From e08e41bb85749fe23b32817e5aa9cdd4ceb47c61 Mon Sep 17 00:00:00 2001
From: scottbrumley
Date: Thu, 19 Mar 2026 12:33:22 -0400
Subject: [PATCH] - Bump Version for SOC Opt Uni
---
.../SOC Proofpoint TAP - Threat Detected.yml | 70 +-
.../pack_metadata.json | 46 +-
Packs/soc-framework-nist-ir/1_0_0.md | 44 +
.../SOC_Endpoint_Compromise_Evaluation_V3.yml | 2242 +++++++++--------
.../soc-framework-nist-ir/pack_metadata.json | 2 +-
Packs/soc-framework-nist-ir/xsoar_config.json | 4 +-
.../POST_CONFIG_README.md | 125 +-
.../Foundation_-_Data_Integrity_V3.yml | 78 +-
.../Playbooks/Foundation_-_Dedup.yml | 112 +-
...Foundation_-_Product_Classification_V3.yml | 253 +-
Packs/soc-optimization-unified/README.md | 290 +--
.../ReleaseNotes/3_4_0.md | 94 +
.../pack_metadata.json | 2 +-
.../xsoar_config.json | 8 +-
TOOLING.md | 356 +++
pack_catalog.json | 4 +-
16 files changed, 2125 insertions(+), 1605 deletions(-)
create mode 100644 Packs/soc-framework-nist-ir/1_0_0.md
create mode 100644 Packs/soc-optimization-unified/ReleaseNotes/3_4_0.md
create mode 100644 TOOLING.md
diff --git a/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml b/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml
index 5006ce6e..b049bdf1 100644
--- a/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml
+++ b/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml
@@ -10,42 +10,42 @@ alert_fields: # ── File indicators ──────────────────────────────────────────────────────── action_file_sha256: proofpointsha256 # attachment SHA256 (WildFire grouping) - action_file_md5: proofpointmd5 # attachment MD5 - action_file_name: proofpointfilename # attachment filename + action_file_md5: proofpointmd5 # attachment MD5 + action_file_name: proofpointfilename # attachment filename # ── Network indicators ───────────────────────────────────────────────────── - action_remote_ip: senderIP # sender IP (grouping + analytics) - dns_query_name: dns_name # threat domain (DNS grouping) - fw_url_domain: domain # URL domain + action_remote_ip: senderIP # sender IP (grouping + analytics) + dns_query_name: dns_name # threat domain (DNS grouping) + fw_url_domain: domain # URL domain # ── Email-specific fields ────────────────────────────────────────────────── - emailmessageid: messageID - emailsenderip: senderIP - emailsource: sender - fw_email_recipient: recipient - fw_email_sender: sender - fw_email_subject: subject + emailmessageid: messageID + emailsenderip: senderIP + emailsource: sender + fw_email_recipient: recipient + fw_email_sender: sender + fw_email_subject: subject # ── Proofpoint TAP extended fields ──────────────────────────────────────── - proofpointtapcampaignid: campaignId + proofpointtapcampaignid: campaignId proofpointtapclassification: classification_all - proofpointtapclickip: clickIP - proofpointtapclicktime: clickTime - proofpointtapguid: GUID - proofpointtapheadersfrom: headerFrom + proofpointtapclickip: clickIP + proofpointtapclicktime: clickTime + proofpointtapguid: GUID + proofpointtapheadersfrom: headerFrom proofpointtapheadersreplyto: headerReplyTo - proofpointtapid: id + proofpointtapid: id proofpointtapimposterscore: impostorScore - proofpointtapmalwarescore: malwareScore - proofpointtapmessageid: messageID - proofpointtapmessageparts: messageParts - proofpointtapmessagesize: messageSize + proofpointtapmalwarescore: 
malwareScore + proofpointtapmessageid: messageID + proofpointtapmessageparts: messageParts + proofpointtapmessagesize: messageSize proofpointtapphishingscore: phishScore proofpointtapreplytoaddress: replyToAddress - proofpointtapsenderip: senderIP - proofpointtapsmtpsender: sender - proofpointtapspamscore: spamScore - proofpointtapsubject: subject + proofpointtapsenderip: senderIP + proofpointtapsmtpsender: sender + proofpointtapspamscore: spamScore + proofpointtapsubject: subject proofpointtapsuspiciousurl: threat_urls proofpointtapthreatid: threat_ids proofpointtapthreatinfomap: threatsInfoMap_str @@ -54,12 +54,10 @@ alert_fields: proofpointtapthreaturl: threat_urls proofpointtaptype: type alert_name: $alert_name -alert_type: null -crontab: null +alert_type: +crontab: dataset: alerts -description: Unified Proofpoint TAP alert rule covering messages delivered and clicks - permitted. Fires on active or malicious threat status only. Suppression is per GUID - to preserve full blast-radius visibility for lateral risk detection. +description: Unified Proofpoint TAP alert rule covering messages delivered and clicks permitted. Fires on active or malicious threat status only. Suppression is per GUID to preserve full blast-radius visibility for lateral risk detection. drilldown_query_timeframe: ALERT execution_mode: REAL_TIME global_rule_id: SOC Proofpoint TAP - Threat Detected @@ -69,19 +67,19 @@ lookup_mapping: [] mapping_strategy: CUSTOM mitre_defs: TA0001 - Initial Access: - - T1566 - Phishing + - T1566 - Phishing TA0009 - Collection: - - T1114 - Email Collection + - T1114 - Email Collection name: SOC Proofpoint TAP - Threat Detected rule_id: 0 -search_window: null +search_window: severity: User Defined -simple_schedule: null +simple_schedule: suppression_duration: 24 hours suppression_enabled: true suppression_fields: - - GUID -timezone: null +- GUID +timezone: user_defined_category: alert_category user_defined_severity: alert_severity xql_query: | 
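Review bot: `alert_type:` and `crontab:` are left with a bare empty value where the removed lines said `null` explicitly; most loaders still produce null, but a bare value reads as "not filled in yet" and yamllint's empty-values check flags it, and the same substitution is made for `search_window`, `simple_schedule` and `timezone` in the next hunk. Either keep `alert_type: null` or drop the key entirely if the rule loader treats absent and null alike. The `description` is also re-joined into a single line of roughly 250 characters; a `description: >-` folded block yields the identical string while keeping the file inside the usual line-length limit.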
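Review bot: `suppression_fields` switches to the flush sequence style (the new line is `- GUID` at the key's own column) while the `mitre_defs` sequences a few lines above keep an indented entry (`  - T1566 - Phishing`), so the file now mixes both forms and yamllint's indent-sequences rule will report one of them. Matching `mitre_defs`, i.e. `suppression_fields:` followed by `  - GUID`, is the smaller edit. The `null` to bare-empty change on `search_window`, `simple_schedule` and `timezone` here is the same point raised on the previous hunk.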
diff --git a/Packs/SocFrameworkProofPointTap/pack_metadata.json b/Packs/SocFrameworkProofPointTap/pack_metadata.json
index 66ceec9e..ad32d715 100644
--- a/Packs/SocFrameworkProofPointTap/pack_metadata.json
+++ b/Packs/SocFrameworkProofPointTap/pack_metadata.json
@@ -1,25 +1,25 @@
 {
- "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
- "id": "soc-proofpoint-tap",
- "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
- "support": "community",
- "currentVersion": "1.1.2",
- "author": "Palo Alto Networks",
- "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
- "email": "",
- "categories": [
- "Forensics & Malware Analysis"
- ],
- "tags": [
- "SOC",
- "SOC_Framework",
- "Utility",
- "Palo Alto Networks Products",
- "Phishing"
- ],
- "useCases": [],
- "keywords": [],
- "marketplaces": [
- "marketplacev2"
- ]
+ "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
+ "id": "soc-proofpoint-tap",
+ "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
+ "support": "community",
+ "currentVersion": "1.1.2",
+ "author": "Palo Alto Networks",
+ "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
+ "email": "",
+ "categories": [
+ "Forensics & Malware Analysis"
+ ],
+ "tags": [
+ "SOC",
+ "SOC_Framework",
+ "Utility",
+ "Palo Alto Networks Products",
+ "Phishing"
+ ],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
 }
diff --git a/Packs/soc-framework-nist-ir/1_0_0.md b/Packs/soc-framework-nist-ir/1_0_0.md
new file mode 100644
index 00000000..97ecabc2
--- /dev/null
+++ b/Packs/soc-framework-nist-ir/1_0_0.md
@@ -0,0 +1,44 @@
+---
+
+## SOC Framework NIST IR – Release Notes
+
+### Version 1.1.0
+
+#### Overview
+
+This release delivers targeted bug fixes to the **SOC Endpoint Analysis** playbook stack. Fixes address runtime failures caused by array-typed context values being passed to condition operators that require scalar strings, and a product category routing miss in the Endpoint Analysis and Analysis Evaluation playbooks.
+
+---
+
+### Bug Fixes
+
+#### SOC Endpoint Compromise Evaluation — Array type mismatches (Critical)
+
+Three runtime failures were resolved in `SOC_Endpoint_Compromise_Evaluation_V3`:
+
+**SHA256 input — array instead of scalar**
+
+`SOCFramework.Artifacts.File` stores file hashes as a list. The `SHA256` playbook input sourced this field directly, passing an array to condition tasks that use `isEqualString`, `in`, and `notIn` operators. These operators call `InterfaceToString` internally and cannot handle `[]interface{}` values, causing a hard task error.
+
+Fix: Changed the `SHA256` input from a `simple` accessor to a `complex` block with a `join(',')` transformer. This collapses the array to a comma-separated scalar string before the value is passed into any condition evaluation.
+
+**verdict input — wrong source field**
+
+The `verdict` input was sourced from `${SOCFramework.Artifacts.Verdict}`, which is an array set during enrichment. The correct source is `${Analysis.Endpoint.verdict}`, which is a scalar written by `SOC_Endpoint_Verdict_Resolution_V3` after all TI sources and WildFire detonation are aggregated. Using the raw artifacts field bypassed the verdict resolution logic and produced the same `InterfaceToString` failure on the `isEqualString` operator in the "No Evidence?" condition (task 80).
+
+Fix: Changed the `verdict` input value to `${Analysis.Endpoint.verdict}`.
+
+**Task 80 "No Evidence?" — `in`/`notIn` on two arrays**
+
+The "No Evidence?" condition compared `inputs.SHA256` (now a joined scalar) against `inputs.xdm_sourceprocess_executable_sha256` and `inputs.initiator_sha256` using `notIn` and `isEqualString`. When the right-hand side is also an array, `in`/`notIn` fails with the same type error.
+
+Fix: Changed the affected operators in task 80 to `containsGeneral`, which handles both scalar and array right-hand values correctly.
+
+---
+
+### Notes
+
+- All three fixes are isolated to `SOC_Endpoint_Compromise_Evaluation_V3` inputs and task 80 conditions. No other playbooks, outputs, contracts, or context keys were changed.
+- The `SOCFramework.Artifacts.File` array-as-input pattern may affect other playbooks that source from `SOCFramework.Artifacts.*` and evaluate the value in string conditions. Audit recommended before 1.2.0.
+
+---
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml
index d534569f..dc0420f4 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml
@@ -1,16 +1,19 @@ fromversion: 5.0.0 -adopted: true +id: SOC Endpoint Compromise Evaluation_V3 +version: 14 contentitemexportablefields: contentitemfields: - definitionid: "" - fromServerVersion: 5.0.0 - isoverridable: false - itemVersion: 3.0.30 packID: soc-framework-nist-ir - packName: SOC Framework Unified + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 5.0.0 + toServerVersion: "" + definitionid: "" prevname: "" + isoverridable: false supportedModules: [] - toServerVersion: "" +vcShouldKeepItemLegacyProdMachine: false +name: SOC Endpoint Compromise Evaluation_V3 description: |- It evaluates three signals:
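Review bot: `itemVersion` drops from 3.0.30 to 1.1.0 in a commit titled "Bump Version"; if the content installer orders items by this field, a lower number can be read as older than what is already deployed, so confirm the downgrade is intentional rather than a side effect of re-exporting the playbook from a server. The hunk also removes `adopted: true` and adds `vcShouldKeepItemLegacyProdMachine: false`, which look like export artefacts; one sentence in the release notes saying the file was re-exported, and from which server version, would explain both. Related: the new release-notes file is named `1_0_0.md` while its heading reads Version 1.1.0, so the version this item now claims and the notes that describe it do not line up.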
@@ -35,157 +38,31 @@ description: |- Benign verdict and no supporting compromise indicators. The playbook does not use case risk score or alert volume; it focuses strictly on endpoint-level forensic evidence. -dirtyInputs: true -id: SOC Endpoint Compromise Evaluation_V3 -inputSections: -- description: Generic group for inputs - inputs: - - host_likely_compromised - - host_suspicious - - host_isolated_signal - - host_high_issue_count - - SHA256 - - verdict - - initiator_sha256 - - case_mitre_tactics - - case_mitre_techniques - - case_issue_count - - xdm_sourceprocess_executable_sha256 - - cgo_sha256 - - tactic_id - name: General (Inputs group) -inputs: -- description: Threshold for DBot Predicted Score for Host Likely Compromised - key: host_likely_compromised - playbookInputQuery: null - required: false - value: - simple: "70" -- description: Threshold for DBot Predicted Score for Host Suspicious. This value - will be between the host_likely_compromised and this value host_suspicious values. - key: host_suspicious - playbookInputQuery: null - required: false - value: - simple: "40" -- description: Anything less than this number will be an Isolated Signal for the host. - key: host_isolated_signal - playbookInputQuery: null - required: false - value: - simple: "40" -- description: "" - key: host_high_issue_count - playbookInputQuery: null - required: false - value: - simple: "3" -- description: "" - key: SHA256 - playbookInputQuery: null - required: false - value: - simple: ${SOCFramework.Artifacts.File} -- description: Enriched artifact verdict resolved by SOC_Endpoint_Verdict_Resolution_V3 - after all TI sources and WildFire detonation. Use Analysis.Endpoint.verdict, not - SOCFramework.Artifacts.Verdict, to ensure compromise evaluation uses the aggregated - DBot-normalized result rather than the raw source classification. 
- key: verdict - playbookInputQuery: null - required: false - value: - simple: ${Analysis.Endpoint.verdict} -- description: "" - key: initiator_sha256 - playbookInputQuery: null - required: false - value: - simple: ${issue.initiatorsha256} -- description: "" - key: case_mitre_tactics - playbookInputQuery: null - required: false - value: - simple: ${parentIncidentFields.mitre_tactics_ids_and_names} -- description: "" - key: case_mitre_techniques - playbookInputQuery: null - required: false - value: - simple: ${parentIncidentFields.mitre_techniques_ids_and_names.[0]} -- description: "" - key: case_issue_count - playbookInputQuery: null - required: false - value: - simple: ${parentIncidentFields.alert_count} -- description: "" - key: xdm_sourceprocess_executable_sha256 - playbookInputQuery: null - required: false - value: - simple: ${issue.xdmsourceprocessexecutablesha256} -- description: "" - key: cgo_sha256 - playbookInputQuery: null - required: false - value: - simple: ${issue.cgosha256} -- description: MITRE ATT&CK tactic ID written by Foundation into SOCFramework.Mitre.Tactic.ID - (e.g. TA0002 for Execution). Used alongside verdict to confirm execution without - requiring hash matching when CGO/XDM fields are not populated. - key: tactic_id - playbookInputQuery: null - required: false - value: - simple: ${SOCFramework.Mitre.Tactic.ID} -name: SOC Endpoint Compromise Evaluation_V3 -outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: - - Analysis.Endpoint.compromise_level - - Analysis.Endpoint.compromise_decision -outputs: -- contextPath: Analysis.Endpoint.compromise_level - description: Is this host considered compromised? - type: unknown -- contextPath: Analysis.Endpoint.compromise_decision - description: Why did this playbook decide this was the finding? 
- type: unknown -sourceplaybookid: SOC Data Analysis_V3 -starttaskid: "0" tags: -- SOC -- SOC_Framework_Unified -- Detection & Analysis -- NIST 800-61 -- EndPoint + - SOC + - SOC_Framework_Unified + - Detection & Analysis + - NIST 800-61 + - EndPoint +starttaskid: "0" tasks: "0": - continueonerrortype: "" id: "0" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "69" - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false + taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e + type: start task: - brand: "" id: 27ca4564-aefc-483e-8598-fa04dbefbf2e - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: "" + iscommand: false + brand: "" playbooktaskmissingcomponent: null - version: -1 - taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e - timertriggers: [] - type: start + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "69" + separatecontext: false + continueonerrortype: "" view: |- { "position": { 
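Review bot: The whole `inputs:` block (host_likely_compromised through tactic_id) and both `outputs`/`outputSections` blocks are deleted in this hunk with no replacement, yet task 76 later in the file still reads `inputs.verdict`, `inputs.SHA256` and `inputs.tactic_id`. If the re-export merely moved these below `tasks:` (outside the hunks shown) this is a reorder, but that needs confirming, because an unresolved `inputs.verdict` means the Likely Compromised branch can never match and every evaluated host falls through to `#default#` without any error surfacing. The removed `verdict` and `tactic_id` descriptions explain why `Analysis.Endpoint.verdict` rather than `SOCFramework.Artifacts.Verdict` is the source and why TA0002 stands in for hash matching; keep that text on the re-added inputs. The release notes added in this commit also describe `SHA256` as a `complex` value with a `join(',')` transformer, whereas the line removed here is `simple: ${SOCFramework.Artifacts.File}`, so the re-added input should be checked against that claim.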
@@ -193,17 +70,37 @@ tasks: "y": 50 } } - "29": - continueonerrortype: "" - id: "29" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 4c010df0-1d0e-46e8-b043-672358f7ddbd + type: regular + task: + id: 4c010df0-1d0e-46e8-b043-672358f7ddbd + version: -1 + name: Set Compromise Likely + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" - note: false - quietmode: 0 + - "70" scriptarguments: append: simple: "false" 
@@ -214,9 +111,29 @@ tasks: value: simple: likely_compromised separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -620, + "y": 2550 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 4371bae8-fa9c-479e-ac55-d10a704a8938 + type: regular task: - brand: "" + id: 4371bae8-fa9c-479e-ac55-d10a704a8938 + version: -1 + name: Set Description Malicious And No Excecution description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -224,35 +141,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 4c010df0-1d0e-46e8-b043-672358f7ddbd + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Compromise Likely + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 4c010df0-1d0e-46e8-b043-672358f7ddbd - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": -620, - "y": 2550 - } - } - "30": - continueonerrortype: "" - id: "30" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" - note: false - quietmode: 0 + - "32" scriptarguments: append: simple: "false" 
@@ -263,9 +160,29 @@ tasks: value: simple: malicious_no_execution separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 315, + "y": 1485 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: a328a8d5-b8de-47b4-8a6a-69003e9e388d + type: regular task: - brand: "" + id: a328a8d5-b8de-47b4-8a6a-69003e9e388d + version: -1 + name: Set Description Suspicious with Execution description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -273,35 +190,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 4371bae8-fa9c-479e-ac55-d10a704a8938 + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Malicious And No Excecution + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 4371bae8-fa9c-479e-ac55-d10a704a8938 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 315, - "y": 1485 - } - } - "31": - continueonerrortype: "" - id: "31" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" - note: false - quietmode: 0 + - "32" scriptarguments: append: simple: "false" 
@@ -312,9 +209,29 @@ tasks: value: simple: suspicious_execution separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 212.5, + "y": 1670 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: 7b4a8594-365d-40d8-84cd-5590cb809f0d + type: regular task: - brand: "" + id: 7b4a8594-365d-40d8-84cd-5590cb809f0d + version: -1 + name: Set Compromise Suspicious description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -322,35 +239,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: a328a8d5-b8de-47b4-8a6a-69003e9e388d + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Suspicious with Execution + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: a328a8d5-b8de-47b4-8a6a-69003e9e388d - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 212.5, - "y": 1670 - } - } - "32": - continueonerrortype: "" - id: "32" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" - note: false - quietmode: 0 + - "70" scriptarguments: append: simple: "false" 
@@ -361,9 +258,29 @@ tasks: value: simple: suspicious_execution separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -80, + "y": 2550 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: 673a1f63-6c99-4218-8520-8e5226cda124 + type: regular task: - brand: "" + id: 673a1f63-6c99-4218-8520-8e5226cda124 + version: -1 + name: Set Compromise Isolated description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -371,35 +288,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 7b4a8594-365d-40d8-84cd-5590cb809f0d + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Compromise Suspicious + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 7b4a8594-365d-40d8-84cd-5590cb809f0d - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": -80, - "y": 2550 - } - } - "33": - continueonerrortype: "" - id: "33" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" - note: false - quietmode: 0 + - "70" scriptarguments: append: simple: "false" 
@@ -410,27 +307,7 @@ tasks: value: simple: isolate_signal separatecontext: false - skipunavailable: false - task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 673a1f63-6c99-4218-8520-8e5226cda124 - iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Compromise Isolated - playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 673a1f63-6c99-4218-8520-8e5226cda124 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { 
@@ -438,31 +315,31 @@ tasks: "y": 2550 } } - "69": - continueonerrortype: "" - id: "69" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "82" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "69": + id: "69" + taskid: 9e094f2a-5581-4510-9292-6bb1be80aebd + type: title task: - brand: "" id: 9e094f2a-5581-4510-9292-6bb1be80aebd - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Investigate - playbooktaskmissingcomponent: null type: title - version: -1 - taskid: 9e094f2a-5581-4510-9292-6bb1be80aebd - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "82" + separatecontext: false + continueonerrortype: "" view: |- { "position": { @@ -470,28 +347,28 @@ tasks: "y": 220 } } - "70": - continueonerrortype: "" - id: "70" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "70": + id: "70" + taskid: 26cd8ee9-1d01-40d1-9b3a-dbd76a8cfa1e + type: title task: - brand: "" id: 26cd8ee9-1d01-40d1-9b3a-dbd76a8cfa1e - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Done - playbooktaskmissingcomponent: null type: title - version: -1 - taskid: 26cd8ee9-1d01-40d1-9b3a-dbd76a8cfa1e - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -499,17 +376,37 @@ tasks: "y": 2735 } } - "75": - continueonerrortype: "" - id: "75" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "75": + id: "75" + taskid: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 + type: regular + task: + id: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 + version: -1 + name: Set Compromise No Evidence + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" - note: false - quietmode: 0 + - "70" scriptarguments: append: simple: "false" 
@@ -520,27 +417,7 @@ tasks: value: simple: no_evidence separatecontext: false - skipunavailable: false - task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 - iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Compromise No Evidence - playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { 
@@ -548,95 +425,95 @@ tasks: "y": 2550 } } - "76": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: isEqualString - right: - value: - simple: malicious - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: isEqualString - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: isEqualString - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - label: Likely Compromised - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: isEqualString - right: - value: - simple: malicious - - - left: - iscontext: true - value: - simple: inputs.tactic_id - operator: isEqualString - right: - value: - simple: TA0002 - label: Likely Compromised - continueonerrortype: "" - id: "76" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "81" - Likely Compromised: - - "87" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "76": + id: "76" + taskid: 54387c7d-89ee-44c5-b977-07dab20e908e + type: condition task: - brand: "" id: 54387c7d-89ee-44c5-b977-07dab20e908e - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Compromised Host Malicious and Executed? 
- playbooktaskmissingcomponent: null type: condition - version: -1 - taskid: 54387c7d-89ee-44c5-b977-07dab20e908e - timertriggers: [] - type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "81" + Likely Compromised: + - "87" + separatecontext: false + conditions: + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: isEqualString + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: isEqualString + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: isEqualString + left: + value: + simple: inputs.tactic_id + iscontext: true + right: + value: + simple: TA0002 + continueonerrortype: "" view: |- { "position": { 
@@ -644,74 +521,74 @@ tasks: "y": 560 } } - "77": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: isEqualString - right: - value: - simple: malicious - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - label: Suspicious - continueonerrortype: "" - id: "77" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "78" - Suspicious: - - "30" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "77": + id: "77" + taskid: 34027e15-2aef-4b0a-8878-957e370550ce + type: condition task: - brand: "" id: 34027e15-2aef-4b0a-8878-957e370550ce - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Compromised Malicious No Execution? 
- playbooktaskmissingcomponent: null type: condition - version: -1 - taskid: 34027e15-2aef-4b0a-8878-957e370550ce - timertriggers: [] - type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "78" + Suspicious: + - "30" + separatecontext: false + conditions: + - label: Suspicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: "" view: |- { "position": { 
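Review bot: In task 77 ("Compromised Malicious No Execution?") the three `notIn` checks against `inputs.xdm_sourceprocess_executable_sha256`, `inputs.initiator_sha256` and `inputs.cgo_sha256` sit in a single inner list, and the `in` checks in task 76 rely on the inner list being OR'd, so the "Suspicious" label is taken whenever the hash is absent from at least one of the three fields — which is also true for a hash that did execute as the source process. For a "no execution" test each `notIn` needs its own `- -` group (the outer list is the AND), the way the tactic checks in task 79 are already split. The same single-group `notIn` pattern appears in task 79 (hunk @@ -794) and task 86 (hunk @@ -1221); this logic is carried over from the old side rather than introduced here. Task 77's `view` block continues past the end of the hunk.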
@@ -719,74 +596,74 @@ tasks: "y": 1300 } } - "78": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: isEqualString - right: - value: - simple: suspicious - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - label: Suspicious - continueonerrortype: "" - id: "78" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "86" - Suspicious: - - "31" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false - task: - brand: "" - id: 9422d3f6-ce78-45bb-bea3-69c58b2ee781 - iscommand: false - istaskmissingcomponenterrordismissed: false - name: Compromised Suspicious with Execution? - playbooktaskmissingcomponent: null - type: condition - version: -1 + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "78": + id: "78" taskid: 9422d3f6-ce78-45bb-bea3-69c58b2ee781 - timertriggers: [] type: condition + task: + id: 9422d3f6-ce78-45bb-bea3-69c58b2ee781 + version: -1 + name: Compromised Suspicious with Execution? 
+ type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "86" + Suspicious: + - "31" + separatecontext: false + conditions: + - label: Suspicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: suspicious + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: "" view: |- { "position": { 
@@ -794,111 +671,111 @@ tasks: "y": 1485 } } - "79": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: in - right: - value: - simple: | - ("unknown","suspicious")) - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - - - left: - iscontext: true - value: - simple: TA0011 - operator: notIn - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - - - left: - iscontext: true - value: - simple: TA0003 - operator: notIn - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - - - left: - iscontext: true - value: - simple: T1055 - operator: notIn - right: - iscontext: true - value: - simple: inputs.case_mitre_techniques - - - left: - iscontext: true - value: - simple: TA0004 - operator: isEqualString - right: - iscontext: true - value: - simple: inputs.case_mitre_techniques - label: Isolated Signal - continueonerrortype: "" - id: "79" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "80" - Isolated Signal: - - "91" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "79": + id: "79" + taskid: 28ea7aab-be63-4e6c-b9d9-63520cab7f0e + type: condition task: - brand: "" id: 28ea7aab-be63-4e6c-b9d9-63520cab7f0e - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Isolated Signal? 
- playbooktaskmissingcomponent: null type: condition - version: -1 - taskid: 28ea7aab-be63-4e6c-b9d9-63520cab7f0e - timertriggers: [] - type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "80" + Isolated Signal: + - "91" + separatecontext: false + conditions: + - label: Isolated Signal + condition: + - - operator: in + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: | + ("unknown","suspicious")) + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - - operator: notIn + left: + value: + simple: TA0011 + iscontext: true + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: notIn + left: + value: + simple: TA0003 + iscontext: true + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: notIn + left: + value: + simple: T1055 + iscontext: true + right: + value: + simple: inputs.case_mitre_techniques + iscontext: true + - - operator: isEqualString + left: + value: + simple: TA0004 + iscontext: true + right: + value: + simple: inputs.case_mitre_techniques + iscontext: true + continueonerrortype: "" view: |- { "position": { 
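Review bot: The verdict check in task 79 ("Isolated Signal?") compares `inputs.verdict` with the literal `("unknown","suspicious"))` written as a `|` block scalar, so the right-hand value carries the parentheses, the quotes, an unbalanced `)` and a trailing newline; if `in` expects a comma-separated list this never matches and the "Isolated Signal" branch is unreachable — `simple: unknown,suspicious` would express the intent. The literal left values `TA0011`, `TA0003`, `T1055` and `TA0004` in this task carry `iscontext: true`, unlike the same literals in tasks 81, 85 and 86; if that flag makes the engine resolve them as context paths they evaluate to empty, which would also break these checks. The final group compares the tactic id `TA0004` with `isEqualString` against `inputs.case_mitre_techniques`, which looks like it should be `in` against `inputs.case_mitre_tactics` like the groups above it. All three are pre-existing on the old side; the task's `view` continues past the hunk.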
@@ -906,74 +783,74 @@ tasks: "y": 2040 } } - "80": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: isEqualString - right: - value: - simple: benign - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: isEqualString - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - label: No Evidence - continueonerrortype: "" - id: "80" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "80": + id: "80" + taskid: 510e58df-e742-49b3-9910-02f691e96640 + type: condition + task: + id: 510e58df-e742-49b3-9910-02f691e96640 + version: -1 + name: No Evidence? + type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "70" + - "70" No Evidence: - - "92" - note: false - quietmode: 0 + - "92" separatecontext: false - skipunavailable: false - task: - brand: "" - id: 4fc50960-386f-4513-ae04-8a7df6cd4db1 - iscommand: false - istaskmissingcomponenterrordismissed: false - name: No Evidence? 
- playbooktaskmissingcomponent: null - type: condition - version: -1 - taskid: 4fc50960-386f-4513-ae04-8a7df6cd4db1 - timertriggers: [] - type: condition + conditions: + - label: No Evidence + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: benign + - - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: "" view: |- { "position": { 
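Review bot: The three SHA256 checks in task 80 ("No Evidence?") change operator in this hunk — the old side had `notIn`, `notIn` and `isEqualString` against the source-process, initiator and CGO hashes, the new side uses `containsGeneral` for all three — so the branch labelled "No Evidence", which routes to task 92 ("Set Description Benign, No Execution"), now fires when the alert hash is found in one of the process hashes, i.e. exactly when there is execution evidence. Given the inner list is OR'd, that inverts the branch relative to its label and to the description it sets; if the intent was to fix the earlier mixed operators, the `notIn` form with separate `- -` groups per field is the one that matches "no execution". The task's `taskid` also changes from `4fc50960-386f-4513-ae04-8a7df6cd4db1` to `510e58df-e742-49b3-9910-02f691e96640` while every other task in the file keeps its UUID, which suggests the task was recreated; a behavioural change like this deserves a line in the release notes for a commit titled as a version bump. The task's `view` block continues outside the hunk.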
@@ -981,79 +858,79 @@ tasks: "y": 2255 } } - "81": - conditions: - - condition: - - - left: - value: - simple: TA0011 - operator: in - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - - left: - value: - simple: TA0003 - operator: in - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: in - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - label: Likely Compromised - continueonerrortype: "" - id: "81" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "85" - Likely Compromised: - - "88" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "81": + id: "81" + taskid: 98a68f9b-8748-4de0-83b6-ae46d324c1e2 + type: condition task: - brand: "" id: 98a68f9b-8748-4de0-83b6-ae46d324c1e2 - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Execution + Strong Exploit Tactics - playbooktaskmissingcomponent: null type: condition - version: -1 - taskid: 98a68f9b-8748-4de0-83b6-ae46d324c1e2 - timertriggers: [] - type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "85" + Likely Compromised: + - "88" + separatecontext: false + conditions: + - label: Likely Compromised + condition: + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in 
+ left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: "" view: |- { "position": { @@ -1061,31 +938,31 @@ tasks: "y": 745 } } - "82": - continueonerrortype: "" - id: "82" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "76" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "82": + id: "82" + taskid: 21ba8f6d-bdff-425f-9c4b-f19cccf4de83 + type: title task: - brand: "" id: 21ba8f6d-bdff-425f-9c4b-f19cccf4de83 - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Evaluate Malicious - playbooktaskmissingcomponent: null type: title - version: -1 - taskid: 21ba8f6d-bdff-425f-9c4b-f19cccf4de83 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "76" + separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -1093,31 +970,31 @@ tasks: "y": 390 } } - "83": - continueonerrortype: "" - id: "83" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "77" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "83": + id: "83" + taskid: 289cfa9b-dc82-4e6f-be72-b0002e049a00 + type: title task: - brand: "" id: 289cfa9b-dc82-4e6f-be72-b0002e049a00 - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Evaluate Suspicious - playbooktaskmissingcomponent: null type: title - version: -1 - taskid: 289cfa9b-dc82-4e6f-be72-b0002e049a00 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "77" + separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -1125,31 +1002,31 @@ tasks: "y": 1122.5 } } - "84": - continueonerrortype: "" - id: "84" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - "79" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "84": + id: "84" + taskid: 2e46b5b4-7337-4691-b9df-349934c95fd7 + type: title task: - brand: "" id: 2e46b5b4-7337-4691-b9df-349934c95fd7 - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Evaluate Isolated Signal - playbooktaskmissingcomponent: null type: title - version: -1 - taskid: 2e46b5b4-7337-4691-b9df-349934c95fd7 - timertriggers: [] - type: title + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#none#': + - "79" + separatecontext: false + continueonerrortype: "" view: |- { "position": { 
@@ -1157,63 +1034,63 @@ tasks: "y": 1862.5 } } - "85": - conditions: - - condition: - - - left: - iscontext: true - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - operator: isEqualString - right: - value: - simple: malicious - - - left: - value: - simple: TA0011 - operator: in - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - - left: - value: - simple: TA0003 - operator: in - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - label: Likely Compromised - continueonerrortype: "" - id: "85" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "83" - Likely Compromised: - - "89" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "85": + id: "85" + taskid: b57df6ec-9f5d-481c-b732-7f1f59026dbd + type: condition task: - brand: "" id: b57df6ec-9f5d-481c-b732-7f1f59026dbd - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Malicious Strong Exploit Tactics - playbooktaskmissingcomponent: null type: condition - version: -1 - taskid: b57df6ec-9f5d-481c-b732-7f1f59026dbd - timertriggers: [] - type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "83" + Likely Compromised: + - "89" + separatecontext: false + conditions: + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + 
iscontext: true + continueonerrortype: "" view: |- { "position": { 
@@ -1221,80 +1098,80 @@ tasks: "y": 930 } } - "86": - conditions: - - condition: - - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.initiator_sha256 - - left: - iscontext: true - value: - simple: inputs.SHA256 - operator: notIn - right: - iscontext: true - value: - simple: inputs.cgo_sha256 - - - left: - value: - simple: TA0011 - operator: in - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - - left: - value: - simple: TA0003 - operator: in - right: - iscontext: true - value: - simple: inputs.case_mitre_tactics - label: Suspicious - continueonerrortype: "" - id: "86" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - "84" - Suspicious: - - "32" - - "90" note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "86": + id: "86" + taskid: a6c34090-a35f-400d-b4f4-30dc4d0ff3c8 + type: condition task: - brand: "" id: a6c34090-a35f-400d-b4f4-30dc4d0ff3c8 - iscommand: false - istaskmissingcomponenterrordismissed: false + version: -1 name: Compromised Strong Tactics No Execution? 
- playbooktaskmissingcomponent: null type: condition - version: -1 - taskid: a6c34090-a35f-400d-b4f4-30dc4d0ff3c8 - timertriggers: [] - type: condition + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + nexttasks: + '#default#': + - "84" + Suspicious: + - "32" + - "90" + separatecontext: false + conditions: + - label: Suspicious + condition: + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + continueonerrortype: "" view: |- { "position": { 
@@ -1302,17 +1179,37 @@ tasks: "y": 1670 } } - "87": - continueonerrortype: "" - id: "87" + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "87": + id: "87" + taskid: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 + type: regular + task: + id: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 + version: -1 + name: Set Description To Malicious And Executed + description: "Set a value in context under the key you entered. If no value + is entered, the script doesn't do anything.\n\nThis automation runs using + the default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" - note: false - quietmode: 0 + - "29" scriptarguments: append: simple: "false" 
@@ -1323,9 +1220,29 @@ tasks: value: simple: malicious_and_executed separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -42.5, + "y": 745 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "88": + id: "88" + taskid: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 + type: regular task: - brand: "" + id: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 + version: -1 + name: Set Description Execution And Strong Tactics description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -1333,35 +1250,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description To Malicious And Executed + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": -42.5, - "y": 745 - } - } - "88": - continueonerrortype: "" - id: "88" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" - note: false - quietmode: 0 + - "29" scriptarguments: append: simple: "false" 
@@ -1372,9 +1269,29 @@ tasks: value: simple: execution_strong_tactics separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 200, + "y": 930 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "89": + id: "89" + taskid: bcbc6174-fcc2-488e-83fb-dc73560cfa4d + type: regular task: - brand: "" + id: bcbc6174-fcc2-488e-83fb-dc73560cfa4d + version: -1 + name: Set Description Malicioius And Strong Tactics description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -1382,35 +1299,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Execution And Strong Tactics + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 200, - "y": 930 - } - } - "89": - continueonerrortype: "" - id: "89" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" - note: false - quietmode: 0 + - "29" scriptarguments: append: simple: "false" 
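Review bot: Task 89's name on the new side reads `Set Description Malicioius And Strong Tactics` — a typo for "Malicious"; the name is the label shown in the work plan and is safe to correct while the task is being rewritten. The context value set by task 91 in the hunk at @@ -1519, `suspcious_no_tactics_no_execution`, has the same kind of typo, but it is a value downstream playbooks or layouts may match on, so change it together with whatever reads it rather than in isolation. Both strings are unchanged from the old side.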
@@ -1421,9 +1318,29 @@ tasks: value: simple: malicious_strong_tactics separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 387.5, + "y": 1115 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "90": + id: "90" + taskid: 9b9d105e-134e-4397-b80f-949c549cd6be + type: regular task: - brand: "" + id: 9b9d105e-134e-4397-b80f-949c549cd6be + version: -1 + name: Set Description Suspicious with Execution description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -1431,35 +1348,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: bcbc6174-fcc2-488e-83fb-dc73560cfa4d + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Malicioius And Strong Tactics + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: bcbc6174-fcc2-488e-83fb-dc73560cfa4d - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 387.5, - "y": 1115 - } - } - "90": - continueonerrortype: "" - id: "90" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" - note: false - quietmode: 0 + - "32" scriptarguments: append: simple: "false" 
@@ -1470,9 +1367,29 @@ tasks: value: simple: strong_tactics_no_execution separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 447.5, + "y": 1855 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "91": + id: "91" + taskid: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 + type: regular task: - brand: "" + id: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 + version: -1 + name: Set Description Suspicious, No Execution, No Tactics description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -1480,35 +1397,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: 9b9d105e-134e-4397-b80f-949c549cd6be + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Suspicious with Execution + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: 9b9d105e-134e-4397-b80f-949c549cd6be - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 447.5, - "y": 1855 - } - } - "91": - continueonerrortype: "" - id: "91" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "33" - note: false - quietmode: 0 + - "33" scriptarguments: append: simple: "false" 
@@ -1519,9 +1416,29 @@ tasks: value: simple: suspcious_no_tactics_no_execution separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 652.5, + "y": 2255 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "92": + id: "92" + taskid: f14be6c5-632b-4ab2-95c0-ccea72352e00 + type: regular task: - brand: "" + id: f14be6c5-632b-4ab2-95c0-ccea72352e00 + version: -1 + name: Set Description Benign, No Execution description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor @@ -1529,35 +1446,15 @@ tasks: 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 + scriptName: SetAndHandleEmpty + type: regular iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Suspicious, No Execution, No Tactics + brand: "" playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 - timertriggers: [] - type: regular - view: |- - { - "position": { - "x": 652.5, - "y": 2255 - } - } - "92": - continueonerrortype: "" - id: "92" - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "75" - note: false - quietmode: 0 + - "75" scriptarguments: append: simple: "false" 
@@ -1568,27 +1465,7 @@ tasks: value: simple: benign_no_execution separatecontext: false - skipunavailable: false - task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - id: f14be6c5-632b-4ab2-95c0-ccea72352e00 - iscommand: false - istaskmissingcomponenterrordismissed: false - name: Set Description Benign, No Execution - playbooktaskmissingcomponent: null - script: SetAndHandleEmpty - type: regular - version: -1 - taskid: f14be6c5-632b-4ab2-95c0-ccea72352e00 - timertriggers: [] - type: regular + continueonerrortype: "" view: |- { "position": { @@ -1596,7 +1473,13 @@ tasks: "y": 2410 } } -version: -1 + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { 
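Review bot: The `@@ -1596,7 +1473,13 @@` hunk drops the playbook's root `version: -1` key and nothing in the visible hunks re-adds it; the removed line is simply replaced by the per-task fields (`note`, `timertriggers`, `quietmode`, …) that were moved down from task 92. Unless the root key was relocated to the file header outside this view, the playbook loses the version marker that the other playbook YAML in this pack normally carries, so please confirm with `grep -n '^version:' SOC_Endpoint_Compromise_Evaluation_V3.yml` before cutting the 1.1.0 release. The rest of this hunk set (tasks 89–92) is a field reordering that keeps the same task ids, the `SetAndHandleEmpty` script and the same `nexttasks`, so I see no functional change there.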
@@ -1611,3 +1494,128 @@ view: |- } } } +inputs: + - key: host_likely_compromised + value: + simple: "70" + required: false + description: Threshold for DBot Predicted Score for Host Likely Compromised + playbookInputQuery: null + - key: host_suspicious + value: + simple: "40" + required: false + description: Threshold for DBot Predicted Score for Host Suspicious. This value + will be between the host_likely_compromised and this value host_suspicious values. + playbookInputQuery: null + - key: host_isolated_signal + value: + simple: "40" + required: false + description: Anything less than this number will be an Isolated Signal for the host. + playbookInputQuery: null + - key: host_high_issue_count + value: + simple: "3" + required: false + description: "" + playbookInputQuery: null + - key: SHA256 + value: + complex: + root: SOCFramework.Artifacts.File + transformers: + - operator: join + args: + separator: + value: + simple: ',' + required: false + description: "" + playbookInputQuery: null + - key: verdict + value: + simple: ${Analysis.Endpoint.verdict} + required: false + description: Enriched artifact verdict resolved by SOC_Endpoint_Verdict_Resolution_V3 + after all TI sources and WildFire detonation. Use Analysis.Endpoint.verdict, not + SOCFramework.Artifacts.Verdict, to ensure compromise evaluation uses the aggregated + DBot-normalized result rather than the raw source classification. 
+ playbookInputQuery: null + - key: initiator_sha256 + value: + simple: ${issue.initiatorsha256} + required: false + description: "" + playbookInputQuery: null + - key: case_mitre_tactics + value: + simple: ${parentIncidentFields.mitre_tactics_ids_and_names} + required: false + description: "" + playbookInputQuery: null + - key: case_mitre_techniques + value: + simple: ${parentIncidentFields.mitre_techniques_ids_and_names.[0]} + required: false + description: "" + playbookInputQuery: null + - key: case_issue_count + value: + simple: ${parentIncidentFields.alert_count} + required: false + description: "" + playbookInputQuery: null + - key: xdm_sourceprocess_executable_sha256 + value: + simple: ${issue.xdmsourceprocessexecutablesha256} + required: false + description: "" + playbookInputQuery: null + - key: cgo_sha256 + value: + simple: ${issue.cgosha256} + required: false + description: "" + playbookInputQuery: null + - key: tactic_id + value: + simple: ${SOCFramework.Mitre.Tactic.ID} + required: false + description: MITRE ATT&CK tactic ID written by Foundation into SOCFramework.Mitre.Tactic.ID + (e.g. TA0002 for Execution). Used alongside verdict to confirm execution without + requiring hash matching when CGO/XDM fields are not populated. + playbookInputQuery: null +inputSections: + - inputs: + - host_likely_compromised + - host_suspicious + - host_isolated_signal + - host_high_issue_count + - SHA256 + - verdict + - initiator_sha256 + - case_mitre_tactics + - case_mitre_techniques + - case_issue_count + - xdm_sourceprocess_executable_sha256 + - cgo_sha256 + - tactic_id + name: General (Inputs group) + description: Generic group for inputs +outputSections: + - outputs: + - Analysis.Endpoint.compromise_level + - Analysis.Endpoint.compromise_decision + name: General (Outputs group) + description: Generic group for outputs +outputs: + - contextPath: Analysis.Endpoint.compromise_level + description: Is this host considered compromised? 
+ type: unknown
+ - contextPath: Analysis.Endpoint.compromise_decision
+ description: Why did this playbook decide this was the finding?
+ type: unknown
+sourceplaybookid: SOC Data Analysis_V3
+dirtyInputs: true
+adopted: true
diff --git a/Packs/soc-framework-nist-ir/pack_metadata.json b/Packs/soc-framework-nist-ir/pack_metadata.json
index 545f2a56..6f65dd18 100644
--- a/Packs/soc-framework-nist-ir/pack_metadata.json
+++ b/Packs/soc-framework-nist-ir/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-framework-nist-ir",
 "description": "SOC Framework \u2013 Incident Response (NIST)\n\nDescription\n\nThe SOC Framework \u2013 Incident Response (NIST) pack provides a standardized set of incident response workflows aligned with the lifecycle defined in NIST SP 800-61. It implements the operational stages of incident response within the SOC Framework, enabling consistent investigation, containment, eradication, recovery, and communication processes across security incidents.\n\nRather than building separate playbooks for each threat scenario, this pack organizes response logic around the incident response lifecycle. Scenarios such as phishing, endpoint compromise, identity abuse, and other security events enter the workflow and progress through the same structured response phases. This approach promotes consistent analyst workflows, reduces duplicated automation logic, and ensures that containment and recovery actions follow a predictable process.\n\nThe playbooks in this pack are designed to operate on standardized artifacts and actions provided by the SOC Framework Core pack. Vendor-specific commands are abstracted through framework actions, allowing the same incident response logic to operate across different security products and environments.",
 "support": "xsoar",
- "currentVersion": "1.0.7",
+ "currentVersion": "1.1.0",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
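Review bot: `host_suspicious` and `host_isolated_signal` both default to `"40"` while their descriptions describe different bands (suspicious is "between host_likely_compromised and this value", isolated is "anything less than this number"), so a DBot score of exactly 40 lands in one band or the other depending on how the comparison outside this hunk is written, and a host that should read as Suspicious could silently be reported as an Isolated Signal. Please either separate the defaults or state the inclusive/exclusive boundary in both descriptions, e.g. `description: Scores >= this value and < host_likely_compromised are classified Suspicious.`; the current `host_suspicious` text ("between the host_likely_compromised and this value host_suspicious values") also reads garbled. `case_mitre_techniques` takes only `.[0]` while `case_mitre_tactics` takes the whole list, and that input plus `host_high_issue_count`, `initiator_sha256`, `xdm_sourceprocess_executable_sha256` and `cgo_sha256` ship with `description: ""`. A one-liner on each (e.g. `description: First MITRE technique on the parent case; only the first is evaluated.`) would let the SOC owner review the tuning without opening the tasks.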
diff --git a/Packs/soc-framework-nist-ir/xsoar_config.json b/Packs/soc-framework-nist-ir/xsoar_config.json
index 7b7993ec..f28f9bf7 100644
--- a/Packs/soc-framework-nist-ir/xsoar_config.json
+++ b/Packs/soc-framework-nist-ir/xsoar_config.json
@@ -1,8 +1,8 @@
 {
 "custom_packs": [
 {
- "id": "soc-framework-nist-ir-v1.0.7.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.0.7/soc-framework-nist-ir-v1.0.7.zip",
+ "id": "soc-framework-nist-ir-v1.1.0.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.1.0/soc-framework-nist-ir-v1.1.0.zip",
 "system": "yes"
 }
 ],
diff --git a/Packs/soc-optimization-unified/POST_CONFIG_README.md b/Packs/soc-optimization-unified/POST_CONFIG_README.md
index 6169c6ef..d202cb72 100644
--- a/Packs/soc-optimization-unified/POST_CONFIG_README.md
+++ b/Packs/soc-optimization-unified/POST_CONFIG_README.md
@@ -1,102 +1,75 @@ -# Completing the SOC Optimization XSIAM Tenant Configuration +# Post-Installation Configuration -Once the tenant configuration is pushed with either the [POV Companion application](https://pov-companion.ts.paloaltonetworks.com/tenant-configurations) or -the [xsiam-pov-automation](https://github.com/annabarone/xsiam-pov-automation/tree/main) setup.py script, the following -manual steps still need to be done: +After the pack is installed, these manual steps are required to complete the configuration. --- -## Quick Start -1. **Enable Auto Triage Job** - * Choose Auto Triage and Enable - * Refresh page and look for Running or Completed -2. **Configure Starring** - * Star Issues on Medium or Higher + has MITRE Tactic -![Starring_NIST_IR.png](../../docs/soc-optimization/Starring_NIST_IR.png) -3. **Configure Automation Trigger** - * NIST Incident Response Flow (800-61) - * Trigger playbook "EP_IR_NIST(800-61)" on Medium Severity or Higher Alerts - ![Automation_Trigger_NIST_IR.png](https://github.com/Palo-Cortex/soc-optimization/blob/main/images/Automation_Trigger_NIST_IR.png) ---- -## What Next? -1. XSIAM SOC Value Metrics Dashboard([Value Metrics](../../Documentation/Value_Metrics.md)) - * These require alerts with triggered playbooks tasks. -2. Customize Value Metrics tasks or playbooks "Use Cases" ([setValueTags_V3.md](../../Documentation/setValueTags_V3.md)) -3. Observe Playbooks running in Issues table. ---- - -## Troubleshooting -* Check xsiam_playbookmetrics_raw exists -- Once alerts start to flow and automation get triggered the JOB will start collecting metrics based on the JOB run interval. - -### Manual Configuration -#### 1 - Enable Job - Auto Triage +## Quick Start (5 minutes) -To guarantee the configuration does not interfere with existing tenants without the SC/DC’s understanding, -we have disabled the auto triage job by default. Once you are confident that the starred alerts for your -tenant are set up properly, please enable the job. 
+**1. Enable the Auto Triage job** +- Navigate to **Investigation & Response → Automation → Jobs** +- Find **JOB - Triage Alerts V3** → click **Enable** +- Refresh — status should show **Running** or **Completed** -1. Navigate to **Incident Response → Automation → Jobs** +**2. Configure the Starring Rule** +- Navigate to **Cases & Issues → Case Configuration → Starred Issues** +- Add rule: `Severity >= Medium` AND `Has MITRE Tactic` -2. Find the _Auto Triage_ Job - -3. Click **Enable** +**3. Configure the Automation Trigger** +- Navigate to **Investigation & Response → Automation → Automation Rules** +- Add rule: Run playbook **EP_IR_NIST (800-61)_V3** when `starred = true` --- -### Errored Jobs - -If either of the "_Auto Triage_" or "_Collect Playbook Metrics_" jobs show as _**Error**_ for their _Last Run status_ as seen in -this picture below, please follow these troubleshooting steps: -![Job Troubleshooting](../../docs/soc-optimization/job-troubleshooting.png) +## What to Check Next -#### Verify Job's Playbooks Exist in Library +**Value Metrics Dashboard** +- Navigate to **Dashboards → XSIAM SOC Value Metrics V3** +- Select a **7-day** window for reporting +- The dashboard requires alerts to have fired playbooks with tasks. Give it a few hours after your first starred alert processes. -1. In the Playbook Library (**Incident Response -> Automation -> Playbooks**), verify that these playbooks exist. - - JOB - Store Playbook Metrics in Dataset - JOB - Triage Alerts +**Shadow Mode** +- All Containment, Eradication, and Recovery actions default to Shadow Mode +- Actions are logged to the warroom and written to `xsiam_socfw_ir_execution_raw` but vendor commands are not executed +- To move individual actions to production, set `"shadow_mode": false` in `SOCFrameworkActions_V3` -If they don't exist, the custom content installation of the "SOC Framework" pack failed. 
+**Run a Health Check** +- Open any case and run the `SOCFWHealthCheck` script from the warroom +- It will report on integration instances, installed playbooks, jobs, and required lists -#### Check Job's Playbook Registered +--- -If the job's playbook shows as **"Missing/Deleted playbook"** in the job table even though the playbook exists in the library, -this may mean the job's playbook has not fully registered with the tenant yet. There is an observed timing gap between -when a custom content pack gets installed and when the custom content's playbook can be used in a job. To resolve this issue: +## Errored Jobs -1. Wait 30 to 60 minutes to give the tenant time to register the playbook +If **JOB - Triage Alerts V3** or **JOB - Store Playbook Metrics in Dataset V3** show as **Error**: -- If you return, hard refresh the page, and the playbook is still missing, you will need to manually create the job. We recommend -disabling the broken job and recreating it with the same parameters. +**Step 1 — Verify the playbooks are installed** -- If you return, hard refresh the page, and the job's playbook shows as the correct playbook but the _Last Run status_ still -shows as "**_Error_**", this is because the previous job runs need to be cleaned. These are the jobs that show as "Running". -Continue with these steps to clean the jobs. +In the Playbook Library (**Investigation & Response → Automation → Playbooks**), verify both playbooks exist: -2. In the top right corner of the Jobs screen, click the hamburger menu to **Switch to Detailed View**. +``` +JOB - Triage Alerts V3 +JOB - Store Playbook Metrics in Dataset V3 +``` -3. If you do not have any Job Runs that show as _**Completed**_, you need to verify that the playbook is registered: +If they are missing, the pack installation failed. Re-run the installer. - 1. Click **Run now** - - 2. Refresh the page - - 3. Click on the just-triggered Run ID - - 4. Toggle to "_Work Plan_" tab - - 5. 
Verify that the playbook was triggered for this alert. If not, you will need to manually recreate the job. +**Step 2 — Check for a registration timing gap** -4. After verifying that the playbook gets properly triggered, we need to clean up the previous runs. For each of the jobs -that show as "Running", do the following: +A known XSIAM behavior: there is sometimes a delay between when a custom content pack installs and when its playbooks become available to jobs. If the job shows **"Missing/Deleted playbook"** but the playbook exists in the library: - 1. Click on the Run ID - - 2. Toggle to the "Work Plan" tab - - 3. Click "Choose a playbook" +1. Wait 30–60 minutes +2. Hard-refresh the page +3. If the playbook now appears, click **Run now** to verify it executes - 4. Select "Close Alerts" or some other simple playbook that requires no input/output to close +**Step 3 — Clean stuck job runs** -5. Once you've completed close all running jobs, you should be good to go! +If previous job runs are stuck in **Running** status, clean them before enabling: +1. In the top-right corner of the Jobs screen, click the hamburger menu → **Switch to Detailed View** +2. For each run showing **Running**: + - Click the Run ID + - Go to the **Work Plan** tab + - Click **Choose a playbook** + - Select **SOC Close Cases V3** or another simple close playbook to terminate the run +3. Once all stuck runs are cleared, click **Enable** on the job diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml index 3bc68f42..2fcef8af 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml 
@@ -18,21 +18,21 @@ description: | dirtyInputs: true id: 'Foundation - Data Integrity_V3' inputSections: -- description: Generic group for inputs - inputs: [] - name: General (Inputs group) + - description: Generic group for inputs + inputs: [] + name: General (Inputs group) inputs: [] name: Foundation - Data Integrity_V3 outputSections: -- description: Generic group for outputs - name: General (Outputs group) - outputs: [] + - description: Generic group for outputs + name: General (Outputs group) + outputs: [] outputs: [] sourceplaybookid: Foundation - Upon Trigger starttaskid: "0" tags: -- SOC -- SOC_Framework_Unified + - SOC + - SOC_Framework_Unified tasks: "0": continueonerrortype: "" @@ -42,7 +42,7 @@ tasks: isoversize: false nexttasks: '#none#': - - "21" + - "21" note: false quietmode: 0 separatecontext: false @@ -107,7 +107,7 @@ tasks: wait: 1 nexttasks: '#none#': - - "8" + - "8" note: false quietmode: 0 separatecontext: true @@ -142,7 +142,7 @@ tasks: isoversize: false nexttasks: '#none#': - - "27" + - "27" note: false quietmode: 0 separatecontext: false @@ -181,7 +181,7 @@ tasks: wait: 1 nexttasks: '#none#': - - "28" + - "28" note: false quietmode: 0 scriptarguments: 
@@ -189,26 +189,40 @@ tasks: complex: accessor: tags} root: ${issue + filters: + - - operator: containsGeneral + left: + value: + simple: issue.tags + iscontext: true + right: + value: + simple: 'DS:' transformers: - - args: - limit: {} - replaceWith: - value: - simple: _ - toReplace: - value: - simple: ':' - operator: replace - - args: - limit: {} - replaceWith: - value: - simple: _ - toReplace: - value: - simple: / - operator: replace - - operator: toLowerCase + - args: + limit: {} + replaceWith: + value: + simple: _ + toReplace: + value: + simple: ':' + operator: replace + - args: + limit: {} + replaceWith: + value: + simple: _ + toReplace: + value: + simple: / + operator: replace + - operator: toLowerCase + - operator: getIndex + args: + index: + value: + simple: '0' product: simple: Fusion separatecontext: true @@ -243,7 +257,7 @@ tasks: isoversize: false nexttasks: '#none#': - - "18" + - "18" note: false quietmode: 0 separatecontext: false diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml index d6c15105..a4995d51 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml @@ -17,8 +17,8 @@ description: | Uses our alert fingerprinting - and compares the alert to the alert ledger If a duplicate is identified - the parent alert is recorded, and the alert resolves tags: -- SOC -- SOC_Framework_Unified + - SOC + - SOC_Framework_Unified starttaskid: "0" tasks: "0": @@ -34,7 +34,7 @@ tasks: playbooktaskmissingcomponent: nexttasks: '#none#': - - "10" + - "10" separatecontext: false continueonerrortype: "" view: |- 
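Review bot: The new `getIndex 0` transformer keeps only the first `DS:` tag, so an issue carrying two data-source tags has the second dropped silently, and an issue with no `DS:` tag yields an empty `product` value with no warning; that is probably the intended single-product semantics, but it is worth stating on the task, e.g. `description: Derives the Fusion product key from the first DS: tag on the issue; additional DS: tags are ignored.` More importantly, the sibling `Foundation - Product Classification_V3` change in this same commit normalizes the same `issue.tags` list with a `join` on `''` instead of `getIndex 0`, so the two Foundation playbooks will compute different product keys whenever more than one `DS:` tag is present. Pick one normalization (this one is the safer) and use it in both.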
@@ -97,30 +97,30 @@ tasks: playbooktaskmissingcomponent: nexttasks: '#error#': - - "17" + - "18" '#none#': - - "16" + - "16" scriptarguments: fromDate: complex: root: lists accessor: SOCOptimizationConfig_V3 transformers: - - operator: getField - args: - field: - value: - simple: Dedup - - operator: getField - args: - field: - value: - simple: fields - - operator: getField - args: - field: - value: - simple: DedupWindow + - operator: getField + args: + field: + value: + simple: Dedup + - operator: getField + args: + field: + value: + simple: fields + - operator: getField + args: + field: + value: + simple: DedupWindow minimunIncidentSimilarity: simple: "0.8" query: @@ -162,9 +162,9 @@ tasks: playbooktaskmissingcomponent: nexttasks: '#error#': - - "17" + - "18" '#none#': - - "8" + - "8" scriptarguments: closeNotes: simple: Auto-Close Duplicate @@ -205,12 +205,12 @@ tasks: playbooktaskmissingcomponent: nexttasks: '#error#': - - "17" + - "18" '#none#': - - "14" + - "14" scriptarguments: value: - simple: ${DBotFindSimilarIncidents.similarIncident.id} + simple: "🔁 **Duplicate alert detected** — current alert (${alert.id}) is the latest. Closing older duplicate(s): ${DBotFindSimilarIncidents.similarIncident.id}" separatecontext: false continueonerror: true continueonerrortype: errorPath @@ -242,20 +242,20 @@ tasks: playbooktaskmissingcomponent: nexttasks: '#default#': - - "8" + - "8" "yes": - - "15" + - "15" separatecontext: false conditions: - - label: "yes" - condition: - - - operator: isTrue - left: - value: - simple: DBotFindSimilarIncidents.isSimilarIncidentFound - iscontext: true - right: - value: {} + - label: "yes" + condition: + - - operator: isTrue + left: + value: + simple: DBotFindSimilarIncidents.isSimilarIncidentFound + iscontext: true + right: + value: {} continueonerrortype: "" view: |- { 
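Review bot: The new war-room text in `@@ -205,12 +205,12 @@` tells the analyst that the current alert `${alert.id}` "is the latest" and that the older duplicate(s) are being closed, but the playbook description at the top of this file says that when a duplicate is identified "the parent alert is recorded, and the alert resolves", and the close task in `@@ -162,9 +162,9 @@` carries `closeNotes: Auto-Close Duplicate` — if that task still closes the current alert, the message states the opposite of what happens and anyone auditing auto-closures will look at the wrong record. Suggest wording that follows the action, e.g. `simple: "🔁 **Duplicate alert detected** — this alert (${alert.id}) matches existing alert(s) ${DBotFindSimilarIncidents.similarIncident.id}; auto-closing this alert and recording the parent."`, or correct whichever side is wrong. Minor: this playbook references `${alert.id}` while the other Foundation playbooks in the commit use `issue.*`; if both resolve on XSIAM it is harmless, but worth keeping consistent.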
@@ -271,6 +271,43 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: b7e14f2c-3a8d-4901-bc56-d2f9a3e7c084 + type: regular + task: + id: b7e14f2c-3a8d-4901-bc56-d2f9a3e7c084 + version: -1 + name: Print Dedup Skipped Warning + description: Prints text to war room (Markdown supported) + scriptName: Print + type: regular + iscommand: false + brand: "" + playbooktaskmissingcomponent: + nexttasks: + '#none#': + - "17" + scriptarguments: + value: + simple: "⚠️ **Dedup skipped** — an error occurred during alert fingerprinting or dedup close. This alert was not evaluated for duplicates. Check the error log for details." + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 162.5, + "y": 760 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false "17": id: "17" taskid: c9a53716-a57b-4fae-8e00-d3508d482f51 @@ -286,7 +323,7 @@ tasks: playbooktaskmissingcomponent: nexttasks: '#none#': - - "8" + - "8" separatecontext: true continueonerrortype: "" view: |- @@ -313,6 +350,7 @@ view: |- "width": 717.5, "x": 50, "y": 50 + } } } diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml index 8a384172..7d9daaa4 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml @@ -17,8 +17,8 @@ name: Foundation - Product Classification_V3 description: Designed to get the product category (EndPoint, Network, Cloud SaaS, Cloud Workload, etc) from the list SOCProductCategoryMap_V3 tags: -- SOC -- SOC_Framework_Unified + - SOC + - SOC_Framework_Unified starttaskid: "0" tasks: "0": 
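Review bot: Task 18 only prints a warning; after it the flow continues to 17 and then 8 exactly as on the success path, so nothing in context records that fingerprinting or the dedup close failed, and downstream stages or any metrics built on the run cannot distinguish "dedup errored" from "no duplicate found". A context marker set on the same error branch — a `SetAndHandleEmpty` task between 18 and 17 writing `SOCFramework.Dedup.skipped` — would make skipped dedups queryable; a sketch is below. Also, task 18 sets `continueonerror: true` with `continueonerrortype: errorPath` but declares no `#error#` edge in `nexttasks`, so if `Print` itself errors there is no error branch to take; if the warning must never block the run, `continueonerrortype: ""` with `continueonerror: true` is the simpler choice, though I have not confirmed the engine's behavior for an errorPath without an `#error#` edge.

```yaml
  "18":
    # … unchanged: id/taskid/task (Print Dedup Skipped Warning), scriptarguments, view, flags …
    nexttasks:
      '#none#':
        - "19"
  "19":
    id: "19"
    type: regular
    task:
      name: Mark Dedup Skipped
      description: Records in context that dedup did not run for this alert.
      scriptName: SetAndHandleEmpty
      type: regular
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
        - "17"
    scriptarguments:
      key:
        simple: SOCFramework.Dedup.skipped
      value:
        simple: "true"
      append:
        simple: "false"
    separatecontext: false
    continueonerror: true
    continueonerrortype: ""
```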
@@ -35,7 +35,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "21" + - "21" separatecontext: false continueonerrortype: "" view: |- @@ -98,7 +98,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "24" + - "24" separatecontext: false continueonerrortype: "" view: |- @@ -138,12 +138,12 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "26" + - "26" '#none#': - - "27" - - "28" - - "29" - - "31" + - "27" + - "28" + - "29" + - "31" scriptarguments: append: simple: "false" @@ -153,28 +153,33 @@ tasks: complex: root: issue.tags filters: - - - operator: containsGeneral - left: - value: - simple: issue.tags - iscontext: true - right: - value: - simple: 'DS:' + - - operator: containsGeneral + left: + value: + simple: issue.tags + iscontext: true + right: + value: + simple: 'DS:' transformers: - - operator: toLowerCase - - operator: RegexReplace - args: - action_dt: {} - ignore_case: {} - multi_line: {} - output_format: - value: - simple: _ - period_matches_newline: {} - regex: - value: - simple: (?<=.)[^A-Za-z0-9](?=.) + - operator: toLowerCase + - operator: RegexReplace + args: + action_dt: {} + ignore_case: {} + multi_line: {} + output_format: + value: + simple: _ + period_matches_newline: {} + regex: + value: + simple: (?<=.)[^A-Za-z0-9](?=.) + - operator: join + args: + separator: + value: + simple: '' separatecontext: false continueonerror: true continueonerrortype: errorPath @@ -208,18 +213,18 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "8" + - "8" "yes": - - "30" + - "30" separatecontext: false conditions: - - label: "yes" - condition: - - - operator: isNotEmpty - left: - value: - simple: lists.SOCProductCategoryMap_V3 - iscontext: true + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: lists.SOCProductCategoryMap_V3 + iscontext: true continueonerrortype: "" view: |- { 
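Review bot: The `join` with an empty separator added at the end of the transformer chain in `@@ -153,28 +153,33 @@` collapses every `DS:` tag into one string, so an issue that carries two data-source tags produces a concatenated key (`ds_a` + `ds_b` → `ds_ads_b`) that cannot exist in `SOCProductCategoryMap_V3`; the `getField` lookups in the later hunks then return nothing, `SOCFramework.Product.category`/`type`/`confidence`/`response` stay empty and the issue falls through to the default routing with no indication of why. With a single tag the join is a no-op, which is presumably why it looked fine in testing. The sibling `Foundation - Data Integrity_V3` change in this commit resolves the same list with `getIndex 0`; using the same transformer here keeps the two Foundation outputs consistent and always yields a single real key.

```yaml
        transformers:
          - operator: toLowerCase
          # … unchanged: RegexReplace collapsing non-alphanumerics to _ …
          - operator: getIndex
            args:
              index:
                value:
                  simple: '0'
```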
@@ -251,7 +256,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "8" + - "8" separatecontext: true continueonerrortype: "" view: |- @@ -291,9 +296,9 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "26" + - "26" '#none#': - - "8" + - "8" scriptarguments: key: simple: SOCFramework.Product.type @@ -302,17 +307,17 @@ tasks: root: lists accessor: SOCProductCategoryMap_V3 transformers: - - operator: getField - args: - field: - value: - simple: SOCFramework.Product.key - iscontext: true - - operator: getField - args: - field: - value: - simple: type + - operator: getField + args: + field: + value: + simple: SOCFramework.Product.key + iscontext: true + - operator: getField + args: + field: + value: + simple: type separatecontext: false continueonerror: true continueonerrortype: errorPath @@ -353,9 +358,9 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "26" + - "26" '#none#': - - "8" + - "8" scriptarguments: key: simple: SOCFramework.Product.confidence @@ -364,17 +369,17 @@ tasks: root: lists accessor: SOCProductCategoryMap_V3 transformers: - - operator: getField - args: - field: - value: - simple: SOCFramework.Product.key - iscontext: true - - operator: getField - args: - field: - value: - simple: confidence + - operator: getField + args: + field: + value: + simple: SOCFramework.Product.key + iscontext: true + - operator: getField + args: + field: + value: + simple: confidence separatecontext: false continueonerror: true continueonerrortype: errorPath @@ -415,9 +420,9 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "26" + - "26" '#none#': - - "8" + - "8" scriptarguments: key: simple: SOCFramework.Product.response 
@@ -426,17 +431,17 @@ tasks: root: lists accessor: SOCProductCategoryMap_V3 transformers: - - operator: getField - args: - field: - value: - simple: SOCFramework.Product.key - iscontext: true - - operator: getField - args: - field: - value: - simple: response + - operator: getField + args: + field: + value: + simple: SOCFramework.Product.key + iscontext: true + - operator: getField + args: + field: + value: + simple: response separatecontext: false continueonerror: true continueonerrortype: errorPath @@ -476,7 +481,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "22" + - "22" scriptarguments: key: simple: SOCFramework.Product. @@ -519,9 +524,9 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#error#': - - "26" + - "26" '#none#': - - "8" + - "8" scriptarguments: key: simple: SOCFramework.Product.category @@ -530,17 +535,17 @@ tasks: root: lists accessor: SOCProductCategoryMap_V3 transformers: - - operator: getField - args: - field: - value: - simple: SOCFramework.Product.key - iscontext: true - - operator: getField - args: - field: - value: - simple: category + - operator: getField + args: + field: + value: + simple: SOCFramework.Product.key + iscontext: true + - operator: getField + args: + field: + value: + simple: category separatecontext: false continueonerror: true continueonerrortype: errorPath 
@@ -572,40 +577,40 @@ view: |- } } inputs: -- key: ProductKey - value: - simple: ${issue.tags.[0]} - required: true - description: Pass the product Data Source typically found here (i.e. issue.tags.[0]) - playbookInputQuery: null + - key: ProductKey + value: + simple: ${issue.tags.[0]} + required: false + description: Pass the product Data Source typically found here (i.e. issue.tags.[0]) + playbookInputQuery: null inputSections: -- inputs: - - ProductKey - name: General (Inputs group) - description: Generic group for inputs + - inputs: + - ProductKey + name: General (Inputs group) + description: Generic group for inputs outputSections: -- outputs: - - SOCFramework.Product.key - - SOCFramework.Product.category - - SOCFramework.Product.type - - SOCFramework.Product.confidence - name: General (Outputs group) - description: Generic group for outputs + - outputs: + - SOCFramework.Product.key + - SOCFramework.Product.category + - SOCFramework.Product.type + - SOCFramework.Product.confidence + name: General (Outputs group) + description: Generic group for outputs outputs: -- contextPath: SOCFramework.Product.key - description: Canonical resolved product key - type: string -- contextPath: SOCFramework.Product.category - description: High-level product category used for SOC routing (e.g. Endpoint, Identity, - Network). - type: string -- contextPath: SOCFramework.Product.type - description: More specific product type (e.g. EDR, NGFW, IDP, PAM). - type: string -- contextPath: SOCFramework.Product.confidence - description: Confidence level of the product classification (e.g. high, medium, - low). - type: string + - contextPath: SOCFramework.Product.key + description: Canonical resolved product key + type: string + - contextPath: SOCFramework.Product.category + description: High-level product category used for SOC routing (e.g. Endpoint, Identity, + Network). + type: string + - contextPath: SOCFramework.Product.type + description: More specific product type (e.g. 
EDR, NGFW, IDP, PAM). + type: string + - contextPath: SOCFramework.Product.confidence + description: Confidence level of the product classification (e.g. high, medium, + low). + type: string sourceplaybookid: Foundation - Upon Trigger dirtyInputs: true adopted: true diff --git a/Packs/soc-optimization-unified/README.md b/Packs/soc-optimization-unified/README.md index 14cb7f01..c28938e8 100644 --- a/Packs/soc-optimization-unified/README.md +++ b/Packs/soc-optimization-unified/README.md 
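Review bot: `ProductKey` is flipped from `required: true` to `required: false`, but nothing in the hunk adds a default or a guard, and the description still tells callers to pass `issue.tags.[0]`. In the visible tasks the product key is computed directly from `issue.tags` (the task whose value filters the tag list on `DS:`), so the input looks unused; if that is the case, say so, e.g. `description: Optional; kept for compatibility. The playbook derives the product key from the issue's DS: tags itself.` If it is read elsewhere in the playbook outside this view, an empty value would make the `getField` lookups on `lists.SOCProductCategoryMap_V3` return nothing and leave the product unclassified without a warning. Either way the description should state what happens when the input is empty.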
@@ -1,214 +1,204 @@ -# ⚙️ SOC Optimization Framework for Cortex XSIAM +# SOC Framework for Cortex XSIAM -This repository outlines a scalable SOC optimization approach tailored for Palo Alto Networks Cortex XSIAM. The goal is to reduce analyst fatigue, improve response time, and enable data-driven visibility into automation value. The solution is based on three core patterns and enhanced by modular design and operational safeguards. +The SOC Framework turns XSIAM into a structured, repeatable incident response machine. Every alert that matters gets normalized, enriched, analyzed, and — when you're ready — contained and remediated through a standardized NIST IR lifecycle. You control the pace. Shadow Mode lets the framework show you exactly what it *would* do without touching a single endpoint, making it safe to run in any environment from day one. --- -# Quick Setup -- Get started fast with Auto Triage + Incident Response Catch-All. -- These content packs get installed via the PoV Companion. +## Five Things Worth Understanding First ---- +### 1. Every alert runs through the same foundation -## 1. Enable Auto Triage -1. Read 👉 [Auto-Triage Usage](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/Documentation/Auto_Triage.md) To Understand How it Closes Cases -2. Investigation & Response → Automation → Jobs -3. Check Auto Triage -4. Click Enable Button +When a starred alert fires the entry point playbook, `Foundation - Upon Trigger V3` runs immediately — on every alert, every time. It normalizes artifacts, classifies the product category, deduplicates, and enriches before the analyst ever sees it. This is what eliminates the swivel-chair work. +### 2. The lifecycle follows NIST IR 800-61 -![Auto_Triage_Enable.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Auto_Triage_Enable.png) ---- +After the Foundation, alerts enter a structured lifecycle: -## 2. Configure Automation Rules -1. 
Navigate: **Investigation & Response → Automation → Automation Rules** -2. Add Rule: Run Entry Point Playbook called **EP_IR_NIST(800-61)** if `starred = True` +``` +Alert → Foundation → Analysis → Containment → Eradication → Recovery +``` - 👉 [Learn more about Entry Point playbooks](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/EntryPoints.md) +Each stage has a clear contract — a defined set of context keys it reads and writes. Containment doesn't guess what Analysis found; it reads `Analysis.verdict` and `Analysis.compromise_decision`. Each stage is independent and replaceable without touching the others. -![Default_Automation_Rules.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Default_Automation_Rules.png) - - **EP_IR_NIST(800-61)** is the *Incident Response Catch-All*. - - You can create more specific rules above this (e.g., Phishing based on MITRE Technique T1566). +→ [Lifecycle Contracts](./docs/contracts.md) ---- +### 3. Shadow Mode is the default — nothing executes until you say so -## 3. Configure Starring Rule -**Starred Issues define which alerts feed into Auto Triage.** -1. Navigate: **Cases & Issues → Case Configuration → Starred Issues** -2. Add Rule: Star alert if - - `Severity >= Medium` - - `Has MITRE Tactic` +Every Containment, Eradication, and Recovery action is registered in `SOCFrameworkActions_V3` with `shadow_mode: true`. The Universal Command (`SOCCommandWrapper`) reads that flag before doing anything. In shadow mode it: -![Starring_NIST_IR.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Starring_NIST_IR.png) +- Prints the action to the warroom so analysts can see exactly what would happen +- Writes the record to the `xsiam_socfw_ir_execution_raw` dataset for metrics +- Does **not** call the vendor command -## 4. XSIAM SOC Value Metric Dashboard -** Real-time metrics from PoV into production ** -1. Dashboards & Reports → Dashboard → XSIAM SOC Value Metrics -2. 
Select 7 Days (More realistic for SOC reporting) -![Value_Metrics.png](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Value_Metrics.png) +To move a specific action to production, set `shadow_mode: false` for that action in `SOCFrameworkActions_V3`. The switch is per-action — you can run isolation in production while credential resets stay in shadow. -*Tips:* -- Alerts must fire playbooks and playbook tasks must run before this dash works. -- Dataset = `xsiam_playbookmetrics_raw` +→ [Shadow Mode Detail](./docs/shadow_mode.md) ---- +### 4. The Universal Command abstracts vendor differences -# 🔁 Core Patterns +`SOCCommandWrapper` is a single script that handles every action across every vendor. When a playbook needs to isolate an endpoint, it calls `soc-isolate-endpoint`. The wrapper looks up which EDR is installed (CrowdStrike, Cortex, Defender, Trend Micro) and calls the right vendor command with the right arguments. Playbooks never contain vendor-specific logic. + +→ [Universal Command Reference](./docs/universal_command.md) + +### 5. Value metrics are built in from day one + +Every action that runs through `SOCCommandWrapper` is written to the `xsiam_socfw_ir_execution_raw` dataset. The `JOB - Store Playbook Metrics in Dataset V3` job collects task-level data and joins it against the `value_tags` lookup table. The result powers the **XSIAM SOC Value Metrics** dashboard — hours saved, vendor usage, automation coverage by category — without any custom configuration. + +→ [Value Metrics](./docs/value_metrics.md) --- -### 1. **Auto-Triage for Non-Starred Incidents** -- Incidents that are not marked with a star are automatically triaged using `JOB_-_Triage_Incidents.yml`. -- Ensures that high-volume, low-risk alerts are handled without manual intervention. +## Quick Setup + +These steps complete the configuration after the pack is installed. + +**1. 
Enable the Auto Triage job** -👉 [Auto-Triage Usage](https://github.com/Palo-Cortex/soc-optimization/tree/main/images/Auto_Triage.md) — Automatically closes non-priority incidents to reduce alert fatigue. +Auto Triage is disabled by default to protect existing tenants. -### 2. **Modular Playbooking with the `Upon Trigger`** -- The `Upon Trigger` playbook is the engine of modular decision-making. -- It divides alert processing into four logical stages: - - **Alert Triage** - - **Enrichment** - - **Auto Remediation** - - **Assessment and Escalation** -- This playbook dynamically decides whether to run in **Shadow Mode** (safe/test) or **Full Mode** (production) using contextual data. -> 🔄 **Modular playbooking starts with Entry Point playbooks** — Each MITRE Tactic has its own Entry Point (e.g., `EP_Execution`, `EP_InitialAccess`) that routes execution based on blue/green deployment state. This allows for seamless promotion and rollback of playbooks in production environments. -> -> 👉 [Learn more about Entry Point playbooks](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/EntryPoints.md) +- Navigate to **Investigation & Response → Automation → Jobs** +- Find **JOB - Triage Alerts V3** and click **Enable** -👉 [See when to use the Upon Trigger](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/Upon_Trigger.md) +This job automatically closes low-priority, non-starred alerts. Without it, your case queue will fill with noise. -![Modular Playbooking](https://github.com/Palo-Cortex/soc-optimization/blob/main/images/ModularPlaybooking.png) +→ [Auto Triage](./docs/auto_triage.md) -### 3. **Value Metrics for Automation Efficiency** -- The `JOB_-_Store_Playbook_Metrics_in_Dataset.yml` playbook collects key metrics and stores them in a dataset. -- Combined with the `value_tags` lookup table, metrics enable dashboards to measure: - - ⏱️ **Time saved** by XSIAM automations. 
- - 📊 **Time spent** by category (triage, enrichment, remediation, etc.). - - 🔌 **Vendor product usage** across automations. - - 🛠️ **Custom scripting vs. out-of-the-box content**. - - 📈 **Alert metrics per data source**: - - Alert volume - - Grouping effectiveness - - Auto-remediation success rate - - Analyst review backlog +**2. Set your starring rule** -👉 [See how to use the Value Metrics](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/Value_Metrics.md) +Starred alerts are what feed the NIST IR lifecycle. A reasonable default: -### 4. **Blue / Green Deployment Model** +- Navigate to **Cases & Issues → Case Configuration → Starred Issues** +- Add rule: `Severity >= Medium` **AND** `Has MITRE Tactic` -This script enables a **blue/green deployment strategy** for Cortex XSIAM playbooks using a centralized list called `PlaybookDeploymentMatrix`. +**3. Add the automation trigger** -Each Entry Point (EP) tracks: -- A `prod` playbook (live in production) -- A `green` playbook (staged for testing) +- Navigate to **Investigation & Response → Automation → Automation Rules** +- Add rule: Run playbook **EP_IR_NIST (800-61)_V3** when `starred = true` -##### ✅ Benefits -- 🔄 **Safe Playbook Promotion**: Easily test and promote playbooks without disrupting production. -- 🚫 **Instant Rollback**: Quickly revert if a green version causes issues. -- 🔍 **Clear Visibility**: View current deployment states via command. -- 🛡️ **Controlled Changes**: Use the `enabled` flag to gate deployment activity. +This is the catch-all. You can layer more specific rules above it (e.g., trigger a phishing-specific EP on T1566) — the catch-all handles everything else. -👉 [How to Use Blue / Green Deployment](https://github.com/Palo-Cortex/soc-optimization/blob/main/Documentation/Blue_Green.md) +**4. 
Verify the Value Metrics dashboard** -Additionally, all Entry Point playbooks are driven by **MITRE Tactic tags** and function as smart routers, pulling the correct playbook version based on deployment state. This supports safe DevOps-style promotion and rollback. +- Navigate to **Dashboards → XSIAM SOC Value Metrics V3** +- Select **7 days** for a realistic reporting window + +The dashboard will be empty until alerts fire playbooks and tasks run. Give it a few hours after setup. --- -## 🧩 Playbook Structure +## Components -### Main Playbooks: -- **Upon Trigger** – Modular logic engine for alert decisioning -- **Emergency Resolver** – Escalation logic for critical alert closures +### Foundation Playbooks -### Job Playbooks: -- **JOB_-_Triage_Incidents.yml** – Auto-triages non-starred incidents -- **JOB_-_Store_Playbook_Metrics_in_Dataset.yml** – Stores value metrics +These run on every alert. They are shared infrastructure — you do not modify them for individual use cases. ---- +| Playbook | Purpose | +|---|---| +| `Foundation - Upon Trigger V3` | Entry point for all alert processing. Calls the entire Foundation chain. 
| +| `Foundation - Normalize Artifacts V3` | Extracts and standardizes entities: user, endpoint, IP, hash, domain, URL | +| `Foundation - Product Classification V3` | Identifies the alert source category (Endpoint, Email, Identity, Network, SaaS, Workload) and routes to the correct lifecycle playbook | +| `Foundation - Enrichment V3` | Runs enrichment pipelines tailored to the classified product category | +| `Foundation - Dedup V3` | Suppresses duplicate alerts within the configured dedup window | +| `Foundation - Assessment V3` | Evaluates alert risk and determines escalation need | +| `Foundation - Escalation V3` | Handles escalation logic for critical or unresolved alerts | +| `Foundation - Environment Detection V3` | Detects tenant environment context used by shadow mode logic | +| `Foundation - Data Integrity V3` | Validates context key completeness before lifecycle handoff | +| `Foundation - Error Handling V3` | Catches and logs playbook errors without breaking the pipeline | +| `Foundation - Performance Capture V3` | Records timing data for MTTD/MTTC metrics | -## ⚙️ Configuration and Lists +### Job Playbooks -This framework uses system-level lists for dynamic context: +| Playbook | Purpose | +|---|---| +| `JOB - Triage Alerts V3` | Runs on a schedule. Closes non-starred alerts that meet triage criteria. Keeps the case queue clean. | +| `JOB - Store Playbook Metrics in Dataset V3` | Runs on a schedule. Collects task-level execution data and writes to `xsiam_playbookmetrics_raw` for the Value Metrics dashboard. | -- **`SOCOptimizationConfig_V3`** - Stores runtime configuration flags, such as enabling/disabling Shadow Mode. +### Communications Playbooks -- **`AssetTypes`** - Documents high-value or administrative assets to influence alert escalation. +Fire-and-forget side effects. Never block the main lifecycle flow. -- **`ProductionAssets`** - Controls which assets bypass Shadow Mode and receive live remediation. 
+| Playbook | Purpose | +|---|---| +| `SOC Comms Email V3` | Sends email notifications at configured lifecycle stages | +| `SOC Comms IM V3` | Sends instant message notifications (Slack, Teams, etc.) | +| `SOC Comms Ticketing V3` | Creates or updates tickets in integrated ticketing systems | -- **`JobUtilityBulkAlertCloserIDList`** - Used by the Emergency Resolver to safely close large volumes of alerts within thresholds. +### Scripts ---- +| Script | Purpose | +|---|---| +| `SOCCommandWrapper` | Universal Command. Reads `SOCFrameworkActions_V3` to determine the vendor command and shadow mode state for every action. The only script that calls vendor APIs. | +| `setValueTags_V3` | Tags playbook tasks for the value metrics system. Maps tasks to categories (enrichment, containment, eradication, etc.) and vendor. | +| `SOCFWHealthCheck` | Validates that required integrations, playbooks, jobs, and lists are correctly installed. Run this to diagnose a broken deployment. | -## 🧪 Shadow Mode Logic +### Configuration Lists -Shadow Mode is a key safety mechanism. It ensures actions like `isolate_endpoint` or `disable_user` are logged but **not executed** in test scenarios. Shadow Mode decisions are: -- Made in the `Upon Trigger` playbook. -- Stored in the incident’s data context. -- Controlled via `ProductionAssets` and `SOCOptimizationConfig_V3` lists. +| List | Purpose | +|---|---| +| `SOCFrameworkActions_V3` | Maps every SOC action (`soc-isolate-endpoint`, `soc-delete-file`, etc.) to vendor-specific commands and sets `shadow_mode` per action. **This is where you flip Shadow Mode to production.** | +| `SOCExecutionList_V3` | Controls which lifecycle playbooks are active and sets their `execute_branch`. | +| `SOCProductCategoryMap_V3` | Maps alert sources to product categories (Endpoint, Email, Identity, Network, SaaS, Workload, PAM, Data). Drives the routing in Product Classification. 
| +| `SOCOptimizationConfig_V3` | Runtime configuration for jobs: triage window, metrics lookback, dedup window. | +| `SOCFWConfig` | Framework-level configuration: required integration brands, entry point prefixes, required datasets. Used by health checks. | + +### Datasets + +| Dataset | Written by | Used for | +|---|---|---| +| `xsiam_socfw_ir_execution_raw` | `SOCCommandWrapper` | Records every action execution (shadow and production). Primary dataset for execution metrics. | +| `xsiam_playbookmetrics_raw` | `JOB - Store Playbook Metrics in Dataset V3` | Task-level execution data for the Value Metrics dashboard. | --- -## 📊 Metrics and Dashboards +## How Shadow Mode Works End to End -The metrics collected are designed to demonstrate **operational value**: +``` +Lifecycle playbook reaches a C/E/R action + → calls SOCCommandWrapper with action = "soc-isolate-endpoint" + → wrapper reads SOCFrameworkActions_V3 + entry: { "shadow_mode": true, "responses": { "CrowdstrikeFalcon": {...} } } + → shadow_mode is true: + warroom → "SHADOW MODE — cs-falcon-contain-host would have run" + dataset → xsiam_socfw_ir_execution_raw (execution_mode: "shadow") + vendor command → NOT called + → shadow_mode is false (production): + vendor command → called + dataset → xsiam_socfw_ir_execution_raw (execution_mode: "production") +``` -| Metric Type | Description | -|---------------------|-----------------------------------------------------------------------------| -| Time Saved | Total analyst time replaced by automation | -| Time Spent | Time breakdown across enrichment, triage, remediation, etc. | -| Vendor Usage | How often and where each vendor’s integration is leveraged | -| Custom Content Use | Measures reliance on custom scripts vs out-of-the-box playbooks | -| Alert Source Metrics| Insight per data source: volume, grouping, remediation, and leftovers | +To move to production for a specific action, edit `SOCFrameworkActions_V3` and set `"shadow_mode": false` for that action. 
No playbook changes required. --- -## 📷 Visual Overview +## Lifecycle Stage Contracts -![SOC Automation Foundation - Upon Trigger](https://github.com/Palo-Cortex/soc-optimization/blob/main/images/UponTrigger.jpg) +Each stage defines what context it expects to receive and what it promises to write before handing off to the next stage. These contracts are what make the Framework composable — a new use case can reuse existing stages as long as it honors the contracts. -> *Diagram illustrates the four-stage logic inside the Upon Trigger playbook: Alert Triage, Enrichment, Auto Remediation, and Assessment & Escalation.* +| Stage | Key inputs | Key outputs | +|---|---|---| +| **Foundation** | Raw alert fields | `SOCFramework.Artifacts.*`, `SOCFramework.Product.category`, `SOCFramework.Mitre.*` | +| **Analysis** | Foundation artifacts | `Analysis.verdict`, `Analysis.confidence`, `Analysis.compromise_decision` | +| **Containment** | Analysis verdict | `Containment.action`, `Containment.status`, `Containment.isolate_hosts` | +| **Eradication** | Containment status | `Eradication.files_removed`, `Eradication.persistence_removed`, `Eradication.success` | +| **Recovery** | Eradication success | `Recovery.restore_required`, `Recovery.restore_method`, `Recovery.status` | -## 🔧 Repository Structure and Usage +→ [Full Contract Reference](./docs/contracts.md) -``` -. -├── Supporting Playbooks -│ └── SOC Common Playbooks -│ -├── Optimization Layer (Optional) -│ ├── EP IR NIST (800-61) - Entry Point playbook for SOC NIST IR (800-61)_V3 -│ ├── SOC NIST IR (800-61)_V3 - Runs the NIST framework for incident response -│ ├── SOC Phishing - Generic v3 - Runs a one off Phishing playbook. -│ ├── EP MITRE Tactic - Entry Point playbook for MITRE Tactic playbooks. 
Allows for Blue / Green Deployments -│ ├── MITRE - Execution - Runs MITRE Execution automations -│ ├── MITRE - Initial Access - Runs MITRE Initial Access automations -│ └── JOB - Triage Alerts - Automatic Triage to close Low Fidelity Alerts -│ -├── Product Enhancements -│ ├── SOC ProofPoint TAP (Optional) -│ ├── SOC Microsoft Defender (Optional) -│ ├── SOC Microsoft Graph Security (Optional) -│ ├── SOC CrowdStrike Falcon (Optional) -│ └── ... -│ -├── scripts -│ ├── DeployPlaybook - Blue / Green Deployment Script -│ ├── EntryPointGBState - Blue / Green Router -│ ├── ShadowModeRouter_V3 - Conditional task script that runs the playbook in Full Run or Shadow Mode -│ ├── SOCNormalizeContext - Normalizeds Artifacts in Data Context (i.e. user, IPs, domains, urls, etc.) -│ └── setValueTags_V3 – Maintains `value_tags` table for metrics and dashboards -``` --- -## 📘 Description +## Troubleshooting + +**Dashboard is empty** +Alerts must fire playbooks and tasks must run before metrics appear. Confirm the automation trigger is configured and at least one starred alert has processed. Check `xsiam_playbookmetrics_raw` exists in your XQL dataset list. + +**Job shows as Error** +See the [Job Troubleshooting](./POST_CONFIG_README.md#errored-jobs) section. The most common cause is the playbook registering with a timing delay after pack install. Wait 30–60 minutes and try enabling the job again. -This repository enables modular, scalable playbook deployment in Cortex XSIAM, tailored for key SOC use cases. +**Actions not executing after flipping shadow mode** +Verify the integration instance is installed and the brand name in `SOCFrameworkActions_V3` matches the exact brand name of the configured instance in Settings → Integrations. -- **Use Case Playbooks** (NIST IR "Incident Response" (800-61) ) is the catch-all for operational support. -- **SOC Optimization** (optional) overlays efficiency patterns inspired by the Palo Alto Networks SOC to enhance all use case workflows. 
-- **Product Enhancement Packs** for `CrowdStrike Falcon` and `ProofPoint TAP` enrich detection and response capabilities by leveraging product-specific context in XSIAM. +**Run SOCFWHealthCheck** to get a structured diagnostic of your installation: +- Integration instances present and enabled +- Required playbooks installed +- Required jobs configured +- Required lists and datasets present diff --git a/Packs/soc-optimization-unified/ReleaseNotes/3_4_0.md b/Packs/soc-optimization-unified/ReleaseNotes/3_4_0.md new file mode 100644 index 00000000..b2404d96 --- /dev/null +++ b/Packs/soc-optimization-unified/ReleaseNotes/3_4_0.md 
@@ -0,0 +1,94 @@ +--- + +## SOC Framework Unified – Release Notes + +### Version 3.4.0 + +#### Overview + +This release extends the SOC Framework to the **Identity product category**, delivers targeted improvements to the **Foundation - Dedup** playbook, and fixes a critical product routing bug in **Foundation - Product Classification** that caused `SOCFramework.Product.*` context to be silently absent when alerts carried multiple tags. + +--- + +### New Features + +#### Identity Product Category — Full Lifecycle Coverage + +The Identity category is now registered as a first-class execution branch in the SOC Framework. + +- **`SOCExecutionList_V3`** — Added four Identity execution branches: `SOC Identity Analysis_V3`, `SOC Identity Containment_V3`, `SOC Identity Eradication_V3`, `SOC Identity Recovery_V3`. All branches default to `execute_branch: default` consistent with the existing per-category pattern. +- **`SOCFrameworkActions_V3`** — Added four Identity-specific Universal Command actions: `soc-clear-sessions`, `soc-reset-password`, `soc-revoke-tokens`, `soc-enable-user`. These actions are consumed by Identity C/E/R playbooks via `SOCCommandWrapper` and respect Shadow Mode. + +#### SOCFWHealthCheck Script + +New automation script `SOCFWHealthCheck` added to the pack. Provides on-demand health validation across four check categories: + +- Integration instances (brand and connection status) +- Installed playbooks (presence and adoption state) +- Scheduled jobs (enabled status) +- Required lists and datasets (existence and accessibility) + +Outputs a warroom markdown summary, a `CommandResults` table, and an optional dataset write to `socfw_health_checks` for PoV trend tracking across engagements. + +--- + +### Bug Fixes + +#### Foundation - Product Classification — Array tag handling (Critical) + +**Root cause:** `issue.tags` arrives as a native array (e.g. `["DS:CrowdStrike/Falcon_Event", "DOM:Security"]`). 
Task 22 ("Set New ProductKey from issue.tags") filtered for `DS:` tags correctly but stored the result as a single-element array rather than a scalar string. The downstream map lookup in task 31 (`getField` on `SOCProductCategoryMap_V3`) requires a scalar key and failed silently when handed an array, writing nothing to `SOCFramework.Product.*`. All phase container routing then fell through to DEFAULT because `SOCFramework.Product.category` was never set. + +**Fix:** Added a `join('')` transformer as the final step in the task 22 chain, after `toLowerCase` and `RegexReplace`. This collapses the single-element filtered array to a scalar string before `SetAndHandleEmpty` stores it, making the map lookup succeed consistently regardless of how many tags are present on the alert. + +**Impact:** Without this fix, product category routing was broken for any alert source that carries more than one tag in `issue.tags`. `SOCFramework.Product.category`, `SOCFramework.Product.type`, `SOCFramework.Product.confidence`, and `SOCFramework.Product.response` were all absent, causing all four phase containers (Analysis, Containment, Eradication, Recovery) to fall through to their DEFAULT branch. + +Additionally, `ProductKey` input on this playbook changed from `required: true` to `required: false`. The input is not used internally by the playbook — task 22 reads `issue.tags` directly — but the `required: true` declaration caused a hard error at sub-playbook invocation time when the caller passed a null value, preventing task 22 from ever running. + +--- + +### Improvements + +#### Foundation - Dedup — Warroom visibility + +**Duplicate detection print (Task 15)** +The warroom print on the duplicate detection path previously logged only the raw similar incident ID with no context. 
Updated to clearly state that the current alert is the latest survivor and identify which older duplicate IDs are being closed: + +> 🔁 **Duplicate alert detected** — current alert (`${alert.id}`) is the latest. Closing older duplicate(s): `${DBotFindSimilarIncidents.similarIncident.id}` + +**Error path warning (Task 18 — new)** +Added new task `Print Dedup Skipped Warning` on all error paths. When `DBotFindSimilarAlerts`, the print task, or `closeInvestigation` fails, a warroom message is written before routing to `Foundation - Error Handling_V3`: + +> ⚠️ **Dedup skipped** — an error occurred during alert fingerprinting or dedup close. This alert was not evaluated for duplicates. Check the error log for details. + +Flow is uninterrupted on all paths — `continueonerror: true` is retained throughout. + +--- + +### Known Issues + +#### Foundation - Dedup — Race condition on burst alerts (tracked for 3.5.0) + +When a large number of identical alerts arrive simultaneously and all playbooks start before any closures have completed, a race condition exists where alerts can close each other. In the worst case all alerts in the burst are closed with no survivor. The `continueonerror: true` on the close task provides partial protection but does not guarantee a survivor. + +**Root cause:** No timestamp guard exists. All concurrent playbook runs see the same set of open alerts and attempt to close each other. + +**Planned fix (3.5.0):** Add a timestamp guard condition between the similarity check and the close task. Before closing found duplicates, verify the current alert is newer than all found similar alerts (`alert.occurred >= MAX(similarIncident.occurred)`). If the current alert is older, close itself instead and exit. This makes the survivor deterministic — the newest alert always wins — and eliminates the wipe-all scenario entirely. 
+ +--- + +### Open Items (Target 3.4.1) + +- `Foundation - Normalize Artifacts V3` — Identity artifact fields (`SOCFramework.Artifacts.Identity.*`) pending addition +- `value_tags.json` — Identity `signal_type` entries for Universal Command metrics pending verification and addition +- `XSIAM_SOC_Value_Metrics_V3` — Identity metric widgets pending validation against `xsiam_socfw_ir_execution_raw` + +--- + +### Notes + +- `SOCFWHealthCheck` is designed to be run interactively from a case warroom during PoV engagements. It does not require a scheduled job. Dataset write to `socfw_health_checks` is optional and controlled by script argument. +- Foundation - Dedup changes are non-breaking. No playbook inputs, outputs, or contracts changed. Drop-in replacement. +- Identity playbooks (`SOC Identity Analysis_V3` etc.) live in `soc-framework-nist-ir`. This pack ships only the execution list branches and action map entries required to support them. +- Foundation - Product Classification fix is non-breaking. No inputs, outputs, or contracts changed. The `ProductKey` input default value (`${issue.tags.[0]}`) is unchanged — only `required` flag and internal task 22 transformer chain were modified. + +--- diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index 77dccb5a..d717897c 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "community", - "currentVersion": "3.3.17", + "currentVersion": "3.4.0", "author": "Palo Alto Networks", "url": "https://github.com/Palo-Cortex/soc-optimization-unified", "email": "", 
diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index 61d15f0e..313b7951 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json @@ -7,13 +7,13 @@ ], "custom_packs": [ { - "id": "soc-optimization-unified-v3.3.17.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.3.17/soc-optimization-unified-v3.3.17.zip", + "id": "soc-optimization-unified-v3.4.0.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.4.0/soc-optimization-unified-v3.4.0.zip", "system": "yes" }, { - "id": "soc-optimization-unified-v3.3.17.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.3.17/soc-optimization-unified-v3.3.17.zip", + "id": "soc-optimization-unified-v3.4.0.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.4.0/soc-optimization-unified-v3.4.0.zip", "system": "yes" } ], diff --git a/TOOLING.md b/TOOLING.md new file mode 100644 index 00000000..0c89dcbe --- /dev/null +++ b/TOOLING.md 
@@ -0,0 +1,356 @@
+# SOC Framework — Tooling & CI Reference
+
+This document covers the local development workflow, every tool in `tools/`, and the two CI pipelines. It is the single source of truth for how content moves from your editor to a customer tenant.
+
+---
+
+## Daily Workflow (Short Version)
+
+```
+Edit content
+ → pack_prep.py # normalize + validate
+ → fix_errors.py # fix what SDK reported (only if errors)
+ → upload_package.sh # push directly to your dev tenant
+ → (repeat until clean)
+
+Ready to deploy to QA?
+ → bump_pack_version.py # increment version — this triggers CI
+ → git commit + push PR # CI builds, validates, deploys to QA tenant
+
+Ready to update PoV Companion / Package Manager?
+ → build_pack_catalog.py # update pack_catalog.json
+ → commit pack_catalog.json
+```
+
+---
+
+## Tool Reference
+
+### `pack_prep.py` — Normalize and validate a pack
+
+**What it does:**
+1. Runs `normalize_ruleid_adopted.py --fix` on the pack to enforce correlation rule IDs, `adopted: true` on playbooks, correct `packID` in `contentitemfields`, and required pack root files.
+2. Runs `demisto-sdk validate -i ` and appends all output to `output/sdk_errors.txt`.
+3. Exits non-zero if validation fails.
+
+**Usage:**
+```bash
+python3 tools/pack_prep.py Packs/
+
+# Examples
+python3 tools/pack_prep.py Packs/soc-framework-nist-ir
+python3 tools/pack_prep.py Packs/soc-optimization-unified
+```
+
+**Run this every time you add or change content.** It is the required first step before uploading. The CI `validate` job runs the same steps — if `pack_prep.py` passes locally, the CI job should pass too.
+
+**Output:**
+- `output/sdk_errors.txt` — SDK validation output. Created on first error; appended on subsequent runs. Clear it between sessions if you want a clean log.
+- Exit code `0` = clean. Exit code `1` = errors written to `sdk_errors.txt`.
+
+---
+
+### `fix_errors.py` — Auto-fix SDK validation errors
+
+**What it does:**
+
+Reads `output/sdk_errors.txt` line by line and automatically repairs known error categories. There are two pass types:
+
+**Pre-flight (manual fix required — no auto-repair possible):**
+
+| Condition | What to do |
+|---|---|
+| Pydantic `ValidationError` block | A List descriptor `.json` file is missing one or more required fields. Fix the descriptor manually. Required fields: `id`, `name`, `display_name`, `type` — all must match the list name exactly. |
+| List descriptor scan | Walks all `Packs/**/Lists/**/*.json` (non-`_data.json`) files and prints specific paths and missing fields. |
+
+**Per-line auto-fixes:**
+
+| Error code | What gets fixed |
+|---|---|
+| Parsing error (`NoneType`) | JSON Dashboard/Layout with `null` array fields — set to `[]`. |
+| Layout group `"alert"` / `"incidents"` | Changed to `"incident"`. |
+| `PA128` | Creates missing `.secrets-ignore`, `.pack-ignore`, and `README.md` in the pack root. |
+| `BA101` | Sets `id` equal to `name` (textual edit only — YAML is never re-serialized). |
+| `BA106` | Bumps `fromversion` to the minimum required value (textual for YAML, structured edit for JSON). |
+| `BA102` | Runs `demisto-sdk format --assume-yes` on the file. **Skipped for Script YAMLs** (files containing embedded Python) — prints a manual fix instruction instead to avoid corrupting indentation in `script: |-` blocks. |
+
+**Usage:**
+```bash
+python3 tools/fix_errors.py output/sdk_errors.txt
+
+# Dry run — shows what would change without writing files
+python3 tools/fix_errors.py output/sdk_errors.txt --dry-run
+```
+
+**Typical loop:**
+```bash
+python3 tools/pack_prep.py Packs/ # run SDK, write sdk_errors.txt
+python3 tools/fix_errors.py output/sdk_errors.txt # auto-fix what it can
+python3 tools/pack_prep.py Packs/ # re-run — repeat until clean
+```
+
+**What it will not fix:**
+- Pydantic errors (no file path available in SDK output — find the file manually from the pre-flight scan).
+- BA102 on Script YAMLs (embedded Python — fix the specific field manually).
+- Errors not matched by its regex patterns (review `sdk_errors.txt` directly for anything not reported as fixed).
+
+---
+
+### `upload_package.sh` — Upload a pack directly to your dev tenant
+
+**What it does:**
+
+Runs `demisto-sdk upload` with the correct flags for XSIAM:
+- `--marketplace marketplacev2` — required for XSIAM; omitting this causes silent skip with no error.
+- `-x` (`--insecure`) — bypasses SSL verification for lab/dev tenants.
+- `-z` (`--zip`) — packages the pack before upload.
+- `--console-log-threshold DEBUG` — verbose output so you can see exactly what was skipped or rejected.
+
+**Usage:**
+```bash
+bash tools/upload_package.sh Packs/
+
+# Or run without an argument — it will prompt you
+bash tools/upload_package.sh
+```
+
+**Prerequisites:** `DEMISTO_BASE_URL` and `DEMISTO_API_KEY` (or `XSIAM_AUTH_ID`) must be set in your environment or `.env`. The script changes to the git root automatically so relative paths resolve correctly.
+
+**When to use:** After `pack_prep.py` passes cleanly. This is your inner-loop shortcut — faster than waiting for CI to deploy.
+
+---
+
+### `bump_pack_version.py` — Increment pack version and update all URLs
+
+**What it does:**
+
+1. Prompts you to choose a version bump type:
+ - `R` (Revision) — backwards compatible bug fix → `X.Y.Z+1`
+ - `M` (Minor) — new backwards compatible functionality → `X.Y+1.0`
+ - `J` (Major) — breaking changes or significant additions → `X+1.0.0`
+2. Updates `pack_metadata.json` with the new version.
+3. Updates `xsoar_config.json`:
+ - `version` field (top-level, if present)
+ - `custom_packs[].url` — regenerated from the pack directory name and new version
+ - `custom_packs[].id` — regenerated to match the zip filename
+ - `pre_config_docs[].url` / `post_config_docs[].url` — corrected to point at the current repo and pack directory
+
+The pack directory name is the source of truth for the zip URL. If the directory was ever renamed, `bump_pack_version.py` will silently correct the stale name in `xsoar_config.json`.
+
+**Usage:**
+```bash
+python3 tools/bump_pack_version.py Packs/
+
+# Example
+python3 tools/bump_pack_version.py Packs/SocFrameworkCrowdstrikeFalcon
+```
+
+**This is the trigger for CI deployment to QA.** The PR gate detects a version change in `pack_metadata.json` and runs the full validation + deploy pipeline. Without a version bump, CI skips the pack even if you changed content inside it.
+
+**After running:**
+```bash
+git add Packs//pack_metadata.json Packs//xsoar_config.json
+git commit -m "Bump to vX.Y.Z"
+# Then open a PR — CI takes it from here
+```
+
+---
+
+### `build_pack_catalog.py` — Rebuild the pack catalog
+
+**What it does:**
+
+Walks every directory under `Packs/` that contains a `pack_metadata.json` and writes `pack_catalog.json` at the repo root. Used by the PoV Companion and Package Manager to discover available packs and their install URLs.
+
+For each pack it captures:
+- `id` — the directory name under `Packs/`
+- `display_name` — from `pack_metadata.json`
+- `version` — from `pack_metadata.json`
+- `path` — relative path to the pack directory
+- `visible` — preserved from the existing catalog if present; defaults to `false` for new packs
+- `xsoar_config` — raw `githubusercontent.com` URL to `xsoar_config.json` if the file exists, otherwise `null`
+
+**Usage:**
+```bash
+python3 tools/build_pack_catalog.py
+
+# Optional overrides (defaults are correct for this repo)
+python3 tools/build_pack_catalog.py \
+ --packs-dir Packs \
+ --catalog pack_catalog.json \
+ --org Palo-Cortex \
+ --repo secops-framework \
+ --ref refs/heads/main
+```
+
+**Run this after a version bump is merged** to update the catalog so PoV Companion and Package Manager see the new version. Commit the resulting `pack_catalog.json`.
+
+**Catalog updates are always manual.** Run this after a version bump is merged, then commit `pack_catalog.json`. There is no CI automation for the catalog — see backlog.
+
+---
+
+### `validate_playbooks.py` — Playbook integrity check (on-demand)
+
+Validates integration references, orphaned playbooks, missing lists, and sub-playbook dependency chains across all packs. Run this when adding a new playbook or wiring a new integration to catch missing `xsoar_config.json` entries before upload.
+
+```bash
+python3 tools/validate_playbooks.py --root Packs/soc-optimization-unified
+```
+
+Full documentation in `PLAYBOOK_VALIDATION.md`.
+
+---
+
+### `validate_shadow_mode.py` — PoV safety check (pre-commit, local only)
+
+Checks that every C/E/R (Containment, Eradication, Recovery) playbook is correctly wired for action-list shadow mode. Intended as a local pre-commit guard, not a CI gate.
+
+```bash
+python3 tools/validate_shadow_mode.py --all \
+ --actions-list Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
+```
+
+This is also configured in `.pre-commit-config.yaml` and runs automatically on `git commit` if you have pre-commit installed (`pip install pre-commit && pre-commit install`).
+
+---
+
+## CI Pipeline Reference
+
+Two workflows live in `.github/workflows/`. They are complementary — the PR gate validates before merge, the release workflow promotes after merge.
+
+---
+
+### `soc-packs-pr-gate.yml` — Runs on every PR targeting `main`
+
+All jobs must pass before the PR can be merged.
+
+**Trigger:** `pull_request` → `main` (opened, synchronize, reopened)
+
+**Change detection:** The pipeline only processes packs where `pack_metadata.json` version changed relative to `main`. Unchanged packs are skipped entirely. This means **a version bump is required for CI to pick up your changes**.
+
+| Job | Depends on | What it does |
+|---|---|---|
+| `scan` | — | Diffs the PR against `main` and checks for patterns listed in `Lists/customer-identifiers.json`. Blocks if any customer-specific data is found. |
+| `detect` | — | Finds packs with a version bump. Outputs the pack list for downstream jobs. If no packs changed, all downstream jobs are skipped. |
+| `validate` | detect | Runs `normalize_ruleid_adopted.py --fix` then `demisto-sdk validate` on each changed pack. Same logic as `pack_prep.py`. |
+| `preflight` | detect, validate | Runs `preflight_xsoar_config.py` — checks `xsoar_config.json` zip URL format and doc URL reachability. |
+| `prerelease` | detect, preflight | Builds a zip via `demisto-sdk prepare-content --marketplace marketplacev2`. Creates an ephemeral GitHub prerelease tagged `-v-pr`. Also uploads a modified `xsoar_config.json` pointing at the prerelease zip URL. |
+| `deploy-dev` | detect, prerelease | Deploys to the QA tenant using the prerelease `xsoar_config.json` URL. Uses the `xsiam-pov-automation` helper repo. |
+
+**Prerelease tags** are ephemeral. Every push to the PR overwrites them. They are superseded when the PR merges and the release workflow creates the real immutable tag.
+
+---
+
+### `soc-packs-release.yml` — Runs on push to `main`
+
+**Trigger:** `push` → `main` (post-merge)
+
+**Skip flags:** Commits with `[skip ci]` or `[skip release]` in the message bypass the release job entirely.
+
+| Job | Depends on | What it does |
+|---|---|---|
+| `release` | — | Same change detection as the PR gate. Builds zip, creates an immutable GitHub release tagged `-v`. This is the production artifact. |
+| `deploy` | release | Deploys the immutable release to the tenant. |
+| ~~`catalog`~~ | ~~release, deploy~~ | **Dead — do not use.** References `tools/update_pack_catalog.py` which does not exist. Job will fail at runtime if the `pack-catalog-gate` approval is ever granted. See backlog. |
+
+---
+
+## Environment Variables and Secrets
+
+| Variable | Used by | Purpose |
+|---|---|---|
+| `DEMISTO_BASE_URL` | upload_package.sh, deploy jobs | Your XSIAM tenant URL |
+| `DEMISTO_API_KEY` | upload_package.sh, deploy jobs | API key for the tenant |
+| `XSIAM_AUTH_ID` | deploy jobs (CI) | Advanced auth ID for XSIAM API |
+| `DEMISTO_SDK_IGNORE_CONTENT_WARNING` | all SDK calls | Suppresses non-fatal SDK warnings that would otherwise pollute logs |
+| `GH_TOKEN` / `GITHUB_TOKEN` | prerelease, release jobs | GitHub token for creating releases |
+
+For local use, set `DEMISTO_BASE_URL` and `DEMISTO_API_KEY` in your shell or a `.env` file. `upload_package.sh` picks these up automatically via the SDK.
+
+---
+
+## Common Issues
+
+**`output/sdk_errors.txt` keeps growing**
+
+The file is appended to, not overwritten. Delete or truncate it between sessions:
+```bash
+rm output/sdk_errors.txt
+```
+
+**CI skipped my pack even though I changed content**
+
+The pipeline detects changes by comparing `pack_metadata.json` version between the PR branch and `main`. If the version didn't change, the pack is skipped. Run `bump_pack_version.py` and re-push.
+
+**`demisto-sdk upload` succeeded but content didn't appear in the tenant**
+
+The most common cause is a missing `--marketplace marketplacev2`. The SDK silently skips XSIAM-incompatible content without this flag. `upload_package.sh` always includes it.
+
+**BA102 was not auto-fixed on a Script YAML**
+
+`fix_errors.py` intentionally skips `demisto-sdk format` on any YAML containing embedded Python (`script: |-` or `type: python`). Running format on these files can corrupt indentation in the script block, breaking the automation. Fix the BA102 error manually in the specific field the SDK flagged.
+
+**Pydantic `ValidationError` from a List descriptor**
+
+The SDK emits these before per-file error lines with no file path. The pre-flight scan in `fix_errors.py` will identify the specific `.json` descriptor file missing required fields. All four fields are required and must be non-null: `id`, `name`, `display_name`, and `type`.
+
+---
+
+## Backlog
+
+Known issues and deferred cleanup work. These are not blocking current PoV delivery but should be addressed before the tooling is used by anyone outside this project.
+
+---
+
+### BL-001 · Remove dead `catalog` job from `soc-packs-release.yml`
+
+**File:** `.github/workflows/soc-packs-release.yml`
+
+The `catalog` job (Job 3) references `tools/update_pack_catalog.py`, which does not exist. The script was part of an earlier design that automated catalog updates on every merge. That approach caused Git flow instability and was abandoned. The job was never removed from the workflow.
+
+**Risk:** If someone approves the `pack-catalog-gate` environment gate in GitHub, the job will fire and immediately fail with a missing file error. No functional harm — the deploy has already succeeded by that point — but it will generate a confusing pipeline failure.
+
+**Fix:** Delete the `catalog` job block from `soc-packs-release.yml` and remove `pack-catalog-gate` from the GitHub environments list.
+
+---
+
+### BL-002 · `validate_shadow_mode.py` has edge cases that silently pass
+
+**File:** `tools/validate_shadow_mode.py`
+
+The script has five gaps identified during review. None of these break current behavior because the runtime architecture (SOCCommandWrapper reading from the action list) is the real enforcement layer. These gaps only matter if the script is ever relied on as a hard guarantee.
+
+**Gap 1 — `UNKNOWN_ACTION` skips Check 3 silently**
+If a UC task has no `action` argument, or uses a `complex` expression instead of `simple`, the action resolves to `UNKNOWN_ACTION` and the action-list registration check is skipped entirely. The task reaches the wrapper at runtime with no `shadow_mode` entry to read.
+
+**Gap 2 — Actions list load failure is a soft warning, not a hard exit**
+If the path to `SOCFrameworkActions_V3_data.json` is wrong or the file is missing, `load_actions_list` returns an empty dict and prints a warning. Because Check 3 only runs when `actions_map` is truthy, the entire check is silently skipped for every file. The most important check becomes optional by accident.
+
+**Gap 3 — `shadow_mode` presence is checked but not value**
+An action entry with `"shadow_mode": "false"` passes Check 3. For C/E/R actions in a PoV context the value needs to be `"true"`, not just the key to exist.
+
+**Gap 4 — Filename-only classifier misses non-standard names**
+`is_cer_playbook` matches on `Containment`, `Eradication`, or `Recovery` in the filename. A containment action named without one of those words (e.g., `SOC_Endpoint_Block_V3.yml`) is invisible to the scanner. The script has no awareness of the playbook's YAML `type` field or call hierarchy position.
+
+**Gap 5 — SOCCommandWrapper detection is fragile to YAML normalization**
+The wrapper is detected by checking `task.scriptName` and `task.script` for the string `SOCCommandWrapper`. After `demisto-sdk` normalization rewrites a playbook, the field structure can change and the detection can miss the task.
+
+**Fix:** Address Gaps 1–3 in the script (straightforward). Accept Gaps 4–5 as limitations of static filename analysis and document them. The script is most valuable as a local pre-commit check, not a CI hard gate.
+
+---
+
+### ~~BL-003~~ ✅ RESOLVED · Shadow mode job removed from `soc-packs-pr-gate.yml`
+
+The `shadow-mode` job (formerly Job 5) has been removed from `soc-packs-pr-gate.yml`. The `prerelease` job `needs` is restored to `[detect, preflight]` and jobs are renumbered 1–6. The `validate_shadow_mode.py` script remains wired as a pre-commit hook in `.pre-commit-config.yaml` for local use.
+
+---
+
+### BL-004 · `output/sdk_errors.txt` is appended-to, never cleared by tooling
+
+**File:** `tools/pack_prep.py`, `output/sdk_errors.txt`
+
+`pack_prep.py` appends SDK output to `output/sdk_errors.txt` on every run. There is no automated truncation. Over time the file accumulates errors from multiple sessions and packs, making it harder to read and causing `fix_errors.py` to attempt repairs on stale entries that no longer correspond to actual files.
+
+**Risk:** Low — `fix_errors.py` skips missing files gracefully. But a stale log can print misleading output and makes debugging harder.
+
+**Fix:** Either truncate the file at the start of each `pack_prep.py` run, or write per-pack named files (e.g., `output/sdk_errors_.txt`) so runs don't bleed into each other.
diff --git a/pack_catalog.json b/pack_catalog.json
index bb801708..720165d4 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -67,7 +67,7 @@
 {
 "id": "soc-framework-nist-ir",
 "display_name": "SOC Framework NIST IR (800-61)",
- "version": "1.0.7",
+ "version": "1.1.0",
 "path": "Packs/soc-framework-nist-ir",
 "visible": false,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-nist-ir/xsoar_config.json"
@@ -83,7 +83,7 @@
 {
 "id": "soc-optimization-unified",
 "display_name": "SOC Framework Unified",
- "version": "3.3.17",
+ "version": "3.4.0",
 "path": "Packs/soc-optimization-unified",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"