafeBreach" - } - }, - { - "Data": "a1.weilwords2.com.br.", - "Malicious": { - "Description": "SafeBreach Insights - (5)Blacklist malicious domains", - "Vendor": "SafeBreach" - } - }, - ] -} -``` - - - -### safebreach-rerun-insight -*** -Reruns a specific SafeBreach Insight related simulations in your environment. 
- - -#### Base Command - -`safebreach-rerun-insight` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| insightIds | The IDs of the insight to rerun. | Required | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SafeBreach.Insight.Id | Number | Insight unique ID. | -| SafeBreach.Insight.Rerun.Name | String | Insight rerun test name. | -| SafeBreach.Insight.Rerun.Id | String | ID of the rerun insight test. | -| SafeBreach.Insight.Rerun.AttacksCount | Number | Count of the attacks executed in the insight rerun test. | -| SafeBreach.Test.Id | String | ID of the test. | -| SafeBreach.Test.Name | String | Name of the test. | -| SafeBreach.Test.AttacksCount | Number | The number of attacks executed in the insight rerun test. | -| SafeBreach.Test.Status | String | Test run status. For insight rerun, starts from PENDING. | -| SafeBreach.Test.ScheduledTime | Date | Time when the test was triggered. | - - -##### Command Example -```!safebreach-rerun-insight insightIds=5``` - -##### Context Example -``` -{ - "SafeBreach": { - "Insight": { - "Id": "5", - "Rerun": [ - { - "AttacksCount": 36, - "Id": "1586684450523.75", - "Name": "Insight (Demisto) - Blacklist malicious domains", - "ScheduledTime": "2020-04-12T09:40:50.533398" - } - ] - }, - "Test": { - "AttacksCount": 36, - "Id": "1586684450523.75", - "Name": "Insight (Demisto) - Blacklist malicious domains", - "ScheduledTime": "2020-04-12T09:40:50.533414", - "Status": "Pending" - } - } -} -``` - -##### Human Readable Output -### Rerun SafeBreach Insight -|# Attacks|Insight Id|Name|Test Id| -|---|---|---|---| -| 36 | 5 | Insight (Demisto) - Blacklist malicious domains | 1586684450523.75 | - - -### safebreach-get-test-status -*** -Gets the status of a SafeBreach test for tracking progress of a run. 
- - -#### Base Command - -`safebreach-get-test-status` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| testId | The ID of the test to track. | Required | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SafeBreach.Test.Id | String | ID of the test. | -| SafeBreach.Test.Name | String | Name of the test. | -| SafeBreach.Test.Status | String | Test run status. Options are PENDING, RUNNING, CANCELED, or COMPLETED. | -| SafeBreach.Test.StartTime | Date | Starting time of the test. | -| SafeBreach.Test.EndTime | Date | Ending time of the test. | -| SafeBreach.Test.TotalSimulationNumber | Number | Number of simulations for the test. | - - -##### Command Example -```!safebreach-get-test-status testId=1585757174467.23``` - -##### Context Example -``` -{ - "SafeBreach": { - "Test": { - "EndTime": "2020-04-01T16:10:36.389Z", - "Id": "1585757174467.23", - "Name": "Rerun (Demisto) - #(2122) Write SamSam Malware (AA18-337A) to Disk", - "StartTime": "2020-04-01T16:06:14.471Z", - "Status": "CANCELED", - "TotalSimulationNumber": 9 - } - } -} -``` - -##### Human Readable Output -### Test Status -|Test Id|Name|Status|Start Time|End Time|Total Simulation Number| -|---|---|---|---|---|---| -| 1585757174467.23 | Rerun (Demisto) - #(2122) Write SamSam Malware (AA18-337A) to Disk | CANCELED | 2020-04-01T16:06:14.471Z | 2020-04-01T16:10:36.389Z | 9 | - - - - -### safebreach-get-simulation -*** -Get SafeBreach simulation - - -#### Base Command - -`safebreach-get-simulation` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| simulationId | The ID of the simulation. By default, taken from the incident. | Required | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SafeBreach.Simulation.Id | String | ID of the simulation result. | -| SafeBreach.Simulation.FinalStatus | String | Simulation final status. 
Options are Missed, Detected, Stopped, Prevented, or Inconsistent. | -| SafeBreach.Simulation.Result | String | Indicates whether the simulation was blocked. | -| SafeBreach.Simulation.DetectedAction | String | Indicates the overall detected action taken by security controls. | -| SafeBreach.Simulation.SimulationRunId | Number | The unique simulation run ID \(changes between simulation runs\). | -| SafeBreach.Simulation.Time | Datetime | Latest simulation run time. | -| SafeBreach.Simulation.LastChangeTime | Datetime | Time when the simulation result was changed. | -| SafeBreach.Simulation.Labels | Array | Array of labels applied on the simulation. | -| SafeBreach.Simulation.Attack.Id | String | ID of the simulated attack. | -| SafeBreach.Simulation.Attack.Name | String | Name of the simulated attack. | -| SafeBreach.Simulation.Attack.Description | String | Description of the attack flow. | -| SafeBreach.Simulation.Attack.Phase | String | The phase of the attack. Option are Infiltration, Exfiltration ,Lateral Movement, or Host Level. | -| SafeBreach.Simulation.Attack.Type | String | The type of the attack. For example, Real C2 Communication, Malware Transfer, or Malware Write to Disk. | -| SafeBreach.Simulation.Attack.SecurityControl | String | Related security control category. | -| SafeBreach.Simulation.Attack.IndicatorBased | Bool | True if this attack is based on an indicator. False if this is behavioral non\-indicator based. | -| SafeBreach.Simulation.Attacker.Name | String | Name of the attacker simulator. | -| SafeBreach.Simulation.Attacker.OS | String | OS of the attacker simulator. | -| SafeBreach.Simulation.Attacker.InternalIp | String | Internal IP address of the attacker simulator. | -| SafeBreach.Simulation.Attacker.ExternalIp | String | External IP address of the attacker simulator. | -| SafeBreach.Simulation.Attacker.SimulationDetails | JSON | Simulation run detailed logs from the attacker simulator. 
| -| SafeBreach.Simulation.Target.Name | String | Name of the target simulator. | -| SafeBreach.Simulation.Target.OS | String | OS of the target simulator. | -| SafeBreach.Simulation.Target.InternalIp | String | Internal IP address of the target simulator. | -| SafeBreach.Simulation.Target.ExternalIp | String | External IP address of the target simulator. | -| SafeBreach.Simulation.Target.SimulationDetails | JSON | Simulation run detailed logs from the target simulator. | -| SafeBreach.Simulation.Network.Direction | String | Attack network direction relative to the target \- inbound/outbound. | -| SafeBreach.Simulation.Network.SourceIp | String | The IP address that initiated the network communication. | -| SafeBreach.Simulation.Network.DestinationIp | String | The IP address that received the network communication. | -| SafeBreach.Simulation.Network.SourcePort | String | The source port of the network communication. | -| SafeBreach.Simulation.Network.DestinationPort | String | The destination port of the network communication. | -| SafeBreach.Simulation.Network.Protocol | String | The top\-level protocol of the network communication. | -| SafeBreach.Simulation.Network.Proxy | String | The proxy name used in the network communication. | -| SafeBreach.Simulation.Classifications.MITRETechniques | Array | List of attack related MITRE techniques. | -| SafeBreach.Simulation.Classifications.MITREGroups | Array | List of attack related MITRE threat groups. | -| SafeBreach.Simulation.Classifications.MITRESoftware | Array | List of attack related MITRE software and tools. | -| SafeBreach.Simulation.Parameters | JSON | Parameters of the simulation. | - - -##### Command Example -```!safebreach-get-simulation simulationId=d937cd0e5fd4e2c9266801b7bd17e097``` - -##### Context Example -``` -{ - "SafeBreach": { - "Simulation": { - "Attack": { - "Description": "**Goal**\n\n1. Verify whether the malware can be written to disk.\n\n**Actions**\n\n1. 
**Malware Drop** \n **Action:** [wannacry](https://attack.mitre.org/software/S0366) malware is written to disk on the target simulator. \n **Expected behavior:** The malware written to disk is identified and removed after a pre-defined time period. \n\n**More Info** \n", - "Id": 3055, - "IndicatorBased": "False", - "Name": "Write wannacry malware to disk", - "Phase": "Host Level", - "SecurityControl": [ - "Endpoint" - ], - "Type": [ - "Malware Drop" - ] - }, - "Attacker": { - "ExternalIp": "172.31.42.76", - "InternalIp": "172.31.42.76", - "Name": "Win10 - Cylance", - "OS": "WINDOWS", - "SimulationDetails": { - "DETAILS": "Task finished running because of an exception. Traceback: \r\nTraceback (most recent call last):\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\task_action_runner.py\", line 89, in run\n pythonect_result_object = pythonect_runner(full_pythonect_string, self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\runners\\runner_classes.py\", line 187, in __call__\n return pythonect.eval(self.pythonect_string, locals_=self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 938, in eval\n result = _run(graph, root_nodes[0], globals_, locals_, {}, pool, False)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, 
tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 734, in _run\n result = runner(__node_main, args=(input_value, last_value, globals_, locals_))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint 
Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 629, in __apply_current\n return func(*args, **kwds)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 440, in __node_main\n return_value = python.eval(current_value, globals_, locals_)\n File \"\", line 1, in \n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\__init__.py\", line 285, in wrapper\n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\endpoint\\utils\\file_utils.py\", line 121, in open_or_die\nSBFileNotFoundException: ('File (%s) was removed', 'c:\\\\windows\\\\temp\\\\sb-sim-temp-jvu_fk\\\\sb_107985_bs_9vrn0e\\\\bdata.bin')\n", - "ERROR": "", - "METADATA": { - "executable": [ - "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\python.exe", - "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\safebreach_simulation.py" - ], - "hostname": "Cylance-Win10-Demisto", - "pid": 5584, - "ret_code": 0 - }, - "OUTPUT": "", - "SIMULATION_STEPS": [ - { - "level": "INFO", - "message": "File opened", - "params": { - "mode": "wb", - "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin" - }, - "time": "2020-04-02T09:47:01.500000" - }, - { - "level": "INFO", - "message": "File written", - "params": { - "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin" - }, - "time": "2020-04-02T09:47:01.500000" - } - ] - } - }, - "Classifications": { - "MITREGroups": [ - "Lazarus Group" - ], - "MITRESoftware": [ - "(S0366) wannacry" - ], - "MITRETechniques": [ - "(T1107) File Deletion" - ] - }, - "DetectedAction": "Prevent", - "FinalStatus": "Prevented", 
- "Id": "d937cd0e5fd4e2c9266801b7bd17e097", - "Labels": [], - "LastChangeTime": "2020-03-10T15:13:51.900Z", - "Network": { - "DestinationIp": "", - "DestinationPort": null, - "Direction": null, - "Protocol": "N/A", - "Proxy": null, - "SourceIp": "", - "SourcePort": [] - }, - "Parameters": { - "BINARY": [ - { - "displayName": "Sample binaries", - "displayType": "Hash", - "displayValue": "sha256", - "md5": "246c2781b88f58bc6b0da24ec71dd028", - "name": "buffer", - "sha256": "16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab", - "value": "16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab" - } - ], - "NOT_CLASSIFIED": [ - { - "displayName": "Simulation wait", - "displayType": "Not Classified", - "displayValue": "10 seconds", - "name": "timeout", - "value": "10" - } - ], - "PATH": [ - { - "displayName": "Drop paths", - "displayType": "Path", - "displayValue": "Temporary folder", - "name": "drop_path", - "value": "%temp%\\\\\\\\bdata.bin" - } - ], - "SIMULATION_USER_DESTINATION": [ - { - "displayName": "Impersonated User - Target", - "displayValue": "SYSTEM", - "name": "Impersonated User - Target", - "value": "SYSTEM" - } - ] - }, - "Result": "Blocked", - "SimulationRunId": 107985, - "Target": { - "ExternalIp": "172.31.42.76", - "InternalIp": "172.31.42.76", - "Name": "Win10 - Cylance", - "OS": "WINDOWS", - "SimulationDetails": { - "DETAILS": "Task finished running because of an exception. 
Traceback: \r\nTraceback (most recent call last):\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\task_action_runner.py\", line 89, in run\n pythonect_result_object = pythonect_runner(full_pythonect_string, self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\sbsimulation\\runners\\runner_classes.py\", line 187, in __call__\n return pythonect.eval(self.pythonect_string, locals_=self.pythonect_params)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 938, in eval\n result = _run(graph, root_nodes[0], globals_, locals_, {}, pool, False)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint 
Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 738, in _run\n return_value = _run_next_virtual_nodes(graph, node, globals_, locals_, flags, pool, result)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 224, in _run_next_virtual_nodes\n return_value = __resolve_and_merge_results(_run(graph, node, tmp_globals, tmp_locals, {}, pool, True))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 660, in _run\n return_value = _run_next_graph_nodes(graph, node, globals_, locals_, pool)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 610, in _run_next_graph_nodes\n nodes_return_value.insert(0, _run(graph, next_nodes[0], globals_, locals_, {}, pool, False))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 734, in _run\n result = runner(__node_main, args=(input_value, last_value, globals_, locals_))\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 629, in __apply_current\n return func(*args, **kwds)\n File \"C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\lib\\site-packages\\pythonect\\internal\\eval.py\", line 440, in __node_main\n return_value = python.eval(current_value, globals_, locals_)\n File \"\", line 1, in \n File \"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\__init__.py\", line 285, in wrapper\n File 
\"c:\\jenkins\\workspace\\multi-branch_master-NLIC56DSK443DP5KDJGAEKHQDPZ2GF\\agent\\project\\dependencies\\framework\\src\\build\\lib\\framework\\endpoint\\utils\\file_utils.py\", line 121, in open_or_die\nSBFileNotFoundException: ('File (%s) was removed', 'c:\\\\windows\\\\temp\\\\sb-sim-temp-jvu_fk\\\\sb_107985_bs_9vrn0e\\\\bdata.bin')\n", - "ERROR": "", - "METADATA": { - "executable": [ - "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\python.exe", - "C:\\Program Files\\SafeBreach\\SafeBreach Endpoint Simulator\\app\\20.1.13\\simvenv\\Scripts\\safebreach_simulation.py" - ], - "hostname": "Cylance-Win10-Demisto", - "pid": 5584, - "ret_code": 0 - }, - "OUTPUT": "", - "SIMULATION_STEPS": [ - { - "level": "INFO", - "message": "File opened", - "params": { - "mode": "wb", - "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin" - }, - "time": "2020-04-02T09:47:01.500000" - }, - { - "level": "INFO", - "message": "File written", - "params": { - "path": "c:\\windows\\temp\\sb-sim-temp-jvu_fk\\sb_107985_bs_9vrn0e\\bdata.bin" - }, - "time": "2020-04-02T09:47:01.500000" - } - ] - } - }, - "Time": "2020-04-02T09:47:12.506Z" - } - } -} -``` - -##### Human Readable Output -### SafeBreach Simulation -|Id|Name|Status|Result|Detected Action|Attacker|Target| -|---|---|---|---|---|---|---| -| d937cd0e5fd4e2c9266801b7bd17e097 | (#3055) Write wannacry malware to disk | Prevented | Fail | Prevent | Win10 - Cylance (172.31.42.76,172.31.42.76) | Win10 - Cylance (172.31.42.76,172.31.42.76) | - - - - -### safebreach-rerun-simulation -*** -Reruns a specific SafeBreach simulation in your environment. - - -#### Base Command - -`safebreach-rerun-simulation` -#### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| simulationId | The ID of the simulation to rerun. 
| Required | - - -#### Context Output - -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| SafeBreach.Simulation.Id | Number | Simulation unique ID. | -| SafeBreach.Simulation.Rerun.Name | String | Simulation rerun test name. | -| SafeBreach.Simulation.Rerun.Id | String | ID of the rerun test. | -| SafeBreach.Simulation.Rerun.ScheduledTime | Datetime | Time when the rerun was triggered. | -| SafeBreach.Test.Id | String | ID of the test. | -| SafeBreach.Test.Name | String | Name of the test. | -| SafeBreach.Test.AttacksCount | Number | The number of the attacks executed in the insight rerun test. | -| SafeBreach.Test.Status | String | Test run status. For insight rerun \- “PENDING” | -| SafeBreach.Test.ScheduledTime | Datetime | Time when the test was triggered. | - - -##### Command Example -```!safebreach-rerun-simulation simulationId=d937cd0e5fd4e2c9266801b7bd17e097``` - -##### Context Example -``` -{ - "SafeBreach": { - "Simulation": { - "Id": "d937cd0e5fd4e2c9266801b7bd17e097", - "Rerun": { - "Id": "1586684466634.76", - "Name": "Rerun (Demisto) - #(3055) Write wannacry malware to disk", - "ScheduledTime": "2020-04-12T09:41:06.643609" - } - }, - "Test": { - "AttacksCount": 1, - "Id": "1586684466634.76", - "Name": "Rerun (Demisto) - #(3055) Write wannacry malware to disk", - "Status": "PENDING" - } - } -} -``` - -##### Human Readable Output -### SafeBreach Rerun Simualtion -|Simulation Id|Test Id|Name| -|---|---|---| -| d937cd0e5fd4e2c9266801b7bd17e097 | 1586684466634.76 | Rerun (Demisto) - #(3055) Write wannacry malware to disk | - - -### safebreach-get-indicators -*** -Fetches SafeBreach Insights from which indicators are extracted, creating new indicators or updating existing indicators. - - -##### Base Command - -`safebreach-get-indicators` -##### Input - -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| limit | The maximum number of indicators to generate. The default is 1000. 
| Optional | -| insightCategory | Multi-select option for the category of the insights to get remediation data for:
Network Access, Network Inspection, Endpoint, Email, Web, Data Leak | Optional | -| insightDataType | Multi-select option for the remediation data type to get:
Hash, Domain, URI, Command, Port, Protocol, Registry | Optional | - - -##### Context Output - -There is no context output for this command. - -##### Command Example -```!safebreach-get-indicators limit=10``` - -##### Context Example -``` -None -``` - -##### Human Readable Output -### Indicators: -|Fields|Rawjson|Score|Type|Value| -|---|---|---|---|---| -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f
tags: SafeBreachInsightId: 7 | value: 0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 0a2076b9d288411486a0c6367bccf75ea0fd6ba9aaaa9ff046ff3959f60ff35f | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 0dcbb073b62f9ec1783d98d826bbfd1f938feb59e8e70180c00ecdfd903c0fe1
tags: SafeBreachInsightId: 7 | value: 0dcbb073b62f9ec1783d98d826bbfd1f938feb59e8e70180c00ecdfd903c0fe1
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 0dcbb073b62f9ec1783d98d826bbfd1f938feb59e8e70180c00ecdfd903c0fe1 | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: f456baa4593272686b9e07c8d902868991423dddeb5587734985d676c06dc730
tags: SafeBreachInsightId: 7 | value: f456baa4593272686b9e07c8d902868991423dddeb5587734985d676c06dc730
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | f456baa4593272686b9e07c8d902868991423dddeb5587734985d676c06dc730 | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: e3c6ce5a57623cb0ea51f70322c312ccf23b9e4a7342680fd18f0cce556aaa0f
tags: SafeBreachInsightId: 7 | value: e3c6ce5a57623cb0ea51f70322c312ccf23b9e4a7342680fd18f0cce556aaa0f
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | e3c6ce5a57623cb0ea51f70322c312ccf23b9e4a7342680fd18f0cce556aaa0f | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 327c968b4c381d7c8f051c78720610cbb115515a370924c0d414c403524d7a03
tags: SafeBreachInsightId: 7 | value: 327c968b4c381d7c8f051c78720610cbb115515a370924c0d414c403524d7a03
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 327c968b4c381d7c8f051c78720610cbb115515a370924c0d414c403524d7a03 | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 566ef062b86cc505fac48c50a80c65ae5f8bd19cdf6dc2a9d935045d08a37e60
tags: SafeBreachInsightId: 7 | value: 566ef062b86cc505fac48c50a80c65ae5f8bd19cdf6dc2a9d935045d08a37e60
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 566ef062b86cc505fac48c50a80c65ae5f8bd19cdf6dc2a9d935045d08a37e60 | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 620f756be7815e24dfb2724839dc616fe46b545fa13fd3a7e063db661e21d596
tags: SafeBreachInsightId: 7 | value: 620f756be7815e24dfb2724839dc616fe46b545fa13fd3a7e063db661e21d596
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 620f756be7815e24dfb2724839dc616fe46b545fa13fd3a7e063db661e21d596 | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 500f7f7b858b4bb4e4172361327ee8c340bc95442ebf713d60f892347e02af2f
tags: SafeBreachInsightId: 7 | value: 500f7f7b858b4bb4e4172361327ee8c340bc95442ebf713d60f892347e02af2f
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 500f7f7b858b4bb4e4172361327ee8c340bc95442ebf713d60f892347e02af2f | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 5fd54218d1c68562e0a98985f79cb03526aa97e95be020a2b8ceaa9c083f9c19
tags: SafeBreachInsightId: 7 | value: 5fd54218d1c68562e0a98985f79cb03526aa97e95be020a2b8ceaa9c083f9c19
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 5fd54218d1c68562e0a98985f79cb03526aa97e95be020a2b8ceaa9c083f9c19 | -| description: SafeBreach Insight - Prevent malware network transfer
sha256: 1711fbb363aebfe66f2d8dcbf8cddca8d2fd9fa9a6952da5873b7825e57f542d
tags: SafeBreachInsightId: 7 | value: 1711fbb363aebfe66f2d8dcbf8cddca8d2fd9fa9a6952da5873b7825e57f542d
dataType: SHA256
insightId: 7
insightTime: 2020-04-07T15:54:01.256Z | 3 | File | 1711fbb363aebfe66f2d8dcbf8cddca8d2fd9fa9a6952da5873b7825e57f542d |
-
-
diff --git a/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2.yml b/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2.yml
index 5d1bae63a12b..230356c7af18 100644
--- a/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2.yml
+++ b/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2.yml
@@ -142,9 +142,8 @@ configuration:
 display: Tags
 name: feedTags
 type: 0
- required: false
-description: SafeBreach automatically executes thousands of breach methods from its extensive and growing Hacker’s Playbook™ to validate security control effectiveness. Simulations are automatically correlated with network, endpoint, and SIEM solutions providing data-driven SafeBreach Insights for holistic remediation to harden enterprise defenses.
-display: SafeBreach v2
+description: Deprecated. No available replacement.
+display: SafeBreach v2 (Deprecated)
 name: SafeBreach v2
 script:
 commands:
@@ -212,6 +211,7 @@ script:
 - contextPath: SafeBreach.Insight.AttackIds
 description: SafeBreach Attack Ids
 type: Unknown
+ deprecated: true
 - arguments:
 - description: The ID of the insight for which to fetch remediation data.
 name: insightId
@@ -285,6 +285,7 @@ script:
 - contextPath: SafeBreach.Insight.RemediationData.Splunk
 description: Remediation data in a form of a Splunk query
 type: String
+ deprecated: true
 - arguments:
 - description: Array of insight IDs to rerun.
 isArray: true
@@ -319,6 +320,7 @@ script:
 - contextPath: SafeBreach.Test.ScheduledTime
 description: Time when the test was triggered.
 type: Date
+ deprecated: true
 - arguments:
 - defaultValue: '1000'
 description: The maximum number of indicators to generate. The default is 1000.
@@ -338,6 +340,7 @@ script:
 - ''
 description: Fetches SafeBreach Insights from which indicators are extracted, creating new indicators or updating existing indicators.
 name: safebreach-get-indicators
+ deprecated: true
 - arguments:
 - description: The ID of the test to track.
 isArray: true
@@ -364,6 +367,7 @@ script:
 - contextPath: SafeBreach.Test.TotalSimulationNumber
 description: Number of simulations for the test.
 type: Number
+ deprecated: true
 - arguments:
 - description: The ID of the simulation. By default, taken from the incident.
 name: simulationId
@@ -479,6 +483,7 @@ script:
 - contextPath: SafeBreach.Simulation.Parameters
 description: Parameters of the simulation.
 type: JSON
+ deprecated: true
 - arguments:
 - description: The ID of the simulation to rerun.
 name: simulationId
@@ -513,6 +518,7 @@ script:
 - contextPath: SafeBreach.Test.ScheduledTime
 description: Time when the test was triggered.
 type: Datetime
+ deprecated: true
 dockerimage: demisto/python3:3.10.12.63474
 feed: true
 runonce: false
@@ -520,5 +526,6 @@ script:
 subtype: python3
 type: python
 tests:
-- No tests
+- No tests (deprecated)
 fromversion: 5.5.0
+deprecated: true
diff --git a/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2_description.md b/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2_description.md
index 18ea5bdcda89..caf206f4666d 100644
--- a/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2_description.md
+++ b/Packs/SafeBreach/Integrations/SafeBreach_v2/SafeBreach_v2_description.md
@@ -1,7 +1,9 @@
 ## SafeBreach Simulations & Insights
+
 This integration leverages SafeBreach simulation results and insights to remediate malicious indicators that expose your environment to real risks. To configure the integration on SafeBreach:
+
 1. Open the **Navigation bar** → … → **CLI Console**.
 2. Type **config accounts** to get the account id.
 3. Use the id as the **accountId** parameter when configuring the SafeBreach integration in Cortex XSOAR.
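Review bot: The last hunk of SafeBreach_v2.yml sets the integration-level `deprecated: true` and the earlier hunk gives it the `(Deprecated)` display name, but `SafeBreach_v2_description.md`, touched in this same commit, only gains two blank lines and still walks the user through generating an API key and configuring an instance with no mention of the deprecation. That description is what the instance-settings dialog shows, so it is the one place an operator about to create a new instance will actually read; the README that carried the old command reference is being removed elsewhere in this commit. Consider opening the description file with a line such as `**Deprecated.** No available replacement.` so the UI text matches the `description` field in the yml. The per-command `deprecated: true` keys themselves look consistent across all seven command hunks.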
@@ -9,4 +11,4 @@ This integration leverages SafeBreach simulation results and insights to remedia OR \ Add a new one by typing: **config apikeys add --name ** 5. Use the generated API token as **apiKey** parameter when configuring the SafeBreach integration in Cortex XSOAR. - 6. Use your SafeBreach Management URL as the **url** parameter when configuring the SafeBreach integration in Cortex XSOAR. + 6. Use your SafeBreach Management URL as the **url** parameter when configuring the SafeBreach integration in Cortex XSOAR. \ No newline at end of file diff --git a/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Insight-v2.json b/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Insight-v2.json index 506ae0112be0..dbe25109bbf0 100644 --- a/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Insight-v2.json +++ b/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Insight-v2.json @@ -563,5 +563,6 @@ "typeId": "SafeBreach Insight", "version": -1 }, - "toVersion": "5.9.9" + "toVersion": "5.9.9", + "description": "" } \ No newline at end of file diff --git a/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Simulation-v2.json b/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Simulation-v2.json index 24b68009948e..47f6f3e38fab 100644 --- a/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Simulation-v2.json +++ b/Packs/SafeBreach/Layouts/layout-details-SafeBreach_Simulation-v2.json @@ -325,5 +325,6 @@ "typeId": "SafeBreach Simulation", "version": -1 }, - "toVersion": "5.9.9" + "toVersion": "5.9.9", + "description": "" } \ No newline at end of file diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Command-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Command-v2.json index 31ed0cb704b8..285eda6910ec 100644 --- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Command-v2.json +++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Command-v2.json 
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Command",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Domain-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Domain-v2.json
index f65be2b2ab02..7716f361baa5 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Domain-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Domain-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Domain",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Hash-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Hash-v2.json
index 297e6afae425..8ac8bf51ac7f 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Hash-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Hash-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Hash",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_IP-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_IP-v2.json
index 68a2771f6720..0f167913abc0 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_IP-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_IP-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach IP",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Port-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Port-v2.json
index 3952611ed557..716ad55dc292 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Port-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Port-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Port",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Process-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Process-v2.json
index 27495370c03d..e37100b15d92 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Process-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Process-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Process",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Protocol-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Protocol-v2.json
index cdfe39bdbbd7..14d53003accf 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Protocol-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Protocol-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Protocol",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Registry-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Registry-v2.json
index 671c85a75263..c5769f902959 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Registry-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_Registry-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach Registry",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_URL-v2.json b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_URL-v2.json
index c4c6028ecdd8..8fbc6777c128 100644
--- a/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_URL-v2.json
+++ b/Packs/SafeBreach/Layouts/layout-indicatorsDetails-SafeBreach_URL-v2.json
@@ -293,5 +293,6 @@
 "typeId": "SafeBreach URL",
 "version": -1
 },
- "toVersion": "5.9.9"
+ "toVersion": "5.9.9",
+ "description": ""
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Insight.json b/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Insight.json
index a611a752818f..024f433a6e93 100644
--- a/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Insight.json
+++ b/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Insight.json
@@ -557,5 +557,7 @@
 }
 ]
 },
- "marketplaces": ["xsoar"]
+ "marketplaces": [
+ "xsoar"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Simulation.json b/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Simulation.json
index f6e585539606..894bc2ea1a6f 100644
--- a/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Simulation.json
+++ b/Packs/SafeBreach/Layouts/layoutscontainer-SafeBreach_Simulation.json
@@ -319,5 +319,7 @@
 }
 ]
 },
- "marketplaces": ["xsoar"]
+ "marketplaces": [
+ "xsoar"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators.yml b/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators.yml
index b37302b0f5e2..bbebf01bace1 100644
--- a/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators.yml
+++ b/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators.yml
@@ -1,12 +1,7 @@ id: SafeBreach - Compare and Validate Insight Indicators version: -1 name: SafeBreach - Compare and Validate Insight Indicators -description: This playbook compares SafeBreach Insight indicators before and after - the processing. It receives an insight and it's indicators before validation, fetches - updated indicators after rerunning the insight, and then compares the results to - validate mitigation. Indicators are classified as Remediated or Not Remediated based - on their validated status and the appropriate field (SafeBreach Remediation Status) - is updated. +description: Deprecated. No available replacement. starttaskid: "0" tasks: "0": @@ -69,8 +64,7 @@ tasks: id: 4c83f511-be99-4817-85c4-26e71e9992d9 version: -1 name: Set indicators after validation - description: Sets "IndicatorsAfterValidation" with indicator values from insight - context "SafeBreach.Insight.RawRemediationData". + description: Sets "IndicatorsAfterValidation" with indicator values from insight context "SafeBreach.Insight.RawRemediationData". scriptName: SetAndHandleEmpty type: regular iscommand: false @@ -245,8 +239,7 @@ tasks: id: 0300ef33-eb9f-418e-8cd0-72ada99f74f4 version: -1 name: Set indicators remediation status as Remediated - description: Update status of XSOAR indicators with SafeBreach Remediation Status - "Remediated". + description: Update status of XSOAR indicators with SafeBreach Remediation Status "Remediated". script: Builtin|||setIndicator type: regular iscommand: true 
@@ -255,128 +248,8 @@ tasks: '#none#': - "4" scriptarguments: - accounttype: {} - actor: {} - admincountry: {} - adminemail: {} - adminname: {} - adminphone: {} - asn: {} - associatedfilenames: {} - associations: {} - biosversion: {} - creationdate: {} - customFields: {} - cvedescription: {} - cvemodified: {} - cvss: {} - description: {} - detectionengines: {} - devicemodel: {} - dhcpserver: {} - displayname: {} - dns: {} - domainname: {} - domainstatus: {} - emailaddress: {} - employeehealthstatus: {} - employeeresponsestatus: {} - entryid: {} - expirationdate: {} - fileextension: {} - filetype: {} - firstname: {} - firstseenbysource: {} - geocountry: {} - geolocation: {} - groups: {} - hostname: {} - id: {} - imphash: {} - indicatoridentification: {} - internal: {} - ipaddress: {} - jobtitle: {} - lastname: {} - lastseenbysource: {} - macaddress: {} - malwarefamily: {} - md5: {} - memory: {} - mitrealiases: {} - mitrecontributors: {} - mitredatasources: {} - mitredefensebypassed: {} - mitredescription: {} - mitredetection: {} - mitreextendedaliases: {} - mitreexternalreferences: {} - mitreid: {} - mitreimpacttype: {} - mitrekillchainphases: {} - mitrelabels: {} - mitrename: {} - mitrepermissionsrequired: {} - mitreplatforms: {} - mitresystemrequirements: {} - mitretype: {} - mitreversion: {} - name: {} - namefield: {} - nameservers: {} - office365category: {} - office365expressroute: {} - office365required: {} - operatingsystem: {} - operatingsystemversion: {} - organization: {} - organizationalunitou: {} - osversion: {} - path: {} - port: {} - positivedetections: {} - processor: {} - processors: {} - published: {} - quarantined: {} - recordedfutureevidencedetails: {} - region: {} - registrantcountry: {} - registrantemail: {} - registrantname: {} - registrantphone: {} - registrarabuseemail: {} - registrarabusephone: {} - registrarname: {} - reportedby: {} - reputation: {} - safebreachattackids: {} - safebreachinsightids: {} - safebreachisbehavioral: {} 
safebreachremediationstatus: simple: Remediated - safebreachseverity: {} - safebreachseverityscore: {} - service: {} - sha1: {} - sha256: {} - sha512: {} - signatureauthentihash: {} - signaturecopyright: {} - signaturedescription: {} - signaturefileversion: {} - signatureinternalname: {} - signed: {} - size: {} - sourceoriginalseverity: {} - ssdeep: {} - subdomains: {} - tags: {} - threattypes: {} - trafficlightprotocol: {} - type: {} - updateddate: {} - username: {} value: complex: root: RemediatedIndicators @@ -402,8 +275,7 @@ tasks: id: 06a22d2a-16a4-4622-87e4-76fd9e1a5aad version: -1 name: Set indicators remediation status as Not Remediated - description: Update status of XSOAR indicators with SafeBreach Remediation Status - "Not Remediated". + description: Update status of XSOAR indicators with SafeBreach Remediation Status "Not Remediated". script: Builtin|||setIndicator type: regular iscommand: true 
@@ -412,128 +284,8 @@ tasks: '#none#': - "4" scriptarguments: - accounttype: {} - actor: {} - admincountry: {} - adminemail: {} - adminname: {} - adminphone: {} - asn: {} - associatedfilenames: {} - associations: {} - biosversion: {} - creationdate: {} - customFields: {} - cvedescription: {} - cvemodified: {} - cvss: {} - description: {} - detectionengines: {} - devicemodel: {} - dhcpserver: {} - displayname: {} - dns: {} - domainname: {} - domainstatus: {} - emailaddress: {} - employeehealthstatus: {} - employeeresponsestatus: {} - entryid: {} - expirationdate: {} - fileextension: {} - filetype: {} - firstname: {} - firstseenbysource: {} - geocountry: {} - geolocation: {} - groups: {} - hostname: {} - id: {} - imphash: {} - indicatoridentification: {} - internal: {} - ipaddress: {} - jobtitle: {} - lastname: {} - lastseenbysource: {} - macaddress: {} - malwarefamily: {} - md5: {} - memory: {} - mitrealiases: {} - mitrecontributors: {} - mitredatasources: {} - mitredefensebypassed: {} - mitredescription: {} - mitredetection: {} - mitreextendedaliases: {} - mitreexternalreferences: {} - mitreid: {} - mitreimpacttype: {} - mitrekillchainphases: {} - mitrelabels: {} - mitrename: {} - mitrepermissionsrequired: {} - mitreplatforms: {} - mitresystemrequirements: {} - mitretype: {} - mitreversion: {} - name: {} - namefield: {} - nameservers: {} - office365category: {} - office365expressroute: {} - office365required: {} - operatingsystem: {} - operatingsystemversion: {} - organization: {} - organizationalunitou: {} - osversion: {} - path: {} - port: {} - positivedetections: {} - processor: {} - processors: {} - published: {} - quarantined: {} - recordedfutureevidencedetails: {} - region: {} - registrantcountry: {} - registrantemail: {} - registrantname: {} - registrantphone: {} - registrarabuseemail: {} - registrarabusephone: {} - registrarname: {} - reportedby: {} - reputation: {} - safebreachattackids: {} - safebreachinsightids: {} - safebreachisbehavioral: {} 
safebreachremediationstatus: simple: Not Remediated - safebreachseverity: {} - safebreachseverityscore: {} - service: {} - sha1: {} - sha256: {} - sha512: {} - signatureauthentihash: {} - signaturecopyright: {} - signaturedescription: {} - signaturefileversion: {} - signatureinternalname: {} - signed: {} - size: {} - sourceoriginalseverity: {} - ssdeep: {} - subdomains: {} - tags: {} - threattypes: {} - trafficlightprotocol: {} - type: {} - updateddate: {} - username: {} value: complex: root: NotRemediatedIndicators @@ -593,8 +345,7 @@ tasks: id: 71672b76-abf9-4c4b-8982-c315fff6a2fa version: -1 name: 'Map input insight to context ' - description: Maps the SafeBreach Insight received as an input to "SafeBreach.Insight" - context. + description: Maps the SafeBreach Insight received as an input to "SafeBreach.Insight" context. scriptName: ChangeContext type: regular iscommand: false @@ -793,4 +544,5 @@ outputs: quiet: true fromversion: 5.5.0 tests: -- No tests (auto formatted) +- No tests (deprecated) +deprecated: true diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators_README.md b/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators_README.md index 71e5663bb2bf..9b00b32dc744 100644 --- a/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators_README.md +++ b/Packs/SafeBreach/Playbooks/SafeBreach_Compare_and_Validate_Insight_Indicators_README.md 
@@ -1,24 +1,30 @@ -This playbook compares SafeBreach Insight indicators before and after the processing. It receives an insight and it's indicators before validation, fetches updated indicators after rerunning the insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated. +Deprecated. No available replacement. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * SafeBreach_v2 ### Scripts -* ChangeContext -* SetAndHandleEmpty + * Set +* SetAndHandleEmpty +* ChangeContext ### Commands -* setIndicator + * safebreach-get-remediation-data +* setIndicator ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -27,13 +33,10 @@ This playbook does not use any sub-playbooks. | Insight | SafeBreach insight object to verify the remediation for. | | Required | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | | --- | --- | --- | | RemediatedIndicators | List of indicators that were remediated | Array | | NotRemediatedIndicators | List of indicators that were not remediated | Array | - -## Playbook Image ---- -![SafeBreach - Compare and Validate Insight Indicators](https://github.com/demisto/content/raw/6af01e00312a5558e9e2fecdb22534e98414bc9c/Packs/SafeBreach/doc_imgs/SafeBreach_Compare_and_Validate_Insight_Indicators.png) \ No newline at end of file diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators.yml b/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators.yml index 2c5d4f1cb58a..b61c78b98985 100644 --- a/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators.yml 
+++ b/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators.yml @@ -1,10 +1,7 @@ id: SafeBreach - Create Incidents per Insight and Associate Indicators version: -1 name: SafeBreach - Create Incidents per Insight and Associate Indicators -description: This is a sub-playbook that creates incidents per SafeBreach insight, - enriched with all the related indicators and additional SafeBreach insight contextual - information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral - Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed". +description: Deprecated. No available replacement. starttaskid: "0" tasks: "0": @@ -67,8 +64,7 @@ tasks: id: ae6fc506-2860-4842-81fb-2d66ba22100e version: -1 name: Create SafeBreach Insight incidents - description: Create a new incident of type SafeBreach Insight for each insight - related to the indicators. + description: Create a new incident of type SafeBreach Insight for each insight related to the indicators. script: Builtin|||createNewIncident type: regular iscommand: true 
@@ -77,228 +73,10 @@ tasks: '#none#': - "25" scriptarguments: - accountgroups: {} - accountid: {} - accountinformationbreached: {} - accountname: {} - activedirectoryaccountstatus: {} - activedirectorydisplayname: {} - activedirectorypasswordstatus: {} - affecteddata: {} - affecteddatatype: {} - affectedindividualscontactinformation: {} - agentid: {} - app: {} - approximatenumberofaffecteddatasubjects: {} - assetid: {} - associatedmaliciousdomains: {} - attachmentcount: {} - attachmentextension: {} - attachmenthash: {} - attachmentid: {} - attachmentname: {} - attachmentsize: {} - attachmenttype: {} - attackerhostisolated: {} - attackeripblocked: {} - axoniuslink: {} - ballmergrid: {} - blockedaction: {} - bugtraq: {} - city: {} - clarotyalertresolved: {} - clarotyalerttype: {} - clarotycategory: {} - clarotydepartment: {} - clarotynetworkid: {} - clarotyrelatedassets: {} - clarotyresourceid: {} - clarotysiteid: {} - clienthello: {} - cloudtype: {} - code42alerttype: {} - code42fileevents: {} - commandline: {} - companyaddress: {} - companycity: {} - companycountry: {} - companyhasinsuranceforthebreach: {} - companyname: {} - companypostalcode: {} - companypropertystatus: {} - contactaddress: {} - contactemailaddress: {} - contactname: {} - contacttelephonenumber: {} - coordinates: {} - cortexreceivetime: {} - country: {} - countrywherebusinesshasitsmainestablishment: {} - countrywherethebreachtookplace: {} - criticalassets: {} - customFields: {} - cve: {} - cvss: {} - cymulateimmediatethreatsattackid: {} - cymulateimmediatethreatsfiletype: {} - cymulateimmediatethreatsid: {} - cymulateimmediatethreatsmitigations: {} - cymulateimmediatethreatsmodule: {} - cymulateimmediatethreatspayloadname: {} - cymulateimmediatethreatsstatus: {} - cymulateimmediatethreatsvector: {} - dataencryptionstatus: {} - datetimeofthebreach: {} - dbotprediction: {} - dbotpredictionprobability: {} - dbottextsuggestionhighlighted: {} - dest: {} - desthostname: {} - destinationip: {} - 
destinationport: {} - destinationports: {} - destntdomain: {} - destos: {} details: complex: root: JoinedIndicators accessor: value - detectionendtime: {} - detectionid: {} - detectionticketed: {} - detectionupdatetime: {} - detectionurl: {} - devicegsuiteaccountstatus: {} - devicehostname: {} - devicename: {} - digitalguardianactivity: {} - digitalguardianalarmname: {} - digitalguardianarcuid: {} - digitalguardianattachmentfilename: {} - digitalguardianclassification: {} - digitalguardiancommandline: {} - digitalguardiancomputername: {} - digitalguardiandestinationaddress: {} - digitalguardiandestinationdnsdomain: {} - digitalguardianemailrecipient: {} - digitalguardianemailsender: {} - digitalguardianemailsubject: {} - digitalguardianfilename: {} - digitalguardianparentprocessname: {} - digitalguardianpolicy: {} - digitalguardianprocessname: {} - digitalguardianremoteport: {} - digitalguardiansensitivity: {} - digitalguardiansourceaddress: {} - digitalguardiansourceip: {} - digitalguardianthreattype: {} - digitalguardianusername: {} - domain: {} - dpoemailaddress: {} - duoaccountstatus: {} - duration: {} - emailaddress: {} - emailauthenticitycheck: {} - emailautoreply: {} - emailbcc: {} - emailbody: {} - emailbodyformat: {} - emailbodyhtml: {} - emailcc: {} - emailclassification: {} - emailclientname: {} - emailfrom: {} - emailheaders: {} - emailhtml: {} - emailinreplyto: {} - emailkeywords: {} - emailmessageid: {} - emailreceived: {} - emailreplyto: {} - emailreturnpath: {} - emailsenderip: {} - emailsize: {} - emailsource: {} - emailsubject: {} - emailto: {} - emailtocount: {} - emailurlclicked: {} - employeedisplayname: {} - employeeemail: {} - employeemanageremail: {} - entryIDs: {} - exactlywhathappenedandatwhattimes: {} - exfiltratedfiles: {} - expanseexposuretype: {} - expanserawjsonevent: {} - expanseseverity: {} - extrahopapplianceid: {} - extrahophostname: {} - filehash: {} - filehashblocked: {} - filename: {} - filepath: {} - filesize: {} - 
financialinformationbreached: {} - firstseen: {} - globaldirectoryvisibility: {} - googleaccountstatus: {} - googleadminrolesstatus: {} - googledisplayname: {} - googledrivestatus: {} - googlemailstatus: {} - googlepasswordstatus: {} - healthinsurancebreached: {} - helloworldalertid: {} - helloworldalertstatus: {} - helloworldalerttype: {} - helloworldid: {} - helloworldstatus: {} - helloworldtype: {} - hostname: {} - howcouldinformationsharingwithotherorganizationshavebeenimproved: {} - howwastheincidentcontainedanderadicated: {} - howwelldidstaffandmanagementperformindealingwiththeincidentwerethedocumentedproceduresfollowedweretheyadequate: {} - illusionblackattackerid: {} - illusionblackattacktype: {} - illusionblackdecoyid: {} - illusionblackevents: {} - illusionblackthreatparse: {} - illusivenetworkshasforensics: {} - illusivenetworkshostname: {} - illusivenetworksid: {} - illusivenetworkslastseenuser: {} - illusivenetworkssourceoperatingsystem: {} - illusivenetworksstepstocrownjewel: {} - illusivenetworksstepstodomainadmin: {} - indenideviceid: {} - indeniissueid: {} - infectedhostnames: {} - infectedhosts: {} - investigationstage: {} - isolated: {} - isthedatasubjecttodpia: {} - ja3: {} - ja3s: {} - labels: {} - lastmodifiedby: {} - lastmodifiedon: {} - lastseen: {} - likelyimpact: {} - loginattemptcount: {} - logzioalerteventid: {} - logzioalertid: {} - logzioalertsummary: {} - logziotags: {} - macaddress: {} - mailboxdelegation: {} - maliciousbehavior: {} - maliciouscauseifthecauseisamaliciousattack: {} - maliciousdomainsblocked: {} - malwarefamily: {} - manageremail: {} - measurestomitigate: {} - medicalinformationbreached: {} name: complex: root: JoinedIndicators 
@@ -310,130 +88,6 @@ tasks: value: simple: 'SafeBreach Insight - ' suffix: {} - ngfwaction: {} - ngfwcategoryofapp: {} - ngfwcategoryofthreatid: {} - ngfwdestinationport: {} - ngfwdestinationzone: {} - ngfwdomain: {} - ngfwhostname: {} - ngfwhttpmethod: {} - ngfwinboundinterface: {} - ngfwnameofthreatid: {} - ngfwoutboundinterface: {} - ngfwpcap: {} - ngfwprotocol: {} - ngfwriskofapp: {} - ngfwrule: {} - ngfwsessionid: {} - ngfwsourceport: {} - ngfwsourcezone: {} - ngfwsrcuser: {} - ngfwsubcategoryofapp: {} - ngfwsubtype: {} - ngfwtechnologyofapp: {} - ngfwthreatid: {} - ngfwtrafficdirection: {} - ngfwvsys: {} - niststage: {} - numberofports: {} - numberofuniqueports: {} - o365endpoints: {} - o365instance: {} - o365servicesareas: {} - occurred: {} - offboardingdate: {} - offboardingstage: {} - oktaaccountstatus: {} - otherpiidatabreached: {} - owner: {} - parentprocessid: {} - participants: {} - passwordexpirationstatus: {} - penteraoperationdetails: {} - penteraoperationtype: {} - phase: {} - phishingsubtype: {} - pid: {} - piidatatype: {} - policydeleted: {} - policydescription: {} - policydetails: {} - policyid: {} - policyrecommendation: {} - policyremediable: {} - policyseverity: {} - policytype: {} - portsblocked: {} - possiblecauseofthebreach: {} - postalcode: {} - previouscoordinates: {} - previouscountry: {} - previoussignindatetime: {} - previoussourceip: {} - prismacloudcomputeactivitytype: {} - prismacloudcomputeappid: {} - prismacloudcomputecategory: {} - prismacloudcomputecollections: {} - prismacloudcomputecommand: {} - prismacloudcomputecontainer: {} - prismacloudcomputecredentialid: {} - prismacloudcomputedistribution: {} - prismacloudcomputeerror: {} - prismacloudcomputeforensic: {} - prismacloudcomputefqdn: {} - prismacloudcomputefunction: {} - prismacloudcomputehost: {} - prismacloudcomputeimage: {} - prismacloudcomputeinteractive: {} - prismacloudcomputekubernetesresource: {} - prismacloudcomputelabels: {} - prismacloudcomputeline: {} - 
prismacloudcomputelogfile: {} - prismacloudcomputemarkdown: {} - prismacloudcomputemessage: {} - prismacloudcomputeproject: {} - prismacloudcomputeprotected: {} - prismacloudcomputeprovider: {} - prismacloudcomputerawalertjson: {} - prismacloudcomputeregion: {} - prismacloudcomputeregistry: {} - prismacloudcomputerule: {} - prismacloudcomputeruntime: {} - prismacloudcomputeservice: {} - prismacloudcomputeservicetype: {} - prismacloudcomputetotal: {} - prismacloudcomputetype: {} - prismacloudcomputeuser: {} - prismacloudid: {} - prismacloudreason: {} - prismacloudrules: {} - prismacloudstatus: {} - prismacloudtime: {} - quarantined: {} - rating: {} - rawparticipants: {} - redlockpolicy: {} - region: {} - regionid: {} - remediable: {} - reporteremailaddress: {} - residentnotificationoption: {} - residentsemailaddress: {} - resourceapiname: {} - resourcecloudtype: {} - resourceid: {} - resourcename: {} - resourcetype: {} - riskrating: {} - riskscore: {} - roles: {} - rrn: {} - safebreachaffectedtargets: {} - safebreachaffectedtargetscount: {} - safebreachattackcount: {} - safebreachattackids: {} - safebreachattacks: {} safebreachinsightcategory: complex: root: SafeBreach 
@@ -442,138 +96,14 @@ tasks: complex: root: JoinedIndicators accessor: Id - safebreachinsightname: {} - safebreachinsightriskimpact: {} - safebreachlatestsimulation: {} - safebreachremediationaction: {} - safebreachremediationdata: {} - safebreachremediationdatacount: {} safebreachremediationstatus: simple: New - safebreachresultslink: {} - safebreachseverity: {} - safebreachseverityscore: {} - safebreachsimulationid: {} - safebreachsimulationnumber: {} - safebreachthreatgroups: {} - samaccountname: {} - sansstage: {} - scansourcetype: {} - score: {} - sectorofaffectedparty: {} severity: complex: root: SafeBreach accessor: Insight.Severity - signature: {} - signindatetime: {} - sixgillalertid: {} - sixgillcontent: {} - sixgillthreatlevel: {} - sixgillthreattype: {} - sizenumberofemployees: {} - sizeturnover: {} - skuname: {} - skutier: {} - sla: {} - slaField: {} - sourcehostname: {} - sourceip: {} - sourceport: {} - sourceusername: {} - src: {} - srchostname: {} - srcntdomain: {} - srcos: {} - srcuser: {} - sslversion: {} - statewherethebreachtookplace: {} - subscriptionassignedby: {} - subscriptioncreatedby: {} - subscriptioncreatedon: {} - subscriptiondescription: {} - subscriptionid: {} - subscriptionname: {} - subscriptiontype: {} - subscriptionupdatedby: {} - subscriptionupdatedon: {} - subtype: {} - successfullogin: {} - suggestionsanddiscussionofhowtoimprovetheteam: {} - systemdefault: {} - systems: {} - targetfirewallversion: {} - telephoneno: {} - terminatedaction: {} - threatactor: {} - threatvaultlink: {} - trapsid: {} - travelmaplink: {} - triggeredsecurityprofile: {} type: simple: SafeBreach Insight - uniquebiometricdatabreached: {} - uniqueidentificationnumberbreached: {} - url: {} - urlsslverification: {} - user: {} - useraccountcontrol: {} - userdisabledstatus: {} - username: {} - vendorid: {} - vendorproduct: {} - vpcid: {} - vulnerabilitycategory: {} - wereanystepsoractionstakenthatmighthaveinhibitedtherecovery: {} - 
whatadditionaltoolsorresourcesareneededtodetectanalyzeandmitigatefutureincidents: {} - whataretheareasthatneedimprovement: {} - whatcorrectiveactionscanpreventsimilarincidentsinthefuture: {} - whatinformationwasneededsooner: {} - whatprecursorsorindicatorsshouldbewatchedforinthefuturetodetectsimilarincidents: {} - whatwasthescopeoftheincident: {} - whatwastheworkperformedduringrecovery: {} - whatweretheareaswherethecirtteamswereeffective: {} - whatwouldthestaffandmanagementdodifferentlythenexttimeasimilarincidentoccurs: {} - whenwastheproblemfirstdetectedandbywhom: {} - whereisdatahosted: {} - xdractivityfirstseen: {} - xdractivitylastseen: {} - xdralertcount: {} - xdralerts: {} - xdrassigneduseremail: {} - xdrassigneduserprettyname: {} - xdrcategory: {} - xdrdescription: {} - xdrdetectiontime: {} - xdrdevicehostname: {} - xdrdeviceip: {} - xdrexternaldestinations: {} - xdrfileartifacts: {} - xdrfirstdetected: {} - xdrhighseverityalertcount: {} - xdrhostcount: {} - xdrid: {} - xdrincidentid: {} - xdripranges: {} - xdrips: {} - xdrirquerybydestinations: {} - xdrlastdetected: {} - xdrlink: {} - xdrlowseverityalertcount: {} - xdrmac: {} - xdrmediumseverityalertcount: {} - xdrnetworkartifacts: {} - xdrnotes: {} - xdros: {} - xdrostype: {} - xdrresolvecomment: {} - xdrseverity: {} - xdrstatus: {} - xdrtype: {} - xdrurl: {} - xdrusercount: {} - xdruserdisplayname: {} - xdrusername: {} reputationcalc: 1 separatecontext: false view: |- @@ -714,8 +244,7 @@ tasks: id: 9ab9e486-a0d3-44e5-8344-06f0593b09e2 version: -1 name: Merge indicators and insights data - description: Sets "IndicatorsWithIncidents" with combined data from indicator - and insights. + description: Sets "IndicatorsWithIncidents" with combined data from indicator and insights. scriptName: Set type: regular iscommand: false 
@@ -766,8 +295,7 @@ tasks: id: 2d2ca0e1-ef0e-4157-8c63-f96bbb7cb6a2 version: -1 name: Associate indicators to incident - description: Associate an indicator to a given incident. All indicators joined - and assigned to the details field of incidents. + description: Associate an indicator to a given incident. All indicators joined and assigned to the details field of incidents. script: Builtin|||associateIndicatorToIncident type: regular iscommand: true @@ -915,4 +443,5 @@ outputs: quiet: true fromversion: 5.5.0 tests: -- No tests (auto formatted) +- No tests (deprecated) +deprecated: true diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators_README.md b/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators_README.md index f61aae8e6c99..fe698d7b5ef6 100644 --- a/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators_README.md +++ b/Packs/SafeBreach/Playbooks/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators_README.md @@ -1,24 +1,31 @@ -This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed". +Deprecated. No available replacement. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * SafeBreach_v2 ### Scripts + * Set +* Sleep * SearchIncidentsV2 ### Commands + * associateIndicatorToIncident -* safebreach-get-insights * createNewIncident +* safebreach-get-insights ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | 
@@ -28,12 +35,9 @@ This playbook does not use any sub-playbooks. | indicators | List of indicators that to be assigned to created incidents | | Required | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | | --- | --- | --- | | incident | Incidents created from SafeBreach Insights | Array | - -## Playbook Image ---- -![SafeBreach - Create Incidents per Insight and Associate Indicators](https://github.com/demisto/content/raw/6af01e00312a5558e9e2fecdb22534e98414bc9c/Packs/SafeBreach/doc_imgs/SafeBreach_Create_Incidents_per_Insight_and_Associate_Indicators.png) \ No newline at end of file diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed.yml b/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed.yml index 00abe6165c6b..f73f114f4894 100644 --- a/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed.yml +++ b/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed.yml @@ -2,8 +2,7 @@ id: SafeBreach - Process Non-Behavioral Insights Feed version: -1 name: SafeBreach - Process Non-Behavioral Insights Feed description: |- - This playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated. - A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator. + Deprecated. No available replacement. starttaskid: "0" tasks: "0": @@ -66,8 +65,7 @@ tasks: id: d31f4007-b0a9-4e82-8588-81716ea68957 version: -1 name: Extract list of insight ids from indicators - description: Sets "InsightIds" with all the insights related to the processes - indicators. + description: Sets "InsightIds" with all the insights related to the processes indicators. scriptName: Set type: regular iscommand: false 
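Review bot: The new `description: |-` block for SafeBreach - Process Non-Behavioral Insights Feed drops the removed sentence that a feed-based triggered job starts this playbook, and the `deprecated: true` flag added at the end of the file does not by itself stop a job that is already configured. Judging by the README hunk for this playbook, it still runs `Block Indicators - Generic v2`, so an existing job would keep auto-blocking indicators through a flow that is now unsupported; this is inferred from the removed text and the README rather than from visible task code. Consider making that explicit in the description, e.g. `Deprecated. No available replacement. Disable any feed-triggered job that starts this playbook.`, so operators know the remediation step needs a manual stop.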
@@ -278,12 +276,7 @@ tasks: id: b60ddac3-66ce-495c-8f23-dcbc1b07d932 version: -1 name: SafeBreach - Compare and Validate Insight Indicators - description: This playbook compares SafeBreach Insight indicators before and - after the processing. It receives an insight and it's indicators before validation, - fetches updated indicators after rerunning the insight, and then compares - the results to validate mitigation. Indicators are classified as Remediated - or Not Remediated based on their validated status and the appropriate field - (SafeBreach Remediation Status) is updated. + description: This playbook compares SafeBreach Insight indicators before and after the processing. It receives an insight and it's indicators before validation, fetches updated indicators after rerunning the insight, and then compares the results to validate mitigation. Indicators are classified as Remediated or Not Remediated based on their validated status and the appropriate field (SafeBreach Remediation Status) is updated. playbookName: SafeBreach - Compare and Validate Insight Indicators type: playbook iscommand: false @@ -326,10 +319,7 @@ tasks: id: 65b815fe-6c0c-4411-81bd-5da4a3d2d831 version: -1 name: SafeBreach - Rerun Insights - description: This is a sub-playbook reruns a list of SafeBreach insights based - on Insight Id and waits until they complete. Used in main SafeBreach playbooks, - such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral - Insights Feed". + description: This is a sub-playbook reruns a list of SafeBreach insights based on Insight Id and waits until they complete. Used in main SafeBreach playbooks, such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral Insights Feed". playbookName: SafeBreach - Rerun Insights type: playbook iscommand: false 
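Review bot: The task description for the `SafeBreach - Compare and Validate Insight Indicators` sub-playbook is reflowed onto one line but still carries the full pre-deprecation text, while that sub-playbook's own `description` becomes `Deprecated. No available replacement.` elsewhere in this commit; the same applies to the `SafeBreach - Rerun Insights` task in the next hunk and the `SafeBreach - Create Incidents per Insight and Associate Indicators` task in the hunk `@@ -521,11 +511,7 @@`. As far as I can tell the task's copy of the description is what the playbook editor shows, so the parent now presents deprecated sub-playbooks as if they were active. If the copies are meant to mirror the sub-playbooks, change each to `description: Deprecated. No available replacement.`; if they are intentionally kept as a record of what the flow did, a sentence in the commit message saying so would make that choice explicit.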
@@ -521,11 +511,7 @@ tasks: id: 805fe301-1f29-412e-8ec9-a25c1e2ef316 version: -1 name: SafeBreach - Create Incidents per Insight and Associate Indicators - description: This is a sub-playbook that creates incidents per SafeBreach insight, - enriched with all the related indicators and additional SafeBreach insight - contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral - Insights Feed". + description: This is a sub-playbook that creates incidents per SafeBreach insight, enriched with all the related indicators and additional SafeBreach insight contextual information. Used in main SafeBreach playbooks, such as "SafeBreach - Process Behavioral Insights Feed" and "SafeBreach - Process Non-Behavioral Insights Feed". playbookName: SafeBreach - Create Incidents per Insight and Associate Indicators type: playbook iscommand: false @@ -618,4 +604,5 @@ outputs: [] quiet: true fromversion: 5.5.0 tests: -- No tests (auto formatted) +- No tests (deprecated) +deprecated: true diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed_README.md b/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed_README.md index 64a96299a476..998c90f86f14 100644 --- a/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed_README.md +++ b/Packs/SafeBreach/Playbooks/SafeBreach_Process_Non-Behavioral_Insights_Feed_README.md 
@@ -1,27 +1,32 @@ -This playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. To validate the remediation, it reruns the related insights and classifies the indicators as Remediated or Not Remediated. -A special feed based triggered job is required to initiate this playbook for every new SafeBreach generated indicator. +Deprecated. No available replacement. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + * SafeBreach - Compare and Validate Insight Indicators * SafeBreach - Rerun Insights -* Block Indicators - Generic v2 * SafeBreach - Create Incidents per Insight and Associate Indicators +* Block Indicators - Generic v2 ### Integrations + * SafeBreach_v2 ### Scripts -* Sleep + * Set +* Sleep ### Commands -* safebreach-get-insights + * safebreach-get-remediation-data +* safebreach-get-insights ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -29,9 +34,6 @@ This playbook uses the following sub-playbooks, integrations, and scripts. | Indicator Query | Indicators matching the indicator query will be used as playbook input | sourceBrands:["SafeBreach*"] and -safebreachisbehavioral:T | Optional | ## Playbook Outputs ---- -There are no outputs for this playbook. -## Playbook Image --- -![SafeBreach - Process Non-Behavioral Insights Feed](https://github.com/demisto/content/raw/6af01e00312a5558e9e2fecdb22534e98414bc9c/Packs/SafeBreach/doc_imgs/SafeBreach_Process_Non-Behavioral_Insights_Feed.png) \ No newline at end of file +There are no outputs for this playbook. diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights.yml b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights.yml index 85e0b19b8262..967f94e8f3ef 100644 --- a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights.yml +++ b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights.yml 
@@ -1,10 +1,7 @@
 id: SafeBreach - Rerun Insights
 version: -1
 name: SafeBreach - Rerun Insights
-description: This is a sub-playbook reruns a list of SafeBreach insights based on
- Insight Id and waits until they complete. Used in main SafeBreach playbooks, such
- as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral
- Insights Feed".
+description: Deprecated. No available replacement.
 starttaskid: "0"
 tasks:
 "0":
@@ -157,9 +154,7 @@ tasks:
 id: cdefcbe4-b1f9-4b59-848a-e2805964e625
 version: -1
 name: SafeBreach - Rerun Single Insight
- description: This is a sub-playbook that reruns a single insight using a specified
- Insight Id as input. It is used to run insights one by one iteratively as
- part of the main rerun playbook - "SafeBreach Rerun Insights".
+ description: This is a sub-playbook that reruns a single insight using a specified Insight Id as input. It is used to run insights one by one iteratively as part of the main rerun playbook - "SafeBreach Rerun Insights".
 playbookName: SafeBreach - Rerun Single Insight
 type: playbook
 iscommand: false
@@ -198,8 +193,7 @@ tasks:
 id: 1a7c8892-f3b2-4151-80c5-0eca0ac57930
 version: -1
 name: Is there a test for polling?
- description: Checks "SafeBreach.Test.Id" for existence to decide whether to
- proceed to the polling task or not.
+ description: Checks "SafeBreach.Test.Id" for existence to decide whether to proceed to the polling task or not.
 type: condition
 iscommand: false
 brand: ""
@@ -356,4 +350,5 @@ outputs:
 quiet: true
 fromversion: 5.5.0
 tests:
-- No Test
+- No tests (deprecated)
+deprecated: true
diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights_README.md b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights_README.md
index fb596cbee817..47b5f4379fb2 100644
--- a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights_README.md
+++ b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Insights_README.md
@@ -1,23 +1,29 @@
-This is a sub-playbook reruns a list of SafeBreach insights based on Insight Id and waits until they complete. Used in main SafeBreach playbooks, such as "SafeBreach - Handle Insight Incident" and "SafeBreach - Process Non-Behavioral Insights Feed".
+Deprecated. No available replacement.
 ## Dependencies
+
 This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
-* GenericPolling
+
 * SafeBreach - Rerun Single Insight
+* GenericPolling
 ### Integrations
+
 This playbook does not use any integrations.
 ### Scripts
+
 * Sleep
 * Print
 ### Commands
+
 This playbook does not use any commands.
 ## Playbook Inputs
+
 ---
 | **Name** | **Description** | **Default Value** | **Required** |
@@ -25,6 +31,7 @@ This playbook does not use any commands.
 | InsightIds | SafeBreach Insight Ids to rerun | SafeBreach.Insight.Id | Required |
 ## Playbook Outputs
+
 ---
 | **Path** | **Description** | **Type** |
@@ -44,7 +51,3 @@ This playbook does not use any commands.
 | SafeBreach.Insight.ThreatGroups | Array of APT names that are mapped to the insight | Array |
 | SafeBreach.Insight.NetworkDirection | Communication direction of Insight, relative to the target \(inbound/outbound\) | String |
 | SafeBreach.Insight.AttacksCount | List of all insight related SafeBreach attack ids | Array |
-
-## Playbook Image
----
-![SafeBreach - Rerun Insights](https://github.com/demisto/content/raw/6af01e00312a5558e9e2fecdb22534e98414bc9c/Packs/SafeBreach/doc_imgs/SafeBreach_Rerun_Insights.png)
\ No newline at end of file
diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight.yml b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight.yml
index ec17409c29c0..6e742f201153 100644
--- a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight.yml
+++ b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight.yml
@@ -1,9 +1,7 @@
 id: SafeBreach - Rerun Single Insight
 version: -1
 name: SafeBreach - Rerun Single Insight
-description: This is a sub-playbook that reruns a single insight using a specified
- Insight Id as input. It is used to run insights one by one iteratively as part of
- the main rerun playbook - "SafeBreach Rerun Insights".
+description: Deprecated. No available replacement.
 starttaskid: "0"
 tasks:
 "0":
@@ -41,8 +39,7 @@ tasks:
 id: 7e533299-05f4-44a9-8554-3c1fdc539e78
 version: -1
 name: Rerun single insight
- description: Reruns a specific SafeBreach Insight related simulations in your
- environment.
+ description: Reruns a specific SafeBreach Insight related simulations in your environment.
 script: SafeBreach v2|||safebreach-rerun-insight
 type: regular
 iscommand: true
@@ -265,4 +262,5 @@ outputs:
 quiet: true
 fromversion: 5.5.0
 tests:
-- No tests (auto formatted)
+- No tests (deprecated)
+deprecated: true
diff --git a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight_README.md b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight_README.md
index 5a07c68d1a5c..bfed67ab0e72 100644
--- a/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight_README.md
+++ b/Packs/SafeBreach/Playbooks/SafeBreach_Rerun_Single_Insight_README.md
@@ -1,22 +1,28 @@
-This is a sub-playbook that reruns a single insight using a specified Insight Id as input. It is used to run insights one by one iteratively as part of the main rerun playbook - "SafeBreach Rerun Insights".
+Deprecated. No available replacement.
 ## Dependencies
+
 This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
+
 This playbook does not use any sub-playbooks.
 ### Integrations
+
 * SafeBreach v2
 ### Scripts
-* Print
+
 * Sleep
+* Print
 ### Commands
+
 * safebreach-rerun-insight
 ## Playbook Inputs
+
 ---
 | **Name** | **Description** | **Default Value** | **Required** |
@@ -24,6 +30,7 @@ This playbook does not use any sub-playbooks.
 | InsightIds | SafeBreach Insight Ids | SafeBreach.Insight.Id | Required |
 ## Playbook Outputs
+
 ---
 | **Path** | **Description** | **Type** |
@@ -37,7 +44,3 @@ This playbook does not use any sub-playbooks.
 | SafeBreach.Test.AttacksCount | The number of attacks executed in the insight rerun test. | Number |
 | SafeBreach.Test.Status | Test run status. For insight rerun, starts from PENDING. | String |
 | SafeBreach.Test.ScheduledTime | Time when the test was triggered. | String |
-
-## Playbook Image
----
-![SafeBreach - Rerun Single Insight](https://github.com/demisto/content/raw/6af01e00312a5558e9e2fecdb22534e98414bc9c/Packs/SafeBreach/doc_imgs/SafeBreach_Rerun_Single_Insight.png)
\ No newline at end of file
diff --git a/Packs/SafeBreach/README.md b/Packs/SafeBreach/README.md
index a6d305f6d345..f91850a9967f 100644
--- a/Packs/SafeBreach/README.md
+++ b/Packs/SafeBreach/README.md
@@ -2,6 +2,7 @@ SafeBreach has an extensive Hacker’s Playbook of breach and attack simulations
 The integration with Cortex XSOAR enables a fully automated, closed-loop process to ensure your security defenses will prevent the latest indicators from breaching your defenses.
 Enable the "SafeBreach - Breach and Attack Simulation platform" integration with Cortex XSOAR and benefit from **closed-loop automated security control remediation of IOCs:**
+
 - Discover security gaps through continuous breach & attack simulation
 - Automatically remediate and validate missed IOCs
 - Maximize the effectiveness and value of your existing security controls
@@ -13,6 +14,7 @@ Enable the "SafeBreach - Breach and Attack Simulation platform" integration with
 - Extends the existing XSOAR indicator types with additional custom SafeBreach indicator types
 **How to enable it?**
+
 1. Enable and configure SafeBreach v2 integration
 2. Create a Feed triggered job that will be triggered for SafeBreach indicators
 3. Assign the playbook for the job - "SafeBreach - Process Non-Behavioral Insights Feed"
\ No newline at end of file
diff --git a/Packs/SafeBreach/ReleaseNotes/1_3_0.md b/Packs/SafeBreach/ReleaseNotes/1_3_0.md
new file mode 100644
index 000000000000..c2ec94f4f2ac
--- /dev/null
+++ b/Packs/SafeBreach/ReleaseNotes/1_3_0.md
@@ -0,0 +1,32 @@
+#### Integrations
+
+##### SafeBreach v2 (Deprecated)
+
+- Deprecated. No available replacement.
+
+#### Playbooks
+
+##### SafeBreach - Create Incidents per Insight and Associate Indicators
+
+- Deprecated. No available replacement.
+##### SafeBreach - Process Non-Behavioral Insights Feed
+
+- Deprecated. No available replacement.
+##### SafeBreach - Compare and Validate Insight Indicators
+
+- Deprecated. No available replacement.
+##### SafeBreach - Rerun Single Insight
+
+- Deprecated. No available replacement.
+##### SafeBreach - Rerun Insights
+
+- Deprecated. No available replacement.
+
+#### Scripts
+
+##### JoinListsOfDicts
+
+- Deprecated. No available replacement.
+##### ListGroupBy
+
+- Deprecated. No available replacement.
diff --git a/Packs/SafeBreach/Scripts/JoinListsOfDicts/JoinListsOfDicts.yml b/Packs/SafeBreach/Scripts/JoinListsOfDicts/JoinListsOfDicts.yml
index 626ce194708d..bccf8bd54f4e 100644
--- a/Packs/SafeBreach/Scripts/JoinListsOfDicts/JoinListsOfDicts.yml
+++ b/Packs/SafeBreach/Scripts/JoinListsOfDicts/JoinListsOfDicts.yml
@@ -14,7 +14,7 @@ args:
 - description: The key to match in the right list (optional). Support "CustomFields" if used explicitly.
 name: rightkey
 required: true
-comment: Join two list of dictionaries by a key. If the key name differs between the two lists, specify both key (for left list) and rightkey (for right list).
+comment: Deprecated. No available replacement.
 commonfields:
 id: JoinListsOfDicts
 version: -1
@@ -31,5 +31,6 @@ type: python
 dockerimage: demisto/python3:3.10.12.63474
 runas: DBotWeakRole
 tests:
-- No tests (auto formatted)
+- No tests (deprecated)
 fromversion: 5.0.0
+deprecated: true
diff --git a/Packs/SafeBreach/Scripts/ListGroupBy/ListGroupBy.yml b/Packs/SafeBreach/Scripts/ListGroupBy/ListGroupBy.yml
index f0481babbe0a..e493d08b7d98 100644
--- a/Packs/SafeBreach/Scripts/ListGroupBy/ListGroupBy.yml
+++ b/Packs/SafeBreach/Scripts/ListGroupBy/ListGroupBy.yml
@@ -15,7 +15,7 @@ args:
 - defaultValue: ','
 description: Separator to use in the merged value.
 name: separator
-comment: Group an output field from a list using multiple keys.
+comment: Deprecated. No available replacement.
 commonfields:
 id: ListGroupBy
 version: -1
@@ -33,4 +33,5 @@ tags:
 type: python
 fromversion: 5.0.0
 tests:
-- No tests (auto formatted)
+- No tests (deprecated)
+deprecated: true
diff --git a/Packs/SafeBreach/TestPlaybooks/playbook-SafeBreach-Test.yml b/Packs/SafeBreach/TestPlaybooks/playbook-SafeBreach-Test.yml
index de3accc3ee76..62e3a37e3137 100644
--- a/Packs/SafeBreach/TestPlaybooks/playbook-SafeBreach-Test.yml
+++ b/Packs/SafeBreach/TestPlaybooks/playbook-SafeBreach-Test.yml
@@ -1,5 +1,5 @@
 id: playbook-SafeBreach-Test
-version: 17
+version: -1
 name: playbook-SafeBreach-Test
 starttaskid: "0"
 tasks:
@@ -13,6 +13,7 @@ tasks:
 name: ""
 iscommand: false
 brand: ""
+ description: ''
 nexttasks:
 '#none#':
 - "1"
@@ -300,6 +301,7 @@ tasks:
 type: title
 iscommand: false
 brand: ""
+ description: ''
 separatecontext: false
 view: |-
 {
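Review bot: The `comment:` rewrite in the JoinListsOfDicts hunk discards the only in-product explanation of how `key` and `rightkey` relate, so an operator who still has the script wired into a playbook after `deprecated: true` lands gets no description of what it does. As far as I know the content validator only requires the text to begin with the deprecation sentence, so the original wording can be kept behind it: `comment: Deprecated. No available replacement. Join two list of dictionaries by a key. If the key name differs between the two lists, specify both key (for left list) and rightkey (for right list).` The same applies to the ListGroupBy `comment:` hunk further down, which can keep `Group an output field from a list using multiple keys.` after the deprecation sentence.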
@@ -360,3 +362,7 @@ view: |-
 inputs: []
 outputs: []
 fromversion: 5.0.0
+deprecated: true
+tests:
+- No tests (deprecated)
+description: Deprecated. No available replacement.
diff --git a/Packs/SafeBreach/pack_metadata.json b/Packs/SafeBreach/pack_metadata.json
index 590ba7e334b9..65517c013431 100644
--- a/Packs/SafeBreach/pack_metadata.json
+++ b/Packs/SafeBreach/pack_metadata.json
@@ -1,11 +1,12 @@
 {
- "name": "SafeBreach - Breach and Attack Simulation platform",
- "description": "SafeBreach automates validation and remediation of your security controls to ensure you detect and prevent known indicators of compromise (IOCs).",
+ "name": "SafeBreach - Breach and Attack Simulation platform (Deprecated)",
+ "description": "Deprecated. No available replacement.",
 "support": "partner",
+ "hidden": true,
 "videos": [
 "https://www.youtube.com/watch?v=Wb7q5Gbd2qo"
 ],
- "currentVersion": "1.2.4",
+ "currentVersion": "1.3.0",
 "author": "SafeBreach",
 "url": "https://www.safebreach.com",
 "email": "support@safebreach.com",
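Review bot: The `"hidden": true` and `"Deprecated. No available replacement."` added to pack_metadata.json are not mirrored in `Packs/SafeBreach/README.md`, whose two hunks in this same diff only insert blank lines and still end with the enable steps (`1. Enable and configure SafeBreach v2 integration` through `3. Assign the playbook for the job - "SafeBreach - Process Non-Behavioral Insights Feed"`), i.e. instructions to wire a feed-triggered job to a playbook this change deprecates. `hidden` only removes the pack from the marketplace listing; on an existing install the integration instance and the job keep executing with whatever API credentials they hold, and the README is the page an operator reads to decide what to do. Add `Deprecated. No available replacement.` as the first line of README.md and replace the "How to enable it?" steps with a note to disable the SafeBreach v2 instance and the feed-triggered job, or at least prefix those steps with the deprecation notice. The presence of the `"videos"` link and `"support": "partner"` is unchanged, which seems fine.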