diff --git a/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml b/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml
index d30d3001..f2200391 100644
--- a/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml
+++ b/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml
@@ -38,10 +38,10 @@ alert_fields:
   trendmicrovisiononexdrpriorityscore: score
   userid: user_id
 alert_name: Trend Micro - $alert_name
-alert_type: null
-crontab: null
+alert_type:
+crontab:
 dataset: alerts
-description: null
+description:
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
 global_rule_id: SOC Trend Micro Vision One V3
@@ -52,126 +52,14 @@ mapping_strategy: CUSTOM mitre_defs: {} name: SOC Trend Micro Vision One V3 rule_id: 0 -search_window: null +search_window: severity: User Defined -simple_schedule: null -suppression_duration: null +simple_schedule: +suppression_duration: suppression_enabled: false -suppression_fields: null -timezone: null -user_defined_category: null +suppression_fields: +timezone: +user_defined_category: user_defined_severity: severity -xql_query: "dataset = trend_micro_vision_one_v3_generic_alert_raw\n| filter alert_provider\ - \ = \"SAE\"\n\n| alter j = _alert_data -> raw_json\n\n/* --- MITRE technique (cheap)\ - \ --- */\n| alter j_str = to_string(j)\n| alter mitre_technique_id_raw =\n json_extract_scalar(j_str,\ - \ \"$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]\")\n| alter j_str\ - \ = null\n\n| alter mitre_ids_str =\n if(\n mitre_technique_id_raw != null\ - \ and mitre_technique_id_raw != \"\",\n replace(replace(mitre_technique_id_raw,\ - \ \"\\\"\",\"\"), \"\\\\.[0-9]+$\",\"\"),\n \"\u2014\"\n )\n| alter mitre_ids_str\ - \ =\n if(mitre_ids_str contains \".\", arrayindex(regextract(mitre_ids_str, \"\ - (.*)\\.\"), 0), mitre_ids_str)\n\n/* --- MITRE Tactics Arrays ---- */\n| alter ta0043_reconnaissance\ - \ = arraycreate(\"T1590\",\"T1591\",\"T1592\",\"T1593\",\"T1594\",\"T1595\"\ - ,\"T1596\",\"T1597\",\"T1598\",\"T1599\")\n| alter ta0042_resource_development =\ - \ arraycreate(\"T1583\",\"T1584\",\"T1585\",\"T1586\",\"T1587\",\"T1650\")\n| alter\ - \ ta0001_initial_access = arraycreate(\"T1078\",\"T1189\",\"T1190\",\"T1195\"\ - ,\"T1133\",\"T1200\",\"T1566\",\"T1091\")\n| alter ta0002_execution =\ - \ arraycreate(\"T1059\",\"T1106\",\"T1047\",\"T1203\",\"T1129\",\"T1559\")\n| alter\ - \ ta0003_persistence = arraycreate(\"T1547\",\"T1543\",\"T1136\",\"T1505\"\ - ,\"T1053\",\"T1078\")\n| alter ta0004_privilege_escalation = arraycreate(\"T1548\"\ - ,\"T1068\",\"T1078\",\"T1055\",\"T1134\")\n| alter ta0005_defense_evasion =\ - \ 
arraycreate(\"T1027\",\"T1070\",\"T1218\",\"T1140\",\"T1562\",\"T1036\",\"T1055\"\ - )\n| alter ta0006_credential_access = arraycreate(\"T1003\",\"T1555\",\"T1552\"\ - ,\"T1110\",\"T1621\")\n| alter ta0007_discovery = arraycreate(\"T1082\"\ - ,\"T1083\",\"T1046\",\"T1057\",\"T1016\",\"T1049\",\"T1033\")\n| alter ta0008_lateral_movement\ - \ = arraycreate(\"T1021\",\"T1210\",\"T1091\",\"T1072\")\n| alter ta0009_collection\ - \ = arraycreate(\"T1005\",\"T1039\",\"T1113\",\"T1114\",\"T1115\")\n|\ - \ alter ta0011_command_and_control = arraycreate(\"T1071\",\"T1095\",\"T1105\"\ - ,\"T1571\",\"T1572\",\"T1041\")\n| alter ta0010_exfiltration = arraycreate(\"\ - T1041\",\"T1567\",\"T1020\")\n| alter ta0040_impact = arraycreate(\"\ - T1485\",\"T1486\",\"T1490\",\"T1499\",\"T1561\")\n\n/* --- Match Tactic Name + ID\ - \ --- */\n| alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, \"Impact\"\ - )\n| alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, \"Exfiltration\"\ - , mitre_tactic)\n| alter mitre_tactic = if (ta0011_command_and_control contains\ - \ mitre_ids_str, \"Command and Control\", mitre_tactic)\n| alter mitre_tactic =\ - \ if (ta0009_collection contains mitre_ids_str, \"Collection\", mitre_tactic)\n\ - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, \"Lateral\ - \ Movement\", mitre_tactic)\n| alter mitre_tactic = if (ta0007_discovery contains\ - \ mitre_ids_str, \"Discovery\", mitre_tactic)\n| alter mitre_tactic = if (ta0006_credential_access\ - \ contains mitre_ids_str, \"Credential Access\", mitre_tactic)\n| alter mitre_tactic\ - \ = if (ta0005_defense_evasion contains mitre_ids_str, \"Defense Evasion\", mitre_tactic)\n\ - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, \"\ - Privilege Escalation\", mitre_tactic)\n| alter mitre_tactic = if (ta0003_persistence\ - \ contains mitre_ids_str, \"Persistence\", mitre_tactic)\n| alter mitre_tactic =\ - \ if (ta0002_execution contains 
mitre_ids_str, \"Execution\", mitre_tactic)\n| alter\ - \ mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, \"Initial Access\"\ - , mitre_tactic)\n| alter mitre_tactic = if (ta0042_resource_development contains\ - \ mitre_ids_str, \"Resource Development\", mitre_tactic)\n| alter mitre_tactic =\ - \ if (ta0043_reconnaissance contains mitre_ids_str, \"Reconnaissance\", mitre_tactic)\n\ - \n| alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, \"TA0040\"\ - )\n| alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, \"\ - TA0010\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0011_command_and_control\ - \ contains mitre_ids_str, \"TA0011\", mitre_tactic_id)\n| alter mitre_tactic_id\ - \ = if (ta0009_collection contains mitre_ids_str, \"TA0009\", mitre_tactic_id)\n\ - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, \"\ - TA0008\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0007_discovery contains\ - \ mitre_ids_str, \"TA0007\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0006_credential_access\ - \ contains mitre_ids_str, \"TA0006\", mitre_tactic_id)\n| alter mitre_tactic_id\ - \ = if (ta0005_defense_evasion contains mitre_ids_str, \"TA0005\", mitre_tactic_id)\n\ - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str,\ - \ \"TA0004\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0003_persistence\ - \ contains mitre_ids_str, \"TA0003\", mitre_tactic_id)\n| alter mitre_tactic_id\ - \ = if (ta0002_execution contains mitre_ids_str, \"TA0002\", mitre_tactic_id)\n\ - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, \"TA0001\"\ - , mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0042_resource_development contains\ - \ mitre_ids_str, \"TA0042\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0043_reconnaissance\ - \ contains mitre_ids_str, \"TA0043\", mitre_tactic_id)\n\n/* ---- Split Anchor (required)\ - \ ---- */\n| 
alter\n mitre_technique_id = mitre_ids_str,\n mitre_technique\ - \ = null,\n mitre_tactic_id = mitre_tactic_id,\n mitre_tactic \ - \ = mitre_tactic\n\n/* ---- Core metadata (keep legacy field names you mapped) ----\ - \ */\n| alter\n id = j -> id,\n status = j\ - \ -> status,\n investigation_status = j -> investigation_status,\n investigation_result\ - \ = j -> investigation_result,\n workbench_link = j -> workbench_link,\n\ - \ alert_provider = j -> alert_provider,\n alert_name = j ->\ - \ model,\n score = to_integer(j -> score),\n severity \ - \ = j -> severity,\n alert_time = j -> created_date_time,\n\ - \ alert_description = j -> description,\n alert_source = coalesce(j\ - \ -> alert_provider, \"Trend Micro Vision One\"),\n indicators = j\ - \ -> indicators[]\n\n/* ---- FAST indicator extraction (no arraymap/indexof) ----\ - \ */\n/* host */\n| alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ - @element\",\"$.type\") = \"host\"), 0)\n| alter\n v1_host_guid = json_extract_scalar(i_host,\ - \ \"$.value.guid\"),\n v1_host_name = json_extract_scalar(i_host, \"$.value.name\"\ - ),\n local_ip = replace(json_extract_scalar(i_host, \"$.value.ips[0]\"),\ - \ \"\\\"\", \"\")\n\n/* mac (host indicator value has multiple possibilities in\ - \ some feeds; keep best-effort) */\n| alter mac_address =\n coalesce(\n \ - \ json_extract_scalar(i_host, \"$.value.mac\"),\n json_extract_scalar(i_host,\ - \ \"$.value.mac_address\"),\n json_extract_scalar(i_host, \"$.value.macs[0]\"\ - ),\n json_extract_scalar(i_host, \"$.value.macAddresses[0]\")\n )\n\n/*\ - \ user */\n| alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ - @element\",\"$.type\") = \"user_account\"), 0)\n| alter\n user_name = json_extract_scalar(i_user,\ - \ \"$.value\"),\n user_id = null\n\n/* cmdline */\n| alter i_cmd1 = arrayindex(arrayfilter(indicators,\ - \ json_extract_scalar(\"@element\",\"$.type\") = \"command_line\"), 0)\n| alter\ - \ i_cmd2 = 
arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ - $.field\") = \"processCmd\"), 0)\n| alter cmdline = coalesce(json_extract_scalar(i_cmd1,\ - \ \"$.value\"), json_extract_scalar(i_cmd2, \"$.value\"))\n\n/* sha256 (main) */\n\ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\"\ - ,\"$.type\") = \"file_sha256\"), 0)\n| alter sha256 = json_extract_scalar(i_sha,\ - \ \"$.value\")\n\n/* remote ip + domain */\n| alter i_peer = arrayindex(arrayfilter(indicators,\ - \ json_extract_scalar(\"@element\",\"$.field\") = \"peerIp\"), 0)\n| alter remote_ip_str\ - \ = json_extract_scalar(i_peer, \"$.value\")\n\n| alter i_dom = arrayindex(arrayfilter(indicators,\ - \ json_extract_scalar(\"@element\",\"$.field\") = \"domain\"), 0)\n| alter domain\ - \ = json_extract_scalar(i_dom, \"$.value\")\n\n/* parent process path */\n| alter\ - \ i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ - $.field\") = \"parentFilePath\"), 0)\n| alter parent_process_path = json_extract_scalar(i_pfp,\ - \ \"$.value\")\n| alter parent_process_name = replace(parent_process_path, \"^.*[\\\ - \\\\\\/]\", \"\")\n\n/* filepath / filename (from registry object or cmdline fallback)\ - \ */\n| alter i_reg = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ - @element\",\"$.field\") = \"objectRegistryData\"), 0)\n| alter reg_path = json_extract_scalar(i_reg,\ - \ \"$.value\")\n\n| alter filepath =\n coalesce(\n reg_path,\n arrayindex(regextract(cmdline,\ - \ \"^\\\\s*([^\\\\s]+)\"), 0)\n )\n| alter filename = replace(filepath, \"^.*[\\\ - \\\\\\/]\", \"\")\n\n/* convenience */\n| alter ioc_value = coalesce(sha256, null)\n\ - \n| fields\n id, workbench_link, alert_name, alert_source, status,\n investigation_status,\ - \ investigation_result,\n score, severity, alert_time, alert_description,\n \ - \ v1_host_guid, v1_host_name, local_ip, mac_address,\n user_name, user_id,\n\ - \ filename, filepath, parent_process_path, 
parent_process_name, cmdline,\n \ - \ sha256, ioc_value, domain, remote_ip_str,\n mitre_technique, mitre_technique_id,\ - \ mitre_tactic, mitre_tactic_id, mitre_ids_str\n" +xql_query: "dataset = trend_micro_vision_one_v3_generic_alert_raw\n| filter alert_provider = \"SAE\"\n\n| alter j = _alert_data -> raw_json\n\n/* --- MITRE technique (cheap) --- */\n| alter j_str = to_string(j)\n| alter mitre_technique_id_raw =\n json_extract_scalar(j_str, \"$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]\")\n| alter j_str = null\n\n| alter mitre_ids_str =\n if(\n mitre_technique_id_raw != null and mitre_technique_id_raw != \"\",\n replace(replace(mitre_technique_id_raw, \"\\\"\",\"\"), \"\\\\.[0-9]+$\",\"\"),\n \"—\"\n )\n| alter mitre_ids_str =\n if(mitre_ids_str contains \".\", arrayindex(regextract(mitre_ids_str, \"(.*)\\.\"), 0), mitre_ids_str)\n\n/* --- MITRE Tactics Arrays ---- */\n| alter ta0043_reconnaissance = arraycreate(\"T1590\",\"T1591\",\"T1592\",\"T1593\",\"T1594\",\"T1595\",\"T1596\",\"T1597\",\"T1598\",\"T1599\")\n| alter ta0042_resource_development = arraycreate(\"T1583\",\"T1584\",\"T1585\",\"T1586\",\"T1587\",\"T1650\")\n| alter ta0001_initial_access = arraycreate(\"T1078\",\"T1189\",\"T1190\",\"T1195\",\"T1133\",\"T1200\",\"T1566\",\"T1091\")\n| alter ta0002_execution = arraycreate(\"T1059\",\"T1106\",\"T1047\",\"T1203\",\"T1129\",\"T1559\")\n| alter ta0003_persistence = arraycreate(\"T1547\",\"T1543\",\"T1136\",\"T1505\",\"T1053\",\"T1078\")\n| alter ta0004_privilege_escalation = arraycreate(\"T1548\",\"T1068\",\"T1078\",\"T1055\",\"T1134\")\n| alter ta0005_defense_evasion = arraycreate(\"T1027\",\"T1070\",\"T1218\",\"T1140\",\"T1562\",\"T1036\",\"T1055\")\n| alter ta0006_credential_access = arraycreate(\"T1003\",\"T1555\",\"T1552\",\"T1110\",\"T1621\")\n| alter ta0007_discovery = arraycreate(\"T1082\",\"T1083\",\"T1046\",\"T1057\",\"T1016\",\"T1049\",\"T1033\")\n| alter ta0008_lateral_movement = 
arraycreate(\"T1021\",\"T1210\",\"T1091\",\"T1072\")\n| alter ta0009_collection = arraycreate(\"T1005\",\"T1039\",\"T1113\",\"T1114\",\"T1115\")\n| alter ta0011_command_and_control = arraycreate(\"T1071\",\"T1095\",\"T1105\",\"T1571\",\"T1572\",\"T1041\")\n| alter ta0010_exfiltration = arraycreate(\"T1041\",\"T1567\",\"T1020\")\n| alter ta0040_impact = arraycreate(\"T1485\",\"T1486\",\"T1490\",\"T1499\",\"T1561\")\n\n/* --- Match Tactic Name + ID --- */\n| alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, \"Impact\")\n| alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, \"Exfiltration\", mitre_tactic)\n| alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, \"Command and Control\", mitre_tactic)\n| alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, \"Collection\", mitre_tactic)\n| alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, \"Lateral Movement\", mitre_tactic)\n| alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, \"Discovery\", mitre_tactic)\n| alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, \"Credential Access\", mitre_tactic)\n| alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, \"Defense Evasion\", mitre_tactic)\n| alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, \"Privilege Escalation\", mitre_tactic)\n| alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, \"Persistence\", mitre_tactic)\n| alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, \"Execution\", mitre_tactic)\n| alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, \"Initial Access\", mitre_tactic)\n| alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, \"Resource Development\", mitre_tactic)\n| alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, \"Reconnaissance\", mitre_tactic)\n\n| alter mitre_tactic_id = if (ta0040_impact 
contains mitre_ids_str, \"TA0040\")\n| alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, \"TA0010\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, \"TA0011\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, \"TA0009\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, \"TA0008\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, \"TA0007\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, \"TA0006\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, \"TA0005\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, \"TA0004\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, \"TA0003\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, \"TA0002\", mitre_tactic_id)\n| alter mitre_tactic_id + = if (ta0001_initial_access contains mitre_ids_str, \"TA0001\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, \"TA0042\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, \"TA0043\", mitre_tactic_id)\n\n/* ---- Split Anchor (required) ---- */\n| alter\n mitre_technique_id = mitre_ids_str,\n mitre_technique = null,\n mitre_tactic_id = mitre_tactic_id,\n mitre_tactic = mitre_tactic\n\n/* ---- Core metadata (keep legacy field names you mapped) ---- */\n| alter\n id = j -> id,\n status = j -> status,\n investigation_status = j -> investigation_status,\n investigation_result = j -> investigation_result,\n workbench_link = j -> workbench_link,\n alert_provider = j -> alert_provider,\n alert_name = j -> model,\n score = to_integer(j -> score),\n severity = j -> severity,\n 
alert_time = j -> created_date_time,\n alert_description = j -> description,\n alert_source = coalesce(j -> alert_provider, \"Trend Micro Vision One\"),\n indicators = j -> indicators[]\n\n/* ---- FAST indicator extraction (no arraymap/indexof) ---- */\n/* host */\n| alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"host\"), 0)\n| alter\n v1_host_guid = json_extract_scalar(i_host, \"$.value.guid\"),\n v1_host_name = json_extract_scalar(i_host, \"$.value.name\"),\n local_ip = replace(json_extract_scalar(i_host, \"$.value.ips[0]\"), \"\\\"\", \"\")\n\n/* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */\n| alter mac_address =\n coalesce(\n json_extract_scalar(i_host, \"$.value.mac\"),\n json_extract_scalar(i_host, \"$.value.mac_address\"),\n json_extract_scalar(i_host, \"$.value.macs[0]\"),\n json_extract_scalar(i_host, \"$.value.macAddresses[0]\")\n )\n\n/* user */\n| alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"user_account\"), 0)\n| alter\n user_name = json_extract_scalar(i_user, \"$.value\"),\n user_id = null\n\n/* cmdline */\n| alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"command_line\"), 0)\n| alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"processCmd\"), 0)\n| alter cmdline = coalesce(json_extract_scalar(i_cmd1, \"$.value\"), json_extract_scalar(i_cmd2, \"$.value\"))\n\n/* sha256 (main) */\n| alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"file_sha256\"), 0)\n| alter sha256 = json_extract_scalar(i_sha, \"$.value\")\n\n/* remote ip + domain */\n| alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"peerIp\"), 0)\n| alter remote_ip_str = json_extract_scalar(i_peer, \"$.value\")\n\n| alter i_dom = 
arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"domain\"), 0)\n| alter domain = json_extract_scalar(i_dom, \"$.value\")\n\n/* parent process path */\n| alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"parentFilePath\"), 0)\n| alter parent_process_path = json_extract_scalar(i_pfp, \"$.value\")\n| alter parent_process_name = replace(parent_process_path, \"^.*[\\\\\\\\/]\", \"\")\n\n/* filepath / filename (from registry object or cmdline fallback) */\n| alter i_reg = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"objectRegistryData\"), 0)\n| alter reg_path = json_extract_scalar(i_reg, \"$.value\")\n\n| alter filepath =\n coalesce(\n reg_path,\n arrayindex(regextract(cmdline, \"^\\\\s*([^\\\\s]+)\"), 0)\n )\n| alter filename = replace(filepath, \"^.*[\\\\\\\\/]\", \"\")\n\n/* convenience */\n| alter ioc_value = coalesce(sha256, null)\n\n| fields\n id, workbench_link, alert_name, alert_source, status,\n investigation_status, investigation_result,\n score, severity, alert_time, alert_description,\n v1_host_guid, v1_host_name, local_ip, mac_address,\n user_name, user_id,\n filename, filepath, parent_process_path, parent_process_name, cmdline,\n sha256, ioc_value, domain, remote_ip_str,\n mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str\n" diff --git a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml index 6a98bdf9..f35956cf 100644 --- a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml +++ b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml 
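Review bot: In the `/* --- Match Tactic Name + ID --- */` chain of the new single-line `xql_query`, a technique listed in more than one tactic array resolves to whichever `alter` runs last rather than to its ATT&CK primary tactic: T1041 sits in both `ta0010_exfiltration` and `ta0011_command_and_control` and ends up as "Command and Control"/`TA0011` because the C2 assignment follows the Exfiltration one, and by the same positional effect T1078 and T1091 land on "Initial Access" and T1055 on "Privilege Escalation". That precedence is implicit, so either reorder the chain so the intended tactic is assigned last or state it in a comment above the chain, e.g. `/* NOTE: later assignments win; multi-tactic techniques (T1041, T1055, T1078, T1091) resolve to the last matching tactic below */`. Separately, `user_id = null` is hard-coded in the user block while this rule's `alert_fields` map `userid: user_id` (first hunk of this file), so that alert field appears to be always empty; either populate it from the `user_account` indicator or drop the mapping. Note also that only `$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]` is read, so an alert carrying several techniques is tagged with a single one, which deserves a comment if intentional.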
@@ -1,6 +1,5 @@
 fromversion: 8.3.1
-adopted: true
 id: SOC_TrendMicro_VisionOne_ModelingRule
 name: SOC TrendMicro VisionOne Modeling Rule
 rules: ''
-schema: ''
\ No newline at end of file
+schema: ''
diff --git a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json
index 1b3fd740..d8a8ab18 100644
--- a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json
+++ b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json
@@ -1,484 +1,484 @@ { - "trend_micro_vision_one_v3_generic_alert_raw": { - "alert_provider": { - "type": "string", - "is_array": false - }, - "impact_scope": { - "type": "json", - "is_array": false - }, - "indicators": { - "type": "json", - "is_array": false - }, - "matched_rules": { - "type": "json", - "is_array": false - }, - "_raw_json": { - "type": "json", - "is_array": false - }, - "id": { - "type": "string", - "is_array": false - }, - "model": { - "type": "string", - "is_array": false - }, - "model_type": { - "type": "string", - "is_array": false - }, - "severity": { - "type": "string", - "is_array": false - }, - "status": { - "type": "string", - "is_array": false - }, - "investigation_status": { - "type": "string", - "is_array": false - }, - "investigation_result": { - "type": "string", - "is_array": false - }, - "description": { - "type": "string", - "is_array": false - }, - "workbench_link": { - "type": "string", - "is_array": false - }, - "score": { - "type": "string", - "is_array": false - }, - "Entities": { - "type": "string", - "is_array": false - }, - "Indicators": { - "type": "string", - "is_array": false - }, - "Rules": { - "type": "string", - "is_array": false - }, - "action": { - "type": "string", - "is_array": false - }, - "agent": { - "type": "string", - "is_array": false - }, - "alert": { - "type": "string", - "is_array": false - }, - "application": { - "type": "string", - "is_array": false - }, - "application_protocol": { - "type": "string", - "is_array": false - }, - "application_protocol_category": { - "type": "string", - "is_array": false - }, - "command_line": { - "type": "string", - "is_array": false - }, - "contains": { - "type": "string", - "is_array": false - }, - "content_version": { - "type": "string", - "is_array": false - }, - "dataset": { - "type": "string", - "is_array": false - }, - "device_id": { - "type": "string", - "is_array": false - }, - "domain": { - "type": "string", - "is_array": false - }, - 
"entityIdsAccountIdentifier": { - "type": "string", - "is_array": false - }, - "entityIdsDeviceId": { - "type": "string", - "is_array": false - }, - "entityIdsEmailIdentifier": { - "type": "string", - "is_array": false - }, - "entityValueGuidsHostname": { - "type": "string", - "is_array": false - }, - "entityValueGuidsUpn": { - "type": "string", - "is_array": false - }, - "entityValueGuidsUserName": { - "type": "string", - "is_array": false - }, - "entityValueIps": { - "type": "string", - "is_array": false - }, - "entityValueNamesHostName": { - "type": "string", - "is_array": false - }, - "entityValueNamesUpn": { - "type": "string", - "is_array": false - }, - "entityValueNamesUserName": { - "type": "string", - "is_array": false - }, - "entityValuesUserName": { - "type": "string", - "is_array": false - }, - "event": { - "type": "string", - "is_array": false - }, - "executable": { - "type": "string", - "is_array": false - }, - "extract_source_ipv4": { - "type": "string", - "is_array": false - }, - "extract_source_ipv6": { - "type": "string", - "is_array": false - }, - "extract_target_ip": { - "type": "string", - "is_array": false - }, - "file": { - "type": "string", - "is_array": false - }, - "file_before": { - "type": "string", - "is_array": false - }, - "file_type": { - "type": "string", - "is_array": false - }, - "filename": { - "type": "string", - "is_array": false - }, - "host": { - "type": "string", - "is_array": false - }, - "hostname": { - "type": "string", - "is_array": false - }, - "http": { - "type": "string", - "is_array": false - }, - "identifier": { - "type": "string", - "is_array": false - }, - "identityType": { - "type": "string", - "is_array": false - }, - "identity_type": { - "type": "string", - "is_array": false - }, - "indicatorsValuesCommandLine": { - "type": "string", - "is_array": false - }, - "indicatorsValuesExecPath": { - "type": "string", - "is_array": false - }, - "indicatorsValuesHostname": { - "type": "string", - "is_array": false - }, - 
"indicatorsValuesProcessId": { - "type": "string", - "is_array": false - }, - "indicatorsValuesProcessName": { - "type": "string", - "is_array": false - }, - "indicatorsValuesRegistryKey": { - "type": "string", - "is_array": false - }, - "indicatorsValuesRegistryVal": { - "type": "string", - "is_array": false - }, - "intermediate": { - "type": "string", - "is_array": false - }, - "ipv4": { - "type": "string", - "is_array": false - }, - "ipv4_addresses": { - "type": "string", - "is_array": false - }, - "ipv6": { - "type": "string", - "is_array": false - }, - "key": { - "type": "string", - "is_array": false - }, - "mac_addresses": { - "type": "string", - "is_array": false - }, - "matchedRulesIds": { - "type": "string", - "is_array": false - }, - "matchedRulesNames": { - "type": "string", - "is_array": false - }, - "md5": { - "type": "string", - "is_array": false - }, - "mitreTacticsRaw": { - "type": "string", - "is_array": false - }, - "mitreTechniquesRaw": { - "type": "string", - "is_array": false - }, - "mitre_tactics": { - "type": "string", - "is_array": false - }, - "mitre_tactics_raw": { - "type": "string", - "is_array": false - }, - "mitre_techniques": { - "type": "string", - "is_array": false - }, - "module": { - "type": "string", - "is_array": false - }, - "name": { - "type": "string", - "is_array": false - }, - "network": { - "type": "string", - "is_array": false - }, - "observer": { - "type": "string", - "is_array": false - }, - "operation_sub_type": { - "type": "string", - "is_array": false - }, - "originalThreatName": { - "type": "string", - "is_array": false - }, - "original_alert_id": { - "type": "string", - "is_array": false - }, - "original_event_type": { - "type": "string", - "is_array": false - }, - "original_threat_name": { - "type": "string", - "is_array": false - }, - "os": { - "type": "string", - "is_array": false - }, - "outcome_reason": { - "type": "string", - "is_array": false - }, - "parent_id": { - "type": "string", - "is_array": false - }, 
- "path": { - "type": "string", - "is_array": false - }, - "pid": { - "type": "string", - "is_array": false - }, - "port": { - "type": "string", - "is_array": false - }, - "process": { - "type": "string", - "is_array": false - }, - "protocol_version": { - "type": "string", - "is_array": false - }, - "provenances": { - "type": "string", - "is_array": false - }, - "referrer": { - "type": "string", - "is_array": false - }, - "registry": { - "type": "string", - "is_array": false - }, - "relatedEntities": { - "type": "string", - "is_array": false - }, - "resource": { - "type": "string", - "is_array": false - }, - "rule": { - "type": "string", - "is_array": false - }, - "session_context_id": { - "type": "string", - "is_array": false - }, - "session_id": { - "type": "string", - "is_array": false - }, - "sha256": { - "type": "string", - "is_array": false - }, - "signature_status": { - "type": "string", - "is_array": false - }, - "signer": { - "type": "string", - "is_array": false - }, - "size": { - "type": "string", - "is_array": false - }, - "source": { - "type": "string", - "is_array": false - }, - "subcategory": { - "type": "string", - "is_array": false - }, - "target": { - "type": "string", - "is_array": false - }, - "tls": { - "type": "string", - "is_array": false - }, - "type": { - "type": "string", - "is_array": false - }, - "unique_identifier": { - "type": "string", - "is_array": false - }, - "upn": { - "type": "string", - "is_array": false - }, - "url": { - "type": "string", - "is_array": false - }, - "user": { - "type": "string", - "is_array": false - }, - "user_agent": { - "type": "string", - "is_array": false - }, - "username": { - "type": "string", - "is_array": false - }, - "value": { - "type": "string", - "is_array": false - }, - "version": { - "type": "string", - "is_array": false - }, - "vlan": { - "type": "string", - "is_array": false + "trend_micro_vision_one_v3_generic_alert_raw": { + "alert_provider": { + "type": "string", + "is_array": false + }, + 
"impact_scope": { + "type": "json", + "is_array": false + }, + "indicators": { + "type": "json", + "is_array": false + }, + "matched_rules": { + "type": "json", + "is_array": false + }, + "_raw_json": { + "type": "json", + "is_array": false + }, + "id": { + "type": "string", + "is_array": false + }, + "model": { + "type": "string", + "is_array": false + }, + "model_type": { + "type": "string", + "is_array": false + }, + "severity": { + "type": "string", + "is_array": false + }, + "status": { + "type": "string", + "is_array": false + }, + "investigation_status": { + "type": "string", + "is_array": false + }, + "investigation_result": { + "type": "string", + "is_array": false + }, + "description": { + "type": "string", + "is_array": false + }, + "workbench_link": { + "type": "string", + "is_array": false + }, + "score": { + "type": "string", + "is_array": false + }, + "Entities": { + "type": "string", + "is_array": false + }, + "Indicators": { + "type": "string", + "is_array": false + }, + "Rules": { + "type": "string", + "is_array": false + }, + "action": { + "type": "string", + "is_array": false + }, + "agent": { + "type": "string", + "is_array": false + }, + "alert": { + "type": "string", + "is_array": false + }, + "application": { + "type": "string", + "is_array": false + }, + "application_protocol": { + "type": "string", + "is_array": false + }, + "application_protocol_category": { + "type": "string", + "is_array": false + }, + "command_line": { + "type": "string", + "is_array": false + }, + "contains": { + "type": "string", + "is_array": false + }, + "content_version": { + "type": "string", + "is_array": false + }, + "dataset": { + "type": "string", + "is_array": false + }, + "device_id": { + "type": "string", + "is_array": false + }, + "domain": { + "type": "string", + "is_array": false + }, + "entityIdsAccountIdentifier": { + "type": "string", + "is_array": false + }, + "entityIdsDeviceId": { + "type": "string", + "is_array": false + }, + 
"entityIdsEmailIdentifier": { + "type": "string", + "is_array": false + }, + "entityValueGuidsHostname": { + "type": "string", + "is_array": false + }, + "entityValueGuidsUpn": { + "type": "string", + "is_array": false + }, + "entityValueGuidsUserName": { + "type": "string", + "is_array": false + }, + "entityValueIps": { + "type": "string", + "is_array": false + }, + "entityValueNamesHostName": { + "type": "string", + "is_array": false + }, + "entityValueNamesUpn": { + "type": "string", + "is_array": false + }, + "entityValueNamesUserName": { + "type": "string", + "is_array": false + }, + "entityValuesUserName": { + "type": "string", + "is_array": false + }, + "event": { + "type": "string", + "is_array": false + }, + "executable": { + "type": "string", + "is_array": false + }, + "extract_source_ipv4": { + "type": "string", + "is_array": false + }, + "extract_source_ipv6": { + "type": "string", + "is_array": false + }, + "extract_target_ip": { + "type": "string", + "is_array": false + }, + "file": { + "type": "string", + "is_array": false + }, + "file_before": { + "type": "string", + "is_array": false + }, + "file_type": { + "type": "string", + "is_array": false + }, + "filename": { + "type": "string", + "is_array": false + }, + "host": { + "type": "string", + "is_array": false + }, + "hostname": { + "type": "string", + "is_array": false + }, + "http": { + "type": "string", + "is_array": false + }, + "identifier": { + "type": "string", + "is_array": false + }, + "identityType": { + "type": "string", + "is_array": false + }, + "identity_type": { + "type": "string", + "is_array": false + }, + "indicatorsValuesCommandLine": { + "type": "string", + "is_array": false + }, + "indicatorsValuesExecPath": { + "type": "string", + "is_array": false + }, + "indicatorsValuesHostname": { + "type": "string", + "is_array": false + }, + "indicatorsValuesProcessId": { + "type": "string", + "is_array": false + }, + "indicatorsValuesProcessName": { + "type": "string", + "is_array": 
false + }, + "indicatorsValuesRegistryKey": { + "type": "string", + "is_array": false + }, + "indicatorsValuesRegistryVal": { + "type": "string", + "is_array": false + }, + "intermediate": { + "type": "string", + "is_array": false + }, + "ipv4": { + "type": "string", + "is_array": false + }, + "ipv4_addresses": { + "type": "string", + "is_array": false + }, + "ipv6": { + "type": "string", + "is_array": false + }, + "key": { + "type": "string", + "is_array": false + }, + "mac_addresses": { + "type": "string", + "is_array": false + }, + "matchedRulesIds": { + "type": "string", + "is_array": false + }, + "matchedRulesNames": { + "type": "string", + "is_array": false + }, + "md5": { + "type": "string", + "is_array": false + }, + "mitreTacticsRaw": { + "type": "string", + "is_array": false + }, + "mitreTechniquesRaw": { + "type": "string", + "is_array": false + }, + "mitre_tactics": { + "type": "string", + "is_array": false + }, + "mitre_tactics_raw": { + "type": "string", + "is_array": false + }, + "mitre_techniques": { + "type": "string", + "is_array": false + }, + "module": { + "type": "string", + "is_array": false + }, + "name": { + "type": "string", + "is_array": false + }, + "network": { + "type": "string", + "is_array": false + }, + "observer": { + "type": "string", + "is_array": false + }, + "operation_sub_type": { + "type": "string", + "is_array": false + }, + "originalThreatName": { + "type": "string", + "is_array": false + }, + "original_alert_id": { + "type": "string", + "is_array": false + }, + "original_event_type": { + "type": "string", + "is_array": false + }, + "original_threat_name": { + "type": "string", + "is_array": false + }, + "os": { + "type": "string", + "is_array": false + }, + "outcome_reason": { + "type": "string", + "is_array": false + }, + "parent_id": { + "type": "string", + "is_array": false + }, + "path": { + "type": "string", + "is_array": false + }, + "pid": { + "type": "string", + "is_array": false + }, + "port": { + "type": "string", 
+ "is_array": false + }, + "process": { + "type": "string", + "is_array": false + }, + "protocol_version": { + "type": "string", + "is_array": false + }, + "provenances": { + "type": "string", + "is_array": false + }, + "referrer": { + "type": "string", + "is_array": false + }, + "registry": { + "type": "string", + "is_array": false + }, + "relatedEntities": { + "type": "string", + "is_array": false + }, + "resource": { + "type": "string", + "is_array": false + }, + "rule": { + "type": "string", + "is_array": false + }, + "session_context_id": { + "type": "string", + "is_array": false + }, + "session_id": { + "type": "string", + "is_array": false + }, + "sha256": { + "type": "string", + "is_array": false + }, + "signature_status": { + "type": "string", + "is_array": false + }, + "signer": { + "type": "string", + "is_array": false + }, + "size": { + "type": "string", + "is_array": false + }, + "source": { + "type": "string", + "is_array": false + }, + "subcategory": { + "type": "string", + "is_array": false + }, + "target": { + "type": "string", + "is_array": false + }, + "tls": { + "type": "string", + "is_array": false + }, + "type": { + "type": "string", + "is_array": false + }, + "unique_identifier": { + "type": "string", + "is_array": false + }, + "upn": { + "type": "string", + "is_array": false + }, + "url": { + "type": "string", + "is_array": false + }, + "user": { + "type": "string", + "is_array": false + }, + "user_agent": { + "type": "string", + "is_array": false + }, + "username": { + "type": "string", + "is_array": false + }, + "value": { + "type": "string", + "is_array": false + }, + "version": { + "type": "string", + "is_array": false + }, + "vlan": { + "type": "string", + "is_array": false + } } - } } diff --git a/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json b/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json index 24ec73ed..2157f973 100644 --- a/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json 
+++ b/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json
@@ -1,33 +1,33 @@
 {
- "name": "SOC Trend Micro Enhancement for Cortex XSIAM",
- "id": "soc-trendmicro-visionone",
- "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.",
- "support": "community",
- "currentVersion": "1.0.29",
- "author": "Palo Alto Networks",
- "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
- "email": "",
- "categories": [
- "Endpoint"
- ],
- "tags": [
- "SOC",
- "SOC_Framework",
- "Palo Alto Networks Products",
- "EndPoint"
- ],
- "dependencies": {
- "TrendMicroVisionOneV3": {
- "mandatory": true,
- "display_name": "Trend Micro Vision One"
+ "name": "SOC Trend Micro Enhancement for Cortex XSIAM",
+ "id": "soc-trendmicro-visionone",
+ "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.",
+ "support": "community",
+ "currentVersion": "1.0.29",
+ "author": "Palo Alto Networks",
+ "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
+ "email": "",
+ "categories": [
+ "Endpoint"
+ ],
+ "tags": [
+ "SOC",
+ "SOC_Framework",
+ "Palo Alto Networks Products",
+ "EndPoint"
+ ],
+ "dependencies": {
+ "TrendMicroVisionOneV3": {
+ "mandatory": true,
+ "display_name": "Trend Micro Vision One"
+ },
+ "": {
+ "mandatory": true
+ }
 },
- "": {
- "mandatory": true
- }
- },
- "useCases": [],
- "keywords": [],
- "marketplaces": [
- "marketplacev2"
- ]
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
 }
diff --git a/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml b/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml
index 2c0964b4..c313a1ca 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml
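Review bot: The new side of the `dependencies` object still carries an entry whose pack id is the empty string, `"": { "mandatory": true }`, right after `TrendMicroVisionOneV3`; a mandatory dependency with no id cannot resolve to any pack and is likely to fail content validation or block installation of this pack. Either remove that entry or replace the key with the intended pack id. The rest of this hunk is a re-indentation of unchanged values, so nothing else in it needs attention. If this repository follows the usual content-pack convention, the playbook and correlation-rule changes elsewhere in the commit would normally come with a `currentVersion` bump and release notes, but `currentVersion` stays at `1.0.29` here; worth confirming whether that is intended.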
@@ -205,5 +205,5 @@ outputSections:
 description: Generic group for outputs
 outputs: []
 sourceplaybookid: 51ffcd5a-f5bb-4e09-84ae-e1efdc5165ac
-dirtyInputs: true
+dirtyInputs: false
 fromversion: 5.0.0
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml
index 1ff1b71a..1e0d1d59 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml
@@ -7,9 +7,9 @@ contentitemexportablefields:
 packName: SOC Framework Unified
 itemVersion: 3.1.4
 fromServerVersion: 5.0.0
- toServerVersion: ""
- definitionid: ""
- prevname: ""
+ toServerVersion: ''
+ definitionid: ''
+ prevname: ''
 isoverridable: false
 supportedModules: []
 vcShouldKeepItemLegacyProdMachine: false
@@ -18,32 +18,26 @@ tags:
 - SOC
 - SOC_Framework_Unified
 - Detection & Analysis
-starttaskid: "0"
+starttaskid: '0'
 tasks:
- "0":
- id: "0"
+ '0':
+ id: '0'
 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7
 type: start
 task:
 id: 7e6a701e-667b-4a70-8a74-14564da75fc7
 version: -1
- name: ""
+ name: ''
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "31"
+ - '31'
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 50,
- "y": 50
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -51,8 +45,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "2":
- id: "2"
+ '2':
+ id: '2'
 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253
 type: title
 task:
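Review bot: In hunk `@@ -18,32 +18,26 @@` the `view` value is rewritten from a `|-` block scalar into a single double-quoted line with `\n` and `\"` escapes; the parsed value is presumably unchanged, but the embedded JSON is no longer readable or line-diffable in the playbook source, and the same rewrite repeats in `@@ -61,18 +55,12 @@`, `@@ -80,48 +68,40 @@` and every following task hunk down to `@@ -570,48 +478,40 @@`, together with the `""` to `''` quote swap and the reflowed `description` strings. This looks like the output of a YAML dumper with default settings rather than a deliberate edit, so if the file is being regenerated by tooling it would be better to dump multi-line strings in block style, or to keep the previous `view: |-` block scalars, so that later diffs show only real changes. Because the escaped form collapses indentation in this view, it is also worth confirming that the new `\"x\": 50,\n \"y\": 50` round-trips to the same coordinates the old block held.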
@@ -61,18 +55,12 @@ tasks:
 name: Done
 type: title
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 60,
- "y": 4240
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 4240\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -80,48 +68,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" + '31': + id: '31' taskid: da61ef8d-7840-4b48-9dcc-aa88221204b7 type: regular task: id: da61ef8d-7840-4b48-9dcc-aa88221204b7 version: -1 name: Set Case Risk Score - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_score value: simple: ${inputs.case_score} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -129,48 +109,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" + '32': + id: '32' taskid: 70bb5690-7d22-4b90-9db6-5ea5b648fa19 type: regular task: id: 70bb5690-7d22-4b90-9db6-5ea5b648fa19 version: -1 name: Set Compromise Suspicious - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "44" + - '44' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.compromise_level value: simple: ${inputs.compromise_level} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -178,48 +150,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "35": - id: "35" + '35': + id: '35' taskid: d728a61c-7878-4595-96ff-4f232562b11f type: regular task: id: d728a61c-7878-4595-96ff-4f232562b11f version: -1 name: Set Verdict - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "36" + - '36' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.verdict value: simple: ${inputs.verdict} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 775 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -227,48 +191,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "36": - id: "36" + '36': + id: '36' taskid: 28c28837-feb4-4488-a1e8-4ed377d2b172 type: regular task: id: 28c28837-feb4-4488-a1e8-4ed377d2b172 version: -1 name: Set Confidence - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "37" + - '37' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.confidence value: simple: ${inputs.confidence} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 960 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 960\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -276,48 +232,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "37": - id: "37" + '37': + id: '37' taskid: a7faa095-dc8c-46a9-92fa-e3724e99ee18 type: regular task: id: a7faa095-dc8c-46a9-92fa-e3724e99ee18 version: -1 name: Set Response Recommendation - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "38" + - '38' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.response_recommended value: simple: ${inputs.response_recommended} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1145 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1145\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -325,48 +273,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "38": - id: "38" + '38': + id: '38' taskid: 5b48fa18-6d81-467c-83e5-3c0982ec5cc1 type: regular task: id: 5b48fa18-6d81-467c-83e5-3c0982ec5cc1 version: -1 name: Set Case Category - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "39" + - '39' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_category value: simple: ${inputs.case_category} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1330 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1330\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -374,48 +314,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "39": - id: "39" + '39': + id: '39' taskid: d5f28fc2-d810-4113-9f1e-073ff60df0c3 type: regular task: id: d5f28fc2-d810-4113-9f1e-073ff60df0c3 version: -1 name: Set Primary Entity Type - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "50" + - '50' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_type value: simple: ${inputs.primary_entity_type} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1515 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1515\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -423,48 +355,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "40": - id: "40" + '40': + id: '40' taskid: 719b7f9d-c386-4f2f-8ebb-dc083820eb7e type: regular task: id: 719b7f9d-c386-4f2f-8ebb-dc083820eb7e version: -1 name: Set Persistence Types - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "41" + - '41' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.persistence_type value: simple: ${inputs.persistence_type} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1885 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1885\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -472,48 +396,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "41": - id: "41" + '41': + id: '41' taskid: 4297d1f6-862f-4fa6-bcfb-a0d33a48eb3e type: regular task: id: 4297d1f6-862f-4fa6-bcfb-a0d33a48eb3e version: -1 name: Set Spread Level - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "42" + - '42' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.spread_level value: simple: ${inputs.spread_level} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2070 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2070\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -521,48 +437,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "42": - id: "42" + '42': + id: '42' taskid: 30a3e2af-9499-4f3e-ad97-54dfa893bcaf type: regular task: id: 30a3e2af-9499-4f3e-ad97-54dfa893bcaf version: -1 name: Set User Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_user_count value: simple: ${inputs.case_user_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2255 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2255\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -570,48 +478,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "43": - id: "43" + '43': + id: '43' taskid: 2dfca0ab-5915-40a5-becd-4e4d45dbefa5 type: regular task: id: 2dfca0ab-5915-40a5-becd-4e4d45dbefa5 version: -1 name: Set Story - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.story value: simple: ${inputs.story} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 3365 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 3365\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -619,48 +519,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "44": - id: "44" + '44': + id: '44' taskid: 80711a69-e679-4322-aa8d-db3dd12f47ca type: regular task: id: 80711a69-e679-4322-aa8d-db3dd12f47ca version: -1 name: Set Compromise Decision - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "35" + - '35' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.compromise_decision value: simple: ${inputs.compromise_decision} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -668,48 +560,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "45": - id: "45" + '45': + id: '45' taskid: b023b41f-1a96-4c2f-8f48-05994a0759e9 type: regular task: id: b023b41f-1a96-4c2f-8f48-05994a0759e9 version: -1 name: Set Hash Prevalence Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "46" + - '46' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.global_hash_prevalence_count value: simple: ${inputs.global_hash_prevalence_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2440 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2440\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -717,48 +601,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "46": - id: "46" + '46': + id: '46' taskid: 2af6504f-a21c-4e90-9d6e-64eb7cb41214 type: regular task: id: 2af6504f-a21c-4e90-9d6e-64eb7cb41214 version: -1 name: Set Case Issue Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "47" + - '47' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_issue_count value: simple: ${inputs.case_issue_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2625 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2625\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -766,48 +642,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "47": - id: "47" + '47': + id: '47' taskid: 1e0f8dd0-c124-4a4f-b611-305a6a2c3fb0 type: regular task: id: 1e0f8dd0-c124-4a4f-b611-305a6a2c3fb0 version: -1 name: Set Case Host Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "48" + - '48' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_host_count value: simple: ${inputs.case_host_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2810 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2810\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -815,48 +683,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "48": - id: "48" + '48': + id: '48' taskid: 9e7d5761-ff0a-45a4-bd8a-7ad2d887b9c4 type: regular task: id: 9e7d5761-ff0a-45a4-bd8a-7ad2d887b9c4 version: -1 name: Set Case Entity User - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "49" + - '49' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_user value: simple: ${inputs.primary_entity_user} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2995 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2995\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -864,49 +724,41 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "49": - id: "49" + '49': + id: '49' taskid: e8e79b5c-465b-4b3c-8d3f-e4dc956cfb14 type: regular task: id: e8e79b5c-465b-4b3c-8d3f-e4dc956cfb14 version: -1 name: Set Case Entity Name - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "51" - - "43" + - '51' + - '43' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_name value: simple: ${inputs.primary_entity_name} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 3180 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 3180\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -914,48 +766,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "50": - id: "50" + '50': + id: '50' taskid: 8742c793-705c-427f-89ab-ce5177e715b4 type: regular task: id: 8742c793-705c-427f-89ab-ce5177e715b4 version: -1 name: Set Primary Entity ID - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "40" + - '40' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_id value: simple: ${inputs.primary_entity_id} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1700 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1700\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -963,8 +807,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "51": - id: "51" + '51': + id: '51' taskid: a8565059-98e8-419d-be67-4537cc738b13 type: title task: @@ -973,21 +817,15 @@ tasks: name: MITRE Techniques & Tactics type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "52" + - '52' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3290 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3290\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -995,48 +833,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "52": - id: "52" + '52': + id: '52' taskid: d355f6d4-194d-4711-8496-e4feb6773661 type: regular task: id: d355f6d4-194d-4711-8496-e4feb6773661 version: -1 name: Set MITRE Tactic - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "53" + - '53' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_tactic value: simple: ${inputs.mitre_tactic} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3410 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3410\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1044,48 +874,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "53": - id: "53" + '53': + id: '53' taskid: f7129588-7d49-43f6-bee8-6a6e0beb92b7 type: regular task: id: f7129588-7d49-43f6-bee8-6a6e0beb92b7 version: -1 name: Set MITRE Technique - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "56" + - '56' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_technique value: simple: ${inputs.mitre_technique} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3600 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3600\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1093,48 +915,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "55": - id: "55" + '55': + id: '55' taskid: bbf16a46-d12f-48ed-93a9-7b0d68bd596f type: regular task: id: bbf16a46-d12f-48ed-93a9-7b0d68bd596f version: -1 name: Set MITRE Technique ID - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_technique_id value: simple: ${inputs.mitre_technique_id} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3990 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3990\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1142,48 +956,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "56": - id: "56" + '56': + id: '56' taskid: b1e006d4-b723-42e1-a3d5-26362ce639ab type: regular task: id: b1e006d4-b723-42e1-a3d5-26362ce639ab version: -1 name: Set MITRE Tactic ID - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "55" + - '55' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_tactic_id value: simple: ${inputs.mitre_tactic_id} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3790 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3790\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1192,48 +998,38 @@ tasks: isoversize: false isautoswitchedtoquietmode: false system: true -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 4250, - "width": 830, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 4250,\n \"width\":\ + \ 830,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: case_score value: simple: ${parentIncidentFields.predicted_score} required: false - description: "" + description: '' playbookInputQuery: null - key: compromise_level value: simple: ${Analysis.Endpoint.compromise_level} required: false - description: "" + description: '' playbookInputQuery: null - key: verdict value: simple: ${Analysis.Endpoint.verdict} required: false - description: "" + description: '' playbookInputQuery: null - key: confidence value: simple: ${Analysis.Endpoint.confidence} required: false - description: "" + description: '' playbookInputQuery: null - key: response_recommended value: simple: ${Analysis.Endpoint.response_recommended} required: false - description: "" + description: '' playbookInputQuery: null - key: case_category value: 
@@ -1243,110 +1039,108 @@ inputs: transformers: - operator: toLowerCase required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_type value: simple: ${SOCFramework.Product.category} required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_id value: simple: ${SOCFramework.Artifacts.EndPointID} required: false - description: "" + description: '' playbookInputQuery: null - key: spread_level value: simple: ${Analysis.Endpoint.spread_level} required: false - description: "" + description: '' playbookInputQuery: null - key: global_hash_prevalence_count value: simple: ${Core.AnalyticsPrevalence.Hash.[0].data.global_prevalence.value} required: false - description: "" + description: '' playbookInputQuery: null - key: story value: - simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" - was observed in this case.\n\nThe endpoint compromise level has been assessed - as \"${Analysis.Endpoint.compromise_level}\", based on execution correlation - and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts involved: - ${Analysis.Endpoint.host_count}\n• Users involved: ${Analysis.Endpoint.user_count}\n• - Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n• - Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence - is \"${Analysis.Endpoint.confidence}\". \nResponse recommendation: ${Analysis.Endpoint.response_recommended}." 
+ simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" was observed in this case.\n\ + \nThe endpoint compromise level has been assessed as \"${Analysis.Endpoint.compromise_level}\", based on execution correlation\ + \ and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts involved: ${Analysis.Endpoint.host_count}\n\ + • Users involved: ${Analysis.Endpoint.user_count}\n• Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n\ + • Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence is \"${Analysis.Endpoint.confidence}\"\ + . \nResponse recommendation: ${Analysis.Endpoint.response_recommended}." required: false - description: "" + description: '' playbookInputQuery: null - key: case_host_count value: simple: ${Analysis.Endpoint.host_count} required: false - description: "" + description: '' playbookInputQuery: null - key: case_issue_count value: simple: ${Analysis.Endpoint.issue_count} required: false - description: "" + description: '' playbookInputQuery: null - key: compromise_decision value: simple: ${Analysis.Endpoint.compromise_decision} required: false - description: "" + description: '' playbookInputQuery: null - key: case_user_count value: simple: ${Analysis.Endpoint.user_count} required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_name value: simple: ${SOCFramework.Artifacts.HostName} required: false - description: "" + description: '' playbookInputQuery: null - key: persistence_type value: simple: ${Analysis.Endpoint.persistence_type} required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_user value: simple: ${SOCFramework.Artifacts.UserName} required: false - description: "" + description: '' playbookInputQuery: null - key: mitre_tactic_id value: simple: ${SOCFramework.Mitre.Tactic.ID} required: false - description: "" + description: '' playbookInputQuery: null - 
key: mitre_technique_id value: simple: ${SOCFramework.Mitre.Technique.ID} required: false - description: "" + description: '' playbookInputQuery: null - key: mitre_technique value: simple: ${SOCFramework.Mitre.Technique} required: false - description: "" + description: '' playbookInputQuery: null - key: mitre_tactic value: simple: ${SOCFramework.Mitre.Tactic} required: false - description: "" + description: '' playbookInputQuery: null inputSections: - inputs: @@ -1450,5 +1244,5 @@ outputs: - contextPath: Analysis.mitre_tactic type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml index 9c756d64..d8d4077d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml 
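Review bot: `dirtyInputs: true` → `dirtyInputs: false` is the only value-level change in this file and nothing in the commit explains it; every neighbouring hunk only re-quotes scalars or reflows strings. If this flag is what the platform or the content validators consult to decide whether the `inputs` list is in sync with `inputSections`, clearing it by hand without touching the inputs may mask a mismatch, so either confirm the inputs were actually reconciled or keep `dirtyInputs: true` and let the tooling clear it. The `outputs` list this hunk sits in starts before the hunk.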
@@ -7,65 +7,71 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC Analysis_V3 -description: |- - Identify potential security events, determine whether they represent true alerts, understand their scope and impact, and establish the actionable context needed to respond effectively. +description: 'Identify potential security events, determine whether they represent true alerts, understand their scope and + impact, and establish the actionable context needed to respond effectively. + What this phase includes: + Monitoring security telemetry from logs, alerts, sensors, EDR, SIEM/XSIAM analytics, threat intel, and user reports. + Triaging events to distinguish benign activity, false positives, and true security alerts. - Enriching indicators and artifacts (e.g., IPs, hashes, domains, user accounts, processes, network connections) using internal data and external threat intelligence. + + Enriching indicators and artifacts (e.g., IPs, hashes, domains, user accounts, processes, network connections) using internal + data and external threat intelligence. + Correlating events across systems to understand the timeline, root cause, attack vector, and potential lateral movement. + Assigning alert classification, severity, priority, and category for consistent response. + Documenting findings, evidence, and hypotheses while preserving forensic integrity. + Determining the initial scope and business impact to decide how aggressive containment must be. + Outcome: - A validated and well-understood security alert with clear context, severity, indicators, and scope—enabling the organization to transition into Containment with confidence and accuracy. 
+ + A validated and well-understood security alert with clear context, severity, indicators, and scope—enabling the organization + to transition into Containment with confidence and accuracy.' tags: - SOC - SOC_Framework_Unified - NIST 800-61 - Analysis -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 type: start task: id: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "10" + - '10' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1175, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1175,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -73,8 +79,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "1": - id: "1" + '1': + id: '1' taskid: 57a5da65-400a-4cd5-826c-3436a01618f8 type: playbook task: @@ -84,21 +90,15 @@ tasks: playbookName: SOC Data Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 162.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -106,41 +106,48 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "3": - id: "3" + '3': + id: '3' taskid: 8789348a-ffb7-44b8-bf30-a449ccd3b55d type: playbook task: id: 8789348a-ffb7-44b8-bf30-a449ccd3b55d version: -1 name: SOC EndPoint Analysis_V3 - description: |- - This is the analyst’s core domain. + description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the alert (category, severity, impact). + Document findings and escalate confirmed alerts. + Outcome: Determine whether an event is a legitimate alert and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' playbookName: SOC EndPoint Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' scriptarguments: Alert_Subtype: simple: ${SOCFramework.Product.category} @@ -163,19 +170,13 @@ tasks: XSIAM_RiskScore: simple: ${SOCFramework.Investigation.RiskScore} separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { - "x": 1062.5, - "y": 590 - } - } + view: "{\n \"position\": {\n \"x\": 1062.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -183,8 +184,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "5": - id: "5" + '5': + id: '5' taskid: d7385c3a-2283-4938-81b3-58ea63cc75f2 type: playbook task: 
@@ -194,21 +195,15 @@ tasks: playbookName: SOC Identity Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1512.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1512.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -216,8 +211,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "6": - id: "6" + '6': + id: '6' taskid: e2089744-16e7-4227-8a13-0c65f8278895 type: playbook task: @@ -227,21 +222,15 @@ tasks: playbookName: SOC Network Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1962.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1962.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -249,8 +238,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "7": - id: "7" + '7': + id: '7' taskid: 4b7573be-bd91-4fe6-8959-2bc5d4aaa78c type: playbook task: @@ -260,21 +249,15 @@ tasks: playbookName: SOC SaaS Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 2412.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2412.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -282,8 +265,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "8": - id: "8" + '8': + id: '8' taskid: 3d8bf25e-863c-4ee5-8a18-47d621adbc11 type: playbook task: @@ -293,21 +276,15 @@ tasks: playbookName: SOC Workload Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 2862.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2862.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -315,8 +292,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "9": - id: "9" + '9': + id: '9' taskid: 8ceb5aed-c39b-452d-8fd8-f5f2ed8eb896 type: title task: @@ -325,18 +302,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1287.5, - "y": 775 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1287.5,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -344,8 +315,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "10": - id: "10" + '10': + id: '10' taskid: 92178e4d-7444-47c9-8229-cca9ce09d331 type: condition task: @@ -354,26 +325,26 @@ tasks: name: Product Category type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Data: - - "13" + - '13' Email: - - "18" + - '18' Endpoint: - - "12" + - '12' Identity: - - "14" + - '14' Network: - - "15" + - '15' SaaS: - - "16" + - '16' Workload: - - "17" + - '17' separatecontext: false conditions: - label: Data 
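Review bot: The `'#default#'` branch of the "Product Category" condition (task 10) routes straight to the Done title (task 9), so an alert whose `SOCFramework.Product.category` is empty or outside the eight labels leaves the Analysis phase with no domain sub-playbook run, no `Analysis.*` outputs set, and nothing recording why. Downstream Containment then cannot distinguish "not analyzed" from "analyzed and clean". Consider pointing the default at a task that writes a marker such as `Analysis.unclassified_category: ${SOCFramework.Product.category}` (or raises a note) before Done. The task's `conditions:` list continues past the end of this hunk.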
@@ -446,14 +417,8 @@ tasks: right: value: simple: Network - continueonerrortype: "" - view: |- - { - "position": { - "x": 1175, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1175,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -461,8 +426,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "12": - id: "12" + '12': + id: '12' taskid: 51a32d2e-ec43-4029-8faa-f5c1ab7f7799 type: condition task: @@ -471,14 +436,14 @@ tasks: name: Endpoint Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "3" + - '3' separatecontext: false conditions: - label: Default @@ -525,14 +490,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 950, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -540,8 +499,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "13": - id: "13" + '13': + id: '13' taskid: bdabddaf-0b19-4e96-971a-d3f85479805e type: condition task: @@ -550,14 +509,14 @@ tasks: name: Data Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "1" + - '1' separatecontext: false conditions: - label: Default @@ -604,14 +563,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -619,8 +572,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "14": - id: "14" + '14': + id: '14' taskid: 1333bc58-8ac4-4522-b913-52c76f5cc116 type: condition task: @@ -629,14 +582,14 @@ tasks: name: Identity Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "5" + - '5' separatecontext: false conditions: - label: Default @@ -683,14 +636,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 1400, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -698,8 +645,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "15": - id: "15" + '15': + id: '15' taskid: dca31f2e-7363-4767-bfdd-42af9b9a5066 type: condition task: @@ -708,14 +655,14 @@ tasks: name: Network Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "6" + - '6' separatecontext: false conditions: - label: Default @@ -762,14 +709,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 1850, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1850,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -777,8 +718,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "16": - id: "16" + '16': + id: '16' taskid: 419f92e1-5c35-47f4-ae4e-8b75acf42e57 type: condition task: 
@@ -787,14 +728,14 @@ tasks: name: SaaS Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "7" + - '7' separatecontext: false conditions: - label: Default @@ -841,14 +782,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 2300, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2300,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -856,8 +791,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "17": - id: "17" + '17': + id: '17' taskid: 866225a9-2ae1-434f-b042-8907793f102f type: condition task: @@ -866,14 +801,14 @@ tasks: name: Workload Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "8" + - '8' separatecontext: false conditions: - label: Default @@ -920,14 +855,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 2750, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2750,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -935,8 +864,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "18": - id: "18" + '18': + id: '18' taskid: e96a6c41-f225-4ae6-9939-0bb1639cdecb type: condition task: @@ -945,14 +874,14 @@ tasks: name: Email Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "19" + - '19' separatecontext: false conditions: - label: Default 
@@ -999,14 +928,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1014,50 +937,51 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "19": - id: "19" + '19': + id: '19' taskid: 8d429896-10a1-417b-8289-dbaeb060bcce type: playbook task: id: 8d429896-10a1-417b-8289-dbaeb060bcce version: -1 name: SOC Email Analysis_V3 - description: |- - This is the analyst’s core domain. + description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the alert (category, severity, impact). + Document findings and escalate confirmed alerts. + Outcome: Determine whether an event is a legitimate alert and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' playbookName: SOC Email Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 612.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1066,29 +990,15 @@ tasks: isoversize: false isautoswitchedtoquietmode: false system: true -view: |- - { - "linkLabelsPosition": { - "10_14_Identity": 0.88, - "10_16_SaaS": 0.82, - "10_17_Workload": 0.9, - "18_19_Default": 0.8 - }, - "paper": { - "dimensions": { - "height": 785, - "width": 3192.5, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {\n \"10_14_Identity\": 0.88,\n \"10_16_SaaS\": 0.82,\n \"10_17_Workload\": 0.9,\n\ + \ \"18_19_Default\": 0.8\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 785,\n \"width\": 3192.5,\n\ + \ \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: ExecutionBranch value: simple: ${lists.SOCExecutionList_V3} required: false - description: "" + description: '' playbookInputQuery: null - key: ProductCategory value: @@ -1174,5 +1084,5 @@ outputs: - contextPath: Analysis.case_user_count type: unknown sourceplaybookid: SOC Containment_V3 -dirtyInputs: true +dirtyInputs: false adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml index 232934c7..5908470e 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml @@ -7,9 +7,9 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false 
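Review bot: The `ExecutionBranch` input keeps `description: ''` even though it appears to be the switch that each "… Analysis Execution Branch" condition compares against `Default`/`custom` before any domain sub-playbook runs, so an operator editing `lists.SOCExecutionList_V3` gets no in-product hint of the expected format or effect. Suggest `description: 'Execution list (default: lists.SOCExecutionList_V3) consulted by each domain Execution Branch condition; a domain not enabled here is skipped and the playbook ends at Done.'`, after confirming the list's value format. The `ProductCategory` input that follows is cut off at the end of this hunk.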
@@ -18,32 +18,26 @@ tags: - SOC - SOC_Framework_Unified - Containment -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 type: start task: id: 7e6a701e-667b-4a70-8a74-14564da75fc7 version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "31" + - '31' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -51,8 +45,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "2": - id: "2" + '2': + id: '2' taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 type: title task: @@ -61,18 +55,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 960 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 960\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -80,48 +68,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" + '31': + id: '31' taskid: ccfd4d07-3d48-4610-bf9d-9ed0f49551eb type: regular task: id: ccfd4d07-3d48-4610-bf9d-9ed0f49551eb version: -1 name: Set Containment Status - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.status value: simple: ${inputs.status} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -129,48 +109,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" + '32': + id: '32' taskid: 7ba489bd-a62b-47f4-a5d4-2a157d7dd7fe type: regular task: id: 7ba489bd-a62b-47f4-a5d4-2a157d7dd7fe version: -1 name: Set Containment Isolated Hosts - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "44" + - '44' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.isolate_hosts value: simple: ${inputs.isolated_hosts} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -178,48 +150,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "43": - id: "43" + '43': + id: '43' taskid: fde09d0c-93d8-423c-926d-5f0562365364 type: regular task: id: fde09d0c-93d8-423c-926d-5f0562365364 version: -1 name: Set Story - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.story value: simple: ${inputs.story} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 775 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -227,48 +191,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "44": - id: "44" + '44': + id: '44' taskid: db106c52-f407-4794-bfab-6545966cb9c1 type: regular task: id: db106c52-f407-4794-bfab-6545966cb9c1 version: -1 name: Set Containment Action - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "43" + - '43' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.action value: simple: ${inputs.action} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -276,47 +232,42 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 970, - "width": 380, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 970,\n \"width\": 380,\n\ + \ \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: status value: {} required: false - description: "" + description: '' playbookInputQuery: null - key: isolated_hosts value: {} required: false - description: "" + description: '' playbookInputQuery: null - key: story value: - simple: |- - Malware execution confirmed on ${Analysis.case_host_count} host(s). + simple: 'Malware execution confirmed on ${Analysis.case_host_count} host(s). + Spread level assessed as ${Analysis.spread_level}. + Compromise level: ${Analysis.compromise_level}. + Case risk score: ${Analysis.case_score}. + Containment action taken: ${Containment.action}. + Hosts isolated: ${Containment.isolated_hosts}. - Users disabled: ${Containment.disabled_users}. + + Users disabled: ${Containment.disabled_users}.' required: false - description: "" + description: '' playbookInputQuery: null - key: action value: simple: isolate_host required: false - description: "" + description: '' playbookInputQuery: null inputSections: - inputs: @@ -344,5 +295,5 @@ outputs: - contextPath: Containment.action type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml index 044ba675..97950f8f 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml 
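Review bot: The `story` default interpolates `${Containment.isolated_hosts}`, but the "Set Containment Isolated Hosts" task in this same playbook writes the key `Containment.isolate_hosts` (from `${inputs.isolated_hosts}`), so that field of the narrative will render empty unless something else populates the other spelling. Align the two — either `key: simple: Containment.isolated_hosts` in task 32 or `Hosts isolated: ${Containment.isolate_hosts}.` in the story — and declare the chosen path in `outputs:`. `${Containment.disabled_users}` is likewise not set by any task visible here; presumably an identity containment playbook provides it, worth confirming. If `force: 'true'` on the SetAndHandleEmpty tasks does what its name suggests, the half-empty narrative is written to context rather than skipped, so the mismatch would go unnoticed.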
@@ -1,12 +1,11 @@ -adopted: true fromversion: 5.0.0 id: SOC Containment_V3 -version: 21 +version: 49 contentitemexportablefields: contentitemfields: packID: soc-framework-nist-ir - packName: SOC Framework Unified - itemVersion: 3.1.4 + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 fromServerVersion: 5.0.0 toServerVersion: '' definitionid: '' @@ -69,7 +68,7 @@ tasks: - '21' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1250,\n \"y\": -100\n }\n}" + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -99,7 +98,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -107,7 +105,7 @@ tasks: exitCondition: '' wait: 1 max: 0 - view: "{\n \"position\": {\n \"x\": 1145,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 1605,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -137,7 +135,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -145,7 +142,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 2025,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 2485,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -175,7 +172,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -183,7 +179,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 622.5,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -213,7 +209,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: 
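Review bot: This file's header now disagrees with the rest of the pack in the same commit: `packName` becomes `SOC Framework NIST IR (800-61)` and `itemVersion` drops from `3.1.4` to `1.1.0`, while `SOC_Analysis_V3.yml` and `SOC_Containment_Evaluation_V3.yml` keep `packName: SOC Framework Unified` / `itemVersion: 3.1.4`; the top-level `adopted: true` is also deleted here but retained in the other playbooks. The `version: 21` → `49` jump next to a lower itemVersion suggests this YAML was exported from a different tenant or an older pack build rather than an intentional re-parenting. Restore `packName: SOC Framework Unified`, `itemVersion: 3.1.4` and `adopted: true` unless the pack rename is deliberate, in which case apply it to every item in the pack.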
@@ -221,7 +216,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 1052.5,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -244,7 +239,7 @@ tasks: istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1595,\n \"y\": 775\n }\n}" + view: "{\n \"position\": {\n \"x\": 2045,\n \"y\": 960\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -355,7 +350,7 @@ tasks: value: simple: Workload continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1257.5,\n \"y\": 220\n }\n}" + view: "{\n \"position\": {\n \"x\": 1717.5,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -429,7 +424,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 2925,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 3385,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -501,7 +496,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 2475,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 2935,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -531,7 +526,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -539,7 +533,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 3375,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 3835,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -614,7 +608,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1687.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 2250,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -687,7 +681,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1032.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 1492.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -760,7 +754,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 2362.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 2822.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -833,7 +827,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 3262.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 3722.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -906,7 +900,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 520,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -977,7 +971,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 1052.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1050,7 +1044,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 2812.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 3272.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1088,7 +1082,7 @@ tasks: right: value: {} continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1250,\n \"y\": 30\n }\n}" + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1114,7 +1108,7 @@ tasks: - '8' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1595,\n \"y\": 597.5\n }\n}" + view: "{\n \"position\": {\n \"x\": 2055,\n \"y\": 782.5\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1124,7 +1118,7 @@ tasks: isautoswitchedtoquietmode: false '30': id: '30' - taskid: fcd0fd59-4997-4a18-9c90-421c06c00366 + taskid: c47d557d-c843-42bd-84b3-7825d3179091 type: regular task: id: c47d557d-c843-42bd-84b3-7825d3179091 @@ -1151,7 +1145,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 530\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1161,7 +1155,7 @@ tasks: isautoswitchedtoquietmode: false '31': id: '31' - taskid: b3cb345b-d2b6-4a59-a261-b4ee219a3e14 + taskid: 188c332a-c6aa-4204-b61d-7498a069d059 type: regular task: id: 188c332a-c6aa-4204-b61d-7498a069d059 @@ -1188,7 +1182,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 700\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1198,7 +1192,7 @@ tasks: isautoswitchedtoquietmode: false '32': id: '32' - taskid: 145113c3-8a3f-4a0d-bfa3-1dbfe25ac7b2 + taskid: da7884c4-ccd3-4497-9c37-b0295e4096aa type: regular task: id: da7884c4-ccd3-4497-9c37-b0295e4096aa @@ -1232,7 +1226,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 870\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1242,8 +1236,8 @@ tasks: isautoswitchedtoquietmode: false system: true view: "{\n \"linkLabelsPosition\": {\n \"9_16_Endpoint\": 0.9,\n \"9_17_Network\": 0.3,\n \"9_20_Identity\": 0.9\n\ - \ },\n \"paper\": {\n \"dimensions\": {\n \"height\": 935,\n \"width\": 3705,\n \"x\": 50,\n \"\ - y\": -100\n }\n }\n}" + \ },\n \"paper\": {\n \"dimensions\": {\n \"height\": 970,\n \"width\": 4165,\n \"x\": 50,\n \"\ + y\": 50\n }\n }\n}" inputs: - key: ProductCategory value: @@ -1281,4 +1275,5 @@ outputs: - contextPath: Containment.story type: unknown sourceplaybookid: SOC Containment_V3 -dirtyInputs: true +dirtyInputs: false +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml index a39339aa..8d8d7711 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml @@ -1,27 +1,34 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC Data Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC Data Analysis_V3 inputs: [] name: SOC Data Analysis_V3 outputs: [] -starttaskid: "0" +starttaskid: '0' tags: - SOC - SOC_Framework_Unified 
@@ -29,39 +36,33 @@ tags: - Detection & Analysis - NIST 800-61 tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -70,27 +71,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -99,34 +94,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml index 1162cede..322ecebe 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml @@ -114,4 +114,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml index 8d3ebdaf..a20062bd 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml index c909e826..bad0754f 100644 
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml index 7d3cb8bd..38fa7031 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml @@ -417,10 +417,10 @@ tasks: isautoswitchedtoquietmode: false '15': id: '15' - taskid: bf21gc03-d4e5-5f6a-c7b8-90123456bcde + taskid: c125bb93-7ce0-5b63-bfcb-48c6c5a37642 type: playbook task: - id: bf21gc03-d4e5-5f6a-c7b8-90123456bcde + id: c125bb93-7ce0-5b63-bfcb-48c6c5a37642 version: -1 name: SOC Email Spread Evaluation_V3 description: Maps RecipientScope to canonical spread_level (single_entity / limited_entity / multi_entity) and audits diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml index 71bb2126..87d26f7d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml 
@@ -1,114 +1,185 @@ adopted: true -id: SOC Email Exposure Evaluation V3 -name: SOC Email Exposure Evaluation V3 +id: SOC Email Exposure Evaluation_V3 +name: SOC Email Exposure Evaluation_V3 version: -1 fromversion: 5.0.0 -description: Evaluates Proofpoint TAP email exposure via Universal Command. Determines click/delivered/blocked exposure level, recipient scope, and high-value user involvement. No XQL dependency. +description: Evaluates Proofpoint TAP email exposure via Universal Command. Determines click/delivered/blocked exposure level, + recipient scope, and high-value user involvement. No XQL dependency. tags: - - Email - - SOCFramework - - Analysis -starttaskid: "0" - +- Email +- SOCFramework +- Analysis +starttaskid: '0' inputs: [] - -outputs: [] - +outputs: +- contextPath: Email.Exposure.level + description: 'Exposure level: clicked / delivered / blocked' + type: String +- contextPath: Email.Exposure.click_count + description: Number of click events observed for the threat URL + type: Number +- contextPath: Email.Exposure.delivered_count + description: Number of delivered message events for the threat URL + type: Number +- contextPath: Email.Exposure.mailbox_count + description: Total number of affected mailboxes (blast radius) + type: Number +- contextPath: Email.Exposure.recipient_scope + description: 'Recipient scope: targeted (≤5 mailboxes) / broad (>5)' + type: String +- contextPath: Email.Exposure.message_id + description: Proofpoint GUID for downstream correlation + type: String +- contextPath: Email.Exposure.high_value_user + description: true if a high-value user was targeted + type: String +- contextPath: Email.Classification + description: 'Email classification from TAP alert: phish / malware / spam' + type: String tasks: - "0": - id: "0" - taskid: "0" + '0': + id: '0' + taskid: 41afcaf6-108b-5bc5-af11-cd02c873e084 type: start task: - id: "0" - name: "" + id: 41afcaf6-108b-5bc5-af11-cd02c873e084 + name: '' iscommand: false - brand: "" + brand: '' 
+ version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "1" + - '1' separatecontext: false - continueonerrortype: "" - - "1": - id: "1" - taskid: "1" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 50}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '1': + id: '1' + taskid: 32dff903-6c43-5958-9050-2eff3f0b3ae2 type: title task: - id: "1" + id: 32dff903-6c43-5958-9050-2eff3f0b3ae2 name: Query Delivery & Click Events type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' separatecontext: false - - "2": - id: "2" - taskid: "2" + view: '{"position": {"x": 592, "y": 195}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '2': + id: '2' + taskid: 6f0e4c70-e000-5c0e-839c-bbd635ae2da8 type: condition task: - id: "2" + id: 6f0e4c70-e000-5c0e-839c-bbd635ae2da8 name: Is Click Event? - description: Checks alert.type directly to determine whether the triggering event is a click or delivery event. No XQL required. If click, seeds click_count=1 before API call so count is never zero even if API interval misses this event. + description: Checks alert.type directly to determine whether the triggering event is a click or delivery event. No XQL + required. If click, seeds click_count=1 before API call so count is never zero even if API interval misses this event. 
type: condition iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false conditions: - - label: "YES" - condition: - - - operator: isEqualString - left: - value: - simple: ${alert.type} - iscontext: true - right: - value: - simple: clicks permitted - ignorecase: true + - label: 'YES' + condition: + - - operator: isEqualString + left: + value: + simple: ${alert.type} + iscontext: true + right: + value: + simple: clicks permitted + ignorecase: true nexttasks: - "YES": - - "3" + 'YES': + - '3' '#default#': - - "4" + - '4' separatecontext: false - - "3": - id: "3" - taskid: "3" + view: '{"position": {"x": 592, "y": 360}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '3': + id: '3' + taskid: ee2cb1ec-3409-5f86-b500-fe08effd6eac type: regular task: - id: "3" + id: ee2cb1ec-3409-5f86-b500-fe08effd6eac name: Seed Click Count - Alert Is Click Event - description: Sets click_count=1 as a floor. Subsequent Set Click Count task uses SetAndHandleEmpty which will only overwrite if the API returns a non-empty result. If API interval misses this event, the seed of 1 is preserved. + description: Sets click_count=1 as a floor. Subsequent Set Click Count task uses SetAndHandleEmpty which will only overwrite + if the API returns a non-empty result. If API interval misses this event, the seed of 1 is preserved. 
script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.click_count value: - simple: "1" + simple: '1' append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "4" + - '4' separatecontext: false - - "4": - id: "4" - taskid: "4" + view: '{"position": {"x": 250, "y": 555}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '4': + id: '4' + taskid: db8a924c-9a49-5d3a-8240-1a4b598b4e2b type: regular task: - id: "4" + id: db8a924c-9a49-5d3a-8240-1a4b598b4e2b name: Get Email Events via Universal Command - description: Calls soc-get-email-events via SOCCommandWrapper. Runs proofpoint-get-messages-delivered and proofpoint-get-clicks-permitted against the threat URL. shadow_mode=false so enrichment is never suppressed. + description: Calls soc-get-email-events via SOCCommandWrapper. Runs proofpoint-get-messages-delivered and proofpoint-get-clicks-permitted + against the threat URL. shadow_mode=false so enrichment is never suppressed. script: SOCCommandWrapper iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: action: simple: soc-get-email-events 
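Review bot: The playbook `id` and `name` change from `SOC Email Exposure Evaluation V3` to `SOC Email Exposure Evaluation_V3` at the top of this hunk, and `id` is the key that sub-playbook tasks in other playbooks reference through `playbookId`; nothing in this diff updates such a caller (the SOC_Email_Analysis_V3 hunk only touches the Spread Evaluation task), so any caller still pointing at the old id would fail to resolve — confirm the references were updated. Separately, the new `Email.Exposure.high_value_user` output is declared `type: String` while its description says `true if a high-value user was targeted`; if the value written downstream is a boolean, `type: Boolean` keeps the declared contract honest for consumers. The task definitions this hunk opens continue in the following hunks.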
@@ -116,21 +187,32 @@ tasks: simple: SOCFrameworkActions_V3 nexttasks: '#none#': - - "5" + - '5' separatecontext: false - continueonerrortype: "" - - "5": - id: "5" - taskid: "5" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 740}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '5': + id: '5' + taskid: 874a9608-29e0-5205-bd58-26ba982990d7 type: regular task: - id: "5" + id: 874a9608-29e0-5205-bd58-26ba982990d7 name: Get Email Forensics via Universal Command - description: Calls soc-get-email-forensics via SOCCommandWrapper. Runs proofpoint-get-forensics with threatId and campaignId. shadow_mode=false so enrichment is never suppressed. + description: Calls soc-get-email-forensics via SOCCommandWrapper. Runs proofpoint-get-forensics with threatId and campaignId. + shadow_mode=false so enrichment is never suppressed. script: SOCCommandWrapper iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: action: simple: soc-get-email-forensics 
@@ -138,21 +220,32 @@ tasks: simple: SOCFrameworkActions_V3 nexttasks: '#none#': - - "6" + - '6' separatecontext: false - continueonerrortype: "" - - "6": - id: "6" - taskid: "6" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 920}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '6': + id: '6' + taskid: f63228bb-9090-563a-8092-4e88a71655eb type: regular task: - id: "6" + id: f63228bb-9090-563a-8092-4e88a71655eb name: Set Click Count - description: Count entries in UC.Email.Events.clicks_permitted array. SetAndHandleEmpty only overwrites if non-empty, preserving the seeded value of 1 if the API returned no results. + description: Count entries in UC.Email.Events.clicks_permitted array. SetAndHandleEmpty only overwrites if non-empty, + preserving the seeded value of 1 if the API returned no results. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.click_count 
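Review bot: The description added for task 6 (`Set Click Count`) states that `SetAndHandleEmpty` preserves the seeded `click_count` of 1 when the API returns nothing, but the value handed to it in the next hunk is `UC.Email.Events.clicks_permitted` passed through the `count` transformer; if `count` yields `0` for a missing or empty array rather than an empty result, that `0` is a non-empty value and overwrites the seed, and the exposure condition in task 13 would then classify a confirmed click alert as delivered or blocked. Worth verifying with a run where the clicks query returns no rows; if `count` does return 0, only running task 6 when `UC.Email.Events.clicks_permitted` is non-empty keeps the documented floor. Task 6's `scriptarguments` continue in the following hunk.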
@@ -160,25 +253,36 @@ tasks: complex: root: UC.Email.Events.clicks_permitted transformers: - - operator: count + - operator: count append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "7" + - '7' separatecontext: false - - "7": - id: "7" - taskid: "7" + view: '{"position": {"x": 592, "y": 1100}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '7': + id: '7' + taskid: ad7724f4-30fa-5621-bf1d-a76d92c8b7bb type: regular task: - id: "7" + id: ad7724f4-30fa-5621-bf1d-a76d92c8b7bb name: Set Delivered Count description: Count entries in UC.Email.Events.messages_delivered array. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.delivered_count @@ -186,25 +290,36 @@ tasks: complex: root: UC.Email.Events.messages_delivered transformers: - - operator: count + - operator: count append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "8" + - '8' separatecontext: false - - "8": - id: "8" - taskid: "8" + view: '{"position": {"x": 592, "y": 1280}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '8': + id: '8' + taskid: 57870dec-108e-5ced-9299-298b059b24eb type: regular task: - id: "8" + id: 57870dec-108e-5ced-9299-298b059b24eb name: Set Mailbox Count description: Derives total mailbox count from delivered messages array length. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.mailbox_count 
@@ -212,25 +327,36 @@ tasks: complex: root: UC.Email.Events.messages_delivered transformers: - - operator: count + - operator: count append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "9" + - '9' separatecontext: false - - "9": - id: "9" - taskid: "9" + view: '{"position": {"x": 592, "y": 1460}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '9': + id: '9' + taskid: dfb7fffa-9458-51d9-ba6f-97d2663ad05c type: regular task: - id: "9" + id: dfb7fffa-9458-51d9-ba6f-97d2663ad05c name: Set Message ID description: Store the Proofpoint GUID for downstream correlation. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.message_id 
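Review bot: `Email.Exposure.mailbox_count` in task 8 is computed exactly like `delivered_count` in task 7 — the `count` of `UC.Email.Events.messages_delivered` — so the two outputs are always equal and `recipient_scope` (targeted ≤5 / broad >5 per the outputs section) is really a delivered-message count. If an entry in `messages_delivered` can carry several recipients, or the same mailbox can appear in several entries, the blast-radius figure is off in either direction; a distinct count over the recipient field (`uniq` followed by `count`; the field name depends on what `soc-get-email-events` returns, which is not visible here) would match the description `Total number of affected mailboxes`. Task 8's definition starts in the previous hunk.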
@@ -239,38 +365,60 @@ tasks: root: UC.Email.Events accessor: message_id append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "10" + - '10' separatecontext: false - - "10": - id: "10" - taskid: "10" + view: '{"position": {"x": 592, "y": 1640}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '10': + id: '10' + taskid: da1fe29c-2599-57d0-bd41-c3793077de04 type: title task: - id: "10" + id: da1fe29c-2599-57d0-bd41-c3793077de04 name: Set Classification type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "11" + - '11' separatecontext: false - - "11": - id: "11" - taskid: "11" + view: '{"position": {"x": 592, "y": 1820}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '11': + id: '11' + taskid: a116216b-cbac-5e4f-ae46-0057986cf135 type: regular task: - id: "11" + id: a116216b-cbac-5e4f-ae46-0057986cf135 name: Set Email Classification description: Pulls classification label directly from the alert field (phish/malware/spam). No secondary lookup needed. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Classification 
@@ -279,270 +427,479 @@ tasks: root: alert accessor: classification append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "12" + - '12' separatecontext: false - - "12": - id: "12" - taskid: "12" + view: '{"position": {"x": 592, "y": 1990}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '12': + id: '12' + taskid: 06d02667-ba52-50bc-8071-9ca66854944b type: title task: - id: "12" + id: 06d02667-ba52-50bc-8071-9ca66854944b name: Determine Exposure Level type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "13" + - '13' separatecontext: false - - "13": - id: "13" - taskid: "13" + view: '{"position": {"x": 592, "y": 2170}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '13': + id: '13' + taskid: edc3ca1e-957f-50d6-9103-7bc47a42b18f type: condition task: - id: "13" + id: edc3ca1e-957f-50d6-9103-7bc47a42b18f name: Exposure Level? description: CLICKED takes priority over DELIVERED. Default with no clicks or deliveries is blocked. 
type: condition iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false conditions: - - label: CLICKED - condition: - - - operator: isNotEmpty - left: - value: - simple: ${Email.Exposure.click_count} - iscontext: true - - operator: greaterThan - left: - value: - simple: ${Email.Exposure.click_count} - iscontext: true - right: - value: - simple: "0" - - label: DELIVERED - condition: - - - operator: isNotEmpty - left: - value: - simple: ${Email.Exposure.delivered_count} - iscontext: true - - operator: greaterThan - left: - value: - simple: ${Email.Exposure.delivered_count} - iscontext: true - right: - value: - simple: "0" + - label: CLICKED + condition: + - - operator: isNotEmpty + left: + value: + simple: ${Email.Exposure.click_count} + iscontext: true + - operator: greaterThan + left: + value: + simple: ${Email.Exposure.click_count} + iscontext: true + right: + value: + simple: '0' + - label: DELIVERED + condition: + - - operator: isNotEmpty + left: + value: + simple: ${Email.Exposure.delivered_count} + iscontext: true + - operator: greaterThan + left: + value: + simple: ${Email.Exposure.delivered_count} + iscontext: true + right: + value: + simple: '0' nexttasks: CLICKED: - - "14" + - '14' DELIVERED: - - "15" + - '15' '#default#': - - "16" + - '16' separatecontext: false - - "14": - id: "14" - taskid: "14" + view: '{"position": {"x": 592, "y": 2340}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '14': + id: '14' + taskid: eb971bc0-bd59-5ea6-a07c-3473fe8a3949 type: regular task: - id: "14" + id: eb971bc0-bd59-5ea6-a07c-3473fe8a3949 name: Set Exposure Level - clicked script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: 
simple: Email.Exposure.level value: simple: clicked append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "17" + - '17' separatecontext: false - - "15": - id: "15" - taskid: "15" + view: '{"position": {"x": 150, "y": 2540}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '15': + id: '15' + taskid: 18a5cca2-e3f4-51cc-b387-475f43394077 type: regular task: - id: "15" + id: 18a5cca2-e3f4-51cc-b387-475f43394077 name: Set Exposure Level - delivered script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.level value: simple: delivered append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "17" + - '17' separatecontext: false - - "16": - id: "16" - taskid: "16" + view: '{"position": {"x": 592, "y": 2540}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '16': + id: '16' + taskid: dbf84b1c-c45b-5357-a3c8-6dc6ff187e3a type: regular task: - id: "16" + id: dbf84b1c-c45b-5357-a3c8-6dc6ff187e3a name: Set Exposure Level - blocked script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.level value: simple: blocked append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "17" + - '17' separatecontext: false - - "17": - id: "17" - taskid: "17" + view: '{"position": {"x": 1020, "y": 2540}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '17': + id: '17' + 
taskid: a4ee6ff5-88f9-56e6-b0ab-368c3cebe620 type: title task: - id: "17" + id: a4ee6ff5-88f9-56e6-b0ab-368c3cebe620 name: Determine Recipient Scope type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "18" + - '18' separatecontext: false - - "18": - id: "18" - taskid: "18" - type: regular + view: '{"position": {"x": 592, "y": 2730}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '18': + id: '18' + taskid: f66dbd21-6781-5ba1-bcb3-2d316b6ba1a3 + type: condition task: - id: "18" - name: Set Recipient Scope - description: Classifies blast radius as targeted (1-5 mailboxes) or broad (more than 5). Feeds Analysis verdict severity and blast radius fields. - script: SetAndHandleEmpty + id: f66dbd21-6781-5ba1-bcb3-2d316b6ba1a3 + version: -1 + name: Targeted Scope? (≤5 mailboxes) + description: Classifies recipient scope as targeted (1-5 mailboxes) or broad (>5). Replaces if-then-else transformer + which is not supported in XSIAM (error 52). 
+ type: condition iscommand: false - brand: "" - scriptarguments: - key: - simple: Email.Exposure.recipient_scope - value: - complex: - root: Email.Exposure.mailbox_count - transformers: - - operator: if-then-else - args: - condition: - value: - simple: lte,5 - thenValue: - value: - simple: targeted - elseValue: - value: - simple: broad - append: - simple: "false" + brand: '' + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: - '#none#': - - "19" + 'yes': + - 18a + '#default#': + - 18b + conditions: + - label: 'yes' + condition: + - - operator: lessThanOrEqual + left: + value: + simple: ${Email.Exposure.mailbox_count} + iscontext: true + right: + value: + simple: '5' separatecontext: false - - "19": - id: "19" - taskid: "19" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 2905}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '19': + id: '19' + taskid: 4fa0c2f1-85b3-571c-bd7e-ab2dfc27aea1 type: title task: - id: "19" + id: 4fa0c2f1-85b3-571c-bd7e-ab2dfc27aea1 name: High Value User Check type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "20" + - '20' separatecontext: false - - "20": - id: "20" - taskid: "20" + view: '{"position": {"x": 592, "y": 3080}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '20': + id: '20' + taskid: 72081240-6e86-5299-86da-104f60736cde type: condition task: - id: "20" + id: 72081240-6e86-5299-86da-104f60736cde name: Is Recipient a High Value User? - description: Checks whether the alert username appears in the SOCFWHighValueUsers list. 
If matched, sets Email.Exposure.high_value_user=true to escalate priority in the parent Analysis playbook. + description: Checks whether the alert username appears in the SOCFWHighValueUsers list. If matched, sets Email.Exposure.high_value_user=true + to escalate priority in the parent Analysis playbook. type: condition iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false conditions: - - label: "YES" - condition: - - - operator: inList - left: - value: - simple: ${alert.username} - iscontext: true - right: - value: - simple: ${lists.SOCFWHighValueUsers} - iscontext: true + - label: 'YES' + condition: + - - operator: inList + left: + value: + simple: ${alert.username} + iscontext: true + right: + value: + simple: ${lists.SOCFWHighValueUsers} + iscontext: true nexttasks: - "YES": - - "21" + 'YES': + - '21' '#default#': - - "22" + - '22' separatecontext: false - - "21": - id: "21" - taskid: "21" + view: '{"position": {"x": 592, "y": 3250}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '21': + id: '21' + taskid: 3714f59d-5bf3-5075-9bc3-035a5e635edd type: regular task: - id: "21" + id: 3714f59d-5bf3-5075-9bc3-035a5e635edd name: Set High Value User Involved script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.high_value_user value: - simple: "true" + simple: 'true' append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "22" + - '22' separatecontext: false - - "22": - id: "22" - taskid: "22" + view: '{"position": {"x": 950, "y": 3450}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + 
continueonerrortype: '' + '22': + id: '22' + taskid: 7988e1a7-1621-5254-938e-47d363c8c96b type: title task: - id: "22" + id: 7988e1a7-1621-5254-938e-47d363c8c96b name: Done type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + view: '{"position": {"x": 592, "y": 3640}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + 18a: + id: 18a + taskid: 6f597fb5-14f0-55f4-b4f4-21800c6be361 + type: regular + task: + id: 6f597fb5-14f0-55f4-b4f4-21800c6be361 + version: -1 + name: Set Recipient Scope — targeted + type: regular + iscommand: false + brand: '' + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + scriptName: SetAndHandleEmpty + nexttasks: + '#none#': + - '19' + scriptarguments: + key: + simple: Email.Exposure.recipient_scope + value: + simple: targeted + append: + simple: 'false' + force: + simple: 'true' + separatecontext: false + continueonerrortype: '' + view: '{"position": {"x": 250, "y": 3090}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + 18b: + id: 18b + taskid: d1c24651-1cd5-5f16-9e17-a724f00fd63b + type: regular + task: + id: d1c24651-1cd5-5f16-9e17-a724f00fd63b + version: -1 + name: Set Recipient Scope — broad + type: regular + iscommand: false + brand: '' + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + scriptName: SetAndHandleEmpty + nexttasks: + '#none#': + - '19' + scriptarguments: + key: + simple: Email.Exposure.recipient_scope + value: + simple: broad + append: + simple: 'false' + force: + simple: 'true' separatecontext: false + continueonerrortype: '' + view: '{"position": {"x": 935, "y": 3090}}' + note: false + timertriggers: [] 
+ ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 3900, "width": 1400, "x": 50, "y": 50}}}' +contentitemexportablefields: + contentitemfields: + definitionid: '' + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.1.0 + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR + prevname: '' + supportedModules: [] + toServerVersion: '' diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml index 296c9604..3bc26b70 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml @@ -1,8 +1,19 @@ -adopted: true +fromversion: 5.0.0 id: SOC Email Forensics Evaluation_V3 +version: 48 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 6.10.0 + toServerVersion: '' + definitionid: '' + prevname: '' + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false name: SOC Email Forensics Evaluation_V3 -version: -1 -fromversion: 6.10.0 description: "NIST IR 800-61 — Detection & Analysis — Email Forensics Evaluation\n\nAnswers: what did this threat actually\ \ do, and what forensic evidence exists?\n\nValue Driver: VD1 (Reduce Risk) — forensic data drives accurate verdict confidence\ \ and informs eradication scope.\nValue Driver: VD3 (Efficiency) — automated forensics retrieval replaces manual Proofpoint\ @@ -26,7 +37,7 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: 8ee1fe1d-e767-491c-b669-2a96023346d2 + taskid: 58238c60-26f4-4a51-a449-354a86a91458 type: start task: id: 58238c60-26f4-4a51-a449-354a86a91458 
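Review bot: The new `Targeted Scope?` condition (task 18) decides on `lessThanOrEqual` against `'5'` alone, so an empty or unset `${Email.Exposure.mailbox_count}` is not handled explicitly and a count of 0 takes the `'yes'` branch and is written as `targeted`, which contradicts the task's own description of targeted as 1-5 mailboxes; the `Exposure Level?` condition in the same hunk guards each comparison with `isNotEmpty` first, and task 18 should follow that pattern so a missing count falls to `#default#` instead of silently reading as a small blast radius. How `lessThanOrEqual` behaves on an empty context value is not visible here, so treat that case as undefined until it is guarded, and either route a zero count to its own branch with `greaterThan` `'0'` or reword the description to say what 0 means. The two new branch tasks `18a`/`18b` declare `scriptName: SetAndHandleEmpty` whereas every other SetAndHandleEmpty task in this hunk (9, 11, 14, 15, 16, 21) uses `script: SetAndHandleEmpty`; if the engine resolves regular tasks by `script`, these two would import as missing components, so align the key. The `tasks:` map these entries belong to starts before this hunk.
```yaml
      conditions:
      - label: 'yes'
        condition:
        - - operator: isNotEmpty
            left:
              value:
                simple: ${Email.Exposure.mailbox_count}
              iscontext: true
          - operator: lessThanOrEqual
            left:
              value:
                simple: ${Email.Exposure.mailbox_count}
              iscontext: true
            right:
              value:
                simple: '5'
# … unchanged: nexttasks, separatecontext, view and the remaining task fields …
```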
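Review bot: `fromversion` drops from 6.10.0 to 5.0.0 in this header while the `fromServerVersion: 6.10.0` added a few lines below still states the old floor, and the playbook calls `Builtin|||setIssue` further down, so the new value appears to advertise support for servers the rest of the metadata says are unsupported; keep `fromversion: 6.10.0` (or raise `fromServerVersion` if 5.0.0 is intentional). The IOC Enrichment header hunk repeats the same shape with the same mismatch. `packName` here is `SOC Framework NIST IR (800-61)` whereas the `contentitemexportablefields` block added at the end of the Exposure Evaluation hunk uses `SOC Framework NIST IR`, and `version: -1` is replaced by an export counter (`version: 48`) even though every task in the file still carries `version: -1`; both look like server-export residue that should be normalised before commit. `itemVersion` also goes from 3.0.0 to 1.1.0, which reads as a version regression unless the pack metadata was deliberately reset.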
@@ -41,7 +52,7 @@ tasks: - '1' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 50\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -51,7 +62,7 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: 52d84739-32bb-489c-ad29-026452a6a423 + taskid: 23698d40-5318-4874-a3fc-2df29e48818f type: title task: id: 23698d40-5318-4874-a3fc-2df29e48818f @@ -67,7 +78,7 @@ tasks: - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 195\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -77,7 +88,7 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: 7975a7ce-95f4-4b76-b968-473048a9785f + taskid: a9ab15d4-5b0f-417b-972d-f99222f79469 type: regular task: id: a9ab15d4-5b0f-417b-972d-f99222f79469 @@ -108,7 +119,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 365\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 390\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -118,7 +129,7 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: db3bd46e-1001-462f-9d6d-615c972b644a + taskid: 34c83a91-5113-49ec-9467-a2e512f9c36e type: regular task: id: 34c83a91-5113-49ec-9467-a2e512f9c36e @@ -149,7 +160,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 365\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -159,7 +170,7 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: 54b447d0-4e39-4700-af82-e3bf1b19c76c + taskid: e3ab0dcd-c048-455d-a693-92dbc2b1b1c8 type: title task: id: e3ab0dcd-c048-455d-a693-92dbc2b1b1c8 
@@ -175,7 +186,7 @@ tasks: - '5' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 555\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -185,13 +196,12 @@ tasks: isautoswitchedtoquietmode: false '5': id: '5' - taskid: 051c11cd-2a92-4159-a8c5-ebe6d41f6514 + taskid: 26c1fc39-ddc3-4489-b62d-b236d88025c0 type: condition task: id: 26c1fc39-ddc3-4489-b62d-b236d88025c0 version: -1 name: IDs Available? - type: condition description: 'Routes forensics retrieval based on which IDs are present. Campaign+Threat: fetch by threat ID with campaign forensics included. @@ -201,6 +211,7 @@ tasks: Threat Only: fetch by threat ID. Default (neither): skip forensics, proceed to summarize.' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -214,6 +225,7 @@ tasks: - '6' Threat Only: - '6' + separatecontext: false conditions: - label: Campaign + Threat condition: @@ -257,9 +269,8 @@ tasks: value: simple: SOCFramework.Email.TAP.ThreatID iscontext: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 725\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -293,7 +304,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: errorPath - view: '{"position": {"x": 480, "y": 560}}' + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 1115\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -303,7 +314,7 @@ tasks: isautoswitchedtoquietmode: false '9': id: '9' - taskid: 2dfa82e2-c0a3-4257-b8fa-465d2995be0e + taskid: ad9b27bc-08eb-4964-a077-276fd21c6806 type: title task: id: ad9b27bc-08eb-4964-a077-276fd21c6806 
@@ -319,7 +330,7 @@ tasks: - '10' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 920\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -329,7 +340,7 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: 20ee7e5a-788b-41c0-8555-0f06b388d496 + taskid: 3a59d92c-4751-4a3a-8c8d-14216a33dea6 type: title task: id: 3a59d92c-4751-4a3a-8c8d-14216a33dea6 @@ -345,7 +356,7 @@ tasks: - '11' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1110\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1470\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -355,18 +366,18 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: 9f0ddb17-9f95-4cb7-b17f-fd4ed9d9d056 + taskid: 4922ac4e-dbc1-443e-ad10-d6fb584a0cf7 type: condition task: id: 4922ac4e-dbc1-443e-ad10-d6fb584a0cf7 version: -1 name: Forensics Data Exists? - type: condition description: 'Checks for Proofpoint.Report.Behavior as the presence signal for forensics data. Behavior is always populated when forensics are returned. Future: swap to UC.Email.Forensics.behavior when SOCCommandWrapper output_map is implemented.' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -376,6 +387,7 @@ tasks: - '13' 'yes': - '12' + separatecontext: false conditions: - label: 'yes' condition: @@ -384,9 +396,8 @@ tasks: value: simple: Proofpoint.Report.Behavior iscontext: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1280\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1640\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -396,19 +407,19 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: 6a1304af-0509-49c1-b087-4eba3e2fd23d + taskid: d04043ad-70d5-49d8-8f48-974eea15cd6b type: regular task: id: d04043ad-70d5-49d8-8f48-974eea15cd6b version: -1 name: Summarize Forensic Data description: Write forensics summary to warroom. + script: Builtin|||setIssue type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||setIssue nexttasks: '#none#': - '13' @@ -477,7 +488,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1465\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 1825\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -487,7 +498,7 @@ tasks: isautoswitchedtoquietmode: false '13': id: '13' - taskid: 92681567-a6a3-4f7c-ab37-be78ea3e7c10 + taskid: 56453e3b-ec35-42a6-8bcd-bff24e97838c type: regular task: id: 56453e3b-ec35-42a6-8bcd-bff24e97838c @@ -515,7 +526,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1655\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2010\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -525,7 +536,7 @@ tasks: isautoswitchedtoquietmode: false '14': id: '14' - taskid: a1ed723f-c2b6-4c76-b98c-012287bf2fe8 + taskid: de4bb3fe-9e59-4e52-af23-e84c194c80ab type: title task: id: de4bb3fe-9e59-4e52-af23-e84c194c80ab @@ -536,10 +547,9 @@ tasks: brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1835\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2195\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -547,8 +557,18 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2205,\n \"width\":\ + \ 492.5,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: [] -inputSections: [] +outputSections: +- outputs: + - SOCFramework.Email.TAP.CampaignID + - SOCFramework.Email.TAP.ThreatID + - Analysis.Email.forensics_available + name: Forensics Contract + description: CampaignID and ThreatID consumed by Exposure Evaluation XQL filter. forensics_available consumed by Analysis + Evaluation narrative. outputs: - contextPath: SOCFramework.Email.TAP.CampaignID description: Proofpoint TAP campaign ID — extracted from alert.proofpointtapcampaignid @@ -560,25 +580,4 @@ outputs: - contextPath: Analysis.Email.forensics_available description: True if Proofpoint.Report.Behavior was populated by forensics retrieval type: boolean -outputSections: -- outputs: - - SOCFramework.Email.TAP.CampaignID - - SOCFramework.Email.TAP.ThreatID - - Analysis.Email.forensics_available - name: Forensics Contract - description: CampaignID and ThreatID consumed by Exposure Evaluation XQL filter. forensics_available consumed by Analysis - Evaluation narrative. -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1890,\n \"width\":\ - \ 1350,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" -contentitemexportablefields: - contentitemfields: - definitionid: '' - fromServerVersion: 6.10.0 - isoverridable: false - itemVersion: 3.0.0 - packID: soc-framework-nist-ir - packName: SOC Framework NIST IR - prevname: '' - supportedModules: [] - toServerVersion: '' -dirtyInputs: false +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml index eee3dc9f..05b06b70 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml 
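Review bot: `system: true` is introduced at the top level of the playbook in this hunk, a flag that in server exports typically marks system-owned, non-editable content; whether this pack intends the playbook to be locked after install is not visible in the diff, and if it does not, the flag should be dropped together with the other export-only fields this change brings in (`vcShouldKeepItemLegacyProdMachine`, `contentitemexportablefields`). The removal of `dirtyInputs: false` in the following hunk is presumably part of the same cleanup, so it would help to state in the commit description that these fields are intentionally regenerated from an export rather than hand-maintained.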
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml @@ -1,8 +1,19 @@ -adopted: true +fromversion: 5.0.0 id: SOC Email IOC Enrichment_V3 +version: 41 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 6.10.0 + toServerVersion: '' + definitionid: '' + prevname: '' + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false name: SOC Email IOC Enrichment_V3 -version: -1 -fromversion: 6.10.0 description: "NIST IR 800-61 — Detection & Analysis — Email IOC Enrichment\n\nCreates indicators in XSIAM TIM, assigns Proofpoint\ \ DBot scores, and checks sender prevalence before Signal Characterization runs.\n\nMUST run before SOC Email Signal Characterization_V3\ \ — Signal Characterization reads DBotScore.Score via GetIndicatorDBotScoreFromCache. If no indicator exists with a score,\ @@ -26,7 +37,7 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: 4dbf16a9-878a-4f02-81f8-bbc7d84ab027 + taskid: 51b4a7c9-3f34-480b-a0f8-bf48cbe81ca5 type: start task: id: 51b4a7c9-3f34-480b-a0f8-bf48cbe81ca5 @@ -42,7 +53,7 @@ tasks: - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 50\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -52,16 +63,16 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: b9e71c8d-a4ee-40ef-9e10-4be78fba8eea + taskid: 3ef80573-d0c0-4812-b210-a6ba459d5df7 type: condition task: id: 3ef80573-d0c0-4812-b210-a6ba459d5df7 version: -1 name: Is URL Threat? - type: condition description: 'Routes to URL IOC creation if threatType contains "url". Source: alert.proofpointtapthreatinfomap.threatType' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null 
@@ -71,6 +82,7 @@ tasks: - '10' 'yes': - '3' + separatecontext: false conditions: - label: 'yes' condition: @@ -83,9 +95,8 @@ tasks: value: simple: url ignorecase: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 220\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -95,16 +106,16 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: 445d06e5-1448-45a2-ad49-ae786bb96b17 + taskid: 84eb463d-e7c3-44e4-b860-264f5ed4c2b0 type: condition task: id: 84eb463d-e7c3-44e4-b860-264f5ed4c2b0 version: -1 name: Is Attachment Threat? - type: condition description: 'Routes to File IOC creation if threatType contains "attachment". Source: alert.proofpointtapthreatinfomap.threatType' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -114,6 +125,7 @@ tasks: - '10' 'yes': - '6' + separatecontext: false conditions: - label: 'yes' condition: @@ -126,9 +138,8 @@ tasks: value: simple: attachment ignorecase: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 220\n }\n}" + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -138,7 +149,7 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: 5d24be2e-ef81-45de-a428-6f74f9eb1edc + taskid: 7374b5c1-3696-4a0d-905b-7219add8b604 type: title task: id: 7374b5c1-3696-4a0d-905b-7219add8b604 @@ -154,7 +165,7 @@ tasks: - '4' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 410\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -164,33 +175,33 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: 4bddec58-29a6-499a-9294-fd8197baf0aa + taskid: d0a414b4-2386-452a-8845-3d8f093d97c1 type: regular task: id: d0a414b4-2386-452a-8845-3d8f093d97c1 version: -1 name: Create URL Indicator description: commands.local.cmd.new.indicator + script: Builtin|||createNewIndicator type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||createNewIndicator nexttasks: '#none#': - '5' scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} type: simple: URL value: simple: ${inputs.ThreatURL} - proofpointtaplink: - simple: ${inputs.ThreatURL} separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 580\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -200,7 +211,7 @@ tasks: isautoswitchedtoquietmode: false '5': id: '5' - taskid: 4ee8414d-6347-4af9-8405-2adf07865451 + taskid: 3442ffab-32ee-4a8a-bcb0-199f1d213433 type: regular task: id: 3442ffab-32ee-4a8a-bcb0-199f1d213433 @@ -237,16 +248,16 @@ tasks: accessor: threat indicatorType: simple: URL - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 750\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -256,7 +267,7 @@ tasks: isautoswitchedtoquietmode: false '6': id: '6' - taskid: a067fb55-ca99-4d8c-b30d-f223279a8873 + taskid: 75fc0a2c-1eee-45aa-9c18-4dcd9930b090 type: title task: id: 75fc0a2c-1eee-45aa-9c18-4dcd9930b090 
@@ -272,7 +283,7 @@ tasks: - '7' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 410\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -282,23 +293,25 @@ tasks: isautoswitchedtoquietmode: false '7': id: '7' - taskid: d23dba56-3b32-40e5-a5cf-b074dc0ee249 + taskid: 6eb0b22e-c455-4017-909b-fcac0dcadef9 type: regular task: id: 6eb0b22e-c455-4017-909b-fcac0dcadef9 version: -1 name: Create File Indicator description: commands.local.cmd.new.indicator + script: Builtin|||createNewIndicator type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||createNewIndicator nexttasks: '#none#': - '8' scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} type: simple: File value: @@ -314,12 +327,10 @@ tasks: value: simple: attachment accessor: threat - proofpointtaplink: - simple: ${inputs.ThreatURL} separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 580\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -329,7 +340,7 @@ tasks: isautoswitchedtoquietmode: false '8': id: '8' - taskid: ce5967db-a458-4f65-9604-1f236f5e6880 + taskid: 3fcdac81-a1ab-40a5-a7c3-db7d4c938146 type: regular task: id: 3fcdac81-a1ab-40a5-a7c3-db7d4c938146 @@ -364,16 +375,16 @@ tasks: accessor: threat indicatorType: simple: File - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 750\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -383,7 +394,7 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: 8f826b03-587b-403f-8510-e53142377b3a + taskid: 5836d8b7-0139-4593-9591-6f76ecd5e12c type: title task: id: 5836d8b7-0139-4593-9591-6f76ecd5e12c @@ -399,7 +410,7 @@ tasks: - '11' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 940\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 945\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -409,19 +420,19 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: dc1fd8e1-fa0d-49f0-803b-c7f29039c258 + taskid: 909e7a45-863f-4386-9512-f2b74b6e3394 type: regular task: id: 909e7a45-863f-4386-9512-f2b74b6e3394 version: -1 name: Tag Indicators — ProofpointTAPThreat description: commands.local.cmd.set.indicators + script: Builtin|||setIndicators type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||setIndicators nexttasks: '#none#': - '12' @@ -441,7 +452,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1110\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 1115\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -451,7 +462,7 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: bfb1f0b3-d369-464b-b168-8676f0644f44 + taskid: d69488a6-e95c-4093-9ef3-42a309a558de type: title task: id: d69488a6-e95c-4093-9ef3-42a309a558de @@ -468,7 +479,7 @@ tasks: - g14i separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1295\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -478,7 +489,7 @@ tasks: isautoswitchedtoquietmode: false '13': id: '13' - taskid: 09c034a7-8cce-4f8d-857c-b6c07b6e7c8e + taskid: 8b0aa331-6462-474b-a197-794408e55a53 type: regular task: id: 8b0aa331-6462-474b-a197-794408e55a53 @@ -513,7 +524,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1465\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 1655\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -523,7 +534,7 @@ tasks: isautoswitchedtoquietmode: false '14': id: '14' - taskid: 28c03dbd-1d0e-40b6-a826-38fc076f6296 + taskid: a5c33cc5-43e6-4fb4-9c45-7edd74671856 type: regular task: id: a5c33cc5-43e6-4fb4-9c45-7edd74671856 @@ -542,14 +553,14 @@ tasks: '#none#': - '16' scriptarguments: - ip_address: - simple: ${alert.localip} extend-context: simple: Core=. + ip_address: + simple: ${alert.localip} separatecontext: false continueonerror: true continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 1465\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 1655\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -559,14 +570,14 @@ tasks: isautoswitchedtoquietmode: false '15': id: '15' - taskid: b24c7af1-db37-46d4-bc6d-34a7cd382c91 + taskid: 3d5dfa1e-914d-4a49-8646-35a649e78e59 type: condition task: id: 3d5dfa1e-914d-4a49-8646-35a649e78e59 version: -1 name: Non-Prevalent Domain? - type: condition description: isFalse = prevalence returned 0 or false — domain is uncommon in environment. + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -576,6 +587,7 @@ tasks: - '18' 'yes': - '17' + separatecontext: false conditions: - label: 'yes' condition: 
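Review bot: The re-added `ip_address: simple: ${alert.localip}` on task '14' (hunk `@@ -542,14 +553,14 @@`) feeds the IP prevalence check from the alert's local IP, while the gate that routes into it (g14i, "Sender IP Available?", in a later hunk) is named for the sender IP; if the gate tests a different field than the one the check consumes, the "Non-Prevalent IP?" decision at '16' would be made on an endpoint address rather than the sender's. The gate's condition operand is outside the visible hunks, so this is an inference to confirm against g14i's condition; if the sender IP is the intended input, pass that value here instead (the sibling playbook in this commit uses `${inputs.SenderIP}` for the same check). Task '14's definition starts outside this hunk.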
@@ -586,9 +598,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1640\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1840\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -598,14 +609,14 @@ tasks: isautoswitchedtoquietmode: false '16': id: '16' - taskid: 153c3a70-ff56-4947-a785-35ead26c8401 + taskid: 15c6b46c-d16a-4d18-928c-f6c9fbf7573a type: condition task: id: 15c6b46c-d16a-4d18-928c-f6c9fbf7573a version: -1 name: Non-Prevalent IP? - type: condition description: isFalse = prevalence returned 0 or false — IP is uncommon in environment. + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -615,6 +626,7 @@ tasks: - '18' 'yes': - '17' + separatecontext: false conditions: - label: 'yes' condition: @@ -625,9 +637,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 1640\n }\n}" + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1840\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -637,19 +648,19 @@ tasks: isautoswitchedtoquietmode: false '17': id: '17' - taskid: 639b7a40-749a-42fe-bd3b-710988a06fd9 + taskid: 477cd42f-a96c-4fdc-bf00-bca587ca6d5c type: regular task: id: 477cd42f-a96c-4fdc-bf00-bca587ca6d5c version: -1 name: Tag Indicators — Uncommon description: commands.local.cmd.set.indicators + script: Builtin|||setIndicators type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||setIndicators nexttasks: '#none#': - '18' @@ -679,7 +690,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1830\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2025\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -689,7 +700,7 @@ tasks: isautoswitchedtoquietmode: false '18': id: '18' - taskid: ed1fa2dc-a6ee-4dc0-b466-d8b9c677f8b5 + taskid: 76fe7d6f-983f-4e02-a951-b4486c6df70e type: title task: id: 76fe7d6f-983f-4e02-a951-b4486c6df70e @@ -705,7 +716,7 @@ tasks: - '19' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2015\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2210\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -715,7 +726,7 @@ tasks: isautoswitchedtoquietmode: false '19': id: '19' - taskid: f84b5358-1d0b-4ba6-b023-c55718879d50 + taskid: c8d44496-0e09-4142-a02e-d26e5f35efaa type: regular task: id: c8d44496-0e09-4142-a02e-d26e5f35efaa @@ -742,7 +753,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2185\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2380\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -752,7 +763,7 @@ tasks: isautoswitchedtoquietmode: false '20': id: '20' - taskid: a761892d-3a24-44a2-9c01-7c123ba38b3f + taskid: 86d7087c-5dad-4030-8568-d9de9c2025d0 type: title task: id: 86d7087c-5dad-4030-8568-d9de9c2025d0 @@ -763,10 +774,9 @@ tasks: brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2355\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2565\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -776,10 +786,10 @@ tasks: isautoswitchedtoquietmode: false g13: id: g13 - taskid: gateg13-sig-alert.pr-check1234 + taskid: 058bc382-11ec-5a21-8a2f-69ad191b87d7 type: condition task: - id: gateg13-sig-alert.pr-check1234 + id: 058bc382-11ec-5a21-8a2f-69ad191b87d7 version: -1 name: Sender Domain Available? description: Skip Sender Domain prevalence check if value is empty — continueonerror fallback. 
@@ -793,6 +803,7 @@ tasks: - '15' 'yes': - '13' + separatecontext: false conditions: - label: 'yes' condition: @@ -803,9 +814,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1470\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -815,10 +825,10 @@ tasks: isautoswitchedtoquietmode: false g14i: id: g14i - taskid: gateg14i-sig-alert.lo-check1234 + taskid: e83f74d6-846e-5f27-a381-27a791b2b82c type: condition task: - id: gateg14i-sig-alert.lo-check1234 + id: e83f74d6-846e-5f27-a381-27a791b2b82c version: -1 name: Sender IP Available? description: Skip Sender IP prevalence check if value is empty — continueonerror fallback. @@ -832,6 +842,7 @@ tasks: - '16' 'yes': - '14' + separatecontext: false conditions: - label: 'yes' condition: @@ -842,9 +853,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1470\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -852,6 +862,9 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2575,\n \"width\":\ + \ 942.5,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: ThreatURL value: 
@@ -864,27 +877,14 @@ inputSections: - ThreatURL name: IOC Enrichment Inputs description: Inputs passed from SOC Email Analysis_V3. -outputs: -- contextPath: Analysis.Email.ioc_enriched - description: true when IOC creation and DBot score assignment completed - type: boolean outputSections: - outputs: - Analysis.Email.ioc_enriched name: Enrichment Contract description: Flag consumed by Analysis Evaluation story. DBotScore.* written to context and consumed by Signal Characterization GetIndicatorDBotScoreFromCache. -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2410,\n \"width\":\ - \ 1200,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" -contentitemexportablefields: - contentitemfields: - definitionid: '' - fromServerVersion: 6.10.0 - isoverridable: false - itemVersion: 3.0.0 - packID: soc-framework-nist-ir - packName: SOC Framework NIST IR - prevname: '' - supportedModules: [] - toServerVersion: '' -dirtyInputs: false +outputs: +- contextPath: Analysis.Email.ioc_enriched + description: true when IOC creation and DBot score assignment completed + type: boolean +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml index 760cf5d6..e7c085ca 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml 
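Review bot: This file section and the next one move the export metadata in opposite directions: here `contentitemexportablefields`, `dirtyInputs` and the top-level `view` are dropped and `adopted: true` is added (with `system: true` added in the previous hunk), while the Signal Characterization file in the following hunk removes `adopted: true` and adds a full `contentitemexportablefields` block plus `vcShouldKeepItemLegacyProdMachine`. Both shapes look like raw server-export artifacts rather than a deliberate convention, and `packName` also differs between them (`SOC Framework NIST IR` here, `SOC Framework NIST IR (800-61)` there). Pick one shape for both playbooks — as far as I know the content-repo form strips the export block — so the pack validates and re-imports consistently.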
@@ -1,8 +1,19 @@ -adopted: true +fromversion: 5.0.0 id: SOC Email Signal Characterization_V3 +version: 11 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 6.10.0 + toServerVersion: '' + definitionid: '' + prevname: '' + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false name: SOC Email Signal Characterization_V3 -version: -1 -fromversion: 6.10.0 description: "Purpose\nDetermine what kind of email threat this is and build the indicator intelligence needed for verdict\ \ resolution.\n\nThis is not verdict determination — that belongs in SOC Email Verdict Resolution_V3.\nThis playbook answers:\ \ what is the nature of the threat object?\n\nSignal Types Produced:\n url_phish — threat type is URL (phishing link,\ @@ -36,7 +47,7 @@ tasks: - '1' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 50\n }\n}" + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -52,17 +63,17 @@ tasks: id: 5bdf589d-bd70-4316-b817-34b201a9952c version: -1 name: Characterize Threat Type + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 195\n }\n}" + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
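Review bot: `fromversion` is lowered from `6.10.0` to `5.0.0` in the same hunk that adds `fromServerVersion: 6.10.0`, so the two version floors now disagree; since the playbook calls `core-get-domain-analytics-prevalence` and `core-get-IP-analytics-prevalence` (later hunks), the higher floor is the one that reflects what it actually needs. `version: -1` is also replaced by `version: 11`, which is the server's item revision rather than the placeholder content items carry in the repo. Suggest `fromversion: 6.10.0` and `version: -1`, and dropping the server-only fields unless there is a reason to keep them.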
@@ -78,29 +89,20 @@ tasks: id: c2893eed-6d85-4b5a-9564-19e8cec61f2e version: -1 name: What is the Threat Type? + description: Routes on SOCFramework.Artifacts.Email.ThreatType to determine IOC creation and enrichment path. + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Routes on SOCFramework.Artifacts.Email.ThreatType to determine IOC creation and enrichment path. - type: condition nexttasks: '#default#': - '10' - URL: - - '3' Attachment: - '7' + URL: + - '3' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 365\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: URL condition: @@ -124,6 +126,15 @@ tasks: value: simple: attachment ignorecase: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 390\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '3': id: '3' taskid: 88bbf74f-0a0a-4fa3-b8fc-ad62b38a7eeb 
@@ -132,19 +143,26 @@ tasks: id: 88bbf74f-0a0a-4fa3-b8fc-ad62b38a7eeb version: -1 name: Create URL Indicator + description: Creates a URL indicator from the threat URL extracted at entry point. + script: Builtin|||createNewIndicator + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Creates a URL indicator from the threat URL extracted at entry point. - type: regular - script: Builtin|||createNewIndicator nexttasks: '#none#': - '4' + scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} + type: + simple: URL + value: + simple: ${inputs.ThreatURL} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 560\n }\n}" + view: "{\n \"position\": {\n \"x\": 265,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -152,13 +170,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - value: - simple: ${inputs.ThreatURL} - type: - simple: URL - proofpointtaplink: - simple: ${inputs.ThreatURL} '4': id: '4' taskid: 0e891e39-9645-463f-86d0-b0ec9101f706 
@@ -167,38 +178,38 @@ tasks: id: 0e891e39-9645-463f-86d0-b0ec9101f706 version: -1 name: Assign DBot Score — URL + description: Seeds DBot score for the threat URL from Proofpoint TAP signal. + scriptName: AddDBotScoreToContext + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Seeds DBot score for the threat URL from Proofpoint TAP signal. - type: regular - scriptName: AddDBotScoreToContext nexttasks: '#none#': - '5' - '6' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 740\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 2 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicator: simple: ${inputs.ThreatURL} indicatorType: simple: URL - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 265,\n \"y\": 760\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false '5': id: '5' taskid: 3b410dc5-8726-46bb-a70e-159b99fb1bd8 
@@ -207,19 +218,22 @@ tasks: id: 3b410dc5-8726-46bb-a70e-159b99fb1bd8 version: -1 name: Extract Domains from URL Threat + description: Extracts domain indicators from the threat URL for prevalence analysis. + script: Builtin|||extractIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Extracts domain indicators from the threat URL for prevalence analysis. - type: regular - script: Builtin|||extractIndicators nexttasks: '#none#': - '11' + scriptarguments: + text: + simple: ${inputs.ThreatURL} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 920\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 945\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -227,9 +241,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - text: - simple: ${inputs.ThreatURL} '6': id: '6' taskid: b4161365-b353-4eba-9886-5051c8909f3d @@ -238,19 +249,23 @@ tasks: id: b4161365-b353-4eba-9886-5051c8909f3d version: -1 name: Rasterize URL + description: Captures a screenshot of the threat URL for analyst review. Best-effort — continues on error. + script: '|||rasterize' + type: regular iscommand: true brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Captures a screenshot of the threat URL for analyst review. Best-effort — continues on error. - type: regular - script: '|||rasterize' nexttasks: '#none#': - '11' + scriptarguments: + url: + simple: ${inputs.ThreatURL} separatecontext: false + continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 920\n }\n}" + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 945\n }\n}" note: false timertriggers: [] ignoreworker: false 
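Review bot: The relocated `scriptarguments` on task '6' (hunk `@@ -238,19 +249,23 @@`) have `rasterize` fetch `${inputs.ThreatURL}` — an attacker-controlled URL — from whatever egress the rasterize integration uses, and the description only says the task is best-effort. That outbound request is observable by the sender (the link registers as opened, single-use links get consumed, and the requesting IP is exposed), so the description should say so, e.g. `Fetches the threat URL via the rasterize integration; run it from an isolated sandbox/proxy egress, since the request reaches attacker-controlled infrastructure.` It may also be worth gating this task behind a playbook input so environments without an isolated rasterize engine can disable it. Task '6's definition starts outside this hunk.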
@@ -258,10 +273,6 @@ tasks: quietmode: 2 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - url: - simple: ${inputs.ThreatURL} - continueonerror: true '7': id: '7' taskid: 0b69ca12-08ef-4b3e-afaf-3862617168dd @@ -270,19 +281,26 @@ tasks: id: 0b69ca12-08ef-4b3e-afaf-3862617168dd version: -1 name: Create File Indicator + description: Creates a File indicator from the attachment hash extracted at entry point. + script: Builtin|||createNewIndicator + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Creates a File indicator from the attachment hash extracted at entry point. - type: regular - script: Builtin|||createNewIndicator nexttasks: '#none#': - '8' + scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} + type: + simple: File + value: + simple: ${inputs.ThreatIndicator} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 560\n }\n}" + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -290,13 +308,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - value: - simple: ${inputs.ThreatIndicator} - type: - simple: File - proofpointtaplink: - simple: ${inputs.ThreatURL} '8': id: '8' taskid: e0106919-475c-4d4a-af74-2b7e3ca023c5 
@@ -305,37 +316,37 @@ tasks: id: e0106919-475c-4d4a-af74-2b7e3ca023c5 version: -1 name: Assign DBot Score — File + description: Seeds DBot score for the attachment hash from Proofpoint TAP signal. + scriptName: AddDBotScoreToContext + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Seeds DBot score for the attachment hash from Proofpoint TAP signal. - type: regular - scriptName: AddDBotScoreToContext nexttasks: '#none#': - '11' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 740\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 2 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicator: simple: ${inputs.ThreatIndicator} indicatorType: simple: File - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 945\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false '10': id: '10' taskid: 597e2d1e-b058-462b-b10a-ca9c460a07dd @@ -344,17 +355,17 @@ tasks: id: 597e2d1e-b058-462b-b10a-ca9c460a07dd version: -1 name: Unknown Threat Type + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '11' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 560\n }\n}" + view: "{\n \"position\": {\n \"x\": 1340,\n \"y\": 952.5\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -370,17 +381,17 @@ tasks: id: a6a7a4c2-216f-4453-bdfe-2e5329a49f79 version: -1 name: Sender Prevalence Checks + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - g12 separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1110\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1130\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -396,27 +407,17 @@ tasks: id: 7d6781b0-a2be-4d00-8d74-6911e25d1c04 version: -1 name: Sender Domain Prevalence Check + description: Checks whether the sender domain has been seen before in the environment. Low prevalence is an indicator + of a first-seen phishing domain. + script: '|||core-get-domain-analytics-prevalence' + type: regular iscommand: true brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Checks whether the sender domain has been seen before in the environment. Low prevalence is an indicator - of a first-seen phishing domain. - type: regular - script: '|||core-get-domain-analytics-prevalence' nexttasks: '#none#': - '13' - separatecontext: false - continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1280\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: domain_name: complex: @@ -429,7 +430,17 @@ tasks: simple: '@' extend-context: simple: Core=. + separatecontext: false continueonerror: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 582.5,\n \"y\": 1485\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '13': id: '13' taskid: 0205ceb1-4015-4b2d-ab0b-07157927e28a 
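Review bot: Task '12' (Sender Domain Prevalence Check, hunk `@@ -429,7 +430,17 @@`) now carries `continueonerror: true` with `continueonerrortype: ''`, whereas the parallel Sender IP Prevalence Check in task '14' (next hunk, `@@ -482,19 +493,25 @@`) keeps `continueonerrortype: errorPath` alongside its new `continueonerror: true`; the two sibling checks therefore handle a failed prevalence lookup differently. Neither task shows an `#error#` entry under `nexttasks` in the visible lines, so with `errorPath` the IP branch may have nowhere to go on failure and never reach `'16'`, while the domain branch continues to `'13'` with an empty result — presumably the latter is the intended degradation. Align task '14' to `continueonerrortype: ''` (or wire an `#error#` next task) so both checks fail the same way. Both task definitions begin outside their hunks.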
@@ -438,26 +449,17 @@ tasks: id: 0205ceb1-4015-4b2d-ab0b-07157927e28a version: -1 name: Non-Prevalent Domain? + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - g14 'yes': - '15' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1460\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: 'yes' condition: @@ -474,6 +476,15 @@ tasks: iscontext: true accessor: value iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1670\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '14': id: '14' taskid: a0e1cb99-bb2f-4beb-b72d-8a1ac9a371b2 @@ -482,19 +493,25 @@ tasks: id: a0e1cb99-bb2f-4beb-b72d-8a1ac9a371b2 version: -1 name: Sender IP Prevalence Check + description: Checks sender IP prevalence. Low prevalence may indicate a new sending infrastructure. + script: '|||core-get-IP-analytics-prevalence' + type: regular iscommand: true brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Checks sender IP prevalence. Low prevalence may indicate a new sending infrastructure. - type: regular - script: '|||core-get-IP-analytics-prevalence' nexttasks: '#none#': - '16' + scriptarguments: + extend-context: + simple: Core=. + ip_address: + simple: ${inputs.SenderIP} separatecontext: false + continueonerror: true continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 1650\n }\n}" + view: "{\n \"position\": {\n \"x\": 582.5,\n \"y\": 2225\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -502,12 +519,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - ip_address: - simple: ${inputs.SenderIP} - extend-context: - simple: Core=. - continueonerror: true '15': id: '15' taskid: 171e6204-bb58-431f-9307-f4f3e202097f @@ -516,25 +527,15 @@ tasks: id: 171e6204-bb58-431f-9307-f4f3e202097f version: -1 name: Tag Domain — Uncommon + script: Builtin|||setIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - script: Builtin|||setIndicators nexttasks: '#none#': - g14 - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 340,\n \"y\": 1650\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicatorsValues: complex: @@ -558,6 +559,16 @@ tasks: simple: ',' tags: simple: Uncommon + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 1855\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '16': id: '16' taskid: 8369ebbf-da84-4ec0-8472-83ee1cbb7b8f @@ -566,26 +577,17 @@ tasks: id: 8369ebbf-da84-4ec0-8472-83ee1cbb7b8f version: -1 name: Non-Prevalent IP? + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - '17' 'yes': - '18' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 1835\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: 'yes' condition: 
@@ -602,6 +604,15 @@ tasks: iscontext: true accessor: value iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2410\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '17': id: '17' taskid: 5a8cc61c-8e3e-47bd-9fad-755db1711b87 @@ -610,17 +621,17 @@ tasks: id: 5a8cc61c-8e3e-47bd-9fad-755db1711b87 version: -1 name: Tag Indicators + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '19' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 2025\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2780\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -636,25 +647,15 @@ tasks: id: 5a9b09d2-5d6e-47d9-8f15-506fb793be98 version: -1 name: Tag IP — Uncommon + script: Builtin|||setIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - script: Builtin|||setIndicators nexttasks: '#none#': - '17' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 600,\n \"y\": 2025\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicatorsValues: complex: @@ -678,6 +679,16 @@ tasks: simple: ',' tags: simple: Uncommon + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 2595\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '19': id: '19' taskid: d63ac3d3-a6ca-41dc-88f8-ea9309fe1450 
@@ -686,26 +697,16 @@ tasks: id: d63ac3d3-a6ca-41dc-88f8-ea9309fe1450 version: -1 name: Tag Threat Indicators + description: Tags all threat indicators with the detection source for downstream filtering and reporting. + script: Builtin|||setIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Tags all threat indicators with the detection source for downstream filtering and reporting. - type: regular - script: Builtin|||setIndicators nexttasks: '#none#': - '20' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2210\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicatorsValues: complex: @@ -718,6 +719,16 @@ tasks: simple: ',' tags: simple: ProofpointTAPThreat + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2950\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '20': id: '20' taskid: c22b6d6c-cb2a-4870-98e8-75d350a5d666 @@ -726,26 +737,17 @@ tasks: id: c22b6d6c-cb2a-4870-98e8-75d350a5d666 version: -1 name: Threat Indicator Defined? + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - '23' 'yes': - '21' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2400\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: 'yes' condition: 
@@ -754,6 +756,15 @@ tasks: value: simple: inputs.ThreatIndicator iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3135\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '21': id: '21' taskid: 160fc4ae-0779-4852-89e5-9c6b80fd678a @@ -762,19 +773,23 @@ tasks: id: 160fc4ae-0779-4852-89e5-9c6b80fd678a version: -1 name: Get Indicator DBot Score + description: Retrieves the cached DBot score for the threat indicator to use in verdict resolution. + scriptName: GetIndicatorDBotScoreFromCache + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Retrieves the cached DBot score for the threat indicator to use in verdict resolution. - type: regular - scriptName: GetIndicatorDBotScoreFromCache nexttasks: '#none#': - '22' + scriptarguments: + value: + simple: ${inputs.ThreatIndicator} separatecontext: false + continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 2590\n }\n}" + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 3320\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -782,10 +797,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - value: - simple: ${inputs.ThreatIndicator} - continueonerror: true '22': id: '22' taskid: 97d2885d-b15b-4b36-b1c0-40e01db2fbbe 
@@ -794,28 +805,22 @@ tasks: id: 97d2885d-b15b-4b36-b1c0-40e01db2fbbe version: -1 name: Set Email Source Verdict from DBot + description: Maps the numeric DBot score to the standard source_verdict string used in Analysis. Used as a secondary + signal — primary verdict comes from Proofpoint ThreatStatus. + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Maps the numeric DBot score to the standard source_verdict string used in Analysis. Used as a secondary - signal — primary verdict comes from Proofpoint ThreatStatus. - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '23' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 2775\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: + append: + simple: 'false' + force: + simple: 'true' key: simple: Analysis.Email.source_verdict value: @@ -838,10 +843,16 @@ tasks: value: simple: benign,suspicious,malicious sep: {} - append: - simple: 'false' - force: - simple: 'true' + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 3505\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '23': id: '23' taskid: 779d977b-7cd8-4322-8045-cbab913210e0 
@@ -850,17 +861,17 @@ tasks: id: 779d977b-7cd8-4322-8045-cbab913210e0 version: -1 name: Set Signal Type + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '24' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 2960\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3690\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -876,28 +887,19 @@ tasks: id: c91af9b6-2a49-4585-a96f-8e94b1572c1c version: -1 name: Classify Signal Type + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - '27' - URL Phish: - - '25' File Malware: - '26' + URL Phish: + - '25' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 3130\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: URL Phish condition: @@ -921,6 +923,15 @@ tasks: value: simple: attachment ignorecase: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3860\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '25': id: '25' taskid: 2b8c2bd5-c608-4083-bf1b-d598cfa93e97 
@@ -929,18 +940,27 @@ tasks: id: 2b8c2bd5-c608-4083-bf1b-d598cfa93e97 version: -1 name: Set Signal Type — url_phish + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '28' + scriptarguments: + append: + simple: 'false' + force: + simple: 'true' + key: + simple: Analysis.Email.signal_type + value: + simple: url_phish separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 3320\n }\n}" + view: "{\n \"position\": {\n \"x\": 265,\n \"y\": 4045\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -948,15 +968,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - key: - simple: Analysis.Email.signal_type - value: - simple: url_phish - append: - simple: 'false' - force: - simple: 'true' '26': id: '26' taskid: ace0321d-e7e3-4fea-a901-583b475a9687 @@ -965,18 +976,27 @@ tasks: id: ace0321d-e7e3-4fea-a901-583b475a9687 version: -1 name: Set Signal Type — file_malware + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '28' + scriptarguments: + append: + simple: 'false' + force: + simple: 'true' + key: + simple: Analysis.Email.signal_type + value: + simple: file_malware separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 3320\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 4045\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -984,15 +1004,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - key: - simple: Analysis.Email.signal_type - value: - simple: file_malware - append: - simple: 'false' - force: - simple: 'true' '27': id: '27' taskid: 733d359e-2a41-4ce2-bb62-e9bbcebc0234 @@ -1001,18 +1012,27 @@ tasks: id: 733d359e-2a41-4ce2-bb62-e9bbcebc0234 version: -1 name: Set Signal Type — unknown + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '28' + scriptarguments: + append: + simple: 'false' + force: + simple: 'true' + key: + simple: Analysis.Email.signal_type + value: + simple: unknown separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 3320\n }\n}" + view: "{\n \"position\": {\n \"x\": 1125,\n \"y\": 4045\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1020,15 +1040,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - key: - simple: Analysis.Email.signal_type - value: - simple: unknown - append: - simple: 'false' - force: - simple: 'true' '28': id: '28' taskid: dfd77dbc-f8ca-44c3-b95d-63f4f3bb028f @@ -1037,15 +1048,14 @@ tasks: id: dfd77dbc-f8ca-44c3-b95d-63f4f3bb028f version: -1 name: Done + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title - nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 3510\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 4230\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1055,10 +1065,10 @@ tasks: isautoswitchedtoquietmode: false g12: id: g12 - taskid: gateg12-sig-inputs.S-check1234 + taskid: 3f7e2d1c-4b5a-4987-b8c9-d0e1f2a3b4c5 type: condition task: - id: gateg12-sig-inputs.S-check1234 + id: 3f7e2d1c-4b5a-4987-b8c9-d0e1f2a3b4c5 version: -1 name: Sender Domain Available? description: Skip Sender Domain prevalence check if value is empty — continueonerror fallback. @@ -1072,6 +1082,7 @@ tasks: - '13' 'yes': - '12' + separatecontext: false conditions: - label: 'yes' condition: @@ -1082,9 +1093,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1094,10 +1104,10 @@ tasks: isautoswitchedtoquietmode: false g14: id: g14 - taskid: gateg14-sig-inputs.S-check1234 + taskid: 4e8f3d2c-5c6b-4098-c9da-e1f2a3b4c5d6 type: condition task: - id: gateg14-sig-inputs.S-check1234 + id: 4e8f3d2c-5c6b-4098-c9da-e1f2a3b4c5d6 version: -1 name: Sender IP Available? description: Skip Sender IP prevalence check if value is empty — continueonerror fallback. @@ -1111,6 +1121,7 @@ tasks: - '16' 'yes': - '14' + separatecontext: false conditions: - label: 'yes' condition: @@ -1121,9 +1132,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2040\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1131,6 +1141,9 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 4240,\n \"width\":\ + \ 1670,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: ThreatType value: 
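Review bot: The replacement task ids for g12 and g14 (`3f7e2d1c-4b5a-4987-b8c9-d0e1f2a3b4c5` and `4e8f3d2c-5c6b-4098-c9da-e1f2a3b4c5d6`) look hand-typed rather than generated: the trailing groups run sequentially (`d0e1f2a3b4c5`, `e1f2a3b4c5d6`) and the fourth group of the g14 id begins with `c`, which is not a valid RFC 4122 variant nibble. The other task ids in these files appear to be random v4 UUIDs, and the server keys tasks by this value, so a predictable or reused id risks colliding with another task in the same playbook or in a copy of it. Generate both with a UUID tool (`uuidgen` or the server's own id generator) and keep `taskid` and `task.id` identical as this hunk already does. The same applies to the g14 hunk `@@ -1094,10 +1104,10 @@`.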
@@ -1178,6 +1191,12 @@ inputSections: - SenderIP name: Sender description: Sender identity inputs for prevalence analysis +outputSections: +- outputs: + - Analysis.Email.signal_type + - Analysis.Email.source_verdict + name: Signal Characterization + description: '' outputs: - contextPath: Analysis.Email.signal_type description: 'Behavioral classification of the email threat: url_phish / file_malware / unknown' @@ -1186,23 +1205,4 @@ outputs: description: 'DBot-derived indicator verdict: malicious / suspicious / benign. Secondary signal — primary verdict comes from ThreatStatus in SOC Email Verdict Resolution_V3.' type: string -outputSections: -- outputs: - - Analysis.Email.signal_type - - Analysis.Email.source_verdict - name: Signal Characterization - description: '' -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 3530,\n \"width\":\ - \ 1620,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" -contentitemexportablefields: - contentitemfields: - definitionid: '' - fromServerVersion: 6.10.0 - isoverridable: false - itemVersion: 3.0.0 - packID: soc-framework-nist-ir - packName: SOC Framework Unified - prevname: '' - supportedModules: [] - toServerVersion: '' -dirtyInputs: true +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml index d2be2148..40cc6535 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml @@ -36,7 +36,7 @@ tasks: - '1' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 50\n }\n}" + view: '{"position": {"x": 592, "y": 50}}' note: false timertriggers: [] ignoreworker: false 
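Review bot: The hunk `@@ -1186,23 +1205,4 @@` drops `fromServerVersion: 6.10.0` together with the rest of the `contentitemexportablefields` block, so the playbook no longer carries its own minimum server version. If the 6.10 floor was deliberate, confirm that the pack metadata still pins it, or say in the commit message why the floor is no longer needed. `dirtyInputs: true` is also removed without a replacement; if that flag was set for a reason, a sentence explaining why it can go would help the next reader. The single added key, `adopted: true`, is undocumented in this file; a one-line comment such as `# adopted: content migrated into this pack; export metadata is now pack-level` would make the intent clear.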
@@ -62,7 +62,7 @@ tasks: - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 195\n }\n}" + view: '{"position": {"x": 592, "y": 195}}' note: false timertriggers: [] ignoreworker: false @@ -97,7 +97,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 365\n }\n}" + view: '{"position": {"x": 592, "y": 365}}' note: false timertriggers: [] ignoreworker: false @@ -123,7 +123,7 @@ tasks: - '4' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 555\n }\n}" + view: '{"position": {"x": 592, "y": 555}}' note: false timertriggers: [] ignoreworker: false @@ -190,7 +190,7 @@ tasks: ignorecase: true separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 725\n }\n}" + view: '{"position": {"x": 592, "y": 725}}' note: false timertriggers: [] ignoreworker: false @@ -225,7 +225,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 920\n }\n}" + view: '{"position": {"x": 200, "y": 920}}' note: false timertriggers: [] ignoreworker: false @@ -260,7 +260,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 920\n }\n}" + view: '{"position": {"x": 592, "y": 920}}' note: false timertriggers: [] ignoreworker: false @@ -295,7 +295,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 920\n }\n}" + view: '{"position": {"x": 985, "y": 920}}' note: false timertriggers: [] ignoreworker: false @@ -321,7 +321,7 @@ tasks: - '9' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1105\n }\n}" + view: '{"position": {"x": 592, "y": 1110}}' note: false timertriggers: [] ignoreworker: false 
@@ -361,7 +361,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: isEqualString + - - operator: isEqualString left: value: simple: Analysis.Email.verdict @@ -372,7 +372,7 @@ tasks: ignorecase: true separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1270\n }\n}" + view: '{"position": {"x": 592, "y": 1280}}' note: false timertriggers: [] ignoreworker: false @@ -398,7 +398,7 @@ tasks: - '12' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1450\n }\n}" + view: '{"position": {"x": 592, "y": 1470}}' note: false timertriggers: [] ignoreworker: false @@ -433,7 +433,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 1450\n }\n}" + view: '{"position": {"x": 985, "y": 1470}}' note: false timertriggers: [] ignoreworker: false @@ -479,7 +479,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1620\n }\n}" + view: '{"position": {"x": 592, "y": 1640}}' note: false timertriggers: [] ignoreworker: false @@ -505,7 +505,7 @@ tasks: - '14' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1805\n }\n}" + view: '{"position": {"x": 592, "y": 1825}}' note: false timertriggers: [] ignoreworker: false @@ -551,14 +551,14 @@ tasks: value: simple: malicious ignorecase: true - - operator: isEqualString + - - operator: isEqualString left: value: simple: inputs.HighValueUserInvolved iscontext: true right: value: - simple: 'True' + simple: 'true' ignorecase: true - label: search_and_purge condition: @@ -571,7 +571,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: greaterThan + - - operator: greaterThan left: value: simple: inputs.ClickCount 
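Review bot: Changing `- operator: isEqualString` to `- - operator: isEqualString` in `@@ -361,7 +361,7 @@` alters the condition's logic, not just its formatting: the clause moves out of the existing inner list and becomes a new outer-list entry. In XSOAR condition tasks the outer list is, as far as I can tell, the AND level and the inner list the OR level, so this branch now requires the clause in addition to the preceding `simple: malicious` check rather than as an alternative to it. That is very likely the intended fix, but it deserves a sentence in the commit message and a playbook test that exercises both outcomes of the verdict check. The same re-nesting occurs in `@@ -551,14 +551,14 @@` (where it gates the `inputs.HighValueUserInvolved` clause) and `@@ -571,7 +571,7 @@` here, and again in `@@ -590`, `@@ -598` and `@@ -617` in the following hunk group under the `search_and_purge` label; the enclosing condition task starts outside each of these hunks.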
@@ -590,7 +590,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: greaterThan + - - operator: greaterThan left: value: simple: inputs.DeliveredCount @@ -598,7 +598,7 @@ tasks: right: value: simple: '0' - - operator: isEqualNumber + - - operator: isEqualNumber left: value: simple: inputs.ClickCount @@ -617,7 +617,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: isEqualNumber + - - operator: isEqualNumber left: value: simple: inputs.DeliveredCount @@ -627,7 +627,7 @@ tasks: simple: '0' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1975\n }\n}" + view: '{"position": {"x": 592, "y": 2000}}' note: false timertriggers: [] ignoreworker: false @@ -663,7 +663,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 50, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -699,7 +699,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 330,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 330, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -735,7 +735,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 592, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -771,7 +771,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 855,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 855, "y": 2200}}' note: false timertriggers: [] ignoreworker: false 
@@ -807,7 +807,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1120,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 1120, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -831,7 +831,7 @@ tasks: nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 2360\n }\n}" + view: '{"position": {"x": 592, "y": 2780}}' note: false timertriggers: [] ignoreworker: false @@ -942,7 +942,7 @@ tasks: ignorecase: true separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1985\n }\n}" + view: '{"position": {"x": 592, "y": 2400}}' note: false timertriggers: [] ignoreworker: false @@ -979,7 +979,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 2155\n }\n}" + view: '{"position": {"x": 250, "y": 2590}}' note: false timertriggers: [] ignoreworker: false @@ -1016,7 +1016,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 2155\n }\n}" + view: '{"position": {"x": 935, "y": 2590}}' note: false timertriggers: [] ignoreworker: false @@ -1098,8 +1098,7 @@ outputSections: - Analysis.Email.response_recommended name: Verdict Contract description: Consumed by SOC Email Analysis_V3 orchestrator and passed to Containment phase -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2380,\n \"width\":\ - \ 1350,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" +view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 2900, "width": 1300, "x": 50, "y": 50}}}' contentitemexportablefields: contentitemfields: definitionid: '' diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml index f603391b..b894e2e8 100644 
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml @@ -7,63 +7,64 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC EndPoint Analysis_V3 -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the alert (category, severity, impact). + Document findings and escalate confirmed alerts. + Outcome: Determine whether an event is a legitimate alert and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' tags: - SOC - SOC_Framework_Unified - Detection & Analysis - NIST 800-61 - EndPoint -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e type: start task: id: 27ca4564-aefc-483e-8598-fa04dbefbf2e version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "59" + - '59' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 480, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -71,8 +72,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "2": - id: "2" + '2': + id: '2' taskid: eacb150f-a5d1-4b77-8945-e7f68a68424d type: title task: @@ -81,18 +82,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 3400 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 3400\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -100,8 +95,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "3": - id: "3" + '3': + id: '3' taskid: dfb1f62b-258e-4e82-8f1c-b14f17ea13e4 type: title task: @@ -110,21 +105,15 @@ tasks: name: Define Attack Vector type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "66" + - '66' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 480, - "y": 575 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -132,36 +121,32 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "6": - id: "6" + '6': + id: '6' taskid: 61337536-2acd-4281-af6c-6da3a9a6ec8c type: title task: id: 61337536-2acd-4281-af6c-6da3a9a6ec8c version: -1 name: Investigate Artifacts - description: |- - This captures: + description: 'This captures: + WildFire Malware + Malware Activity - Known Malicious File + + Known Malicious File' type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "72" + - '72' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 930 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -169,35 +154,30 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "17": - id: "17" + '17': + id: '17' taskid: 1e3625cf-1808-4765-8323-46f42118c05d type: title task: id: 1e3625cf-1808-4765-8323-46f42118c05d version: -1 name: Make Recommendations - description: |- - What should an analysis or automation do? + description: 'What should an analysis or automation do? + What is our level of confidence? - i.e. Is Containment Justified? + + i.e. Is Containment Justified?' type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "41" + - '41' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2490 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2490\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -205,8 +185,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "41": - id: "41" + '41': + id: '41' taskid: bffb3c22-b13a-429e-8695-b7c4c8f68abe type: condition task: 
@@ -215,16 +195,16 @@ tasks: name: Analysis Confidence type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "44" + - '44' high: - - "42" + - '42' medium: - - "43" + - '43' separatecontext: false conditions: - label: high @@ -252,7 +232,7 @@ tasks: iscontext: true right: value: - simple: "3" + simple: '3' - operator: isEqualString left: value: @@ -280,14 +260,8 @@ tasks: value: simple: inputs.host_high_issue_count iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2660 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2660\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -295,48 +269,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "42": - id: "42" + '42': + id: '42' taskid: 03ffec5b-25f2-4610-816b-e988acd1c518 type: regular task: id: 03ffec5b-25f2-4610-816b-e988acd1c518 version: -1 name: Investigation Confidence High - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.confidence value: simple: high separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2845 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2845\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -344,48 +310,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "43": - id: "43" + '43': + id: '43' taskid: 0f08ef52-69b0-4947-8550-0ed220208608 type: regular task: id: 0f08ef52-69b0-4947-8550-0ed220208608 version: -1 name: Investigation Confidence Medium - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.confidence value: simple: medium separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 940, - "y": 2845 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 2845\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -393,48 +351,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "44": - id: "44" + '44': + id: '44' taskid: 4b9c3d18-0eb9-4193-82e4-144f9cf2f714 type: regular task: id: 4b9c3d18-0eb9-4193-82e4-144f9cf2f714 version: -1 name: Investigation Confidence Low - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "46" + - '46' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.confidence value: simple: low separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 80, - "y": 2845 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 2845\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -442,48 +392,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "45": - id: "45" + '45': + id: '45' taskid: 369b4d28-ffb1-40f8-88cf-dd311fda4b65 type: regular task: id: 369b4d28-ffb1-40f8-88cf-dd311fda4b65 version: -1 name: Analysis Response Recommended - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "74" + - '74' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.response_recommended value: - simple: "true" + simple: 'true' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 725, - "y": 3030 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 725,\n \"y\": 3030\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -491,48 +433,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "46": - id: "46" + '46': + id: '46' taskid: 2804eb79-4c2d-4438-8d29-214a78cbcf92 type: regular task: id: 2804eb79-4c2d-4438-8d29-214a78cbcf92 version: -1 name: Analysis Response NOT Recommended - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "74" + - '74' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.response_recommended value: - simple: "false" + simple: 'false' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 80, - "y": 3030 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 3030\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -540,8 +474,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "52": - id: "52" + '52': + id: '52' taskid: 2fd935ad-6e86-4bfc-8078-7c81b439bbfd type: title task: @@ -550,21 +484,15 @@ tasks: name: Evaluate Spread Level type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "71" + - '71' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 1825 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1825\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -572,8 +500,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "59":
- id: "59"
+ '59':
+ id: '59'
 taskid: 83d2afba-5835-433d-8516-ca98aa42357d
 type: title
 task:
@@ -583,21 +511,15 @@ tasks:
 description: Clean Out Keys for the Investigation and Analysis
 type: title
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "65"
+ - '65'
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 480,
- "y": 220
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 220\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -605,8 +527,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "65":
- id: "65"
+ '65':
+ id: '65'
 taskid: 7a1fb408-753f-4af3-ab79-f8e46d372eab
 type: playbook
 task:
@@ -617,12 +539,12 @@ tasks:
 playbookName: SOC Initialize Investigation Context_V3
 type: playbook
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "3"
+ - '3'
 scriptarguments:
 case_host_count:
 simple: ${parentIncidentFields.host_count}
@@ -635,19 +557,13 @@ tasks:
 reset_issue_keys:
 simple: Investigation, Analysis, Containment, Eradication, Recovery
 separatecontext: false
- continueonerrortype: ""
+ continueonerrortype: ''
 loop:
 iscommand: false
- exitCondition: ""
+ exitCondition: ''
 wait: 1
 max: 100
- view: |-
- {
- "position": {
- "x": 480,
- "y": 390
- }
- }
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 390\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -655,27 +571,26 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "66":
- id: "66"
+ '66':
+ id: '66'
 taskid: e6069e69-8290-4781-aa2b-5a843821676d
 type: playbook
 task:
 id: e6069e69-8290-4781-aa2b-5a843821676d
 version: -1
 name: SOC Endpoint Signal Characterization_V3
- description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis
- is not attack vector.\nThis is behavioral class.\nCurrent Tasks:\n\nDefine
- Attack Vector\nIs Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist?
- \nSet Endpoint Path "
+ description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis is not attack vector.\nThis is behavioral\
+ \ class.\nCurrent Tasks:\n\nDefine Attack Vector\nIs Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? \n\
+ Set Endpoint Path "
 playbookName: SOC Endpoint Signal Characterization_V3
 type: playbook
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "6"
+ - '6'
 scriptarguments:
 case_name:
 complex:
@@ -686,19 +601,13 @@ tasks:
 cgo_name:
 simple: ${SOCFramework.Artifacts.CommandLine}
 separatecontext: false
- continueonerrortype: ""
+ continueonerrortype: ''
 loop:
 iscommand: false
- exitCondition: ""
+ exitCondition: ''
 wait: 1
 max: 100
- view: |-
- {
- "position": {
- "x": 480,
- "y": 745
- }
- }
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 745\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -706,8 +615,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "68":
- id: "68"
+ '68':
+ id: '68'
 taskid: 7931e941-7495-4368-a91c-521cf74d9071
 type: title
 task:
@@ -716,21 +625,15 @@ tasks:
 name: Verdict Resolved
 type: title
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "69"
+ - '69'
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 500,
- "y": 1280
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1280\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -738,8 +641,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "69":
- id: "69"
+ '69':
+ id: '69'
 taskid: bf19e707-75b4-455c-b713-3ccd9731a059
 type: title
 task:
@@ -748,21 +651,15 @@ tasks:
 name: Investigate Case & Issues
 type: title
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "73"
+ - '73'
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 1470
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1470\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -770,8 +667,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "71":
- id: "71"
+ '71':
+ id: '71'
 taskid: ae300369-1218-4032-9c7d-ac5837a06f8c
 type: playbook
 task:
@@ -781,12 +678,12 @@ tasks:
 playbookName: SOC EndPoint Spread Evaluation_V3
 type: playbook
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "75"
+ - '75'
 scriptarguments:
 SHA256:
 simple: ${SOCFramework.Artifacts.File}
@@ -797,29 +694,23 @@ tasks:
 case_user_count:
 simple: ${Analysis.Endpoint.user_count}
 high_hash_count_per_case:
- simple: "3"
+ simple: '3'
 high_host_count_per_case:
- simple: "3"
+ simple: '3'
 limited_hash_count_per_case:
- simple: "2"
+ simple: '2'
 limited_host_count_per_case:
- simple: "2"
+ simple: '2'
 limited_user_count_per_case:
- simple: "2"
+ simple: '2'
 separatecontext: false
- continueonerrortype: ""
+ continueonerrortype: ''
 loop:
 iscommand: false
- exitCondition: ""
+ exitCondition: ''
 wait: 1
 max: 100
- view: |-
- {
- "position": {
- "x": 510,
- "y": 1985
- }
- }
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1985\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -827,45 +718,38 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "72":
- id: "72"
+ '72':
+ id: '72'
 taskid: 5502afb5-7005-4ebf-a246-509c3be1a3e4
 type: playbook
 task:
 id: 5502afb5-7005-4ebf-a246-509c3be1a3e4
 version: -1
 name: SOC Endpoint Verdict Resolution_V3
- description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\nCurrent
- Tasks\nWhat is Current File Verdict \nCan We Get the Verdict\nWildFire Detonate
- \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict "
+ description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\nCurrent Tasks\nWhat is Current\
+ \ File Verdict \nCan We Get the Verdict\nWildFire Detonate \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict "
 playbookName: SOC Endpoint Verdict Resolution_V3
 type: playbook
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "69"
+ - '69'
 scriptarguments:
 SHA256:
 simple: ${SOCFramework.Artifacts.File}
 verdict:
 simple: ${SOCFramework.Artifacts.Verdict}
 separatecontext: true
- continueonerrortype: ""
+ continueonerrortype: ''
 loop:
 iscommand: false
- exitCondition: ""
+ exitCondition: ''
 wait: 1
 max: 100
- view: |-
- {
- "position": {
- "x": 500,
- "y": 1090
- }
- }
+ view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1090\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -873,8 +757,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "73":
- id: "73"
+ '73':
+ id: '73'
 taskid: 7ffff426-0520-44b0-8c0c-d318968abc90
 type: playbook
 task:
@@ -884,21 +768,15 @@ tasks:
 playbookName: SOC Endpoint Compromise Evaluation_V3
 type: playbook
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "52"
+ - '52'
 separatecontext: true
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 1640
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1640\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -906,8 +784,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "74":
- id: "74"
+ '74':
+ id: '74'
 taskid: eb85d106-1d55-4fbd-995d-831c3912e421
 type: playbook
 task:
@@ -917,12 +795,12 @@ tasks:
 playbookName: SOC Analysis Evaluation_V3
 type: playbook
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "2"
+ - '2'
 scriptarguments:
 case_category:
 complex:
@@ -969,31 +847,22 @@ tasks:
 spread_level:
 simple: ${Analysis.Endpoint.spread_level}
 story:
- simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\"
- was observed in this case.\n\nThe endpoint compromise level has been assessed
- as \"${Analysis.Endpoint.compromise_level}\", based on execution correlation
- and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts
- involved: ${Analysis.Endpoint.host_count}\n• Users involved: ${Analysis.Endpoint.user_count}\n•
- Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n•
- Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence
- is \"${Analysis.Endpoint.confidence}\". \nResponse recommendation:
- ${Analysis.Endpoint.response_recommended}."
+ simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" was observed in this\
+ \ case.\n\nThe endpoint compromise level has been assessed as \"${Analysis.Endpoint.compromise_level}\", based on\
+ \ execution correlation and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts involved: ${Analysis.Endpoint.host_count}\n\
+ • Users involved: ${Analysis.Endpoint.user_count}\n• Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n\
+ • Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence is \"${Analysis.Endpoint.confidence}\"\
+ . \nResponse recommendation: ${Analysis.Endpoint.response_recommended}."
 verdict:
 simple: ${SOCFramework.Artifacts.Verdict}
 separatecontext: true
- continueonerrortype: ""
+ continueonerrortype: ''
 loop:
 iscommand: false
- exitCondition: ""
+ exitCondition: ''
 wait: 1
 max: 100
- view: |-
- {
- "position": {
- "x": 510,
- "y": 3215
- }
- }
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 3215\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1001,8 +870,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "75":
- id: "75"
+ '75':
+ id: '75'
 taskid: e808dafe-8229-48a1-b0bb-f914ba0a14f3
 type: title
 task:
@@ -1011,21 +880,15 @@ tasks:
 name: Get Persistence Type
 type: title
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "76"
+ - '76'
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 2180
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2180\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1033,30 +896,28 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "76":
- id: "76"
+ '76':
+ id: '76'
 taskid: 6ff3604f-c87a-44cc-a6be-33136836985f
 type: regular
 task:
 id: 6ff3604f-c87a-44cc-a6be-33136836985f
 version: -1
 name: Get MITRE Technique Name
- description: "Set a value in context under the key you entered. If no value
- is entered, the script doesn't do anything.\n\nThis automation runs using
- the default Limited User role, unless you explicitly change the permissions.\nFor
- more information, see the section about permissions here:\n- For Cortex XSOAR
- 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
- \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n-
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
 scriptName: SetAndHandleEmpty
 type: regular
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "17"
+ - '17'
 scriptarguments:
 key:
 simple: Analysis.Endpoint.persistence_type
@@ -1075,14 +936,8 @@ tasks:
 accessor: Technique
 separatecontext: false
 continueonerror: true
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 2330
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2330\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1091,18 +946,8 @@ tasks:
 isoversize: false
 isautoswitchedtoquietmode: false
 system: true
-view: |-
- {
- "linkLabelsPosition": {},
- "paper": {
- "dimensions": {
- "height": 3410,
- "width": 1240,
- "x": 80,
- "y": 50
- }
- }
- }
+view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 3410,\n \"width\":\
+ \ 1240,\n \"x\": 80,\n \"y\": 50\n }\n }\n}"
 inputs:
 - key: entity_id
 value:
@@ -1114,19 +959,19 @@ inputs:
 value:
 simple: ${SOCFramework.Product.category}
 required: false
- description: ""
+ description: ''
 playbookInputQuery: null
 - key: entity_type
 value:
 simple: ${SOCFramework.Product.category}
 required: false
- description: ""
+ description: ''
 playbookInputQuery: null
 - key: SHA256
 value:
 simple: ${SOCFramework.Artifacts.File}
 required: false
- description: ""
+ description: ''
 playbookInputQuery: null
 inputSections:
 - inputs:
@@ -1208,5 +1053,5 @@ outputs:
 - contextPath: Analysis.case_user_count
 type: unknown
 sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
 adopted: true
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml
index a6548b33..48ec51ae 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml
@@ -44,7 +44,7 @@ tasks:
 - '4'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 320,\n \"y\": -560\n }\n}"
+ view: '{"position": {"x": 320, "y": 50}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -67,7 +67,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3900\n }\n}"
+ view: '{"position": {"x": 530, "y": 4510}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -109,7 +109,7 @@ tasks:
 right:
 value: {}
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 320,\n \"y\": -400\n }\n}"
+ view: '{"position": {"x": 320, "y": 210}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -135,7 +135,7 @@ tasks:
 - '8'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": -160\n }\n}"
+ view: '{"position": {"x": 820, "y": 450}}'
 note: false
 timertriggers: []
 ignoreworker: false
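Review bot: `dirtyInputs` is flipped from `true` to `false` in the last hunk of this file and again at the end of SOC_EndPoint_Eradication_V3.yml, SOC_EndPoint_Recovery_V3.yml and SOC_EndPoint_Spread_Evaluation_V3.yml, but none of those diffs touches the `inputs:` section beyond the `description: ""` → `''` quote change, so nothing visible explains the flag change. If the flag is platform-maintained export metadata (presumably marking inputs edited since the last save — confirm), the change should be described as a re-export of these playbooks; if it is hand-edited here, it should be left as it was so the playbook's input state is not misreported on import.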
@@ -210,7 +210,7 @@ tasks:
 value:
 simple: isolated_signal
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 130\n }\n}"
+ view: '{"position": {"x": 820, "y": 740}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -249,7 +249,7 @@ tasks:
 value:
 simple: persistence
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 2340\n }\n}"
+ view: '{"position": {"x": 980, "y": 2950}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -291,7 +291,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3452.5\n }\n}"
+ view: '{"position": {"x": 110, "y": 4062.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -334,7 +334,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3705\n }\n}"
+ view: '{"position": {"x": 110, "y": 4315}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -360,7 +360,7 @@ tasks:
 - '44'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3167.5\n }\n}"
+ view: '{"position": {"x": 110, "y": 3777.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -402,7 +402,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 2160\n }\n}"
+ view: '{"position": {"x": 820, "y": 2770}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -428,7 +428,7 @@ tasks:
 - '18'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": 1820\n }\n}"
+ view: '{"position": {"x": 1310, "y": 2430}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -470,7 +470,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": 1990\n }\n}"
+ view: '{"position": {"x": 1310, "y": 2600}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -506,7 +506,7 @@ tasks:
 - '54'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 2505\n }\n}"
+ view: '{"position": {"x": 980, "y": 3115}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -532,7 +532,7 @@ tasks:
 - '30'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3167.5\n }\n}"
+ view: '{"position": {"x": 530, "y": 3777.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -574,7 +574,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3335\n }\n}"
+ view: '{"position": {"x": 530, "y": 3945}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -616,7 +616,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3577.5\n }\n}"
+ view: '{"position": {"x": 530, "y": 4187.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -679,7 +679,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3705\n }\n}"
+ view: '{"position": {"x": 530, "y": 4315}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -705,7 +705,7 @@ tasks:
 - '36'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 550\n }\n}"
+ view: '{"position": {"x": 820, "y": 1160}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -776,7 +776,7 @@ tasks:
 value:
 simple: single_entity
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 710\n }\n}"
+ view: '{"position": {"x": 820, "y": 1320}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -802,7 +802,7 @@ tasks:
 - '41'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 1040\n }\n}"
+ view: '{"position": {"x": 1780, "y": 1650}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -845,7 +845,7 @@ tasks:
 value:
 simple: malicious_and_executed
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1190\n }\n}"
+ view: '{"position": {"x": 820, "y": 1800}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -871,7 +871,7 @@ tasks:
 - '63'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1360\n }\n}"
+ view: '{"position": {"x": 820, "y": 1970}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -897,7 +897,7 @@ tasks:
 - '64'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1820\n }\n}"
+ view: '{"position": {"x": 820, "y": 2430}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -939,7 +939,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 1990\n }\n}"
+ view: '{"position": {"x": 1780, "y": 2600}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -965,7 +965,7 @@ tasks:
 - '13'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 685\n }\n}"
+ view: '{"position": {"x": 110, "y": 1295}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1007,7 +1007,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3452.5\n }\n}"
+ view: '{"position": {"x": 530, "y": 4062.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1049,7 +1049,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3335\n }\n}"
+ view: '{"position": {"x": 110, "y": 3945}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1091,7 +1091,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3577.5\n }\n}"
+ view: '{"position": {"x": 110, "y": 4187.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1117,7 +1117,7 @@ tasks:
 - '38'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1050\n }\n}"
+ view: '{"position": {"x": 820, "y": 1660}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1159,7 +1159,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3335\n }\n}"
+ view: '{"position": {"x": 1780, "y": 3945}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1201,7 +1201,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3452.5\n }\n}"
+ view: '{"position": {"x": 1780, "y": 4062.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1243,7 +1243,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3577.5\n }\n}"
+ view: '{"position": {"x": 1780, "y": 4187.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1306,7 +1306,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3705\n }\n}"
+ view: '{"position": {"x": 1780, "y": 4315}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1332,7 +1332,7 @@ tasks:
 - '48'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3167.5\n }\n}"
+ view: '{"position": {"x": 1780, "y": 3777.5}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1358,7 +1358,7 @@ tasks:
 - '60'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1240,\n \"y\": 2690\n }\n}"
+ view: '{"position": {"x": 1240, "y": 3300}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1384,7 +1384,7 @@ tasks:
 - '59'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 2690\n }\n}"
+ view: '{"position": {"x": 690, "y": 3300}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1410,7 +1410,7 @@ tasks:
 - '36'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 400\n }\n}"
+ view: '{"position": {"x": 1280, "y": 1010}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1436,7 +1436,7 @@ tasks:
 - '35'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 410\n }\n}"
+ view: '{"position": {"x": 820, "y": 1020}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1462,7 +1462,7 @@ tasks:
 - '62'
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1370,\n \"y\": 1360\n }\n}"
+ view: '{"position": {"x": 1370, "y": 1970}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1504,7 +1504,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 2805\n }\n}"
+ view: '{"position": {"x": 690, "y": 3415}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1546,7 +1546,7 @@ tasks:
 separatecontext: false
 continueonerror: true
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1240,\n \"y\": 2805\n }\n}"
+ view: '{"position": {"x": 1240, "y": 3415}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1608,7 +1608,7 @@ tasks:
 simple: Shadow Mode, Eradication
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1650\n }\n}"
+ view: '{"position": {"x": 820, "y": 2260}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1669,7 +1669,7 @@ tasks:
 simple: Shadow Mode,Eradication
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1490\n }\n}"
+ view: '{"position": {"x": 820, "y": 2100}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1730,7 +1730,7 @@ tasks:
 simple: Shadow Mode,Eradication
 separatecontext: false
 continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1990\n }\n}"
+ view: '{"position": {"x": 820, "y": 2600}}'
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1780,4 +1780,4 @@ outputs:
 - contextPath: Eradication.attempted
 type: unknown
 sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml
index 37945fb1..6875a719 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml
@@ -871,4 +871,4 @@ outputs:
 - contextPath: Recovery.restore_method
 type: unknown
 sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml
index 61244f4c..4d6bd710 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml
@@ -471,4 +471,4 @@ outputs:
 type: unknown
 description: Hash global prevalence count from soc-enrich-file UC call
 sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml
index dc0420f4..3709f91e 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml
@@ -7,69 +7,75 @@ contentitemexportablefields: packName: SOC Framework NIST IR (800-61) itemVersion: 1.1.0 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC Endpoint Compromise Evaluation_V3 -description: |- - It evaluates three signals: +description: 'It evaluates three signals: + File verdict (malicious / suspicious / benign) + Execution evidence (file SHA256 matches executed process hashes in the issue context) + Behavioral indicators (MITRE tactics/techniques such as Persistence, Command & Control, Privilege Escalation, Process Injection) + Outputs + likely_compromised + Malicious file executed or strong post-exploitation behavior observed. + suspicious + Malicious or suspicious activity present but no definitive execution or compromise proof. + isolated_signal + Single weak signal with no execution or strong behavioral indicators. + no_evidence + Benign verdict and no supporting compromise indicators. - The playbook does not use case risk score or alert volume; it focuses strictly on endpoint-level forensic evidence. + + The playbook does not use case risk score or alert volume; it focuses strictly on endpoint-level forensic evidence.' 
tags: - - SOC - - SOC_Framework_Unified - - Detection & Analysis - - NIST 800-61 - - EndPoint -starttaskid: "0" +- SOC +- SOC_Framework_Unified +- Detection & Analysis +- NIST 800-61 +- EndPoint +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e type: start task: id: 27ca4564-aefc-483e-8598-fa04dbefbf2e version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "69" + - '69' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false 
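Review bot: The top-level `description` is changed from a `|-` literal block to a single-quoted scalar, and in a quoted scalar a single line break folds into a space, so the three signal lines and the `likely_compromised` / `suspicious` / `isolated_signal` / `no_evidence` entries with their one-line meanings now parse as one run-on paragraph; only the blank line before "The playbook does not use case risk score…" survives as a newline. As far as the collapsed hunk shows, the items are not separated by blank lines, so this is a rendering regression in the text analysts read to interpret `Analysis.Endpoint.compromise_level`, which the next hunk sets to `likely_compromised`. Keep `description: |-` with one item per line, or, if a formatter insists on the quoted form, put a blank line between every item so the folding preserves them. The `tags:` re-indentation and `starttaskid: '0'` quote change are equivalent.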
@@ -77,48 +83,40 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "29":
- id: "29"
+ '29':
+ id: '29'
 taskid: 4c010df0-1d0e-46e8-b043-672358f7ddbd
 type: regular
 task:
 id: 4c010df0-1d0e-46e8-b043-672358f7ddbd
 version: -1
 name: Set Compromise Likely
- description: "Set a value in context under the key you entered. If no value
- is entered, the script doesn't do anything.\n\nThis automation runs using
- the default Limited User role, unless you explicitly change the permissions.\nFor
- more information, see the section about permissions here:\n- For Cortex XSOAR
- 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
- \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n-
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
 scriptName: SetAndHandleEmpty
 type: regular
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "70"
+ - '70'
 scriptarguments:
 append:
- simple: "false"
+ simple: 'false'
 force:
- simple: "true"
+ simple: 'true'
 key:
 simple: Analysis.Endpoint.compromise_level
 value:
 simple: likely_compromised
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": -620,
- "y": 2550
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": -620,\n \"y\": 2550\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -126,48 +124,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "30": - id: "30" + '30': + id: '30' taskid: 4371bae8-fa9c-479e-ac55-d10a704a8938 type: regular task: id: 4371bae8-fa9c-479e-ac55-d10a704a8938 version: -1 name: Set Description Malicious And No Excecution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: malicious_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 315, - "y": 1485 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 315,\n \"y\": 1485\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -175,48 +165,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" + '31': + id: '31' taskid: a328a8d5-b8de-47b4-8a6a-69003e9e388d type: regular task: id: a328a8d5-b8de-47b4-8a6a-69003e9e388d version: -1 name: Set Description Suspicious with Execution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: suspicious_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 212.5, - "y": 1670 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 212.5,\n \"y\": 1670\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -224,48 +206,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" + '32': + id: '32' taskid: 7b4a8594-365d-40d8-84cd-5590cb809f0d type: regular task: id: 7b4a8594-365d-40d8-84cd-5590cb809f0d version: -1 name: Set Compromise Suspicious - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: suspicious_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -80, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": -80,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -273,48 +247,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "33": - id: "33" + '33': + id: '33' taskid: 673a1f63-6c99-4218-8520-8e5226cda124 type: regular task: id: 673a1f63-6c99-4218-8520-8e5226cda124 version: -1 name: Set Compromise Isolated - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_level value: simple: isolate_signal separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 652.5, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 652.5,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -322,8 +288,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "69": - id: "69" + '69': + id: '69' taskid: 9e094f2a-5581-4510-9292-6bb1be80aebd type: title task: @@ -332,21 +298,15 @@ tasks: name: Investigate type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "82" + - '82' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -354,8 +314,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "70":
- id: "70"
+ '70':
+ id: '70'
 taskid: 26cd8ee9-1d01-40d1-9b3a-dbd76a8cfa1e
 type: title
 task:
@@ -364,18 +324,12 @@ tasks:
 name: Done
 type: title
 iscommand: false
- brand: ""
+ brand: ''
 playbooktaskmissingcomponent: null
 istaskmissingcomponenterrordismissed: false
 separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 827.5,
- "y": 2735
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 2735\n }\n}"
 note: false
 timertriggers: []
 ignoreworker: false
@@ -383,48 +337,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "75": - id: "75" + '75': + id: '75' taskid: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 type: regular task: id: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 version: -1 name: Set Compromise No Evidence - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_level value: simple: no_evidence separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1340, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1340,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -432,8 +378,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "76": - id: "76" + '76': + id: '76' taskid: 54387c7d-89ee-44c5-b977-07dab20e908e type: condition task: 
@@ -442,85 +388,79 @@ tasks: name: Compromised Host Malicious and Executed? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "81" + - '81' Likely Compromised: - - "87" + - '87' separatecontext: false conditions: - - label: Likely Compromised - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: isEqualString - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: isEqualString - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - - label: Likely Compromised - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: isEqualString - left: - value: - simple: inputs.tactic_id - iscontext: true - right: - value: - simple: TA0002 - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 560 - } - } + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: isEqualString + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + 
iscontext: true + - operator: isEqualString + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: isEqualString + left: + value: + simple: inputs.tactic_id + iscontext: true + right: + value: + simple: TA0002 + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 560\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -528,8 +468,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "77": - id: "77" + '77': + id: '77' taskid: 34027e15-2aef-4b0a-8878-957e370550ce type: condition task: 
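Review bot: Both entries under `conditions` in the `Compromised Host Malicious and Executed?` task carry the same label `Likely Compromised`, while `nexttasks` has a single `Likely Compromised` key; if the engine keys condition entries by label, only one of the two rows may ever be evaluated. The two entries share the `inputs.verdict` equals `malicious` row and differ only in the second row (SHA256 in a process hash field vs `inputs.tactic_id` equals `TA0002`), so folding the second into the first entry as an additional alternative would make the intended OR explicit and remove the duplicate label. This is pre-existing logic that the commit only re-indents and re-quotes; the task's remaining lines are in the trailing hunk on this line.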
@@ -538,64 +478,58 @@ tasks: name: Compromised Malicious No Execution? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "78" + - '78' Suspicious: - - "30" + - '30' separatecontext: false conditions: - - label: Suspicious - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 920, - "y": 1300 - } - } + - label: Suspicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false 
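Review bot: The three `notIn` checks in the `Suspicious` condition of `Compromised Malicious No Execution?` sit in one inner list, and assuming the usual XSOAR reading (entries in one list are OR-joined, separate `- -` rows are AND-joined, as the `in` rows of `Compromised Suspicious with Execution?` rely on), the branch fires when `inputs.SHA256` is absent from any one of the three process-hash fields rather than from all of them, which is the opposite of what the task name suggests. Placing each `notIn` in its own `- -` row would express "not in any of the three". The same shape recurs in `Isolated Signal?` (hunk `@@ -688,101`) and `Compromised Strong Tactics No Execution?` (hunk `@@ -1115,70`). The commit only re-quotes and re-indents these lines, so the logic is pre-existing, but the new side is what will run.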
@@ -603,8 +537,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "78":
- id: "78"
+ '78':
+ id: '78'
 taskid: 9422d3f6-ce78-45bb-bea3-69c58b2ee781
 type: condition
 task:
@@ -613,64 +547,58 @@ tasks: name: Compromised Suspicious with Execution? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "86" + - '86' Suspicious: - - "31" + - '31' separatecontext: false conditions: - - label: Suspicious - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: suspicious - - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1032.5, - "y": 1485 - } - } + - label: Suspicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: suspicious + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1032.5,\n \"y\": 1485\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -678,8 +606,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "79":
- id: "79"
+ '79':
+ id: '79'
 taskid: 28ea7aab-be63-4e6c-b9d9-63520cab7f0e
 type: condition
 task:
@@ -688,101 +616,96 @@ tasks: name: Isolated Signal? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "80" + - '80' Isolated Signal: - - "91" + - '91' separatecontext: false conditions: - - label: Isolated Signal - condition: - - - operator: in - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: | - ("unknown","suspicious")) - - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - - - operator: notIn - left: - value: - simple: TA0011 - iscontext: true - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - - operator: notIn - left: - value: - simple: TA0003 - iscontext: true - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - - operator: notIn - left: - value: - simple: T1055 - iscontext: true - right: - value: - simple: inputs.case_mitre_techniques - iscontext: true - - - operator: isEqualString - left: - value: - simple: TA0004 - iscontext: true - right: - value: - simple: inputs.case_mitre_techniques - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1155, - "y": 2040 - } - } + - label: Isolated Signal + condition: + - - operator: in + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: '("unknown","suspicious")) + + ' + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: 
+ value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - - operator: notIn + left: + value: + simple: TA0011 + iscontext: true + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: notIn + left: + value: + simple: TA0003 + iscontext: true + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: notIn + left: + value: + simple: T1055 + iscontext: true + right: + value: + simple: inputs.case_mitre_techniques + iscontext: true + - - operator: isEqualString + left: + value: + simple: TA0004 + iscontext: true + right: + value: + simple: inputs.case_mitre_techniques + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1155,\n \"y\": 2040\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -790,8 +713,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "80": - id: "80" + '80': + id: '80' taskid: 510e58df-e742-49b3-9910-02f691e96640 type: condition task: 
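Review bot: The right-hand value of the `in` check on `inputs.verdict` in `Isolated Signal?` is the literal text `("unknown","suspicious"))` with an unbalanced parenthesis and a trailing newline carried over from the old `|` block scalar, so the verdict is compared against that string rather than against the two values; the new single-quoted form preserves the problem. If the intent is "verdict is unknown or suspicious", the two values should be given in whatever list form the `in` operator accepts rather than this pasted text. In the same hunk the literals `TA0011`, `TA0003`, `T1055` and `TA0004` on the left side are marked `iscontext: true`, whereas the `Execution + Strong Exploit Tactics` and `Malicious Strong Exploit Tactics` tasks write the same literals without it; if `iscontext` makes them resolve as context paths, the three `notIn` rows become vacuously true and the final `isEqualString` row vacuously false. That final row also compares the tactic id `TA0004` with `inputs.case_mitre_techniques`, which looks like it was meant to be `inputs.case_mitre_tactics`. The task's conditions start in the hunk on the previous line.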
@@ -800,64 +723,58 @@ tasks: name: No Evidence? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "70" + - '70' No Evidence: - - "92" + - '92' separatecontext: false conditions: - - label: No Evidence - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: benign - - - operator: containsGeneral - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: containsGeneral - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: containsGeneral - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1085, - "y": 2255 - } - } + - label: No Evidence + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: benign + - - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1085,\n \"y\": 2255\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -865,8 +782,8 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "81":
- id: "81"
+ '81':
+ id: '81'
 taskid: 98a68f9b-8748-4de0-83b6-ae46d324c1e2
 type: condition
 task:
@@ -875,69 +792,63 @@ tasks: name: Execution + Strong Exploit Tactics type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "85" + - '85' Likely Compromised: - - "88" + - '88' separatecontext: false conditions: - - label: Likely Compromised - condition: - - - operator: in - left: - value: - simple: TA0011 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - operator: in - left: - value: - simple: TA0003 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 705, - "y": 745 - } - } + - label: Likely Compromised + condition: + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": 745\n }\n}" note: false 
timertriggers: [] ignoreworker: false @@ -945,8 +856,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "82": - id: "82" + '82': + id: '82' taskid: 21ba8f6d-bdff-425f-9c4b-f19cccf4de83 type: title task: @@ -955,21 +866,15 @@ tasks: name: Evaluate Malicious type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "76" + - '76' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 390 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 390\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -977,8 +882,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "83": - id: "83" + '83': + id: '83' taskid: 289cfa9b-dc82-4e6f-be72-b0002e049a00 type: title task: @@ -987,21 +892,15 @@ tasks: name: Evaluate Suspicious type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "77" + - '77' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 920, - "y": 1122.5 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1122.5\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1009,8 +908,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "84": - id: "84" + '84': + id: '84' taskid: 2e46b5b4-7337-4691-b9df-349934c95fd7 type: title task: 
@@ -1019,21 +918,15 @@ tasks: name: Evaluate Isolated Signal type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "79" + - '79' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1155, - "y": 1862.5 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1155,\n \"y\": 1862.5\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1041,8 +934,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "85": - id: "85" + '85': + id: '85' taskid: b57df6ec-9f5d-481c-b732-7f1f59026dbd type: condition task: 
@@ -1051,53 +944,47 @@ tasks: name: Malicious Strong Exploit Tactics type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "83" + - '83' Likely Compromised: - - "89" + - '89' separatecontext: false conditions: - - label: Likely Compromised - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: in - left: - value: - simple: TA0011 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - operator: in - left: - value: - simple: TA0003 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 910, - "y": 930 - } - } + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1105,8 +992,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "86": - id: "86" + '86': + id: '86' taskid: a6c34090-a35f-400d-b4f4-30dc4d0ff3c8 type: condition task: 
@@ -1115,70 +1002,64 @@ tasks: name: Compromised Strong Tactics No Execution? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "84" + - '84' Suspicious: - - "32" - - "90" + - '32' + - '90' separatecontext: false conditions: - - label: Suspicious - condition: - - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - - - operator: in - left: - value: - simple: TA0011 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - operator: in - left: - value: - simple: TA0003 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1155, - "y": 1670 - } - } + - label: Suspicious + condition: + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1155,\n \"y\": 
1670\n }\n}" note: false timertriggers: [] ignoreworker: false 
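Review bot: The `Suspicious` condition of task 86 keeps all three `notIn` checks in a single inner list, which XSOAR evaluates as OR (outer list AND, inner list OR), so the branch fires whenever `inputs.SHA256` is absent from any one of `xdm_sourceprocess_executable_sha256`, `initiator_sha256` or `cgo_sha256` — and a file is seldom all three at once, so this holds for most alerts. If "no execution" is meant as the hash appearing in none of the three fields, give each `notIn` its own outer group by starting the second and third with `- - operator: notIn` at the same indentation as the first, leaving the TA0011/TA0003 group unchanged. The reindented block preserves the original nesting, so this is pre-existing, but the commit is the right moment to settle it. Task 86's own key (`'86':`) sits in the preceding hunk.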
@@ -1186,48 +1067,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "87": - id: "87" + '87': + id: '87' taskid: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 type: regular task: id: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 version: -1 name: Set Description To Malicious And Executed - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" + - '29' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: malicious_and_executed separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -42.5, - "y": 745 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": -42.5,\n \"y\": 745\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1235,48 +1108,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "88": - id: "88" + '88': + id: '88' taskid: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 type: regular task: id: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 version: -1 name: Set Description Execution And Strong Tactics - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" + - '29' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: execution_strong_tactics separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 200, - "y": 930 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1284,48 +1149,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "89": - id: "89" + '89': + id: '89' taskid: bcbc6174-fcc2-488e-83fb-dc73560cfa4d type: regular task: id: bcbc6174-fcc2-488e-83fb-dc73560cfa4d version: -1 name: Set Description Malicioius And Strong Tactics - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" + - '29' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: malicious_strong_tactics separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 387.5, - "y": 1115 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 387.5,\n \"y\": 1115\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1333,48 +1190,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "90": - id: "90" + '90': + id: '90' taskid: 9b9d105e-134e-4397-b80f-949c549cd6be type: regular task: id: 9b9d105e-134e-4397-b80f-949c549cd6be version: -1 name: Set Description Suspicious with Execution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: strong_tactics_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 447.5, - "y": 1855 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 447.5,\n \"y\": 1855\n }\n}" note: false timertriggers: [] ignoreworker: false 
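Review bot: Task 90 is named `Set Description Suspicious with Execution` but writes `strong_tactics_no_execution` into `Analysis.Endpoint.compromise_decision`, and it is reached from task 86's `Suspicious` label, whose condition is the no-execution case; rename it to `Set Description Strong Tactics, No Execution` so the graph reads the way the decision value does. Task 86 also lists both `'32'` and `'90'` under `Suspicious` while task 90 itself continues to `'32'`, so task 32 is reached by two paths; if that is intentional, replacing the generic SetAndHandleEmpty `description` on task 90 with one sentence saying so would spare the next reader the puzzle.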
@@ -1382,48 +1231,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "91": - id: "91" + '91': + id: '91' taskid: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 type: regular task: id: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 version: -1 name: Set Description Suspicious, No Execution, No Tactics - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "33" + - '33' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: suspcious_no_tactics_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 652.5, - "y": 2255 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 652.5,\n \"y\": 2255\n }\n}" note: false timertriggers: [] ignoreworker: false 
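Review bot: The decision value `suspcious_no_tactics_no_execution` written by task 91 is misspelled (`suspicious`), and because it lands in `Analysis.Endpoint.compromise_decision` any downstream playbook or layout that matches on it has to carry the typo; correct it to `suspicious_no_tactics_no_execution` together with whatever consumes the value, or record the exact string in the `Analysis.Endpoint.compromise_decision` output description if it must stay. Task 89's name `Set Description Malicioius And Strong Tactics` in the earlier hunk has the same kind of typo (`Malicious`); that one is display-only and safe to fix in place.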
@@ -1431,48 +1272,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "92": - id: "92" + '92': + id: '92' taskid: f14be6c5-632b-4ab2-95c0-ccea72352e00 type: regular task: id: f14be6c5-632b-4ab2-95c0-ccea72352e00 version: -1 name: Set Description Benign, No Execution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "75" + - '75' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: benign_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1340, - "y": 2410 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1340,\n \"y\": 2410\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1480,142 +1313,128 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": { - "76_81_#default#": 0.9 - }, - "paper": { - "dimensions": { - "height": 2745, - "width": 2340, - "x": -620, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {\n \"76_81_#default#\": 0.9\n },\n \"paper\": {\n \"dimensions\": {\n \"\ + height\": 2745,\n \"width\": 2340,\n \"x\": -620,\n \"y\": 50\n }\n }\n}" inputs: - - key: host_likely_compromised - value: - simple: "70" - required: false - description: Threshold for DBot Predicted Score for Host Likely Compromised - playbookInputQuery: null - - key: host_suspicious - value: - simple: "40" - required: false - description: Threshold for DBot Predicted Score for Host Suspicious. This value - will be between the host_likely_compromised and this value host_suspicious values. - playbookInputQuery: null - - key: host_isolated_signal - value: - simple: "40" - required: false - description: Anything less than this number will be an Isolated Signal for the host. - playbookInputQuery: null - - key: host_high_issue_count - value: - simple: "3" - required: false - description: "" - playbookInputQuery: null - - key: SHA256 - value: - complex: - root: SOCFramework.Artifacts.File - transformers: - - operator: join - args: - separator: - value: - simple: ',' - required: false - description: "" - playbookInputQuery: null - - key: verdict - value: - simple: ${Analysis.Endpoint.verdict} - required: false - description: Enriched artifact verdict resolved by SOC_Endpoint_Verdict_Resolution_V3 - after all TI sources and WildFire detonation. Use Analysis.Endpoint.verdict, not - SOCFramework.Artifacts.Verdict, to ensure compromise evaluation uses the aggregated - DBot-normalized result rather than the raw source classification. 
- playbookInputQuery: null - - key: initiator_sha256 - value: - simple: ${issue.initiatorsha256} - required: false - description: "" - playbookInputQuery: null - - key: case_mitre_tactics - value: - simple: ${parentIncidentFields.mitre_tactics_ids_and_names} - required: false - description: "" - playbookInputQuery: null - - key: case_mitre_techniques - value: - simple: ${parentIncidentFields.mitre_techniques_ids_and_names.[0]} - required: false - description: "" - playbookInputQuery: null - - key: case_issue_count - value: - simple: ${parentIncidentFields.alert_count} - required: false - description: "" - playbookInputQuery: null - - key: xdm_sourceprocess_executable_sha256 - value: - simple: ${issue.xdmsourceprocessexecutablesha256} - required: false - description: "" - playbookInputQuery: null - - key: cgo_sha256 - value: - simple: ${issue.cgosha256} - required: false - description: "" - playbookInputQuery: null - - key: tactic_id - value: - simple: ${SOCFramework.Mitre.Tactic.ID} - required: false - description: MITRE ATT&CK tactic ID written by Foundation into SOCFramework.Mitre.Tactic.ID - (e.g. TA0002 for Execution). Used alongside verdict to confirm execution without - requiring hash matching when CGO/XDM fields are not populated. - playbookInputQuery: null +- key: host_likely_compromised + value: + simple: '70' + required: false + description: Threshold for DBot Predicted Score for Host Likely Compromised + playbookInputQuery: null +- key: host_suspicious + value: + simple: '40' + required: false + description: Threshold for DBot Predicted Score for Host Suspicious. This value will be between the host_likely_compromised + and this value host_suspicious values. + playbookInputQuery: null +- key: host_isolated_signal + value: + simple: '40' + required: false + description: Anything less than this number will be an Isolated Signal for the host. 
+ playbookInputQuery: null +- key: host_high_issue_count + value: + simple: '3' + required: false + description: '' + playbookInputQuery: null +- key: SHA256 + value: + complex: + root: SOCFramework.Artifacts.File + transformers: + - operator: join + args: + separator: + value: + simple: ',' + required: false + description: '' + playbookInputQuery: null +- key: verdict + value: + simple: ${Analysis.Endpoint.verdict} + required: false + description: Enriched artifact verdict resolved by SOC_Endpoint_Verdict_Resolution_V3 after all TI sources and WildFire + detonation. Use Analysis.Endpoint.verdict, not SOCFramework.Artifacts.Verdict, to ensure compromise evaluation uses the + aggregated DBot-normalized result rather than the raw source classification. + playbookInputQuery: null +- key: initiator_sha256 + value: + simple: ${issue.initiatorsha256} + required: false + description: '' + playbookInputQuery: null +- key: case_mitre_tactics + value: + simple: ${parentIncidentFields.mitre_tactics_ids_and_names} + required: false + description: '' + playbookInputQuery: null +- key: case_mitre_techniques + value: + simple: ${parentIncidentFields.mitre_techniques_ids_and_names.[0]} + required: false + description: '' + playbookInputQuery: null +- key: case_issue_count + value: + simple: ${parentIncidentFields.alert_count} + required: false + description: '' + playbookInputQuery: null +- key: xdm_sourceprocess_executable_sha256 + value: + simple: ${issue.xdmsourceprocessexecutablesha256} + required: false + description: '' + playbookInputQuery: null +- key: cgo_sha256 + value: + simple: ${issue.cgosha256} + required: false + description: '' + playbookInputQuery: null +- key: tactic_id + value: + simple: ${SOCFramework.Mitre.Tactic.ID} + required: false + description: MITRE ATT&CK tactic ID written by Foundation into SOCFramework.Mitre.Tactic.ID (e.g. TA0002 for Execution). 
+ Used alongside verdict to confirm execution without requiring hash matching when CGO/XDM fields are not populated. + playbookInputQuery: null inputSections: - - inputs: - - host_likely_compromised - - host_suspicious - - host_isolated_signal - - host_high_issue_count - - SHA256 - - verdict - - initiator_sha256 - - case_mitre_tactics - - case_mitre_techniques - - case_issue_count - - xdm_sourceprocess_executable_sha256 - - cgo_sha256 - - tactic_id - name: General (Inputs group) - description: Generic group for inputs +- inputs: + - host_likely_compromised + - host_suspicious + - host_isolated_signal + - host_high_issue_count + - SHA256 + - verdict + - initiator_sha256 + - case_mitre_tactics + - case_mitre_techniques + - case_issue_count + - xdm_sourceprocess_executable_sha256 + - cgo_sha256 + - tactic_id + name: General (Inputs group) + description: Generic group for inputs outputSections: - - outputs: - - Analysis.Endpoint.compromise_level - - Analysis.Endpoint.compromise_decision - name: General (Outputs group) - description: Generic group for outputs +- outputs: + - Analysis.Endpoint.compromise_level + - Analysis.Endpoint.compromise_decision + name: General (Outputs group) + description: Generic group for outputs outputs: - - contextPath: Analysis.Endpoint.compromise_level - description: Is this host considered compromised? - type: unknown - - contextPath: Analysis.Endpoint.compromise_decision - description: Why did this playbook decide this was the finding? - type: unknown +- contextPath: Analysis.Endpoint.compromise_level + description: Is this host considered compromised? + type: unknown +- contextPath: Analysis.Endpoint.compromise_decision + description: Why did this playbook decide this was the finding? + type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false adopted: true 
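Review bot: The `SHA256` input joins every `SOCFramework.Artifacts.File` entry into one comma-separated string, yet task 86 compares that whole string with `notIn` against the single-hash fields `cgo_sha256`, `initiator_sha256` and `xdm_sourceprocess_executable_sha256`; with more than one artifact the joined value cannot equal any one hash, so the execution check degrades to "not executed" unless `notIn` does substring matching, which I cannot confirm from here. Passing the list through without the `join` transformer (or iterating per artifact) would make the comparison meaningful. Eight inputs (`host_high_issue_count`, `SHA256`, `initiator_sha256`, `case_mitre_tactics`, `case_mitre_techniques`, `case_issue_count`, `xdm_sourceprocess_executable_sha256`, `cgo_sha256`) still carry `description: ''`; a one-line description of each, as `verdict` and `tactic_id` already have, would document which issue fields they expect. `case_mitre_techniques` also takes only `[0]`, so a case with several techniques exposes just the first — worth stating in its description if that is the intent.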
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml index 4aecaeed..95329691 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml @@ -1233,4 +1233,4 @@ outputs: - contextPath: Containment.isolated_hosts type: unknown sourceplaybookid: Containment Plan -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml index f6ec9294..529294fb 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml @@ -2,20 +2,19 @@ fromversion: 5.0.0 adopted: true contentitemexportablefields: contentitemfields: - definitionid: "" + definitionid: '' fromServerVersion: 5.0.0 isoverridable: false itemVersion: 3.0.30 packID: soc-framework-nist-ir packName: SOC Framework Unified - prevname: "" + prevname: '' supportedModules: [] - toServerVersion: "" -description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis is - not attack vector.\nThis is behavioral class.\nCurrent Tasks:\n\nDefine Attack Vector\nIs - Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? \nSet Endpoint Path " -dirtyInputs: true -id: 'SOC Endpoint Signal Characterization_V3' + toServerVersion: '' +description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis is not attack vector.\nThis is behavioral class.\n\ + Current Tasks:\n\nDefine Attack Vector\nIs Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? \nSet Endpoint Path " +dirtyInputs: false +id: SOC Endpoint Signal Characterization_V3 inputSections: - description: Generic group for inputs inputs: 
@@ -23,7 +22,7 @@ inputSections: - cgo_name name: General (Inputs group) inputs: -- description: "" +- description: '' key: case_name playbookInputQuery: null required: false @@ -33,7 +32,7 @@ inputs: root: issue transformers: - operator: toLowerCase -- description: "" +- description: '' key: cgo_name playbookInputQuery: null required: false @@ -50,7 +49,7 @@ outputs: description: What type of Endpoint Signal is this (i.e. malware, process, behavioral)? type: string sourceplaybookid: SOC Data Analysis_V3 -starttaskid: "0" +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -58,52 +57,46 @@ tags: - NIST 800-61 - EndPoint tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "3" + - '3' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 27ca4564-aefc-483e-8598-fa04dbefbf2e iscommand: false istaskmissingcomponenterrordismissed: false - name: "" + name: '' playbooktaskmissingcomponent: null version: -1 taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e timertriggers: [] type: start - view: |- - { - "position": { - "x": 592.5, - "y": 50 - } - } - "3": - continueonerrortype: "" - id: "3" + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 50\n }\n}" + '3': + continueonerrortype: '' + id: '3' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "4" + - '4' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: dfb1f62b-258e-4e82-8f1c-b14f17ea13e4 iscommand: false istaskmissingcomponenterrordismissed: false @@ -114,14 +107,8 @@ tasks: taskid: dfb1f62b-258e-4e82-8f1c-b14f17ea13e4 timertriggers: [] type: title - view: |- - { - "position": { - "x": 592.5, - "y": 220 - } - } - "4": + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 220\n }\n}" + '4': conditions: - condition: - - left: 
@@ -158,27 +145,29 @@ tasks: value: simple: malicious label: Malware - continueonerrortype: "" - id: "4" + continueonerrortype: '' + id: '4' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#default#': - - "5" + - '5' Malware: - - "8" + - '8' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" - description: |- - This captures: + brand: '' + description: 'This captures: + WildFire Malware + Malware Activity - Known Malicious File + + Known Malicious File' id: 58525173-8940-4cae-8796-3af3458bf7d5 iscommand: false istaskmissingcomponenterrordismissed: false @@ -189,14 +178,8 @@ tasks: taskid: 58525173-8940-4cae-8796-3af3458bf7d5 timertriggers: [] type: condition - view: |- - { - "position": { - "x": 592.5, - "y": 390 - } - } - "5": + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 390\n }\n}" + '5': conditions: - condition: - - left: @@ -233,27 +216,29 @@ tasks: value: simple: exploit label: Behavioral - continueonerrortype: "" - id: "5" + continueonerrortype: '' + id: '5' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#default#': - - "10" + - '10' Behavioral: - - "9" + - '9' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" - description: |- - This matches: + brand: '' + description: 'This matches: + Process Injection + In-process shellcode Protection - Exploit-based detections + + Exploit-based detections' id: 503051b3-d89e-4d5c-9cdc-057518241481 iscommand: false istaskmissingcomponenterrordismissed: false @@ -264,16 +249,10 @@ tasks: taskid: 503051b3-d89e-4d5c-9cdc-057518241481 timertriggers: [] type: condition - view: |- - { - "position": { - "x": 807.5, - "y": 575 - } - } - "6": - continueonerrortype: "" - id: "6" + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 575\n }\n}" + '6': + continueonerrortype: '' + id: '6' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -282,7 +261,7 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 0c3c3767-5423-4648-837a-2857fffb8f14 iscommand: false istaskmissingcomponenterrordismissed: false @@ -293,30 +272,24 @@ tasks: taskid: 0c3c3767-5423-4648-837a-2857fffb8f14 timertriggers: [] type: title - view: |- - { - "position": { - "x": 695, - "y": 1130 - } - } - "8": + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1130\n }\n}" + '8': continueonerror: true - continueonerrortype: "" - id: "8" + continueonerrortype: '' + id: '8' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "6" + - '6' note: false quietmode: 0 scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.signal_type value: 
@@ -324,14 +297,12 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 90251b08-df0e-4500-a4b4-ed12c43af066 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -343,29 +314,23 @@ tasks:
taskid: 90251b08-df0e-4500-a4b4-ed12c43af066
timertriggers: []
type: regular
- view: |-
- {
- "position": {
- "x": 50,
- "y": 945
- }
- }
- "9":
- continueonerrortype: ""
- id: "9"
+ view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 945\n }\n}"
+ '9':
+ continueonerrortype: ''
+ id: '9'
ignoreworker: false
isautoswitchedtoquietmode: false
isoversize: false
nexttasks:
'#none#':
- - "6"
+ - '6'
note: false
quietmode: 0
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Endpoint.signal_type
value:
@@ -373,14 +338,12 @@ tasks:
separatecontext: false
skipunavailable: false
task:
- brand: ""
- description: "Set a value in context under the key you entered. If no value
- is entered, the script doesn't do anything.\n\nThis automation runs using
- the default Limited User role, unless you explicitly change the permissions.\nFor
- more information, see the section about permissions here:\n- For Cortex XSOAR
- 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
- \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n-
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
id: 4905a04f-649e-4919-86fd-72eeb6f0ed39
iscommand: false
istaskmissingcomponenterrordismissed: false
@@ -392,14 +355,8 @@ tasks:
taskid: 4905a04f-649e-4919-86fd-72eeb6f0ed39
timertriggers: []
type: regular
- view: |-
- {
- "position": {
- "x": 480,
- "y": 945
- }
- }
- "10":
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 945\n }\n}"
+ '10':
conditions:
- condition:
- - left:
@@ -408,29 +365,33 @@ tasks: simple: inputs.cgo_name operator: isNotEmpty label: Process Execution - continueonerrortype: "" - id: "10" + continueonerrortype: '' + id: '10' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#default#': - - "6" + - '6' Process Execution: - - "11" + - '11' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" - description: |- - This captures: + brand: '' + description: 'This captures: + Suspicious PowerShell + LOLBin misuse + Encoded commands + Script abuse - PsExec, WMI, etc. + + PsExec, WMI, etc.' id: 2515f02b-331a-4450-ab16-14148c327068 iscommand: false istaskmissingcomponenterrordismissed: false @@ -441,29 +402,23 @@ tasks: taskid: 2515f02b-331a-4450-ab16-14148c327068 timertriggers: [] type: condition - view: |- - { - "position": { - "x": 1022.5, - "y": 760 - } - } - "11": - continueonerrortype: "" - id: "11" + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 760\n }\n}" + '11': + continueonerrortype: '' + id: '11' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "6" + - '6' note: false quietmode: 0 scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.signal_type value: 
@@ -471,14 +426,12 @@ tasks:
separatecontext: false
skipunavailable: false
task:
- brand: ""
- description: "Set a value in context under the key you entered. If no value
- is entered, the script doesn't do anything.\n\nThis automation runs using
- the default Limited User role, unless you explicitly change the permissions.\nFor
- more information, see the section about permissions here:\n- For Cortex XSOAR
- 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
- \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n-
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
id: fd88680e-db16-4666-9582-ab616eb2fa77
iscommand: false
istaskmissingcomponenterrordismissed: false
@@ -490,23 +443,7 @@ tasks:
taskid: fd88680e-db16-4666-9582-ab616eb2fa77
timertriggers: []
type: regular
- view: |-
- {
- "position": {
- "x": 910,
- "y": 945
- }
- }
+ view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 945\n }\n}"
version: -1
-view: |-
- {
- "linkLabelsPosition": {},
- "paper": {
- "dimensions": {
- "height": 1140,
- "width": 1352.5,
- "x": 50,
- "y": 50
- }
- }
- }
+view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1140,\n \"width\":\
+ \ 1352.5,\n \"x\": 50,\n \"y\": 50\n }\n }\n}"
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml
index 98895420..3b3938b4 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml
@@ -14,9 +14,8 @@ contentitemexportablefields:
supportedModules: []
vcShouldKeepItemLegacyProdMachine: false
name: SOC Endpoint Verdict Resolution_V3
-description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\
- \nCurrent Tasks\nWhat is Current File Verdict \nCan We Get the Verdict\nWildFire\
- \ Detonate \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict "
+description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\nCurrent Tasks\nWhat is Current File Verdict\
+ \ \nCan We Get the Verdict\nWildFire Detonate \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict "
tags:
- SOC
- SOC_Framework_Unified
@@ -81,16 +80,14 @@ tasks: id: 1f2777b4-95d9-4165-bb28-a2058dfb0f76 version: -1 name: WildFire - Detonate file v2 - description: 'Detonate one or more files using the Wildfire v2 integration. - This playbook + description: 'Detonate one or more files using the Wildfire v2 integration. This playbook - returns relevant reports to the War Room and file reputations to the context - data. + returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, - PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, PERL, PYTHON, SHELL. + APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, + PERL, PYTHON, SHELL. Note: Base64 encoded files are currently not supported.' @@ -155,10 +152,9 @@ tasks: skipunavailable: false task: brand: '' - description: Capture the original verdict from the source detection platform - before any enrichment runs. Preserved in Analysis.Endpoint.source_verdict - so downstream playbooks can detect discrepancies between source classification - and enrichment results. + description: Capture the original verdict from the source detection platform before any enrichment runs. Preserved in + Analysis.Endpoint.source_verdict so downstream playbooks can detect discrepancies between source classification and + enrichment results. id: b2c3d4e5-f6a7-8901-bcde-f23456789012 iscommand: false istaskmissingcomponenterrordismissed: false @@ -492,8 +488,7 @@ tasks: id: 18476c9f-e302-479f-812c-0ff30a09de78 version: -1 name: Get Dbot Indicator Score - description: The script calculates the average DBot score for each indicator - in the context. + description: The script calculates the average DBot score for each indicator in the context. scriptName: DBotAverageScore type: regular iscommand: false 
@@ -521,11 +516,9 @@ tasks:
id: 2d37c317-fbcc-47c3-93bf-f8872db22468
version: -1
name: Set Verdict Malicious
- description: "Set a value in context under the key you entered. If no value\
- \ is entered, the script doesn't do anything.\n\nThis automation runs using\
- \ the default Limited User role, unless you explicitly change the permissions.\n\
- For more information, see the section about permissions here:\n- For Cortex\
- \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
\ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
scriptName: SetAndHandleEmpty
@@ -564,11 +557,9 @@ tasks:
id: bc349f0b-d8ec-4dd4-b6ea-578509e2b929
version: -1
name: Set Verdict Suspicious
- description: "Set a value in context under the key you entered. If no value\
- \ is entered, the script doesn't do anything.\n\nThis automation runs using\
- \ the default Limited User role, unless you explicitly change the permissions.\n\
- For more information, see the section about permissions here:\n- For Cortex\
- \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
\ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
scriptName: SetAndHandleEmpty
@@ -607,11 +598,9 @@ tasks:
id: 844144f5-b61a-45f0-8e9e-739511f2b43f
version: -1
name: Set Verdict Unknown
- description: "Set a value in context under the key you entered. If no value\
- \ is entered, the script doesn't do anything.\n\nThis automation runs using\
- \ the default Limited User role, unless you explicitly change the permissions.\n\
- For more information, see the section about permissions here:\n- For Cortex\
- \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
\ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
scriptName: SetAndHandleEmpty
@@ -702,11 +691,9 @@ tasks:
id: 05b85087-43b9-4d28-94c9-8ad2c98db66b
version: -1
name: Set Verdict Benign
- description: "Set a value in context under the key you entered. If no value\
- \ is entered, the script doesn't do anything.\n\nThis automation runs using\
- \ the default Limited User role, unless you explicitly change the permissions.\n\
- For more information, see the section about permissions here:\n- For Cortex\
- \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\
+ \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\
+ \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
\ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
- For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
scriptName: SetAndHandleEmpty
@@ -738,9 +725,8 @@ tasks:
isoversize: false
isautoswitchedtoquietmode: false
system: true
-view: "{\n \"linkLabelsPosition\": {\n \"19_21_Suspicious\": 0.56\n },\n \"\
- paper\": {\n \"dimensions\": {\n \"height\": 1690,\n \"width\": 1910,\n\
- \ \"x\": 80,\n \"y\": 50\n }\n }\n}"
+view: "{\n \"linkLabelsPosition\": {\n \"19_21_Suspicious\": 0.56\n },\n \"paper\": {\n \"dimensions\": {\n \
+ \ \"height\": 1690,\n \"width\": 1910,\n \"x\": 80,\n \"y\": 50\n }\n }\n}"
inputs:
- key: SHA256
value:
@@ -768,13 +754,12 @@ outputSections:
description: Generic group for outputs
outputs:
- contextPath: Analysis.Endpoint.verdict
- description: Confirmed artifact verdict after all enrichment sources and WildFire/DBot
- aggregation
+ description: Confirmed artifact verdict after all enrichment sources and WildFire/DBot aggregation
type: string
- contextPath: Analysis.Endpoint.source_verdict
- description: Original verdict from the source detection platform before enrichment
- (e.g. malicious from CrowdStrike). Preserved for discrepancy detection downstream.
+ description: Original verdict from the source detection platform before enrichment (e.g. malicious from CrowdStrike). Preserved
+ for discrepancy detection downstream.
type: string
sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
adopted: true
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml
index 1d0c6752..18a1ccde 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml
@@ -1190,4 +1190,4 @@ outputs:
- contextPath: Eradication.story
type: unknown
sourceplaybookid: SOC Containment_V3
-dirtyInputs: true
+dirtyInputs: false
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml
index 4b81c02b..fb8082b6 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml
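Review bot: The `dirtyInputs: true` → `dirtyInputs: false` flip is the one non-cosmetic change in this reflow, it recurs in the SOC_Eradication_V3 hunk on this same line, and nothing in the diff explains it. If this flag is what the platform uses to record that a sub-playbook's inputs have diverged from its `sourceplaybookid: SOC Data Analysis_V3` (inferred from the name and its placement next to `sourceplaybookid`, not confirmed here), clearing it silently drops that marker and a later sync from the source playbook could overwrite the local input edits. The `inputs:` list begins at the end of this hunk and is cut off, so whether the inputs were actually re-synced cannot be checked from this view; either keep `dirtyInputs: true` or move the flip into its own commit with a one-line rationale.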
@@ -3,51 +3,39 @@ fromversion: 5.0.0 id: SOC Identity Analysis_V3 version: -1 name: SOC Identity Analysis_V3 -description: |- - Identity-specific analysis playbook. Runs inside SOC Analysis_V3 when - SOCFramework.Product.category = "Identity". - - Follows the standard analysis pattern: - 1. SOC Initialize Investigation Context_V3 - clean keys, load case counts - 2. Signal Characterization - evaluate MITRE tactics and identity threat type - 3. Compromise Evaluation - set compromise_level and compromise_decision - 4. Spread Evaluation - set spread_level based on user/host scope - 5. Recommendations - set confidence and response_recommended - 6. SOC Analysis Evaluation_V3 - publish canonical Analysis.* context keys - - Intermediate keys: Analysis.Identity.* - Published keys: canonical Analysis.* consumed by SOC NIST IR (800-61)_V3 - - Value Driver: VD1 (MTTD), VD3 (analyst efficiency - automated assessment) - SOC Challenges: Repetitive Workflows, Analyst Fatigue, Too Many Manual Investigations +description: "Identity-specific analysis playbook. Runs inside SOC Analysis_V3 when\nSOCFramework.Product.category = \"Identity\"\ + .\n\nFollows the standard analysis pattern:\n 1. SOC Initialize Investigation Context_V3 - clean keys, load case counts\n\ + \ 2. Signal Characterization - evaluate MITRE tactics and identity threat type\n 3. Compromise Evaluation - set compromise_level\ + \ and compromise_decision\n 4. Spread Evaluation - set spread_level based on user/host scope\n 5. Recommendations - set\ + \ confidence and response_recommended\n 6. 
SOC Analysis Evaluation_V3 - publish canonical Analysis.* context keys\n\nIntermediate\
+ \ keys: Analysis.Identity.*\nPublished keys: canonical Analysis.* consumed by SOC NIST IR (800-61)_V3\n\nValue Driver: VD1\
+ \ (MTTD), VD3 (analyst efficiency - automated assessment)\nSOC Challenges: Repetitive Workflows, Analyst Fatigue, Too Many\
+ \ Manual Investigations"
tags:
- SOC
- SOC_Framework_Unified
- Detection & Analysis
- NIST 800-61
- Identity
-starttaskid: "0"
+starttaskid: '0'
tasks:
- "0":
- id: "0"
- taskid: id-ia-start-0001
+ '0':
+ id: '0'
+ taskid: 84141e91-8042-5fa8-af29-04659ee420f0
type: start
task:
- id: id-ia-start-0001
+ id: 84141e91-8042-5fa8-af29-04659ee420f0
version: -1
- name: ""
+ name: ''
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "1"
+ - '1'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 50 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 50 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -55,29 +43,25 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "1":
- id: "1"
- taskid: id-ia-prep-title-0002
+ '1':
+ id: '1'
+ taskid: 4a5e020d-8b0e-589f-ac7d-4ef6a4b625aa
type: title
task:
- id: id-ia-prep-title-0002
+ id: 4a5e020d-8b0e-589f-ac7d-4ef6a4b625aa
version: -1
name: Preparation
description: Clean context keys and load case counts from incident fields.
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "2"
+ - '2'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 185 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 185 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -85,24 +69,23 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "2":
- id: "2"
- taskid: id-ia-init-ctx-0003
+ '2':
+ id: '2'
+ taskid: 22d64792-9228-5a41-b01c-7bf4cd620e63
type: playbook
task:
- id: id-ia-init-ctx-0003
+ id: 22d64792-9228-5a41-b01c-7bf4cd620e63
version: -1
name: SOC Initialize Investigation Context
description: Clean up the data context and prepare to perform the investigation.
playbookName: SOC Initialize Investigation Context_V3
type: playbook
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "3"
+ - '3'
scriptarguments:
case_host_count:
simple: ${parentIncidentFields.host_count}
@@ -115,16 +98,13 @@ tasks:
reset_issue_keys:
simple: Investigation, Analysis, Containment, Eradication, Recovery
separatecontext: false
- continueonerrortype: ""
+ continueonerrortype: ''
loop:
iscommand: false
- exitCondition: ""
+ exitCondition: ''
wait: 1
max: 100
- view: |-
- {
- "position": { "x": 480, "y": 330 }
- }
+ view: "{\n \"position\": { \"x\": 480, \"y\": 330 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -132,29 +112,25 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "3":
- id: "3"
- taskid: id-ia-sigchar-title-0004
+ '3':
+ id: '3'
+ taskid: 425b0e53-ab75-59fc-8a5a-621e17279ecc
type: title
task:
- id: id-ia-sigchar-title-0004
+ id: 425b0e53-ab75-59fc-8a5a-621e17279ecc
version: -1
name: Signal Characterization
description: Evaluate MITRE tactics and classify the identity threat type.
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "4"
+ - '4'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 500 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 500 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -162,31 +138,30 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "4":
- id: "4"
- taskid: id-ia-tactic-check-0005
+ '4':
+ id: '4'
+ taskid: 96b14199-3610-55d2-9f29-0108fc6752f4
type: condition
task:
- id: id-ia-tactic-check-0005
+ id: 96b14199-3610-55d2-9f29-0108fc6752f4
version: -1
name: Identity Threat Signal Type
description: Classifies the primary identity threat from MITRE tactics in the case.
type: condition
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#default#':
- - "5"
+ - '5'
Credential Access:
- - "10"
+ - '10'
Privilege Escalation:
- - "11"
+ - '11'
Persistence:
- - "12"
+ - '12'
Lateral Movement:
- - "13"
+ - '13'
separatecontext: false
conditions:
- label: Privilege Escalation
@@ -229,11 +204,8 @@ tasks:
right:
value:
simple: TA0006
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 640 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 640 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -241,38 +213,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "5":
- id: "5"
- taskid: id-ia-sigtype-default-0006
+ '5':
+ id: '5'
+ taskid: 6751050a-dbd9-511b-b640-7ac6c9cc7bea
type: regular
task:
- id: id-ia-sigtype-default-0006
+ id: 6751050a-dbd9-511b-b640-7ac6c9cc7bea
version: -1
name: Set Signal Type - Identity Anomaly
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "20"
+ - '20'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.signal_type
value:
simple: identity_anomaly
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 830 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 830 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -280,38 +248,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "10":
- id: "10"
- taskid: id-ia-sigtype-cred-0010
+ '10':
+ id: '10'
+ taskid: cc760965-e609-59ed-bf68-a29be2048037
type: regular
task:
- id: id-ia-sigtype-cred-0010
+ id: cc760965-e609-59ed-bf68-a29be2048037
version: -1
name: Set Signal Type - Credential Access
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "20"
+ - '20'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.signal_type
value:
simple: credential_access
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 0, "y": 830 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 0, \"y\": 830 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -319,38 +283,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "11":
- id: "11"
- taskid: id-ia-sigtype-privesc-0011
+ '11':
+ id: '11'
+ taskid: a17e0f64-917f-5557-9cd7-2464f293872d
type: regular
task:
- id: id-ia-sigtype-privesc-0011
+ id: a17e0f64-917f-5557-9cd7-2464f293872d
version: -1
name: Set Signal Type - Privilege Escalation
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "20"
+ - '20'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.signal_type
value:
simple: privilege_escalation
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 240, "y": 830 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 240, \"y\": 830 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -358,38 +318,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "12":
- id: "12"
- taskid: id-ia-sigtype-persist-0012
+ '12':
+ id: '12'
+ taskid: cec1a43d-e86c-5912-9f0f-a56a95ed6639
type: regular
task:
- id: id-ia-sigtype-persist-0012
+ id: cec1a43d-e86c-5912-9f0f-a56a95ed6639
version: -1
name: Set Signal Type - Persistence
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "20"
+ - '20'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.signal_type
value:
simple: identity_persistence
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 720, "y": 830 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 720, \"y\": 830 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -397,38 +353,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "13":
- id: "13"
- taskid: id-ia-sigtype-lateral-0013
+ '13':
+ id: '13'
+ taskid: f9f68f79-e221-5e5e-bb1b-4f2f7175d42d
type: regular
task:
- id: id-ia-sigtype-lateral-0013
+ id: f9f68f79-e221-5e5e-bb1b-4f2f7175d42d
version: -1
name: Set Signal Type - Lateral Movement
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "20"
+ - '20'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.signal_type
value:
simple: lateral_movement
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 960, "y": 830 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 960, \"y\": 830 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -436,29 +388,25 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "20":
- id: "20"
- taskid: id-ia-compromise-title-0020
+ '20':
+ id: '20'
+ taskid: 991c4c11-13b6-5a95-a217-4967662c41cc
type: title
task:
- id: id-ia-compromise-title-0020
+ id: 991c4c11-13b6-5a95-a217-4967662c41cc
version: -1
name: Compromise Evaluation
description: Evaluate compromise level based on XSIAM risk score and signal type.
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "21"
+ - '21'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 1020 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 1020 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -466,25 +414,24 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "21":
- id: "21"
- taskid: id-ia-risk-score-check-0021
+ '21':
+ id: '21'
+ taskid: 771a5d10-c92a-5de0-bc10-104bbe2a2ffe
type: condition
task:
- id: id-ia-risk-score-check-0021
+ id: 771a5d10-c92a-5de0-bc10-104bbe2a2ffe
version: -1
name: Risk Score - High?
description: Score >= 70 OR privilege_escalation/persistence signal drives likely_compromised.
type: condition
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#default#':
- - "23"
+ - '23'
high:
- - "22"
+ - '22'
separatecontext: false
conditions:
- label: high
@@ -496,7 +443,7 @@ tasks:
iscontext: true
right:
value:
- simple: "70"
+ simple: '70'
- operator: isEqualString
left:
value:
@@ -512,7 +459,7 @@ tasks:
iscontext: true
right:
value:
- simple: "70"
+ simple: '70'
- operator: isEqualString
left:
value:
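Review bot: The description on the `Risk Score - High?` condition, `Score >= 70 OR privilege_escalation/persistence signal drives likely_compromised.`, does not match the condition groups that follow it: in the two small hunks on this same line each `simple: '70'` comparison is followed by a `- operator: isEqualString` entry in the same inner list, which in playbook condition syntax is an AND rather than an OR, and the group on the next line compares against `'85'`, a threshold the description never mentions. The left operands and operators of those groups sit outside the hunks, so this reading is inferred from the nesting and should be checked against the full task. If it holds, a description like `description: likely_compromised when risk score >= 70 and the signal is privilege_escalation or persistence, or when risk score >= 85 regardless of signal.` would let an analyst audit the routing without opening the condition editor; whichever way the intent goes, the 85 threshold needs to be named somewhere.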
@@ -528,12 +475,9 @@ tasks:
iscontext: true
right:
value:
- simple: "85"
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 480, "y": 1165 }
- }
+ simple: '85'
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 480, \"y\": 1165 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -541,38 +485,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "22":
- id: "22"
- taskid: id-ia-compromise-high-0022
+ '22':
+ id: '22'
+ taskid: e27ea7e7-477c-59bd-8497-0f5ffe33900f
type: regular
task:
- id: id-ia-compromise-high-0022
+ id: e27ea7e7-477c-59bd-8497-0f5ffe33900f
version: -1
name: Set Compromise Level - likely_compromised
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "24"
+ - '24'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.compromise_level
value:
simple: likely_compromised
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 240, "y": 1350 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 240, \"y\": 1350 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -580,38 +520,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "23":
- id: "23"
- taskid: id-ia-compromise-med-0023
+ '23':
+ id: '23'
+ taskid: fb404fe4-f0d0-577e-a8b7-c86533ebdc09
type: regular
task:
- id: id-ia-compromise-med-0023
+ id: fb404fe4-f0d0-577e-a8b7-c86533ebdc09
version: -1
name: Set Compromise Level - suspicious
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "25"
+ - '25'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.compromise_level
value:
simple: suspicious
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 720, "y": 1350 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 720, \"y\": 1350 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -619,38 +555,34 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
-
- "24":
- id: "24"
- taskid: id-ia-decision-malicious-0024
+ '24':
+ id: '24'
+ taskid: 8352879c-c557-5ffc-8a00-1aabb1445b5e
type: regular
task:
- id: id-ia-decision-malicious-0024
+ id: 8352879c-c557-5ffc-8a00-1aabb1445b5e
version: -1
name: Set Compromise Decision - malicious
scriptName: SetAndHandleEmpty
type: regular
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
nexttasks:
'#none#':
- - "30"
+ - '30'
scriptarguments:
append:
- simple: "false"
+ simple: 'false'
force:
- simple: "true"
+ simple: 'true'
key:
simple: Analysis.Identity.compromise_decision
value:
simple: malicious
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": { "x": 240, "y": 1530 }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": { \"x\": 240, \"y\": 1530 }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -658,38 +590,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "25": - id: "25" - taskid: id-ia-decision-suspicious-0025 + '25': + id: '25' + taskid: e5a4b347-5185-531b-9115-ff079ad4e4e6 type: regular task: - id: id-ia-decision-suspicious-0025 + id: e5a4b347-5185-531b-9115-ff079ad4e4e6 version: -1 name: Set Compromise Decision - suspicious_activity scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "30" + - '30' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.compromise_decision value: simple: suspicious_activity separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 1530 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 1530 }\n}" note: false timertriggers: [] ignoreworker: false @@ -697,28 +625,24 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "30": - id: "30" - taskid: id-ia-spread-title-0030 + '30': + id: '30' + taskid: b75bd97e-5b31-5eef-abdd-21e2c6213597 type: title task: - id: id-ia-spread-title-0030 + id: b75bd97e-5b31-5eef-abdd-21e2c6213597 version: -1 name: Evaluate Spread Level type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "31" + - '31' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 1710 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 1710 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -726,25 +650,24 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "31": - id: "31" - taskid: id-ia-spread-check-0031 + '31': + id: '31' + taskid: 301d93ad-f4a3-5baf-8f11-c244c4ada62b type: condition task: - id: id-ia-spread-check-0031 + id: 301d93ad-f4a3-5baf-8f11-c244c4ada62b version: -1 name: Spread Level - Multi-User? description: multi_entity if 3+ users or lateral movement signal. type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#default#': - - "33" + - '33' multi_entity: - - "32" + - '32' separatecontext: false conditions: - label: multi_entity @@ -756,7 +679,7 @@ tasks: iscontext: true right: value: - simple: "3" + simple: '3' - - operator: isEqualString left: value: @@ -765,11 +688,8 @@ tasks: right: value: simple: lateral_movement - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 1850 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 1850 }\n}" note: false timertriggers: [] ignoreworker: false @@ -777,38 +697,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "32": - id: "32" - taskid: id-ia-spread-multi-0032 + '32': + id: '32' + taskid: 03a40676-0aa9-503e-99bf-633e0f7c743f type: regular task: - id: id-ia-spread-multi-0032 + id: 03a40676-0aa9-503e-99bf-633e0f7c743f version: -1 name: Set Spread Level - multi_entity scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "40" + - '40' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.spread_level value: simple: multi_entity separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 2030 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 2030 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -816,38 +732,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "33": - id: "33" - taskid: id-ia-spread-single-0033 + '33': + id: '33' + taskid: f74499c8-44cd-5e83-a527-0479bea99002 type: regular task: - id: id-ia-spread-single-0033 + id: f74499c8-44cd-5e83-a527-0479bea99002 version: -1 name: Set Spread Level - single_entity scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "40" + - '40' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.spread_level value: simple: single_entity separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 2030 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 2030 }\n}" note: false timertriggers: [] ignoreworker: false @@ -855,29 +767,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "40": - id: "40" - taskid: id-ia-recommend-title-0040 + '40': + id: '40' + taskid: 9651a4fc-9db6-525e-9ee6-c765e893d9c3 type: title task: - id: id-ia-recommend-title-0040 + id: 9651a4fc-9db6-525e-9ee6-c765e893d9c3 version: -1 name: Make Recommendations description: Set confidence and response_recommended based on compromise evaluation. type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "41" + - '41' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2215 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2215 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -885,26 +793,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "41": - id: "41" - taskid: id-ia-confidence-check-0041 + '41': + id: '41' + taskid: 739f4119-7867-5359-ae11-327553d967cd type: condition task: - id: id-ia-confidence-check-0041 + id: 739f4119-7867-5359-ae11-327553d967cd version: -1 name: Analysis Confidence type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#default#': - - "44" + - '44' high: - - "42" + - '42' medium: - - "43" + - '43' separatecontext: false conditions: - label: high @@ -967,11 +874,8 @@ tasks: right: value: simple: likely_compromised - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2370 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2370 }\n}" note: false timertriggers: [] ignoreworker: false @@ -979,38 +883,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "42": - id: "42" - taskid: id-ia-confidence-high-0042 + '42': + id: '42' + taskid: 614781f6-0256-5015-9570-e411a06eac70 type: regular task: - id: id-ia-confidence-high-0042 + id: 614781f6-0256-5015-9570-e411a06eac70 version: -1 name: Investigation Confidence High scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.confidence value: simple: high separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 2560 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 2560 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1018,38 +918,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "43": - id: "43" - taskid: id-ia-confidence-med-0043 + '43': + id: '43' + taskid: 28d71874-9c02-5ba6-afb8-bc32f156d4b9 type: regular task: - id: id-ia-confidence-med-0043 + id: 28d71874-9c02-5ba6-afb8-bc32f156d4b9 version: -1 name: Investigation Confidence Medium scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.confidence value: simple: medium separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 2560 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 2560 }\n}" note: false timertriggers: [] ignoreworker: false @@ -1057,38 +953,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "44": - id: "44" - taskid: id-ia-confidence-low-0044 + '44': + id: '44' + taskid: cfe7c506-7d41-5e61-b97f-21c749812fa3 type: regular task: - id: id-ia-confidence-low-0044 + id: cfe7c506-7d41-5e61-b97f-21c749812fa3 version: -1 name: Investigation Confidence Low scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "46" + - '46' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.confidence value: simple: low separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2560 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2560 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1096,38 +988,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "45": - id: "45" - taskid: id-ia-response-yes-0045 + '45': + id: '45' + taskid: e101470d-c24a-58c7-a37e-780938269ce8 type: regular task: - id: id-ia-response-yes-0045 + id: e101470d-c24a-58c7-a37e-780938269ce8 version: -1 name: Analysis Response Recommended scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "50" + - '50' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.response_recommended value: - simple: "true" + simple: 'true' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2745 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2745 }\n}" note: false timertriggers: [] ignoreworker: false @@ -1135,38 +1023,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "46": - id: "46" - taskid: id-ia-response-no-0046 + '46': + id: '46' + taskid: 0d1d268c-9a7a-5e96-9af9-b150c955733b type: regular task: - id: id-ia-response-no-0046 + id: 0d1d268c-9a7a-5e96-9af9-b150c955733b version: -1 name: Analysis Response NOT Recommended scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "50" + - '50' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.response_recommended value: - simple: "false" + simple: 'false' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2745 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2745 }\n}" note: false timertriggers: [] ignoreworker: false 
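Review bot: Tasks '45' and '46' are both placed at `"position": { "x": 480, "y": 2745 }`, so the two SetAndHandleEmpty nodes that set response_recommended true/false will overlap in the playbook editor, while the preceding branches keep distinct columns (42 at x 240, 43 at x 720, 44 at x 480). Consider `view: "{\n \"position\": { \"x\": 240, \"y\": 2745 }\n}"` for '45' and `view: "{\n \"position\": { \"x\": 720, \"y\": 2745 }\n}"` for '46', or whichever split keeps the edges from 42/43/44 readable. The overlap predates this commit, but since both `view` lines are rewritten here it is the natural place to fix it.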
@@ -1174,24 +1058,23 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "50": - id: "50" - taskid: id-ia-eval-publish-0050 + '50': + id: '50' + taskid: 698089f4-af29-5db4-abe4-acd405c24f21 type: playbook task: - id: id-ia-eval-publish-0050 + id: 698089f4-af29-5db4-abe4-acd405c24f21 version: -1 name: SOC Analysis Evaluation_V3 description: Publishes Analysis.Identity.* to canonical Analysis.* keys consumed by SOC NIST IR. playbookName: SOC Analysis Evaluation_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "99" + - '99' scriptarguments: case_category: simple: ${Analysis.Identity.signal_type} 
@@ -1230,29 +1113,40 @@ tasks: spread_level: simple: ${Analysis.Identity.spread_level} story: - simple: "Identity Analysis Summary\n\nThe primary identity under investigation\ - \ is \"${SOCFramework.Artifacts.UserName}\".\n\nThe identity threat signal\ - \ has been classified as \"${Analysis.Identity.signal_type}\" with a compromise\ - \ level of \"${Analysis.Identity.compromise_level}\", based on MITRE ATT&CK\ - \ tactic correlation and XSIAM risk scoring.\n\nActivity scope:\n\u2022\ - \ Users involved: ${parentIncidentFields.user_count}\n\u2022 Hosts involved:\ - \ ${parentIncidentFields.host_count}\n\u2022 Alerts in case: ${parentIncidentFields.alert_count}\n\ - \u2022 Spread level: ${Analysis.Identity.spread_level}\n\nInvestigation\ - \ confidence is \"${Analysis.Identity.confidence}\".\nResponse recommendation:\ - \ ${Analysis.Identity.response_recommended}." + simple: 'Identity Analysis Summary + + + The primary identity under investigation is "${SOCFramework.Artifacts.UserName}". + + + The identity threat signal has been classified as "${Analysis.Identity.signal_type}" with a compromise level of + "${Analysis.Identity.compromise_level}", based on MITRE ATT&CK tactic correlation and XSIAM risk scoring. + + + Activity scope: + + • Users involved: ${parentIncidentFields.user_count} + + • Hosts involved: ${parentIncidentFields.host_count} + + • Alerts in case: ${parentIncidentFields.alert_count} + + • Spread level: ${Analysis.Identity.spread_level} + + + Investigation confidence is "${Analysis.Identity.confidence}". + + Response recommendation: ${Analysis.Identity.response_recommended}.' verdict: simple: ${Analysis.Identity.compromise_decision} separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { "x": 480, "y": 2930 } - } + view: "{\n \"position\": { \"x\": 480, \"y\": 2930 }\n}" note: false timertriggers: [] ignoreworker: false 
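Review bot: The story text for task '50' is now a single-quoted multi-line scalar in which every intended newline has to be written as an empty line and the single line break after `compromise level of` folds to a space; as written it is byte-equivalent to the previous `\n\n` / `\n` string, but that encoding is easy to break on the next manual edit or re-wrap. A literal block scalar (`simple: |-` followed by the text with its real line breaks) would make the rendered breaks visible and keep the bullet list stable. The remaining lines of the hunk (`continueonerrortype`, `exitCondition`, `view`) are quoting style only.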
@@ -1260,25 +1154,21 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "99": - id: "99" - taskid: id-ia-done-0099 + '99': + id: '99' + taskid: 96a551b1-7b03-5f98-88a5-593448331d8b type: title task: - id: id-ia-done-0099 + id: 96a551b1-7b03-5f98-88a5-593448331d8b version: -1 name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 3120 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 3120 }\n}" note: false timertriggers: [] ignoreworker: false @@ -1286,7 +1176,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - inputs: - key: entity_id value: @@ -1298,13 +1187,13 @@ inputs: value: simple: ${SOCFramework.Product.category} required: false - description: "" + description: '' playbookInputQuery: null - key: entity_type value: simple: ${SOCFramework.Product.category} required: false - description: "" + description: '' playbookInputQuery: null inputSections: - inputs: @@ -1378,17 +1267,7 @@ outputs: type: unknown - contextPath: Analysis.case_user_count type: unknown -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 3130, - "width": 1340, - "x": 0, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 3130,\n \"width\":\ + \ 1340,\n \"x\": 0,\n \"y\": 50\n }\n }\n}" sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml index 96ea646a..829814c9 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml 
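Review bot: `dirtyInputs` is flipped from `true` to `false` at the end of this file with no corresponding change to the `inputs:` section, and the same flip is the sole change in SOC_Identity_Containment_V3.yml and the last hunk in SOC_Identity_Eradication_V3.yml, SOC_Identity_Recovery_V3.yml and SOC_Initialize_Investigation_Context_V3.yml. If this flag is server-maintained to mark playbooks whose inputs diverge from their `sourceplaybookid`, clearing it by hand could hide a real divergence; a sentence in the commit description stating why it is reset (e.g. regenerated by the export tooling) would settle that. The top-level `view` change in the same hunk is quoting style only.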
@@ -707,4 +707,4 @@ outputs: - contextPath: Core.Isolation.endpoint_id description: The isolated endpoint ID. sourceplaybookid: Containment Plan -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml index 77f83463..65af3c41 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml @@ -20,10 +20,10 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: id-ie-start-0001 + taskid: a02a81bf-dfe5-54fd-b3b9-101064463cc1 type: start task: - id: id-ie-start-0001 + id: a02a81bf-dfe5-54fd-b3b9-101064463cc1 version: -1 name: '' iscommand: false @@ -44,10 +44,10 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: id-ie-response-gate-0001 + taskid: 5a0d1ea9-fed2-5530-bdc2-021f3fa93940 type: condition task: - id: id-ie-response-gate-0001 + id: 5a0d1ea9-fed2-5530-bdc2-021f3fa93940 version: -1 name: Recommended Response? description: Skip eradication entirely if analysis did not recommend a response. @@ -83,10 +83,10 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: id-ie-compromise-check-0002 + taskid: a487d443-721b-576e-8eae-572184ac75be type: condition task: - id: id-ie-compromise-check-0002 + id: a487d443-721b-576e-8eae-572184ac75be version: -1 name: Compromised Level? description: 'likely_compromised = full reset (password + tokens). @@ -136,10 +136,10 @@ tasks: isautoswitchedtoquietmode: false '20': id: '20' - taskid: id-ie-full-erad-title-0020 + taskid: 9daf5386-bbf3-5082-afc8-504c14b89a85 type: title task: - id: id-ie-full-erad-title-0020 + id: 9daf5386-bbf3-5082-afc8-504c14b89a85 version: -1 name: Full Eradication - Reset + Revoke type: title 
@@ -161,10 +161,10 @@ tasks: isautoswitchedtoquietmode: false '21': id: '21' - taskid: id-ie-reset-password-0021 + taskid: 5e9d32a5-7a16-556c-9d12-59b9a0cf8e84 type: regular task: - id: id-ie-reset-password-0021 + id: 5e9d32a5-7a16-556c-9d12-59b9a0cf8e84 version: -1 name: Reset Password - Universal Command scriptName: SOCCommandWrapper @@ -223,10 +223,10 @@ tasks: isautoswitchedtoquietmode: false '22': id: '22' - taskid: id-ie-set-creds-reset-0022 + taskid: 55faf68e-460c-5e6c-a548-932b360d1bd9 type: regular task: - id: id-ie-set-creds-reset-0022 + id: 55faf68e-460c-5e6c-a548-932b360d1bd9 version: -1 name: Set Credentials Reset scriptName: SetAndHandleEmpty @@ -258,10 +258,10 @@ tasks: isautoswitchedtoquietmode: false '30': id: '30' - taskid: id-ie-revoke-only-title-0030 + taskid: 656c7121-ccfe-578e-99d3-e36888aa6d06 type: title task: - id: id-ie-revoke-only-title-0030 + id: 656c7121-ccfe-578e-99d3-e36888aa6d06 version: -1 name: Token Revocation Only type: title @@ -283,10 +283,10 @@ tasks: isautoswitchedtoquietmode: false '31': id: '31' - taskid: id-ie-set-creds-not-reset-0031 + taskid: fba8f3c8-f62f-54de-b88b-ee0db6fe85ee type: regular task: - id: id-ie-set-creds-not-reset-0031 + id: fba8f3c8-f62f-54de-b88b-ee0db6fe85ee version: -1 name: Set Credentials NOT Reset scriptName: SetAndHandleEmpty @@ -318,10 +318,10 @@ tasks: isautoswitchedtoquietmode: false '29': id: '29' - taskid: id-ie-revoke-tokens-0029 + taskid: 84b38bfc-cc25-54a2-b65e-09159468f3f6 type: regular task: - id: id-ie-revoke-tokens-0029 + id: 84b38bfc-cc25-54a2-b65e-09159468f3f6 version: -1 name: Revoke Tokens - Universal Command scriptName: SOCCommandWrapper @@ -380,10 +380,10 @@ tasks: isautoswitchedtoquietmode: false '40': id: '40' - taskid: id-ie-finalize-title-0040 + taskid: 18c221f1-0f9b-59c1-98a6-2f2693da0f2f type: title task: - id: id-ie-finalize-title-0040 + id: 18c221f1-0f9b-59c1-98a6-2f2693da0f2f version: -1 name: Eradication Attempted type: title 
@@ -405,10 +405,10 @@ tasks: isautoswitchedtoquietmode: false '41': id: '41' - taskid: id-ie-set-attempted-0041 + taskid: bbc23e09-ec5e-5170-b465-c07a93aaed70 type: regular task: - id: id-ie-set-attempted-0041 + id: bbc23e09-ec5e-5170-b465-c07a93aaed70 version: -1 name: Set Eradication Attempted scriptName: SetAndHandleEmpty @@ -440,10 +440,10 @@ tasks: isautoswitchedtoquietmode: false '42': id: '42' - taskid: id-ie-set-tokens-revoked-0042 + taskid: 2bfa8905-0035-5e61-abd4-c7121d9cec0c type: regular task: - id: id-ie-set-tokens-revoked-0042 + id: 2bfa8905-0035-5e61-abd4-c7121d9cec0c version: -1 name: Set Tokens Revoked scriptName: SetAndHandleEmpty @@ -475,10 +475,10 @@ tasks: isautoswitchedtoquietmode: false '43': id: '43' - taskid: id-ie-set-story-0043 + taskid: f60802bb-5b51-5a83-9a96-6283b9a757bd type: regular task: - id: id-ie-set-story-0043 + id: f60802bb-5b51-5a83-9a96-6283b9a757bd version: -1 name: Set Eradication Story scriptName: SetAndHandleEmpty @@ -527,10 +527,10 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: id-ie-no-erad-0011 + taskid: 062df020-51da-5d2a-8af6-0b31cd23c72e type: regular task: - id: id-ie-no-erad-0011 + id: 062df020-51da-5d2a-8af6-0b31cd23c72e version: -1 name: Set Eradication Not Attempted scriptName: SetAndHandleEmpty @@ -562,10 +562,10 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: id-ie-no-erad-story-0012 + taskid: 196209f0-1c8b-50f0-9b7c-b1da83ebaf6a type: regular task: - id: id-ie-no-erad-story-0012 + id: 196209f0-1c8b-50f0-9b7c-b1da83ebaf6a version: -1 name: Set No Eradication Story scriptName: SetAndHandleEmpty @@ -607,10 +607,10 @@ tasks: isautoswitchedtoquietmode: false '99': id: '99' - taskid: id-ie-done-0099 + taskid: 25915e27-6b7c-5519-af59-5262df416cc9 type: title task: - id: id-ie-done-0099 + id: 25915e27-6b7c-5519-af59-5262df416cc9 version: -1 name: Done type: title 
@@ -680,4 +680,4 @@ outputs: view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1860,\n \"width\":\ \ 1100,\n \"x\": 0,\n \"y\": 50\n }\n }\n}" sourceplaybookid: SOC Data Eradication_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml index 2b3aeae7..adff25c6 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml @@ -19,10 +19,10 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: id-ir-start-0001 + taskid: 2cf144a5-06d4-5eeb-9e6e-c705782ad551 type: start task: - id: id-ir-start-0001 + id: 2cf144a5-06d4-5eeb-9e6e-c705782ad551 version: -1 name: '' iscommand: false @@ -43,10 +43,10 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: id-ir-erad-gate-0001 + taskid: 5fbbe322-6516-5073-aea4-e23d1dbcd481 type: condition task: - id: id-ir-erad-gate-0001 + id: 5fbbe322-6516-5073-aea4-e23d1dbcd481 version: -1 name: Did Eradication Happen? description: 'Only proceed with recovery if eradication was attempted. @@ -84,10 +84,10 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: id-ir-recovery-title-0002 + taskid: 2739bf0e-4810-5302-840f-5fad677896db type: title task: - id: id-ir-recovery-title-0002 + id: 2739bf0e-4810-5302-840f-5fad677896db version: -1 name: Identity Recovery Actions type: title @@ -109,10 +109,10 @@ tasks: isautoswitchedtoquietmode: false '200': id: '200' - taskid: id-ir-enable-user-0200 + taskid: 0c8201d0-dfbb-5adc-83a7-df14f680ff60 type: regular task: - id: id-ir-enable-user-0200 + id: 0c8201d0-dfbb-5adc-83a7-df14f680ff60 version: -1 name: Re-enable User Account - Universal Command scriptName: SOCCommandWrapper 
@@ -171,10 +171,10 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: id-ir-set-attempted-0003 + taskid: a1bd3e77-3bef-5929-95cd-b2322fdad3fd type: regular task: - id: id-ir-set-attempted-0003 + id: a1bd3e77-3bef-5929-95cd-b2322fdad3fd version: -1 name: Set Recovery Attempted scriptName: SetAndHandleEmpty @@ -206,10 +206,10 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: id-ir-set-account-restored-0004 + taskid: 48e962e5-864f-503b-be8e-987e6c89c964 type: regular task: - id: id-ir-set-account-restored-0004 + id: 48e962e5-864f-503b-be8e-987e6c89c964 version: -1 name: Set Account Restored scriptName: SetAndHandleEmpty @@ -241,10 +241,10 @@ tasks: isautoswitchedtoquietmode: false '5': id: '5' - taskid: id-ir-set-monitoring-0005 + taskid: a3bdd25b-00bd-5a38-935d-f037f3b47f20 type: regular task: - id: id-ir-set-monitoring-0005 + id: a3bdd25b-00bd-5a38-935d-f037f3b47f20 version: -1 name: Set Monitoring Required scriptName: SetAndHandleEmpty @@ -276,10 +276,10 @@ tasks: isautoswitchedtoquietmode: false '6': id: '6' - taskid: id-ir-set-restore-method-0006 + taskid: e1c9a288-02dd-50c9-a003-a8474fb84777 type: regular task: - id: id-ir-set-restore-method-0006 + id: e1c9a288-02dd-50c9-a003-a8474fb84777 version: -1 name: Set Restore Method scriptName: SetAndHandleEmpty @@ -311,10 +311,10 @@ tasks: isautoswitchedtoquietmode: false '7': id: '7' - taskid: id-ir-set-story-0007 + taskid: 4c55b721-438a-59ec-8f4c-923dd8493647 type: regular task: - id: id-ir-set-story-0007 + id: 4c55b721-438a-59ec-8f4c-923dd8493647 version: -1 name: Set Recovery Story scriptName: SetAndHandleEmpty @@ -367,10 +367,10 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: id-ir-no-recovery-0010 + taskid: 48642fd6-397d-5841-86a9-71ec0ebd2930 type: regular task: - id: id-ir-no-recovery-0010 + id: 48642fd6-397d-5841-86a9-71ec0ebd2930 version: -1 name: Set Recovery Not Attempted scriptName: SetAndHandleEmpty 
@@ -402,10 +402,10 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: id-ir-no-recovery-story-0011 + taskid: 6c10f89f-3e71-5310-86c7-7314b4d28e1c type: regular task: - id: id-ir-no-recovery-story-0011 + id: 6c10f89f-3e71-5310-86c7-7314b4d28e1c version: -1 name: Set No Recovery Story scriptName: SetAndHandleEmpty @@ -447,10 +447,10 @@ tasks: isautoswitchedtoquietmode: false '99': id: '99' - taskid: id-ir-done-0099 + taskid: a4a8a958-69c5-5907-b6db-fafba8f327ee type: title task: - id: id-ir-done-0099 + id: a4a8a958-69c5-5907-b6db-fafba8f327ee version: -1 name: Done type: title @@ -502,4 +502,4 @@ outputs: view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1500,\n \"width\":\ \ 1100,\n \"x\": 0,\n \"y\": 50\n }\n }\n}" sourceplaybookid: SOC Data Recovery_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml index 3e341ac6..1e2e966d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml @@ -2,18 +2,18 @@ fromversion: 5.0.0 adopted: true contentitemexportablefields: contentitemfields: - definitionid: "" + definitionid: '' fromServerVersion: 5.0.0 isoverridable: false itemVersion: 3.0.30 packID: soc-framework-nist-ir packName: SOC Framework Unified - prevname: "" + prevname: '' supportedModules: [] - toServerVersion: "" + toServerVersion: '' description: Clean up the data context and prepare to perform the investigation. -dirtyInputs: true -id: 'SOC Initialize Investigation Context_V3' +dirtyInputs: false +id: SOC Initialize Investigation Context_V3 inputSections: - description: Generic group for inputs inputs: 
@@ -24,13 +24,13 @@ inputSections: - case_user_count name: General (Inputs group) inputs: -- description: "" +- description: '' key: reset_issue_keys playbookInputQuery: null required: false value: simple: Investigation, Analysis -- description: "" +- description: '' key: case_host_count playbookInputQuery: null required: false @@ -48,7 +48,7 @@ inputs: required: false value: simple: ${parentIncidentFields.alert_count} -- description: "" +- description: '' key: case_user_count playbookInputQuery: null required: false @@ -75,47 +75,41 @@ outputs: - contextPath: Analysis.Endpoint.issue_count type: unknown sourceplaybookid: SOC Data Analysis_V3 -starttaskid: "0" +starttaskid: '0' tags: - SOC - SOC_Framework_Unified - Detection & Analysis - EndPoint tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "59" + - '59' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false istaskmissingcomponenterrordismissed: false - name: "" + name: '' playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 50, - "y": 50 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -124,7 +118,7 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -135,28 +129,22 @@ tasks: taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 50, - "y": 1315 - } - } - "59": - continueonerrortype: "" - id: "59" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1315\n }\n}" + '59': + continueonerrortype: '' + id: '59' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "60" + - '60' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' description: Clean Out Keys for the Investigation and Analysis id: f3b5ab33-1507-4366-8af0-148333ec3b05 iscommand: false 
@@ -168,39 +156,32 @@ tasks: taskid: f3b5ab33-1507-4366-8af0-148333ec3b05 timertriggers: [] type: title - view: |- - { - "position": { - "x": 50, - "y": 220 - } - } - "60": - continueonerrortype: "" - id: "60" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" + '60': + continueonerrortype: '' + id: '60' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "61" + - '61' note: false quietmode: 0 scriptarguments: all: - simple: "no" + simple: 'no' key: simple: ${inputs.reset_issue_keys} separatecontext: false skipunavailable: false task: - brand: "" - description: "Delete field from context.\n\nThis automation runs using the default - Limited User role, unless you explicitly change the permissions.\nFor more - information, see the section about permissions here:\n- For Cortex XSOAR 6 - see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Delete field from context.\n\nThis automation runs using the default Limited User role, unless you explicitly\ + \ change the permissions.\nFor more information, see the section about permissions here:\n- For Cortex XSOAR 6 see\ + \ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For\ + \ Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 4e81fc47-8bc9-4471-8aa6-15072395b46c iscommand: false 
istaskmissingcomponenterrordismissed: false @@ -212,22 +193,16 @@ tasks: taskid: 4e81fc47-8bc9-4471-8aa6-15072395b46c timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 390 - } - } - "61": - continueonerrortype: "" - id: "61" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 390\n }\n}" + '61': + continueonerrortype: '' + id: '61' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "62" + - '62' note: false quietmode: 0 scriptarguments: 
@@ -241,19 +216,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: afa3e542-5d82-43d5-b60e-8996db4e3613 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -265,22 +238,16 @@ tasks: taskid: afa3e542-5d82-43d5-b60e-8996db4e3613 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 575 - } - } - "62": - continueonerrortype: "" - id: "62" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 575\n }\n}" + '62': + continueonerrortype: '' + id: '62' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "63" + - '63' note: false quietmode: 0 scriptarguments: 
@@ -294,19 +261,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 0087c50d-d9d3-4e6d-ae85-bde48c122d1f iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -318,22 +283,16 @@ tasks: taskid: 0087c50d-d9d3-4e6d-ae85-bde48c122d1f timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 760 - } - } - "63": - continueonerrortype: "" - id: "63" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 760\n }\n}" + '63': + continueonerrortype: '' + id: '63' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "64" + - '64' note: false quietmode: 0 scriptarguments: 
@@ -347,19 +306,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 8e226db5-e54d-4292-8a0e-dd8492ddeaa0 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -371,22 +328,16 @@ tasks: taskid: 8e226db5-e54d-4292-8a0e-dd8492ddeaa0 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 945 - } - } - "64": - continueonerrortype: "" - id: "64" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 945\n }\n}" + '64': + continueonerrortype: '' + id: '64' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 scriptarguments: 
@@ -400,19 +351,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 8c637a4c-cf08-472f-bc51-f5a6a2f8d854 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -424,23 +373,7 @@ tasks: taskid: 8c637a4c-cf08-472f-bc51-f5a6a2f8d854 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 1130 - } - } + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1130\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 1325, - "width": 380, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1325,\n \"width\":\ + \ 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml index 196c5f61..521fb22c 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml 
@@ -10,16 +10,19 @@ contentitemexportablefields: prevname: '' supportedModules: [] toServerVersion: '' -description: 'This playbook implements the NIST SP 800-61 Alert Response lifecycle in a structured, repeatable way. It serves as the top-level controller, orchestrating all downstream playbooks and automations that align to the four NIST phases: +description: 'This playbook implements the NIST SP 800-61 Alert Response lifecycle in a structured, repeatable way. It serves + as the top-level controller, orchestrating all downstream playbooks and automations that align to the four NIST phases: Preparation – Normalize and stage context (entities, products, alert categories) to ensure consistent execution. - Detection & Analysis – Trigger enrichment and investigation playbooks (endpoint, network, identity, email, cloud) based on normalized entities and mapped MITRE ATT&CK tactics. + Detection & Analysis – Trigger enrichment and investigation playbooks (endpoint, network, identity, email, cloud) based + on normalized entities and mapped MITRE ATT&CK tactics. - Containment, Eradication, Recovery – Call the appropriate static or product-specific playbooks to contain threats, remove malicious artifacts, and restore systems. + Containment, Eradication, Recovery – Call the appropriate static or product-specific playbooks to contain threats, remove + malicious artifacts, and restore systems. Post-Alert Activity – Document lessons learned, update playbook routing matrices, and feed back into SOC optimization. 
@@ -34,25 +37,26 @@ description: 'This playbook implements the NIST SP 800-61 Alert Response lifecyc Normalization (Upon Trigger of the EntryPoint) ensures entities (hosts, users, IPs, processes, etc.) are handled consistently. - This top-level playbook is the backbone of the SOC Framework: it receives the alert trigger, applies the NIST 800-61 model, and routes execution to the appropriate detection, containment, and response sub-playbooks for standardized alert handling' -dirtyInputs: true + This top-level playbook is the backbone of the SOC Framework: it receives the alert trigger, applies the NIST 800-61 model, + and routes execution to the appropriate detection, containment, and response sub-playbooks for standardized alert handling' +dirtyInputs: false id: SOC NIST IR (800-61)_V3 inputSections: - - description: Generic group for inputs - inputs: [] - name: General (Inputs group) V3 +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) V3 inputs: [] name: SOC NIST IR (800-61)_V3 outputSections: - - description: Generic group for outputs - name: General (Outputs group) - outputs: [] +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] outputs: [] sourceplaybookid: auto-soc_nist_ir_static-5665921e-797f-469f-a938-801fc03ce4b1 starttaskid: '0' tags: - - SOC_Framework_Unified - - SOC +- SOC_Framework_Unified +- SOC tasks: '0': continueonerrortype: '' @@ -62,7 +66,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '1' + - '1' note: false quietmode: 0 separatecontext: false @@ -86,7 +90,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '3' + - '3' note: false quietmode: 0 separatecontext: false @@ -111,7 +115,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '14' + - '14' note: false quietmode: 0 separatecontext: false @@ -136,7 +140,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '13' + - '13' note: false quietmode: 0 separatecontext: false 
@@ -161,7 +165,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '15' + - '15' note: false quietmode: 0 separatecontext: false @@ -186,7 +190,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '16' + - '16' note: false quietmode: 0 separatecontext: false @@ -233,14 +237,15 @@ tasks: isoversize: false nexttasks: '#none#': - - '7' + - '7' note: false quietmode: 0 separatecontext: true skipunavailable: false task: brand: '' - description: This playbook acts as a container for Containment playbooks acting on Product Category (i.e. EndPoint, Data, Network, Cloud SaaS, Cloud Workload, Identity). + description: This playbook acts as a container for Containment playbooks acting on Product Category (i.e. EndPoint, + Data, Network, Cloud SaaS, Cloud Workload, Identity). id: a496d4a7-564f-43e4-8c6d-b92eeaa462a3 iscommand: false name: SOC Containment_V3 @@ -260,7 +265,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '5' + - '5' note: false quietmode: 0 separatecontext: true @@ -286,7 +291,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '9' + - '9' note: false quietmode: 0 separatecontext: true @@ -312,7 +317,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '11' + - '11' note: false quietmode: 0 separatecontext: true @@ -331,5 +336,6 @@ tasks: type: playbook view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1610\n }\n}" version: -1 -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1900,\n \"width\": 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1900,\n \"width\":\ + \ 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml index 4543268d..f1e66ed9 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml 
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml @@ -1,28 +1,35 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC Network Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC Network Analysis_V3 inputs: [] name: SOC Network Analysis_V3 outputs: [] -sourceplaybookid: 'SOC Data Analysis_V3' -starttaskid: "0" +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -30,39 +37,33 @@ tags: - NIST 800-61 - Network tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -71,27 +72,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -100,34 +95,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml index c462b22c..e282bcfa 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false 
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml index 668f3aaa..22d61ae1 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml index 0334ffdc..556a6af3 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml index bae2bd60..dec0f421 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml @@ -1170,4 +1170,4 @@ outputs: - contextPath: Recovery.restore_method type: unknown sourceplaybookid: SOC Containment_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml index 55cf9c98..f9505d00 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml 
@@ -1,28 +1,35 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC SaaS Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC SaaS Analysis_V3 inputs: [] name: SOC SaaS Analysis_V3 outputs: [] -sourceplaybookid: 'SOC Data Analysis_V3' -starttaskid: "0" +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -30,39 +37,33 @@ tags: - NIST 800-61 - Cloud SaaS tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -71,27 +72,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -100,34 +95,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml index a9c9f7cc..4a58213d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false 
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml index 3837352c..780228ed 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml index e7c7d6f5..c446178e 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml index 9a7da458..4a7726ac 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml 
@@ -1,28 +1,35 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC Workload Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC Workload Analysis_V3 inputs: [] name: SOC Workload Analysis_V3 outputs: [] -sourceplaybookid: 'SOC Data Analysis_V3' -starttaskid: "0" +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -30,39 +37,33 @@ tags: - NIST 800-61 - Cloud Workload tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -71,27 +72,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -100,34 +95,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml index ff2443f6..f651a13b 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false 
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml index 185e0712..7277d49e 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml index 7296b8c8..859f9ec4 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/pack_metadata.json b/Packs/soc-framework-nist-ir/pack_metadata.json index 6f65dd18..3bf88e6b 100644 --- a/Packs/soc-framework-nist-ir/pack_metadata.json +++ b/Packs/soc-framework-nist-ir/pack_metadata.json 
@@ -3,7 +3,7 @@ "id": "soc-framework-nist-ir", "description": "SOC Framework \u2013 Incident Response (NIST)\n\nDescription\n\nThe SOC Framework \u2013 Incident Response (NIST) pack provides a standardized set of incident response workflows aligned with the lifecycle defined in NIST SP 800-61. It implements the operational stages of incident response within the SOC Framework, enabling consistent investigation, containment, eradication, recovery, and communication processes across security incidents.\n\nRather than building separate playbooks for each threat scenario, this pack organizes response logic around the incident response lifecycle. Scenarios such as phishing, endpoint compromise, identity abuse, and other security events enter the workflow and progress through the same structured response phases. This approach promotes consistent analyst workflows, reduces duplicated automation logic, and ensures that containment and recovery actions follow a predictable process.\n\nThe playbooks in this pack are designed to operate on standardized artifacts and actions provided by the SOC Framework Core pack. Vendor-specific commands are abstracted through framework actions, allowing the same incident response logic to operate across different security products and environments.", "support": "xsoar", - "currentVersion": "1.1.0", + "currentVersion": "1.2.0", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/soc-framework-nist-ir/xsoar_config.json b/Packs/soc-framework-nist-ir/xsoar_config.json index f28f9bf7..d8b249f6 100644 --- a/Packs/soc-framework-nist-ir/xsoar_config.json +++ b/Packs/soc-framework-nist-ir/xsoar_config.json 
@@ -1,8 +1,8 @@ { "custom_packs": [ { - "id": "soc-framework-nist-ir-v1.1.0.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.1.0/soc-framework-nist-ir-v1.1.0.zip", + "id": "soc-framework-nist-ir-v1.2.0.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.2.0/soc-framework-nist-ir-v1.2.0.zip", "system": "yes" } ], diff --git a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py index bb4e3152..36705e58 100644 --- a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py +++ b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py @@ -647,6 +647,15 @@ def main(): failed, error_msg = integration_failed(result) if failed: + # Check for error 23 — integration not installed or not enabled in this tenant. + # Soft-fail so the playbook can continue in degraded mode rather than halting + # the entire lifecycle. Shadow mode never reaches this path (vendor command is + # suppressed), so this check is execute-only by construction. + integration_unavailable = ( + "Unsupported Command" in (error_msg or "") + or "(23)" in (error_msg or "") + ) + record = { "run_id": run_id, "action": action, @@ -672,12 +681,12 @@ def main(): "action": action, "vendor": vendor, "command": command, - "action_status": "failed", + "action_status": "integration_unavailable" if integration_unavailable else "failed", "action_actor": normalize_action_actor(args.get("Action_Actor"), False), "execution_mode": "production", "shadow_mode_state": "not_applicable", "has_error": True, - "error_type": "command_execution", + "error_type": "integration_unavailable" if integration_unavailable else "command_execution", "error_message": error_msg } 
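Review bot: The substring test `"(23)" in (error_msg or "")` in the new `integration_unavailable` block is a loose match — any vendor error text that happens to contain "(23)" (a count, a status code, part of an HTTP body) would be reclassified from `failed` to `integration_unavailable` and, per the later hunk, soft-failed instead of raised, so a genuinely failed containment or eradication command could be reported as degraded mode while the playbook carries on. If the platform's error text has a stable shape for error 23, match that shape (a regex on the full message) rather than a bare parenthesised number, or at least require both markers, and hoist the repeated `(error_msg or "")` into a local: `msg = error_msg or ""` followed by `integration_unavailable = "Unsupported Command" in msg or "(23)" in msg`. The `@@ -672,12 +681,12 @@` hunk derives `action_status` and `error_type` from the same flag, so it inherits whatever this classification gets wrong. The enclosing `main()` body starts and ends outside both hunks.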
@@ -690,6 +699,29 @@ def main():
 tags
 )
+ if integration_unavailable:
+ # Null out UC.* output keys so downstream conditions evaluate cleanly
+ # (missing key → default/blocked path) rather than raising errors
+ output_map = vendor_data.get("output_map", {})
+ for dest_key in (output_map or {}).keys():
+ demisto.setContext(dest_key, None)
+
+ return_warning(
+ f"[SOCCommandWrapper] Integration not available for action '{action}'. "
+ f"Command: {command}. "
+ f"Install and configure the required integration to enable this action."
+ )
+ return_results(CommandResults(
+ readable_output=(
+ f"⚠️ Integration unavailable: `{command}`\n\n"
+ f"Action `{action}` requires an integration that is not installed or enabled. "
+ f"Playbook continues in degraded mode."
+ ),
+ outputs_prefix="UC",
+ outputs={"action": action, "status": "integration_unavailable", "command": command}
+ ))
+ return
+
 return_error(error_msg)
 record = {
diff --git a/pack_catalog.json b/pack_catalog.json
index b5dbbadd..7765410d 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -76,7 +76,7 @@
 "id": "soc-framework-nist-ir",
 "display_name": "SOC Framework NIST IR (800-61)",
 "category": "Utility",
- "version": "1.1.0",
+ "version": "1.2.0",
 "path": "Packs/soc-framework-nist-ir",
 "visible": false,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-nist-ir/xsoar_config.json"
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOCFramework_AIVerdictSummary.py b/tools/SOCFramework_AIVerdictSummary.py
similarity index 100%
rename from Packs/soc-framework-nist-ir/Playbooks/SOCFramework_AIVerdictSummary.py
rename to tools/SOCFramework_AIVerdictSummary.py
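Review bot: `demisto.setContext(dest_key, None)` in the new degraded-mode branch may store a null value rather than remove the key, so the comment's claim that downstream conditions see a "missing key" holds only if those conditions treat null and absent alike — worth confirming, and the comment could state that dependency: `# Write None to each mapped UC.* key; downstream conditions must treat null like missing and take their default/blocked path`. Playbook tasks that gate containment or recovery steps would be more robust keying on the explicit `UC.status == "integration_unavailable"` output this block emits than on the absence of vendor fields. `vendor_data` is referenced here but defined outside the hunk, and `main()` continues past it.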
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOCFramework_IdentityScoreAnalysis.py b/tools/SOCFramework_IdentityScoreAnalysis.py
similarity index 100%
rename from Packs/soc-framework-nist-ir/Playbooks/SOCFramework_IdentityScoreAnalysis.py
rename to tools/SOCFramework_IdentityScoreAnalysis.py
