From bc9090fe93604f19fab9c09a726f041f6926213e Mon Sep 17 00:00:00 2001 
From: scottbrumley Date: Fri, 20 Mar 2026 07:48:43 -0400 Subject: [PATCH 1/3] Commit: Email security playbook fixes + test harness Bug fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SOC_Email_Verdict_Resolution_V3 — Fixed OR/AND condition logic on tasks 9 (DBot override) and 14 (response recommendation routing) SOC_Email_Exposure_Evaluation_V3 — Replaced unsupported if-then-else transformer with condition+set pattern; fixed missing id/name underscore; added UUIDs and canvas layout SOC_Email_Signal_Characterization_V3 — Fixed continueonerrortype: errorPath on domain prevalence check that was halting EP_IR_NIST; fixed gate task UUIDs and canvas positions; corrected SenderIP input binding SOC_Email_IOC_Enrichment_V3 / SOC_Email_Forensics_Evaluation_V3 — Gate task UUID and canvas fixes SOC_Identity_Analysis/Eradication/Recovery_V3 — Replaced human-readable taskids with valid UUIDs SOC_EndPoint_Eradication_V3 — Shifted negative canvas positions All playbooks — Cleared dirtyInputs SOCCommandWrapper — Soft-fail on integration not installed (error 23); logs to dataset as integration_unavailable, nulls UC output keys, emits warroom warning, playbook continues tools/ — Added test_playbooks.py + playbook_simulator.py + fixtures. 69 tests covering Email (unit + e2e), Endpoint, Identity. 
Run before upload: python3 tools/test_playbooks.py --category all --suite all --- .../SOC Trend Micro Vision One V3.yml | 134 +- .../SOCTrendMicroVisionOneModelingRules.yml | 3 +- ...endMicroVisionOneModelingRules_schema.json | 962 ++++----- .../pack_metadata.json | 60 +- .../Playbooks/EP_IR_NIST_(800-61).yml | 2 +- .../Playbooks/SOC_Analysis_Evaluation_V3.yml | 886 ++++----- .../Playbooks/SOC_Analysis_V3.yml | 414 ++-- .../SOC_Containment_Evaluation_V3.yml | 215 +- .../Playbooks/SOC_Containment_V3.yml | 69 +- .../Playbooks/SOC_Data_Analysis_V3.yml | 89 +- .../Playbooks/SOC_Data_Containment_V3.yml | 2 +- .../Playbooks/SOC_Data_Eradication_V3.yml | 2 +- .../Playbooks/SOC_Data_Recovery_V3.yml | 2 +- .../Playbooks/SOC_Email_Analysis_V3.yml | 4 +- .../SOC_Email_Exposure_Evaluation_V3.yml | 913 ++++++--- .../SOC_Email_Forensics_Evaluation_V3.yml | 113 +- .../Playbooks/SOC_Email_IOC_Enrichment_V3.yml | 184 +- .../SOC_Email_Signal_Characterization_V3.yml | 580 +++--- .../SOC_Email_Verdict_Resolution_V3.yml | 65 +- .../Playbooks/SOC_EndPoint_Analysis_V3.yml | 621 +++--- .../Playbooks/SOC_EndPoint_Eradication_V3.yml | 90 +- .../Playbooks/SOC_EndPoint_Recovery_V3.yml | 2 +- .../SOC_EndPoint_Spread_Evaluation_V3.yml | 2 +- .../SOC_Endpoint_Compromise_Evaluation_V3.yml | 1721 ++++++++--------- .../Playbooks/SOC_Endpoint_Containment_V3.yml | 2 +- ...OC_Endpoint_Signal_Characterization_V3.yml | 277 +-- .../SOC_Endpoint_Verdict_Resolution_V3.yml | 71 +- .../Playbooks/SOC_Eradication_V3.yml | 2 +- .../Playbooks/SOC_Identity_Analysis_V3.yml | 757 +++----- .../Playbooks/SOC_Identity_Containment_V3.yml | 2 +- .../Playbooks/SOC_Identity_Eradication_V3.yml | 66 +- .../Playbooks/SOC_Identity_Recovery_V3.yml | 50 +- ...OC_Initialize_Investigation_Context_V3.yml | 245 +-- .../Playbooks/SOC_NIST_IR_(800-61)_V3.yml | 56 +- .../Playbooks/SOC_Network_Analysis_V3.yml | 91 +- .../Playbooks/SOC_Network_Containment_V3.yml | 2 +- .../Playbooks/SOC_Network_Eradication_V3.yml | 2 +- 
.../Playbooks/SOC_Network_Recovery_V3.yml | 2 +-
.../Playbooks/SOC_Recovery_V3.yml | 2 +-
.../Playbooks/SOC_SaaS_Analysis_V3.yml | 91 +-
.../Playbooks/SOC_SaaS_Containment_V3.yml | 2 +-
.../Playbooks/SOC_SaaS_Eradication_V3.yml | 2 +-
.../Playbooks/SOC_SaaS_Recovery_V3.yml | 2 +-
.../Playbooks/SOC_Workload_Analysis_V3.yml | 91 +-
.../Playbooks/SOC_Workload_Containment_V3.yml | 2 +-
.../Playbooks/SOC_Workload_Eradication_V3.yml | 2 +-
.../Playbooks/SOC_Workload_Recovery_V3.yml | 2 +-
.../soc-framework-nist-ir/pack_metadata.json | 2 +-
Packs/soc-framework-nist-ir/xsoar_config.json | 4 +-
.../SOCCommandWrapper/SOCCommandWrapper.py | 36 +-
pack_catalog.json | 2 +-
.../SOCFramework_AIVerdictSummary.py | 0
.../SOCFramework_IdentityScoreAnalysis.py | 0
53 files changed, 4122 insertions(+), 4878 deletions(-)
rename {Packs/soc-framework-nist-ir/Playbooks => tools}/SOCFramework_AIVerdictSummary.py (100%)
rename {Packs/soc-framework-nist-ir/Playbooks => tools}/SOCFramework_IdentityScoreAnalysis.py (100%)
diff --git a/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml b/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml
index d30d3001..f2200391 100644
--- a/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml
+++ b/Packs/SocFrameworkTrendMicroVisionOne/CorrelationRules/SOC Trend Micro Vision One V3.yml
@@ -38,10 +38,10 @@ alert_fields:
 trendmicrovisiononexdrpriorityscore: score
 userid: user_id
 alert_name: Trend Micro - $alert_name
-alert_type: null
-crontab: null
+alert_type:
+crontab:
 dataset: alerts
-description: null
+description:
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
 global_rule_id: SOC Trend Micro Vision One V3
@@ -52,126 +52,14 @@ mapping_strategy: CUSTOM mitre_defs: {} name: SOC Trend Micro Vision One V3 rule_id: 0 -search_window: null +search_window: severity: User Defined -simple_schedule: null -suppression_duration: null +simple_schedule: +suppression_duration: suppression_enabled: false -suppression_fields: null -timezone: null -user_defined_category: null +suppression_fields: +timezone: +user_defined_category: user_defined_severity: severity -xql_query: "dataset = trend_micro_vision_one_v3_generic_alert_raw\n| filter alert_provider\ - \ = \"SAE\"\n\n| alter j = _alert_data -> raw_json\n\n/* --- MITRE technique (cheap)\ - \ --- */\n| alter j_str = to_string(j)\n| alter mitre_technique_id_raw =\n json_extract_scalar(j_str,\ - \ \"$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]\")\n| alter j_str\ - \ = null\n\n| alter mitre_ids_str =\n if(\n mitre_technique_id_raw != null\ - \ and mitre_technique_id_raw != \"\",\n replace(replace(mitre_technique_id_raw,\ - \ \"\\\"\",\"\"), \"\\\\.[0-9]+$\",\"\"),\n \"\u2014\"\n )\n| alter mitre_ids_str\ - \ =\n if(mitre_ids_str contains \".\", arrayindex(regextract(mitre_ids_str, \"\ - (.*)\\.\"), 0), mitre_ids_str)\n\n/* --- MITRE Tactics Arrays ---- */\n| alter ta0043_reconnaissance\ - \ = arraycreate(\"T1590\",\"T1591\",\"T1592\",\"T1593\",\"T1594\",\"T1595\"\ - ,\"T1596\",\"T1597\",\"T1598\",\"T1599\")\n| alter ta0042_resource_development =\ - \ arraycreate(\"T1583\",\"T1584\",\"T1585\",\"T1586\",\"T1587\",\"T1650\")\n| alter\ - \ ta0001_initial_access = arraycreate(\"T1078\",\"T1189\",\"T1190\",\"T1195\"\ - ,\"T1133\",\"T1200\",\"T1566\",\"T1091\")\n| alter ta0002_execution =\ - \ arraycreate(\"T1059\",\"T1106\",\"T1047\",\"T1203\",\"T1129\",\"T1559\")\n| alter\ - \ ta0003_persistence = arraycreate(\"T1547\",\"T1543\",\"T1136\",\"T1505\"\ - ,\"T1053\",\"T1078\")\n| alter ta0004_privilege_escalation = arraycreate(\"T1548\"\ - ,\"T1068\",\"T1078\",\"T1055\",\"T1134\")\n| alter ta0005_defense_evasion =\ - \ 
arraycreate(\"T1027\",\"T1070\",\"T1218\",\"T1140\",\"T1562\",\"T1036\",\"T1055\"\ - )\n| alter ta0006_credential_access = arraycreate(\"T1003\",\"T1555\",\"T1552\"\ - ,\"T1110\",\"T1621\")\n| alter ta0007_discovery = arraycreate(\"T1082\"\ - ,\"T1083\",\"T1046\",\"T1057\",\"T1016\",\"T1049\",\"T1033\")\n| alter ta0008_lateral_movement\ - \ = arraycreate(\"T1021\",\"T1210\",\"T1091\",\"T1072\")\n| alter ta0009_collection\ - \ = arraycreate(\"T1005\",\"T1039\",\"T1113\",\"T1114\",\"T1115\")\n|\ - \ alter ta0011_command_and_control = arraycreate(\"T1071\",\"T1095\",\"T1105\"\ - ,\"T1571\",\"T1572\",\"T1041\")\n| alter ta0010_exfiltration = arraycreate(\"\ - T1041\",\"T1567\",\"T1020\")\n| alter ta0040_impact = arraycreate(\"\ - T1485\",\"T1486\",\"T1490\",\"T1499\",\"T1561\")\n\n/* --- Match Tactic Name + ID\ - \ --- */\n| alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, \"Impact\"\ - )\n| alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, \"Exfiltration\"\ - , mitre_tactic)\n| alter mitre_tactic = if (ta0011_command_and_control contains\ - \ mitre_ids_str, \"Command and Control\", mitre_tactic)\n| alter mitre_tactic =\ - \ if (ta0009_collection contains mitre_ids_str, \"Collection\", mitre_tactic)\n\ - | alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, \"Lateral\ - \ Movement\", mitre_tactic)\n| alter mitre_tactic = if (ta0007_discovery contains\ - \ mitre_ids_str, \"Discovery\", mitre_tactic)\n| alter mitre_tactic = if (ta0006_credential_access\ - \ contains mitre_ids_str, \"Credential Access\", mitre_tactic)\n| alter mitre_tactic\ - \ = if (ta0005_defense_evasion contains mitre_ids_str, \"Defense Evasion\", mitre_tactic)\n\ - | alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, \"\ - Privilege Escalation\", mitre_tactic)\n| alter mitre_tactic = if (ta0003_persistence\ - \ contains mitre_ids_str, \"Persistence\", mitre_tactic)\n| alter mitre_tactic =\ - \ if (ta0002_execution contains 
mitre_ids_str, \"Execution\", mitre_tactic)\n| alter\ - \ mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, \"Initial Access\"\ - , mitre_tactic)\n| alter mitre_tactic = if (ta0042_resource_development contains\ - \ mitre_ids_str, \"Resource Development\", mitre_tactic)\n| alter mitre_tactic =\ - \ if (ta0043_reconnaissance contains mitre_ids_str, \"Reconnaissance\", mitre_tactic)\n\ - \n| alter mitre_tactic_id = if (ta0040_impact contains mitre_ids_str, \"TA0040\"\ - )\n| alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, \"\ - TA0010\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0011_command_and_control\ - \ contains mitre_ids_str, \"TA0011\", mitre_tactic_id)\n| alter mitre_tactic_id\ - \ = if (ta0009_collection contains mitre_ids_str, \"TA0009\", mitre_tactic_id)\n\ - | alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, \"\ - TA0008\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0007_discovery contains\ - \ mitre_ids_str, \"TA0007\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0006_credential_access\ - \ contains mitre_ids_str, \"TA0006\", mitre_tactic_id)\n| alter mitre_tactic_id\ - \ = if (ta0005_defense_evasion contains mitre_ids_str, \"TA0005\", mitre_tactic_id)\n\ - | alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str,\ - \ \"TA0004\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0003_persistence\ - \ contains mitre_ids_str, \"TA0003\", mitre_tactic_id)\n| alter mitre_tactic_id\ - \ = if (ta0002_execution contains mitre_ids_str, \"TA0002\", mitre_tactic_id)\n\ - | alter mitre_tactic_id = if (ta0001_initial_access contains mitre_ids_str, \"TA0001\"\ - , mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0042_resource_development contains\ - \ mitre_ids_str, \"TA0042\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0043_reconnaissance\ - \ contains mitre_ids_str, \"TA0043\", mitre_tactic_id)\n\n/* ---- Split Anchor (required)\ - \ ---- */\n| 
alter\n mitre_technique_id = mitre_ids_str,\n mitre_technique\ - \ = null,\n mitre_tactic_id = mitre_tactic_id,\n mitre_tactic \ - \ = mitre_tactic\n\n/* ---- Core metadata (keep legacy field names you mapped) ----\ - \ */\n| alter\n id = j -> id,\n status = j\ - \ -> status,\n investigation_status = j -> investigation_status,\n investigation_result\ - \ = j -> investigation_result,\n workbench_link = j -> workbench_link,\n\ - \ alert_provider = j -> alert_provider,\n alert_name = j ->\ - \ model,\n score = to_integer(j -> score),\n severity \ - \ = j -> severity,\n alert_time = j -> created_date_time,\n\ - \ alert_description = j -> description,\n alert_source = coalesce(j\ - \ -> alert_provider, \"Trend Micro Vision One\"),\n indicators = j\ - \ -> indicators[]\n\n/* ---- FAST indicator extraction (no arraymap/indexof) ----\ - \ */\n/* host */\n| alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ - @element\",\"$.type\") = \"host\"), 0)\n| alter\n v1_host_guid = json_extract_scalar(i_host,\ - \ \"$.value.guid\"),\n v1_host_name = json_extract_scalar(i_host, \"$.value.name\"\ - ),\n local_ip = replace(json_extract_scalar(i_host, \"$.value.ips[0]\"),\ - \ \"\\\"\", \"\")\n\n/* mac (host indicator value has multiple possibilities in\ - \ some feeds; keep best-effort) */\n| alter mac_address =\n coalesce(\n \ - \ json_extract_scalar(i_host, \"$.value.mac\"),\n json_extract_scalar(i_host,\ - \ \"$.value.mac_address\"),\n json_extract_scalar(i_host, \"$.value.macs[0]\"\ - ),\n json_extract_scalar(i_host, \"$.value.macAddresses[0]\")\n )\n\n/*\ - \ user */\n| alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ - @element\",\"$.type\") = \"user_account\"), 0)\n| alter\n user_name = json_extract_scalar(i_user,\ - \ \"$.value\"),\n user_id = null\n\n/* cmdline */\n| alter i_cmd1 = arrayindex(arrayfilter(indicators,\ - \ json_extract_scalar(\"@element\",\"$.type\") = \"command_line\"), 0)\n| alter\ - \ i_cmd2 = 
arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ - $.field\") = \"processCmd\"), 0)\n| alter cmdline = coalesce(json_extract_scalar(i_cmd1,\ - \ \"$.value\"), json_extract_scalar(i_cmd2, \"$.value\"))\n\n/* sha256 (main) */\n\ - | alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\"\ - ,\"$.type\") = \"file_sha256\"), 0)\n| alter sha256 = json_extract_scalar(i_sha,\ - \ \"$.value\")\n\n/* remote ip + domain */\n| alter i_peer = arrayindex(arrayfilter(indicators,\ - \ json_extract_scalar(\"@element\",\"$.field\") = \"peerIp\"), 0)\n| alter remote_ip_str\ - \ = json_extract_scalar(i_peer, \"$.value\")\n\n| alter i_dom = arrayindex(arrayfilter(indicators,\ - \ json_extract_scalar(\"@element\",\"$.field\") = \"domain\"), 0)\n| alter domain\ - \ = json_extract_scalar(i_dom, \"$.value\")\n\n/* parent process path */\n| alter\ - \ i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"\ - $.field\") = \"parentFilePath\"), 0)\n| alter parent_process_path = json_extract_scalar(i_pfp,\ - \ \"$.value\")\n| alter parent_process_name = replace(parent_process_path, \"^.*[\\\ - \\\\\\/]\", \"\")\n\n/* filepath / filename (from registry object or cmdline fallback)\ - \ */\n| alter i_reg = arrayindex(arrayfilter(indicators, json_extract_scalar(\"\ - @element\",\"$.field\") = \"objectRegistryData\"), 0)\n| alter reg_path = json_extract_scalar(i_reg,\ - \ \"$.value\")\n\n| alter filepath =\n coalesce(\n reg_path,\n arrayindex(regextract(cmdline,\ - \ \"^\\\\s*([^\\\\s]+)\"), 0)\n )\n| alter filename = replace(filepath, \"^.*[\\\ - \\\\\\/]\", \"\")\n\n/* convenience */\n| alter ioc_value = coalesce(sha256, null)\n\ - \n| fields\n id, workbench_link, alert_name, alert_source, status,\n investigation_status,\ - \ investigation_result,\n score, severity, alert_time, alert_description,\n \ - \ v1_host_guid, v1_host_name, local_ip, mac_address,\n user_name, user_id,\n\ - \ filename, filepath, parent_process_path, 
parent_process_name, cmdline,\n \ - \ sha256, ioc_value, domain, remote_ip_str,\n mitre_technique, mitre_technique_id,\ - \ mitre_tactic, mitre_tactic_id, mitre_ids_str\n" +xql_query: "dataset = trend_micro_vision_one_v3_generic_alert_raw\n| filter alert_provider = \"SAE\"\n\n| alter j = _alert_data -> raw_json\n\n/* --- MITRE technique (cheap) --- */\n| alter j_str = to_string(j)\n| alter mitre_technique_id_raw =\n json_extract_scalar(j_str, \"$.matched_rules[0].matched_filters[0].mitre_technique_ids[0]\")\n| alter j_str = null\n\n| alter mitre_ids_str =\n if(\n mitre_technique_id_raw != null and mitre_technique_id_raw != \"\",\n replace(replace(mitre_technique_id_raw, \"\\\"\",\"\"), \"\\\\.[0-9]+$\",\"\"),\n \"—\"\n )\n| alter mitre_ids_str =\n if(mitre_ids_str contains \".\", arrayindex(regextract(mitre_ids_str, \"(.*)\\.\"), 0), mitre_ids_str)\n\n/* --- MITRE Tactics Arrays ---- */\n| alter ta0043_reconnaissance = arraycreate(\"T1590\",\"T1591\",\"T1592\",\"T1593\",\"T1594\",\"T1595\",\"T1596\",\"T1597\",\"T1598\",\"T1599\")\n| alter ta0042_resource_development = arraycreate(\"T1583\",\"T1584\",\"T1585\",\"T1586\",\"T1587\",\"T1650\")\n| alter ta0001_initial_access = arraycreate(\"T1078\",\"T1189\",\"T1190\",\"T1195\",\"T1133\",\"T1200\",\"T1566\",\"T1091\")\n| alter ta0002_execution = arraycreate(\"T1059\",\"T1106\",\"T1047\",\"T1203\",\"T1129\",\"T1559\")\n| alter ta0003_persistence = arraycreate(\"T1547\",\"T1543\",\"T1136\",\"T1505\",\"T1053\",\"T1078\")\n| alter ta0004_privilege_escalation = arraycreate(\"T1548\",\"T1068\",\"T1078\",\"T1055\",\"T1134\")\n| alter ta0005_defense_evasion = arraycreate(\"T1027\",\"T1070\",\"T1218\",\"T1140\",\"T1562\",\"T1036\",\"T1055\")\n| alter ta0006_credential_access = arraycreate(\"T1003\",\"T1555\",\"T1552\",\"T1110\",\"T1621\")\n| alter ta0007_discovery = arraycreate(\"T1082\",\"T1083\",\"T1046\",\"T1057\",\"T1016\",\"T1049\",\"T1033\")\n| alter ta0008_lateral_movement = 
arraycreate(\"T1021\",\"T1210\",\"T1091\",\"T1072\")\n| alter ta0009_collection = arraycreate(\"T1005\",\"T1039\",\"T1113\",\"T1114\",\"T1115\")\n| alter ta0011_command_and_control = arraycreate(\"T1071\",\"T1095\",\"T1105\",\"T1571\",\"T1572\",\"T1041\")\n| alter ta0010_exfiltration = arraycreate(\"T1041\",\"T1567\",\"T1020\")\n| alter ta0040_impact = arraycreate(\"T1485\",\"T1486\",\"T1490\",\"T1499\",\"T1561\")\n\n/* --- Match Tactic Name + ID --- */\n| alter mitre_tactic = if (ta0040_impact contains mitre_ids_str, \"Impact\")\n| alter mitre_tactic = if (ta0010_exfiltration contains mitre_ids_str, \"Exfiltration\", mitre_tactic)\n| alter mitre_tactic = if (ta0011_command_and_control contains mitre_ids_str, \"Command and Control\", mitre_tactic)\n| alter mitre_tactic = if (ta0009_collection contains mitre_ids_str, \"Collection\", mitre_tactic)\n| alter mitre_tactic = if (ta0008_lateral_movement contains mitre_ids_str, \"Lateral Movement\", mitre_tactic)\n| alter mitre_tactic = if (ta0007_discovery contains mitre_ids_str, \"Discovery\", mitre_tactic)\n| alter mitre_tactic = if (ta0006_credential_access contains mitre_ids_str, \"Credential Access\", mitre_tactic)\n| alter mitre_tactic = if (ta0005_defense_evasion contains mitre_ids_str, \"Defense Evasion\", mitre_tactic)\n| alter mitre_tactic = if (ta0004_privilege_escalation contains mitre_ids_str, \"Privilege Escalation\", mitre_tactic)\n| alter mitre_tactic = if (ta0003_persistence contains mitre_ids_str, \"Persistence\", mitre_tactic)\n| alter mitre_tactic = if (ta0002_execution contains mitre_ids_str, \"Execution\", mitre_tactic)\n| alter mitre_tactic = if (ta0001_initial_access contains mitre_ids_str, \"Initial Access\", mitre_tactic)\n| alter mitre_tactic = if (ta0042_resource_development contains mitre_ids_str, \"Resource Development\", mitre_tactic)\n| alter mitre_tactic = if (ta0043_reconnaissance contains mitre_ids_str, \"Reconnaissance\", mitre_tactic)\n\n| alter mitre_tactic_id = if (ta0040_impact 
contains mitre_ids_str, \"TA0040\")\n| alter mitre_tactic_id = if (ta0010_exfiltration contains mitre_ids_str, \"TA0010\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0011_command_and_control contains mitre_ids_str, \"TA0011\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0009_collection contains mitre_ids_str, \"TA0009\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0008_lateral_movement contains mitre_ids_str, \"TA0008\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0007_discovery contains mitre_ids_str, \"TA0007\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0006_credential_access contains mitre_ids_str, \"TA0006\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0005_defense_evasion contains mitre_ids_str, \"TA0005\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0004_privilege_escalation contains mitre_ids_str, \"TA0004\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0003_persistence contains mitre_ids_str, \"TA0003\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0002_execution contains mitre_ids_str, \"TA0002\", mitre_tactic_id)\n| alter mitre_tactic_id + = if (ta0001_initial_access contains mitre_ids_str, \"TA0001\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0042_resource_development contains mitre_ids_str, \"TA0042\", mitre_tactic_id)\n| alter mitre_tactic_id = if (ta0043_reconnaissance contains mitre_ids_str, \"TA0043\", mitre_tactic_id)\n\n/* ---- Split Anchor (required) ---- */\n| alter\n mitre_technique_id = mitre_ids_str,\n mitre_technique = null,\n mitre_tactic_id = mitre_tactic_id,\n mitre_tactic = mitre_tactic\n\n/* ---- Core metadata (keep legacy field names you mapped) ---- */\n| alter\n id = j -> id,\n status = j -> status,\n investigation_status = j -> investigation_status,\n investigation_result = j -> investigation_result,\n workbench_link = j -> workbench_link,\n alert_provider = j -> alert_provider,\n alert_name = j -> model,\n score = to_integer(j -> score),\n severity = j -> severity,\n 
alert_time = j -> created_date_time,\n alert_description = j -> description,\n alert_source = coalesce(j -> alert_provider, \"Trend Micro Vision One\"),\n indicators = j -> indicators[]\n\n/* ---- FAST indicator extraction (no arraymap/indexof) ---- */\n/* host */\n| alter i_host = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"host\"), 0)\n| alter\n v1_host_guid = json_extract_scalar(i_host, \"$.value.guid\"),\n v1_host_name = json_extract_scalar(i_host, \"$.value.name\"),\n local_ip = replace(json_extract_scalar(i_host, \"$.value.ips[0]\"), \"\\\"\", \"\")\n\n/* mac (host indicator value has multiple possibilities in some feeds; keep best-effort) */\n| alter mac_address =\n coalesce(\n json_extract_scalar(i_host, \"$.value.mac\"),\n json_extract_scalar(i_host, \"$.value.mac_address\"),\n json_extract_scalar(i_host, \"$.value.macs[0]\"),\n json_extract_scalar(i_host, \"$.value.macAddresses[0]\")\n )\n\n/* user */\n| alter i_user = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"user_account\"), 0)\n| alter\n user_name = json_extract_scalar(i_user, \"$.value\"),\n user_id = null\n\n/* cmdline */\n| alter i_cmd1 = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"command_line\"), 0)\n| alter i_cmd2 = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"processCmd\"), 0)\n| alter cmdline = coalesce(json_extract_scalar(i_cmd1, \"$.value\"), json_extract_scalar(i_cmd2, \"$.value\"))\n\n/* sha256 (main) */\n| alter i_sha = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.type\") = \"file_sha256\"), 0)\n| alter sha256 = json_extract_scalar(i_sha, \"$.value\")\n\n/* remote ip + domain */\n| alter i_peer = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"peerIp\"), 0)\n| alter remote_ip_str = json_extract_scalar(i_peer, \"$.value\")\n\n| alter i_dom = 
arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"domain\"), 0)\n| alter domain = json_extract_scalar(i_dom, \"$.value\")\n\n/* parent process path */\n| alter i_pfp = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"parentFilePath\"), 0)\n| alter parent_process_path = json_extract_scalar(i_pfp, \"$.value\")\n| alter parent_process_name = replace(parent_process_path, \"^.*[\\\\\\\\/]\", \"\")\n\n/* filepath / filename (from registry object or cmdline fallback) */\n| alter i_reg = arrayindex(arrayfilter(indicators, json_extract_scalar(\"@element\",\"$.field\") = \"objectRegistryData\"), 0)\n| alter reg_path = json_extract_scalar(i_reg, \"$.value\")\n\n| alter filepath =\n coalesce(\n reg_path,\n arrayindex(regextract(cmdline, \"^\\\\s*([^\\\\s]+)\"), 0)\n )\n| alter filename = replace(filepath, \"^.*[\\\\\\\\/]\", \"\")\n\n/* convenience */\n| alter ioc_value = coalesce(sha256, null)\n\n| fields\n id, workbench_link, alert_name, alert_source, status,\n investigation_status, investigation_result,\n score, severity, alert_time, alert_description,\n v1_host_guid, v1_host_name, local_ip, mac_address,\n user_name, user_id,\n filename, filepath, parent_process_path, parent_process_name, cmdline,\n sha256, ioc_value, domain, remote_ip_str,\n mitre_technique, mitre_technique_id, mitre_tactic, mitre_tactic_id, mitre_ids_str\n" diff --git a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml index 6a98bdf9..f35956cf 100644 --- a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml +++ b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules.yml 
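Review bot: The `filepath` fallback in the rewritten xql_query, `arrayindex(regextract(cmdline, "^\\s*([^\\s]+)"), 0)`, takes the first whitespace-delimited token of the command line, so a quoted executable path containing spaces (the usual Windows case, `"C:\Program Files\Vendor\tool.exe" /arg`) produces a truncated `filepath` and a `filename` of `"C:\Program`; because `filename`/`filepath` are emitted in the final `fields` list and are what downstream playbooks pivot on, I would try a quoted-path extraction first by adding `arrayindex(regextract(cmdline, "^\\s*\"([^\"]+)\""), 0),` as the second `coalesce` argument ahead of the existing unquoted fallback (escaped twice inside the YAML string, as the neighbouring patterns are). Separately, several technique IDs sit in more than one tactic array (T1078, T1055, T1091, T1041) and the chain of `if(..., mitre_tactic)` / `if(..., mitre_tactic_id)` assignments lets the last matching one win, so for example T1041 always resolves to TA0011 and T1078 always to TA0001 regardless of what the alert's matched filter actually represented; whether that precedence is intended should be checked and, either way, stated in the `/* --- Match Tactic Name + ID --- */` comment. Both points pre-date this hunk, which only reflows the folded YAML string onto one line, but the reflowed query is now the reviewed side.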
@@ -1,6 +1,5 @@
 fromversion: 8.3.1
-adopted: true
 id: SOC_TrendMicro_VisionOne_ModelingRule
 name: SOC TrendMicro VisionOne Modeling Rule
 rules: ''
-schema: ''
\ No newline at end of file
+schema: ''
diff --git a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json
index 1b3fd740..d8a8ab18 100644
--- a/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json
+++ b/Packs/SocFrameworkTrendMicroVisionOne/ModelingRules/SOCTrendMicroVisionOneModelingRules/SOCTrendMicroVisionOneModelingRules_schema.json
@@ -1,484 +1,484 @@ { - "trend_micro_vision_one_v3_generic_alert_raw": { - "alert_provider": { - "type": "string", - "is_array": false - }, - "impact_scope": { - "type": "json", - "is_array": false - }, - "indicators": { - "type": "json", - "is_array": false - }, - "matched_rules": { - "type": "json", - "is_array": false - }, - "_raw_json": { - "type": "json", - "is_array": false - }, - "id": { - "type": "string", - "is_array": false - }, - "model": { - "type": "string", - "is_array": false - }, - "model_type": { - "type": "string", - "is_array": false - }, - "severity": { - "type": "string", - "is_array": false - }, - "status": { - "type": "string", - "is_array": false - }, - "investigation_status": { - "type": "string", - "is_array": false - }, - "investigation_result": { - "type": "string", - "is_array": false - }, - "description": { - "type": "string", - "is_array": false - }, - "workbench_link": { - "type": "string", - "is_array": false - }, - "score": { - "type": "string", - "is_array": false - }, - "Entities": { - "type": "string", - "is_array": false - }, - "Indicators": { - "type": "string", - "is_array": false - }, - "Rules": { - "type": "string", - "is_array": false - }, - "action": { - "type": "string", - "is_array": false - }, - "agent": { - "type": "string", - "is_array": false - }, - "alert": { - "type": "string", - "is_array": false - }, - "application": { - "type": "string", - "is_array": false - }, - "application_protocol": { - "type": "string", - "is_array": false - }, - "application_protocol_category": { - "type": "string", - "is_array": false - }, - "command_line": { - "type": "string", - "is_array": false - }, - "contains": { - "type": "string", - "is_array": false - }, - "content_version": { - "type": "string", - "is_array": false - }, - "dataset": { - "type": "string", - "is_array": false - }, - "device_id": { - "type": "string", - "is_array": false - }, - "domain": { - "type": "string", - "is_array": false - }, - 
"entityIdsAccountIdentifier": { - "type": "string", - "is_array": false - }, - "entityIdsDeviceId": { - "type": "string", - "is_array": false - }, - "entityIdsEmailIdentifier": { - "type": "string", - "is_array": false - }, - "entityValueGuidsHostname": { - "type": "string", - "is_array": false - }, - "entityValueGuidsUpn": { - "type": "string", - "is_array": false - }, - "entityValueGuidsUserName": { - "type": "string", - "is_array": false - }, - "entityValueIps": { - "type": "string", - "is_array": false - }, - "entityValueNamesHostName": { - "type": "string", - "is_array": false - }, - "entityValueNamesUpn": { - "type": "string", - "is_array": false - }, - "entityValueNamesUserName": { - "type": "string", - "is_array": false - }, - "entityValuesUserName": { - "type": "string", - "is_array": false - }, - "event": { - "type": "string", - "is_array": false - }, - "executable": { - "type": "string", - "is_array": false - }, - "extract_source_ipv4": { - "type": "string", - "is_array": false - }, - "extract_source_ipv6": { - "type": "string", - "is_array": false - }, - "extract_target_ip": { - "type": "string", - "is_array": false - }, - "file": { - "type": "string", - "is_array": false - }, - "file_before": { - "type": "string", - "is_array": false - }, - "file_type": { - "type": "string", - "is_array": false - }, - "filename": { - "type": "string", - "is_array": false - }, - "host": { - "type": "string", - "is_array": false - }, - "hostname": { - "type": "string", - "is_array": false - }, - "http": { - "type": "string", - "is_array": false - }, - "identifier": { - "type": "string", - "is_array": false - }, - "identityType": { - "type": "string", - "is_array": false - }, - "identity_type": { - "type": "string", - "is_array": false - }, - "indicatorsValuesCommandLine": { - "type": "string", - "is_array": false - }, - "indicatorsValuesExecPath": { - "type": "string", - "is_array": false - }, - "indicatorsValuesHostname": { - "type": "string", - "is_array": false - }, - 
"indicatorsValuesProcessId": { - "type": "string", - "is_array": false - }, - "indicatorsValuesProcessName": { - "type": "string", - "is_array": false - }, - "indicatorsValuesRegistryKey": { - "type": "string", - "is_array": false - }, - "indicatorsValuesRegistryVal": { - "type": "string", - "is_array": false - }, - "intermediate": { - "type": "string", - "is_array": false - }, - "ipv4": { - "type": "string", - "is_array": false - }, - "ipv4_addresses": { - "type": "string", - "is_array": false - }, - "ipv6": { - "type": "string", - "is_array": false - }, - "key": { - "type": "string", - "is_array": false - }, - "mac_addresses": { - "type": "string", - "is_array": false - }, - "matchedRulesIds": { - "type": "string", - "is_array": false - }, - "matchedRulesNames": { - "type": "string", - "is_array": false - }, - "md5": { - "type": "string", - "is_array": false - }, - "mitreTacticsRaw": { - "type": "string", - "is_array": false - }, - "mitreTechniquesRaw": { - "type": "string", - "is_array": false - }, - "mitre_tactics": { - "type": "string", - "is_array": false - }, - "mitre_tactics_raw": { - "type": "string", - "is_array": false - }, - "mitre_techniques": { - "type": "string", - "is_array": false - }, - "module": { - "type": "string", - "is_array": false - }, - "name": { - "type": "string", - "is_array": false - }, - "network": { - "type": "string", - "is_array": false - }, - "observer": { - "type": "string", - "is_array": false - }, - "operation_sub_type": { - "type": "string", - "is_array": false - }, - "originalThreatName": { - "type": "string", - "is_array": false - }, - "original_alert_id": { - "type": "string", - "is_array": false - }, - "original_event_type": { - "type": "string", - "is_array": false - }, - "original_threat_name": { - "type": "string", - "is_array": false - }, - "os": { - "type": "string", - "is_array": false - }, - "outcome_reason": { - "type": "string", - "is_array": false - }, - "parent_id": { - "type": "string", - "is_array": false - }, 
- "path": { - "type": "string", - "is_array": false - }, - "pid": { - "type": "string", - "is_array": false - }, - "port": { - "type": "string", - "is_array": false - }, - "process": { - "type": "string", - "is_array": false - }, - "protocol_version": { - "type": "string", - "is_array": false - }, - "provenances": { - "type": "string", - "is_array": false - }, - "referrer": { - "type": "string", - "is_array": false - }, - "registry": { - "type": "string", - "is_array": false - }, - "relatedEntities": { - "type": "string", - "is_array": false - }, - "resource": { - "type": "string", - "is_array": false - }, - "rule": { - "type": "string", - "is_array": false - }, - "session_context_id": { - "type": "string", - "is_array": false - }, - "session_id": { - "type": "string", - "is_array": false - }, - "sha256": { - "type": "string", - "is_array": false - }, - "signature_status": { - "type": "string", - "is_array": false - }, - "signer": { - "type": "string", - "is_array": false - }, - "size": { - "type": "string", - "is_array": false - }, - "source": { - "type": "string", - "is_array": false - }, - "subcategory": { - "type": "string", - "is_array": false - }, - "target": { - "type": "string", - "is_array": false - }, - "tls": { - "type": "string", - "is_array": false - }, - "type": { - "type": "string", - "is_array": false - }, - "unique_identifier": { - "type": "string", - "is_array": false - }, - "upn": { - "type": "string", - "is_array": false - }, - "url": { - "type": "string", - "is_array": false - }, - "user": { - "type": "string", - "is_array": false - }, - "user_agent": { - "type": "string", - "is_array": false - }, - "username": { - "type": "string", - "is_array": false - }, - "value": { - "type": "string", - "is_array": false - }, - "version": { - "type": "string", - "is_array": false - }, - "vlan": { - "type": "string", - "is_array": false + "trend_micro_vision_one_v3_generic_alert_raw": { + "alert_provider": { + "type": "string", + "is_array": false + }, + 
"impact_scope": { + "type": "json", + "is_array": false + }, + "indicators": { + "type": "json", + "is_array": false + }, + "matched_rules": { + "type": "json", + "is_array": false + }, + "_raw_json": { + "type": "json", + "is_array": false + }, + "id": { + "type": "string", + "is_array": false + }, + "model": { + "type": "string", + "is_array": false + }, + "model_type": { + "type": "string", + "is_array": false + }, + "severity": { + "type": "string", + "is_array": false + }, + "status": { + "type": "string", + "is_array": false + }, + "investigation_status": { + "type": "string", + "is_array": false + }, + "investigation_result": { + "type": "string", + "is_array": false + }, + "description": { + "type": "string", + "is_array": false + }, + "workbench_link": { + "type": "string", + "is_array": false + }, + "score": { + "type": "string", + "is_array": false + }, + "Entities": { + "type": "string", + "is_array": false + }, + "Indicators": { + "type": "string", + "is_array": false + }, + "Rules": { + "type": "string", + "is_array": false + }, + "action": { + "type": "string", + "is_array": false + }, + "agent": { + "type": "string", + "is_array": false + }, + "alert": { + "type": "string", + "is_array": false + }, + "application": { + "type": "string", + "is_array": false + }, + "application_protocol": { + "type": "string", + "is_array": false + }, + "application_protocol_category": { + "type": "string", + "is_array": false + }, + "command_line": { + "type": "string", + "is_array": false + }, + "contains": { + "type": "string", + "is_array": false + }, + "content_version": { + "type": "string", + "is_array": false + }, + "dataset": { + "type": "string", + "is_array": false + }, + "device_id": { + "type": "string", + "is_array": false + }, + "domain": { + "type": "string", + "is_array": false + }, + "entityIdsAccountIdentifier": { + "type": "string", + "is_array": false + }, + "entityIdsDeviceId": { + "type": "string", + "is_array": false + }, + 
"entityIdsEmailIdentifier": { + "type": "string", + "is_array": false + }, + "entityValueGuidsHostname": { + "type": "string", + "is_array": false + }, + "entityValueGuidsUpn": { + "type": "string", + "is_array": false + }, + "entityValueGuidsUserName": { + "type": "string", + "is_array": false + }, + "entityValueIps": { + "type": "string", + "is_array": false + }, + "entityValueNamesHostName": { + "type": "string", + "is_array": false + }, + "entityValueNamesUpn": { + "type": "string", + "is_array": false + }, + "entityValueNamesUserName": { + "type": "string", + "is_array": false + }, + "entityValuesUserName": { + "type": "string", + "is_array": false + }, + "event": { + "type": "string", + "is_array": false + }, + "executable": { + "type": "string", + "is_array": false + }, + "extract_source_ipv4": { + "type": "string", + "is_array": false + }, + "extract_source_ipv6": { + "type": "string", + "is_array": false + }, + "extract_target_ip": { + "type": "string", + "is_array": false + }, + "file": { + "type": "string", + "is_array": false + }, + "file_before": { + "type": "string", + "is_array": false + }, + "file_type": { + "type": "string", + "is_array": false + }, + "filename": { + "type": "string", + "is_array": false + }, + "host": { + "type": "string", + "is_array": false + }, + "hostname": { + "type": "string", + "is_array": false + }, + "http": { + "type": "string", + "is_array": false + }, + "identifier": { + "type": "string", + "is_array": false + }, + "identityType": { + "type": "string", + "is_array": false + }, + "identity_type": { + "type": "string", + "is_array": false + }, + "indicatorsValuesCommandLine": { + "type": "string", + "is_array": false + }, + "indicatorsValuesExecPath": { + "type": "string", + "is_array": false + }, + "indicatorsValuesHostname": { + "type": "string", + "is_array": false + }, + "indicatorsValuesProcessId": { + "type": "string", + "is_array": false + }, + "indicatorsValuesProcessName": { + "type": "string", + "is_array": 
false + }, + "indicatorsValuesRegistryKey": { + "type": "string", + "is_array": false + }, + "indicatorsValuesRegistryVal": { + "type": "string", + "is_array": false + }, + "intermediate": { + "type": "string", + "is_array": false + }, + "ipv4": { + "type": "string", + "is_array": false + }, + "ipv4_addresses": { + "type": "string", + "is_array": false + }, + "ipv6": { + "type": "string", + "is_array": false + }, + "key": { + "type": "string", + "is_array": false + }, + "mac_addresses": { + "type": "string", + "is_array": false + }, + "matchedRulesIds": { + "type": "string", + "is_array": false + }, + "matchedRulesNames": { + "type": "string", + "is_array": false + }, + "md5": { + "type": "string", + "is_array": false + }, + "mitreTacticsRaw": { + "type": "string", + "is_array": false + }, + "mitreTechniquesRaw": { + "type": "string", + "is_array": false + }, + "mitre_tactics": { + "type": "string", + "is_array": false + }, + "mitre_tactics_raw": { + "type": "string", + "is_array": false + }, + "mitre_techniques": { + "type": "string", + "is_array": false + }, + "module": { + "type": "string", + "is_array": false + }, + "name": { + "type": "string", + "is_array": false + }, + "network": { + "type": "string", + "is_array": false + }, + "observer": { + "type": "string", + "is_array": false + }, + "operation_sub_type": { + "type": "string", + "is_array": false + }, + "originalThreatName": { + "type": "string", + "is_array": false + }, + "original_alert_id": { + "type": "string", + "is_array": false + }, + "original_event_type": { + "type": "string", + "is_array": false + }, + "original_threat_name": { + "type": "string", + "is_array": false + }, + "os": { + "type": "string", + "is_array": false + }, + "outcome_reason": { + "type": "string", + "is_array": false + }, + "parent_id": { + "type": "string", + "is_array": false + }, + "path": { + "type": "string", + "is_array": false + }, + "pid": { + "type": "string", + "is_array": false + }, + "port": { + "type": "string", 
+ "is_array": false + }, + "process": { + "type": "string", + "is_array": false + }, + "protocol_version": { + "type": "string", + "is_array": false + }, + "provenances": { + "type": "string", + "is_array": false + }, + "referrer": { + "type": "string", + "is_array": false + }, + "registry": { + "type": "string", + "is_array": false + }, + "relatedEntities": { + "type": "string", + "is_array": false + }, + "resource": { + "type": "string", + "is_array": false + }, + "rule": { + "type": "string", + "is_array": false + }, + "session_context_id": { + "type": "string", + "is_array": false + }, + "session_id": { + "type": "string", + "is_array": false + }, + "sha256": { + "type": "string", + "is_array": false + }, + "signature_status": { + "type": "string", + "is_array": false + }, + "signer": { + "type": "string", + "is_array": false + }, + "size": { + "type": "string", + "is_array": false + }, + "source": { + "type": "string", + "is_array": false + }, + "subcategory": { + "type": "string", + "is_array": false + }, + "target": { + "type": "string", + "is_array": false + }, + "tls": { + "type": "string", + "is_array": false + }, + "type": { + "type": "string", + "is_array": false + }, + "unique_identifier": { + "type": "string", + "is_array": false + }, + "upn": { + "type": "string", + "is_array": false + }, + "url": { + "type": "string", + "is_array": false + }, + "user": { + "type": "string", + "is_array": false + }, + "user_agent": { + "type": "string", + "is_array": false + }, + "username": { + "type": "string", + "is_array": false + }, + "value": { + "type": "string", + "is_array": false + }, + "version": { + "type": "string", + "is_array": false + }, + "vlan": { + "type": "string", + "is_array": false + } } - } } diff --git a/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json b/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json index 24ec73ed..2157f973 100644 --- a/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json 
+++ b/Packs/SocFrameworkTrendMicroVisionOne/pack_metadata.json @@ -1,33 +1,33 @@ { - "name": "SOC Trend Micro Enhancement for Cortex XSIAM", - "id": "soc-trendmicro-visionone", - "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.", - "support": "community", - "currentVersion": "1.0.29", - "author": "Palo Alto Networks", - "url": "https://github.com/Palo-Cortex/soc-optimization-unified", - "email": "", - "categories": [ - "Endpoint" - ], - "tags": [ - "SOC", - "SOC_Framework", - "Palo Alto Networks Products", - "EndPoint" - ], - "dependencies": { - "TrendMicroVisionOneV3": { - "mandatory": true, - "display_name": "Trend Micro Vision One" + "name": "SOC Trend Micro Enhancement for Cortex XSIAM", + "id": "soc-trendmicro-visionone", + "description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.", + "support": "community", + "currentVersion": "1.0.29", + "author": "Palo Alto Networks", + "url": "https://github.com/Palo-Cortex/soc-optimization-unified", + "email": "", + "categories": [ + "Endpoint" + ], + "tags": [ + "SOC", + "SOC_Framework", + "Palo Alto Networks Products", + "EndPoint" + ], + "dependencies": { + "TrendMicroVisionOneV3": { + "mandatory": true, + "display_name": "Trend Micro Vision One" + }, + "": { + "mandatory": true + } }, - "": { - "mandatory": true - } - }, - "useCases": [], - "keywords": [], - "marketplaces": [ - "marketplacev2" - ] + "useCases": [], + "keywords": [], + "marketplaces": [ + "marketplacev2" + ] } diff --git a/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml b/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml index 2c0964b4..c313a1ca 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml +++ b/Packs/soc-framework-nist-ir/Playbooks/EP_IR_NIST_(800-61).yml 
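Review bot: The re-indented `dependencies` map on the new side still carries an entry keyed by the empty string, `"": { "mandatory": true }`, immediately after the `TrendMicroVisionOneV3` entry, and it is marked mandatory. An empty pack ID cannot refer to any pack, so this is either a stray placeholder or a dependency whose ID was never filled in; at best it is dead metadata, and it may well trip pack validation or installation when the dependency is resolved. Since this hunk already rewrites every line of the file, it is the right place to either delete the three lines or replace `""` with the intended pack ID and give it a `display_name` like its sibling. Nothing else in the hunk changes meaning; the `TrendMicroVisionOneV3` entry and the `marketplacev2` target are preserved.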
@@ -205,5 +205,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: 51ffcd5a-f5bb-4e09-84ae-e1efdc5165ac -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml index 1ff1b71a..1e0d1d59 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_Evaluation_V3.yml @@ -7,9 +7,9 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false @@ -18,32 +18,26 @@ tags: - SOC - SOC_Framework_Unified - Detection & Analysis -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 type: start task: id: 7e6a701e-667b-4a70-8a74-14564da75fc7 version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "31" + - '31' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -51,8 +45,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "2": - id: "2" + '2': + id: '2' taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 type: title task: 
@@ -61,18 +55,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 60, - "y": 4240 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 4240\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -80,48 +68,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" + '31': + id: '31' taskid: da61ef8d-7840-4b48-9dcc-aa88221204b7 type: regular task: id: da61ef8d-7840-4b48-9dcc-aa88221204b7 version: -1 name: Set Case Risk Score - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_score value: simple: ${inputs.case_score} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -129,48 +109,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" + '32': + id: '32' taskid: 70bb5690-7d22-4b90-9db6-5ea5b648fa19 type: regular task: id: 70bb5690-7d22-4b90-9db6-5ea5b648fa19 version: -1 name: Set Compromise Suspicious - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "44" + - '44' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.compromise_level value: simple: ${inputs.compromise_level} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -178,48 +150,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "35": - id: "35" + '35': + id: '35' taskid: d728a61c-7878-4595-96ff-4f232562b11f type: regular task: id: d728a61c-7878-4595-96ff-4f232562b11f version: -1 name: Set Verdict - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "36" + - '36' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.verdict value: simple: ${inputs.verdict} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 775 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -227,48 +191,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "36": - id: "36" + '36': + id: '36' taskid: 28c28837-feb4-4488-a1e8-4ed377d2b172 type: regular task: id: 28c28837-feb4-4488-a1e8-4ed377d2b172 version: -1 name: Set Confidence - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "37" + - '37' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.confidence value: simple: ${inputs.confidence} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 960 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 960\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -276,48 +232,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "37": - id: "37" + '37': + id: '37' taskid: a7faa095-dc8c-46a9-92fa-e3724e99ee18 type: regular task: id: a7faa095-dc8c-46a9-92fa-e3724e99ee18 version: -1 name: Set Response Recommendation - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "38" + - '38' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.response_recommended value: simple: ${inputs.response_recommended} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1145 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1145\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -325,48 +273,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "38": - id: "38" + '38': + id: '38' taskid: 5b48fa18-6d81-467c-83e5-3c0982ec5cc1 type: regular task: id: 5b48fa18-6d81-467c-83e5-3c0982ec5cc1 version: -1 name: Set Case Category - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "39" + - '39' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_category value: simple: ${inputs.case_category} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1330 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1330\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -374,48 +314,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "39": - id: "39" + '39': + id: '39' taskid: d5f28fc2-d810-4113-9f1e-073ff60df0c3 type: regular task: id: d5f28fc2-d810-4113-9f1e-073ff60df0c3 version: -1 name: Set Primary Entity Type - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "50" + - '50' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_type value: simple: ${inputs.primary_entity_type} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1515 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1515\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -423,48 +355,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "40": - id: "40" + '40': + id: '40' taskid: 719b7f9d-c386-4f2f-8ebb-dc083820eb7e type: regular task: id: 719b7f9d-c386-4f2f-8ebb-dc083820eb7e version: -1 name: Set Persistence Types - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "41" + - '41' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.persistence_type value: simple: ${inputs.persistence_type} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1885 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1885\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -472,48 +396,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "41": - id: "41" + '41': + id: '41' taskid: 4297d1f6-862f-4fa6-bcfb-a0d33a48eb3e type: regular task: id: 4297d1f6-862f-4fa6-bcfb-a0d33a48eb3e version: -1 name: Set Spread Level - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "42" + - '42' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.spread_level value: simple: ${inputs.spread_level} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2070 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2070\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -521,48 +437,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "42": - id: "42" + '42': + id: '42' taskid: 30a3e2af-9499-4f3e-ad97-54dfa893bcaf type: regular task: id: 30a3e2af-9499-4f3e-ad97-54dfa893bcaf version: -1 name: Set User Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_user_count value: simple: ${inputs.case_user_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2255 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2255\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -570,48 +478,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "43": - id: "43" + '43': + id: '43' taskid: 2dfca0ab-5915-40a5-becd-4e4d45dbefa5 type: regular task: id: 2dfca0ab-5915-40a5-becd-4e4d45dbefa5 version: -1 name: Set Story - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.story value: simple: ${inputs.story} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 3365 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 3365\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -619,48 +519,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "44": - id: "44" + '44': + id: '44' taskid: 80711a69-e679-4322-aa8d-db3dd12f47ca type: regular task: id: 80711a69-e679-4322-aa8d-db3dd12f47ca version: -1 name: Set Compromise Decision - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "35" + - '35' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.compromise_decision value: simple: ${inputs.compromise_decision} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
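Review bot: `Analysis.compromise_decision` is written with `force: 'true'` and `append: 'false'`, so an empty or unset `inputs.compromise_decision` replaces whatever decision is already in context instead of leaving it untouched, which is the opposite of what the copied script description ("the script doesn't do anything") tells the reader. For a key that presumably gates containment and eradication downstream this is a fail-open versus fail-closed choice and deserves an explicit statement on the task: either document that an empty input deliberately clears the prior decision and confirm the consuming condition treats an empty key as "undecided" rather than "not compromised", or drop `force` so a missing input preserves the existing value. I would set the task description to `Sets Analysis.compromise_decision from inputs.compromise_decision; force=true clears the key when the input is empty — downstream conditions must treat an empty key as undecided, never as a benign verdict.` The routing that consumes this key is outside this hunk, so the fail-open concern is inferred from the argument values shown here, not demonstrated.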
@@ -668,48 +560,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "45": - id: "45" + '45': + id: '45' taskid: b023b41f-1a96-4c2f-8f48-05994a0759e9 type: regular task: id: b023b41f-1a96-4c2f-8f48-05994a0759e9 version: -1 name: Set Hash Prevalence Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "46" + - '46' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.global_hash_prevalence_count value: simple: ${inputs.global_hash_prevalence_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2440 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2440\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -717,48 +601,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "46": - id: "46" + '46': + id: '46' taskid: 2af6504f-a21c-4e90-9d6e-64eb7cb41214 type: regular task: id: 2af6504f-a21c-4e90-9d6e-64eb7cb41214 version: -1 name: Set Case Issue Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "47" + - '47' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_issue_count value: simple: ${inputs.case_issue_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2625 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2625\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -766,48 +642,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "47": - id: "47" + '47': + id: '47' taskid: 1e0f8dd0-c124-4a4f-b611-305a6a2c3fb0 type: regular task: id: 1e0f8dd0-c124-4a4f-b611-305a6a2c3fb0 version: -1 name: Set Case Host Count - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "48" + - '48' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.case_host_count value: simple: ${inputs.case_host_count} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2810 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2810\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -815,48 +683,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "48": - id: "48" + '48': + id: '48' taskid: 9e7d5761-ff0a-45a4-bd8a-7ad2d887b9c4 type: regular task: id: 9e7d5761-ff0a-45a4-bd8a-7ad2d887b9c4 version: -1 name: Set Case Entity User - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "49" + - '49' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_user value: simple: ${inputs.primary_entity_user} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 2995 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2995\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -864,49 +724,41 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "49": - id: "49" + '49': + id: '49' taskid: e8e79b5c-465b-4b3c-8d3f-e4dc956cfb14 type: regular task: id: e8e79b5c-465b-4b3c-8d3f-e4dc956cfb14 version: -1 name: Set Case Entity Name - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "51" - - "43" + - '51' + - '43' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_name value: simple: ${inputs.primary_entity_name} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 3180 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 3180\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -914,48 +766,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "50": - id: "50" + '50': + id: '50' taskid: 8742c793-705c-427f-89ab-ce5177e715b4 type: regular task: id: 8742c793-705c-427f-89ab-ce5177e715b4 version: -1 name: Set Primary Entity ID - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "40" + - '40' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.primary_entity_id value: simple: ${inputs.primary_entity_id} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 1700 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1700\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -963,8 +807,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "51": - id: "51" + '51': + id: '51' taskid: a8565059-98e8-419d-be67-4537cc738b13 type: title task: @@ -973,21 +817,15 @@ tasks: name: MITRE Techniques & Tactics type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "52" + - '52' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3290 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3290\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -995,48 +833,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "52": - id: "52" + '52': + id: '52' taskid: d355f6d4-194d-4711-8496-e4feb6773661 type: regular task: id: d355f6d4-194d-4711-8496-e4feb6773661 version: -1 name: Set MITRE Tactic - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "53" + - '53' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_tactic value: simple: ${inputs.mitre_tactic} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3410 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3410\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1044,48 +874,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "53": - id: "53" + '53': + id: '53' taskid: f7129588-7d49-43f6-bee8-6a6e0beb92b7 type: regular task: id: f7129588-7d49-43f6-bee8-6a6e0beb92b7 version: -1 name: Set MITRE Technique - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "56" + - '56' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_technique value: simple: ${inputs.mitre_technique} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3600 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3600\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1093,48 +915,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "55": - id: "55" + '55': + id: '55' taskid: bbf16a46-d12f-48ed-93a9-7b0d68bd596f type: regular task: id: bbf16a46-d12f-48ed-93a9-7b0d68bd596f version: -1 name: Set MITRE Technique ID - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_technique_id value: simple: ${inputs.mitre_technique_id} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3990 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3990\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1142,48 +956,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "56": - id: "56" + '56': + id: '56' taskid: b1e006d4-b723-42e1-a3d5-26362ce639ab type: regular task: id: b1e006d4-b723-42e1-a3d5-26362ce639ab version: -1 name: Set MITRE Tactic ID - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "55" + - '55' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.mitre_tactic_id value: simple: ${inputs.mitre_tactic_id} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 3790 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 3790\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1192,48 +998,38 @@ tasks: isoversize: false isautoswitchedtoquietmode: false system: true -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 4250, - "width": 830, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 4250,\n \"width\":\ + \ 830,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: case_score value: simple: ${parentIncidentFields.predicted_score} required: false - description: "" + description: '' playbookInputQuery: null - key: compromise_level value: simple: ${Analysis.Endpoint.compromise_level} required: false - description: "" + description: '' playbookInputQuery: null - key: verdict value: simple: ${Analysis.Endpoint.verdict} required: false - description: "" + description: '' playbookInputQuery: null - key: confidence value: simple: ${Analysis.Endpoint.confidence} required: false - description: "" + description: '' playbookInputQuery: null - key: response_recommended value: simple: ${Analysis.Endpoint.response_recommended} required: false - description: "" + description: '' playbookInputQuery: null - key: case_category value: 
@@ -1243,110 +1039,108 @@ inputs: transformers: - operator: toLowerCase required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_type value: simple: ${SOCFramework.Product.category} required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_id value: simple: ${SOCFramework.Artifacts.EndPointID} required: false - description: "" + description: '' playbookInputQuery: null - key: spread_level value: simple: ${Analysis.Endpoint.spread_level} required: false - description: "" + description: '' playbookInputQuery: null - key: global_hash_prevalence_count value: simple: ${Core.AnalyticsPrevalence.Hash.[0].data.global_prevalence.value} required: false - description: "" + description: '' playbookInputQuery: null - key: story value: - simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" - was observed in this case.\n\nThe endpoint compromise level has been assessed - as \"${Analysis.Endpoint.compromise_level}\", based on execution correlation - and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts involved: - ${Analysis.Endpoint.host_count}\n• Users involved: ${Analysis.Endpoint.user_count}\n• - Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n• - Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence - is \"${Analysis.Endpoint.confidence}\". \nResponse recommendation: ${Analysis.Endpoint.response_recommended}." 
+ simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" was observed in this case.\n\ + \nThe endpoint compromise level has been assessed as \"${Analysis.Endpoint.compromise_level}\", based on execution correlation\ + \ and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts involved: ${Analysis.Endpoint.host_count}\n\ + • Users involved: ${Analysis.Endpoint.user_count}\n• Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n\ + • Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence is \"${Analysis.Endpoint.confidence}\"\ + . \nResponse recommendation: ${Analysis.Endpoint.response_recommended}." required: false - description: "" + description: '' playbookInputQuery: null - key: case_host_count value: simple: ${Analysis.Endpoint.host_count} required: false - description: "" + description: '' playbookInputQuery: null - key: case_issue_count value: simple: ${Analysis.Endpoint.issue_count} required: false - description: "" + description: '' playbookInputQuery: null - key: compromise_decision value: simple: ${Analysis.Endpoint.compromise_decision} required: false - description: "" + description: '' playbookInputQuery: null - key: case_user_count value: simple: ${Analysis.Endpoint.user_count} required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_name value: simple: ${SOCFramework.Artifacts.HostName} required: false - description: "" + description: '' playbookInputQuery: null - key: persistence_type value: simple: ${Analysis.Endpoint.persistence_type} required: false - description: "" + description: '' playbookInputQuery: null - key: primary_entity_user value: simple: ${SOCFramework.Artifacts.UserName} required: false - description: "" + description: '' playbookInputQuery: null - key: mitre_tactic_id value: simple: ${SOCFramework.Mitre.Tactic.ID} required: false - description: "" + description: '' playbookInputQuery: null - 
key: mitre_technique_id value: simple: ${SOCFramework.Mitre.Technique.ID} required: false - description: "" + description: '' playbookInputQuery: null - key: mitre_technique value: simple: ${SOCFramework.Mitre.Technique} required: false - description: "" + description: '' playbookInputQuery: null - key: mitre_tactic value: simple: ${SOCFramework.Mitre.Tactic} required: false - description: "" + description: '' playbookInputQuery: null inputSections: - inputs:
@@ -1450,5 +1244,5 @@ outputs: - contextPath: Analysis.mitre_tactic type: unknown sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
adopted: true
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml
index 9c756d64..d8d4077d 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Analysis_V3.yml
@@ -7,65 +7,71 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC Analysis_V3 -description: |- - Identify potential security events, determine whether they represent true alerts, understand their scope and impact, and establish the actionable context needed to respond effectively. +description: 'Identify potential security events, determine whether they represent true alerts, understand their scope and + impact, and establish the actionable context needed to respond effectively. + What this phase includes: + Monitoring security telemetry from logs, alerts, sensors, EDR, SIEM/XSIAM analytics, threat intel, and user reports. + Triaging events to distinguish benign activity, false positives, and true security alerts. - Enriching indicators and artifacts (e.g., IPs, hashes, domains, user accounts, processes, network connections) using internal data and external threat intelligence. + + Enriching indicators and artifacts (e.g., IPs, hashes, domains, user accounts, processes, network connections) using internal + data and external threat intelligence. + Correlating events across systems to understand the timeline, root cause, attack vector, and potential lateral movement. + Assigning alert classification, severity, priority, and category for consistent response. + Documenting findings, evidence, and hypotheses while preserving forensic integrity. + Determining the initial scope and business impact to decide how aggressive containment must be. + Outcome: - A validated and well-understood security alert with clear context, severity, indicators, and scope—enabling the organization to transition into Containment with confidence and accuracy. 
+ + A validated and well-understood security alert with clear context, severity, indicators, and scope—enabling the organization + to transition into Containment with confidence and accuracy.' tags: - SOC - SOC_Framework_Unified - NIST 800-61 - Analysis -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 type: start task: id: 2d9b464e-b61d-4ff1-8425-1dec11c5d731 version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "10" + - '10' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1175, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1175,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -73,8 +79,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "1": - id: "1" + '1': + id: '1' taskid: 57a5da65-400a-4cd5-826c-3436a01618f8 type: playbook task: @@ -84,21 +90,15 @@ tasks: playbookName: SOC Data Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 162.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
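Review bot: The playbook `description` is rewritten from a `|-` literal block into a single-quoted scalar whose paragraphs are separated by inserted blank lines; in a single-quoted scalar a line break folds to a space and a blank line folds to one newline, so the rendered text should match the old literal's single-newline paragraphs, but the source is now much harder to read and every future wording change will re-wrap neighbouring lines. For multi-paragraph prose like this, keeping `description: |-` with one paragraph per line is the clearer form; the same rewrap is applied to the task descriptions on tasks 3 and 19 further down. If a YAML dumper produced this, configuring it to preserve block scalars (or reformatting with the project's normal tooling) would avoid the churn.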
@@ -106,41 +106,48 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "3": - id: "3" + '3': + id: '3' taskid: 8789348a-ffb7-44b8-bf30-a449ccd3b55d type: playbook task: id: 8789348a-ffb7-44b8-bf30-a449ccd3b55d version: -1 name: SOC EndPoint Analysis_V3 - description: |- - This is the analyst’s core domain. + description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the alert (category, severity, impact). + Document findings and escalate confirmed alerts. + Outcome: Determine whether an event is a legitimate alert and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' playbookName: SOC EndPoint Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' scriptarguments: Alert_Subtype: simple: ${SOCFramework.Product.category} @@ -163,19 +170,13 @@ tasks: XSIAM_RiskScore: simple: ${SOCFramework.Investigation.RiskScore} separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { - "x": 1062.5, - "y": 590 - } - } + view: "{\n \"position\": {\n \"x\": 1062.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -183,8 +184,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "5": - id: "5" + '5': + id: '5' taskid: d7385c3a-2283-4938-81b3-58ea63cc75f2 type: playbook task: 
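Review bot: The `description` on task 3 (SOC EndPoint Analysis_V3) is a generic "analyst's core domain" paragraph that appears verbatim on task 19 (SOC Email Analysis_V3) below and says nothing endpoint-specific, so it gives a reader no help telling the two sub-playbook calls apart. A short task-level line stating what this call contributes — for example `description: Runs the endpoint analysis sub-playbook with the product category and XSIAM risk score from SOCFramework context.` — would be more useful than the repeated phase summary; the loop and scriptarguments for this task continue in the following hunks.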
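Review bot: The `loop:` block on task 3 keeps `exitCondition: ''` with `wait: 1` and `max: 100`, changed only in quoting, and the hunk shows no `forEach` under it; if the sub-playbook is not meant to iterate this is leftover configuration worth deleting, and if it is, an empty exit condition leaves `max: 100` as the only bound on how many times the endpoint analysis sub-playbook runs. I cannot tell from the hunk whether the loop is active, so the intent should be stated on the task, e.g. `description: ...; the loop settings are XSOAR editor defaults and the task runs once.` or a real exit condition. Task 3's definition starts in the preceding hunk.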
@@ -194,21 +195,15 @@ tasks: playbookName: SOC Identity Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1512.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1512.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -216,8 +211,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "6": - id: "6" + '6': + id: '6' taskid: e2089744-16e7-4227-8a13-0c65f8278895 type: playbook task: @@ -227,21 +222,15 @@ tasks: playbookName: SOC Network Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1962.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1962.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -249,8 +238,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "7": - id: "7" + '7': + id: '7' taskid: 4b7573be-bd91-4fe6-8959-2bc5d4aaa78c type: playbook task: @@ -260,21 +249,15 @@ tasks: playbookName: SOC SaaS Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 2412.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2412.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -282,8 +265,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "8": - id: "8" + '8': + id: '8' taskid: 3d8bf25e-863c-4ee5-8a18-47d621adbc11 type: playbook task: @@ -293,21 +276,15 @@ tasks: playbookName: SOC Workload Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 2862.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2862.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -315,8 +292,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "9": - id: "9" + '9': + id: '9' taskid: 8ceb5aed-c39b-452d-8fd8-f5f2ed8eb896 type: title task: @@ -325,18 +302,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1287.5, - "y": 775 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1287.5,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -344,8 +315,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "10": - id: "10" + '10': + id: '10' taskid: 92178e4d-7444-47c9-8229-cca9ce09d331 type: condition task: @@ -354,26 +325,26 @@ tasks: name: Product Category type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Data: - - "13" + - '13' Email: - - "18" + - '18' Endpoint: - - "12" + - '12' Identity: - - "14" + - '14' Network: - - "15" + - '15' SaaS: - - "16" + - '16' Workload: - - "17" + - '17' separatecontext: false conditions: - label: Data 
@@ -446,14 +417,8 @@ tasks: right: value: simple: Network - continueonerrortype: "" - view: |- - { - "position": { - "x": 1175, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1175,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -461,8 +426,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "12": - id: "12" + '12': + id: '12' taskid: 51a32d2e-ec43-4029-8faa-f5c1ab7f7799 type: condition task: @@ -471,14 +436,14 @@ tasks: name: Endpoint Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "3" + - '3' separatecontext: false conditions: - label: Default @@ -525,14 +490,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 950, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -540,8 +499,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "13": - id: "13" + '13': + id: '13' taskid: bdabddaf-0b19-4e96-971a-d3f85479805e type: condition task: @@ -550,14 +509,14 @@ tasks: name: Data Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "1" + - '1' separatecontext: false conditions: - label: Default @@ -604,14 +563,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -619,8 +572,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "14": - id: "14" + '14': + id: '14' taskid: 1333bc58-8ac4-4522-b913-52c76f5cc116 type: condition task: @@ -629,14 +582,14 @@ tasks: name: Identity Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "5" + - '5' separatecontext: false conditions: - label: Default @@ -683,14 +636,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 1400, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -698,8 +645,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "15": - id: "15" + '15': + id: '15' taskid: dca31f2e-7363-4767-bfdd-42af9b9a5066 type: condition task: @@ -708,14 +655,14 @@ tasks: name: Network Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "6" + - '6' separatecontext: false conditions: - label: Default @@ -762,14 +709,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 1850, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1850,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -777,8 +718,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "16": - id: "16" + '16': + id: '16' taskid: 419f92e1-5c35-47f4-ae4e-8b75acf42e57 type: condition task: 
@@ -787,14 +728,14 @@ tasks: name: SaaS Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "7" + - '7' separatecontext: false conditions: - label: Default @@ -841,14 +782,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 2300, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2300,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -856,8 +791,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "17": - id: "17" + '17': + id: '17' taskid: 866225a9-2ae1-434f-b042-8907793f102f type: condition task: @@ -866,14 +801,14 @@ tasks: name: Workload Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "8" + - '8' separatecontext: false conditions: - label: Default @@ -920,14 +855,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 2750, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 2750,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -935,8 +864,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "18": - id: "18" + '18': + id: '18' taskid: e96a6c41-f225-4ae6-9939-0bb1639cdecb type: condition task: @@ -945,14 +874,14 @@ tasks: name: Email Analysis Execution Branch type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - '9' Default: - - "19" + - '19' separatecontext: false conditions: - label: Default 
@@ -999,14 +928,8 @@ tasks: right: value: simple: custom - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1014,50 +937,51 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "19": - id: "19" + '19': + id: '19' taskid: 8d429896-10a1-417b-8289-dbaeb060bcce type: playbook task: id: 8d429896-10a1-417b-8289-dbaeb060bcce version: -1 name: SOC Email Analysis_V3 - description: |- - This is the analyst’s core domain. + description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the alert (category, severity, impact). + Document findings and escalate confirmed alerts. + Outcome: Determine whether an event is a legitimate alert and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' playbookName: SOC Email Analysis_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - '9' separatecontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 612.5, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1066,29 +990,15 @@ tasks: isoversize: false isautoswitchedtoquietmode: false system: true -view: |- - { - "linkLabelsPosition": { - "10_14_Identity": 0.88, - "10_16_SaaS": 0.82, - "10_17_Workload": 0.9, - "18_19_Default": 0.8 - }, - "paper": { - "dimensions": { - "height": 785, - "width": 3192.5, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {\n \"10_14_Identity\": 0.88,\n \"10_16_SaaS\": 0.82,\n \"10_17_Workload\": 0.9,\n\ + \ \"18_19_Default\": 0.8\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 785,\n \"width\": 3192.5,\n\ + \ \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: ExecutionBranch value: simple: ${lists.SOCExecutionList_V3} required: false - description: "" + description: '' playbookInputQuery: null - key: ProductCategory value:
@@ -1174,5 +1084,5 @@ outputs: - contextPath: Analysis.case_user_count type: unknown sourceplaybookid: SOC Containment_V3
-dirtyInputs: true
+dirtyInputs: false
adopted: true
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml
index 232934c7..5908470e 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_Evaluation_V3.yml
@@ -7,9 +7,9 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false
@@ -18,32 +18,26 @@ tags: - SOC - SOC_Framework_Unified - Containment -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 type: start task: id: 7e6a701e-667b-4a70-8a74-14564da75fc7 version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "31" + - '31' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -51,8 +45,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "2": - id: "2" + '2': + id: '2' taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 type: title task: @@ -61,18 +55,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 960 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 960\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -80,48 +68,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" + '31': + id: '31' taskid: ccfd4d07-3d48-4610-bf9d-9ed0f49551eb type: regular task: id: ccfd4d07-3d48-4610-bf9d-9ed0f49551eb version: -1 name: Set Containment Status - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.status value: simple: ${inputs.status} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -129,48 +109,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" + '32': + id: '32' taskid: 7ba489bd-a62b-47f4-a5d4-2a157d7dd7fe type: regular task: id: 7ba489bd-a62b-47f4-a5d4-2a157d7dd7fe version: -1 name: Set Containment Isolated Hosts - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "44" + - '44' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.isolate_hosts value: simple: ${inputs.isolated_hosts} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 405 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -178,48 +150,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "43": - id: "43" + '43': + id: '43' taskid: fde09d0c-93d8-423c-926d-5f0562365364 type: regular task: id: fde09d0c-93d8-423c-926d-5f0562365364 version: -1 name: Set Story - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.story value: simple: ${inputs.story} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 775 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -227,48 +191,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "44": - id: "44" + '44': + id: '44' taskid: db106c52-f407-4794-bfab-6545966cb9c1 type: regular task: id: db106c52-f407-4794-bfab-6545966cb9c1 version: -1 name: Set Containment Action - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "43" + - '43' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Containment.action value: simple: ${inputs.action} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 50, - "y": 590 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -276,47 +232,42 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 970, - "width": 380, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 970,\n \"width\": 380,\n\ + \ \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: status value: {} required: false - description: "" + description: '' playbookInputQuery: null - key: isolated_hosts value: {} required: false - description: "" + description: '' playbookInputQuery: null - key: story value: - simple: |- - Malware execution confirmed on ${Analysis.case_host_count} host(s). + simple: 'Malware execution confirmed on ${Analysis.case_host_count} host(s). + Spread level assessed as ${Analysis.spread_level}. + Compromise level: ${Analysis.compromise_level}. + Case risk score: ${Analysis.case_score}. + Containment action taken: ${Containment.action}. + Hosts isolated: ${Containment.isolated_hosts}. - Users disabled: ${Containment.disabled_users}. + + Users disabled: ${Containment.disabled_users}.' required: false - description: "" + description: '' playbookInputQuery: null - key: action value: simple: isolate_host required: false - description: "" + description: '' playbookInputQuery: null inputSections: - inputs: @@ -344,5 +295,5 @@ outputs: - contextPath: Containment.action type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml index 044ba675..97950f8f 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Containment_V3.yml 
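Review bot: The default `story` input interpolates `${Containment.isolated_hosts}` and `${Containment.disabled_users}`, but the only hosts key this playbook writes is `Containment.isolate_hosts` (task 32, "Set Containment Isolated Hosts") and no visible task writes `disabled_users`, so the rendered story will carry empty placeholders for both. Either rename the key in task 32 to `key: simple: Containment.isolated_hosts` (matching the `isolated_hosts` input it is fed from) or change the template to `${Containment.isolate_hosts}`, and populate or drop the disabled-users line. The template also hard-codes "Malware execution confirmed", which presumably is not true for every caller of a generic containment-evaluation playbook; making that sentence derive from the `${Analysis...}` context the rest of the text already uses would avoid a misleading incident narrative. The inputs list continues outside the hunk.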
@@ -1,12 +1,11 @@ -adopted: true fromversion: 5.0.0 id: SOC Containment_V3 -version: 21 +version: 49 contentitemexportablefields: contentitemfields: packID: soc-framework-nist-ir - packName: SOC Framework Unified - itemVersion: 3.1.4 + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 fromServerVersion: 5.0.0 toServerVersion: '' definitionid: '' @@ -69,7 +68,7 @@ tasks: - '21' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1250,\n \"y\": -100\n }\n}" + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -99,7 +98,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -107,7 +105,7 @@ tasks: exitCondition: '' wait: 1 max: 0 - view: "{\n \"position\": {\n \"x\": 1145,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 1605,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -137,7 +135,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -145,7 +142,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 2025,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 2485,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -175,7 +172,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -183,7 +179,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 622.5,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -213,7 +209,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: 
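Review bot: The header hunk changes `packName` to "SOC Framework NIST IR (800-61)" and moves `itemVersion` from 3.1.4 down to 1.1.0, while the sibling playbooks in this same commit (SOC_Containment_Evaluation_V3, for example) keep `packName: SOC Framework Unified` and `itemVersion: 3.1.4`. That makes this one content item disagree with its own pack metadata and looks like an export from a different pack or instance rather than an intended change; restore `packName: SOC Framework Unified` and `itemVersion: 3.1.4` unless the rename is being applied pack-wide. The jump from `version: 21` to `version: 49` points the same way, so it is worth confirming the file came from the same environment as the rest of the pack before upload.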
@@ -221,7 +216,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 1052.5,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -244,7 +239,7 @@ tasks: istaskmissingcomponenterrordismissed: false separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1595,\n \"y\": 775\n }\n}" + view: "{\n \"position\": {\n \"x\": 2045,\n \"y\": 960\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -355,7 +350,7 @@ tasks: value: simple: Workload continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1257.5,\n \"y\": 220\n }\n}" + view: "{\n \"position\": {\n \"x\": 1717.5,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -429,7 +424,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 2925,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 3385,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -501,7 +496,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 2475,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 2935,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -531,7 +526,6 @@ tasks: nexttasks: '#none#': - '8' - scriptarguments: {} separatecontext: true continueonerrortype: '' loop: @@ -539,7 +533,7 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 3375,\n \"y\": 590\n }\n}" + view: "{\n \"position\": {\n \"x\": 3835,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -614,7 +608,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1687.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 2250,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -687,7 +681,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1032.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 1492.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -760,7 +754,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 2362.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 2822.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -833,7 +827,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 3262.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 3722.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -906,7 +900,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 520,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -977,7 +971,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 1052.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1050,7 +1044,7 @@ tasks: value: simple: custom continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 2812.5,\n \"y\": 405\n }\n}" + view: "{\n \"position\": {\n \"x\": 3272.5,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1088,7 +1082,7 @@ tasks: right: value: {} continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1250,\n \"y\": 30\n }\n}" + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1114,7 +1108,7 @@ tasks: - '8' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1595,\n \"y\": 597.5\n }\n}" + view: "{\n \"position\": {\n \"x\": 2055,\n \"y\": 782.5\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1124,7 +1118,7 @@ tasks: isautoswitchedtoquietmode: false '30': id: '30' - taskid: fcd0fd59-4997-4a18-9c90-421c06c00366 + taskid: c47d557d-c843-42bd-84b3-7825d3179091 type: regular task: id: c47d557d-c843-42bd-84b3-7825d3179091 @@ -1151,7 +1145,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 530\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1161,7 +1155,7 @@ tasks: isautoswitchedtoquietmode: false '31': id: '31' - taskid: b3cb345b-d2b6-4a59-a261-b4ee219a3e14 + taskid: 188c332a-c6aa-4204-b61d-7498a069d059 type: regular task: id: 188c332a-c6aa-4204-b61d-7498a069d059 @@ -1188,7 +1182,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 700\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 590\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1198,7 +1192,7 @@ tasks: isautoswitchedtoquietmode: false '32': id: '32' - taskid: 145113c3-8a3f-4a0d-bfa3-1dbfe25ac7b2 + taskid: da7884c4-ccd3-4497-9c37-b0295e4096aa type: regular task: id: da7884c4-ccd3-4497-9c37-b0295e4096aa @@ -1232,7 +1226,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 870\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 775\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1242,8 +1236,8 @@ tasks: isautoswitchedtoquietmode: false system: true view: "{\n \"linkLabelsPosition\": {\n \"9_16_Endpoint\": 0.9,\n \"9_17_Network\": 0.3,\n \"9_20_Identity\": 0.9\n\ - \ },\n \"paper\": {\n \"dimensions\": {\n \"height\": 935,\n \"width\": 3705,\n \"x\": 50,\n \"\ - y\": -100\n }\n }\n}" + \ },\n \"paper\": {\n \"dimensions\": {\n \"height\": 970,\n \"width\": 4165,\n \"x\": 50,\n \"\ + y\": 50\n }\n }\n}" inputs: - key: ProductCategory value: @@ -1281,4 +1275,5 @@ outputs: - contextPath: Containment.story type: unknown sourceplaybookid: SOC Containment_V3 -dirtyInputs: true +dirtyInputs: false +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml index a39339aa..8d8d7711 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Analysis_V3.yml @@ -1,27 +1,34 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC Data Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC Data Analysis_V3 inputs: [] name: SOC Data Analysis_V3 outputs: [] -starttaskid: "0" +starttaskid: '0' tags: - SOC - SOC_Framework_Unified 
@@ -29,39 +36,33 @@ tags: - Detection & Analysis - NIST 800-61 tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -70,27 +71,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -99,34 +94,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml index 1162cede..322ecebe 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Containment_V3.yml @@ -114,4 +114,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml index 8d3ebdaf..a20062bd 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml index c909e826..bad0754f 100644 
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Data_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml index 7d3cb8bd..38fa7031 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Analysis_V3.yml @@ -417,10 +417,10 @@ tasks: isautoswitchedtoquietmode: false '15': id: '15' - taskid: bf21gc03-d4e5-5f6a-c7b8-90123456bcde + taskid: c125bb93-7ce0-5b63-bfcb-48c6c5a37642 type: playbook task: - id: bf21gc03-d4e5-5f6a-c7b8-90123456bcde + id: c125bb93-7ce0-5b63-bfcb-48c6c5a37642 version: -1 name: SOC Email Spread Evaluation_V3 description: Maps RecipientScope to canonical spread_level (single_entity / limited_entity / multi_entity) and audits diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml index 71bb2126..87d26f7d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml 
@@ -1,114 +1,185 @@ adopted: true -id: SOC Email Exposure Evaluation V3 -name: SOC Email Exposure Evaluation V3 +id: SOC Email Exposure Evaluation_V3 +name: SOC Email Exposure Evaluation_V3 version: -1 fromversion: 5.0.0 -description: Evaluates Proofpoint TAP email exposure via Universal Command. Determines click/delivered/blocked exposure level, recipient scope, and high-value user involvement. No XQL dependency. +description: Evaluates Proofpoint TAP email exposure via Universal Command. Determines click/delivered/blocked exposure level, + recipient scope, and high-value user involvement. No XQL dependency. tags: - - Email - - SOCFramework - - Analysis -starttaskid: "0" - +- Email +- SOCFramework +- Analysis +starttaskid: '0' inputs: [] - -outputs: [] - +outputs: +- contextPath: Email.Exposure.level + description: 'Exposure level: clicked / delivered / blocked' + type: String +- contextPath: Email.Exposure.click_count + description: Number of click events observed for the threat URL + type: Number +- contextPath: Email.Exposure.delivered_count + description: Number of delivered message events for the threat URL + type: Number +- contextPath: Email.Exposure.mailbox_count + description: Total number of affected mailboxes (blast radius) + type: Number +- contextPath: Email.Exposure.recipient_scope + description: 'Recipient scope: targeted (≤5 mailboxes) / broad (>5)' + type: String +- contextPath: Email.Exposure.message_id + description: Proofpoint GUID for downstream correlation + type: String +- contextPath: Email.Exposure.high_value_user + description: true if a high-value user was targeted + type: String +- contextPath: Email.Classification + description: 'Email classification from TAP alert: phish / malware / spam' + type: String tasks: - "0": - id: "0" - taskid: "0" + '0': + id: '0' + taskid: 41afcaf6-108b-5bc5-af11-cd02c873e084 type: start task: - id: "0" - name: "" + id: 41afcaf6-108b-5bc5-af11-cd02c873e084 + name: '' iscommand: false - brand: "" + brand: '' 
+ version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "1" + - '1' separatecontext: false - continueonerrortype: "" - - "1": - id: "1" - taskid: "1" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 50}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '1': + id: '1' + taskid: 32dff903-6c43-5958-9050-2eff3f0b3ae2 type: title task: - id: "1" + id: 32dff903-6c43-5958-9050-2eff3f0b3ae2 name: Query Delivery & Click Events type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "2" + - '2' separatecontext: false - - "2": - id: "2" - taskid: "2" + view: '{"position": {"x": 592, "y": 195}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '2': + id: '2' + taskid: 6f0e4c70-e000-5c0e-839c-bbd635ae2da8 type: condition task: - id: "2" + id: 6f0e4c70-e000-5c0e-839c-bbd635ae2da8 name: Is Click Event? - description: Checks alert.type directly to determine whether the triggering event is a click or delivery event. No XQL required. If click, seeds click_count=1 before API call so count is never zero even if API interval misses this event. + description: Checks alert.type directly to determine whether the triggering event is a click or delivery event. No XQL + required. If click, seeds click_count=1 before API call so count is never zero even if API interval misses this event. 
type: condition iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false conditions: - - label: "YES" - condition: - - - operator: isEqualString - left: - value: - simple: ${alert.type} - iscontext: true - right: - value: - simple: clicks permitted - ignorecase: true + - label: 'YES' + condition: + - - operator: isEqualString + left: + value: + simple: ${alert.type} + iscontext: true + right: + value: + simple: clicks permitted + ignorecase: true nexttasks: - "YES": - - "3" + 'YES': + - '3' '#default#': - - "4" + - '4' separatecontext: false - - "3": - id: "3" - taskid: "3" + view: '{"position": {"x": 592, "y": 360}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '3': + id: '3' + taskid: ee2cb1ec-3409-5f86-b500-fe08effd6eac type: regular task: - id: "3" + id: ee2cb1ec-3409-5f86-b500-fe08effd6eac name: Seed Click Count - Alert Is Click Event - description: Sets click_count=1 as a floor. Subsequent Set Click Count task uses SetAndHandleEmpty which will only overwrite if the API returns a non-empty result. If API interval misses this event, the seed of 1 is preserved. + description: Sets click_count=1 as a floor. Subsequent Set Click Count task uses SetAndHandleEmpty which will only overwrite + if the API returns a non-empty result. If API interval misses this event, the seed of 1 is preserved. 
script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.click_count value: - simple: "1" + simple: '1' append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "4" + - '4' separatecontext: false - - "4": - id: "4" - taskid: "4" + view: '{"position": {"x": 250, "y": 555}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '4': + id: '4' + taskid: db8a924c-9a49-5d3a-8240-1a4b598b4e2b type: regular task: - id: "4" + id: db8a924c-9a49-5d3a-8240-1a4b598b4e2b name: Get Email Events via Universal Command - description: Calls soc-get-email-events via SOCCommandWrapper. Runs proofpoint-get-messages-delivered and proofpoint-get-clicks-permitted against the threat URL. shadow_mode=false so enrichment is never suppressed. + description: Calls soc-get-email-events via SOCCommandWrapper. Runs proofpoint-get-messages-delivered and proofpoint-get-clicks-permitted + against the threat URL. shadow_mode=false so enrichment is never suppressed. script: SOCCommandWrapper iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: action: simple: soc-get-email-events 
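Review bot: The "Is Click Event?" condition (task 2) sends only an `alert.type` equal to "clicks permitted" down the click branch; every other type, including any blocked-click or blocked-message event the source might emit, falls to `#default#` and is handled as a delivery event, even though the declared `Email.Exposure.level` output distinguishes blocked from delivered. If the alert source carries a blocked variant it should get its own branch rather than inherit the delivered path. Separately, `Email.Exposure.high_value_user` is declared `type: String` but described as "true if a high-value user was targeted"; declare it `type: Boolean` or document the exact string values so downstream conditions compare against the right thing. The seed in task 3 stores the string "1" and the later count task overwrites it only when the API array is non-empty, so a click alert whose event falls outside the API window reports 1 rather than the true count; that is a reasonable floor but should be stated in the `click_count` output description. Task 4's arguments continue in the next hunk.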
@@ -116,21 +187,32 @@ tasks: simple: SOCFrameworkActions_V3 nexttasks: '#none#': - - "5" + - '5' separatecontext: false - continueonerrortype: "" - - "5": - id: "5" - taskid: "5" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 740}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '5': + id: '5' + taskid: 874a9608-29e0-5205-bd58-26ba982990d7 type: regular task: - id: "5" + id: 874a9608-29e0-5205-bd58-26ba982990d7 name: Get Email Forensics via Universal Command - description: Calls soc-get-email-forensics via SOCCommandWrapper. Runs proofpoint-get-forensics with threatId and campaignId. shadow_mode=false so enrichment is never suppressed. + description: Calls soc-get-email-forensics via SOCCommandWrapper. Runs proofpoint-get-forensics with threatId and campaignId. + shadow_mode=false so enrichment is never suppressed. script: SOCCommandWrapper iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: action: simple: soc-get-email-forensics 
@@ -138,21 +220,32 @@ tasks: simple: SOCFrameworkActions_V3 nexttasks: '#none#': - - "6" + - '6' separatecontext: false - continueonerrortype: "" - - "6": - id: "6" - taskid: "6" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 920}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '6': + id: '6' + taskid: f63228bb-9090-563a-8092-4e88a71655eb type: regular task: - id: "6" + id: f63228bb-9090-563a-8092-4e88a71655eb name: Set Click Count - description: Count entries in UC.Email.Events.clicks_permitted array. SetAndHandleEmpty only overwrites if non-empty, preserving the seeded value of 1 if the API returned no results. + description: Count entries in UC.Email.Events.clicks_permitted array. SetAndHandleEmpty only overwrites if non-empty, + preserving the seeded value of 1 if the API returned no results. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.click_count 
@@ -160,25 +253,36 @@ tasks: complex: root: UC.Email.Events.clicks_permitted transformers: - - operator: count + - operator: count append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "7" + - '7' separatecontext: false - - "7": - id: "7" - taskid: "7" + view: '{"position": {"x": 592, "y": 1100}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '7': + id: '7' + taskid: ad7724f4-30fa-5621-bf1d-a76d92c8b7bb type: regular task: - id: "7" + id: ad7724f4-30fa-5621-bf1d-a76d92c8b7bb name: Set Delivered Count description: Count entries in UC.Email.Events.messages_delivered array. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.delivered_count @@ -186,25 +290,36 @@ tasks: complex: root: UC.Email.Events.messages_delivered transformers: - - operator: count + - operator: count append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "8" + - '8' separatecontext: false - - "8": - id: "8" - taskid: "8" + view: '{"position": {"x": 592, "y": 1280}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '8': + id: '8' + taskid: 57870dec-108e-5ced-9299-298b059b24eb type: regular task: - id: "8" + id: 57870dec-108e-5ced-9299-298b059b24eb name: Set Mailbox Count description: Derives total mailbox count from delivered messages array length. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.mailbox_count 
@@ -212,25 +327,36 @@ tasks: complex: root: UC.Email.Events.messages_delivered transformers: - - operator: count + - operator: count append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "9" + - '9' separatecontext: false - - "9": - id: "9" - taskid: "9" + view: '{"position": {"x": 592, "y": 1460}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '9': + id: '9' + taskid: dfb7fffa-9458-51d9-ba6f-97d2663ad05c type: regular task: - id: "9" + id: dfb7fffa-9458-51d9-ba6f-97d2663ad05c name: Set Message ID description: Store the Proofpoint GUID for downstream correlation. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.message_id 
@@ -239,38 +365,60 @@ tasks: root: UC.Email.Events accessor: message_id append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "10" + - '10' separatecontext: false - - "10": - id: "10" - taskid: "10" + view: '{"position": {"x": 592, "y": 1640}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '10': + id: '10' + taskid: da1fe29c-2599-57d0-bd41-c3793077de04 type: title task: - id: "10" + id: da1fe29c-2599-57d0-bd41-c3793077de04 name: Set Classification type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "11" + - '11' separatecontext: false - - "11": - id: "11" - taskid: "11" + view: '{"position": {"x": 592, "y": 1820}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '11': + id: '11' + taskid: a116216b-cbac-5e4f-ae46-0057986cf135 type: regular task: - id: "11" + id: a116216b-cbac-5e4f-ae46-0057986cf135 name: Set Email Classification description: Pulls classification label directly from the alert field (phish/malware/spam). No secondary lookup needed. script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Classification 
@@ -279,270 +427,479 @@ tasks: root: alert accessor: classification append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "12" + - '12' separatecontext: false - - "12": - id: "12" - taskid: "12" + view: '{"position": {"x": 592, "y": 1990}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '12': + id: '12' + taskid: 06d02667-ba52-50bc-8071-9ca66854944b type: title task: - id: "12" + id: 06d02667-ba52-50bc-8071-9ca66854944b name: Determine Exposure Level type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "13" + - '13' separatecontext: false - - "13": - id: "13" - taskid: "13" + view: '{"position": {"x": 592, "y": 2170}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '13': + id: '13' + taskid: edc3ca1e-957f-50d6-9103-7bc47a42b18f type: condition task: - id: "13" + id: edc3ca1e-957f-50d6-9103-7bc47a42b18f name: Exposure Level? description: CLICKED takes priority over DELIVERED. Default with no clicks or deliveries is blocked. 
type: condition iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false conditions: - - label: CLICKED - condition: - - - operator: isNotEmpty - left: - value: - simple: ${Email.Exposure.click_count} - iscontext: true - - operator: greaterThan - left: - value: - simple: ${Email.Exposure.click_count} - iscontext: true - right: - value: - simple: "0" - - label: DELIVERED - condition: - - - operator: isNotEmpty - left: - value: - simple: ${Email.Exposure.delivered_count} - iscontext: true - - operator: greaterThan - left: - value: - simple: ${Email.Exposure.delivered_count} - iscontext: true - right: - value: - simple: "0" + - label: CLICKED + condition: + - - operator: isNotEmpty + left: + value: + simple: ${Email.Exposure.click_count} + iscontext: true + - operator: greaterThan + left: + value: + simple: ${Email.Exposure.click_count} + iscontext: true + right: + value: + simple: '0' + - label: DELIVERED + condition: + - - operator: isNotEmpty + left: + value: + simple: ${Email.Exposure.delivered_count} + iscontext: true + - operator: greaterThan + left: + value: + simple: ${Email.Exposure.delivered_count} + iscontext: true + right: + value: + simple: '0' nexttasks: CLICKED: - - "14" + - '14' DELIVERED: - - "15" + - '15' '#default#': - - "16" + - '16' separatecontext: false - - "14": - id: "14" - taskid: "14" + view: '{"position": {"x": 592, "y": 2340}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '14': + id: '14' + taskid: eb971bc0-bd59-5ea6-a07c-3473fe8a3949 type: regular task: - id: "14" + id: eb971bc0-bd59-5ea6-a07c-3473fe8a3949 name: Set Exposure Level - clicked script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: 
simple: Email.Exposure.level value: simple: clicked append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "17" + - '17' separatecontext: false - - "15": - id: "15" - taskid: "15" + view: '{"position": {"x": 150, "y": 2540}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '15': + id: '15' + taskid: 18a5cca2-e3f4-51cc-b387-475f43394077 type: regular task: - id: "15" + id: 18a5cca2-e3f4-51cc-b387-475f43394077 name: Set Exposure Level - delivered script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.level value: simple: delivered append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "17" + - '17' separatecontext: false - - "16": - id: "16" - taskid: "16" + view: '{"position": {"x": 592, "y": 2540}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '16': + id: '16' + taskid: dbf84b1c-c45b-5357-a3c8-6dc6ff187e3a type: regular task: - id: "16" + id: dbf84b1c-c45b-5357-a3c8-6dc6ff187e3a name: Set Exposure Level - blocked script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.level value: simple: blocked append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "17" + - '17' separatecontext: false - - "17": - id: "17" - taskid: "17" + view: '{"position": {"x": 1020, "y": 2540}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '17': + id: '17' + 
taskid: a4ee6ff5-88f9-56e6-b0ab-368c3cebe620 type: title task: - id: "17" + id: a4ee6ff5-88f9-56e6-b0ab-368c3cebe620 name: Determine Recipient Scope type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "18" + - '18' separatecontext: false - - "18": - id: "18" - taskid: "18" - type: regular + view: '{"position": {"x": 592, "y": 2730}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '18': + id: '18' + taskid: f66dbd21-6781-5ba1-bcb3-2d316b6ba1a3 + type: condition task: - id: "18" - name: Set Recipient Scope - description: Classifies blast radius as targeted (1-5 mailboxes) or broad (more than 5). Feeds Analysis verdict severity and blast radius fields. - script: SetAndHandleEmpty + id: f66dbd21-6781-5ba1-bcb3-2d316b6ba1a3 + version: -1 + name: Targeted Scope? (≤5 mailboxes) + description: Classifies recipient scope as targeted (1-5 mailboxes) or broad (>5). Replaces if-then-else transformer + which is not supported in XSIAM (error 52). 
+ type: condition iscommand: false - brand: "" - scriptarguments: - key: - simple: Email.Exposure.recipient_scope - value: - complex: - root: Email.Exposure.mailbox_count - transformers: - - operator: if-then-else - args: - condition: - value: - simple: lte,5 - thenValue: - value: - simple: targeted - elseValue: - value: - simple: broad - append: - simple: "false" + brand: '' + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: - '#none#': - - "19" + 'yes': + - 18a + '#default#': + - 18b + conditions: + - label: 'yes' + condition: + - - operator: lessThanOrEqual + left: + value: + simple: ${Email.Exposure.mailbox_count} + iscontext: true + right: + value: + simple: '5' separatecontext: false - - "19": - id: "19" - taskid: "19" + continueonerrortype: '' + view: '{"position": {"x": 592, "y": 2905}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '19': + id: '19' + taskid: 4fa0c2f1-85b3-571c-bd7e-ab2dfc27aea1 type: title task: - id: "19" + id: 4fa0c2f1-85b3-571c-bd7e-ab2dfc27aea1 name: High Value User Check type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "20" + - '20' separatecontext: false - - "20": - id: "20" - taskid: "20" + view: '{"position": {"x": 592, "y": 3080}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '20': + id: '20' + taskid: 72081240-6e86-5299-86da-104f60736cde type: condition task: - id: "20" + id: 72081240-6e86-5299-86da-104f60736cde name: Is Recipient a High Value User? - description: Checks whether the alert username appears in the SOCFWHighValueUsers list. 
If matched, sets Email.Exposure.high_value_user=true to escalate priority in the parent Analysis playbook. + description: Checks whether the alert username appears in the SOCFWHighValueUsers list. If matched, sets Email.Exposure.high_value_user=true + to escalate priority in the parent Analysis playbook. type: condition iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false conditions: - - label: "YES" - condition: - - - operator: inList - left: - value: - simple: ${alert.username} - iscontext: true - right: - value: - simple: ${lists.SOCFWHighValueUsers} - iscontext: true + - label: 'YES' + condition: + - - operator: inList + left: + value: + simple: ${alert.username} + iscontext: true + right: + value: + simple: ${lists.SOCFWHighValueUsers} + iscontext: true nexttasks: - "YES": - - "21" + 'YES': + - '21' '#default#': - - "22" + - '22' separatecontext: false - - "21": - id: "21" - taskid: "21" + view: '{"position": {"x": 592, "y": 3250}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + '21': + id: '21' + taskid: 3714f59d-5bf3-5075-9bc3-035a5e635edd type: regular task: - id: "21" + id: 3714f59d-5bf3-5075-9bc3-035a5e635edd name: Set High Value User Involved script: SetAndHandleEmpty iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false scriptarguments: key: simple: Email.Exposure.high_value_user value: - simple: "true" + simple: 'true' append: - simple: "false" + simple: 'false' nexttasks: '#none#': - - "22" + - '22' separatecontext: false - - "22": - id: "22" - taskid: "22" + view: '{"position": {"x": 950, "y": 3450}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + 
continueonerrortype: '' + '22': + id: '22' + taskid: 7988e1a7-1621-5254-938e-47d363c8c96b type: title task: - id: "22" + id: 7988e1a7-1621-5254-938e-47d363c8c96b name: Done type: title iscommand: false - brand: "" + brand: '' + version: -1 + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + separatecontext: false + view: '{"position": {"x": 592, "y": 3640}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: '' + 18a: + id: 18a + taskid: 6f597fb5-14f0-55f4-b4f4-21800c6be361 + type: regular + task: + id: 6f597fb5-14f0-55f4-b4f4-21800c6be361 + version: -1 + name: Set Recipient Scope — targeted + type: regular + iscommand: false + brand: '' + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + scriptName: SetAndHandleEmpty + nexttasks: + '#none#': + - '19' + scriptarguments: + key: + simple: Email.Exposure.recipient_scope + value: + simple: targeted + append: + simple: 'false' + force: + simple: 'true' + separatecontext: false + continueonerrortype: '' + view: '{"position": {"x": 250, "y": 3090}}' + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + 18b: + id: 18b + taskid: d1c24651-1cd5-5f16-9e17-a724f00fd63b + type: regular + task: + id: d1c24651-1cd5-5f16-9e17-a724f00fd63b + version: -1 + name: Set Recipient Scope — broad + type: regular + iscommand: false + brand: '' + playbooktaskmissingcomponent: null + istaskmissingcomponenterrordismissed: false + scriptName: SetAndHandleEmpty + nexttasks: + '#none#': + - '19' + scriptarguments: + key: + simple: Email.Exposure.recipient_scope + value: + simple: broad + append: + simple: 'false' + force: + simple: 'true' separatecontext: false + continueonerrortype: '' + view: '{"position": {"x": 935, "y": 3090}}' + note: false + timertriggers: [] 
+ ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 3900, "width": 1400, "x": 50, "y": 50}}}' +contentitemexportablefields: + contentitemfields: + definitionid: '' + fromServerVersion: 5.0.0 + isoverridable: false + itemVersion: 1.1.0 + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR + prevname: '' + supportedModules: [] + toServerVersion: '' diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml index 296c9604..3bc26b70 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Forensics_Evaluation_V3.yml @@ -1,8 +1,19 @@ -adopted: true +fromversion: 5.0.0 id: SOC Email Forensics Evaluation_V3 +version: 48 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 6.10.0 + toServerVersion: '' + definitionid: '' + prevname: '' + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false name: SOC Email Forensics Evaluation_V3 -version: -1 -fromversion: 6.10.0 description: "NIST IR 800-61 — Detection & Analysis — Email Forensics Evaluation\n\nAnswers: what did this threat actually\ \ do, and what forensic evidence exists?\n\nValue Driver: VD1 (Reduce Risk) — forensic data drives accurate verdict confidence\ \ and informs eradication scope.\nValue Driver: VD3 (Efficiency) — automated forensics retrieval replaces manual Proofpoint\ @@ -26,7 +37,7 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: 8ee1fe1d-e767-491c-b669-2a96023346d2 + taskid: 58238c60-26f4-4a51-a449-354a86a91458 type: start task: id: 58238c60-26f4-4a51-a449-354a86a91458 
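Review bot: Task 18's single `lessThanOrEqual` condition routes an empty or non-numeric `Email.Exposure.mailbox_count` down `#default#` to 18b, so a message whose `UC.Email.Events.messages_delivered` array never populated (task 8 only sets the key when the count is non-empty) is recorded as `recipient_scope=broad`, which inflates the blast radius the parent Analysis playbook reads. Either state this in the task description, e.g. `Empty or missing mailbox_count falls through #default# and is classified broad`, or add an `isNotEmpty` clause on `${Email.Exposure.mailbox_count}` and a third branch for the missing case. Tasks 18a and 18b also use `scriptName: SetAndHandleEmpty` plus a `force` argument while every other regular task in this file uses `script: SetAndHandleEmpty` without `force`; if both key forms resolve the same script in XSIAM this is only a consistency point, otherwise 18a/18b may bind to no script. Task 20's `inList` check against `${lists.SOCFWHighValueUsers}` carries no `ignorecase`, unlike the `isEqualString` checks above it, so a username differing only in case from the list entry would silently skip the high-value escalation; if the operator supports it, `ignorecase: true` on that condition is a one-line fix.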
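Review bot: The new header sets `fromversion: 5.0.0` while the `contentitemfields` block added in the same hunk keeps `fromServerVersion: 6.10.0` and the removed line was `fromversion: 6.10.0`; the playbook relies on `Builtin|||setIssue` further down, so advertising 5.0.0 compatibility looks like a regression rather than a widening of support, and `fromversion: 6.10.0` is the safer value unless the lower floor was tested. The `itemVersion: 1.1.0` written here also steps backwards from the `itemVersion: 3.0.0` being deleted at the bottom of this file, and `packName: SOC Framework NIST IR (800-61)` differs from the `packName: SOC Framework NIST IR` the Exposure Evaluation playbook above now declares for the same `packID`. The same three inconsistencies appear in the IOC Enrichment header hunk (`@@ -1,8 +1,19 @@`) that follows.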
@@ -41,7 +52,7 @@ tasks: - '1' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 50\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -51,7 +62,7 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: 52d84739-32bb-489c-ad29-026452a6a423 + taskid: 23698d40-5318-4874-a3fc-2df29e48818f type: title task: id: 23698d40-5318-4874-a3fc-2df29e48818f @@ -67,7 +78,7 @@ tasks: - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 195\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -77,7 +88,7 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: 7975a7ce-95f4-4b76-b968-473048a9785f + taskid: a9ab15d4-5b0f-417b-972d-f99222f79469 type: regular task: id: a9ab15d4-5b0f-417b-972d-f99222f79469 @@ -108,7 +119,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 365\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 390\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -118,7 +129,7 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: db3bd46e-1001-462f-9d6d-615c972b644a + taskid: 34c83a91-5113-49ec-9467-a2e512f9c36e type: regular task: id: 34c83a91-5113-49ec-9467-a2e512f9c36e @@ -149,7 +160,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 365\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -159,7 +170,7 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: 54b447d0-4e39-4700-af82-e3bf1b19c76c + taskid: e3ab0dcd-c048-455d-a693-92dbc2b1b1c8 type: title task: id: e3ab0dcd-c048-455d-a693-92dbc2b1b1c8 
@@ -175,7 +186,7 @@ tasks: - '5' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 555\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -185,13 +196,12 @@ tasks: isautoswitchedtoquietmode: false '5': id: '5' - taskid: 051c11cd-2a92-4159-a8c5-ebe6d41f6514 + taskid: 26c1fc39-ddc3-4489-b62d-b236d88025c0 type: condition task: id: 26c1fc39-ddc3-4489-b62d-b236d88025c0 version: -1 name: IDs Available? - type: condition description: 'Routes forensics retrieval based on which IDs are present. Campaign+Threat: fetch by threat ID with campaign forensics included. @@ -201,6 +211,7 @@ tasks: Threat Only: fetch by threat ID. Default (neither): skip forensics, proceed to summarize.' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -214,6 +225,7 @@ tasks: - '6' Threat Only: - '6' + separatecontext: false conditions: - label: Campaign + Threat condition: @@ -257,9 +269,8 @@ tasks: value: simple: SOCFramework.Email.TAP.ThreatID iscontext: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 725\n }\n}" + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -293,7 +304,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: errorPath - view: '{"position": {"x": 480, "y": 560}}' + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 1115\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -303,7 +314,7 @@ tasks: isautoswitchedtoquietmode: false '9': id: '9' - taskid: 2dfa82e2-c0a3-4257-b8fa-465d2995be0e + taskid: ad9b27bc-08eb-4964-a077-276fd21c6806 type: title task: id: ad9b27bc-08eb-4964-a077-276fd21c6806 
@@ -319,7 +330,7 @@ tasks: - '10' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 920\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -329,7 +340,7 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: 20ee7e5a-788b-41c0-8555-0f06b388d496 + taskid: 3a59d92c-4751-4a3a-8c8d-14216a33dea6 type: title task: id: 3a59d92c-4751-4a3a-8c8d-14216a33dea6 @@ -345,7 +356,7 @@ tasks: - '11' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1110\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1470\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -355,18 +366,18 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: 9f0ddb17-9f95-4cb7-b17f-fd4ed9d9d056 + taskid: 4922ac4e-dbc1-443e-ad10-d6fb584a0cf7 type: condition task: id: 4922ac4e-dbc1-443e-ad10-d6fb584a0cf7 version: -1 name: Forensics Data Exists? - type: condition description: 'Checks for Proofpoint.Report.Behavior as the presence signal for forensics data. Behavior is always populated when forensics are returned. Future: swap to UC.Email.Forensics.behavior when SOCCommandWrapper output_map is implemented.' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -376,6 +387,7 @@ tasks: - '13' 'yes': - '12' + separatecontext: false conditions: - label: 'yes' condition: @@ -384,9 +396,8 @@ tasks: value: simple: Proofpoint.Report.Behavior iscontext: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1280\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1640\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -396,19 +407,19 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: 6a1304af-0509-49c1-b087-4eba3e2fd23d + taskid: d04043ad-70d5-49d8-8f48-974eea15cd6b type: regular task: id: d04043ad-70d5-49d8-8f48-974eea15cd6b version: -1 name: Summarize Forensic Data description: Write forensics summary to warroom. + script: Builtin|||setIssue type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||setIssue nexttasks: '#none#': - '13' @@ -477,7 +488,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1465\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 1825\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -487,7 +498,7 @@ tasks: isautoswitchedtoquietmode: false '13': id: '13' - taskid: 92681567-a6a3-4f7c-ab37-be78ea3e7c10 + taskid: 56453e3b-ec35-42a6-8bcd-bff24e97838c type: regular task: id: 56453e3b-ec35-42a6-8bcd-bff24e97838c @@ -515,7 +526,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1655\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2010\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -525,7 +536,7 @@ tasks: isautoswitchedtoquietmode: false '14': id: '14' - taskid: a1ed723f-c2b6-4c76-b98c-012287bf2fe8 + taskid: de4bb3fe-9e59-4e52-af23-e84c194c80ab type: title task: id: de4bb3fe-9e59-4e52-af23-e84c194c80ab @@ -536,10 +547,9 @@ tasks: brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1835\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2195\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -547,8 +557,18 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2205,\n \"width\":\ + \ 492.5,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: [] -inputSections: [] +outputSections: +- outputs: + - SOCFramework.Email.TAP.CampaignID + - SOCFramework.Email.TAP.ThreatID + - Analysis.Email.forensics_available + name: Forensics Contract + description: CampaignID and ThreatID consumed by Exposure Evaluation XQL filter. forensics_available consumed by Analysis + Evaluation narrative. outputs: - contextPath: SOCFramework.Email.TAP.CampaignID description: Proofpoint TAP campaign ID — extracted from alert.proofpointtapcampaignid @@ -560,25 +580,4 @@ outputs: - contextPath: Analysis.Email.forensics_available description: True if Proofpoint.Report.Behavior was populated by forensics retrieval type: boolean -outputSections: -- outputs: - - SOCFramework.Email.TAP.CampaignID - - SOCFramework.Email.TAP.ThreatID - - Analysis.Email.forensics_available - name: Forensics Contract - description: CampaignID and ThreatID consumed by Exposure Evaluation XQL filter. forensics_available consumed by Analysis - Evaluation narrative. -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1890,\n \"width\":\ - \ 1350,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" -contentitemexportablefields: - contentitemfields: - definitionid: '' - fromServerVersion: 6.10.0 - isoverridable: false - itemVersion: 3.0.0 - packID: soc-framework-nist-ir - packName: SOC Framework NIST IR - prevname: '' - supportedModules: [] - toServerVersion: '' -dirtyInputs: false +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml index eee3dc9f..05b06b70 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml 
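Review bot: `system: true` is added at the top level of the playbook with no mention in the commit description; if XSIAM treats this flag as marking a locked, system-owned item, analysts would lose the ability to edit or duplicate the playbook after install, so confirm it is intended and, if it is, document it next to the flag, e.g. `# system: true — content is managed by the pack, not editable in the UI`. The same hunk drops `dirtyInputs: false` (matching the "Cleared dirtyInputs" note) and `inputSections: []`, while `outputSections` and `contentitemexportablefields` are only moved; those are layout-only and fine.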
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_IOC_Enrichment_V3.yml @@ -1,8 +1,19 @@ -adopted: true +fromversion: 5.0.0 id: SOC Email IOC Enrichment_V3 +version: 41 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 6.10.0 + toServerVersion: '' + definitionid: '' + prevname: '' + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false name: SOC Email IOC Enrichment_V3 -version: -1 -fromversion: 6.10.0 description: "NIST IR 800-61 — Detection & Analysis — Email IOC Enrichment\n\nCreates indicators in XSIAM TIM, assigns Proofpoint\ \ DBot scores, and checks sender prevalence before Signal Characterization runs.\n\nMUST run before SOC Email Signal Characterization_V3\ \ — Signal Characterization reads DBotScore.Score via GetIndicatorDBotScoreFromCache. If no indicator exists with a score,\ @@ -26,7 +37,7 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: 4dbf16a9-878a-4f02-81f8-bbc7d84ab027 + taskid: 51b4a7c9-3f34-480b-a0f8-bf48cbe81ca5 type: start task: id: 51b4a7c9-3f34-480b-a0f8-bf48cbe81ca5 @@ -42,7 +53,7 @@ tasks: - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 50\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -52,16 +63,16 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: b9e71c8d-a4ee-40ef-9e10-4be78fba8eea + taskid: 3ef80573-d0c0-4812-b210-a6ba459d5df7 type: condition task: id: 3ef80573-d0c0-4812-b210-a6ba459d5df7 version: -1 name: Is URL Threat? - type: condition description: 'Routes to URL IOC creation if threatType contains "url". Source: alert.proofpointtapthreatinfomap.threatType' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null 
@@ -71,6 +82,7 @@ tasks: - '10' 'yes': - '3' + separatecontext: false conditions: - label: 'yes' condition: @@ -83,9 +95,8 @@ tasks: value: simple: url ignorecase: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 220\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -95,16 +106,16 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: 445d06e5-1448-45a2-ad49-ae786bb96b17 + taskid: 84eb463d-e7c3-44e4-b860-264f5ed4c2b0 type: condition task: id: 84eb463d-e7c3-44e4-b860-264f5ed4c2b0 version: -1 name: Is Attachment Threat? - type: condition description: 'Routes to File IOC creation if threatType contains "attachment". Source: alert.proofpointtapthreatinfomap.threatType' + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -114,6 +125,7 @@ tasks: - '10' 'yes': - '6' + separatecontext: false conditions: - label: 'yes' condition: @@ -126,9 +138,8 @@ tasks: value: simple: attachment ignorecase: true - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 220\n }\n}" + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -138,7 +149,7 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: 5d24be2e-ef81-45de-a428-6f74f9eb1edc + taskid: 7374b5c1-3696-4a0d-905b-7219add8b604 type: title task: id: 7374b5c1-3696-4a0d-905b-7219add8b604 @@ -154,7 +165,7 @@ tasks: - '4' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 410\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -164,33 +175,33 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: 4bddec58-29a6-499a-9294-fd8197baf0aa + taskid: d0a414b4-2386-452a-8845-3d8f093d97c1 type: regular task: id: d0a414b4-2386-452a-8845-3d8f093d97c1 version: -1 name: Create URL Indicator description: commands.local.cmd.new.indicator + script: Builtin|||createNewIndicator type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||createNewIndicator nexttasks: '#none#': - '5' scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} type: simple: URL value: simple: ${inputs.ThreatURL} - proofpointtaplink: - simple: ${inputs.ThreatURL} separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 580\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -200,7 +211,7 @@ tasks: isautoswitchedtoquietmode: false '5': id: '5' - taskid: 4ee8414d-6347-4af9-8405-2adf07865451 + taskid: 3442ffab-32ee-4a8a-bcb0-199f1d213433 type: regular task: id: 3442ffab-32ee-4a8a-bcb0-199f1d213433 @@ -237,16 +248,16 @@ tasks: accessor: threat indicatorType: simple: URL - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 750\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -256,7 +267,7 @@ tasks: isautoswitchedtoquietmode: false '6': id: '6' - taskid: a067fb55-ca99-4d8c-b30d-f223279a8873 + taskid: 75fc0a2c-1eee-45aa-9c18-4dcd9930b090 type: title task: id: 75fc0a2c-1eee-45aa-9c18-4dcd9930b090 
@@ -272,7 +283,7 @@ tasks: - '7' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 410\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 405\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -282,23 +293,25 @@ tasks: isautoswitchedtoquietmode: false '7': id: '7' - taskid: d23dba56-3b32-40e5-a5cf-b074dc0ee249 + taskid: 6eb0b22e-c455-4017-909b-fcac0dcadef9 type: regular task: id: 6eb0b22e-c455-4017-909b-fcac0dcadef9 version: -1 name: Create File Indicator description: commands.local.cmd.new.indicator + script: Builtin|||createNewIndicator type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||createNewIndicator nexttasks: '#none#': - '8' scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} type: simple: File value: @@ -314,12 +327,10 @@ tasks: value: simple: attachment accessor: threat - proofpointtaplink: - simple: ${inputs.ThreatURL} separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 580\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -329,7 +340,7 @@ tasks: isautoswitchedtoquietmode: false '8': id: '8' - taskid: ce5967db-a458-4f65-9604-1f236f5e6880 + taskid: 3fcdac81-a1ab-40a5-a7c3-db7d4c938146 type: regular task: id: 3fcdac81-a1ab-40a5-a7c3-db7d4c938146 @@ -364,16 +375,16 @@ tasks: accessor: threat indicatorType: simple: File - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 750\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -383,7 +394,7 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: 8f826b03-587b-403f-8510-e53142377b3a + taskid: 5836d8b7-0139-4593-9591-6f76ecd5e12c type: title task: id: 5836d8b7-0139-4593-9591-6f76ecd5e12c @@ -399,7 +410,7 @@ tasks: - '11' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 940\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 945\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -409,19 +420,19 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: dc1fd8e1-fa0d-49f0-803b-c7f29039c258 + taskid: 909e7a45-863f-4386-9512-f2b74b6e3394 type: regular task: id: 909e7a45-863f-4386-9512-f2b74b6e3394 version: -1 name: Tag Indicators — ProofpointTAPThreat description: commands.local.cmd.set.indicators + script: Builtin|||setIndicators type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||setIndicators nexttasks: '#none#': - '12' @@ -441,7 +452,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1110\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 1115\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -451,7 +462,7 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: bfb1f0b3-d369-464b-b168-8676f0644f44 + taskid: d69488a6-e95c-4093-9ef3-42a309a558de type: title task: id: d69488a6-e95c-4093-9ef3-42a309a558de @@ -468,7 +479,7 @@ tasks: - g14i separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1295\n }\n}" + view: "{\n \"position\": {\n \"x\": 275,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -478,7 +489,7 @@ tasks: isautoswitchedtoquietmode: false '13': id: '13' - taskid: 09c034a7-8cce-4f8d-857c-b6c07b6e7c8e + taskid: 8b0aa331-6462-474b-a197-794408e55a53 type: regular task: id: 8b0aa331-6462-474b-a197-794408e55a53 @@ -513,7 +524,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1465\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 1655\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -523,7 +534,7 @@ tasks: isautoswitchedtoquietmode: false '14': id: '14' - taskid: 28c03dbd-1d0e-40b6-a826-38fc076f6296 + taskid: a5c33cc5-43e6-4fb4-9c45-7edd74671856 type: regular task: id: a5c33cc5-43e6-4fb4-9c45-7edd74671856 @@ -542,14 +553,14 @@ tasks: '#none#': - '16' scriptarguments: - ip_address: - simple: ${alert.localip} extend-context: simple: Core=. + ip_address: + simple: ${alert.localip} separatecontext: false continueonerror: true continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 1465\n }\n}" + view: "{\n \"position\": {\n \"x\": 612.5,\n \"y\": 1655\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -559,14 +570,14 @@ tasks: isautoswitchedtoquietmode: false '15': id: '15' - taskid: b24c7af1-db37-46d4-bc6d-34a7cd382c91 + taskid: 3d5dfa1e-914d-4a49-8646-35a649e78e59 type: condition task: id: 3d5dfa1e-914d-4a49-8646-35a649e78e59 version: -1 name: Non-Prevalent Domain? - type: condition description: isFalse = prevalence returned 0 or false — domain is uncommon in environment. + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -576,6 +587,7 @@ tasks: - '18' 'yes': - '17' + separatecontext: false conditions: - label: 'yes' condition: 
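Review bot: The `@@ -513,7 +524,7 @@` hunk (task '13' by position) keeps `continueonerrortype: errorPath` next to `continueonerror: true`, and task '14' in the following `@@ -542,14 +553,14 @@` hunk does the same with only a `'#none#'` next task. The commit message attributes the halt of the parent playbook to exactly this setting, and this commit changes it to `continueonerrortype: ''` on the domain prevalence task in SOC_Email_Signal_Characterization_V3.yml (`@@ -429,7 +430,17 @@`), but the IP prevalence task '14' there (`@@ -482,19 +493,25 @@`) and both prevalence tasks here are left on `errorPath`. Unless an `#error#` branch is defined outside these hunks, the fix should be applied uniformly: `continueonerrortype: ''`.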
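Review bot: The prevalence lookup in task '14' (`@@ -542,14 +553,14 @@`) stays bound to `${alert.localip}`, while the gate that routes into it is named `Sender IP Available?` and the sibling task in SOC_Email_Signal_Characterization_V3.yml now reads `${inputs.SenderIP}` (`@@ -482,19 +493,25 @@`). If `alert.localip` is the recipient-side endpoint address rather than the sending host, the `Non-Prevalent IP?` decision downstream is computed against the wrong address; the argument reorder in this hunk is the place to align it with the Signal Characterization binding. The task's name and the gate condition sit outside this hunk, so the mismatch is inferred from the surrounding task names.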
@@ -586,9 +598,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1640\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1840\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -598,14 +609,14 @@ tasks: isautoswitchedtoquietmode: false '16': id: '16' - taskid: 153c3a70-ff56-4947-a785-35ead26c8401 + taskid: 15c6b46c-d16a-4d18-928c-f6c9fbf7573a type: condition task: id: 15c6b46c-d16a-4d18-928c-f6c9fbf7573a version: -1 name: Non-Prevalent IP? - type: condition description: isFalse = prevalence returned 0 or false — IP is uncommon in environment. + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null @@ -615,6 +626,7 @@ tasks: - '18' 'yes': - '17' + separatecontext: false conditions: - label: 'yes' condition: @@ -625,9 +637,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 1640\n }\n}" + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1840\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -637,19 +648,19 @@ tasks: isautoswitchedtoquietmode: false '17': id: '17' - taskid: 639b7a40-749a-42fe-bd3b-710988a06fd9 + taskid: 477cd42f-a96c-4fdc-bf00-bca587ca6d5c type: regular task: id: 477cd42f-a96c-4fdc-bf00-bca587ca6d5c version: -1 name: Tag Indicators — Uncommon description: commands.local.cmd.set.indicators + script: Builtin|||setIndicators type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - script: Builtin|||setIndicators nexttasks: '#none#': - '18' @@ -679,7 +690,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1830\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2025\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -689,7 +700,7 @@ tasks: isautoswitchedtoquietmode: false '18': id: '18' - taskid: ed1fa2dc-a6ee-4dc0-b466-d8b9c677f8b5 + taskid: 76fe7d6f-983f-4e02-a951-b4486c6df70e type: title task: id: 76fe7d6f-983f-4e02-a951-b4486c6df70e @@ -705,7 +716,7 @@ tasks: - '19' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2015\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2210\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -715,7 +726,7 @@ tasks: isautoswitchedtoquietmode: false '19': id: '19' - taskid: f84b5358-1d0b-4ba6-b023-c55718879d50 + taskid: c8d44496-0e09-4142-a02e-d26e5f35efaa type: regular task: id: c8d44496-0e09-4142-a02e-d26e5f35efaa @@ -742,7 +753,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2185\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2380\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -752,7 +763,7 @@ tasks: isautoswitchedtoquietmode: false '20': id: '20' - taskid: a761892d-3a24-44a2-9c01-7c123ba38b3f + taskid: 86d7087c-5dad-4030-8568-d9de9c2025d0 type: title task: id: 86d7087c-5dad-4030-8568-d9de9c2025d0 @@ -763,10 +774,9 @@ tasks: brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2355\n }\n}" + view: "{\n \"position\": {\n \"x\": 162.5,\n \"y\": 2565\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -776,10 +786,10 @@ tasks: isautoswitchedtoquietmode: false g13: id: g13 - taskid: gateg13-sig-alert.pr-check1234 + taskid: 058bc382-11ec-5a21-8a2f-69ad191b87d7 type: condition task: - id: gateg13-sig-alert.pr-check1234 + id: 058bc382-11ec-5a21-8a2f-69ad191b87d7 version: -1 name: Sender Domain Available? description: Skip Sender Domain prevalence check if value is empty — continueonerror fallback. 
@@ -793,6 +803,7 @@ tasks: - '15' 'yes': - '13' + separatecontext: false conditions: - label: 'yes' condition: @@ -803,9 +814,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1470\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -815,10 +825,10 @@ tasks: isautoswitchedtoquietmode: false g14i: id: g14i - taskid: gateg14i-sig-alert.lo-check1234 + taskid: e83f74d6-846e-5f27-a381-27a791b2b82c type: condition task: - id: gateg14i-sig-alert.lo-check1234 + id: e83f74d6-846e-5f27-a381-27a791b2b82c version: -1 name: Sender IP Available? description: Skip Sender IP prevalence check if value is empty — continueonerror fallback. @@ -832,6 +842,7 @@ tasks: - '16' 'yes': - '14' + separatecontext: false conditions: - label: 'yes' condition: @@ -842,9 +853,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1470\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -852,6 +862,9 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2575,\n \"width\":\ + \ 942.5,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: ThreatURL value: 
@@ -864,27 +877,14 @@ inputSections: - ThreatURL name: IOC Enrichment Inputs description: Inputs passed from SOC Email Analysis_V3. -outputs: -- contextPath: Analysis.Email.ioc_enriched - description: true when IOC creation and DBot score assignment completed - type: boolean outputSections: - outputs: - Analysis.Email.ioc_enriched name: Enrichment Contract description: Flag consumed by Analysis Evaluation story. DBotScore.* written to context and consumed by Signal Characterization GetIndicatorDBotScoreFromCache. -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2410,\n \"width\":\ - \ 1200,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" -contentitemexportablefields: - contentitemfields: - definitionid: '' - fromServerVersion: 6.10.0 - isoverridable: false - itemVersion: 3.0.0 - packID: soc-framework-nist-ir - packName: SOC Framework NIST IR - prevname: '' - supportedModules: [] - toServerVersion: '' -dirtyInputs: false +outputs: +- contextPath: Analysis.Email.ioc_enriched + description: true when IOC creation and DBot score assignment completed + type: boolean +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml index 760cf5d6..e7c085ca 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Signal_Characterization_V3.yml 
@@ -1,8 +1,19 @@ -adopted: true +fromversion: 5.0.0 id: SOC Email Signal Characterization_V3 +version: 11 +contentitemexportablefields: + contentitemfields: + packID: soc-framework-nist-ir + packName: SOC Framework NIST IR (800-61) + itemVersion: 1.1.0 + fromServerVersion: 6.10.0 + toServerVersion: '' + definitionid: '' + prevname: '' + isoverridable: false + supportedModules: [] +vcShouldKeepItemLegacyProdMachine: false name: SOC Email Signal Characterization_V3 -version: -1 -fromversion: 6.10.0 description: "Purpose\nDetermine what kind of email threat this is and build the indicator intelligence needed for verdict\ \ resolution.\n\nThis is not verdict determination — that belongs in SOC Email Verdict Resolution_V3.\nThis playbook answers:\ \ what is the nature of the threat object?\n\nSignal Types Produced:\n url_phish — threat type is URL (phishing link,\ @@ -36,7 +47,7 @@ tasks: - '1' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 50\n }\n}" + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -52,17 +63,17 @@ tasks: id: 5bdf589d-bd70-4316-b817-34b201a9952c version: -1 name: Characterize Threat Type + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 195\n }\n}" + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -78,29 +89,20 @@ tasks: id: c2893eed-6d85-4b5a-9564-19e8cec61f2e version: -1 name: What is the Threat Type? + description: Routes on SOCFramework.Artifacts.Email.ThreatType to determine IOC creation and enrichment path. + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Routes on SOCFramework.Artifacts.Email.ThreatType to determine IOC creation and enrichment path. - type: condition nexttasks: '#default#': - '10' - URL: - - '3' Attachment: - '7' + URL: + - '3' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 365\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: URL condition: @@ -124,6 +126,15 @@ tasks: value: simple: attachment ignorecase: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 390\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '3': id: '3' taskid: 88bbf74f-0a0a-4fa3-b8fc-ad62b38a7eeb 
@@ -132,19 +143,26 @@ tasks: id: 88bbf74f-0a0a-4fa3-b8fc-ad62b38a7eeb version: -1 name: Create URL Indicator + description: Creates a URL indicator from the threat URL extracted at entry point. + script: Builtin|||createNewIndicator + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Creates a URL indicator from the threat URL extracted at entry point. - type: regular - script: Builtin|||createNewIndicator nexttasks: '#none#': - '4' + scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} + type: + simple: URL + value: + simple: ${inputs.ThreatURL} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 560\n }\n}" + view: "{\n \"position\": {\n \"x\": 265,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -152,13 +170,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - value: - simple: ${inputs.ThreatURL} - type: - simple: URL - proofpointtaplink: - simple: ${inputs.ThreatURL} '4': id: '4' taskid: 0e891e39-9645-463f-86d0-b0ec9101f706 
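Review bot: Task '3' `Create URL Indicator` is regrouped with `continueonerrortype: ''` but no `continueonerror` key, whereas its twin in SOC_Email_IOC_Enrichment_V3.yml (`@@ -164,33 +175,33 @@`) carries `continueonerror: true`. The IOC Enrichment description says it must run first and creates the same URL indicator, so this second `createNewIndicator` on an already-existing value is the call most likely to report an error, and without `continueonerror: true` a failure here stops the whole characterization run. If the stop is intended, a one-line `description` note saying so would help; otherwise add `continueonerror: true` as in the enrichment playbook.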
@@ -167,38 +178,38 @@ tasks: id: 0e891e39-9645-463f-86d0-b0ec9101f706 version: -1 name: Assign DBot Score — URL + description: Seeds DBot score for the threat URL from Proofpoint TAP signal. + scriptName: AddDBotScoreToContext + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Seeds DBot score for the threat URL from Proofpoint TAP signal. - type: regular - scriptName: AddDBotScoreToContext nexttasks: '#none#': - '5' - '6' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 740\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 2 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicator: simple: ${inputs.ThreatURL} indicatorType: simple: URL - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 265,\n \"y\": 760\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false '5': id: '5' taskid: 3b410dc5-8726-46bb-a70e-159b99fb1bd8 
@@ -207,19 +218,22 @@ tasks: id: 3b410dc5-8726-46bb-a70e-159b99fb1bd8 version: -1 name: Extract Domains from URL Threat + description: Extracts domain indicators from the threat URL for prevalence analysis. + script: Builtin|||extractIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Extracts domain indicators from the threat URL for prevalence analysis. - type: regular - script: Builtin|||extractIndicators nexttasks: '#none#': - '11' + scriptarguments: + text: + simple: ${inputs.ThreatURL} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 920\n }\n}" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 945\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -227,9 +241,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - text: - simple: ${inputs.ThreatURL} '6': id: '6' taskid: b4161365-b353-4eba-9886-5051c8909f3d @@ -238,19 +249,23 @@ tasks: id: b4161365-b353-4eba-9886-5051c8909f3d version: -1 name: Rasterize URL + description: Captures a screenshot of the threat URL for analyst review. Best-effort — continues on error. + script: '|||rasterize' + type: regular iscommand: true brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Captures a screenshot of the threat URL for analyst review. Best-effort — continues on error. - type: regular - script: '|||rasterize' nexttasks: '#none#': - '11' + scriptarguments: + url: + simple: ${inputs.ThreatURL} separatecontext: false + continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 920\n }\n}" + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 945\n }\n}" note: false timertriggers: [] ignoreworker: false 
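Review bot: Task '6' in `@@ -238,19 +249,23 @@` passes `${inputs.ThreatURL}` — the attacker-controlled phishing URL — to `rasterize`, so the screenshot is a live fetch from wherever that integration runs: the request is observable to the operator of the URL and can consume a one-time link before any later analysis step sees it. The task description should state this so deployers place the integration on an isolated engine, e.g. `description: Captures a screenshot of the threat URL for analyst review. Best-effort — continues on error. Performs a live fetch of the threat URL from the rasterize integration host; run that integration on an isolated engine.` Moving `continueonerror: true` next to the other flags is fine for a best-effort task.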
@@ -258,10 +273,6 @@ tasks: quietmode: 2 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - url: - simple: ${inputs.ThreatURL} - continueonerror: true '7': id: '7' taskid: 0b69ca12-08ef-4b3e-afaf-3862617168dd @@ -270,19 +281,26 @@ tasks: id: 0b69ca12-08ef-4b3e-afaf-3862617168dd version: -1 name: Create File Indicator + description: Creates a File indicator from the attachment hash extracted at entry point. + script: Builtin|||createNewIndicator + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Creates a File indicator from the attachment hash extracted at entry point. - type: regular - script: Builtin|||createNewIndicator nexttasks: '#none#': - '8' + scriptarguments: + proofpointtaplink: + simple: ${inputs.ThreatURL} + type: + simple: File + value: + simple: ${inputs.ThreatIndicator} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 560\n }\n}" + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 760\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -290,13 +308,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - value: - simple: ${inputs.ThreatIndicator} - type: - simple: File - proofpointtaplink: - simple: ${inputs.ThreatURL} '8': id: '8' taskid: e0106919-475c-4d4a-af74-2b7e3ca023c5 
@@ -305,37 +316,37 @@ tasks: id: e0106919-475c-4d4a-af74-2b7e3ca023c5 version: -1 name: Assign DBot Score — File + description: Seeds DBot score for the attachment hash from Proofpoint TAP signal. + scriptName: AddDBotScoreToContext + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Seeds DBot score for the attachment hash from Proofpoint TAP signal. - type: regular - scriptName: AddDBotScoreToContext nexttasks: '#none#': - '11' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 740\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 2 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicator: simple: ${inputs.ThreatIndicator} indicatorType: simple: File - score: - simple: '2' reliability: simple: C - Fairly reliable + score: + simple: '2' vendor: simple: Proofpoint TAP + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 945\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false '10': id: '10' taskid: 597e2d1e-b058-462b-b10a-ca9c460a07dd @@ -344,17 +355,17 @@ tasks: id: 597e2d1e-b058-462b-b10a-ca9c460a07dd version: -1 name: Unknown Threat Type + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '11' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 560\n }\n}" + view: "{\n \"position\": {\n \"x\": 1340,\n \"y\": 952.5\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -370,17 +381,17 @@ tasks: id: a6a7a4c2-216f-4453-bdfe-2e5329a49f79 version: -1 name: Sender Prevalence Checks + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - g12 separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1110\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1130\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -396,27 +407,17 @@ tasks: id: 7d6781b0-a2be-4d00-8d74-6911e25d1c04 version: -1 name: Sender Domain Prevalence Check + description: Checks whether the sender domain has been seen before in the environment. Low prevalence is an indicator + of a first-seen phishing domain. + script: '|||core-get-domain-analytics-prevalence' + type: regular iscommand: true brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Checks whether the sender domain has been seen before in the environment. Low prevalence is an indicator - of a first-seen phishing domain. - type: regular - script: '|||core-get-domain-analytics-prevalence' nexttasks: '#none#': - '13' - separatecontext: false - continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1280\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: domain_name: complex: @@ -429,7 +430,17 @@ tasks: simple: '@' extend-context: simple: Core=. + separatecontext: false continueonerror: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 582.5,\n \"y\": 1485\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '13': id: '13' taskid: 0205ceb1-4015-4b2d-ab0b-07157927e28a 
@@ -438,26 +449,17 @@ tasks: id: 0205ceb1-4015-4b2d-ab0b-07157927e28a version: -1 name: Non-Prevalent Domain? + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - g14 'yes': - '15' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1460\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: 'yes' condition: @@ -474,6 +476,15 @@ tasks: iscontext: true accessor: value iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1670\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '14': id: '14' taskid: a0e1cb99-bb2f-4beb-b72d-8a1ac9a371b2 @@ -482,19 +493,25 @@ tasks: id: a0e1cb99-bb2f-4beb-b72d-8a1ac9a371b2 version: -1 name: Sender IP Prevalence Check + description: Checks sender IP prevalence. Low prevalence may indicate a new sending infrastructure. + script: '|||core-get-IP-analytics-prevalence' + type: regular iscommand: true brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Checks sender IP prevalence. Low prevalence may indicate a new sending infrastructure. - type: regular - script: '|||core-get-IP-analytics-prevalence' nexttasks: '#none#': - '16' + scriptarguments: + extend-context: + simple: Core=. + ip_address: + simple: ${inputs.SenderIP} separatecontext: false + continueonerror: true continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 1650\n }\n}" + view: "{\n \"position\": {\n \"x\": 582.5,\n \"y\": 2225\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -502,12 +519,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - ip_address: - simple: ${inputs.SenderIP} - extend-context: - simple: Core=. - continueonerror: true '15': id: '15' taskid: 171e6204-bb58-431f-9307-f4f3e202097f @@ -516,25 +527,15 @@ tasks: id: 171e6204-bb58-431f-9307-f4f3e202097f version: -1 name: Tag Domain — Uncommon + script: Builtin|||setIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - script: Builtin|||setIndicators nexttasks: '#none#': - g14 - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 340,\n \"y\": 1650\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicatorsValues: complex: @@ -558,6 +559,16 @@ tasks: simple: ',' tags: simple: Uncommon + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 1855\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '16': id: '16' taskid: 8369ebbf-da84-4ec0-8472-83ee1cbb7b8f @@ -566,26 +577,17 @@ tasks: id: 8369ebbf-da84-4ec0-8472-83ee1cbb7b8f version: -1 name: Non-Prevalent IP? + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - '17' 'yes': - '18' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 1835\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: 'yes' condition: 
@@ -602,6 +604,15 @@ tasks: iscontext: true accessor: value iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2410\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '17': id: '17' taskid: 5a8cc61c-8e3e-47bd-9fad-755db1711b87 @@ -610,17 +621,17 @@ tasks: id: 5a8cc61c-8e3e-47bd-9fad-755db1711b87 version: -1 name: Tag Indicators + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '19' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 2025\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2780\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -636,25 +647,15 @@ tasks: id: 5a9b09d2-5d6e-47d9-8f15-506fb793be98 version: -1 name: Tag IP — Uncommon + script: Builtin|||setIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - script: Builtin|||setIndicators nexttasks: '#none#': - '17' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 600,\n \"y\": 2025\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicatorsValues: complex: @@ -678,6 +679,16 @@ tasks: simple: ',' tags: simple: Uncommon + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 2595\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '19': id: '19' taskid: d63ac3d3-a6ca-41dc-88f8-ea9309fe1450 
@@ -686,26 +697,16 @@ tasks: id: d63ac3d3-a6ca-41dc-88f8-ea9309fe1450 version: -1 name: Tag Threat Indicators + description: Tags all threat indicators with the detection source for downstream filtering and reporting. + script: Builtin|||setIndicators + type: regular iscommand: true brand: Builtin playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Tags all threat indicators with the detection source for downstream filtering and reporting. - type: regular - script: Builtin|||setIndicators nexttasks: '#none#': - '20' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2210\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: indicatorsValues: complex: @@ -718,6 +719,16 @@ tasks: simple: ',' tags: simple: ProofpointTAPThreat + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2950\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '20': id: '20' taskid: c22b6d6c-cb2a-4870-98e8-75d350a5d666 @@ -726,26 +737,17 @@ tasks: id: c22b6d6c-cb2a-4870-98e8-75d350a5d666 version: -1 name: Threat Indicator Defined? + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - '23' 'yes': - '21' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2400\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: 'yes' condition: 
@@ -754,6 +756,15 @@ tasks: value: simple: inputs.ThreatIndicator iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3135\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '21': id: '21' taskid: 160fc4ae-0779-4852-89e5-9c6b80fd678a @@ -762,19 +773,23 @@ tasks: id: 160fc4ae-0779-4852-89e5-9c6b80fd678a version: -1 name: Get Indicator DBot Score + description: Retrieves the cached DBot score for the threat indicator to use in verdict resolution. + scriptName: GetIndicatorDBotScoreFromCache + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Retrieves the cached DBot score for the threat indicator to use in verdict resolution. - type: regular - scriptName: GetIndicatorDBotScoreFromCache nexttasks: '#none#': - '22' + scriptarguments: + value: + simple: ${inputs.ThreatIndicator} separatecontext: false + continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 2590\n }\n}" + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 3320\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -782,10 +797,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - value: - simple: ${inputs.ThreatIndicator} - continueonerror: true '22': id: '22' taskid: 97d2885d-b15b-4b36-b1c0-40e01db2fbbe 
@@ -794,28 +805,22 @@ tasks: id: 97d2885d-b15b-4b36-b1c0-40e01db2fbbe version: -1 name: Set Email Source Verdict from DBot + description: Maps the numeric DBot score to the standard source_verdict string used in Analysis. Used as a secondary + signal — primary verdict comes from Proofpoint ThreatStatus. + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - description: Maps the numeric DBot score to the standard source_verdict string used in Analysis. Used as a secondary - signal — primary verdict comes from Proofpoint ThreatStatus. - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '23' - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 2775\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false scriptarguments: + append: + simple: 'false' + force: + simple: 'true' key: simple: Analysis.Email.source_verdict value: @@ -838,10 +843,16 @@ tasks: value: simple: benign,suspicious,malicious sep: {} - append: - simple: 'false' - force: - simple: 'true' + separatecontext: false + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 3505\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '23': id: '23' taskid: 779d977b-7cd8-4322-8045-cbab913210e0 
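Review bot: Task 22 writes `Analysis.Email.source_verdict` with `force: 'true'` from the cached DBot score, but nothing visible in the hunk keeps a score of 0 (unknown) from being mapped onto the `benign,suspicious,malicious` list; if the transformer is a positional lookup, an unknown indicator lands on `benign` and a score of 3 has no entry at all. Since this value is consumed as a secondary verdict signal, treating unknown as benign is the unsafe direction. Consider a condition task between 21 and 22 that proceeds only when the score is greater than 0, or extend the list so index 0 reads `unknown`. The transformer chain under `value:` starts in the unshown lines between the two hunks, so verify the mapping there.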
@@ -850,17 +861,17 @@ tasks: id: 779d977b-7cd8-4322-8045-cbab913210e0 version: -1 name: Set Signal Type + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title nexttasks: '#none#': - '24' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 2960\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3690\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -876,28 +887,19 @@ tasks: id: c91af9b6-2a49-4585-a96f-8e94b1572c1c version: -1 name: Classify Signal Type + type: condition iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: condition nexttasks: '#default#': - '27' - URL Phish: - - '25' File Malware: - '26' + URL Phish: + - '25' separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 3130\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false conditions: - label: URL Phish condition: @@ -921,6 +923,15 @@ tasks: value: simple: attachment ignorecase: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3860\n }\n}" + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false '25': id: '25' taskid: 2b8c2bd5-c608-4083-bf1b-d598cfa93e97 
@@ -929,18 +940,27 @@ tasks: id: 2b8c2bd5-c608-4083-bf1b-d598cfa93e97 version: -1 name: Set Signal Type — url_phish + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '28' + scriptarguments: + append: + simple: 'false' + force: + simple: 'true' + key: + simple: Analysis.Email.signal_type + value: + simple: url_phish separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 3320\n }\n}" + view: "{\n \"position\": {\n \"x\": 265,\n \"y\": 4045\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -948,15 +968,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - key: - simple: Analysis.Email.signal_type - value: - simple: url_phish - append: - simple: 'false' - force: - simple: 'true' '26': id: '26' taskid: ace0321d-e7e3-4fea-a901-583b475a9687 @@ -965,18 +976,27 @@ tasks: id: ace0321d-e7e3-4fea-a901-583b475a9687 version: -1 name: Set Signal Type — file_malware + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '28' + scriptarguments: + append: + simple: 'false' + force: + simple: 'true' + key: + simple: Analysis.Email.signal_type + value: + simple: file_malware separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 3320\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 4045\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -984,15 +1004,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - key: - simple: Analysis.Email.signal_type - value: - simple: file_malware - append: - simple: 'false' - force: - simple: 'true' '27': id: '27' taskid: 733d359e-2a41-4ce2-bb62-e9bbcebc0234 @@ -1001,18 +1012,27 @@ tasks: id: 733d359e-2a41-4ce2-bb62-e9bbcebc0234 version: -1 name: Set Signal Type — unknown + scriptName: SetAndHandleEmpty + type: regular iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: regular - scriptName: SetAndHandleEmpty nexttasks: '#none#': - '28' + scriptarguments: + append: + simple: 'false' + force: + simple: 'true' + key: + simple: Analysis.Email.signal_type + value: + simple: unknown separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 3320\n }\n}" + view: "{\n \"position\": {\n \"x\": 1125,\n \"y\": 4045\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1020,15 +1040,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - scriptarguments: - key: - simple: Analysis.Email.signal_type - value: - simple: unknown - append: - simple: 'false' - force: - simple: 'true' '28': id: '28' taskid: dfd77dbc-f8ca-44c3-b95d-63f4f3bb028f @@ -1037,15 +1048,14 @@ tasks: id: dfd77dbc-f8ca-44c3-b95d-63f4f3bb028f version: -1 name: Done + type: title iscommand: false brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false - type: title - nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 3510\n }\n}" + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 4230\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1055,10 +1065,10 @@ tasks: isautoswitchedtoquietmode: false g12: id: g12 - taskid: gateg12-sig-inputs.S-check1234 + taskid: 3f7e2d1c-4b5a-4987-b8c9-d0e1f2a3b4c5 type: condition task: - id: gateg12-sig-inputs.S-check1234 + id: 3f7e2d1c-4b5a-4987-b8c9-d0e1f2a3b4c5 version: -1 name: Sender Domain Available? description: Skip Sender Domain prevalence check if value is empty — continueonerror fallback. @@ -1072,6 +1082,7 @@ tasks: - '13' 'yes': - '12' + separatecontext: false conditions: - label: 'yes' condition: @@ -1082,9 +1093,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1094,10 +1104,10 @@ tasks: isautoswitchedtoquietmode: false g14: id: g14 - taskid: gateg14-sig-inputs.S-check1234 + taskid: 4e8f3d2c-5c6b-4098-c9da-e1f2a3b4c5d6 type: condition task: - id: gateg14-sig-inputs.S-check1234 + id: 4e8f3d2c-5c6b-4098-c9da-e1f2a3b4c5d6 version: -1 name: Sender IP Available? description: Skip Sender IP prevalence check if value is empty — continueonerror fallback. @@ -1111,6 +1121,7 @@ tasks: - '16' 'yes': - '14' + separatecontext: false conditions: - label: 'yes' condition: @@ -1121,9 +1132,8 @@ tasks: iscontext: true right: value: {} - separatecontext: false continueonerrortype: '' - view: '{"position": {"x": 480, "y": 0}}' + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 2040\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1131,6 +1141,9 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false +system: true +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 4240,\n \"width\":\ + \ 1670,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" inputs: - key: ThreatType value: 
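Review bot: The new g14 taskid `4e8f3d2c-5c6b-4098-c9da-e1f2a3b4c5d6` is not an RFC 4122 UUID — the variant nibble (`c` in `c9da`) must be 8, 9, a or b — and both gate ids read as hand-typed hex runs (`d0e1f2a3b4c5`, `e1f2a3b4c5d6`). Hand-typed ids are how the same taskid can quietly appear in more than one playbook, which is worth avoiding in content imported as a bundle. Generate them instead, e.g. `python3 -c 'import uuid; print(uuid.uuid4())'`, and replace both `taskid` and `task.id` on g12 and g14 with the output.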
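Review bot: `system: true` is added at the playbook top level (hunk `-1131,6 +1141,9`) with no explanation; in XSOAR exports that flag marks content as system-owned, which as far as I know locks it from editing in the UI and is normally only set on vendor-shipped content. If the intent is to protect the playbook from ad-hoc edits, say so in the playbook description; otherwise omit the line so analysts can still adjust the gate conditions in place. I cannot see from this hunk whether the other playbooks in the pack carry the same flag, so check that it is consistent across them.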
@@ -1178,6 +1191,12 @@ inputSections: - SenderIP name: Sender description: Sender identity inputs for prevalence analysis +outputSections: +- outputs: + - Analysis.Email.signal_type + - Analysis.Email.source_verdict + name: Signal Characterization + description: '' outputs: - contextPath: Analysis.Email.signal_type description: 'Behavioral classification of the email threat: url_phish / file_malware / unknown' @@ -1186,23 +1205,4 @@ outputs: description: 'DBot-derived indicator verdict: malicious / suspicious / benign. Secondary signal — primary verdict comes from ThreatStatus in SOC Email Verdict Resolution_V3.' type: string -outputSections: -- outputs: - - Analysis.Email.signal_type - - Analysis.Email.source_verdict - name: Signal Characterization - description: '' -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 3530,\n \"width\":\ - \ 1620,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" -contentitemexportablefields: - contentitemfields: - definitionid: '' - fromServerVersion: 6.10.0 - isoverridable: false - itemVersion: 3.0.0 - packID: soc-framework-nist-ir - packName: SOC Framework Unified - prevname: '' - supportedModules: [] - toServerVersion: '' -dirtyInputs: true +adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml index d2be2148..40cc6535 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Verdict_Resolution_V3.yml @@ -36,7 +36,7 @@ tasks: - '1' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 50\n }\n}" + view: '{"position": {"x": 592, "y": 50}}' note: false timertriggers: [] ignoreworker: false 
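Review bot: The deleted `contentitemexportablefields` block carried `fromServerVersion: 6.10.0` and `packID`, and the replacement is a bare `adopted: true`; the Verdict Resolution playbook further down keeps its `contentitemexportablefields` block, so the two files now disagree on how pack metadata is expressed. Losing the server-version floor matters here because this playbook calls `core-get-IP-analytics-prevalence`, which an older server will not provide, and nothing visible in the hunk declares a minimum version any other way. If the actual goal was only to clear `dirtyInputs`, keep the block and drop just that key, e.g. retain `fromServerVersion: 6.10.0` and the `packID`/`packName` lines.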
@@ -62,7 +62,7 @@ tasks: - '2' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 195\n }\n}" + view: '{"position": {"x": 592, "y": 195}}' note: false timertriggers: [] ignoreworker: false @@ -97,7 +97,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 365\n }\n}" + view: '{"position": {"x": 592, "y": 365}}' note: false timertriggers: [] ignoreworker: false @@ -123,7 +123,7 @@ tasks: - '4' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 555\n }\n}" + view: '{"position": {"x": 592, "y": 555}}' note: false timertriggers: [] ignoreworker: false @@ -190,7 +190,7 @@ tasks: ignorecase: true separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 725\n }\n}" + view: '{"position": {"x": 592, "y": 725}}' note: false timertriggers: [] ignoreworker: false @@ -225,7 +225,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 920\n }\n}" + view: '{"position": {"x": 200, "y": 920}}' note: false timertriggers: [] ignoreworker: false @@ -260,7 +260,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 920\n }\n}" + view: '{"position": {"x": 592, "y": 920}}' note: false timertriggers: [] ignoreworker: false @@ -295,7 +295,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 920\n }\n}" + view: '{"position": {"x": 985, "y": 920}}' note: false timertriggers: [] ignoreworker: false @@ -321,7 +321,7 @@ tasks: - '9' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1105\n }\n}" + view: '{"position": {"x": 592, "y": 1110}}' note: false timertriggers: [] ignoreworker: false 
@@ -361,7 +361,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: isEqualString + - - operator: isEqualString left: value: simple: Analysis.Email.verdict @@ -372,7 +372,7 @@ tasks: ignorecase: true separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1270\n }\n}" + view: '{"position": {"x": 592, "y": 1280}}' note: false timertriggers: [] ignoreworker: false @@ -398,7 +398,7 @@ tasks: - '12' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1450\n }\n}" + view: '{"position": {"x": 592, "y": 1470}}' note: false timertriggers: [] ignoreworker: false @@ -433,7 +433,7 @@ tasks: simple: Analysis separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 985,\n \"y\": 1450\n }\n}" + view: '{"position": {"x": 985, "y": 1470}}' note: false timertriggers: [] ignoreworker: false @@ -479,7 +479,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1620\n }\n}" + view: '{"position": {"x": 592, "y": 1640}}' note: false timertriggers: [] ignoreworker: false @@ -505,7 +505,7 @@ tasks: - '14' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1805\n }\n}" + view: '{"position": {"x": 592, "y": 1825}}' note: false timertriggers: [] ignoreworker: false @@ -551,14 +551,14 @@ tasks: value: simple: malicious ignorecase: true - - operator: isEqualString + - - operator: isEqualString left: value: simple: inputs.HighValueUserInvolved iscontext: true right: value: - simple: 'True' + simple: 'true' ignorecase: true - label: search_and_purge condition: @@ -571,7 +571,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: greaterThan + - - operator: greaterThan left: value: simple: inputs.ClickCount 
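Review bot: In the response-routing condition (hunks `-551,14 +551,14` and `-571,7`) the new AND groups compare `inputs.HighValueUserInvolved` with `isEqualString` and `inputs.ClickCount` with `greaterThan`; if either input is empty — possible if upstream enrichment can leave them unset — the operator evaluates false and a `malicious` verdict silently falls through to `#default#`, whose branch is outside the hunk. For a decision that feeds containment, that is the wrong failure direction. Consider adding, as the last label, a catch-all that matches `Analysis.Email.verdict` equals `malicious` with no count condition so the default path is reserved for non-malicious verdicts, or guard the count inputs with an explicit `isExists` check that routes to a manual-review branch.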
@@ -590,7 +590,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: greaterThan + - - operator: greaterThan left: value: simple: inputs.DeliveredCount @@ -598,7 +598,7 @@ tasks: right: value: simple: '0' - - operator: isEqualNumber + - - operator: isEqualNumber left: value: simple: inputs.ClickCount @@ -617,7 +617,7 @@ tasks: value: simple: malicious ignorecase: true - - operator: isEqualNumber + - - operator: isEqualNumber left: value: simple: inputs.DeliveredCount @@ -627,7 +627,7 @@ tasks: simple: '0' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 1975\n }\n}" + view: '{"position": {"x": 592, "y": 2000}}' note: false timertriggers: [] ignoreworker: false @@ -663,7 +663,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 50, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -699,7 +699,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 330,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 330, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -735,7 +735,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 592, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -771,7 +771,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 855,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 855, "y": 2200}}' note: false timertriggers: [] ignoreworker: false 
@@ -807,7 +807,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1120,\n \"y\": 2165\n }\n}" + view: '{"position": {"x": 1120, "y": 2200}}' note: false timertriggers: [] ignoreworker: false @@ -831,7 +831,7 @@ tasks: nexttasks: {} separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 592,\n \"y\": 2360\n }\n}" + view: '{"position": {"x": 592, "y": 2780}}' note: false timertriggers: [] ignoreworker: false @@ -942,7 +942,7 @@ tasks: ignorecase: true separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1985\n }\n}" + view: '{"position": {"x": 592, "y": 2400}}' note: false timertriggers: [] ignoreworker: false @@ -979,7 +979,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 2155\n }\n}" + view: '{"position": {"x": 250, "y": 2590}}' note: false timertriggers: [] ignoreworker: false @@ -1016,7 +1016,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 2155\n }\n}" + view: '{"position": {"x": 935, "y": 2590}}' note: false timertriggers: [] ignoreworker: false @@ -1098,8 +1098,7 @@ outputSections: - Analysis.Email.response_recommended name: Verdict Contract description: Consumed by SOC Email Analysis_V3 orchestrator and passed to Containment phase -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2380,\n \"width\":\ - \ 1350,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" +view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 2900, "width": 1300, "x": 50, "y": 50}}}' contentitemexportablefields: contentitemfields: definitionid: '' diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml index f603391b..b894e2e8 100644 
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Analysis_V3.yml @@ -7,63 +7,64 @@ contentitemexportablefields: packName: SOC Framework Unified itemVersion: 3.1.4 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC EndPoint Analysis_V3 -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the alert (category, severity, impact). + Document findings and escalate confirmed alerts. + Outcome: Determine whether an event is a legitimate alert and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' tags: - SOC - SOC_Framework_Unified - Detection & Analysis - NIST 800-61 - EndPoint -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e type: start task: id: 27ca4564-aefc-483e-8598-fa04dbefbf2e version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "59" + - '59' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 480, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -71,8 +72,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "2": - id: "2" + '2': + id: '2' taskid: eacb150f-a5d1-4b77-8945-e7f68a68424d type: title task: @@ -81,18 +82,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 3400 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 3400\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -100,8 +95,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "3": - id: "3" + '3': + id: '3' taskid: dfb1f62b-258e-4e82-8f1c-b14f17ea13e4 type: title task: @@ -110,21 +105,15 @@ tasks: name: Define Attack Vector type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "66" + - '66' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 480, - "y": 575 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 575\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -132,36 +121,32 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "6": - id: "6" + '6': + id: '6' taskid: 61337536-2acd-4281-af6c-6da3a9a6ec8c type: title task: id: 61337536-2acd-4281-af6c-6da3a9a6ec8c version: -1 name: Investigate Artifacts - description: |- - This captures: + description: 'This captures: + WildFire Malware + Malware Activity - Known Malicious File + + Known Malicious File' type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "72" + - '72' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 500, - "y": 930 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -169,35 +154,30 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "17": - id: "17" + '17': + id: '17' taskid: 1e3625cf-1808-4765-8323-46f42118c05d type: title task: id: 1e3625cf-1808-4765-8323-46f42118c05d version: -1 name: Make Recommendations - description: |- - What should an analysis or automation do? + description: 'What should an analysis or automation do? + What is our level of confidence? - i.e. Is Containment Justified? + + i.e. Is Containment Justified?' type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "41" + - '41' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2490 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2490\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -205,8 +185,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "41": - id: "41" + '41': + id: '41' taskid: bffb3c22-b13a-429e-8695-b7c4c8f68abe type: condition task: 
@@ -215,16 +195,16 @@ tasks: name: Analysis Confidence type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "44" + - '44' high: - - "42" + - '42' medium: - - "43" + - '43' separatecontext: false conditions: - label: high @@ -252,7 +232,7 @@ tasks: iscontext: true right: value: - simple: "3" + simple: '3' - operator: isEqualString left: value: @@ -280,14 +260,8 @@ tasks: value: simple: inputs.host_high_issue_count iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2660 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2660\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -295,48 +269,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "42": - id: "42" + '42': + id: '42' taskid: 03ffec5b-25f2-4610-816b-e988acd1c518 type: regular task: id: 03ffec5b-25f2-4610-816b-e988acd1c518 version: -1 name: Investigation Confidence High - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.confidence value: simple: high separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2845 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2845\n }\n}" note: false timertriggers: [] ignoreworker: false 
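Review bot: Task 42 carries the generic SetAndHandleEmpty script text (Limited User role notice and doc links) as its task `description`, which tells a reader nothing about what the task decides, unlike the task-specific descriptions used on other tasks in this change. Replace it with one line, e.g. `description: Records the analysis confidence as 'high' in Analysis.Endpoint.confidence for downstream containment routing.`, and the same with `'medium'` on the sibling task 43. The `Analysis Confidence` condition that feeds these tasks starts in an earlier hunk.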
@@ -344,48 +310,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "43": - id: "43" + '43': + id: '43' taskid: 0f08ef52-69b0-4947-8550-0ed220208608 type: regular task: id: 0f08ef52-69b0-4947-8550-0ed220208608 version: -1 name: Investigation Confidence Medium - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.confidence value: simple: medium separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 940, - "y": 2845 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 2845\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -393,48 +351,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "44": - id: "44" + '44': + id: '44' taskid: 4b9c3d18-0eb9-4193-82e4-144f9cf2f714 type: regular task: id: 4b9c3d18-0eb9-4193-82e4-144f9cf2f714 version: -1 name: Investigation Confidence Low - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "46" + - '46' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.confidence value: simple: low separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 80, - "y": 2845 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 2845\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -442,48 +392,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "45": - id: "45" + '45': + id: '45' taskid: 369b4d28-ffb1-40f8-88cf-dd311fda4b65 type: regular task: id: 369b4d28-ffb1-40f8-88cf-dd311fda4b65 version: -1 name: Analysis Response Recommended - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "74" + - '74' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.response_recommended value: - simple: "true" + simple: 'true' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 725, - "y": 3030 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 725,\n \"y\": 3030\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -491,48 +433,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "46": - id: "46" + '46': + id: '46' taskid: 2804eb79-4c2d-4438-8d29-214a78cbcf92 type: regular task: id: 2804eb79-4c2d-4438-8d29-214a78cbcf92 version: -1 name: Analysis Response NOT Recommended - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "74" + - '74' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.response_recommended value: - simple: "false" + simple: 'false' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 80, - "y": 3030 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 80,\n \"y\": 3030\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -540,8 +474,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "52": - id: "52" + '52': + id: '52' taskid: 2fd935ad-6e86-4bfc-8078-7c81b439bbfd type: title task: @@ -550,21 +484,15 @@ tasks: name: Evaluate Spread Level type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "71" + - '71' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 1825 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1825\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -572,8 +500,8 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
- "59":
- id: "59"
+ '59':
+ id: '59'
taskid: 83d2afba-5835-433d-8516-ca98aa42357d
type: title
task:
@@ -583,21 +511,15 @@ tasks:
description: Clean Out Keys for the Investigation and Analysis
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "65"
+ - '65'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 480,
- "y": 220
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 220\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -605,8 +527,8 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
- "65":
- id: "65"
+ '65':
+ id: '65'
taskid: 7a1fb408-753f-4af3-ab79-f8e46d372eab
type: playbook
task:
@@ -617,12 +539,12 @@ tasks:
playbookName: SOC Initialize Investigation Context_V3
type: playbook
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "3"
+ - '3'
scriptarguments:
case_host_count:
simple: ${parentIncidentFields.host_count}
@@ -635,19 +557,13 @@ tasks:
reset_issue_keys:
simple: Investigation, Analysis, Containment, Eradication, Recovery
separatecontext: false
- continueonerrortype: ""
+ continueonerrortype: ''
loop:
iscommand: false
- exitCondition: ""
+ exitCondition: ''
wait: 1
max: 100
- view: |-
- {
- "position": {
- "x": 480,
- "y": 390
- }
- }
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 390\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -655,27 +571,26 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "66": - id: "66" + '66': + id: '66' taskid: e6069e69-8290-4781-aa2b-5a843821676d type: playbook task: id: e6069e69-8290-4781-aa2b-5a843821676d version: -1 name: SOC Endpoint Signal Characterization_V3 - description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis - is not attack vector.\nThis is behavioral class.\nCurrent Tasks:\n\nDefine - Attack Vector\nIs Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? - \nSet Endpoint Path " + description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis is not attack vector.\nThis is behavioral\ + \ class.\nCurrent Tasks:\n\nDefine Attack Vector\nIs Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? \n\ + Set Endpoint Path " playbookName: SOC Endpoint Signal Characterization_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "6" + - '6' scriptarguments: case_name: complex: @@ -686,19 +601,13 @@ tasks: cgo_name: simple: ${SOCFramework.Artifacts.CommandLine} separatecontext: false - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { - "x": 480, - "y": 745 - } - } + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 745\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -706,8 +615,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "68": - id: "68" + '68': + id: '68' taskid: 7931e941-7495-4368-a91c-521cf74d9071 type: title task: 
@@ -716,21 +625,15 @@ tasks:
name: Verdict Resolved
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "69"
+ - '69'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 500,
- "y": 1280
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1280\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -738,8 +641,8 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
- "69":
- id: "69"
+ '69':
+ id: '69'
taskid: bf19e707-75b4-455c-b713-3ccd9731a059
type: title
task:
@@ -748,21 +651,15 @@ tasks:
name: Investigate Case & Issues
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "73"
+ - '73'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 1470
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1470\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -770,8 +667,8 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
- "71":
- id: "71"
+ '71':
+ id: '71'
taskid: ae300369-1218-4032-9c7d-ac5837a06f8c
type: playbook
task:
@@ -781,12 +678,12 @@ tasks:
playbookName: SOC EndPoint Spread Evaluation_V3
type: playbook
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "75"
+ - '75'
scriptarguments:
SHA256:
simple: ${SOCFramework.Artifacts.File}
@@ -797,29 +694,23 @@ tasks:
case_user_count:
simple: ${Analysis.Endpoint.user_count}
high_hash_count_per_case:
- simple: "3"
+ simple: '3'
high_host_count_per_case:
- simple: "3"
+ simple: '3'
limited_hash_count_per_case:
- simple: "2"
+ simple: '2'
limited_host_count_per_case:
- simple: "2"
+ simple: '2'
limited_user_count_per_case:
- simple: "2"
+ simple: '2'
separatecontext: false
- continueonerrortype: ""
+ continueonerrortype: ''
loop:
iscommand: false
- exitCondition: ""
+ exitCondition: ''
wait: 1
max: 100
- view: |-
- {
- "position": {
- "x": 510,
- "y": 1985
- }
- }
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1985\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -827,45 +718,38 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "72": - id: "72" + '72': + id: '72' taskid: 5502afb5-7005-4ebf-a246-509c3be1a3e4 type: playbook task: id: 5502afb5-7005-4ebf-a246-509c3be1a3e4 version: -1 name: SOC Endpoint Verdict Resolution_V3 - description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\nCurrent - Tasks\nWhat is Current File Verdict \nCan We Get the Verdict\nWildFire Detonate - \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict " + description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\nCurrent Tasks\nWhat is Current\ + \ File Verdict \nCan We Get the Verdict\nWildFire Detonate \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict " playbookName: SOC Endpoint Verdict Resolution_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "69" + - '69' scriptarguments: SHA256: simple: ${SOCFramework.Artifacts.File} verdict: simple: ${SOCFramework.Artifacts.Verdict} separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { - "x": 500, - "y": 1090 - } - } + view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1090\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -873,8 +757,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "73": - id: "73" + '73': + id: '73' taskid: 7ffff426-0520-44b0-8c0c-d318968abc90 type: playbook task: 
@@ -884,21 +768,15 @@ tasks:
playbookName: SOC Endpoint Compromise Evaluation_V3
type: playbook
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "52"
+ - '52'
separatecontext: true
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 1640
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1640\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -906,8 +784,8 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
- "74":
- id: "74"
+ '74':
+ id: '74'
taskid: eb85d106-1d55-4fbd-995d-831c3912e421
type: playbook
task:
@@ -917,12 +795,12 @@ tasks:
playbookName: SOC Analysis Evaluation_V3
type: playbook
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "2"
+ - '2'
scriptarguments:
case_category:
complex:
@@ -969,31 +847,22 @@ tasks: spread_level: simple: ${Analysis.Endpoint.spread_level} story: - simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" - was observed in this case.\n\nThe endpoint compromise level has been assessed - as \"${Analysis.Endpoint.compromise_level}\", based on execution correlation - and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts - involved: ${Analysis.Endpoint.host_count}\n• Users involved: ${Analysis.Endpoint.user_count}\n• - Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n• - Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence - is \"${Analysis.Endpoint.confidence}\". \nResponse recommendation: - ${Analysis.Endpoint.response_recommended}." + simple: "Endpoint Analysis Summary\n\nA file with verdict \"${SOCFramework.Artifacts.Verdict}\" was observed in this\ + \ case.\n\nThe endpoint compromise level has been assessed as \"${Analysis.Endpoint.compromise_level}\", based on\ + \ execution correlation and observed MITRE ATT&CK behavioral patterns.\n\nActivity scope:\n• Hosts involved: ${Analysis.Endpoint.host_count}\n\ + • Users involved: ${Analysis.Endpoint.user_count}\n• Environmental hash prevalence: ${Analysis.Endpoint.hash_prevalence_count}\n\ + • Spread level: ${Analysis.Endpoint.spread_level}\n\nInvestigation confidence is \"${Analysis.Endpoint.confidence}\"\ + . \nResponse recommendation: ${Analysis.Endpoint.response_recommended}." verdict: simple: ${SOCFramework.Artifacts.Verdict} separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { - "x": 510, - "y": 3215 - } - } + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 3215\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1001,8 +870,8 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
- "75":
- id: "75"
+ '75':
+ id: '75'
taskid: e808dafe-8229-48a1-b0bb-f914ba0a14f3
type: title
task:
@@ -1011,21 +880,15 @@ tasks:
name: Get Persistence Type
type: title
iscommand: false
- brand: ""
+ brand: ''
playbooktaskmissingcomponent: null
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- - "76"
+ - '76'
separatecontext: false
- continueonerrortype: ""
- view: |-
- {
- "position": {
- "x": 510,
- "y": 2180
- }
- }
+ continueonerrortype: ''
+ view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2180\n }\n}"
note: false
timertriggers: []
ignoreworker: false
@@ -1033,30 +896,28 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "76": - id: "76" + '76': + id: '76' taskid: 6ff3604f-c87a-44cc-a6be-33136836985f type: regular task: id: 6ff3604f-c87a-44cc-a6be-33136836985f version: -1 name: Get MITRE Technique Name - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "17" + - '17' scriptarguments: key: simple: Analysis.Endpoint.persistence_type @@ -1075,14 +936,8 @@ tasks: accessor: Technique separatecontext: false continueonerror: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 510, - "y": 2330 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 2330\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1091,18 +946,8 @@ tasks: isoversize: false isautoswitchedtoquietmode: false system: true -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 3410, - "width": 1240, - "x": 80, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 3410,\n \"width\":\ + \ 1240,\n \"x\": 80,\n \"y\": 50\n }\n }\n}" inputs: - key: entity_id value: 
@@ -1114,19 +959,19 @@ inputs:
value:
simple: ${SOCFramework.Product.category}
required: false
- description: ""
+ description: ''
playbookInputQuery: null
- key: entity_type
value:
simple: ${SOCFramework.Product.category}
required: false
- description: ""
+ description: ''
playbookInputQuery: null
- key: SHA256
value:
simple: ${SOCFramework.Artifacts.File}
required: false
- description: ""
+ description: ''
playbookInputQuery: null
inputSections:
- inputs:
@@ -1208,5 +1053,5 @@ outputs:
- contextPath: Analysis.case_user_count
type: unknown
sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
adopted: true
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml
index a6548b33..48ec51ae 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Eradication_V3.yml
@@ -44,7 +44,7 @@ tasks:
- '4'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 320,\n \"y\": -560\n }\n}"
+ view: '{"position": {"x": 320, "y": 50}}'
note: false
timertriggers: []
ignoreworker: false
@@ -67,7 +67,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3900\n }\n}"
+ view: '{"position": {"x": 530, "y": 4510}}'
note: false
timertriggers: []
ignoreworker: false
@@ -109,7 +109,7 @@ tasks:
right:
value: {}
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 320,\n \"y\": -400\n }\n}"
+ view: '{"position": {"x": 320, "y": 210}}'
note: false
timertriggers: []
ignoreworker: false
@@ -135,7 +135,7 @@ tasks:
- '8'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": -160\n }\n}"
+ view: '{"position": {"x": 820, "y": 450}}'
note: false
timertriggers: []
ignoreworker: false
@@ -210,7 +210,7 @@ tasks:
value:
simple: isolated_signal
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 130\n }\n}"
+ view: '{"position": {"x": 820, "y": 740}}'
note: false
timertriggers: []
ignoreworker: false
@@ -249,7 +249,7 @@ tasks:
value:
simple: persistence
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 2340\n }\n}"
+ view: '{"position": {"x": 980, "y": 2950}}'
note: false
timertriggers: []
ignoreworker: false
@@ -291,7 +291,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3452.5\n }\n}"
+ view: '{"position": {"x": 110, "y": 4062.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -334,7 +334,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3705\n }\n}"
+ view: '{"position": {"x": 110, "y": 4315}}'
note: false
timertriggers: []
ignoreworker: false
@@ -360,7 +360,7 @@ tasks:
- '44'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3167.5\n }\n}"
+ view: '{"position": {"x": 110, "y": 3777.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -402,7 +402,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 2160\n }\n}"
+ view: '{"position": {"x": 820, "y": 2770}}'
note: false
timertriggers: []
ignoreworker: false
@@ -428,7 +428,7 @@ tasks:
- '18'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": 1820\n }\n}"
+ view: '{"position": {"x": 1310, "y": 2430}}'
note: false
timertriggers: []
ignoreworker: false
@@ -470,7 +470,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": 1990\n }\n}"
+ view: '{"position": {"x": 1310, "y": 2600}}'
note: false
timertriggers: []
ignoreworker: false
@@ -506,7 +506,7 @@ tasks:
- '54'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 2505\n }\n}"
+ view: '{"position": {"x": 980, "y": 3115}}'
note: false
timertriggers: []
ignoreworker: false
@@ -532,7 +532,7 @@ tasks:
- '30'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3167.5\n }\n}"
+ view: '{"position": {"x": 530, "y": 3777.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -574,7 +574,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3335\n }\n}"
+ view: '{"position": {"x": 530, "y": 3945}}'
note: false
timertriggers: []
ignoreworker: false
@@ -616,7 +616,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3577.5\n }\n}"
+ view: '{"position": {"x": 530, "y": 4187.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -679,7 +679,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3705\n }\n}"
+ view: '{"position": {"x": 530, "y": 4315}}'
note: false
timertriggers: []
ignoreworker: false
@@ -705,7 +705,7 @@ tasks:
- '36'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 550\n }\n}"
+ view: '{"position": {"x": 820, "y": 1160}}'
note: false
timertriggers: []
ignoreworker: false
@@ -776,7 +776,7 @@ tasks:
value:
simple: single_entity
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 710\n }\n}"
+ view: '{"position": {"x": 820, "y": 1320}}'
note: false
timertriggers: []
ignoreworker: false
@@ -802,7 +802,7 @@ tasks:
- '41'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 1040\n }\n}"
+ view: '{"position": {"x": 1780, "y": 1650}}'
note: false
timertriggers: []
ignoreworker: false
@@ -845,7 +845,7 @@ tasks:
value:
simple: malicious_and_executed
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1190\n }\n}"
+ view: '{"position": {"x": 820, "y": 1800}}'
note: false
timertriggers: []
ignoreworker: false
@@ -871,7 +871,7 @@ tasks:
- '63'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1360\n }\n}"
+ view: '{"position": {"x": 820, "y": 1970}}'
note: false
timertriggers: []
ignoreworker: false
@@ -897,7 +897,7 @@ tasks:
- '64'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1820\n }\n}"
+ view: '{"position": {"x": 820, "y": 2430}}'
note: false
timertriggers: []
ignoreworker: false
@@ -939,7 +939,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 1990\n }\n}"
+ view: '{"position": {"x": 1780, "y": 2600}}'
note: false
timertriggers: []
ignoreworker: false
@@ -965,7 +965,7 @@ tasks:
- '13'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 685\n }\n}"
+ view: '{"position": {"x": 110, "y": 1295}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1007,7 +1007,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 3452.5\n }\n}"
+ view: '{"position": {"x": 530, "y": 4062.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1049,7 +1049,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3335\n }\n}"
+ view: '{"position": {"x": 110, "y": 3945}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1091,7 +1091,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 3577.5\n }\n}"
+ view: '{"position": {"x": 110, "y": 4187.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1117,7 +1117,7 @@ tasks:
- '38'
separatecontext: false
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1050\n }\n}"
+ view: '{"position": {"x": 820, "y": 1660}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1159,7 +1159,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3335\n }\n}"
+ view: '{"position": {"x": 1780, "y": 3945}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1201,7 +1201,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3452.5\n }\n}"
+ view: '{"position": {"x": 1780, "y": 4062.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1243,7 +1243,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3577.5\n }\n}"
+ view: '{"position": {"x": 1780, "y": 4187.5}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1306,7 +1306,7 @@ tasks:
separatecontext: false
continueonerror: true
continueonerrortype: ''
- view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3705\n }\n}"
+ view: '{"position": {"x": 1780, "y": 4315}}'
note: false
timertriggers: []
ignoreworker: false
@@ -1332,7 +1332,7 @@ tasks: - '48' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1780,\n \"y\": 3167.5\n }\n}" + view: '{"position": {"x": 1780, "y": 3777.5}}' note: false timertriggers: [] ignoreworker: false @@ -1358,7 +1358,7 @@ tasks: - '60' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1240,\n \"y\": 2690\n }\n}" + view: '{"position": {"x": 1240, "y": 3300}}' note: false timertriggers: [] ignoreworker: false @@ -1384,7 +1384,7 @@ tasks: - '59' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 2690\n }\n}" + view: '{"position": {"x": 690, "y": 3300}}' note: false timertriggers: [] ignoreworker: false @@ -1410,7 +1410,7 @@ tasks: - '36' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 400\n }\n}" + view: '{"position": {"x": 1280, "y": 1010}}' note: false timertriggers: [] ignoreworker: false @@ -1436,7 +1436,7 @@ tasks: - '35' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 410\n }\n}" + view: '{"position": {"x": 820, "y": 1020}}' note: false timertriggers: [] ignoreworker: false @@ -1462,7 +1462,7 @@ tasks: - '62' separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1370,\n \"y\": 1360\n }\n}" + view: '{"position": {"x": 1370, "y": 1970}}' note: false timertriggers: [] ignoreworker: false @@ -1504,7 +1504,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 2805\n }\n}" + view: '{"position": {"x": 690, "y": 3415}}' note: false timertriggers: [] ignoreworker: false @@ -1546,7 +1546,7 @@ tasks: separatecontext: false continueonerror: true continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 1240,\n \"y\": 2805\n }\n}" + view: '{"position": {"x": 1240, "y": 3415}}' note: false timertriggers: [] ignoreworker: false 
@@ -1608,7 +1608,7 @@ tasks: simple: Shadow Mode, Eradication separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1650\n }\n}" + view: '{"position": {"x": 820, "y": 2260}}' note: false timertriggers: [] ignoreworker: false @@ -1669,7 +1669,7 @@ tasks: simple: Shadow Mode,Eradication separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1490\n }\n}" + view: '{"position": {"x": 820, "y": 2100}}' note: false timertriggers: [] ignoreworker: false @@ -1730,7 +1730,7 @@ tasks: simple: Shadow Mode,Eradication separatecontext: false continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 820,\n \"y\": 1990\n }\n}" + view: '{"position": {"x": 820, "y": 2600}}' note: false timertriggers: [] ignoreworker: false @@ -1780,4 +1780,4 @@ outputs: - contextPath: Eradication.attempted type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml index 37945fb1..6875a719 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Recovery_V3.yml @@ -871,4 +871,4 @@ outputs: - contextPath: Recovery.restore_method type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml index 61244f4c..4d6bd710 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_EndPoint_Spread_Evaluation_V3.yml 
@@ -471,4 +471,4 @@ outputs: type: unknown description: Hash global prevalence count from soc-enrich-file UC call sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml index dc0420f4..3709f91e 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Compromise_Evaluation_V3.yml 
@@ -7,69 +7,75 @@ contentitemexportablefields: packName: SOC Framework NIST IR (800-61) itemVersion: 1.1.0 fromServerVersion: 5.0.0 - toServerVersion: "" - definitionid: "" - prevname: "" + toServerVersion: '' + definitionid: '' + prevname: '' isoverridable: false supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC Endpoint Compromise Evaluation_V3 -description: |- - It evaluates three signals: +description: 'It evaluates three signals: + File verdict (malicious / suspicious / benign) + Execution evidence (file SHA256 matches executed process hashes in the issue context) + Behavioral indicators (MITRE tactics/techniques such as Persistence, Command & Control, Privilege Escalation, Process Injection) + Outputs + likely_compromised + Malicious file executed or strong post-exploitation behavior observed. + suspicious + Malicious or suspicious activity present but no definitive execution or compromise proof. + isolated_signal + Single weak signal with no execution or strong behavioral indicators. + no_evidence + Benign verdict and no supporting compromise indicators. - The playbook does not use case risk score or alert volume; it focuses strictly on endpoint-level forensic evidence. + + The playbook does not use case risk score or alert volume; it focuses strictly on endpoint-level forensic evidence.' 
tags: - - SOC - - SOC_Framework_Unified - - Detection & Analysis - - NIST 800-61 - - EndPoint -starttaskid: "0" +- SOC +- SOC_Framework_Unified +- Detection & Analysis +- NIST 800-61 +- EndPoint +starttaskid: '0' tasks: - "0": - id: "0" + '0': + id: '0' taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e type: start task: id: 27ca4564-aefc-483e-8598-fa04dbefbf2e version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "69" + - '69' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 50 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 50\n }\n}" note: false timertriggers: [] ignoreworker: false 
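Review bot: Converting `description` from a `|-` literal block to a single-quoted scalar changes the rendered text unless the serializer re-emitted an already-folded value: inside single quotes each line break folds to a space, so the `File verdict` / `Execution evidence` / `Behavioral indicators` lines and the four `Outputs` entries collapse into one run-on paragraph, with only the added blank line before `The playbook does not use…` surviving as a newline. If the line structure is wanted in the playbook UI, keep `description: |-` or emit the scalar with a blank line between items.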
@@ -77,48 +83,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "29": - id: "29" + '29': + id: '29' taskid: 4c010df0-1d0e-46e8-b043-672358f7ddbd type: regular task: id: 4c010df0-1d0e-46e8-b043-672358f7ddbd version: -1 name: Set Compromise Likely - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_level value: simple: likely_compromised separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -620, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": -620,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -126,48 +124,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "30": - id: "30" + '30': + id: '30' taskid: 4371bae8-fa9c-479e-ac55-d10a704a8938 type: regular task: id: 4371bae8-fa9c-479e-ac55-d10a704a8938 version: -1 name: Set Description Malicious And No Excecution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: malicious_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 315, - "y": 1485 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 315,\n \"y\": 1485\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -175,48 +165,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" + '31': + id: '31' taskid: a328a8d5-b8de-47b4-8a6a-69003e9e388d type: regular task: id: a328a8d5-b8de-47b4-8a6a-69003e9e388d version: -1 name: Set Description Suspicious with Execution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: suspicious_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 212.5, - "y": 1670 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 212.5,\n \"y\": 1670\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -224,48 +206,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" + '32': + id: '32' taskid: 7b4a8594-365d-40d8-84cd-5590cb809f0d type: regular task: id: 7b4a8594-365d-40d8-84cd-5590cb809f0d version: -1 name: Set Compromise Suspicious - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: suspicious_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -80, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": -80,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -273,48 +247,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "33": - id: "33" + '33': + id: '33' taskid: 673a1f63-6c99-4218-8520-8e5226cda124 type: regular task: id: 673a1f63-6c99-4218-8520-8e5226cda124 version: -1 name: Set Compromise Isolated - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_level value: simple: isolate_signal separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 652.5, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 652.5,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -322,8 +288,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "69": - id: "69" + '69': + id: '69' taskid: 9e094f2a-5581-4510-9292-6bb1be80aebd type: title task: @@ -332,21 +298,15 @@ tasks: name: Investigate type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "82" + - '82' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 220 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 220\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -354,8 +314,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "70": - id: "70" + '70': + id: '70' taskid: 26cd8ee9-1d01-40d1-9b3a-dbd76a8cfa1e type: title task: @@ -364,18 +324,12 @@ tasks: name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 827.5, - "y": 2735 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 2735\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -383,48 +337,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "75": - id: "75" + '75': + id: '75' taskid: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 type: regular task: id: 9a3a0cd8-7536-4b2b-9cad-5448e9602fc5 version: -1 name: Set Compromise No Evidence - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "70" + - '70' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_level value: simple: no_evidence separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1340, - "y": 2550 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1340,\n \"y\": 2550\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -432,8 +378,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "76": - id: "76" + '76': + id: '76' taskid: 54387c7d-89ee-44c5-b977-07dab20e908e type: condition task: 
@@ -442,85 +388,79 @@ tasks: name: Compromised Host Malicious and Executed? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "81" + - '81' Likely Compromised: - - "87" + - '87' separatecontext: false conditions: - - label: Likely Compromised - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: isEqualString - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: isEqualString - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - - label: Likely Compromised - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: isEqualString - left: - value: - simple: inputs.tactic_id - iscontext: true - right: - value: - simple: TA0002 - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 560 - } - } + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: isEqualString + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + 
iscontext: true + - operator: isEqualString + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: isEqualString + left: + value: + simple: inputs.tactic_id + iscontext: true + right: + value: + simple: TA0002 + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 560\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -528,8 +468,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "77": - id: "77" + '77': + id: '77' taskid: 34027e15-2aef-4b0a-8878-957e370550ce type: condition task: 
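Review bot: The three hash comparisons in the first `Likely Compromised` condition use two different operators — `in` for `inputs.xdm_sourceprocess_executable_sha256` but `isEqualString` for `inputs.initiator_sha256` and `inputs.cgo_sha256` — while the same "SHA256 matches an executed process" check is written as `notIn` in task 77, `in` in task 78 and `containsGeneral` in task 80. If any of those inputs can be multi-valued, `isEqualString` misses a match that `in` would find, and the four gates then disagree on what counts as execution evidence. One operator should be chosen for this check and used in all four gates so the compromise levels are mutually consistent. The task-76 mapping continues in the next hunk.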
@@ -538,64 +478,58 @@ tasks: name: Compromised Malicious No Execution? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "78" + - '78' Suspicious: - - "30" + - '30' separatecontext: false conditions: - - label: Suspicious - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 920, - "y": 1300 - } - } + - label: Suspicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1300\n }\n}" note: false timertriggers: [] ignoreworker: false 
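Review bot: In the `Suspicious` condition the three `notIn` checks against `inputs.xdm_sourceprocess_executable_sha256`, `inputs.initiator_sha256` and `inputs.cgo_sha256` sit in one inner list; items of one inner list are alternatives and only separate `- -` groups are conjoined (the layout the commit message says it fixed in the Email playbooks), so the branch fires as soon as the hash is absent from any one field — e.g. absent from `cgo_sha256` while present as the source-process hash. To require absence from all three, each `notIn` needs its own `- -` group. The same OR'd `notIn` triple appears in the `Isolated Signal` condition of task 79, where it allows an executed file to be downgraded to `isolate_signal`. Whether an earlier gate already excludes executed hashes before task 77 is reached cannot be seen from this hunk.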
@@ -603,8 +537,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "78": - id: "78" + '78': + id: '78' taskid: 9422d3f6-ce78-45bb-bea3-69c58b2ee781 type: condition task: 
@@ -613,64 +547,58 @@ tasks: name: Compromised Suspicious with Execution? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "86" + - '86' Suspicious: - - "31" + - '31' separatecontext: false conditions: - - label: Suspicious - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: suspicious - - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1032.5, - "y": 1485 - } - } + - label: Suspicious + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: suspicious + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1032.5,\n \"y\": 1485\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -678,8 +606,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "79": - id: "79" + '79': + id: '79' taskid: 28ea7aab-be63-4e6c-b9d9-63520cab7f0e type: condition task: 
@@ -688,101 +616,96 @@ tasks: name: Isolated Signal? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "80" + - '80' Isolated Signal: - - "91" + - '91' separatecontext: false conditions: - - label: Isolated Signal - condition: - - - operator: in - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: | - ("unknown","suspicious")) - - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - - - operator: notIn - left: - value: - simple: TA0011 - iscontext: true - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - - operator: notIn - left: - value: - simple: TA0003 - iscontext: true - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - - operator: notIn - left: - value: - simple: T1055 - iscontext: true - right: - value: - simple: inputs.case_mitre_techniques - iscontext: true - - - operator: isEqualString - left: - value: - simple: TA0004 - iscontext: true - right: - value: - simple: inputs.case_mitre_techniques - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1155, - "y": 2040 - } - } + - label: Isolated Signal + condition: + - - operator: in + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: '("unknown","suspicious")) + + ' + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: 
+ value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - - operator: notIn + left: + value: + simple: TA0011 + iscontext: true + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: notIn + left: + value: + simple: TA0003 + iscontext: true + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: notIn + left: + value: + simple: T1055 + iscontext: true + right: + value: + simple: inputs.case_mitre_techniques + iscontext: true + - - operator: isEqualString + left: + value: + simple: TA0004 + iscontext: true + right: + value: + simple: inputs.case_mitre_techniques + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1155,\n \"y\": 2040\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -790,8 +713,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "80": - id: "80" + '80': + id: '80' taskid: 510e58df-e742-49b3-9910-02f691e96640 type: condition task: 
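Review bot: The right-hand side of the verdict `in` check is carried over as the literal string `("unknown","suspicious"))` plus two trailing newlines (`simple: '("unknown","suspicious"))\n\n'`), with an unbalanced closing parenthesis, so an `unknown` or `suspicious` verdict can only match if `in` happens to do substring matching on that literal; if the operator expects a list the value should be the two verdicts without tuple syntax, e.g. `simple: unknown,suspicious` (the exact list form cannot be confirmed from here). Separately, the four MITRE checks use the literals `TA0011`, `TA0003`, `T1055` and `TA0004` as the left value with `iscontext: true`, which — as with `simple: inputs.SHA256` + `iscontext: true` elsewhere in this task — tells the engine to resolve them as context paths rather than constants, so they resolve empty. The last group also uses `isEqualString` to require `TA0004` in `inputs.case_mitre_techniques`, which reads as the opposite of the "no strong behavioral indicators" rule in the description and is presumably meant to be `notIn` against `inputs.case_mitre_tactics`. The task-79 mapping continues in the next hunk.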
@@ -800,64 +723,58 @@ tasks: name: No Evidence? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "70" + - '70' No Evidence: - - "92" + - '92' separatecontext: false conditions: - - label: No Evidence - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: benign - - - operator: containsGeneral - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: containsGeneral - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: containsGeneral - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1085, - "y": 2255 - } - } + - label: No Evidence + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: benign + - - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: containsGeneral + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1085,\n \"y\": 2255\n }\n}" note: false timertriggers: [] ignoreworker: false 
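Review bot: Task 80's `No Evidence` label routes to task 92 (`benign_no_execution`), yet it is satisfied when `inputs.SHA256` `containsGeneral` one of `xdm_sourceprocess_executable_sha256`, `initiator_sha256` or `cgo_sha256` — the same hash match that task 81 (`in`) treats as execution evidence and task 86 (`notIn`) treats as its absence — so the benign, no-execution decision is written precisely when the file hash does match an executing process, while a benign verdict with no match falls to `#default#` (task 70). Either the three operators should be the negated form used in task 86, or the label and task 92's value should be renamed to what the branch actually detects; please confirm against the intended decision table. As a style point, this hunk and the rest of the file are a re-serialisation (`""` → `''`, `|-` view blocks → escaped JSON strings, rewrapped descriptions) around a single functional change, `dirtyInputs: false`; round-tripping with the original quoting would keep future diffs reviewable.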
@@ -865,8 +782,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "81": - id: "81" + '81': + id: '81' taskid: 98a68f9b-8748-4de0-83b6-ae46d324c1e2 type: condition task: 
@@ -875,69 +792,63 @@ tasks: name: Execution + Strong Exploit Tactics type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "85" + - '85' Likely Compromised: - - "88" + - '88' separatecontext: false conditions: - - label: Likely Compromised - condition: - - - operator: in - left: - value: - simple: TA0011 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - operator: in - left: - value: - simple: TA0003 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: in - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 705, - "y": 745 - } - } + - label: Likely Compromised + condition: + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: in + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": 745\n }\n}" note: false 
timertriggers: [] ignoreworker: false @@ -945,8 +856,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "82": - id: "82" + '82': + id: '82' taskid: 21ba8f6d-bdff-425f-9c4b-f19cccf4de83 type: title task: @@ -955,21 +866,15 @@ tasks: name: Evaluate Malicious type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "76" + - '76' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 592.5, - "y": 390 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 390\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -977,8 +882,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "83": - id: "83" + '83': + id: '83' taskid: 289cfa9b-dc82-4e6f-be72-b0002e049a00 type: title task: @@ -987,21 +892,15 @@ tasks: name: Evaluate Suspicious type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "77" + - '77' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 920, - "y": 1122.5 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1122.5\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1009,8 +908,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "84": - id: "84" + '84': + id: '84' taskid: 2e46b5b4-7337-4691-b9df-349934c95fd7 type: title task: 
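Review bot: Task 81's execution test does `inputs.SHA256` `in` each process-hash input, but `SHA256` is built (see the inputs block at the end of this file) by joining `SOCFramework.Artifacts.File` with `,`, so with two or more artifacts the left operand is one comma-joined string rather than a single hash; unless the `in` operator splits its left side, multi-artifact cases never match and are routed to `#default#` (task 85). Tasks 79, 80 and 86 use the same operand shape. Likewise `TA0011`/`TA0003` are tested with `in` against `case_mitre_tactics`, which is bound to `mitre_tactics_ids_and_names`; if that field holds `ID - Name` strings rather than bare IDs, `containsGeneral` is the operator that will match. A one-line task description would make the rule auditable, e.g. `description: Execution evidence = any artifact SHA256 equals the source-process, initiator or CGO hash; TA0011/TA0003 present = strong tactics.`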
@@ -1019,21 +918,15 @@ tasks: name: Evaluate Isolated Signal type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "79" + - '79' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1155, - "y": 1862.5 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1155,\n \"y\": 1862.5\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1041,8 +934,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "85": - id: "85" + '85': + id: '85' taskid: b57df6ec-9f5d-481c-b732-7f1f59026dbd type: condition task: 
@@ -1051,53 +944,47 @@ tasks: name: Malicious Strong Exploit Tactics type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "83" + - '83' Likely Compromised: - - "89" + - '89' separatecontext: false conditions: - - label: Likely Compromised - condition: - - - operator: isEqualString - left: - value: - complex: - root: inputs.verdict - transformers: - - operator: toLowerCase - iscontext: true - right: - value: - simple: malicious - - - operator: in - left: - value: - simple: TA0011 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - operator: in - left: - value: - simple: TA0003 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 910, - "y": 930 - } - } + - label: Likely Compromised + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.verdict + transformers: + - operator: toLowerCase + iscontext: true + right: + value: + simple: malicious + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false @@ -1105,8 +992,8 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "86": - id: "86" + '86': + id: '86' taskid: a6c34090-a35f-400d-b4f4-30dc4d0ff3c8 type: condition task: 
@@ -1115,70 +1002,64 @@ tasks: name: Compromised Strong Tactics No Execution? type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "84" + - '84' Suspicious: - - "32" - - "90" + - '32' + - '90' separatecontext: false conditions: - - label: Suspicious - condition: - - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.xdm_sourceprocess_executable_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.initiator_sha256 - iscontext: true - - operator: notIn - left: - value: - simple: inputs.SHA256 - iscontext: true - right: - value: - simple: inputs.cgo_sha256 - iscontext: true - - - operator: in - left: - value: - simple: TA0011 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - - operator: in - left: - value: - simple: TA0003 - right: - value: - simple: inputs.case_mitre_tactics - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1155, - "y": 1670 - } - } + - label: Suspicious + condition: + - - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.xdm_sourceprocess_executable_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.initiator_sha256 + iscontext: true + - operator: notIn + left: + value: + simple: inputs.SHA256 + iscontext: true + right: + value: + simple: inputs.cgo_sha256 + iscontext: true + - - operator: in + left: + value: + simple: TA0011 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + - operator: in + left: + value: + simple: TA0003 + right: + value: + simple: inputs.case_mitre_tactics + iscontext: true + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1155,\n \"y\": 
1670\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1186,48 +1067,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "87": - id: "87" + '87': + id: '87' taskid: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 type: regular task: id: 1e4dec76-91c3-45a2-9ec3-7e57564c7c32 version: -1 name: Set Description To Malicious And Executed - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" + - '29' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: malicious_and_executed separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -42.5, - "y": 745 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": -42.5,\n \"y\": 745\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1235,48 +1108,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "88": - id: "88" + '88': + id: '88' taskid: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 type: regular task: id: 353dc2b8-f205-4dc6-abca-c9c00d6d34e9 version: -1 name: Set Description Execution And Strong Tactics - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" + - '29' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: execution_strong_tactics separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 200, - "y": 930 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 930\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1284,48 +1149,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "89": - id: "89" + '89': + id: '89' taskid: bcbc6174-fcc2-488e-83fb-dc73560cfa4d type: regular task: id: bcbc6174-fcc2-488e-83fb-dc73560cfa4d version: -1 name: Set Description Malicioius And Strong Tactics - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "29" + - '29' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: malicious_strong_tactics separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 387.5, - "y": 1115 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 387.5,\n \"y\": 1115\n }\n}" note: false timertriggers: [] ignoreworker: false 
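Review bot: The context value written by task 91 (the `@@ -1382` hunk below), `suspcious_no_tactics_no_execution`, is misspelled, and because `Analysis.Endpoint.compromise_decision` is a declared playbook output, any downstream condition comparing against the correctly spelled `suspicious_no_tactics_no_execution` will never match; fix the spelling there or document the exact literal in the output's description. Task 89's name in this hunk, `Set Description Malicioius And Strong Tactics`, has the same kind of typo, though that one is only cosmetic.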
@@ -1333,48 +1190,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "90": - id: "90" + '90': + id: '90' taskid: 9b9d105e-134e-4397-b80f-949c549cd6be type: regular task: id: 9b9d105e-134e-4397-b80f-949c549cd6be version: -1 name: Set Description Suspicious with Execution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "32" + - '32' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: strong_tactics_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 447.5, - "y": 1855 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 447.5,\n \"y\": 1855\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1382,48 +1231,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "91": - id: "91" + '91': + id: '91' taskid: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 type: regular task: id: c0ae4ecb-c687-49e8-84d7-e15087f2c7b3 version: -1 name: Set Description Suspicious, No Execution, No Tactics - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "33" + - '33' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: suspcious_no_tactics_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 652.5, - "y": 2255 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 652.5,\n \"y\": 2255\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1431,48 +1272,40 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "92": - id: "92" + '92': + id: '92' taskid: f14be6c5-632b-4ab2-95c0-ccea72352e00 type: regular task: id: f14be6c5-632b-4ab2-95c0-ccea72352e00 version: -1 name: Set Description Benign, No Execution - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "75" + - '75' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.compromise_decision value: simple: benign_no_execution separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1340, - "y": 2410 - } - } + continueonerrortype: '' + view: "{\n \"position\": {\n \"x\": 1340,\n \"y\": 2410\n }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1480,142 +1313,128 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": { - "76_81_#default#": 0.9 - }, - "paper": { - "dimensions": { - "height": 2745, - "width": 2340, - "x": -620, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {\n \"76_81_#default#\": 0.9\n },\n \"paper\": {\n \"dimensions\": {\n \"\ + height\": 2745,\n \"width\": 2340,\n \"x\": -620,\n \"y\": 50\n }\n }\n}" inputs: - - key: host_likely_compromised - value: - simple: "70" - required: false - description: Threshold for DBot Predicted Score for Host Likely Compromised - playbookInputQuery: null - - key: host_suspicious - value: - simple: "40" - required: false - description: Threshold for DBot Predicted Score for Host Suspicious. This value - will be between the host_likely_compromised and this value host_suspicious values. - playbookInputQuery: null - - key: host_isolated_signal - value: - simple: "40" - required: false - description: Anything less than this number will be an Isolated Signal for the host. - playbookInputQuery: null - - key: host_high_issue_count - value: - simple: "3" - required: false - description: "" - playbookInputQuery: null - - key: SHA256 - value: - complex: - root: SOCFramework.Artifacts.File - transformers: - - operator: join - args: - separator: - value: - simple: ',' - required: false - description: "" - playbookInputQuery: null - - key: verdict - value: - simple: ${Analysis.Endpoint.verdict} - required: false - description: Enriched artifact verdict resolved by SOC_Endpoint_Verdict_Resolution_V3 - after all TI sources and WildFire detonation. Use Analysis.Endpoint.verdict, not - SOCFramework.Artifacts.Verdict, to ensure compromise evaluation uses the aggregated - DBot-normalized result rather than the raw source classification. 
- playbookInputQuery: null - - key: initiator_sha256 - value: - simple: ${issue.initiatorsha256} - required: false - description: "" - playbookInputQuery: null - - key: case_mitre_tactics - value: - simple: ${parentIncidentFields.mitre_tactics_ids_and_names} - required: false - description: "" - playbookInputQuery: null - - key: case_mitre_techniques - value: - simple: ${parentIncidentFields.mitre_techniques_ids_and_names.[0]} - required: false - description: "" - playbookInputQuery: null - - key: case_issue_count - value: - simple: ${parentIncidentFields.alert_count} - required: false - description: "" - playbookInputQuery: null - - key: xdm_sourceprocess_executable_sha256 - value: - simple: ${issue.xdmsourceprocessexecutablesha256} - required: false - description: "" - playbookInputQuery: null - - key: cgo_sha256 - value: - simple: ${issue.cgosha256} - required: false - description: "" - playbookInputQuery: null - - key: tactic_id - value: - simple: ${SOCFramework.Mitre.Tactic.ID} - required: false - description: MITRE ATT&CK tactic ID written by Foundation into SOCFramework.Mitre.Tactic.ID - (e.g. TA0002 for Execution). Used alongside verdict to confirm execution without - requiring hash matching when CGO/XDM fields are not populated. - playbookInputQuery: null +- key: host_likely_compromised + value: + simple: '70' + required: false + description: Threshold for DBot Predicted Score for Host Likely Compromised + playbookInputQuery: null +- key: host_suspicious + value: + simple: '40' + required: false + description: Threshold for DBot Predicted Score for Host Suspicious. This value will be between the host_likely_compromised + and this value host_suspicious values. + playbookInputQuery: null +- key: host_isolated_signal + value: + simple: '40' + required: false + description: Anything less than this number will be an Isolated Signal for the host. 
+ playbookInputQuery: null +- key: host_high_issue_count + value: + simple: '3' + required: false + description: '' + playbookInputQuery: null +- key: SHA256 + value: + complex: + root: SOCFramework.Artifacts.File + transformers: + - operator: join + args: + separator: + value: + simple: ',' + required: false + description: '' + playbookInputQuery: null +- key: verdict + value: + simple: ${Analysis.Endpoint.verdict} + required: false + description: Enriched artifact verdict resolved by SOC_Endpoint_Verdict_Resolution_V3 after all TI sources and WildFire + detonation. Use Analysis.Endpoint.verdict, not SOCFramework.Artifacts.Verdict, to ensure compromise evaluation uses the + aggregated DBot-normalized result rather than the raw source classification. + playbookInputQuery: null +- key: initiator_sha256 + value: + simple: ${issue.initiatorsha256} + required: false + description: '' + playbookInputQuery: null +- key: case_mitre_tactics + value: + simple: ${parentIncidentFields.mitre_tactics_ids_and_names} + required: false + description: '' + playbookInputQuery: null +- key: case_mitre_techniques + value: + simple: ${parentIncidentFields.mitre_techniques_ids_and_names.[0]} + required: false + description: '' + playbookInputQuery: null +- key: case_issue_count + value: + simple: ${parentIncidentFields.alert_count} + required: false + description: '' + playbookInputQuery: null +- key: xdm_sourceprocess_executable_sha256 + value: + simple: ${issue.xdmsourceprocessexecutablesha256} + required: false + description: '' + playbookInputQuery: null +- key: cgo_sha256 + value: + simple: ${issue.cgosha256} + required: false + description: '' + playbookInputQuery: null +- key: tactic_id + value: + simple: ${SOCFramework.Mitre.Tactic.ID} + required: false + description: MITRE ATT&CK tactic ID written by Foundation into SOCFramework.Mitre.Tactic.ID (e.g. TA0002 for Execution). 
+ Used alongside verdict to confirm execution without requiring hash matching when CGO/XDM fields are not populated. + playbookInputQuery: null inputSections: - - inputs: - - host_likely_compromised - - host_suspicious - - host_isolated_signal - - host_high_issue_count - - SHA256 - - verdict - - initiator_sha256 - - case_mitre_tactics - - case_mitre_techniques - - case_issue_count - - xdm_sourceprocess_executable_sha256 - - cgo_sha256 - - tactic_id - name: General (Inputs group) - description: Generic group for inputs +- inputs: + - host_likely_compromised + - host_suspicious + - host_isolated_signal + - host_high_issue_count + - SHA256 + - verdict + - initiator_sha256 + - case_mitre_tactics + - case_mitre_techniques + - case_issue_count + - xdm_sourceprocess_executable_sha256 + - cgo_sha256 + - tactic_id + name: General (Inputs group) + description: Generic group for inputs outputSections: - - outputs: - - Analysis.Endpoint.compromise_level - - Analysis.Endpoint.compromise_decision - name: General (Outputs group) - description: Generic group for outputs +- outputs: + - Analysis.Endpoint.compromise_level + - Analysis.Endpoint.compromise_decision + name: General (Outputs group) + description: Generic group for outputs outputs: - - contextPath: Analysis.Endpoint.compromise_level - description: Is this host considered compromised? - type: unknown - - contextPath: Analysis.Endpoint.compromise_decision - description: Why did this playbook decide this was the finding? - type: unknown +- contextPath: Analysis.Endpoint.compromise_level + description: Is this host considered compromised? + type: unknown +- contextPath: Analysis.Endpoint.compromise_decision + description: Why did this playbook decide this was the finding? + type: unknown sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false adopted: true 
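Review bot: `case_mitre_techniques` is bound to `${parentIncidentFields.mitre_techniques_ids_and_names.[0]}`, so only the first technique of the case reaches the playbook, yet task 79 tests `T1055 notIn inputs.case_mitre_techniques`; a process-injection technique listed anywhere but first is invisible to that check, so either bind the whole list (`${parentIncidentFields.mitre_techniques_ids_and_names}`) or state the limitation in the description. Eight of the thirteen inputs still have `description: ''`; at minimum `SHA256` should say it is the comma-joined list of `SOCFramework.Artifacts.File` hashes, and `initiator_sha256`, `xdm_sourceprocess_executable_sha256` and `cgo_sha256` should name the issue field each mirrors. `host_suspicious` and `host_isolated_signal` share the default `'40'` while their descriptions describe adjacent bands, so the descriptions should say whether the comparison is inclusive at the boundary. `tactic_id` is documented as an alternative to hash matching when CGO/XDM fields are empty, but none of the condition tasks in these hunks references it, so either wire it into those checks or note that it is currently unused.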
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml index 4aecaeed..95329691 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Containment_V3.yml @@ -1233,4 +1233,4 @@ outputs: - contextPath: Containment.isolated_hosts type: unknown sourceplaybookid: Containment Plan -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml index f6ec9294..529294fb 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Signal_Characterization_V3.yml @@ -2,20 +2,19 @@ fromversion: 5.0.0 adopted: true contentitemexportablefields: contentitemfields: - definitionid: "" + definitionid: '' fromServerVersion: 5.0.0 isoverridable: false itemVersion: 3.0.30 packID: soc-framework-nist-ir packName: SOC Framework Unified - prevname: "" + prevname: '' supportedModules: [] - toServerVersion: "" -description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis is - not attack vector.\nThis is behavioral class.\nCurrent Tasks:\n\nDefine Attack Vector\nIs - Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? \nSet Endpoint Path " -dirtyInputs: true -id: 'SOC Endpoint Signal Characterization_V3' + toServerVersion: '' +description: "Purpose\nDetermine what type of endpoint behavior this is.\nThis is not attack vector.\nThis is behavioral class.\n\ + Current Tasks:\n\nDefine Attack Vector\nIs Malware? \nIs Injection / Shellcode? \nDoes CGO CMD Exist? \nSet Endpoint Path " +dirtyInputs: false +id: SOC Endpoint Signal Characterization_V3 inputSections: - description: Generic group for inputs inputs: 
@@ -23,7 +22,7 @@ inputSections: - cgo_name name: General (Inputs group) inputs: -- description: "" +- description: '' key: case_name playbookInputQuery: null required: false @@ -33,7 +32,7 @@ inputs: root: issue transformers: - operator: toLowerCase -- description: "" +- description: '' key: cgo_name playbookInputQuery: null required: false @@ -50,7 +49,7 @@ outputs: description: What type of Endpoint Signal is this (i.e. malware, process, behavioral)? type: string sourceplaybookid: SOC Data Analysis_V3 -starttaskid: "0" +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -58,52 +57,46 @@ tags: - NIST 800-61 - EndPoint tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "3" + - '3' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 27ca4564-aefc-483e-8598-fa04dbefbf2e iscommand: false istaskmissingcomponenterrordismissed: false - name: "" + name: '' playbooktaskmissingcomponent: null version: -1 taskid: 27ca4564-aefc-483e-8598-fa04dbefbf2e timertriggers: [] type: start - view: |- - { - "position": { - "x": 592.5, - "y": 50 - } - } - "3": - continueonerrortype: "" - id: "3" + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 50\n }\n}" + '3': + continueonerrortype: '' + id: '3' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "4" + - '4' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: dfb1f62b-258e-4e82-8f1c-b14f17ea13e4 iscommand: false istaskmissingcomponenterrordismissed: false @@ -114,14 +107,8 @@ tasks: taskid: dfb1f62b-258e-4e82-8f1c-b14f17ea13e4 timertriggers: [] type: title - view: |- - { - "position": { - "x": 592.5, - "y": 220 - } - } - "4": + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 220\n }\n}" + '4': conditions: - condition: - - left: 
@@ -158,27 +145,29 @@ tasks: value: simple: malicious label: Malware - continueonerrortype: "" - id: "4" + continueonerrortype: '' + id: '4' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#default#': - - "5" + - '5' Malware: - - "8" + - '8' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" - description: |- - This captures: + brand: '' + description: 'This captures: + WildFire Malware + Malware Activity - Known Malicious File + + Known Malicious File' id: 58525173-8940-4cae-8796-3af3458bf7d5 iscommand: false istaskmissingcomponenterrordismissed: false @@ -189,14 +178,8 @@ tasks: taskid: 58525173-8940-4cae-8796-3af3458bf7d5 timertriggers: [] type: condition - view: |- - { - "position": { - "x": 592.5, - "y": 390 - } - } - "5": + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 390\n }\n}" + '5': conditions: - condition: - - left: @@ -233,27 +216,29 @@ tasks: value: simple: exploit label: Behavioral - continueonerrortype: "" - id: "5" + continueonerrortype: '' + id: '5' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#default#': - - "10" + - '10' Behavioral: - - "9" + - '9' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" - description: |- - This matches: + brand: '' + description: 'This matches: + Process Injection + In-process shellcode Protection - Exploit-based detections + + Exploit-based detections' id: 503051b3-d89e-4d5c-9cdc-057518241481 iscommand: false istaskmissingcomponenterrordismissed: false @@ -264,16 +249,10 @@ tasks: taskid: 503051b3-d89e-4d5c-9cdc-057518241481 timertriggers: [] type: condition - view: |- - { - "position": { - "x": 807.5, - "y": 575 - } - } - "6": - continueonerrortype: "" - id: "6" + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 575\n }\n}" + '6': + continueonerrortype: '' + id: '6' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -282,7 +261,7 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 0c3c3767-5423-4648-837a-2857fffb8f14 iscommand: false istaskmissingcomponenterrordismissed: false @@ -293,30 +272,24 @@ tasks: taskid: 0c3c3767-5423-4648-837a-2857fffb8f14 timertriggers: [] type: title - view: |- - { - "position": { - "x": 695, - "y": 1130 - } - } - "8": + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 1130\n }\n}" + '8': continueonerror: true - continueonerrortype: "" - id: "8" + continueonerrortype: '' + id: '8' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "6" + - '6' note: false quietmode: 0 scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.signal_type value: 
@@ -324,14 +297,12 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 90251b08-df0e-4500-a4b4-ed12c43af066 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -343,29 +314,23 @@ tasks: taskid: 90251b08-df0e-4500-a4b4-ed12c43af066 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 945 - } - } - "9": - continueonerrortype: "" - id: "9" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 945\n }\n}" + '9': + continueonerrortype: '' + id: '9' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "6" + - '6' note: false quietmode: 0 scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.signal_type value: 
@@ -373,14 +338,12 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 4905a04f-649e-4919-86fd-72eeb6f0ed39 iscommand: false istaskmissingcomponenterrordismissed: false @@ -392,14 +355,8 @@ tasks: taskid: 4905a04f-649e-4919-86fd-72eeb6f0ed39 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 480, - "y": 945 - } - } - "10": + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 945\n }\n}" + '10': conditions: - condition: - - left: 
@@ -408,29 +365,33 @@ tasks: simple: inputs.cgo_name operator: isNotEmpty label: Process Execution - continueonerrortype: "" - id: "10" + continueonerrortype: '' + id: '10' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#default#': - - "6" + - '6' Process Execution: - - "11" + - '11' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" - description: |- - This captures: + brand: '' + description: 'This captures: + Suspicious PowerShell + LOLBin misuse + Encoded commands + Script abuse - PsExec, WMI, etc. + + PsExec, WMI, etc.' id: 2515f02b-331a-4450-ab16-14148c327068 iscommand: false istaskmissingcomponenterrordismissed: false @@ -441,29 +402,23 @@ tasks: taskid: 2515f02b-331a-4450-ab16-14148c327068 timertriggers: [] type: condition - view: |- - { - "position": { - "x": 1022.5, - "y": 760 - } - } - "11": - continueonerrortype: "" - id: "11" + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 760\n }\n}" + '11': + continueonerrortype: '' + id: '11' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "6" + - '6' note: false quietmode: 0 scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Endpoint.signal_type value: 
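Review bot: The `#default#` branch of task 10 routes straight to task 6 (the closing title), so a signal that is neither Malware (task 4), Behavioral (task 5) nor Process Execution (task 10, `inputs.cgo_name isNotEmpty`) leaves the playbook with `Analysis.Endpoint.signal_type` never written, even though the playbook declares that output as `type: string`. Downstream playbooks then see an absent key rather than an explicit classification, which is easy to mistake for a failed enrichment. A fourth SetAndHandleEmpty task on the default path writing an explicit value such as `unknown` (mirroring tasks 8, 9 and 11) would make the unclassified case visible in context; at minimum the task description should state `If no branch matches, signal_type is left unset.` This is pre-existing behaviour that the re-serialisation in this hunk does not change, and the condition body of task 10 begins before the hunk.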
@@ -471,14 +426,12 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: fd88680e-db16-4666-9582-ab616eb2fa77 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -490,23 +443,7 @@ tasks: taskid: fd88680e-db16-4666-9582-ab616eb2fa77 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 910, - "y": 945 - } - } + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 945\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 1140, - "width": 1352.5, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1140,\n \"width\":\ + \ 1352.5,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml index 98895420..3b3938b4 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Endpoint_Verdict_Resolution_V3.yml @@ -14,9 +14,8 @@ contentitemexportablefields: supportedModules: [] vcShouldKeepItemLegacyProdMachine: false name: SOC Endpoint Verdict Resolution_V3 -description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\ - \nCurrent Tasks\nWhat is Current File Verdict \nCan We Get the Verdict\nWildFire\ - \ Detonate \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict " +description: "Purpose: Is the artifact malicious, suspicious, benign, or unknown?\n\nCurrent Tasks\nWhat is Current File Verdict\ + \ \nCan We Get the Verdict\nWildFire Detonate \nDBot Score \nDoes DBot Think It’s Malicious? \nSet Verdict " tags: - SOC - SOC_Framework_Unified 
@@ -81,16 +80,14 @@ tasks: id: 1f2777b4-95d9-4165-bb28-a2058dfb0f76 version: -1 name: WildFire - Detonate file v2 - description: 'Detonate one or more files using the Wildfire v2 integration. - This playbook + description: 'Detonate one or more files using the Wildfire v2 integration. This playbook - returns relevant reports to the War Room and file reputations to the context - data. + returns relevant reports to the War Room and file reputations to the context data. The detonation supports the following file types - - APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, - PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, PERL, PYTHON, SHELL. + APK, JAR, DOC, DOCX, RTF, XLS, XLSX, PPT, PPTX, OOXML, PE32, PE, PDF, DMG, PKG, RAR, 7Z, JS, ELF, HTA, LNK, VBS, PS1, + PERL, PYTHON, SHELL. Note: Base64 encoded files are currently not supported.' @@ -155,10 +152,9 @@ tasks: skipunavailable: false task: brand: '' - description: Capture the original verdict from the source detection platform - before any enrichment runs. Preserved in Analysis.Endpoint.source_verdict - so downstream playbooks can detect discrepancies between source classification - and enrichment results. + description: Capture the original verdict from the source detection platform before any enrichment runs. Preserved in + Analysis.Endpoint.source_verdict so downstream playbooks can detect discrepancies between source classification and + enrichment results. id: b2c3d4e5-f6a7-8901-bcde-f23456789012 iscommand: false istaskmissingcomponenterrordismissed: false @@ -492,8 +488,7 @@ tasks: id: 18476c9f-e302-479f-812c-0ff30a09de78 version: -1 name: Get Dbot Indicator Score - description: The script calculates the average DBot score for each indicator - in the context. + description: The script calculates the average DBot score for each indicator in the context. scriptName: DBotAverageScore type: regular iscommand: false 
@@ -521,11 +516,9 @@ tasks: id: 2d37c317-fbcc-47c3-93bf-f8872db22468 version: -1 name: Set Verdict Malicious - description: "Set a value in context under the key you entered. If no value\ - \ is entered, the script doesn't do anything.\n\nThis automation runs using\ - \ the default Limited User role, unless you explicitly change the permissions.\n\ - For more information, see the section about permissions here:\n- For Cortex\ - \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty 
@@ -564,11 +557,9 @@ tasks: id: bc349f0b-d8ec-4dd4-b6ea-578509e2b929 version: -1 name: Set Verdict Suspicious - description: "Set a value in context under the key you entered. If no value\ - \ is entered, the script doesn't do anything.\n\nThis automation runs using\ - \ the default Limited User role, unless you explicitly change the permissions.\n\ - For more information, see the section about permissions here:\n- For Cortex\ - \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty 
@@ -607,11 +598,9 @@ tasks: id: 844144f5-b61a-45f0-8e9e-739511f2b43f version: -1 name: Set Verdict Unknown - description: "Set a value in context under the key you entered. If no value\ - \ is entered, the script doesn't do anything.\n\nThis automation runs using\ - \ the default Limited User role, unless you explicitly change the permissions.\n\ - For more information, see the section about permissions here:\n- For Cortex\ - \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty 
@@ -702,11 +691,9 @@ tasks: id: 05b85087-43b9-4d28-94c9-8ad2c98db66b version: -1 name: Set Verdict Benign - description: "Set a value in context under the key you entered. If no value\ - \ is entered, the script doesn't do anything.\n\nThis automation runs using\ - \ the default Limited User role, unless you explicitly change the permissions.\n\ - For more information, see the section about permissions here:\n- For Cortex\ - \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" scriptName: SetAndHandleEmpty @@ -738,9 +725,8 @@ tasks: isoversize: false isautoswitchedtoquietmode: false system: true -view: "{\n \"linkLabelsPosition\": {\n \"19_21_Suspicious\": 0.56\n },\n \"\ - paper\": {\n \"dimensions\": {\n \"height\": 1690,\n \"width\": 1910,\n\ - \ \"x\": 80,\n \"y\": 50\n }\n }\n}" +view: "{\n \"linkLabelsPosition\": {\n \"19_21_Suspicious\": 0.56\n },\n \"paper\": {\n \"dimensions\": {\n \ + \ \"height\": 1690,\n \"width\": 1910,\n \"x\": 80,\n \"y\": 50\n }\n }\n}" inputs: - key: SHA256 value: 
@@ -768,13 +754,12 @@ outputSections: description: Generic group for outputs outputs: - contextPath: Analysis.Endpoint.verdict - description: Confirmed artifact verdict after all enrichment sources and WildFire/DBot - aggregation + description: Confirmed artifact verdict after all enrichment sources and WildFire/DBot aggregation type: string - contextPath: Analysis.Endpoint.source_verdict - description: Original verdict from the source detection platform before enrichment - (e.g. malicious from CrowdStrike). Preserved for discrepancy detection downstream. + description: Original verdict from the source detection platform before enrichment (e.g. malicious from CrowdStrike). Preserved + for discrepancy detection downstream. type: string sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false adopted: true diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml index 1d0c6752..18a1ccde 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Eradication_V3.yml @@ -1190,4 +1190,4 @@ outputs: - contextPath: Eradication.story type: unknown sourceplaybookid: SOC Containment_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml index 4b81c02b..fb8082b6 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Analysis_V3.yml 
@@ -3,51 +3,39 @@ fromversion: 5.0.0 id: SOC Identity Analysis_V3 version: -1 name: SOC Identity Analysis_V3 -description: |- - Identity-specific analysis playbook. Runs inside SOC Analysis_V3 when - SOCFramework.Product.category = "Identity". - - Follows the standard analysis pattern: - 1. SOC Initialize Investigation Context_V3 - clean keys, load case counts - 2. Signal Characterization - evaluate MITRE tactics and identity threat type - 3. Compromise Evaluation - set compromise_level and compromise_decision - 4. Spread Evaluation - set spread_level based on user/host scope - 5. Recommendations - set confidence and response_recommended - 6. SOC Analysis Evaluation_V3 - publish canonical Analysis.* context keys - - Intermediate keys: Analysis.Identity.* - Published keys: canonical Analysis.* consumed by SOC NIST IR (800-61)_V3 - - Value Driver: VD1 (MTTD), VD3 (analyst efficiency - automated assessment) - SOC Challenges: Repetitive Workflows, Analyst Fatigue, Too Many Manual Investigations +description: "Identity-specific analysis playbook. Runs inside SOC Analysis_V3 when\nSOCFramework.Product.category = \"Identity\"\ + .\n\nFollows the standard analysis pattern:\n 1. SOC Initialize Investigation Context_V3 - clean keys, load case counts\n\ + \ 2. Signal Characterization - evaluate MITRE tactics and identity threat type\n 3. Compromise Evaluation - set compromise_level\ + \ and compromise_decision\n 4. Spread Evaluation - set spread_level based on user/host scope\n 5. Recommendations - set\ + \ confidence and response_recommended\n 6. 
SOC Analysis Evaluation_V3 - publish canonical Analysis.* context keys\n\nIntermediate\ + \ keys: Analysis.Identity.*\nPublished keys: canonical Analysis.* consumed by SOC NIST IR (800-61)_V3\n\nValue Driver: VD1\ + \ (MTTD), VD3 (analyst efficiency - automated assessment)\nSOC Challenges: Repetitive Workflows, Analyst Fatigue, Too Many\ + \ Manual Investigations" tags: - SOC - SOC_Framework_Unified - Detection & Analysis - NIST 800-61 - Identity -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" - taskid: id-ia-start-0001 + '0': + id: '0' + taskid: 84141e91-8042-5fa8-af29-04659ee420f0 type: start task: - id: id-ia-start-0001 + id: 84141e91-8042-5fa8-af29-04659ee420f0 version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "1" + - '1' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 50 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 50 }\n}" note: false timertriggers: [] ignoreworker: false @@ -55,29 +43,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "1": - id: "1" - taskid: id-ia-prep-title-0002 + '1': + id: '1' + taskid: 4a5e020d-8b0e-589f-ac7d-4ef6a4b625aa type: title task: - id: id-ia-prep-title-0002 + id: 4a5e020d-8b0e-589f-ac7d-4ef6a4b625aa version: -1 name: Preparation description: Clean context keys and load case counts from incident fields. type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "2" + - '2' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 185 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 185 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -85,24 +69,23 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "2": - id: "2" - taskid: id-ia-init-ctx-0003 + '2': + id: '2' + taskid: 22d64792-9228-5a41-b01c-7bf4cd620e63 type: playbook task: - id: id-ia-init-ctx-0003 + id: 22d64792-9228-5a41-b01c-7bf4cd620e63 version: -1 name: SOC Initialize Investigation Context description: Clean up the data context and prepare to perform the investigation. playbookName: SOC Initialize Investigation Context_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "3" + - '3' scriptarguments: case_host_count: simple: ${parentIncidentFields.host_count} @@ -115,16 +98,13 @@ tasks: reset_issue_keys: simple: Investigation, Analysis, Containment, Eradication, Recovery separatecontext: false - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { "x": 480, "y": 330 } - } + view: "{\n \"position\": { \"x\": 480, \"y\": 330 }\n}" note: false timertriggers: [] ignoreworker: false @@ -132,29 +112,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "3": - id: "3" - taskid: id-ia-sigchar-title-0004 + '3': + id: '3' + taskid: 425b0e53-ab75-59fc-8a5a-621e17279ecc type: title task: - id: id-ia-sigchar-title-0004 + id: 425b0e53-ab75-59fc-8a5a-621e17279ecc version: -1 name: Signal Characterization description: Evaluate MITRE tactics and classify the identity threat type. type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "4" + - '4' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 500 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 500 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -162,31 +138,30 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "4": - id: "4" - taskid: id-ia-tactic-check-0005 + '4': + id: '4' + taskid: 96b14199-3610-55d2-9f29-0108fc6752f4 type: condition task: - id: id-ia-tactic-check-0005 + id: 96b14199-3610-55d2-9f29-0108fc6752f4 version: -1 name: Identity Threat Signal Type description: Classifies the primary identity threat from MITRE tactics in the case. type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#default#': - - "5" + - '5' Credential Access: - - "10" + - '10' Privilege Escalation: - - "11" + - '11' Persistence: - - "12" + - '12' Lateral Movement: - - "13" + - '13' separatecontext: false conditions: - label: Privilege Escalation @@ -229,11 +204,8 @@ tasks: right: value: simple: TA0006 - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 640 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 640 }\n}" note: false timertriggers: [] ignoreworker: false @@ -241,38 +213,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "5": - id: "5" - taskid: id-ia-sigtype-default-0006 + '5': + id: '5' + taskid: 6751050a-dbd9-511b-b640-7ac6c9cc7bea type: regular task: - id: id-ia-sigtype-default-0006 + id: 6751050a-dbd9-511b-b640-7ac6c9cc7bea version: -1 name: Set Signal Type - Identity Anomaly scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "20" + - '20' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.signal_type value: simple: identity_anomaly separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 830 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 830 }\n}" note: false timertriggers: [] ignoreworker: false 
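Review bot: Task 4 ("Identity Threat Signal Type") fans out to five branches, but its description does not say which one wins when a case carries more than one of the listed tactics, which is common for identity cases (credential access followed by privilege escalation). As far as I recall XSOAR condition tasks take the first label whose condition evaluates true, so the order of the `conditions` list (it opens with `Privilege Escalation` here and its last visible check is `TA0006`) decides the `signal_type`, and that value in turn feeds the compromise decision in task 21. Suggest extending the description to `Classifies the primary identity threat from MITRE tactics in the case. Branches are evaluated in list order; a case with several tactics takes the first matching label.` The conditions list continues past the end of this hunk, so the full precedence order is not visible here.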
@@ -280,38 +248,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "10": - id: "10" - taskid: id-ia-sigtype-cred-0010 + '10': + id: '10' + taskid: cc760965-e609-59ed-bf68-a29be2048037 type: regular task: - id: id-ia-sigtype-cred-0010 + id: cc760965-e609-59ed-bf68-a29be2048037 version: -1 name: Set Signal Type - Credential Access scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "20" + - '20' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.signal_type value: simple: credential_access separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 0, "y": 830 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 0, \"y\": 830 }\n}" note: false timertriggers: [] ignoreworker: false @@ -319,38 +283,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "11": - id: "11" - taskid: id-ia-sigtype-privesc-0011 + '11': + id: '11' + taskid: a17e0f64-917f-5557-9cd7-2464f293872d type: regular task: - id: id-ia-sigtype-privesc-0011 + id: a17e0f64-917f-5557-9cd7-2464f293872d version: -1 name: Set Signal Type - Privilege Escalation scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "20" + - '20' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.signal_type value: simple: privilege_escalation separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 830 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 830 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -358,38 +318,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "12": - id: "12" - taskid: id-ia-sigtype-persist-0012 + '12': + id: '12' + taskid: cec1a43d-e86c-5912-9f0f-a56a95ed6639 type: regular task: - id: id-ia-sigtype-persist-0012 + id: cec1a43d-e86c-5912-9f0f-a56a95ed6639 version: -1 name: Set Signal Type - Persistence scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "20" + - '20' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.signal_type value: simple: identity_persistence separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 830 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 830 }\n}" note: false timertriggers: [] ignoreworker: false @@ -397,38 +353,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "13": - id: "13" - taskid: id-ia-sigtype-lateral-0013 + '13': + id: '13' + taskid: f9f68f79-e221-5e5e-bb1b-4f2f7175d42d type: regular task: - id: id-ia-sigtype-lateral-0013 + id: f9f68f79-e221-5e5e-bb1b-4f2f7175d42d version: -1 name: Set Signal Type - Lateral Movement scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "20" + - '20' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.signal_type value: simple: lateral_movement separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 960, "y": 830 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 960, \"y\": 830 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -436,29 +388,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "20": - id: "20" - taskid: id-ia-compromise-title-0020 + '20': + id: '20' + taskid: 991c4c11-13b6-5a95-a217-4967662c41cc type: title task: - id: id-ia-compromise-title-0020 + id: 991c4c11-13b6-5a95-a217-4967662c41cc version: -1 name: Compromise Evaluation description: Evaluate compromise level based on XSIAM risk score and signal type. type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "21" + - '21' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 1020 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 1020 }\n}" note: false timertriggers: [] ignoreworker: false @@ -466,25 +414,24 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "21": - id: "21" - taskid: id-ia-risk-score-check-0021 + '21': + id: '21' + taskid: 771a5d10-c92a-5de0-bc10-104bbe2a2ffe type: condition task: - id: id-ia-risk-score-check-0021 + id: 771a5d10-c92a-5de0-bc10-104bbe2a2ffe version: -1 name: Risk Score - High? description: Score >= 70 OR privilege_escalation/persistence signal drives likely_compromised. type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#default#': - - "23" + - '23' high: - - "22" + - '22' separatecontext: false conditions: - label: high @@ -496,7 +443,7 @@ tasks: iscontext: true right: value: - simple: "70" + simple: '70' - operator: isEqualString left: value: @@ -512,7 +459,7 @@ tasks: iscontext: true right: value: - simple: "70" + simple: '70' - operator: isEqualString left: value: 
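Review bot: The description on task 21 `Risk Score - High?` (hunk @@ -466,25 +414,24 @@) says `Score >= 70 OR privilege_escalation/persistence signal drives likely_compromised`, but the comparisons visible in this and the following hunks use a `70` threshold twice, each followed by an `isEqualString` check, and an `85` threshold once, so the documented rule appears to be a simplification of what the condition actually evaluates. The operators and left-hand context paths are outside the visible lines, so I cannot confirm the exact logic, but the description should state the real rule — for example `description: likely_compromised when score >= 85, or score >= 70 combined with a privilege_escalation or persistence signal.` if that is what the three comparisons encode. Task 41 `Analysis Confidence` (hunk @@ -885,26 +793,25 @@) has no description at all and would benefit from the same one-line routing summary. The conditions block of task 21 continues past the end of this hunk.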
@@ -528,12 +475,9 @@ tasks: iscontext: true right: value: - simple: "85" - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 1165 } - } + simple: '85' + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 1165 }\n}" note: false timertriggers: [] ignoreworker: false @@ -541,38 +485,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "22": - id: "22" - taskid: id-ia-compromise-high-0022 + '22': + id: '22' + taskid: e27ea7e7-477c-59bd-8497-0f5ffe33900f type: regular task: - id: id-ia-compromise-high-0022 + id: e27ea7e7-477c-59bd-8497-0f5ffe33900f version: -1 name: Set Compromise Level - likely_compromised scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "24" + - '24' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.compromise_level value: simple: likely_compromised separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 1350 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 1350 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -580,38 +520,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "23": - id: "23" - taskid: id-ia-compromise-med-0023 + '23': + id: '23' + taskid: fb404fe4-f0d0-577e-a8b7-c86533ebdc09 type: regular task: - id: id-ia-compromise-med-0023 + id: fb404fe4-f0d0-577e-a8b7-c86533ebdc09 version: -1 name: Set Compromise Level - suspicious scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "25" + - '25' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.compromise_level value: simple: suspicious separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 1350 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 1350 }\n}" note: false timertriggers: [] ignoreworker: false @@ -619,38 +555,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "24": - id: "24" - taskid: id-ia-decision-malicious-0024 + '24': + id: '24' + taskid: 8352879c-c557-5ffc-8a00-1aabb1445b5e type: regular task: - id: id-ia-decision-malicious-0024 + id: 8352879c-c557-5ffc-8a00-1aabb1445b5e version: -1 name: Set Compromise Decision - malicious scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "30" + - '30' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.compromise_decision value: simple: malicious separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 1530 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 1530 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -658,38 +590,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "25": - id: "25" - taskid: id-ia-decision-suspicious-0025 + '25': + id: '25' + taskid: e5a4b347-5185-531b-9115-ff079ad4e4e6 type: regular task: - id: id-ia-decision-suspicious-0025 + id: e5a4b347-5185-531b-9115-ff079ad4e4e6 version: -1 name: Set Compromise Decision - suspicious_activity scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "30" + - '30' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.compromise_decision value: simple: suspicious_activity separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 1530 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 1530 }\n}" note: false timertriggers: [] ignoreworker: false @@ -697,28 +625,24 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "30": - id: "30" - taskid: id-ia-spread-title-0030 + '30': + id: '30' + taskid: b75bd97e-5b31-5eef-abdd-21e2c6213597 type: title task: - id: id-ia-spread-title-0030 + id: b75bd97e-5b31-5eef-abdd-21e2c6213597 version: -1 name: Evaluate Spread Level type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "31" + - '31' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 1710 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 1710 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -726,25 +650,24 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "31": - id: "31" - taskid: id-ia-spread-check-0031 + '31': + id: '31' + taskid: 301d93ad-f4a3-5baf-8f11-c244c4ada62b type: condition task: - id: id-ia-spread-check-0031 + id: 301d93ad-f4a3-5baf-8f11-c244c4ada62b version: -1 name: Spread Level - Multi-User? description: multi_entity if 3+ users or lateral movement signal. type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#default#': - - "33" + - '33' multi_entity: - - "32" + - '32' separatecontext: false conditions: - label: multi_entity @@ -756,7 +679,7 @@ tasks: iscontext: true right: value: - simple: "3" + simple: '3' - - operator: isEqualString left: value: @@ -765,11 +688,8 @@ tasks: right: value: simple: lateral_movement - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 1850 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 1850 }\n}" note: false timertriggers: [] ignoreworker: false @@ -777,38 +697,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "32": - id: "32" - taskid: id-ia-spread-multi-0032 + '32': + id: '32' + taskid: 03a40676-0aa9-503e-99bf-633e0f7c743f type: regular task: - id: id-ia-spread-multi-0032 + id: 03a40676-0aa9-503e-99bf-633e0f7c743f version: -1 name: Set Spread Level - multi_entity scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "40" + - '40' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.spread_level value: simple: multi_entity separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 2030 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 2030 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -816,38 +732,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "33": - id: "33" - taskid: id-ia-spread-single-0033 + '33': + id: '33' + taskid: f74499c8-44cd-5e83-a527-0479bea99002 type: regular task: - id: id-ia-spread-single-0033 + id: f74499c8-44cd-5e83-a527-0479bea99002 version: -1 name: Set Spread Level - single_entity scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "40" + - '40' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.spread_level value: simple: single_entity separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 2030 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 2030 }\n}" note: false timertriggers: [] ignoreworker: false @@ -855,29 +767,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "40": - id: "40" - taskid: id-ia-recommend-title-0040 + '40': + id: '40' + taskid: 9651a4fc-9db6-525e-9ee6-c765e893d9c3 type: title task: - id: id-ia-recommend-title-0040 + id: 9651a4fc-9db6-525e-9ee6-c765e893d9c3 version: -1 name: Make Recommendations description: Set confidence and response_recommended based on compromise evaluation. type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "41" + - '41' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2215 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2215 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -885,26 +793,25 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "41": - id: "41" - taskid: id-ia-confidence-check-0041 + '41': + id: '41' + taskid: 739f4119-7867-5359-ae11-327553d967cd type: condition task: - id: id-ia-confidence-check-0041 + id: 739f4119-7867-5359-ae11-327553d967cd version: -1 name: Analysis Confidence type: condition iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#default#': - - "44" + - '44' high: - - "42" + - '42' medium: - - "43" + - '43' separatecontext: false conditions: - label: high @@ -967,11 +874,8 @@ tasks: right: value: simple: likely_compromised - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2370 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2370 }\n}" note: false timertriggers: [] ignoreworker: false @@ -979,38 +883,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "42": - id: "42" - taskid: id-ia-confidence-high-0042 + '42': + id: '42' + taskid: 614781f6-0256-5015-9570-e411a06eac70 type: regular task: - id: id-ia-confidence-high-0042 + id: 614781f6-0256-5015-9570-e411a06eac70 version: -1 name: Investigation Confidence High scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.confidence value: simple: high separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 240, "y": 2560 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 240, \"y\": 2560 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1018,38 +918,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "43": - id: "43" - taskid: id-ia-confidence-med-0043 + '43': + id: '43' + taskid: 28d71874-9c02-5ba6-afb8-bc32f156d4b9 type: regular task: - id: id-ia-confidence-med-0043 + id: 28d71874-9c02-5ba6-afb8-bc32f156d4b9 version: -1 name: Investigation Confidence Medium scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "45" + - '45' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.confidence value: simple: medium separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 720, "y": 2560 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 720, \"y\": 2560 }\n}" note: false timertriggers: [] ignoreworker: false @@ -1057,38 +953,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "44": - id: "44" - taskid: id-ia-confidence-low-0044 + '44': + id: '44' + taskid: cfe7c506-7d41-5e61-b97f-21c749812fa3 type: regular task: - id: id-ia-confidence-low-0044 + id: cfe7c506-7d41-5e61-b97f-21c749812fa3 version: -1 name: Investigation Confidence Low scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "46" + - '46' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.confidence value: simple: low separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2560 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2560 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1096,38 +988,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "45": - id: "45" - taskid: id-ia-response-yes-0045 + '45': + id: '45' + taskid: e101470d-c24a-58c7-a37e-780938269ce8 type: regular task: - id: id-ia-response-yes-0045 + id: e101470d-c24a-58c7-a37e-780938269ce8 version: -1 name: Analysis Response Recommended scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "50" + - '50' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.response_recommended value: - simple: "true" + simple: 'true' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2745 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2745 }\n}" note: false timertriggers: [] ignoreworker: false @@ -1135,38 +1023,34 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "46": - id: "46" - taskid: id-ia-response-no-0046 + '46': + id: '46' + taskid: 0d1d268c-9a7a-5e96-9af9-b150c955733b type: regular task: - id: id-ia-response-no-0046 + id: 0d1d268c-9a7a-5e96-9af9-b150c955733b version: -1 name: Analysis Response NOT Recommended scriptName: SetAndHandleEmpty type: regular iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "50" + - '50' scriptarguments: append: - simple: "false" + simple: 'false' force: - simple: "true" + simple: 'true' key: simple: Analysis.Identity.response_recommended value: - simple: "false" + simple: 'false' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 2745 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 2745 }\n}" note: false timertriggers: [] ignoreworker: false 
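Review bot: Tasks 45 `Analysis Response Recommended` and 46 `Analysis Response NOT Recommended` are both placed at `{ "x": 480, "y": 2745 }` in their `view` lines, so the two nodes overlap on the canvas and one hides the other in the playbook editor. Since this commit is already repairing canvas layout in the sibling playbooks, it is worth spacing them like the 42/43 pair, e.g. `view: "{\n \"position\": { \"x\": 240, \"y\": 2745 }\n}"` for task 45 and `\"x\": 720` for task 46. This is cosmetic only; execution is unaffected.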
@@ -1174,24 +1058,23 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "50": - id: "50" - taskid: id-ia-eval-publish-0050 + '50': + id: '50' + taskid: 698089f4-af29-5db4-abe4-acd405c24f21 type: playbook task: - id: id-ia-eval-publish-0050 + id: 698089f4-af29-5db4-abe4-acd405c24f21 version: -1 name: SOC Analysis Evaluation_V3 description: Publishes Analysis.Identity.* to canonical Analysis.* keys consumed by SOC NIST IR. playbookName: SOC Analysis Evaluation_V3 type: playbook iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null nexttasks: '#none#': - - "99" + - '99' scriptarguments: case_category: simple: ${Analysis.Identity.signal_type} 
@@ -1230,29 +1113,40 @@ tasks: spread_level: simple: ${Analysis.Identity.spread_level} story: - simple: "Identity Analysis Summary\n\nThe primary identity under investigation\ - \ is \"${SOCFramework.Artifacts.UserName}\".\n\nThe identity threat signal\ - \ has been classified as \"${Analysis.Identity.signal_type}\" with a compromise\ - \ level of \"${Analysis.Identity.compromise_level}\", based on MITRE ATT&CK\ - \ tactic correlation and XSIAM risk scoring.\n\nActivity scope:\n\u2022\ - \ Users involved: ${parentIncidentFields.user_count}\n\u2022 Hosts involved:\ - \ ${parentIncidentFields.host_count}\n\u2022 Alerts in case: ${parentIncidentFields.alert_count}\n\ - \u2022 Spread level: ${Analysis.Identity.spread_level}\n\nInvestigation\ - \ confidence is \"${Analysis.Identity.confidence}\".\nResponse recommendation:\ - \ ${Analysis.Identity.response_recommended}." + simple: 'Identity Analysis Summary + + + The primary identity under investigation is "${SOCFramework.Artifacts.UserName}". + + + The identity threat signal has been classified as "${Analysis.Identity.signal_type}" with a compromise level of + "${Analysis.Identity.compromise_level}", based on MITRE ATT&CK tactic correlation and XSIAM risk scoring. + + + Activity scope: + + • Users involved: ${parentIncidentFields.user_count} + + • Hosts involved: ${parentIncidentFields.host_count} + + • Alerts in case: ${parentIncidentFields.alert_count} + + • Spread level: ${Analysis.Identity.spread_level} + + + Investigation confidence is "${Analysis.Identity.confidence}". + + Response recommendation: ${Analysis.Identity.response_recommended}.' verdict: simple: ${Analysis.Identity.compromise_decision} separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: |- - { - "position": { "x": 480, "y": 2930 } - } + view: "{\n \"position\": { \"x\": 480, \"y\": 2930 }\n}" note: false timertriggers: [] ignoreworker: false 
@@ -1260,25 +1154,21 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - - "99": - id: "99" - taskid: id-ia-done-0099 + '99': + id: '99' + taskid: 96a551b1-7b03-5f98-88a5-593448331d8b type: title task: - id: id-ia-done-0099 + id: 96a551b1-7b03-5f98-88a5-593448331d8b version: -1 name: Done type: title iscommand: false - brand: "" + brand: '' playbooktaskmissingcomponent: null separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { "x": 480, "y": 3120 } - } + continueonerrortype: '' + view: "{\n \"position\": { \"x\": 480, \"y\": 3120 }\n}" note: false timertriggers: [] ignoreworker: false @@ -1286,7 +1176,6 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - inputs: - key: entity_id value: @@ -1298,13 +1187,13 @@ inputs: value: simple: ${SOCFramework.Product.category} required: false - description: "" + description: '' playbookInputQuery: null - key: entity_type value: simple: ${SOCFramework.Product.category} required: false - description: "" + description: '' playbookInputQuery: null inputSections: - inputs: @@ -1378,17 +1267,7 @@ outputs: type: unknown - contextPath: Analysis.case_user_count type: unknown -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 3130, - "width": 1340, - "x": 0, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 3130,\n \"width\":\ + \ 1340,\n \"x\": 0,\n \"y\": 50\n }\n }\n}" sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml index 96ea646a..829814c9 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Containment_V3.yml 
@@ -707,4 +707,4 @@ outputs: - contextPath: Core.Isolation.endpoint_id description: The isolated endpoint ID. sourceplaybookid: Containment Plan -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml index 77f83463..65af3c41 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Eradication_V3.yml @@ -20,10 +20,10 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: id-ie-start-0001 + taskid: a02a81bf-dfe5-54fd-b3b9-101064463cc1 type: start task: - id: id-ie-start-0001 + id: a02a81bf-dfe5-54fd-b3b9-101064463cc1 version: -1 name: '' iscommand: false @@ -44,10 +44,10 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: id-ie-response-gate-0001 + taskid: 5a0d1ea9-fed2-5530-bdc2-021f3fa93940 type: condition task: - id: id-ie-response-gate-0001 + id: 5a0d1ea9-fed2-5530-bdc2-021f3fa93940 version: -1 name: Recommended Response? description: Skip eradication entirely if analysis did not recommend a response. @@ -83,10 +83,10 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: id-ie-compromise-check-0002 + taskid: a487d443-721b-576e-8eae-572184ac75be type: condition task: - id: id-ie-compromise-check-0002 + id: a487d443-721b-576e-8eae-572184ac75be version: -1 name: Compromised Level? description: 'likely_compromised = full reset (password + tokens). @@ -136,10 +136,10 @@ tasks: isautoswitchedtoquietmode: false '20': id: '20' - taskid: id-ie-full-erad-title-0020 + taskid: 9daf5386-bbf3-5082-afc8-504c14b89a85 type: title task: - id: id-ie-full-erad-title-0020 + id: 9daf5386-bbf3-5082-afc8-504c14b89a85 version: -1 name: Full Eradication - Reset + Revoke type: title 
@@ -161,10 +161,10 @@ tasks: isautoswitchedtoquietmode: false '21': id: '21' - taskid: id-ie-reset-password-0021 + taskid: 5e9d32a5-7a16-556c-9d12-59b9a0cf8e84 type: regular task: - id: id-ie-reset-password-0021 + id: 5e9d32a5-7a16-556c-9d12-59b9a0cf8e84 version: -1 name: Reset Password - Universal Command scriptName: SOCCommandWrapper @@ -223,10 +223,10 @@ tasks: isautoswitchedtoquietmode: false '22': id: '22' - taskid: id-ie-set-creds-reset-0022 + taskid: 55faf68e-460c-5e6c-a548-932b360d1bd9 type: regular task: - id: id-ie-set-creds-reset-0022 + id: 55faf68e-460c-5e6c-a548-932b360d1bd9 version: -1 name: Set Credentials Reset scriptName: SetAndHandleEmpty @@ -258,10 +258,10 @@ tasks: isautoswitchedtoquietmode: false '30': id: '30' - taskid: id-ie-revoke-only-title-0030 + taskid: 656c7121-ccfe-578e-99d3-e36888aa6d06 type: title task: - id: id-ie-revoke-only-title-0030 + id: 656c7121-ccfe-578e-99d3-e36888aa6d06 version: -1 name: Token Revocation Only type: title @@ -283,10 +283,10 @@ tasks: isautoswitchedtoquietmode: false '31': id: '31' - taskid: id-ie-set-creds-not-reset-0031 + taskid: fba8f3c8-f62f-54de-b88b-ee0db6fe85ee type: regular task: - id: id-ie-set-creds-not-reset-0031 + id: fba8f3c8-f62f-54de-b88b-ee0db6fe85ee version: -1 name: Set Credentials NOT Reset scriptName: SetAndHandleEmpty @@ -318,10 +318,10 @@ tasks: isautoswitchedtoquietmode: false '29': id: '29' - taskid: id-ie-revoke-tokens-0029 + taskid: 84b38bfc-cc25-54a2-b65e-09159468f3f6 type: regular task: - id: id-ie-revoke-tokens-0029 + id: 84b38bfc-cc25-54a2-b65e-09159468f3f6 version: -1 name: Revoke Tokens - Universal Command scriptName: SOCCommandWrapper @@ -380,10 +380,10 @@ tasks: isautoswitchedtoquietmode: false '40': id: '40' - taskid: id-ie-finalize-title-0040 + taskid: 18c221f1-0f9b-59c1-98a6-2f2693da0f2f type: title task: - id: id-ie-finalize-title-0040 + id: 18c221f1-0f9b-59c1-98a6-2f2693da0f2f version: -1 name: Eradication Attempted type: title 
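Review bot: Tasks 21 `Reset Password - Universal Command` and 29 `Revoke Tokens - Universal Command` run through `SOCCommandWrapper`, which this commit changes to soft-fail and continue when the integration is not installed (error 23, per the commit description); the new code in these hunks only swaps taskids and does not show whether the follow-on tasks 22 `Set Credentials Reset` and 42 `Set Tokens Revoked` (next hunk) are gated on the wrapper's output rather than on simply reaching the task. If they are not, an `integration_unavailable` outcome would still record credentials as reset and tokens as revoked, and the eradication story would overstate what was actually done to the compromised identity. Please confirm the path between 21/22 and 29/42 checks the wrapper's result (the nulled UC output keys) before setting those flags, or add a sentence to the task descriptions explaining why an unconditional set is intended. The bodies of these tasks extend outside the visible hunk lines.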
@@ -405,10 +405,10 @@ tasks: isautoswitchedtoquietmode: false '41': id: '41' - taskid: id-ie-set-attempted-0041 + taskid: bbc23e09-ec5e-5170-b465-c07a93aaed70 type: regular task: - id: id-ie-set-attempted-0041 + id: bbc23e09-ec5e-5170-b465-c07a93aaed70 version: -1 name: Set Eradication Attempted scriptName: SetAndHandleEmpty @@ -440,10 +440,10 @@ tasks: isautoswitchedtoquietmode: false '42': id: '42' - taskid: id-ie-set-tokens-revoked-0042 + taskid: 2bfa8905-0035-5e61-abd4-c7121d9cec0c type: regular task: - id: id-ie-set-tokens-revoked-0042 + id: 2bfa8905-0035-5e61-abd4-c7121d9cec0c version: -1 name: Set Tokens Revoked scriptName: SetAndHandleEmpty @@ -475,10 +475,10 @@ tasks: isautoswitchedtoquietmode: false '43': id: '43' - taskid: id-ie-set-story-0043 + taskid: f60802bb-5b51-5a83-9a96-6283b9a757bd type: regular task: - id: id-ie-set-story-0043 + id: f60802bb-5b51-5a83-9a96-6283b9a757bd version: -1 name: Set Eradication Story scriptName: SetAndHandleEmpty @@ -527,10 +527,10 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: id-ie-no-erad-0011 + taskid: 062df020-51da-5d2a-8af6-0b31cd23c72e type: regular task: - id: id-ie-no-erad-0011 + id: 062df020-51da-5d2a-8af6-0b31cd23c72e version: -1 name: Set Eradication Not Attempted scriptName: SetAndHandleEmpty @@ -562,10 +562,10 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: id-ie-no-erad-story-0012 + taskid: 196209f0-1c8b-50f0-9b7c-b1da83ebaf6a type: regular task: - id: id-ie-no-erad-story-0012 + id: 196209f0-1c8b-50f0-9b7c-b1da83ebaf6a version: -1 name: Set No Eradication Story scriptName: SetAndHandleEmpty @@ -607,10 +607,10 @@ tasks: isautoswitchedtoquietmode: false '99': id: '99' - taskid: id-ie-done-0099 + taskid: 25915e27-6b7c-5519-af59-5262df416cc9 type: title task: - id: id-ie-done-0099 + id: 25915e27-6b7c-5519-af59-5262df416cc9 version: -1 name: Done type: title 
@@ -680,4 +680,4 @@ outputs: view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1860,\n \"width\":\ \ 1100,\n \"x\": 0,\n \"y\": 50\n }\n }\n}" sourceplaybookid: SOC Data Eradication_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml index 2b3aeae7..adff25c6 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Identity_Recovery_V3.yml @@ -19,10 +19,10 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: id-ir-start-0001 + taskid: 2cf144a5-06d4-5eeb-9e6e-c705782ad551 type: start task: - id: id-ir-start-0001 + id: 2cf144a5-06d4-5eeb-9e6e-c705782ad551 version: -1 name: '' iscommand: false @@ -43,10 +43,10 @@ tasks: isautoswitchedtoquietmode: false '1': id: '1' - taskid: id-ir-erad-gate-0001 + taskid: 5fbbe322-6516-5073-aea4-e23d1dbcd481 type: condition task: - id: id-ir-erad-gate-0001 + id: 5fbbe322-6516-5073-aea4-e23d1dbcd481 version: -1 name: Did Eradication Happen? description: 'Only proceed with recovery if eradication was attempted. @@ -84,10 +84,10 @@ tasks: isautoswitchedtoquietmode: false '2': id: '2' - taskid: id-ir-recovery-title-0002 + taskid: 2739bf0e-4810-5302-840f-5fad677896db type: title task: - id: id-ir-recovery-title-0002 + id: 2739bf0e-4810-5302-840f-5fad677896db version: -1 name: Identity Recovery Actions type: title @@ -109,10 +109,10 @@ tasks: isautoswitchedtoquietmode: false '200': id: '200' - taskid: id-ir-enable-user-0200 + taskid: 0c8201d0-dfbb-5adc-83a7-df14f680ff60 type: regular task: - id: id-ir-enable-user-0200 + id: 0c8201d0-dfbb-5adc-83a7-df14f680ff60 version: -1 name: Re-enable User Account - Universal Command scriptName: SOCCommandWrapper 
@@ -171,10 +171,10 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: id-ir-set-attempted-0003 + taskid: a1bd3e77-3bef-5929-95cd-b2322fdad3fd type: regular task: - id: id-ir-set-attempted-0003 + id: a1bd3e77-3bef-5929-95cd-b2322fdad3fd version: -1 name: Set Recovery Attempted scriptName: SetAndHandleEmpty @@ -206,10 +206,10 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: id-ir-set-account-restored-0004 + taskid: 48e962e5-864f-503b-be8e-987e6c89c964 type: regular task: - id: id-ir-set-account-restored-0004 + id: 48e962e5-864f-503b-be8e-987e6c89c964 version: -1 name: Set Account Restored scriptName: SetAndHandleEmpty @@ -241,10 +241,10 @@ tasks: isautoswitchedtoquietmode: false '5': id: '5' - taskid: id-ir-set-monitoring-0005 + taskid: a3bdd25b-00bd-5a38-935d-f037f3b47f20 type: regular task: - id: id-ir-set-monitoring-0005 + id: a3bdd25b-00bd-5a38-935d-f037f3b47f20 version: -1 name: Set Monitoring Required scriptName: SetAndHandleEmpty @@ -276,10 +276,10 @@ tasks: isautoswitchedtoquietmode: false '6': id: '6' - taskid: id-ir-set-restore-method-0006 + taskid: e1c9a288-02dd-50c9-a003-a8474fb84777 type: regular task: - id: id-ir-set-restore-method-0006 + id: e1c9a288-02dd-50c9-a003-a8474fb84777 version: -1 name: Set Restore Method scriptName: SetAndHandleEmpty @@ -311,10 +311,10 @@ tasks: isautoswitchedtoquietmode: false '7': id: '7' - taskid: id-ir-set-story-0007 + taskid: 4c55b721-438a-59ec-8f4c-923dd8493647 type: regular task: - id: id-ir-set-story-0007 + id: 4c55b721-438a-59ec-8f4c-923dd8493647 version: -1 name: Set Recovery Story scriptName: SetAndHandleEmpty @@ -367,10 +367,10 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: id-ir-no-recovery-0010 + taskid: 48642fd6-397d-5841-86a9-71ec0ebd2930 type: regular task: - id: id-ir-no-recovery-0010 + id: 48642fd6-397d-5841-86a9-71ec0ebd2930 version: -1 name: Set Recovery Not Attempted scriptName: SetAndHandleEmpty 
@@ -402,10 +402,10 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: id-ir-no-recovery-story-0011 + taskid: 6c10f89f-3e71-5310-86c7-7314b4d28e1c type: regular task: - id: id-ir-no-recovery-story-0011 + id: 6c10f89f-3e71-5310-86c7-7314b4d28e1c version: -1 name: Set No Recovery Story scriptName: SetAndHandleEmpty @@ -447,10 +447,10 @@ tasks: isautoswitchedtoquietmode: false '99': id: '99' - taskid: id-ir-done-0099 + taskid: a4a8a958-69c5-5907-b6db-fafba8f327ee type: title task: - id: id-ir-done-0099 + id: a4a8a958-69c5-5907-b6db-fafba8f327ee version: -1 name: Done type: title @@ -502,4 +502,4 @@ outputs: view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1500,\n \"width\":\ \ 1100,\n \"x\": 0,\n \"y\": 50\n }\n }\n}" sourceplaybookid: SOC Data Recovery_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml index 3e341ac6..1e2e966d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Initialize_Investigation_Context_V3.yml @@ -2,18 +2,18 @@ fromversion: 5.0.0 adopted: true contentitemexportablefields: contentitemfields: - definitionid: "" + definitionid: '' fromServerVersion: 5.0.0 isoverridable: false itemVersion: 3.0.30 packID: soc-framework-nist-ir packName: SOC Framework Unified - prevname: "" + prevname: '' supportedModules: [] - toServerVersion: "" + toServerVersion: '' description: Clean up the data context and prepare to perform the investigation. -dirtyInputs: true -id: 'SOC Initialize Investigation Context_V3' +dirtyInputs: false +id: SOC Initialize Investigation Context_V3 inputSections: - description: Generic group for inputs inputs: 
@@ -24,13 +24,13 @@ inputSections: - case_user_count name: General (Inputs group) inputs: -- description: "" +- description: '' key: reset_issue_keys playbookInputQuery: null required: false value: simple: Investigation, Analysis -- description: "" +- description: '' key: case_host_count playbookInputQuery: null required: false @@ -48,7 +48,7 @@ inputs: required: false value: simple: ${parentIncidentFields.alert_count} -- description: "" +- description: '' key: case_user_count playbookInputQuery: null required: false @@ -75,47 +75,41 @@ outputs: - contextPath: Analysis.Endpoint.issue_count type: unknown sourceplaybookid: SOC Data Analysis_V3 -starttaskid: "0" +starttaskid: '0' tags: - SOC - SOC_Framework_Unified - Detection & Analysis - EndPoint tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "59" + - '59' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false istaskmissingcomponenterrordismissed: false - name: "" + name: '' playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 50, - "y": 50 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -124,7 +118,7 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false istaskmissingcomponenterrordismissed: false 
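Review bot: The three playbook inputs re-quoted in this hunk (`reset_issue_keys`, `case_host_count`, `case_user_count`) still carry `description: ''`, so a reader cannot tell that `reset_issue_keys` is passed straight into DeleteContext's `key` argument in task 60 later in this file, and that its default value clears the `Investigation` and `Analysis` context trees before the investigation begins. Suggest `- description: Comma-separated context keys that DeleteContext clears before the investigation starts (default clears Investigation and Analysis).` for the first input, and a one-line description of what each count feeds for the other two. The default `Investigation, Analysis` implies DeleteContext splits the key on commas; if the installed DeleteContext does not, the literal key would match nothing and the reset would silently do nothing, which is worth confirming since the rest of the pack relies on a clean context.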
@@ -135,28 +129,22 @@ tasks: taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 50, - "y": 1315 - } - } - "59": - continueonerrortype: "" - id: "59" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1315\n }\n}" + '59': + continueonerrortype: '' + id: '59' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "60" + - '60' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' description: Clean Out Keys for the Investigation and Analysis id: f3b5ab33-1507-4366-8af0-148333ec3b05 iscommand: false 
@@ -168,39 +156,32 @@ tasks: taskid: f3b5ab33-1507-4366-8af0-148333ec3b05 timertriggers: [] type: title - view: |- - { - "position": { - "x": 50, - "y": 220 - } - } - "60": - continueonerrortype: "" - id: "60" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 220\n }\n}" + '60': + continueonerrortype: '' + id: '60' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "61" + - '61' note: false quietmode: 0 scriptarguments: all: - simple: "no" + simple: 'no' key: simple: ${inputs.reset_issue_keys} separatecontext: false skipunavailable: false task: - brand: "" - description: "Delete field from context.\n\nThis automation runs using the default - Limited User role, unless you explicitly change the permissions.\nFor more - information, see the section about permissions here:\n- For Cortex XSOAR 6 - see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Delete field from context.\n\nThis automation runs using the default Limited User role, unless you explicitly\ + \ change the permissions.\nFor more information, see the section about permissions here:\n- For Cortex XSOAR 6 see\ + \ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For\ + \ Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 4e81fc47-8bc9-4471-8aa6-15072395b46c iscommand: false 
istaskmissingcomponenterrordismissed: false @@ -212,22 +193,16 @@ tasks: taskid: 4e81fc47-8bc9-4471-8aa6-15072395b46c timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 390 - } - } - "61": - continueonerrortype: "" - id: "61" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 390\n }\n}" + '61': + continueonerrortype: '' + id: '61' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "62" + - '62' note: false quietmode: 0 scriptarguments: 
@@ -241,19 +216,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: afa3e542-5d82-43d5-b60e-8996db4e3613 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -265,22 +238,16 @@ tasks: taskid: afa3e542-5d82-43d5-b60e-8996db4e3613 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 575 - } - } - "62": - continueonerrortype: "" - id: "62" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 575\n }\n}" + '62': + continueonerrortype: '' + id: '62' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "63" + - '63' note: false quietmode: 0 scriptarguments: 
@@ -294,19 +261,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 0087c50d-d9d3-4e6d-ae85-bde48c122d1f iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -318,22 +283,16 @@ tasks: taskid: 0087c50d-d9d3-4e6d-ae85-bde48c122d1f timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 760 - } - } - "63": - continueonerrortype: "" - id: "63" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 760\n }\n}" + '63': + continueonerrortype: '' + id: '63' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "64" + - '64' note: false quietmode: 0 scriptarguments: 
@@ -347,19 +306,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 8e226db5-e54d-4292-8a0e-dd8492ddeaa0 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -371,22 +328,16 @@ tasks: taskid: 8e226db5-e54d-4292-8a0e-dd8492ddeaa0 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 945 - } - } - "64": - continueonerrortype: "" - id: "64" + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 945\n }\n}" + '64': + continueonerrortype: '' + id: '64' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 scriptarguments: 
@@ -400,19 +351,17 @@ tasks: applyIfEmpty: {} defaultValue: value: - simple: "0" + simple: '0' operator: SetIfEmpty separatecontext: false skipunavailable: false task: - brand: "" - description: "Set a value in context under the key you entered. If no value - is entered, the script doesn't do anything.\n\nThis automation runs using - the default Limited User role, unless you explicitly change the permissions.\nFor - more information, see the section about permissions here:\n- For Cortex XSOAR - 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + brand: '' + description: "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.\n\ + \nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more\ + \ information, see the section about permissions here:\n- For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" id: 8c637a4c-cf08-472f-bc51-f5a6a2f8d854 iscommand: false istaskmissingcomponenterrordismissed: false 
@@ -424,23 +373,7 @@ tasks: taskid: 8c637a4c-cf08-472f-bc51-f5a6a2f8d854 timertriggers: [] type: regular - view: |- - { - "position": { - "x": 50, - "y": 1130 - } - } + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1130\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 1325, - "width": 380, - "x": 50, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1325,\n \"width\":\ + \ 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml index 196c5f61..521fb22c 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_NIST_IR_(800-61)_V3.yml 
@@ -10,16 +10,19 @@ contentitemexportablefields: prevname: '' supportedModules: [] toServerVersion: '' -description: 'This playbook implements the NIST SP 800-61 Alert Response lifecycle in a structured, repeatable way. It serves as the top-level controller, orchestrating all downstream playbooks and automations that align to the four NIST phases: +description: 'This playbook implements the NIST SP 800-61 Alert Response lifecycle in a structured, repeatable way. It serves + as the top-level controller, orchestrating all downstream playbooks and automations that align to the four NIST phases: Preparation – Normalize and stage context (entities, products, alert categories) to ensure consistent execution. - Detection & Analysis – Trigger enrichment and investigation playbooks (endpoint, network, identity, email, cloud) based on normalized entities and mapped MITRE ATT&CK tactics. + Detection & Analysis – Trigger enrichment and investigation playbooks (endpoint, network, identity, email, cloud) based + on normalized entities and mapped MITRE ATT&CK tactics. - Containment, Eradication, Recovery – Call the appropriate static or product-specific playbooks to contain threats, remove malicious artifacts, and restore systems. + Containment, Eradication, Recovery – Call the appropriate static or product-specific playbooks to contain threats, remove + malicious artifacts, and restore systems. Post-Alert Activity – Document lessons learned, update playbook routing matrices, and feed back into SOC optimization. 
@@ -34,25 +37,26 @@ description: 'This playbook implements the NIST SP 800-61 Alert Response lifecyc Normalization (Upon Trigger of the EntryPoint) ensures entities (hosts, users, IPs, processes, etc.) are handled consistently. - This top-level playbook is the backbone of the SOC Framework: it receives the alert trigger, applies the NIST 800-61 model, and routes execution to the appropriate detection, containment, and response sub-playbooks for standardized alert handling' -dirtyInputs: true + This top-level playbook is the backbone of the SOC Framework: it receives the alert trigger, applies the NIST 800-61 model, + and routes execution to the appropriate detection, containment, and response sub-playbooks for standardized alert handling' +dirtyInputs: false id: SOC NIST IR (800-61)_V3 inputSections: - - description: Generic group for inputs - inputs: [] - name: General (Inputs group) V3 +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) V3 inputs: [] name: SOC NIST IR (800-61)_V3 outputSections: - - description: Generic group for outputs - name: General (Outputs group) - outputs: [] +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] outputs: [] sourceplaybookid: auto-soc_nist_ir_static-5665921e-797f-469f-a938-801fc03ce4b1 starttaskid: '0' tags: - - SOC_Framework_Unified - - SOC +- SOC_Framework_Unified +- SOC tasks: '0': continueonerrortype: '' @@ -62,7 +66,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '1' + - '1' note: false quietmode: 0 separatecontext: false @@ -86,7 +90,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '3' + - '3' note: false quietmode: 0 separatecontext: false @@ -111,7 +115,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '14' + - '14' note: false quietmode: 0 separatecontext: false @@ -136,7 +140,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '13' + - '13' note: false quietmode: 0 separatecontext: false 
@@ -161,7 +165,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '15' + - '15' note: false quietmode: 0 separatecontext: false @@ -186,7 +190,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '16' + - '16' note: false quietmode: 0 separatecontext: false @@ -233,14 +237,15 @@ tasks: isoversize: false nexttasks: '#none#': - - '7' + - '7' note: false quietmode: 0 separatecontext: true skipunavailable: false task: brand: '' - description: This playbook acts as a container for Containment playbooks acting on Product Category (i.e. EndPoint, Data, Network, Cloud SaaS, Cloud Workload, Identity). + description: This playbook acts as a container for Containment playbooks acting on Product Category (i.e. EndPoint, + Data, Network, Cloud SaaS, Cloud Workload, Identity). id: a496d4a7-564f-43e4-8c6d-b92eeaa462a3 iscommand: false name: SOC Containment_V3 @@ -260,7 +265,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '5' + - '5' note: false quietmode: 0 separatecontext: true @@ -286,7 +291,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '9' + - '9' note: false quietmode: 0 separatecontext: true @@ -312,7 +317,7 @@ tasks: isoversize: false nexttasks: '#none#': - - '11' + - '11' note: false quietmode: 0 separatecontext: true @@ -331,5 +336,6 @@ tasks: type: playbook view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 1610\n }\n}" version: -1 -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1900,\n \"width\": 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 1900,\n \"width\":\ + \ 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml index 4543268d..f1e66ed9 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml 
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Analysis_V3.yml @@ -1,28 +1,35 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC Network Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC Network Analysis_V3 inputs: [] name: SOC Network Analysis_V3 outputs: [] -sourceplaybookid: 'SOC Data Analysis_V3' -starttaskid: "0" +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -30,39 +37,33 @@ tags: - NIST 800-61 - Network tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
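Review bot: The re-quoted `description` of SOC_Network_Analysis_V3 still promises investigation, true/false-positive validation, triage and classification, while the task graph visible here runs the start task `0` straight to the `Done` title task `2`, with only `Foundation - Error Handling_V3` (task `1`) beside it, so the playbook performs none of what its description says. The identical template text is reused unchanged in SOC_SaaS_Analysis_V3 and SOC_Workload_Analysis_V3 in this commit, so the same applies there. An operator of the NIST controller will read these descriptions and assume the network, SaaS and workload analysis phases are covered when they are placeholders; suggest opening each with a line such as `description: 'Placeholder: network analysis is not implemented yet; this playbook completes immediately. ...'` (adjusted per category), or adding a `tags:` entry that marks them as stubs. Whether task `1` is reachable cannot be told from this hunk, since its `nexttasks` block, if it has one, falls outside it.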
@@ -71,27 +72,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -100,34 +95,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml index c462b22c..e282bcfa 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Containment_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false 
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml index 668f3aaa..22d61ae1 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml index 0334ffdc..556a6af3 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Network_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml index bae2bd60..dec0f421 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Recovery_V3.yml @@ -1170,4 +1170,4 @@ outputs: - contextPath: Recovery.restore_method type: unknown sourceplaybookid: SOC Containment_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml index 55cf9c98..f9505d00 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Analysis_V3.yml 
@@ -1,28 +1,35 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC SaaS Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC SaaS Analysis_V3 inputs: [] name: SOC SaaS Analysis_V3 outputs: [] -sourceplaybookid: 'SOC Data Analysis_V3' -starttaskid: "0" +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -30,39 +37,33 @@ tags: - NIST 800-61 - Cloud SaaS tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -71,27 +72,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -100,34 +95,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml index a9c9f7cc..4a58213d 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Containment_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false 
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml index 3837352c..780228ed 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Eradication_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml index e7c7d6f5..c446178e 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_SaaS_Recovery_V3.yml @@ -109,5 +109,5 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml index 9a7da458..4a7726ac 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Analysis_V3.yml 
@@ -1,28 +1,35 @@ adopted: true -description: |- - This is the analyst’s core domain. +description: 'This is the analyst’s core domain. + Key tasks: + Investigate alerts and anomalies. + Validate true/false positives. + Perform triage, correlation, and root cause analysis. + Classify the incident (category, severity, impact). + Document findings and escalate confirmed incidents. + Outcome: Determine whether an event is a legitimate incident and assess its scope. - This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics. -id: 'SOC Workload Analysis_V3' + + This phase measures alert fidelity, investigation efficiency, and time to validate — all analyst performance metrics.' +id: SOC Workload Analysis_V3 inputs: [] name: SOC Workload Analysis_V3 outputs: [] -sourceplaybookid: 'SOC Data Analysis_V3' -starttaskid: "0" +sourceplaybookid: SOC Data Analysis_V3 +starttaskid: '0' tags: - SOC - SOC_Framework_Unified @@ -30,39 +37,33 @@ tags: - NIST 800-61 - Cloud Workload tasks: - "0": - continueonerrortype: "" - id: "0" + '0': + continueonerrortype: '' + id: '0' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false nexttasks: '#none#': - - "2" + - '2' note: false quietmode: 0 separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 7e6a701e-667b-4a70-8a74-14564da75fc7 iscommand: false - name: "" - playbooktaskmissingcomponent: + name: '' + playbooktaskmissingcomponent: null version: -1 taskid: 7e6a701e-667b-4a70-8a74-14564da75fc7 timertriggers: [] type: start - view: |- - { - "position": { - "x": 450, - "y": 50 - } - } - "1": - continueonerrortype: "" - id: "1" + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false 
@@ -71,27 +72,21 @@ tasks: separatecontext: true skipunavailable: false task: - brand: "" + brand: '' id: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa iscommand: false name: Foundation - Error Handling_V3 playbookId: Foundation - Error Handling_V3 - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: playbook version: -1 taskid: 7fad044e-60c9-4baa-8bb6-316d5aea8cfa timertriggers: [] type: playbook - view: |- - { - "position": { - "x": 740, - "y": 290 - } - } - "2": - continueonerrortype: "" - id: "2" + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 290\n }\n}" + '2': + continueonerrortype: '' + id: '2' ignoreworker: false isautoswitchedtoquietmode: false isoversize: false @@ -100,34 +95,18 @@ tasks: separatecontext: false skipunavailable: false task: - brand: "" + brand: '' id: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 iscommand: false name: Done - playbooktaskmissingcomponent: + playbooktaskmissingcomponent: null type: title version: -1 taskid: 6944e944-2ade-4f6d-b6e0-0f6b8e2c3253 timertriggers: [] type: title - view: |- - { - "position": { - "x": 430, - "y": 470 - } - } + view: "{\n \"position\": {\n \"x\": 430,\n \"y\": 470\n }\n}" version: -1 -view: |- - { - "linkLabelsPosition": {}, - "paper": { - "dimensions": { - "height": 480, - "width": 690, - "x": 430, - "y": 50 - } - } - } +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 480,\n \"width\": 690,\n\ + \ \"x\": 430,\n \"y\": 50\n }\n }\n}" fromversion: 5.0.0 diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml index ff2443f6..f651a13b 100644 --- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml +++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Containment_V3.yml @@ -113,4 +113,4 @@ outputSections: description: Generic group for outputs outputs: [] sourceplaybookid: SOC Data Analysis_V3 -dirtyInputs: true +dirtyInputs: false 
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml
index 185e0712..7277d49e 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Eradication_V3.yml
@@ -113,4 +113,4 @@ outputSections:
 description: Generic group for outputs
 outputs: []
 sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml
index 7296b8c8..859f9ec4 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Workload_Recovery_V3.yml
@@ -109,5 +109,5 @@ outputSections:
 description: Generic group for outputs
 outputs: []
 sourceplaybookid: SOC Data Analysis_V3
-dirtyInputs: true
+dirtyInputs: false
 fromversion: 5.0.0
diff --git a/Packs/soc-framework-nist-ir/pack_metadata.json b/Packs/soc-framework-nist-ir/pack_metadata.json
index 6f65dd18..3bf88e6b 100644
--- a/Packs/soc-framework-nist-ir/pack_metadata.json
+++ b/Packs/soc-framework-nist-ir/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-framework-nist-ir",
 "description": "SOC Framework \u2013 Incident Response (NIST)\n\nDescription\n\nThe SOC Framework \u2013 Incident Response (NIST) pack provides a standardized set of incident response workflows aligned with the lifecycle defined in NIST SP 800-61. It implements the operational stages of incident response within the SOC Framework, enabling consistent investigation, containment, eradication, recovery, and communication processes across security incidents.\n\nRather than building separate playbooks for each threat scenario, this pack organizes response logic around the incident response lifecycle. Scenarios such as phishing, endpoint compromise, identity abuse, and other security events enter the workflow and progress through the same structured response phases. This approach promotes consistent analyst workflows, reduces duplicated automation logic, and ensures that containment and recovery actions follow a predictable process.\n\nThe playbooks in this pack are designed to operate on standardized artifacts and actions provided by the SOC Framework Core pack. Vendor-specific commands are abstracted through framework actions, allowing the same incident response logic to operate across different security products and environments.",
 "support": "xsoar",
- "currentVersion": "1.1.0",
+ "currentVersion": "1.2.0",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-framework-nist-ir/xsoar_config.json b/Packs/soc-framework-nist-ir/xsoar_config.json
index f28f9bf7..d8b249f6 100644
--- a/Packs/soc-framework-nist-ir/xsoar_config.json
+++ b/Packs/soc-framework-nist-ir/xsoar_config.json
@@ -1,8 +1,8 @@ { "custom_packs": [ { - "id": "soc-framework-nist-ir-v1.1.0.zip", - "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.1.0/soc-framework-nist-ir-v1.1.0.zip", + "id": "soc-framework-nist-ir-v1.2.0.zip", + "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-nist-ir-v1.2.0/soc-framework-nist-ir-v1.2.0.zip", "system": "yes" } ], diff --git a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py index bb4e3152..36705e58 100644 --- a/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py +++ b/Packs/soc-optimization-unified/Scripts/SOCCommandWrapper/SOCCommandWrapper.py @@ -647,6 +647,15 @@ def main(): failed, error_msg = integration_failed(result) if failed: + # Check for error 23 — integration not installed or not enabled in this tenant. + # Soft-fail so the playbook can continue in degraded mode rather than halting + # the entire lifecycle. Shadow mode never reaches this path (vendor command is + # suppressed), so this check is execute-only by construction. + integration_unavailable = ( + "Unsupported Command" in (error_msg or "") + or "(23)" in (error_msg or "") + ) + record = { "run_id": run_id, "action": action, @@ -672,12 +681,12 @@ def main(): "action": action, "vendor": vendor, "command": command, - "action_status": "failed", + "action_status": "integration_unavailable" if integration_unavailable else "failed", "action_actor": normalize_action_actor(args.get("Action_Actor"), False), "execution_mode": "production", "shadow_mode_state": "not_applicable", "has_error": True, - "error_type": "command_execution", + "error_type": "integration_unavailable" if integration_unavailable else "command_execution", "error_message": error_msg } 
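Review bot: The soft-fail classification on the `integration_unavailable = (...)` lines matches the bare substring `"(23)"` anywhere in `error_msg`, so any vendor error text that happens to contain that sequence (a count, an address fragment, an upstream status echoed back) is reclassified from a genuine command failure into "integration unavailable", and per the third hunk the wrapper then returns instead of calling `return_error`. For a response action such as isolation or session revocation that is a fail-open path: the action did not run, yet the playbook proceeds as if only the integration were missing. Anchor the match to where the platform actually places the code, after confirming the format on a real tenant, e.g. `msg = error_msg or ""` followed by `integration_unavailable = "Unsupported Command" in msg or msg.rstrip().endswith("(23)")`, and keep the raw `error_msg` next to the classification so the two cases remain distinguishable in the dataset. `main()` begins and ends outside this hunk.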
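Review bot: The inline conditionals on the `"action_status"` and `"error_type"` entries encode the same decision twice inside the `record` literal, which is easy to desynchronise when a further outcome is added; bind them once above the literal, e.g. `status, err_type = ("integration_unavailable", "integration_unavailable") if integration_unavailable else ("failed", "command_execution")`, and reference `status` / `err_type` in the dict. Leaving `"has_error": True` for the unavailable case is correct for the dataset, since the vendor command did not execute. `main()` begins and ends outside this hunk.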
@@ -690,6 +699,29 @@ def main(): tags ) + if integration_unavailable: + # Null out UC.* output keys so downstream conditions evaluate cleanly + # (missing key → default/blocked path) rather than raising errors + output_map = vendor_data.get("output_map", {}) + for dest_key in (output_map or {}).keys(): + demisto.setContext(dest_key, None) + + return_warning( + f"[SOCCommandWrapper] Integration not available for action '{action}'. " + f"Command: {command}. " + f"Install and configure the required integration to enable this action." + ) + return_results(CommandResults( + readable_output=( + f"⚠️ Integration unavailable: `{command}`\n\n" + f"Action `{action}` requires an integration that is not installed or enabled. " + f"Playbook continues in degraded mode." + ), + outputs_prefix="UC", + outputs={"action": action, "status": "integration_unavailable", "command": command} + )) + return + return_error(error_msg) record = { diff --git a/pack_catalog.json b/pack_catalog.json index b5dbbadd..7765410d 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -76,7 +76,7 @@ "id": "soc-framework-nist-ir", "display_name": "SOC Framework NIST IR (800-61)", "category": "Utility", - "version": "1.1.0", + "version": "1.2.0", "path": "Packs/soc-framework-nist-ir", "visible": false, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-nist-ir/xsoar_config.json" diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOCFramework_AIVerdictSummary.py b/tools/SOCFramework_AIVerdictSummary.py similarity index 100% rename from Packs/soc-framework-nist-ir/Playbooks/SOCFramework_AIVerdictSummary.py rename to tools/SOCFramework_AIVerdictSummary.py 
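Review bot: The degraded-mode branch clears the vendor outputs with `demisto.setContext(dest_key, None)` and the comment expects downstream conditions to see a missing key, but writing `None` may leave the key present with a null value rather than absent — worth confirming on the platform, because an existence-style condition would then still route to the success branch after an action that never ran. The war-room warning also omits the vendor's original `error_msg`, so an analyst cannot tell a missing integration from a disabled instance or a wrong brand without querying the dataset; append it to the `return_warning` text, e.g. `f"Vendor error: {error_msg}"`. `for dest_key in (output_map or {}).keys():` can be `for dest_key in (output_map or {}):`. Because this path emits success-shaped results for a response action that did not execute, the calling playbooks should gate on `UC.status == "integration_unavailable"` rather than on the mere presence of `UC.*` keys. `main()` begins and ends outside this hunk.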
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOCFramework_IdentityScoreAnalysis.py b/tools/SOCFramework_IdentityScoreAnalysis.py similarity index 100% rename from Packs/soc-framework-nist-ir/Playbooks/SOCFramework_IdentityScoreAnalysis.py rename to tools/SOCFramework_IdentityScoreAnalysis.py From dbc297d2fd0fed2a4437132bb63d1e18700c9165 Mon Sep 17 00:00:00 2001 From: scottbrumley Date: Fri, 20 Mar 2026 07:55:37 -0400 Subject: [PATCH 2/3] - testing fixtures, playbook simulator - Version / Catalog Bump --- .../pack_metadata.json | 2 +- .../xsoar_config.json | 4 +- TOOLING_test_playbooks.md | 207 +++++ pack_catalog.json | 2 +- tools/README.md | 171 +++++ tools/fixtures/email_e2e.json | 536 +++++++++++++ tools/fixtures/email_unit.json | 711 ++++++++++++++++++ tools/fixtures/endpoint_unit.json | 449 +++++++++++ tools/fixtures/identity_unit.json | 456 +++++++++++ tools/playbook_simulator.py | 465 ++++++++++++ tools/test_playbooks.py | 334 ++++++++ 11 files changed, 3333 insertions(+), 4 deletions(-) create mode 100644 TOOLING_test_playbooks.md create mode 100644 tools/README.md create mode 100644 tools/fixtures/email_e2e.json create mode 100644 tools/fixtures/email_unit.json create mode 100644 tools/fixtures/endpoint_unit.json create mode 100644 tools/fixtures/identity_unit.json create mode 100644 tools/playbook_simulator.py create mode 100644 tools/test_playbooks.py diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index d717897c..dccc0cc4 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json 
@@ -3,7 +3,7 @@
 "id": "soc-optimization-unified",
 "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.",
 "support": "community",
- "currentVersion": "3.4.0",
+ "currentVersion": "3.4.1",
 "author": "Palo Alto Networks",
 "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
 "email": "",
diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json
index 5f2f73bc..8af1df00 100644
--- a/Packs/soc-optimization-unified/xsoar_config.json
+++ b/Packs/soc-optimization-unified/xsoar_config.json
@@ -7,8 +7,8 @@
 ],
 "custom_packs": [
 {
- "id": "soc-optimization-unified-v3.4.0.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.4.0/soc-optimization-unified-v3.4.0.zip",
+ "id": "soc-optimization-unified-v3.4.1.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.4.1/soc-optimization-unified-v3.4.1.zip",
 "system": "yes"
 },
 {
diff --git a/TOOLING_test_playbooks.md b/TOOLING_test_playbooks.md
new file mode 100644
index 00000000..c0e7d6c8
--- /dev/null
+++ b/TOOLING_test_playbooks.md
@@ -0,0 +1,207 @@ +# Tool: test_playbooks.py + playbook_simulator.py + +**Location:** `tools/test_playbooks.py` · `tools/playbook_simulator.py` +**Fixtures:** `tools/fixtures/` +**Added:** 2026-03-20 + +--- + +## Purpose + +Static execution engine and test runner for SOC Framework NIST IR playbooks. +Parses playbook YAML, walks the task graph against injected context, evaluates +conditions, simulates known script behavior, and asserts on output context keys +and execution paths — without needing a live XSIAM tenant. + +Sits in the pre-upload pipeline **after `fix_errors.py`** and **before upload**. + +--- + +## Pipeline Position + +``` +pack_prep.py → fix_errors.py → test_playbooks.py → upload_package.sh +``` + +Recommended invocation before upload: + +```bash +python3 tools/test_playbooks.py --category all --suite all +``` + +Exit code `0` = all pass. Exit code `1` = failures. CI-safe. + +--- + +## Quick Start + +```bash +# All tests across all categories +python3 tools/test_playbooks.py --category all --suite all + +# Email only — unit + e2e +python3 tools/test_playbooks.py --category email --suite all --verbose + +# Single playbook +python3 tools/test_playbooks.py --playbook SOC_Email_Verdict_Resolution_V3 + +# Non-default playbook directory +python3 tools/test_playbooks.py \ + --pb-dir Packs/soc-framework-nist-ir/Playbooks \ + --fixtures tools/fixtures \ + --category all --suite all +``` + +--- + +## Test Coverage (69 tests) + +| Category | Suite | Count | Scenarios | +|---|---|---|---| +| Email | unit | 25 | Signal Char · Exposure · IOC Enrichment · Forensics · Verdict · Containment · Eradication · Recovery | +| Email | e2e | 16 | Turla Carbon chain · File Malware · False Positive · Broad Campaign / HVU | +| Endpoint | unit | 16 | Signal Char · Verdict · Compromise Evaluation · Containment · Eradication · Recovery · Spread | +| Identity | unit | 12 | Analysis (4 tactics) · Containment · Eradication (3 paths) · Recovery (3 paths) | + +--- + +## Playbook Bugs 
Found During Test Build + +These real bugs were surfaced by the harness and fixed in the playbook files: + +### `SOC_Email_Verdict_Resolution_V3` + +**Task 9 — DBot Confirms Malicious?** +Condition body had both checks in a single inner OR group: +``` +(source_verdict == "malicious") OR (verdict == "benign") +``` +Fires on ANY malicious source verdict regardless of current verdict — overwriting +every malicious path with suspicious/medium. Fixed: split into two AND groups so +it only fires when `source_verdict=malicious AND verdict=benign` (the intended +upgrade path from a benign classification). + +**Task 14 — Recommend Action?** +All four action labels (`escalate_IR`, `search_and_purge`, `retract_message`, +`quarantine`) had their conditions as single OR groups. `escalate_IR` fired on +`verdict==malicious OR HVU==True` — meaning every malicious verdict escalated to +IR regardless of HVU status. Fixed: each label now uses separate AND groups so +conditions are properly combined: +- `escalate_IR`: `verdict=malicious AND HVU=true` +- `search_and_purge`: `verdict=malicious AND clicks>0` +- `retract_message`: `verdict=malicious AND delivered>0 AND clicks==0` +- `quarantine`: `verdict=malicious AND delivered==0` + +### `SOC_Identity_Containment_V3` + +**Tasks 157 and 159 — Disable Account? / Clear User Sessions?** +Both condition blocks have `conditions: null` (empty). Nexttasks are wired: +`Yes → soc-disable-user` / `Yes → soc-clear-sessions`, but the conditions that +would evaluate `inputs.UserContainment` and `inputs.ClearUserSessions` were never +authored. The tasks always route to `#default#` (No → Done), meaning the +Universal Commands are **never executed automatically**. 
+ +**Fix needed:** Add condition bodies: +- t157: `isEqualString inputs.UserContainment "true"` +- t159: `isEqualString inputs.ClearUserSessions "true"` + +--- + +## Simulator Capabilities + +**Scripts mocked:** +`SetAndHandleEmpty`, `SetField`, `SetMultipleValues` (with `parent` namespace), +`AddDBotScoreToContext`, `GetIndicatorDBotScoreFromCache` + +**Condition operators:** +`isEqualString`, `isNotEqualString`, `isEqualNumber`, `isNotEmpty`, `isEmpty`, +`isExists`, `isTrue`, `isFalse`, `containsGeneral`, `containsString`, `contains`, +`in`, `notIn`, `match` (regex), `greaterThan`, `greaterThanOrEqual`, `lessThan`, +`lessThanOrEqual` + +**Transformers:** +`join`, `count`, `uniq`, `substringFrom`, `toLowerCase`, `toUpperCase`, +`MapRangeValues`, `if-then-else` (lte/gte), `getField` + +**Routing:** +- Outer condition list = AND (all groups must pass) +- Inner condition list = OR (any condition in group passes the group) +- YAML boolean labels (`true`/`false`) mapped to string nexttask keys +- Playbook input pre-population from input definitions +- Sub-playbook recursion or mock injection via `sub_mocks` +- Universal Command (SOCCommandWrapper) mock injection via `uc_mocks` +- Complex value spec with flat-key fallback for dotted accessor paths + +**What it cannot simulate:** +- Live integration API calls +- XSIAM-native runtime context (case scoring, asset enrichment populated by platform) +- Scripts not in the mock library (warns and skips, does not fail) +- The dedup playbook or Foundation layer (test those separately) + +--- + +## Writing Fixtures + +Fixtures are JSON arrays in `tools/fixtures/`. Filename pattern: `{category}_{suite}.json`. +Auto-discovered by the runner — no registration required. 
+ +```json +{ + "name": "Human-readable test name", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "unit", + "tags": ["happy_path"], + + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "url", + "alert.senderip": "198.51.100.45" + }, + + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": ["click1"] + } + }, + + "sub_mocks": { + "SOC Analysis Evaluation_V3": { + "Analysis.verdict": "malicious" + } + }, + + "assertions": [ + { "type": "context_key_equals", "target": "Analysis.Email.signal_type", "expected": "url_phish" }, + { "type": "context_key_exists", "target": "Analysis.Email.source_verdict" }, + { "type": "context_key_absent", "target": "SomeKey.That.Should.Not.Exist" }, + { "type": "branch_taken", "target": "2", "expected": "URL" }, + { "type": "task_executed", "target": "3" }, + { "type": "task_not_executed", "target": "7" } + ] +} +``` + +### Key input patterns + +| What you want | How to inject | +|---|---| +| Playbook input `inputs.ThreatType` | `"inputs.ThreatType": "url"` | +| Context key with `${...}` reference | Use the resolved key directly: `"Analysis.Email.source_verdict": "malicious"` | +| Alert field `alert.senderip` | `"alert.senderip": "198.51.100.45"` | +| Nested alert dict (accessor pattern) | `"alert": {"proofpointtapcampaignid": "abc123"}` | +| Flat dotted accessor fallback | Both `"alert.field": "val"` and `"alert": {"field": "val"}` work | +| XSIAM list | `"lists.SOCFWHighValueUsers": "ceo@corp.com,cfo@corp.com"` | +| Eradication.attempted (bool gate) | `"Eradication.attempted": "true"` (string, not Python bool) | + +--- + +## Backlog (BL-005) + +- [ ] Fix `SOC_Identity_Containment_V3` tasks 157/159 empty condition bodies +- [ ] Add Network/DNS category fixtures once playbooks are built +- [ ] Add SaaS category fixtures +- [ ] E2E Identity scenario (Okta credential stuffing chain) +- [ ] E2E Endpoint scenario (CrowdStrike → lateral movement chain) +- [ ] 
Foundation / Dedup unit tests (separate fixture file) +- [ ] `--tag` filter flag (run only `happy_path` or `playbook_bug` tagged tests) +- [ ] JUnit XML output flag for CI pipeline integration diff --git a/pack_catalog.json b/pack_catalog.json index 7765410d..329604dc 100644 --- a/pack_catalog.json +++ b/pack_catalog.json @@ -94,7 +94,7 @@ "id": "soc-optimization-unified", "display_name": "SOC Framework Unified", "category": "Use Case", - "version": "3.4.0", + "version": "3.4.1", "path": "Packs/soc-optimization-unified", "visible": true, "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json" diff --git a/tools/README.md b/tools/README.md new file mode 100644 index 00000000..904f579f --- /dev/null +++ b/tools/README.md 
@@ -0,0 +1,171 @@ +# SOC Framework Playbook Test Harness + +Static execution engine and test runner for XSIAM SOC Framework playbooks. + +## What it does + +Parses playbook YAML, walks the task graph against a given input context, evaluates +conditions, simulates known script behavior, and asserts on output context keys and +execution paths — without needing a live XSIAM tenant. + +## Directory layout + +``` +tools/ + test_playbooks.py # CLI test runner — run this + playbook_simulator.py # Static execution engine (imported by runner) + fixtures/ + email_unit.json # Per-playbook unit tests for all Email playbooks + email_e2e.json # End-to-end scenarios: Turla Carbon, FP, broad campaign + endpoint_unit.json # Per-playbook unit tests for Endpoint playbooks + identity_unit.json # Per-playbook unit tests for Identity playbooks +``` + +## Quick start + +```bash +# From repo root — run all email tests +python3 tools/test_playbooks.py --category email --suite all + +# Run only e2e (includes Turla Carbon scenario chain) +python3 tools/test_playbooks.py --category email --suite e2e --verbose + +# Run a single playbook +python3 tools/test_playbooks.py --playbook SOC_Email_Signal_Characterization_V3 --verbose + +# Run everything +python3 tools/test_playbooks.py --category all --suite all + +# Point at a different playbook directory +python3 tools/test_playbooks.py --pb-dir /path/to/Playbooks --category email +``` + +## CLI options + +| Flag | Default | Description | +|---|---|---| +| `--category` | `all` | `email` / `endpoint` / `identity` / `all` | +| `--suite` | `all` | `unit` / `e2e` / `all` | +| `--playbook` | — | Run tests for a specific playbook name only | +| `--pb-dir` | `Packs/soc-framework-nist-ir/Playbooks` | Path to playbook YAML files | +| `--fixtures` | `tools/fixtures` | Path to fixtures directory | +| `--verbose` | off | Print warnings and output context for each test | + +Exit code: `0` = all pass, `1` = failures present. CI-safe. 
+ +## Writing test fixtures + +Fixtures are JSON arrays. Each test case: + +```json +{ + "name": "Human-readable test name", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "unit", + "tags": ["happy_path"], + + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "url", + "alert.senderip": "198.51.100.45" + }, + + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": ["click1"] + } + }, + + "sub_mocks": { + "SOC_Email_Exposure_Evaluation_V3": { + "Email.Exposure.level": "clicked" + } + }, + + "assertions": [ + { "type": "context_key_equals", "target": "Analysis.Email.signal_type", "expected": "url_phish" }, + { "type": "context_key_exists", "target": "Analysis.Email.source_verdict" }, + { "type": "context_key_absent", "target": "SomeKey.That.Should.Not.Exist" }, + { "type": "branch_taken", "target": "2", "expected": "URL" }, + { "type": "task_executed", "target": "3" }, + { "type": "task_not_executed", "target": "7" } + ] +} +``` + +### context_inputs + +Flat key/value dict. These are injected into the simulator context before +playbook execution starts. Use the same key names you'd see in XSIAM context +(e.g. `inputs.ThreatType`, `SOCFramework.Artifacts.Email.ThreatType`, +`alert.username`). + +### uc_mocks + +Maps Universal Command action names (from `SOCFrameworkActions_V3`) to the +context keys they should write. The simulator calls SOCCommandWrapper, looks up +the action, finds the mock, and writes those keys into context. + +```json +"uc_mocks": { + "soc-isolate-endpoint": { "Containment.isolated_hosts": ["host1"] }, + "soc-reset-password": { "Eradication.credentials_reset": true } +} +``` + +### sub_mocks + +Maps sub-playbook names to context writes. Use this to stub out a dependent +playbook without recursing into it. If a sub-playbook is called but has no +mock, the simulator will try to recurse into it (and look it up from `--pb-dir`). 
+ +### assertion types + +| Type | target | expected | Notes | +|---|---|---|---| +| `context_key_equals` | key path | value | Exact match after execution | +| `context_key_exists` | key path | — | Key is present (any value) | +| `context_key_absent` | key path | — | Key must not be set | +| `context_key_not_equals` | key path | value | Key exists but value differs | +| `branch_taken` | task id | label string | Which condition branch fired | +| `task_executed` | task id | — | Task appeared in execution trace | +| `task_not_executed` | task id | — | Task did NOT appear in trace | + +## What the simulator can and cannot do + +### Can simulate +- `SetAndHandleEmpty` / `SetField` → context key writes +- `AddDBotScoreToContext` → DBotScore context stub +- `GetIndicatorDBotScoreFromCache` → reads DBotScore stub +- All condition operators: `containsGeneral`, `isEqualString`, `isNotEmpty`, + `isFalse`, `inList`, `greaterThan`, `isExists` +- Transformers: `join`, `count`, `uniq`, `substringFrom`, `MapRangeValues`, + `if-then-else` (lte/gte) +- Sub-playbook recursion (or mock injection) +- Universal Command (SOCCommandWrapper) via uc_mocks + +### Cannot simulate +- Live integration commands (actual API calls to CrowdStrike, Okta, etc.) +- XSIAM-native context variables populated by the platform at runtime + (e.g. enriched asset data, case scoring) +- Scripts not in the mock library (warns and skips — does not fail) +- The dedup playbook or Foundation layer (test those separately) + +## Adding a new category (e.g. Network) + +1. Create `tools/fixtures/network_unit.json` with your test cases +2. Set `"category": "network"` in each test case +3. Run: `python3 tools/test_playbooks.py --category network` + +The runner auto-discovers fixture files by scanning the fixtures directory — +no registration needed. 
+ +## Known limitations / backlog + +- `if-then-else` transformer only supports `lte` and `gte` operators +- Complex filter expressions on `complex` value specs are simplified + (existence-check only) +- No parallel branch tracking — queue-based traversal visits one branch at a time +- No timer or timeout simulation +- `inList` against `${lists.*}` requires the list value to be injected as a + comma-separated string in context_inputs diff --git a/tools/fixtures/email_e2e.json b/tools/fixtures/email_e2e.json new file mode 100644 index 00000000..58324333 --- /dev/null +++ b/tools/fixtures/email_e2e.json 
@@ -0,0 +1,536 @@ +[ + { + "name": "E2E/Turla \u2014 Signal Char (URL phish)", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "url", + "SOCFramework.Artifacts.Email.ThreatURL": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "SOCFramework.Artifacts.Email.From": "noreply@sktlocal.it", + "alert.senderip": "198.51.100.45" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.signal_type", + "expected": "url_phish" + } + ] + }, + { + "name": "E2E/Turla \u2014 Exposure (click event, targeted scope)", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "alert.type": "clicks permitted", + "alert.username": "Gunter@SKT.LOCAL", + "lists.SOCFWHighValueUsers": "" + }, + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": [ + { + "GUID": "TAP-GUID-TURLA-CLICK-002", + "clickIP": "10.20.20.102" + } + ], + "UC.Email.Events.messages_delivered": [ + { + "GUID": "TAP-GUID-TURLA-DELIVERY-001", + "recipient": "Gunter@SKT.LOCAL" + } + ] + }, + "soc-get-email-forensics": { + "UC.Email.Forensics": { + "threatType": "url", + "display": "NTFVersion.exe redirect" + } + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.level", + "expected": "clicked" + }, + { + "type": "context_key_equals", + "target": "Email.Exposure.recipient_scope", + "expected": "targeted" + }, + { + "type": "context_key_equals", + "target": "Email.Exposure.click_count", + "expected": 1 + } + ] + }, + { + "name": "E2E/Turla \u2014 IOC Enrichment (URL path, domain tagged)", + "playbook": "SOC_Email_IOC_Enrichment_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", 
+ "turla_carbon" + ], + "context_inputs": { + "inputs.ThreatURL": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "SOCFramework.Artifacts.Email.ThreatType": "url", + "alert.senderip": "198.51.100.45" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.ioc_enriched", + "expected": true + } + ] + }, + { + "name": "E2E/Turla \u2014 Forensics (campaign+threat IDs present)", + "playbook": "SOC_Email_Forensics_Evaluation_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "alert": { + "proofpointtapcampaignid": "turla-carbon-spearphish-skt-2025", + "proofpointtapthreatid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0" + } + }, + "uc_mocks": { + "soc-get-email-forensics": { + "UC.Email.Forensics": { + "threatType": "url", + "display": "NTFVersion.exe malicious redirect" + } + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.forensics_available", + "expected": true + }, + { + "type": "context_key_exists", + "target": "SOCFramework.Email.TAP.CampaignID" + }, + { + "type": "context_key_exists", + "target": "SOCFramework.Email.TAP.ThreatID" + } + ] + }, + { + "name": "E2E/Turla \u2014 Verdict (active \u2192 malicious/high/search_and_purge)", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "inputs.ThreatStatus": "active", + "inputs.Classification": "phish", + "inputs.HighValueUserInvolved": "false", + "inputs.ClickCount": "1", + "inputs.DeliveredCount": "1", + "Analysis.Email.source_verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "malicious" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.confidence", + "expected": 
"high" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.response_recommended", + "expected": "search_and_purge" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.internal_lateral_risk", + "expected": false + } + ] + }, + { + "name": "E2E/Turla \u2014 Containment (search_and_purge in shadow mode)", + "playbook": "SOC_Email_Containment_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "inputs.Verdict": "malicious", + "inputs.Confidence": "high", + "inputs.ResponseRecommended": "search_and_purge", + "inputs.ExposureLevel": "clicked" + }, + "uc_mocks": { + "soc-email-search-and-purge": { + "Containment.action": "search_and_purge", + "Containment.story": "Shadow mode \u2014 search_and_purge logged" + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Containment.required", + "expected": true + }, + { + "type": "context_key_equals", + "target": "Containment.action", + "expected": "search_and_purge" + } + ] + }, + { + "name": "E2E/Turla \u2014 Eradication (message deleted)", + "playbook": "SOC_Email_Eradication_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "inputs.ContainmentRequired": "true", + "inputs.ResponseRecommended": "search_and_purge", + "inputs.PersistenceType": "none" + }, + "uc_mocks": { + "soc-email-delete-message": { + "Eradication.success": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": true + }, + { + "type": "context_key_equals", + "target": "Eradication.success", + "expected": true + } + ] + }, + { + "name": "E2E/Turla \u2014 Recovery (complete, monitoring on)", + "playbook": "SOC_Email_Recovery_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "turla_carbon" + ], + "context_inputs": { + "inputs.EradicationAttempted": 
"true", + "inputs.EradicationSuccess": "true", + "inputs.Verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.status", + "expected": "contained" + }, + { + "type": "context_key_equals", + "target": "Recovery.monitoring_required", + "expected": true + } + ] + }, + { + "name": "E2E/File Malware \u2014 Signal Char (attachment)", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "file_malware" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "attachment", + "SOCFramework.Artifacts.Email.ThreatURL": "http://cdn.evil.io/payload.exe", + "SOCFramework.Artifacts.Email.From": "billing@evil.io", + "alert.senderip": "203.0.113.42", + "alert.proofpointtapthreatinfomap": [ + { + "threat": "deadbeef1234deadbeef1234deadbeef1234deadbeef1234deadbeef1234dead" + } + ] + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.signal_type", + "expected": "file_malware" + } + ] + }, + { + "name": "E2E/File Malware \u2014 Verdict (active/malware \u2192 quarantine)", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "happy_path", + "file_malware" + ], + "context_inputs": { + "inputs.ThreatStatus": "active", + "inputs.Classification": "malware", + "inputs.ClickCount": "0", + "inputs.DeliveredCount": "3", + "Analysis.Email.source_verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "malicious" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.response_recommended", + "expected": "retract_message", + "description": "delivered=3, clicks=0 \u2192 retract delivered messages (quarantine only if delivered==0)" + } + ] + }, + { + "name": "E2E/False Positive \u2014 
Verdict (cleared \u2192 benign/no_action)", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "non_happy", + "false_positive" + ], + "context_inputs": { + "inputs.ThreatStatus": "cleared", + "inputs.Classification": "spam", + "inputs.ClickCount": "0", + "inputs.DeliveredCount": "0", + "Analysis.Email.source_verdict": "benign" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "benign" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.confidence", + "expected": "low" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.response_recommended", + "expected": "no_action" + } + ] + }, + { + "name": "E2E/False Positive \u2014 Containment (benign \u2192 not required)", + "playbook": "SOC_Email_Containment_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "non_happy", + "false_positive" + ], + "context_inputs": { + "inputs.Verdict": "benign", + "inputs.Confidence": "low", + "inputs.ResponseRecommended": "no_action", + "inputs.ExposureLevel": "blocked" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Containment.required", + "expected": false + } + ] + }, + { + "name": "E2E/False Positive \u2014 Recovery (FP \u2192 unblock sender path)", + "playbook": "SOC_Email_Recovery_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "non_happy", + "false_positive" + ], + "context_inputs": { + "inputs.EradicationAttempted": "true", + "inputs.EradicationSuccess": "true", + "inputs.Verdict": "benign" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.status", + "expected": "false_positive_cleared" + } + ] + }, + { + "name": "E2E/Broad Campaign \u2014 Exposure (12 mailboxes \u2192 broad)", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + 
"suite": "e2e", + "tags": [ + "non_happy", + "broad_campaign" + ], + "context_inputs": { + "alert.type": "messages delivered", + "alert.username": "user@corp.com" + }, + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": [], + "UC.Email.Events.messages_delivered": [ + "m1", + "m2", + "m3", + "m4", + "m5", + "m6", + "m7", + "m8", + "m9", + "m10", + "m11", + "m12" + ] + }, + "soc-get-email-forensics": {} + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.recipient_scope", + "expected": "broad" + }, + { + "type": "context_key_equals", + "target": "Email.Exposure.level", + "expected": "delivered" + } + ] + }, + { + "name": "E2E/Broad Campaign \u2014 Verdict (HVU + wide click \u2192 escalate_IR)", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "non_happy", + "broad_campaign" + ], + "context_inputs": { + "inputs.ThreatStatus": "active", + "inputs.Classification": "phish", + "inputs.HighValueUserInvolved": "true", + "inputs.ClickCount": "8", + "inputs.DeliveredCount": "12", + "Analysis.Email.source_verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "malicious" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.response_recommended", + "expected": "escalate_IR" + } + ] + }, + { + "name": "E2E/Broad Campaign \u2014 Eradication (escalate_IR \u2192 no automation)", + "playbook": "SOC_Email_Eradication_V3", + "category": "email", + "suite": "e2e", + "tags": [ + "non_happy", + "broad_campaign" + ], + "context_inputs": { + "inputs.ContainmentRequired": "true", + "inputs.ResponseRecommended": "escalate_IR", + "inputs.PersistenceType": "none" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": false, + 
"description": "escalate_IR: analyst takes over, no automated eradication"
+ }
+ }
+ ]
+ }
+]
diff --git a/tools/fixtures/email_unit.json b/tools/fixtures/email_unit.json
new file mode 100644
index 00000000..fb0190df
--- /dev/null
+++ b/tools/fixtures/email_unit.json
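Review bot: The test named `E2E/File Malware — Verdict (active/malware → quarantine)` asserts that `Analysis.Email.response_recommended` equals `retract_message`, and its own description says quarantine applies only when delivered==0, so the name documents the opposite of what the fixture checks; rename it to `"E2E/File Malware \u2014 Verdict (active/malware \u2192 retract_message)"`. Related, the e2e chain never carries the high-value-user determination end to end: `E2E/Turla — Exposure` injects `lists.SOCFWHighValueUsers` as an empty string, `E2E/Broad Campaign — Exposure` omits it, and the broad-campaign verdict test hand-feeds `inputs.HighValueUserInvolved: "true"` rather than asserting `Email.Exposure.high_value_user` from the exposure run. Since HVU involvement is what the verdict test relies on to reach `escalate_IR`, a fixture that puts the alert username in the list and asserts `Email.Exposure.high_value_user` in the e2e suite would cover that routing; the README already notes the list must be injected as a comma-separated string, so this is cheap to add.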
@@ -0,0 +1,711 @@ +[ + { + "name": "Signal Char \u2014 URL phish happy path", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "url", + "SOCFramework.Artifacts.Email.ThreatURL": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "SOCFramework.Artifacts.Email.From": "noreply@sktlocal.it", + "alert.senderip": "198.51.100.45" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.signal_type", + "expected": "url_phish" + } + ] + }, + { + "name": "Signal Char \u2014 attachment/file malware path", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "attachment", + "SOCFramework.Artifacts.Email.ThreatURL": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "SOCFramework.Artifacts.Email.From": "noreply@sktlocal.it", + "alert.senderip": "198.51.100.45", + "alert.proofpointtapthreatinfomap": [ + { + "threat": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a7c0d2e9b8f4a1c3d5e7b9f2a4c6e8d0a" + } + ] + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.signal_type", + "expected": "file_malware" + } + ] + }, + { + "name": "Signal Char \u2014 unknown threat type falls to default", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "spam", + "SOCFramework.Artifacts.Email.From": "noreply@sktlocal.it" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.signal_type", + "expected": "unknown" + } + ] + }, + { + "name": "Signal Char \u2014 empty 
SenderDomain skips prevalence check", + "playbook": "SOC_Email_Signal_Characterization_V3", + "category": "email", + "suite": "unit", + "tags": [ + "edge_case" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "url", + "SOCFramework.Artifacts.Email.ThreatURL": "http://evil.com/payload", + "SOCFramework.Artifacts.Email.From": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.signal_type", + "expected": "url_phish" + }, + { + "type": "task_not_executed", + "target": "12", + "description": "Sender Domain Prevalence Check gated" + } + ] + }, + { + "name": "Exposure \u2014 click event seeds clicked level", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "alert.type": "clicks permitted", + "alert.username": "jsmith@corp.com", + "lists.SOCFWHighValueUsers": "ceo@corp.com,cfo@corp.com" + }, + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": [ + "click1" + ], + "UC.Email.Events.messages_delivered": [ + "msg1" + ] + }, + "soc-get-email-forensics": {} + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.level", + "expected": "clicked" + }, + { + "type": "context_key_equals", + "target": "Email.Exposure.recipient_scope", + "expected": "targeted", + "description": "1 mailbox = targeted (<=5)" + } + ] + }, + { + "name": "Exposure \u2014 delivery only \u2192 delivered", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "alert.type": "messages delivered", + "alert.username": "jsmith@corp.com" + }, + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": [], + "UC.Email.Events.messages_delivered": [ + "msg1", + "msg2", + "msg3" + ] + }, + "soc-get-email-forensics": {} + }, + 
"sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.level", + "expected": "delivered" + }, + { + "type": "context_key_equals", + "target": "Email.Exposure.recipient_scope", + "expected": "targeted" + } + ] + }, + { + "name": "Exposure \u2014 no events \u2192 blocked", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "alert.type": "messages blocked", + "alert.username": "jsmith@corp.com" + }, + "uc_mocks": { + "soc-get-email-events": {}, + "soc-get-email-forensics": {} + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.level", + "expected": "blocked" + } + ] + }, + { + "name": "Exposure \u2014 broad blast (>5 mailboxes) \u2192 broad scope", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "alert.type": "messages delivered", + "alert.username": "jsmith@corp.com" + }, + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": [], + "UC.Email.Events.messages_delivered": [ + "m1", + "m2", + "m3", + "m4", + "m5", + "m6", + "m7", + "m8" + ] + }, + "soc-get-email-forensics": {} + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.recipient_scope", + "expected": "broad" + } + ] + }, + { + "name": "Exposure \u2014 high value user flagged", + "playbook": "SOC_Email_Exposure_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "edge_case" + ], + "context_inputs": { + "alert.type": "clicks permitted", + "alert.username": "ceo@corp.com", + "lists.SOCFWHighValueUsers": "ceo@corp.com,cfo@corp.com" + }, + "uc_mocks": { + "soc-get-email-events": { + "UC.Email.Events.clicks_permitted": [ + "c1" + ], + "UC.Email.Events.messages_delivered": [ + "m1" + ] + }, + "soc-get-email-forensics": {} + }, + 
"sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Email.Exposure.high_value_user", + "expected": "true" + } + ] + }, + { + "name": "Verdict \u2014 active ThreatStatus \u2192 malicious high confidence + search_and_purge", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.ThreatStatus": "active", + "inputs.Classification": "phish", + "inputs.HighValueUserInvolved": "false", + "inputs.ClickCount": "1", + "inputs.DeliveredCount": "1", + "Analysis.Email.source_verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "malicious" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.confidence", + "expected": "high" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.response_recommended", + "expected": "search_and_purge" + } + ] + }, + { + "name": "Verdict \u2014 suspicious ThreatStatus \u2192 medium confidence malicious", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.ThreatStatus": "suspicious", + "inputs.Classification": "phish", + "inputs.ClickCount": "0", + "inputs.DeliveredCount": "1", + "Analysis.Email.source_verdict": "suspicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "malicious" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.confidence", + "expected": "medium" + } + ] + }, + { + "name": "Verdict \u2014 cleared ThreatStatus \u2192 benign low confidence no action", + "playbook": "SOC_Email_Verdict_Resolution_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.ThreatStatus": "cleared", + 
"inputs.Classification": "spam", + "inputs.ClickCount": "0", + "inputs.DeliveredCount": "0" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.verdict", + "expected": "benign" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.confidence", + "expected": "low" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.response_recommended", + "expected": "no_action" + } + ] + }, + { + "name": "Forensics \u2014 both IDs available \u2192 forensics returned", + "playbook": "SOC_Email_Forensics_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "alert": { + "proofpointtapcampaignid": "turla-carbon-spearphish-skt-2025", + "proofpointtapthreatid": "a1b2c3d4e5f6a7b8c9d0" + } + }, + "uc_mocks": { + "soc-get-email-forensics": { + "UC.Email.Forensics": { + "threatType": "url", + "display": "Malicious redirect observed" + } + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "SOCFramework.Email.TAP.CampaignID" + }, + { + "type": "context_key_exists", + "target": "SOCFramework.Email.TAP.ThreatID" + }, + { + "type": "context_key_equals", + "target": "Analysis.Email.forensics_available", + "expected": true + } + ] + }, + { + "name": "Forensics \u2014 no IDs \u2192 no forensics call", + "playbook": "SOC_Email_Forensics_Evaluation_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": {}, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.forensics_available", + "expected": "true", + "description": "Task 13 always runs \u2014 forensics_available always set true (playbook limitation)" + } + ] + }, + { + "name": "IOC Enrichment \u2014 URL threat enriched and flagged", + "playbook": "SOC_Email_IOC_Enrichment_V3", + "category": "email", + "suite": "unit", + "tags": [ + 
"happy_path" + ], + "context_inputs": { + "inputs.ThreatURL": "http://brieftragerin.skt.local/update/NTFVersion.exe", + "SOCFramework.Artifacts.Email.ThreatType": "url", + "alert.senderip": "198.51.100.45" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.ioc_enriched", + "expected": true + } + ] + }, + { + "name": "IOC Enrichment \u2014 file attachment path", + "playbook": "SOC_Email_IOC_Enrichment_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "SOCFramework.Artifacts.Email.ThreatType": "attachment", + "alert.proofpointtapthreatinfomap.threatType": "attachment", + "alert.proofpointtapthreatinfomap": { + "threatType": "attachment", + "threat": "a3f8e2d94c1b7065" + } + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.ioc_enriched", + "expected": true + }, + { + "type": "task_executed", + "target": "7", + "description": "Create File Indicator should run" + }, + { + "type": "task_not_executed", + "target": "3", + "description": "URL IOC Path skipped" + } + ] + }, + { + "name": "IOC Enrichment \u2014 no threat type \u2192 still completes", + "playbook": "SOC_Email_IOC_Enrichment_V3", + "category": "email", + "suite": "unit", + "tags": [ + "edge_case" + ], + "context_inputs": {}, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Email.ioc_enriched", + "expected": true + } + ] + }, + { + "name": "Containment \u2014 malicious + search_and_purge \u2192 required", + "playbook": "SOC_Email_Containment_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.Verdict": "malicious", + "inputs.Confidence": "high", + "inputs.ResponseRecommended": "search_and_purge", + "inputs.ExposureLevel": "clicked" + }, + "uc_mocks": { + "soc-email-search-and-purge": { + 
"Containment.action": "search_and_purge" + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Containment.required", + "expected": true + } + ] + }, + { + "name": "Containment \u2014 benign verdict \u2192 not required", + "playbook": "SOC_Email_Containment_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.Verdict": "benign", + "inputs.Confidence": "low", + "inputs.ResponseRecommended": "no_action", + "inputs.ExposureLevel": "blocked" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Containment.required", + "expected": false + } + ] + }, + { + "name": "Eradication \u2014 containment required \u2192 eradication attempted", + "playbook": "SOC_Email_Eradication_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.ContainmentRequired": "true", + "inputs.ResponseRecommended": "search_and_purge", + "inputs.PersistenceType": "none" + }, + "uc_mocks": { + "soc-email-delete-message": {} + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": true + } + ] + }, + { + "name": "Eradication \u2014 escalate_IR skips automated eradication", + "playbook": "SOC_Email_Eradication_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.ContainmentRequired": "true", + "inputs.ResponseRecommended": "escalate_IR", + "inputs.PersistenceType": "none" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": false, + "description": "escalate_IR skips automated eradication" + } + ] + }, + { + "name": "Eradication \u2014 no containment \u2192 not attempted", + "playbook": "SOC_Email_Eradication_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" 
+ ], + "context_inputs": { + "inputs.ContainmentRequired": "false", + "inputs.ResponseRecommended": "no_action" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": false + } + ] + }, + { + "name": "Recovery \u2014 eradication succeeded \u2192 complete", + "playbook": "SOC_Email_Recovery_V3", + "category": "email", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.EradicationAttempted": "true", + "inputs.EradicationSuccess": "true", + "inputs.Verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.status", + "expected": "contained" + }, + { + "type": "context_key_equals", + "target": "Recovery.monitoring_required", + "expected": true + } + ] + }, + { + "name": "Recovery \u2014 eradication failed \u2192 partial", + "playbook": "SOC_Email_Recovery_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.EradicationAttempted": "true", + "inputs.EradicationSuccess": "false", + "inputs.Verdict": "malicious" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.status", + "expected": "eradication_failed" + } + ] + }, + { + "name": "Recovery \u2014 false positive \u2192 unblock sender path", + "playbook": "SOC_Email_Recovery_V3", + "category": "email", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.EradicationAttempted": "true", + "inputs.EradicationSuccess": "true", + "inputs.Verdict": "benign" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.status", + "expected": "false_positive_cleared", + "description": "FP path: verdict=benign \u2192 unblock sender \u2192 false_positive_cleared" + } + ] + } +] 
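Review bot: `Exposure — no events → blocked` asserts `Email.Exposure.level` is `blocked` when `soc-get-email-events` returns nothing, which looks like the same output shape the commit's SOCCommandWrapper soft-fail produces when the integration is not installed (UC keys nulled, playbook continues), so an unavailable TAP integration would presumably be classified as "blocked" and containment skipped — a fail-open default. A fixture that models the `integration_unavailable` outcome and asserts `Email.Exposure.level` is not `blocked` (or is `unknown`, if the playbook distinguishes) would pin that distinction; I cannot see the wrapper or the playbook here, so confirm how the nulled keys actually surface. Separately, `expected` types are inconsistent for the same keys: `Analysis.Email.forensics_available` is `true` in `Forensics — both IDs available` but `"true"` in `Forensics — no IDs`, and `Email.Exposure.high_value_user` is `"true"` while `Containment.required` is `false`; with `context_key_equals` documented as an exact match, one of each pair is either wrong or silently relying on coercion in the simulator. The `Forensics — no IDs` description also records `forensics_available` always being true as a "playbook limitation", which is a defect to fix in the playbook rather than a behaviour to enshrine; at minimum tag that case (e.g. `"tags": ["non_happy", "known_bug"]`) so it does not read as intended behaviour.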
diff --git a/tools/fixtures/endpoint_unit.json b/tools/fixtures/endpoint_unit.json
new file mode 100644
index 00000000..80d4e1ed
--- /dev/null
+++ b/tools/fixtures/endpoint_unit.json
@@ -0,0 +1,449 @@ +[ + { + "name": "Endpoint Signal Char \u2014 malware in case name", + "playbook": "SOC_Endpoint_Signal_Characterization_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.case_name": "Malware: CrowdStrike Falcon Detection", + "inputs.cgo_name": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Endpoint.signal_type", + "expected": "file_malware", + "description": "Malware case name \u2192 file_malware signal type" + } + ] + }, + { + "name": "Endpoint Signal Char \u2014 wildfire in case name \u2192 malware path", + "playbook": "SOC_Endpoint_Signal_Characterization_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.case_name": "wildfire", + "inputs.cgo_name": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Analysis.Endpoint.signal_type" + } + ] + }, + { + "name": "Endpoint Signal Char \u2014 no match \u2192 default signal type", + "playbook": "SOC_Endpoint_Signal_Characterization_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.case_name": "Suspicious Network Activity", + "inputs.cgo_name": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_absent", + "target": "Analysis.Endpoint.signal_type", + "description": "No matching case_name pattern \u2192 no signal_type written (playbook design)" + } + ] + }, + { + "name": "Endpoint Verdict \u2014 malicious verdict \u2192 malicious output", + "playbook": "SOC_Endpoint_Verdict_Resolution_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.verdict": "malicious", + "inputs.SHA256": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a7c0d2e9b8f4a1c3d5e7b9f2a4c6e8d0a", + "DBotAvgScore": { + "Indicator": 
"a3f8e2d94c1b7065f2a9c8d3e4b51f6a", + "Score": "3" + } + }, + "uc_mocks": {}, + "sub_mocks": { + "WildFire - Detonate file v2": {} + }, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Endpoint.verdict", + "expected": "malicious" + } + ] + }, + { + "name": "Endpoint Verdict \u2014 benign verdict \u2192 benign output", + "playbook": "SOC_Endpoint_Verdict_Resolution_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.verdict": "benign", + "inputs.SHA256": "0000000000000000000000000000000000000000000000000000000000000000", + "DBotAvgScore": { + "Indicator": "0000000000000000000000000000000000000000000000000000000000000000", + "Score": "1" + } + }, + "uc_mocks": {}, + "sub_mocks": { + "WildFire - Detonate file v2": {} + }, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Endpoint.verdict", + "expected": "benign" + } + ] + }, + { + "name": "Endpoint Verdict \u2014 suspicious verdict", + "playbook": "SOC_Endpoint_Verdict_Resolution_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.verdict": "suspicious", + "inputs.SHA256": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a7c0d2e9b8f4a1c3d5e7b9f2a4c6e8d0a", + "DBotAvgScore": { + "Indicator": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a", + "Score": "2" + } + }, + "uc_mocks": {}, + "sub_mocks": { + "WildFire - Detonate file v2": {} + }, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Endpoint.verdict", + "expected": "suspicious" + } + ] + }, + { + "name": "Endpoint Compromise \u2014 host likely compromised, execution confirmed", + "playbook": "SOC_Endpoint_Compromise_Evaluation_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.host_likely_compromised": "true", + "inputs.host_suspicious": "true", + "inputs.host_isolated_signal": "false", + "inputs.host_high_issue_count": "true", + 
"inputs.SHA256": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a7c0d2e9b8f4a1c3d5e7b9f2a4c6e8d0a", + "inputs.verdict": "malicious", + "inputs.initiator_sha256": "", + "inputs.case_mitre_tactics": "TA0002,TA0003", + "inputs.case_mitre_techniques": "T1059", + "inputs.case_issue_count": "15", + "inputs.tactic_id": "TA0002", + "inputs.xdm_sourceprocess_executable_sha256": "", + "inputs.cgo_sha256": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Analysis.Endpoint.compromise_level" + }, + { + "type": "context_key_exists", + "target": "Analysis.Endpoint.compromise_decision" + } + ] + }, + { + "name": "Endpoint Compromise \u2014 benign verdict, no execution \u2192 no_evidence path", + "playbook": "SOC_Endpoint_Compromise_Evaluation_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.host_likely_compromised": "false", + "inputs.host_suspicious": "false", + "inputs.host_isolated_signal": "false", + "inputs.host_high_issue_count": "false", + "inputs.verdict": "benign", + "inputs.case_issue_count": "1", + "inputs.SHA256": "", + "inputs.case_mitre_tactics": "", + "inputs.tactic_id": "", + "inputs.initiator_sha256": "", + "inputs.cgo_sha256": "", + "inputs.xdm_sourceprocess_executable_sha256": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Analysis.Endpoint.compromise_level", + "expected": "no_evidence" + } + ] + }, + { + "name": "Endpoint Containment \u2014 auto-contain high confidence malicious", + "playbook": "SOC_Endpoint_Containment_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.AutoContainment": "true", + "inputs.FileRemediation": "true", + "inputs.FeaturedHost": "WIN-WORKSTATION-01", + "inputs.Verdict": "malicious", + "inputs.SourceBrand": "CrowdStrike Falcon", + "inputs.Confidence": "high", + "inputs.ExecutionConfirmed": 
"malicious_and_executed", + "inputs.CompromiseLevel": "likely_compromised", + "inputs.CaseScore": "90" + }, + "uc_mocks": { + "soc-isolate-endpoint": { + "Containment.isolated_hosts": [ + "WIN-WORKSTATION-01" + ], + "Containment.status": "isolated" + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Containment.status", + "expected": "isolated" + } + ] + }, + { + "name": "Endpoint Containment \u2014 low confidence no containment", + "playbook": "SOC_Endpoint_Containment_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.AutoContainment": "false", + "inputs.Verdict": "suspicious", + "inputs.Confidence": "low", + "inputs.CompromiseLevel": "not_compromised", + "inputs.CaseScore": "20" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "branch_taken", + "target": "171", + "expected": "#default#", + "description": "Low confidence \u2192 Potentially Contain condition fails \u2192 Done directly" + } + ] + }, + { + "name": "Endpoint Eradication \u2014 response recommended \u2192 eradication attempted", + "playbook": "SOC_EndPoint_Eradication_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.Analysis": { + "response_recommended": "true", + "compromise_level": "Likely Compromised", + "spread_level": "Single Entity", + "persistence_type": "none" + } + }, + "uc_mocks": { + "soc-remove-file": { + "Eradication.files_removed": true + }, + "soc-remove-persistence": { + "Eradication.persistence_removed": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Eradication.attempted" + } + ] + }, + { + "name": "Endpoint Eradication \u2014 no response recommended \u2192 skipped", + "playbook": "SOC_EndPoint_Eradication_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.Analysis": { + 
"response_recommended": "false", + "compromise_level": "Isolated Signal" + } + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Eradication.attempted" + } + ] + }, + { + "name": "Endpoint Recovery \u2014 malicious_and_executed compromise \u2192 restore required", + "playbook": "SOC_EndPoint_Recovery_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.compromise_decision": "malicious_and_executed", + "Eradication.status": "true", + "Eradication.reimage_required": "true" + }, + "uc_mocks": { + "soc-deisolate-endpoint": { + "Recovery.restore_required": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.status", + "expected": "rebuild_required" + } + ] + }, + { + "name": "Endpoint Recovery \u2014 isolated signal only \u2192 monitoring not isolation", + "playbook": "SOC_EndPoint_Recovery_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.compromise_decision": "isolated_signal", + "Eradication.status": "false" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Recovery.status" + } + ] + }, + { + "name": "Endpoint Spread \u2014 multi-host, multi-hash \u2192 Multi Entity", + "playbook": "SOC_EndPoint_Spread_Evaluation_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.case_host_count": "8", + "inputs.case_user_count": "4", + "inputs.high_host_count_per_case": "5", + "inputs.high_hash_count_per_case": "3", + "inputs.limited_host_count_per_case": "3", + "inputs.limited_hash_count_per_case": "2", + "inputs.limited_user_count_per_case": "2", + "inputs.SHA256": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a", + "inputs.case_tactics": "TA0002,TA0008" + }, + "uc_mocks": { + "soc-get-file-hash-prevalence": { + 
"UC.Enrich.File.hash_prevalence_count": 12 + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Analysis.Endpoint.spread_level" + } + ] + }, + { + "name": "Endpoint Spread \u2014 single host, single hash \u2192 Single Entity", + "playbook": "SOC_EndPoint_Spread_Evaluation_V3", + "category": "endpoint", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.case_host_count": "1", + "inputs.case_user_count": "1", + "inputs.high_host_count_per_case": "5", + "inputs.high_hash_count_per_case": "3", + "inputs.limited_host_count_per_case": "3", + "inputs.limited_hash_count_per_case": "2", + "inputs.limited_user_count_per_case": "2", + "inputs.SHA256": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a", + "inputs.case_tactics": "TA0002" + }, + "uc_mocks": { + "soc-get-file-hash-prevalence": { + "UC.Enrich.File.hash_prevalence_count": 1 + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_exists", + "target": "Analysis.Endpoint.spread_level" + } + ] + } +] diff --git a/tools/fixtures/identity_unit.json b/tools/fixtures/identity_unit.json new file mode 100644 index 00000000..47d87420 --- /dev/null +++ b/tools/fixtures/identity_unit.json 
@@ -0,0 +1,456 @@ +[ + { + "name": "Identity Analysis \u2014 Credential Access \u2192 signal_type + medium confidence", + "playbook": "SOC_Identity_Analysis_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.entity_id": "user-001", + "inputs.case_category": "identity", + "inputs.entity_type": "user", + "parentIncidentFields.mitre_tactics_ids_and_names": "TA0006 - Credential Access", + "parentIncidentFields.predicted_score": "75", + "parentIncidentFields.user_count": "1", + "parentIncidentFields.host_count": "1", + "parentIncidentFields.alert_count": "5" + }, + "uc_mocks": {}, + "sub_mocks": { + "SOC Initialize Investigation Context_V3": {}, + "SOC Analysis Evaluation_V3": { + "Analysis.verdict": "malicious", + "Analysis.confidence": "medium", + "Analysis.response_recommended": "true" + } + }, + "assertions": [ + { + "type": "branch_taken", + "target": "4", + "expected": "Credential Access" + }, + { + "type": "context_key_equals", + "target": "Analysis.Identity.signal_type", + "expected": "credential_access" + }, + { + "type": "context_key_equals", + "target": "Analysis.Identity.compromise_level", + "expected": "suspicious", + "description": "score=75 (<85) \u2192 t21 group2 fails \u2192 #default# \u2192 suspicious" + }, + { + "type": "context_key_equals", + "target": "Analysis.verdict", + "expected": "malicious" + } + ] + }, + { + "name": "Identity Analysis \u2014 Lateral Movement \u2192 lateral_movement signal", + "playbook": "SOC_Identity_Analysis_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.entity_id": "user-002", + "inputs.case_category": "identity", + "inputs.entity_type": "user", + "parentIncidentFields.mitre_tactics_ids_and_names": "TA0008 - Lateral Movement", + "parentIncidentFields.predicted_score": "75", + "parentIncidentFields.user_count": "3", + "parentIncidentFields.host_count": "2", + "parentIncidentFields.alert_count": 
"8" + }, + "uc_mocks": {}, + "sub_mocks": { + "SOC Initialize Investigation Context_V3": {}, + "SOC Analysis Evaluation_V3": { + "Analysis.verdict": "malicious", + "Analysis.confidence": "high", + "Analysis.response_recommended": "true" + } + }, + "assertions": [ + { + "type": "branch_taken", + "target": "4", + "expected": "Lateral Movement" + }, + { + "type": "context_key_equals", + "target": "Analysis.Identity.signal_type", + "expected": "lateral_movement" + }, + { + "type": "context_key_equals", + "target": "Analysis.verdict", + "expected": "malicious" + } + ] + }, + { + "name": "Identity Analysis \u2014 Privilege Escalation \u2192 privilege_escalation signal", + "playbook": "SOC_Identity_Analysis_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.entity_id": "user-003", + "inputs.case_category": "identity", + "inputs.entity_type": "user", + "parentIncidentFields.mitre_tactics_ids_and_names": "TA0004 - Privilege Escalation", + "parentIncidentFields.predicted_score": "90", + "parentIncidentFields.user_count": "1", + "parentIncidentFields.host_count": "1", + "parentIncidentFields.alert_count": "3" + }, + "uc_mocks": {}, + "sub_mocks": { + "SOC Initialize Investigation Context_V3": {}, + "SOC Analysis Evaluation_V3": { + "Analysis.verdict": "malicious", + "Analysis.confidence": "high" + } + }, + "assertions": [ + { + "type": "branch_taken", + "target": "4", + "expected": "Privilege Escalation" + }, + { + "type": "context_key_equals", + "target": "Analysis.Identity.signal_type", + "expected": "privilege_escalation" + }, + { + "type": "context_key_equals", + "target": "Analysis.Identity.compromise_level", + "expected": "likely_compromised", + "description": "score=90 (>=85) \u2192 t21 group2 passes \u2192 high \u2192 t22 \u2192 likely_compromised" + } + ] + }, + { + "name": "Identity Analysis \u2014 Persistence \u2192 identity_persistence signal", + "playbook": "SOC_Identity_Analysis_V3", + "category": 
"identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.entity_id": "user-004", + "inputs.case_category": "identity", + "inputs.entity_type": "user", + "parentIncidentFields.mitre_tactics_ids_and_names": "TA0003 - Persistence", + "parentIncidentFields.predicted_score": "70", + "parentIncidentFields.user_count": "1", + "parentIncidentFields.host_count": "1", + "parentIncidentFields.alert_count": "2" + }, + "uc_mocks": {}, + "sub_mocks": { + "SOC Initialize Investigation Context_V3": {}, + "SOC Analysis Evaluation_V3": { + "Analysis.verdict": "suspicious" + } + }, + "assertions": [ + { + "type": "branch_taken", + "target": "4", + "expected": "Persistence" + }, + { + "type": "context_key_equals", + "target": "Analysis.Identity.signal_type", + "expected": "identity_persistence" + } + ] + }, + { + "name": "Identity Containment \u2014 auto-contain \u2192 soc-disable-user and soc-clear-sessions", + "playbook": "SOC_Identity_Containment_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.AutoContainment": "true", + "inputs.UserContainment": "true", + "inputs.ClearUserSessions": "true", + "inputs.Username": "gunter.skt", + "inputs.IAMUserDomain": "SKT.LOCAL", + "inputs.FeaturedUser": "gunter.skt@SKT.LOCAL", + "inputs.FeaturedAD": "SKT.LOCAL", + "issue.mitreattcktechnique": "T1078" + }, + "uc_mocks": { + "soc-disable-user": { + "Containment.user_disabled": true + }, + "soc-clear-sessions": { + "Containment.sessions_cleared": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "branch_taken", + "target": "164", + "expected": "yes", + "description": "MITRE T1078 matches \u2192 disable-user decision point reached" + }, + { + "type": "branch_taken", + "target": "166", + "expected": "yes", + "description": "MITRE T1078 matches \u2192 clear-sessions decision point reached" + }, + { + "type": "branch_taken", + "target": "157", + "expected": "#default#", + "description": 
"PLAYBOOK GAP: t157 Disable Account? has no condition body \u2192 always defaults to Done" + }, + { + "type": "branch_taken", + "target": "159", + "expected": "#default#", + "description": "PLAYBOOK GAP: t159 Clear Sessions? has no condition body \u2192 always defaults to Done" + } + ] + }, + { + "name": "Identity Containment \u2014 auto-contain disabled \u2192 manual path, no UC calls", + "playbook": "SOC_Identity_Containment_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.AutoContainment": "false", + "inputs.UserContainment": "false", + "inputs.ClearUserSessions": "false", + "inputs.Username": "jsmith", + "inputs.IAMUserDomain": "CORP.LOCAL", + "inputs.FeaturedUser": "jsmith@CORP.LOCAL", + "inputs.FeaturedAD": "CORP.LOCAL" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "branch_taken", + "target": "138", + "expected": "#default#", + "description": "AutoContainment=false \u2192 goes to manual analyst path" + } + ] + }, + { + "name": "Identity Eradication \u2014 likely_compromised \u2192 reset password + revoke tokens", + "playbook": "SOC_Identity_Eradication_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.compromise_level": "likely_compromised", + "inputs.compromise_decision": "confirmed_compromise", + "inputs.response_recommended": "true", + "inputs.primary_entity_user": "gunter.skt@SKT.LOCAL" + }, + "uc_mocks": { + "soc-reset-password": { + "Eradication.credentials_reset": true + }, + "soc-revoke-tokens": { + "Eradication.tokens_revoked": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": true + }, + { + "type": "context_key_equals", + "target": "Eradication.credentials_reset", + "expected": true + }, + { + "type": "context_key_equals", + "target": "Eradication.tokens_revoked", + "expected": true + }, + { + "type": 
"task_executed", + "target": "21", + "description": "Reset Password UC task executed" + }, + { + "type": "task_executed", + "target": "29", + "description": "Revoke Tokens UC task executed" + } + ] + }, + { + "name": "Identity Eradication \u2014 suspicious \u2192 tokens revoked only (no password reset)", + "playbook": "SOC_Identity_Eradication_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.compromise_level": "suspicious", + "inputs.compromise_decision": "possible_compromise", + "inputs.response_recommended": "true", + "inputs.primary_entity_user": "jsmith@CORP.LOCAL" + }, + "uc_mocks": { + "soc-revoke-tokens": { + "Eradication.tokens_revoked": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": true + }, + { + "type": "branch_taken", + "target": "2", + "expected": "suspicious", + "description": "suspicious path \u2192 revoke only, no password reset" + }, + { + "type": "task_not_executed", + "target": "21", + "description": "Password reset skipped for suspicious (not likely_compromised)" + } + ] + }, + { + "name": "Identity Eradication \u2014 response_recommended=false \u2192 not attempted", + "playbook": "SOC_Identity_Eradication_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.compromise_level": "none", + "inputs.compromise_decision": "false_positive", + "inputs.response_recommended": "false", + "inputs.primary_entity_user": "" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Eradication.attempted", + "expected": false + } + ] + }, + { + "name": "Identity Recovery \u2014 eradication attempted \u2192 re-enable user", + "playbook": "SOC_Identity_Recovery_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "happy_path" + ], + "context_inputs": { + "inputs.compromise_decision": 
"confirmed_compromise", + "Eradication.attempted": "true" + }, + "uc_mocks": { + "soc-enable-user": { + "Recovery.account_restored": true + } + }, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.attempted", + "expected": true + }, + { + "type": "context_key_equals", + "target": "Recovery.account_restored", + "expected": true + }, + { + "type": "task_executed", + "target": "200", + "description": "soc-enable-user UC task executed" + } + ] + }, + { + "name": "Identity Recovery \u2014 eradication not attempted \u2192 no recovery", + "playbook": "SOC_Identity_Recovery_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "non_happy" + ], + "context_inputs": { + "inputs.compromise_decision": "false_positive", + "Eradication.attempted": "false" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.attempted", + "expected": false + } + ] + }, + { + "name": "Identity Recovery \u2014 no eradication context set \u2192 not attempted", + "playbook": "SOC_Identity_Recovery_V3", + "category": "identity", + "suite": "unit", + "tags": [ + "edge_case" + ], + "context_inputs": { + "inputs.compromise_decision": "possible_compromise" + }, + "uc_mocks": {}, + "sub_mocks": {}, + "assertions": [ + { + "type": "context_key_equals", + "target": "Recovery.attempted", + "expected": false + } + ] + } +] diff --git a/tools/playbook_simulator.py b/tools/playbook_simulator.py new file mode 100644 index 00000000..b505f831 --- /dev/null +++ b/tools/playbook_simulator.py 
@@ -0,0 +1,465 @@
+"""
+playbook_simulator.py
+─────────────────────
+Static execution engine for XSIAM SOC Framework playbooks.
+"""
+
+from __future__ import annotations
+import yaml, json, re, os
+from dataclasses import dataclass, field
+from typing import Any
+from copy import deepcopy
+
+
+# ── Context ───────────────────────────────────────────────────────────────────
+
+class Context:
+ def __init__(self, initial: dict | None = None):
+ self._data: dict = {}
+ if initial:
+ for k, v in initial.items():
+ self.set(k, v)
+
+ def set(self, key: str, value: Any, append: bool = False):
+ if append and key in self._data:
+ existing = self._data[key]
+ self._data[key] = (existing if isinstance(existing, list) else [existing]) + \
+ (value if isinstance(value, list) else [value])
+ else:
+ self._data[key] = value
+
+ def get(self, key: str, default: Any = None) -> Any:
+ return self._data.get(key, default)
+
+ def get_by_path(self, path: str) -> Any:
+ """Look up a dotted key path in context. Returns the value or None."""
+ return self._data.get(path)
+
+ def resolve_string(self, expr: str) -> Any:
+ """Resolve ${Key.path} references within a string. 
Returns raw value for pure references.""" + pattern = re.compile(r'\$\{([^}]+)\}') + matches = list(pattern.finditer(expr)) + if not matches: + return expr + if len(matches) == 1 and matches[0].group(0) == expr.strip(): + return self.get(matches[0].group(1)) + result = expr + for m in reversed(matches): + val = self.get(m.group(1)) + result = result[:m.start()] + str(val or '') + result[m.end():] + return result + + def snapshot(self) -> dict: + return deepcopy(self._data) + + +# ── Transformers ───────────────────────────────────────────────────────────── + +def apply_transformers(value: Any, transformers: list) -> Any: + for t in transformers: + op = t.get('operator') + args = t.get('args', {}) + if op == 'join': + sep = args.get('separator', {}) + if isinstance(sep, dict): sep = sep.get('value', {}) + if isinstance(sep, dict): sep = sep.get('simple', ',') + value = sep.join(str(v) for v in value) if isinstance(value, list) else (str(value) if value is not None else '') + elif op == 'count': + value = len(value) if isinstance(value, list) else (1 if value is not None else 0) + elif op == 'uniq': + if isinstance(value, list): + seen, out = set(), [] + for v in value: + k = str(v) + if k not in seen: seen.add(k); out.append(v) + value = out + elif op == 'getField': + field = args.get('field', {}) + if isinstance(field, dict): field = field.get('value', {}).get('simple', '') + if isinstance(value, dict) and field: + value = value.get(field) + elif isinstance(value, list) and field: + value = [item.get(field) for item in value if isinstance(item, dict)] + elif op == 'toLowerCase': + value = str(value).lower() if value is not None else '' + elif op == 'toUpperCase': + value = str(value).upper() if value is not None else '' + elif op == 'substringFrom': + from_val = args.get('from', {}) + if isinstance(from_val, dict): from_val = from_val.get('value', {}) + if isinstance(from_val, dict): from_val = from_val.get('simple', '@') + if isinstance(value, str) and from_val in 
value: + value = value[value.index(from_val) + len(from_val):] + elif op == 'MapRangeValues': + mf = args.get('map_from', {}); mt = args.get('map_to', {}) + if isinstance(mf, dict): mf = mf.get('value', {}).get('simple', '') + if isinstance(mt, dict): mt = mt.get('value', {}).get('simple', '') + try: + score = int(value) + for r, label in zip(mf.split(','), mt.split(',')): + lo, hi = (int(x) for x in r.split('-')) + if lo <= score <= hi: value = label; break + except Exception: pass + elif op == 'if-then-else': + cond = args.get('condition', {}) + then_val = args.get('thenValue', {}) + else_val = args.get('elseValue', {}) + if isinstance(cond, dict): cond = cond.get('value', {}).get('simple', '') + if isinstance(then_val, dict): then_val = then_val.get('value', {}).get('simple', '') + if isinstance(else_val, dict): else_val = else_val.get('value', {}).get('simple', '') + if cond.startswith('lte,'): + try: + value = then_val if (isinstance(value, (int,float)) and value <= int(cond.split(',',1)[1])) else else_val + except Exception: value = else_val + elif cond.startswith('gte,'): + try: + value = then_val if (isinstance(value, (int,float)) and value >= int(cond.split(',',1)[1])) else else_val + except Exception: value = else_val + return value + + +def resolve_value_spec(spec: Any, ctx: Context, iscontext: bool = False) -> Any: + """ + Resolve a playbook value specification against context. + iscontext=True means the 'simple' value is a context key path, not a literal. 
+ """ + if spec is None: + return None + if isinstance(spec, dict): + if 'simple' in spec: + raw = spec['simple'] + # If iscontext flag is on the parent condition operand, or the value + # contains ${...}, resolve as context reference + if iscontext and isinstance(raw, str) and not raw.startswith('${'): + # Treat as context key path directly + return ctx.get_by_path(raw) + return ctx.resolve_string(raw) if isinstance(raw, str) else raw + if 'complex' in spec: + c = spec['complex'] + root = c.get('root', '') + accessor = c.get('accessor') + transformers = c.get('transformers', []) + value = ctx.get_by_path(root) if root else None + if value is None and root: + value = ctx.resolve_string(f'${{{root}}}') + if accessor: + if isinstance(value, dict): + val = value.get(accessor) + if val is None: + # Fallback: try flat dotted key root.accessor + val = ctx.get_by_path(f'{root}.{accessor}') + value = val + elif isinstance(value, list): + value = [item.get(accessor) for item in value if isinstance(item, dict)] + elif value is None: + # root not in context — try flat dotted key + value = ctx.get_by_path(f'{root}.{accessor}') + value = apply_transformers(value, transformers) + return value + return ctx.resolve_string(str(spec)) if spec is not None else None + + +def _resolve_cond_operand(operand: dict, ctx: Context) -> Any: + """Resolve a condition left/right operand respecting iscontext.""" + val_spec = operand.get('value', {}) + iscontext = operand.get('iscontext', False) + return resolve_value_spec(val_spec, ctx, iscontext=iscontext) + + +# ── Condition evaluation ────────────────────────────────────────────────────── + +def _truthy(v) -> bool: + if v is None: return False + if isinstance(v, bool): return v + if isinstance(v, (int, float)): return v != 0 + if isinstance(v, str): return v.lower() not in ('', 'false', 'none', '0') + if isinstance(v, list): return len(v) > 0 + return bool(v) + + +def evaluate_single_condition(cond: dict, ctx: Context) -> bool: + op = 
cond.get('operator', '') + left = _resolve_cond_operand(cond.get('left', {}), ctx) + right = _resolve_cond_operand(cond.get('right', {}), ctx) + icase = cond.get('ignorecase', False) + + if icase: + if isinstance(left, str): left = left.lower() + if isinstance(right, str): right = right.lower() + + if op == 'isNotEmpty': return _truthy(left) + if op == 'isEmpty': return not _truthy(left) + if op == 'isTrue': return left is True or str(left).lower() == 'true' + if op == 'isFalse': return not _truthy(left) + if op == 'isExists': return left is not None + if op == 'isEqualString': return str(left or '').strip() == str(right or '').strip() + if op == 'isEqualNumber': + try: return float(left or 0) == float(right or 0) + except Exception: return str(left or '') == str(right or '') + if op == 'isNotEqualString': return str(left or '') != str(right or '') + if op in ('containsGeneral', 'contains', 'containsString'): + return str(right or '') in str(left or '') + if op == 'inList': + lst = right if isinstance(right, list) else str(right or '').split(',') + return str(left or '') in [str(x).strip() for x in lst] + if op == 'match': + import re as _re + try: return bool(_re.search(str(right or ''), str(left or ''))) + except Exception: return False + if op == 'in': + # XSIAM 'in': checks if left value exists within right (list or comma-separated string) + if isinstance(right, list): + return str(left or '') in [str(r) for r in right] + return str(left or '') in str(right or '') + if op == 'notIn': + if isinstance(right, list): + return str(left or '') not in [str(r) for r in right] + return str(left or '') not in str(right or '') + if op == 'greaterThan': + try: return float(left or 0) > float(right or 0) + except Exception: return False + if op == 'greaterThanOrEqual': + try: return float(left or 0) >= float(right or 0) + except Exception: return False + if op == 'lessThanOrEqual': + try: return float(left or 0) <= float(right or 0) + except Exception: return False + if op 
== 'lessThan': + try: return float(left or 0) < float(right or 0) + except Exception: return False + return False + + +def evaluate_condition_label(label_conditions: list, ctx: Context) -> bool: + """ + XSIAM condition evaluation: + outer list (label_conditions) = AND — all groups must pass + inner list (and_group) = OR — any condition in the group passes the group + This models the XSIAM condition builder where multiple rows in one group are OR'd, + and multiple groups are AND'd together. + """ + for and_group in label_conditions: + if not any(evaluate_single_condition(c, ctx) for c in and_group): + return False + return True + + +# ── Script mocks ────────────────────────────────────────────────────────────── + +def _resolve_arg(args: dict, key: str, ctx: Context) -> Any: + spec = args.get(key, {}) + if isinstance(spec, dict) and 'simple' in spec: + return ctx.resolve_string(spec['simple']) + return resolve_value_spec(spec, ctx) + + +def mock_set_and_handle_empty(args: dict, ctx: Context): + key = _resolve_arg(args, 'key', ctx) + value = resolve_value_spec(args.get('value'), ctx) + append = str(_resolve_arg(args, 'append', ctx) or 'false').lower() == 'true' + if key and value is not None and value != '': + ctx.set(key, value, append=append) + + +def mock_add_dbot_score(args: dict, ctx: Context): + indicator = resolve_value_spec(args.get('indicator'), ctx) + score = resolve_value_spec(args.get('score'), ctx) + vendor = _resolve_arg(args, 'vendor', ctx) or 'Unknown' + ind_type = _resolve_arg(args, 'indicatorType', ctx) or 'Unknown' + if indicator: + ctx.set('DBotScore', { + 'Indicator': indicator, 'Score': int(score or 0), + 'Type': ind_type, 'Vendor': vendor, + }) + + + +def mock_set_multiple_values(args: dict, ctx: Context): + """ + SetMultipleValues: writes multiple keys at once. + args: keys (csv), values (csv), parent (optional namespace prefix) + e.g. 
parent=Analysis keys=Email.verdict,Email.confidence values=malicious,high + → sets Analysis.Email.verdict=malicious, Analysis.Email.confidence=high + """ + keys_raw = _resolve_arg(args, 'keys', ctx) or '' + values_raw = _resolve_arg(args, 'values', ctx) or '' + parent = _resolve_arg(args, 'parent', ctx) or '' + keys = [k.strip() for k in keys_raw.split(',') if k.strip()] + values = [v.strip() for v in values_raw.split(',') if v.strip()] + prefix = f"{parent}." if parent else "" + for key, val in zip(keys, values): + ctx.set(f"{prefix}{key}", val) + +SCRIPT_MOCKS = { + 'SetAndHandleEmpty': mock_set_and_handle_empty, + 'SetMultipleValues': mock_set_multiple_values, + 'SetField': mock_set_and_handle_empty, + 'AddDBotScoreToContext': mock_add_dbot_score, + 'GetIndicatorDBotScoreFromCache': lambda a, c: None, +} + + +# ── Execution result ────────────────────────────────────────────────────────── + +@dataclass +class ExecutionResult: + playbook_name: str + executed_tasks: list[str] = field(default_factory=list) + branch_taken: dict = field(default_factory=dict) + context_before: dict = field(default_factory=dict) + context_after: dict = field(default_factory=dict) + warnings: list[str] = field(default_factory=list) + errors: list[str] = field(default_factory=list) + + +# ── Simulator ───────────────────────────────────────────────────────────────── + +class PlaybookSimulator: + def __init__(self, playbook_dir: str): + self.playbook_dir = playbook_dir + self._cache: dict[str, dict] = {} + + def _load(self, name: str) -> dict: + if name in self._cache: + return self._cache[name] + candidates = [ + os.path.join(self.playbook_dir, name + '.yml'), + os.path.join(self.playbook_dir, name.replace(' ', '_') + '.yml'), + ] + for path in candidates: + if os.path.exists(path): + with open(path) as f: + d = yaml.safe_load(f) + self._cache[name] = d + return d + raise FileNotFoundError(f"Playbook not found: {name!r}") + + def _prepopulate_inputs(self, pb: dict, ctx: Context): + """ + 
Pre-populate inputs.* keys from playbook input definitions. + In XSIAM, conditions that read 'inputs.Foo' (iscontext=true) resolve + against the playbook's input namespace, which in turn resolves its + default expression against the outer context. + """ + for inp in pb.get('inputs', []): + key = inp.get('key', '') + if not key: + continue + input_key = f'inputs.{key}' + # If already injected by test, leave it + if ctx.get_by_path(input_key) is not None: + continue + # Resolve the default value from context + val_spec = inp.get('value', {}) + value = resolve_value_spec(val_spec, ctx) + if value is not None: + ctx.set(input_key, value) + + def run( + self, + playbook_name: str, + context: Context, + uc_mocks: dict | None = None, + sub_mocks: dict | None = None, + max_steps: int = 200, + ) -> ExecutionResult: + + result = ExecutionResult( + playbook_name=playbook_name, + context_before=context.snapshot() + ) + uc_mocks = uc_mocks or {} + sub_mocks = sub_mocks or {} + + try: + pb = self._load(playbook_name) + except FileNotFoundError as e: + result.errors.append(str(e)) + return result + + self._prepopulate_inputs(pb, context) + + tasks = pb.get('tasks', {}) + start = str(pb.get('starttaskid', '0')) + queue = [start] + visited = set() + steps = 0 + + while queue and steps < max_steps: + tid = queue.pop(0) + if tid in visited: + continue + visited.add(tid) + steps += 1 + + task = tasks.get(tid) + if task is None: + result.warnings.append(f"Task {tid!r} not found") + continue + + result.executed_tasks.append(tid) + task_type = task.get('type', 'regular') + task_def = task.get('task', {}) + nexttasks = task.get('nexttasks', {}) + + if task_type in ('start', 'title'): + for targets in nexttasks.values(): + queue.extend(targets) + + elif task_type == 'condition': + matched = None + for entry in task.get('conditions', []): + if evaluate_condition_label(entry.get('condition', []), context): + matched = entry.get('label') + break + result.branch_taken[tid] = matched if matched 
is not None else '#default#' + # YAML bool labels (True/False) need to map to string nexttask keys + lookup = matched + if matched is True: lookup = 'true' + if matched is False: lookup = 'false' + targets = nexttasks.get(lookup, nexttasks.get('#default#', [])) + queue.extend(targets) + + elif task_type == 'regular': + script_name = (task_def.get('scriptName') or + task_def.get('script', '').split('|||')[-1]) + script_args = task.get('scriptarguments', {}) + + if script_name == 'SOCCommandWrapper': + action = resolve_value_spec(script_args.get('action', {}).get('simple'), context) + if action in uc_mocks: + for k, v in uc_mocks[action].items(): + context.set(k, v) + else: + result.warnings.append(f"No UC mock for action={action!r} (task {tid})") + elif script_name in SCRIPT_MOCKS: + SCRIPT_MOCKS[script_name](script_args, context) + elif script_name: + result.warnings.append(f"Unmocked script {script_name!r} at task {tid} — skipped") + + for targets in nexttasks.values(): + queue.extend(targets) + + elif task_type == 'playbook': + sub_name = task_def.get('playbookName', '') + if sub_name in sub_mocks: + for k, v in sub_mocks[sub_name].items(): + context.set(k, v) + else: + sub_result = self.run(sub_name, context, uc_mocks, sub_mocks, max_steps) + result.warnings.extend([f"[sub:{sub_name}] {w}" for w in sub_result.warnings]) + result.errors.extend([f"[sub:{sub_name}] {e}" for e in sub_result.errors]) + + for targets in nexttasks.values(): + queue.extend(targets) + + else: + result.warnings.append(f"Unknown task type {task_type!r} at task {tid}") + for targets in nexttasks.values(): + queue.extend(targets) + + if steps >= max_steps: + result.errors.append(f"Max steps ({max_steps}) reached — possible loop") + + result.context_after = context.snapshot() + return result diff --git a/tools/test_playbooks.py b/tools/test_playbooks.py new file mode 100644 index 00000000..e52a7fd5 --- /dev/null +++ b/tools/test_playbooks.py 
@@ -0,0 +1,334 @@ +""" +test_playbooks.py +───────────────── +Test runner for SOC Framework playbooks. + +Usage: + python3 tools/test_playbooks.py [--category email|endpoint|identity|all] + [--suite unit|e2e|all] + [--playbook SOC_Email_Signal_Characterization_V3] + [--pb-dir Packs/soc-framework-nist-ir/Playbooks] + [--fixtures tools/fixtures] + [--verbose] + +Exit code 0 = all pass. Exit code 1 = failures present. +""" + + +from __future__ import annotations +import sys, os +sys.path.insert(0, os.path.dirname(__file__)) +import argparse, json, os, sys, textwrap, time +from dataclasses import dataclass, field +from typing import Any +from playbook_simulator import PlaybookSimulator, Context, ExecutionResult + + +# ────────────────────────────────────────────────────────────────────────────── +# Test case schema +# ────────────────────────────────────────────────────────────────────────────── + +@dataclass +class Assertion: + """A single assertion on the output context or execution path.""" + type: str # context_key_equals | context_key_exists | context_key_absent + # branch_taken | task_executed | task_not_executed + target: str # key name, task id, etc. 
+ expected: Any = None + description: str = '' + + +@dataclass +class TestCase: + name: str + playbook: str + category: str # email | endpoint | identity + suite: str # unit | e2e + context_inputs: dict = field(default_factory=dict) + uc_mocks: dict = field(default_factory=dict) # action → {key: val} + sub_mocks: dict = field(default_factory=dict) # pb_name → {key: val} + assertions: list[Assertion] = field(default_factory=list) + tags: list[str] = field(default_factory=list) # happy_path | non_happy | edge_case + + +@dataclass +class TestResult: + test_case: TestCase + passed: bool + failures: list[str] + warnings: list[str] + errors: list[str] + duration_ms: float + execution: ExecutionResult | None = None + + +# ────────────────────────────────────────────────────────────────────────────── +# Assertion evaluator +# ────────────────────────────────────────────────────────────────────────────── + +def evaluate_assertions(tc: TestCase, exec_result: ExecutionResult) -> list[str]: + failures = [] + ctx = exec_result.context_after + + for a in tc.assertions: + if a.type == 'context_key_equals': + actual = ctx.get(a.target) + # Normalize bool vs string: playbooks write "true"/"false" as strings + def _normalize(v): + if isinstance(v, bool): return v + if isinstance(v, str) and v.lower() == 'true': return True + if isinstance(v, str) and v.lower() == 'false': return False + return v + if _normalize(actual) != _normalize(a.expected): + failures.append( + f"[{a.target}] expected={a.expected!r} actual={actual!r}" + + (f" — {a.description}" if a.description else '') + ) + elif a.type == 'context_key_exists': + if a.target not in ctx: + failures.append( + f"[{a.target}] expected to exist but was absent" + + (f" — {a.description}" if a.description else '') + ) + elif a.type == 'context_key_absent': + if a.target in ctx: + failures.append( + f"[{a.target}] expected absent but was {ctx[a.target]!r}" + + (f" — {a.description}" if a.description else '') + ) + elif a.type == 
'context_key_not_equals': + actual = ctx.get(a.target) + if actual == a.expected: + failures.append( + f"[{a.target}] expected != {a.expected!r} but got same value" + + (f" — {a.description}" if a.description else '') + ) + elif a.type == 'branch_taken': + # target is task id, expected is label string + actual = exec_result.branch_taken.get(a.target) + if actual != a.expected: + failures.append( + f"task {a.target} branch: expected={a.expected!r} actual={actual!r}" + + (f" — {a.description}" if a.description else '') + ) + elif a.type == 'task_executed': + if a.target not in exec_result.executed_tasks: + failures.append(f"task {a.target} expected to execute but did not") + elif a.type == 'task_not_executed': + if a.target in exec_result.executed_tasks: + failures.append(f"task {a.target} expected NOT to execute but did") + else: + failures.append(f"Unknown assertion type: {a.type!r}") + + return failures + + +# ────────────────────────────────────────────────────────────────────────────── +# Test runner +# ────────────────────────────────────────────────────────────────────────────── + +class TestRunner: + def __init__(self, pb_dir: str, verbose: bool = False): + self.simulator = PlaybookSimulator(pb_dir) + self.verbose = verbose + + def run_test(self, tc: TestCase) -> TestResult: + ctx = Context(tc.context_inputs) + t0 = time.monotonic() + exec_result = self.simulator.run( + tc.playbook, ctx, + uc_mocks=tc.uc_mocks, + sub_mocks=tc.sub_mocks, + ) + duration_ms = (time.monotonic() - t0) * 1000 + + failures = evaluate_assertions(tc, exec_result) + if exec_result.errors: + failures.extend([f"[SIM ERROR] {e}" for e in exec_result.errors]) + + return TestResult( + test_case=tc, + passed=len(failures) == 0, + failures=failures, + warnings=exec_result.warnings, + errors=exec_result.errors, + duration_ms=duration_ms, + execution=exec_result, + ) + + def run_suite(self, test_cases: list[TestCase]) -> list[TestResult]: + return [self.run_test(tc) for tc in test_cases] + + +# 
────────────────────────────────────────────────────────────────────────────── +# Reporter +# ────────────────────────────────────────────────────────────────────────────── + +PASS = "\033[32m✓\033[0m" +FAIL = "\033[31m✗\033[0m" +WARN = "\033[33m⚠\033[0m" + +def report(results: list[TestResult], verbose: bool = False) -> bool: + """Print report, return True if all passed.""" + total = len(results) + passed = sum(1 for r in results if r.passed) + failed = total - passed + + # Group by category + suite + from itertools import groupby + grouped: dict[tuple, list[TestResult]] = {} + for r in results: + key = (r.test_case.category, r.test_case.suite) + grouped.setdefault(key, []).append(r) + + print() + print("═" * 70) + print(" SOC Framework Playbook Test Results") + print("═" * 70) + + for (category, suite), group in sorted(grouped.items()): + group_pass = sum(1 for r in group if r.passed) + print(f"\n [{category.upper()} / {suite}] {group_pass}/{len(group)} passed") + print(" " + "─" * 60) + + for r in group: + icon = PASS if r.passed else FAIL + tag_str = ' '.join(f"[{t}]" for t in r.test_case.tags) + print(f" {icon} {r.test_case.name:<50} {r.duration_ms:5.1f}ms {tag_str}") + + if not r.passed: + for f in r.failures: + print(f" {FAIL} {f}") + + if verbose and r.warnings: + for w in r.warnings: + print(f" {WARN} {w}") + + if verbose and r.passed: + ctx = r.execution.context_after if r.execution else {} + relevant = {k: v for k, v in ctx.items() + if any(k.startswith(p) for p in + ('Analysis.', 'Containment.', 'Eradication.', + 'Recovery.', 'Email.', 'DBotScore'))} + if relevant: + print(f" Context: {json.dumps(relevant, default=str)}") + + print() + print("═" * 70) + status = "\033[32mALL PASS\033[0m" if failed == 0 else f"\033[31m{failed} FAILED\033[0m" + print(f" {passed}/{total} passed — {status}") + print("═" * 70) + print() + return failed == 0 + + +# ────────────────────────────────────────────────────────────────────────────── +# Fixture loader +# 
────────────────────────────────────────────────────────────────────────────── + +def _assertion_from_dict(d: dict) -> Assertion: + return Assertion( + type=d['type'], + target=d['target'], + expected=d.get('expected'), + description=d.get('description', ''), + ) + + +def load_fixtures(fixture_path: str) -> list[TestCase]: + with open(fixture_path) as f: + raw = json.load(f) + cases = [] + for tc in raw: + cases.append(TestCase( + name=tc['name'], + playbook=tc['playbook'], + category=tc.get('category', 'unknown'), + suite=tc.get('suite', 'unit'), + context_inputs=tc.get('context_inputs', {}), + uc_mocks=tc.get('uc_mocks', {}), + sub_mocks=tc.get('sub_mocks', {}), + assertions=[_assertion_from_dict(a) for a in tc.get('assertions', [])], + tags=tc.get('tags', []), + )) + return cases + + +# ────────────────────────────────────────────────────────────────────────────── +# CLI +# ────────────────────────────────────────────────────────────────────────────── + +def main(): + parser = argparse.ArgumentParser( + description='SOC Framework Playbook Test Runner', + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=textwrap.dedent("""\ + Examples: + python3 tools/test_playbooks.py --category email --suite unit + python3 tools/test_playbooks.py --category email --suite e2e --verbose + python3 tools/test_playbooks.py --category all --suite all + python3 tools/test_playbooks.py --playbook SOC_Email_Signal_Characterization_V3 + """) + ) + parser.add_argument('--category', default='all', + choices=['email','endpoint','identity','all']) + parser.add_argument('--suite', default='all', + choices=['unit','e2e','all']) + parser.add_argument('--playbook', default=None, + help='Run only tests for this specific playbook') + parser.add_argument('--pb-dir', default='Packs/soc-framework-nist-ir/Playbooks', + help='Path to playbooks directory') + parser.add_argument('--fixtures', default='tools/fixtures', + help='Path to fixtures directory') + parser.add_argument('--verbose', 
action='store_true', + help='Show warnings and context after each test') + + args = parser.parse_args() + + # Discover fixture files + fixture_dir = args.fixtures + if not os.path.isdir(fixture_dir): + print(f"Fixtures directory not found: {fixture_dir}") + sys.exit(1) + + all_cases: list[TestCase] = [] + for fname in sorted(os.listdir(fixture_dir)): + if not fname.endswith('.json'): + continue + # filename pattern: {category}_{suite}.json e.g. email_unit.json + try: + cat, suite_name = fname.replace('.json', '').rsplit('_', 1) + except ValueError: + cat, suite_name = fname.replace('.json', ''), 'unit' + + cases = load_fixtures(os.path.join(fixture_dir, fname)) + # Tag with category/suite from filename if not set in fixture + for c in cases: + if c.category == 'unknown': c.category = cat + if c.suite == 'unit' and suite_name == 'e2e': c.suite = 'e2e' + all_cases.extend(cases) + + # Filter + filtered = all_cases + if args.category != 'all': + filtered = [c for c in filtered if c.category == args.category] + if args.suite != 'all': + filtered = [c for c in filtered if c.suite == args.suite] + if args.playbook: + filtered = [c for c in filtered if c.playbook == args.playbook] + + if not filtered: + print(f"No test cases matched filters " + f"(category={args.category}, suite={args.suite}, playbook={args.playbook})") + sys.exit(0) + + print(f"\nRunning {len(filtered)} test(s) from {args.pb_dir}") + + runner = TestRunner(args.pb_dir, verbose=args.verbose) + results = runner.run_suite(filtered) + all_passed = report(results, verbose=args.verbose) + sys.exit(0 if all_passed else 1) + + +if __name__ == '__main__': + main() From fa7ffb21798c52a42910dc14c69fd2858227f53a Mon Sep 17 00:00:00 2001 
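Review bot: The `context_key_not_equals` branch of `evaluate_assertions` compares `actual == a.expected` on the raw values, while the `context_key_equals` branch just above it first maps the strings "true"/"false" to bools, so a fixture asserting that a key is not `true` passes spuriously when the playbook wrote the string "true". Hoist `_normalize` out of the loop to a module-level helper (it is currently re-defined on every iteration) and use it in both branches: `if _normalize(actual) == _normalize(a.expected):`. Separately, `os` and `sys` are imported twice in the header (`import sys, os` and again in the combined `import argparse, json, os, sys, textwrap, time` line) and `from itertools import groupby` inside `report` is never used; dropping them keeps the new module lint-clean.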
From: scottbrumley Date: Fri, 20 Mar 2026 08:09:29 -0400 Subject: [PATCH 3/3] - Fix to Pre-flight for xsoar_config.py. It was not accepting dependency packs in custom packs. --- tools/pack_prep.py | 23 ++++-- tools/preflight_xsoar_config.py | 142 ++++++++++++++++++++++++-------- 2 files changed, 124 insertions(+), 41 deletions(-) diff --git a/tools/pack_prep.py b/tools/pack_prep.py index b2ee6445..d18e507e 100644 --- a/tools/pack_prep.py +++ b/tools/pack_prep.py 
@@ -23,26 +23,39 @@ def main(): pack_name = pack_path.name failed = False - # ── Step 1: Normalize rule IDs and adopted flags ───────────────────────── + # ── Step 1: Normalize rule IDs and adopted flags ────────────────────────── print(f"\n=== Normalizing rule IDs: {pack_path} ===\n") subprocess.run( [sys.executable, "tools/normalize_ruleid_adopted.py", "--root", str(pack_path), "--fix"] ) - # ── Step 2: Validate xsoar_config.json (if present) ────────────────────── + # ── Step 2: Validate xsoar_config.json — JSON validity ─────────────────── config_path = pack_path / "xsoar_config.json" if config_path.exists(): - print(f"\n=== Checking xsoar_config.json: {config_path} ===\n") + print(f"\n=== Checking xsoar_config.json (JSON validity): {config_path} ===\n") rc = subprocess.run( [sys.executable, "tools/validate_xsoar_configs.py", "--packs", pack_name] ).returncode if rc != 0: - print(f"xsoar_config.json is invalid — fix before uploading.") + print("xsoar_config.json is invalid JSON — fix before uploading.") failed = True else: print(f"\n--- No xsoar_config.json in {pack_path} — skipping config check ---") - # ── Step 3: demisto-sdk validate ───────────────────────────────────────── + # ── Step 3: Preflight xsoar_config.json — URL format check (no HTTP) ───── + # Runs format validation only (--no-http skips doc URL live checks). + # Full HTTP checks run in CI via the preflight job. + if config_path.exists() and not failed: + print(f"\n=== Preflight xsoar_config.json (URL format): {config_path} ===\n") + rc = subprocess.run( + [sys.executable, "tools/preflight_xsoar_config.py", + "--packs", pack_name, "--no-http"] + ).returncode + if rc != 0: + print("xsoar_config.json preflight failed — fix zip URL format before uploading.") + failed = True + + # ── Step 4: demisto-sdk validate ───────────────────────────────────────── output_dir = Path("output") output_dir.mkdir(exist_ok=True) error_log = output_dir / "sdk_errors.txt" 
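Review bot: Step 3 hands the preflight script only the pack's basename (`"--packs", pack_name`), and the preflight resolves that name under its own root packs directory, which defaults to `Packs` in the preflight `main()` further down this series; if `pack_path` is ever located elsewhere the new step will report the pack as not found instead of validating its config. Either pass the parent directory of `pack_path` as the preflight's packs root, or state the assumption above the call: `# Preflight looks up pack_name under its packs root (default: Packs); pack_path must live there.`. The step also runs only when Step 2 passed (`and not failed`), which is reasonable but worth a word in the same comment so the skip is not mistaken for a silent success.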
diff --git a/tools/preflight_xsoar_config.py b/tools/preflight_xsoar_config.py
index 4346bb51..486b637b 100644
--- a/tools/preflight_xsoar_config.py
+++ b/tools/preflight_xsoar_config.py
@@ -6,8 +6,12 @@ Checks:
 1. custom_packs[*].url — Format validation only (release doesn't exist
- yet pre-merge). Verifies pack name matches
- directory name and version matches pack_metadata.json.
+ yet pre-merge). Each entry's pack name and version
+ are derived from its own 'id' field, so dependency
+ entries (e.g. soc-framework-nist-ir inside
+ soc-optimization-unified) are validated correctly.
+ If the entry matches the primary pack, its version
+ is also cross-checked against pack_metadata.json.
 2. pre_config_docs[*].url — HTTP check (file must exist on main)
 3. post_config_docs[*].url — HTTP check (file must exist on main)
@@ -21,11 +25,12 @@ import argparse
 import json
+import re
 import sys
 import urllib.request
 import urllib.error
 from pathlib import Path
-from typing import List, Tuple
+from typing import List, Optional, Tuple
 GITHUB_REPO = "Palo-Cortex/secops-framework"
@@ -66,6 +71,30 @@ def check_url(url: str, label: str) -> Tuple[bool, str]:
 return False, f" ✗ {label}: Unreachable — {url}"
+def parse_entry_id(entry_id: str) -> Optional[Tuple[str, str]]:
+ """
+ Derive pack name and version from a custom_packs entry 'id' field.
+
+ Expected format: {pack_name}-v{version}.zip
+ e.g. 'soc-framework-nist-ir-v1.1.0.zip' → ('soc-framework-nist-ir', '1.1.0')
+
+ Uses rfind('-v') so hyphenated pack names (soc-framework-nist-ir) are
+ handled correctly regardless of depth.
+
+ Returns None if the format is unrecognisable.
+ """
+ stem = entry_id.removesuffix(".zip") # soc-framework-nist-ir-v1.1.0
+ idx = stem.rfind("-v")
+ if idx == -1:
+ return None
+ pack_name = stem[:idx] # soc-framework-nist-ir
+ version = stem[idx + 2:] # 1.1.0
+ # Version must look like semver (digits and dots only, e.g. 1.1.0)
+ if not pack_name or not re.fullmatch(r"\d+\.\d+[\.\d]*", version):
+ return None
+ return pack_name, version
+
+
 def validate_zip_url_format(
 url: str, pack_id: str, version: str, label: str
 ) -> Tuple[bool, str]:
@@ -75,8 +104,8 @@ def validate_zip_url_format(
 The release zip doesn't exist yet at PR time — we can't HTTP check it. Instead verify the URL is structurally correct: - References the right repo
- - Pack name in URL matches the directory name (pack_id)
- - Version in URL matches pack_metadata.json version
+ - Pack name in URL matches pack_id
+ - Version in URL matches version
 Expected format: https://github.com/{repo}/releases/download/{pack_id}-v{version}/{pack_id}-v{version}.zip
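Review bot: The version pattern in `parse_entry_id`, `r"\d+\.\d+[\.\d]*"`, is looser than the "digits and dots only, e.g. 1.1.0" comment above it suggests: the trailing class accepts dots in any order, so a constructed id such as `foo-v1.1..zip` yields version `1.1.` and the problem only surfaces later as a confusing URL format error. Use `r"\d+(\.\d+)+"` so every component is digits separated by single dots: `if not pack_name or not re.fullmatch(r"\d+(\.\d+)+", version):`. Also note that `str.removesuffix` requires Python 3.9+, while the file still imports `List`/`Optional`/`Tuple` from `typing` in pre-3.9 style; if older interpreters matter, `stem = entry_id[:-4] if entry_id.endswith(".zip") else entry_id` is the portable form.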
@@ -102,14 +131,14 @@ def validate_zip_url_format( return False, ( f" ✗ {label} format error — {detail}\n" - f" was: {url}\n" + f" was: {url}\n" f" want: {expected}" ) # ── Per-pack validation ─────────────────────────────────────────────────────── -def validate_pack(pack_dir: Path) -> List[str]: +def validate_pack(pack_dir: Path, no_http: bool = False) -> List[str]: """ Validate xsoar_config.json for a single pack. Returns a list of error strings. Empty = all checks passed. 
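Review bot: `validate_pack` gains a `no_http` parameter here, but the docstring the hunk touches (the function body continues past the hunk) still only says what the function validates and returns; add a line such as `no_http: when True, skip the live HTTP checks on pre_config_docs/post_config_docs URLs; zip URL format is still validated.` to it. Making the flag keyword-only, `def validate_pack(pack_dir: Path, *, no_http: bool = False) -> List[str]:`, matches how the only caller passes it (`no_http=args.no_http`) and prevents a stray positional `True` from silently disabling the network checks later.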
@@ -123,64 +152,99 @@ def validate_pack(pack_dir: Path) -> List[str]: cfg = load_json(config_path) - # Read version from pack_metadata.json — source of truth + # Read version from pack_metadata.json — source of truth for the primary pack meta_path = pack_dir / "pack_metadata.json" if not meta_path.exists(): errors.append(f" ✗ pack_metadata.json not found in {pack_dir}") return errors meta = load_json(meta_path) - version = meta.get("version") or meta.get("currentVersion") or "" - if not version: + primary_version = meta.get("version") or meta.get("currentVersion") or "" + if not primary_version: errors.append(f" ✗ No version found in pack_metadata.json") return errors pack_id = pack_dir.name - # ── 1. custom_packs zip URL — format check only ─────────────────────────── + # ── 1. custom_packs zip URLs — format check only ────────────────────────── + # Each entry validates against its OWN pack name + version derived from + # its 'id' field. Dependency packs (e.g. soc-framework-nist-ir listed + # inside soc-optimization-unified) are therefore checked correctly. + # If the entry is the primary pack, its version is also cross-checked + # against pack_metadata.json. custom_packs = cfg.get("custom_packs", []) if custom_packs: - print(f" Checking custom_packs zip URL format (pack={pack_id}, version={version})...") + print(f" Checking custom_packs zip URL format (pack={pack_id}, version={primary_version})...") + for entry in custom_packs: + entry_id = entry.get("id", "") url = entry.get("url", "") + if not url: - errors.append(f" ✗ custom_packs entry missing 'url': {entry.get('id', '?')}") + errors.append(f" ✗ custom_packs entry missing 'url': {entry_id or '?'}") continue - ok, msg = validate_zip_url_format(url, pack_id, version, f"zip [{entry.get('id', '?')}]") + + # Derive the expected pack name + version from the entry's own id. 
+ parsed = parse_entry_id(entry_id) if entry_id else None + + if parsed: + entry_pack, entry_version = parsed + + # If this entry is the primary pack, version must match pack_metadata.json + if entry_pack == pack_id and entry_version != primary_version: + errors.append( + f" ✗ zip [{entry_id}] version mismatch — " + f"id says v{entry_version} but pack_metadata.json says v{primary_version}" + ) + continue + else: + # Unrecognisable id — fall back to primary pack context and warn + print(f" ! zip [{entry_id or '?'}] id format unrecognisable — falling back to primary pack context") + entry_pack, entry_version = pack_id, primary_version + + ok, msg = validate_zip_url_format(url, entry_pack, entry_version, f"zip [{entry_id or '?'}]") print(msg) if not ok: errors.append(msg) - # ── 2. pre_config_docs URLs — HTTP check ───────────────────────────────── + # ── 2. pre_config_docs URLs — HTTP check ────────────────────────────────── pre_docs = cfg.get("pre_config_docs", []) if pre_docs: - print(" Checking pre_config_docs URLs...") - for entry in pre_docs: - url = entry.get("url", "") - if not url: - continue - ok, msg = check_url(url, f"pre_doc [{entry.get('name', '?')}]") - print(msg) - if not ok: - errors.append(msg) + if no_http: + print(" Skipping pre_config_docs URL checks (--no-http).") + else: + print(" Checking pre_config_docs URLs...") + if not no_http: + for entry in pre_docs: + url = entry.get("url", "") + if not url: + continue + ok, msg = check_url(url, f"pre_doc [{entry.get('name', '?')}]") + print(msg) + if not ok: + errors.append(msg) - # ── 3. post_config_docs URLs — HTTP check ──────────────────────────────── + # ── 3. 
post_config_docs URLs — HTTP check ───────────────────────────────── post_docs = cfg.get("post_config_docs", []) if post_docs: - print(" Checking post_config_docs URLs...") - for entry in post_docs: - url = entry.get("url", "") - if not url: - continue - ok, msg = check_url(url, f"post_doc [{entry.get('name', '?')}]") - print(msg) - if not ok: - errors.append(msg) + if no_http: + print(" Skipping post_config_docs URL checks (--no-http).") + else: + print(" Checking post_config_docs URLs...") + if not no_http: + for entry in post_docs: + url = entry.get("url", "") + if not url: + continue + ok, msg = check_url(url, f"post_doc [{entry.get('name', '?')}]") + print(msg) + if not ok: + errors.append(msg) return errors -# ── Main ───────────────────────────────────────────────────────────────────── +# ── Main ────────────────────────────────────────────────────────────────────── def main(): parser = argparse.ArgumentParser( @@ -200,6 +264,12 @@ def main(): default="Packs", help="Root packs directory (default: Packs)", ) + parser.add_argument( + "--no-http", + action="store_true", + help="Skip live HTTP checks for doc URLs. Only zip URL format is validated. " + "Use locally to avoid network latency; CI always runs full checks.", + ) args = parser.parse_args() @@ -228,7 +298,7 @@ def main(): print(msg) all_errors.append(msg) continue - errors = validate_pack(pack_dir) + errors = validate_pack(pack_dir, no_http=args.no_http) all_errors.extend(errors) print()
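Review bot: For a dependency entry (one whose parsed pack name differs from `pack_id`), the version is taken from the entry's own `id` and only checked for self-consistency against the URL; the cross-check against `pack_metadata.json` happens solely in the `entry_pack == pack_id` branch, so a stale dependency pin — a dependency whose own metadata has moved on — is never caught. When the dependency pack is checked out beside the primary one under the same packs root (which appears to be `pack_dir.parent`, assuming `main()` passes `<packs-root>/<pack>` as `pack_dir`), its `pack_metadata.json` can be read with the same `load_json` and compared; the sketch below does that and otherwise keeps the existing behaviour, including the unrecognisable-id fallback. Separately, both the `pre_config_docs` and `post_config_docs` blocks test `no_http` twice (`if no_http: … else:` followed by `if not no_http:`); moving the loop into the `else:` branch reads cleaner and removes the duplicated guard.
```python
            if parsed:
                entry_pack, entry_version = parsed
                if entry_pack == pack_id:
                    # Primary pack: version must match this pack's pack_metadata.json
                    expected_version = primary_version
                else:
                    # Dependency pack: compare against its own metadata when it is checked out alongside
                    dep_meta = pack_dir.parent / entry_pack / "pack_metadata.json"
                    expected_version = ""
                    if dep_meta.exists():
                        dep = load_json(dep_meta)
                        expected_version = dep.get("version") or dep.get("currentVersion") or ""
                if expected_version and entry_version != expected_version:
                    errors.append(
                        f" ✗ zip [{entry_id}] version mismatch — "
                        f"id says v{entry_version} but pack_metadata.json says v{expected_version}"
                    )
                    continue
            # … unchanged: unrecognisable-id fallback and validate_zip_url_format call …
```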