From 9ab69835c343685bcf01ef8131e6d3bb94cdde8d Mon Sep 17 00:00:00 2001 From: scottbrumley Date: Fri, 20 Mar 2026 15:27:38 -0400 Subject: [PATCH] feat(dashboards): add Shadow Mode dashboard, rebuild value_tags, fix V3 widget joins and vendor grouping
---
 .../SOCFrameworkActions_V3_data.json | 407 ++-- .../Lookup/value_tags.json | 257 +-- .../Playbooks/Foundation_-_Enrichment_V3.yml | 198 +- .../Foundation_-_Upon_Trigger_V3.yml | 60 +- .../ReleaseNotes/3_4_2.md | 26 + .../XSIAM_SOC_Value_Metrics_Shadow.json | 1823 +++++++++++++++++ .../XSIAM_SOC_Value_Metrics_V3.json | 40 +- .../pack_metadata.json | 2 +- .../xsoar_config.json | 4 +- pack_catalog.json | 2 +- tools/fixtures/foundation_unit.json | 306 +++ tools/playbook_simulator.py | 29 +- tools/test_playbooks.py | 17 +- 13 files changed, 2634 insertions(+), 537 deletions(-) create mode 100644 Packs/soc-optimization-unified/ReleaseNotes/3_4_2.md create mode 100644 Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Shadow.json create mode 100644 tools/fixtures/foundation_unit.json
diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
index d13004e1..6245f85d 100644
--- a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
+++ b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json 
@@ -6,25 +6,25 @@ "Cortex Core - IR": { "command": "core-isolate-endpoint", "inline_args": {
- "endpoint_id": "SOCFramework.Artifacts.EndPointID"
+ "endpoint_id": "${SOCFramework.Artifacts.EndPointID}"
 } }, "CrowdstrikeFalcon": { "command": "cs-falcon-contain-host", "inline_args": {
- "agent_id": "SOCFramework.Artifacts.EndPointID"
+ "agent_id": "${SOCFramework.Artifacts.EndPointID}"
 } }, "Trend Micro Vision One V3": { "command": "trendmicro-visionone-isolate-endpoint", "inline_args": {
- "endpoint_identifiers": "SOCFramework.Artifacts.EndPointID"
+ "endpoint_identifiers": "${SOCFramework.Artifacts.EndPointID}"
 } }, "Microsoft Defender Advanced Threat Protection": { "command": "microsoft-atp-isolate-machine", "inline_args": {
- "machine_id": "SOCFramework.Artifacts.EndPointID",
+ "machine_id": "${SOCFramework.Artifacts.EndPointID}",
 "comment": "SOCFramework isolate endpoint", "isolation_type": "Full" } 
@@ -32,19 +32,114 @@ }, "shadow_mode": true }, + "soc-deisolate-endpoint": { + "responses": { + "Cortex Core - IR": { + "command": "core-unisolate-endpoint", + "inline_args": { + "endpoint_id": "${SOCFramework.Artifacts.EndPointID}" + } + }, + "CrowdstrikeFalcon": { + "command": "cs-falcon-lift-host-containment", + "inline_args": { + "agent_id": "${SOCFramework.Artifacts.EndPointID}" + } + }, + "Microsoft Defender Advanced Threat Protection": { + "command": "microsoft-atp-unisolate-machine", + "inline_args": { + "machine_id": "${SOCFramework.Artifacts.EndPointID}" + } + } + }, + "shadow_mode": true + }, + "soc-kill-process": { + "responses": { + "Cortex Core - IR": { + "command": "core-run-script-kill-process", + "inline_args": { + "endpoint_ids": "${SOCFramework.Artifacts.EndPointID}", + "process_names": "${SOCFramework.Artifacts.ProcessName}" + } + }, + "CrowdstrikeFalcon": { + "command": "cs-falcon-run-script", + "inline_args": { + "host_ids": "${SOCFramework.Artifacts.EndPointID}", + "raw": "Stop-Process -Id ${SOCFramework.Artifacts.PID} -Force -ErrorAction SilentlyContinue" + } + }, + "Trend Micro Vision One V3": { + "command": "trendmicro-visionone-terminate-process", + "inline_args": { + "process_identifiers": "${SOCFramework.Artifacts.PID}" + } + } + }, + "shadow_mode": true + }, + "soc-remove-file": { + "responses": { + "Cortex Core - IR": { + "command": "core-run-script-delete-file", + "inline_args": { + "endpoint_id": "${SOCFramework.Artifacts.EndPointID}", + "file_path": "${SOCFramework.Artifacts.FilePath}" + } + }, + "CrowdstrikeFalcon": { + "command": "cs-falcon-run-script", + "inline_args": { + "host_ids": "${SOCFramework.Artifacts.EndPointID}", + "raw": "Remove-Item -Path '${SOCFramework.Artifacts.FilePath}' -Force -ErrorAction SilentlyContinue" + } + }, + "Microsoft Defender Advanced Threat Protection": { + "command": "microsoft-atp-stop-and-quarantine-file", + "inline_args": { + "machine_ids": "${SOCFramework.Artifacts.EndPointID}", + 
"file_hashes": "${SOCFramework.Artifacts.File}" + } + } + }, + "shadow_mode": true + }, + "soc-remove-persistence": { + "responses": { + "Cortex Core - IR": { + "command": "core-run-script-execute", + "inline_args": { + "endpoint_ids": "${SOCFramework.Artifacts.EndPointID}", + "script_name": "remove_persistence", + "parameters": "${SOCFramework.Artifacts.FilePath}" + } + }, + "CrowdstrikeFalcon": { + "command": "cs-falcon-run-script", + "inline_args": { + "host_ids": "${SOCFramework.Artifacts.EndPointID}", + "raw": "Remove-ItemProperty -Path 'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '${SOCFramework.Artifacts.ProcessName}' -ErrorAction SilentlyContinue; Unregister-ScheduledTask -TaskName '${SOCFramework.Artifacts.ProcessName}' -Confirm:$false -ErrorAction SilentlyContinue" + } + } + }, + "shadow_mode": true + }, "soc-delete-file": { "responses": { "Cortex Core - IR": { "command": "core-run-script-delete-file", "inline_args": { - "endpoint_id": "SOCFramework.Artifacts.EndPointID", - "file_path": "SOCFramework.Artifacts.FilePath" + "endpoint_id": "${SOCFramework.Artifacts.EndPointID}", + "file_path": "${SOCFramework.Artifacts.FilePath}" } }, "CrowdstrikeFalcon": { - "command": "cs-falcon-delete-file", + "command": "cs-falcon-run-script", "inline_args": { - "file_name": "SOCFramework.Artifacts.ProcessName" + "host_ids": "${SOCFramework.Artifacts.EndPointID}", + "raw": "Remove-Item -Path '${SOCFramework.Artifacts.FilePath}' -Force -ErrorAction SilentlyContinue" } } }, 
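Review bot: The CrowdStrike `raw` entries added for soc-kill-process, soc-remove-file, soc-remove-persistence and soc-delete-file interpolate `${SOCFramework.Artifacts.FilePath}`, `${SOCFramework.Artifacts.ProcessName}` and `${SOCFramework.Artifacts.PID}` straight into PowerShell source, so a path or process name containing a single quote breaks out of the `'...'` quoting, and `-Id ${SOCFramework.Artifacts.PID}` is neither quoted nor type-checked. Wherever these `${...}` templates are expanded (not visible in this hunk) the value needs embedded `'` doubled and the PID required to be numeric before substitution; otherwise the artifact content, not the playbook, decides what the script does on the host. `-ErrorAction SilentlyContinue` on every Remove/Stop call also makes the action report success whether or not anything was removed, which presumably matters if the response status feeds the new Shadow Mode dashboard. Separately, soc-remove-file and soc-delete-file now carry identical Cortex Core and CrowdStrike responses, and soc-remove-persistence acts on FilePath for Cortex Core but on ProcessName (Run-key value and scheduled-task name) for CrowdStrike, so the same action means different things per vendor.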
@@ -55,96 +150,135 @@ "Cortex Core - IR": { "command": "core-run-script-file-exists", "inline_args": { - "endpoint_id": "SOCFramework.Artifacts.EndPointID", - "file_path": "SOCFramework.Artifacts.FilePath" + "endpoint_id": "${SOCFramework.Artifacts.EndPointID}", + "file_path": "${SOCFramework.Artifacts.FilePath}" } }, "CrowdstrikeFalcon": { - "command": "cs-falcon-delete-file", + "command": "cs-falcon-run-script", "inline_args": { - "file_name": "SOCFramework.Artifacts.ProcessName" + "host_ids": "${SOCFramework.Artifacts.EndPointID}", + "raw": "Test-Path -Path '${SOCFramework.Artifacts.FilePath}'" } } }, "shadow_mode": false }, + "soc-quarantine-files": { + "responses": { + "Cortex Core - IR": { + "command": "core-quarantine-files", + "inline_args": { + "endpoint_id_list": "${SOCFramework.Artifacts.EndPointID}", + "file_hash": "${SOCFramework.Artifacts.File}", + "file_path": "${SOCFramework.Artifacts.FilePath}" + } + }, + "Microsoft Defender Advanced Threat Protection": { + "command": "microsoft-atp-stop-and-quarantine-file", + "inline_args": { + "machine_ids": "${SOCFramework.Artifacts.EndPointID}", + "file_hashes": "${SOCFramework.Artifacts.File}" + } + } + }, + "shadow_mode": true + }, "soc-disable-user": { "responses": { "Active Directory Query v2": { "command": "disable-user", "inline_args": { - "user_email": "SOCFramework.Artifacts.UserEmail", - "user_name": "SOCFramework.Artifacts.UserName", - "user_id": "SOCFramework.Artifacts.UserID" + "user_email": "${SOCFramework.Artifacts.UserEmail}", + "user_name": "${SOCFramework.Artifacts.UserName}", + "user_id": "${SOCFramework.Artifacts.UserID}" } }, "Microsoft Graph User": { "command": "disable-user", "inline_args": { - "user_email": "SOCFramework.Artifacts.UserEmail", - "user_name": "SOCFramework.Artifacts.UserName", - "user_id": "SOCFramework.Artifacts.UserID" + "user_email": "${SOCFramework.Artifacts.UserEmail}", + "user_name": "${SOCFramework.Artifacts.UserName}", + "user_id": 
"${SOCFramework.Artifacts.UserID}" } }, "Okta IAM": { "command": "disable-user", "inline_args": { - "user_email": "SOCFramework.Artifacts.UserEmail", - "user_name": "SOCFramework.Artifacts.UserName", - "user_id": "SOCFramework.Artifacts.UserID" + "user_email": "${SOCFramework.Artifacts.UserEmail}", + "user_name": "${SOCFramework.Artifacts.UserName}", + "user_id": "${SOCFramework.Artifacts.UserID}" } }, "Okta V2": { "command": "disable-user", "inline_args": { - "user_email": "SOCFramework.Artifacts.UserEmail", - "user_name": "SOCFramework.Artifacts.UserName", - "user_id": "SOCFramework.Artifacts.UserID" + "user_email": "${SOCFramework.Artifacts.UserEmail}", + "user_name": "${SOCFramework.Artifacts.UserName}", + "user_id": "${SOCFramework.Artifacts.UserID}" } } }, "shadow_mode": true }, - "soc-kill-process": { + "soc-clear-sessions": { "responses": { - "Cortex Core - IR": { - "command": "core-run-script-kill-process", + "Okta v2": { + "command": "okta-clear-user-sessions", "inline_args": { - "endpoint_ids": "SOCFramework.Artifacts.EndPointID", - "process_names": "SOCFramework.Artifacts.ProcessName" + "userId": "${SOCFramework.Artifacts.UserName}" + } + } + }, + "shadow_mode": true + }, + "soc-reset-password": { + "responses": { + "Active Directory Query v2": { + "command": "ad-set-new-password", + "inline_args": { + "sAMAccountName": "${SOCFramework.Artifacts.UserName}", + "password": "auto-generated" } }, - "CrowdstrikeFalcon": { - "command": "cs-falcon-rtr-kill-process", + "Okta v2": { + "command": "okta-expire-password", "inline_args": { - "host_id": "SOCFramework.Artifacts.EndPointID", - "process_ids": "SOCFramework.Artifacts.PID" + "userId": "${SOCFramework.Artifacts.UserName}" + } + } + }, + "shadow_mode": true + }, + "soc-revoke-tokens": { + "responses": { + "Okta v2": { + "command": "okta-clear-user-sessions", + "inline_args": { + "userId": "${SOCFramework.Artifacts.UserName}" } }, - "Trend Micro Vision One V3": { - "command": 
"trendmicro-visionone-terminate-process", + "Azure Active Directory Identity And Access": { + "command": "msgraph-user-account-disable", "inline_args": { - "process_identifiers": "SOCFramework.Artifacts.PID" + "user": "${SOCFramework.Artifacts.UserName}" } } }, "shadow_mode": true }, - "soc-quarantine-files": { + "soc-enable-user": { "responses": { - "Cortex Core - IR": { - "command": "core-quarantine-files", + "Active Directory Query v2": { + "command": "ad-enable-account", "inline_args": { - "endpoint_id_list": "SOCFramework.Artifacts.EndPointID", - "file_hash": "SOCFramework.Artifacts.File", - "file_path": "SOCFramework.Artifacts.FilePath" + "sAMAccountName": "${SOCFramework.Artifacts.UserName}" } }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-stop-and-quarantine-file", + "Okta v2": { + "command": "okta-activate-user", "inline_args": { - "machine_ids": "SOCFramework.Artifacts.EndPointID", - "file_hashes": "SOCFramework.Artifacts.File" + "userId": "${SOCFramework.Artifacts.UserName}" } } }, 
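Review bot: The Okta integration key is spelled `"Okta V2"` in soc-disable-user but `"Okta v2"` in the soc-clear-sessions, soc-reset-password, soc-revoke-tokens and soc-enable-user entries added here (and in the get-user hunk that follows), so if responses are matched by brand name one of the two spellings never resolves; `"Okta v2"` is the spelling every other entry uses. soc-reset-password passes the literal `"password": "auto-generated"` to `ad-set-new-password`, which, unless the template expander replaces it, sets the account to a fixed and predictable string; it should reference a generated value the way the other arguments reference `${SOCFramework.Artifacts...}`, or the entry should say it is a placeholder the playbook must fill. soc-revoke-tokens for "Azure Active Directory Identity And Access" calls `msgraph-user-account-disable`, which disables the account rather than revoking sessions and duplicates soc-disable-user under a milder-sounding name; either use a session-revocation command or record that the disable is intentional.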
@@ -155,43 +289,43 @@ "Active Directory Query v2": { "command": "ad-get-user", "inline_args": { - "username": "SOCFramework.Primary.User" + "username": "${SOCFramework.Primary.User}" } }, "Microsoft Graph User": { "command": "msgraph-user-get", "inline_args": { - "user": "SOCFramework.Primary.User" + "user": "${SOCFramework.Primary.User}" } }, "Okta v2": { "command": "okta-get-user", "inline_args": { - "userId": "SOCFramework.Primary.User" + "userId": "${SOCFramework.Primary.User}" } }, "Okta IAM": { "command": "iam-get-user", "inline_args": { - "user_profile": "SOCFramework.Primary.User" + "user_profile": "${SOCFramework.Primary.User}" } }, "Google Workspace": { "command": "gsuite-user-get", "inline_args": { - "user-key": "SOCFramework.Primary.Email" + "user-key": "${SOCFramework.Primary.Email}" } }, "AWS - IAM": { "command": "aws-iam-get-user", "inline_args": { - "userName": "SOCFramework.Primary.User" + "userName": "${SOCFramework.Primary.User}" } }, "PingOne": { "command": "pingone-get-user", "inline_args": { - "userId": "SOCFramework.Primary.User" + "userId": "${SOCFramework.Primary.User}" } } }, @@ -202,31 +336,31 @@ "Cortex Core - IR": { "command": "core-get-endpoints", "inline_args": { - "endpoint_id_list": "SOCFramework.Primary.Endpoint" + "endpoint_id_list": "${SOCFramework.Primary.Endpoint}" } }, "CrowdstrikeFalcon": { "command": "cs-falcon-search-device", "inline_args": { - "filter": "SOCFramework.Primary.Endpoint" + "filter": "${SOCFramework.Primary.Endpoint}" } }, "Carbon Black EDR": { "command": "cb-edr-sensors-list", "inline_args": { - "hostname": "SOCFramework.Primary.Endpoint" + "hostname": "${SOCFramework.Primary.Endpoint}" } }, "Armis": { "command": "armis-search-devices", "inline_args": { - "name": "SOCFramework.Primary.Endpoint" + "name": "${SOCFramework.Primary.Endpoint}" } }, "ExtraHop": { "command": "extrahop-devices-search", "inline_args": { - "name": "SOCFramework.Primary.Endpoint" + "name": "${SOCFramework.Primary.Endpoint}" } } }, 
@@ -237,7 +371,7 @@ "Cortex Core - IR": { "command": "core-get-hash-analytics-prevalence", "inline_args": { - "sha256": "SOCFramework.Artifacts.Hash" + "sha256": "${SOCFramework.Artifacts.Hash}" }, "output_map": { "UC.Enrich.File.hash_prevalence_count": "Core.AnalyticsPrevalence.Hash.data.global_prevalence.value", @@ -248,7 +382,7 @@ "WildFire": { "command": "wildfire-get-verdict", "inline_args": { - "hash": "SOCFramework.Artifacts.Hash" + "hash": "${SOCFramework.Artifacts.Hash}" }, "output_map": { "UC.Enrich.File.verdict": "WildFire.Report.verdict", @@ -258,7 +392,7 @@ "VirusTotal (Private API)": { "command": "vt-private-get-file-report", "inline_args": { - "resource": "SOCFramework.Artifacts.Hash" + "resource": "${SOCFramework.Artifacts.Hash}" }, "output_map": { "UC.Enrich.File.verdict": "VirusTotal.File.Verdict", @@ -273,7 +407,7 @@ "Cortex Core - IR": { "command": "core-get-IP-analytics-prevalence", "inline_args": { - "ip_address": "SOCFramework.Artifacts.IP" + "ip_address": "${SOCFramework.Artifacts.IP}" }, "output_map": { "UC.Enrich.IP.prevalence": "Core.AnalyticsPrevalence.IP.prevalence", @@ -283,7 +417,7 @@ "VirusTotal (Private API)": { "command": "vt-private-get-ip-report", "inline_args": { - "ip": "SOCFramework.Artifacts.IP" + "ip": "${SOCFramework.Artifacts.IP}" }, "output_map": { "UC.Enrich.IP.verdict": "VirusTotal.IP.Verdict", @@ -293,7 +427,7 @@ "Recorded Future": { "command": "recordedfuture-intelligence", "inline_args": { - "entity": "SOCFramework.Artifacts.IP", + "entity": "${SOCFramework.Artifacts.IP}", "entity_type": "ip" }, "output_map": { @@ -309,7 +443,7 @@ "Cortex Core - IR": { "command": "core-get-domain-analytics-prevalence", "inline_args": { - "domain": "SOCFramework.Artifacts.Domain" + "domain": "${SOCFramework.Artifacts.Domain}" }, "output_map": { "UC.Enrich.Domain.prevalence": "Core.AnalyticsPrevalence.Domain.prevalence", 
@@ -319,7 +453,7 @@ "Cisco Umbrella": { "command": "umbrella-domain-categorization", "inline_args": { - "name": "SOCFramework.Artifacts.Domain" + "name": "${SOCFramework.Artifacts.Domain}" }, "output_map": { "UC.Enrich.Domain.category": "Umbrella.Domain.category", @@ -329,7 +463,7 @@ "Recorded Future": { "command": "recordedfuture-intelligence", "inline_args": { - "entity": "SOCFramework.Artifacts.Domain", + "entity": "${SOCFramework.Artifacts.Domain}", "entity_type": "domain" }, "output_map": { @@ -345,20 +479,20 @@ "Cortex Core - IR": { "command": "enrichIndicators", "inline_args": { - "indicators": "SOCFramework.Artifacts" + "indicators": "${SOCFramework.Artifacts}" } }, "Recorded Future": { "command": "recordedfuture-intelligence", "inline_args": { - "entity": "SOCFramework.Artifacts.IP", + "entity": "${SOCFramework.Artifacts.IP}", "entity_type": "indicator" } }, "Proofpoint TAP": { "command": "proofpoint-get-forensics", "inline_args": { - "threatId": "SOCFramework.Artifacts.Hash" + "threatId": "${SOCFramework.Artifacts.Hash}" } } }, @@ -371,7 +505,7 @@ "inline_args": { "interval": "P7D", "threatType": "url", - "url": "SOCFramework.Artifacts.Email.ThreatURL" + "url": "${SOCFramework.Artifacts.Email.ThreatURL}" }, "output_map": { "UC.Email.Events.messages_delivered": "Proofpoint.MessagesDelivered", @@ -384,7 +518,7 @@ "inline_args": { "interval": "P7D", "threatType": "url", - "url": "SOCFramework.Artifacts.Email.ThreatURL" + "url": "${SOCFramework.Artifacts.Email.ThreatURL}" }, "output_map": { "UC.Email.Events.clicks_permitted": "Proofpoint.ClicksPermitted", @@ -400,8 +534,8 @@ "Proofpoint TAP v2": { "command": "proofpoint-get-forensics", "inline_args": { - "threatId": "SOCFramework.Email.TAP.ThreatID", - "campaignId": "SOCFramework.Email.TAP.CampaignID", + "threatId": "${SOCFramework.Email.TAP.ThreatID}", + "campaignId": "${SOCFramework.Email.TAP.CampaignID}", "includeCampaignForensics": "true" }, "output_map": { 
@@ -420,8 +554,8 @@ "Microsoft Graph": { "command": "msgraph-mail-delete-email", "inline_args": { - "user_id": "SOCFramework.Artifacts.Email.To", - "message_id": "SOCFramework.Artifacts.Email.MessageID" + "user_id": "${SOCFramework.Artifacts.Email.To}", + "message_id": "${SOCFramework.Artifacts.Email.MessageID}" }, "output_map": { "UC.Email.Retract.status": "MicrosoftGraph.Mail.Delete.status", @@ -431,8 +565,8 @@ "Gmail": { "command": "gmail-delete-mail", "inline_args": { - "user_id": "SOCFramework.Artifacts.Email.To", - "message_id": "SOCFramework.Artifacts.Email.MessageID" + "user_id": "${SOCFramework.Artifacts.Email.To}", + "message_id": "${SOCFramework.Artifacts.Email.MessageID}" }, "output_map": { "UC.Email.Retract.status": "MicrosoftGraph.Mail.Delete.status", @@ -442,7 +576,7 @@ "O365 Compliance": { "command": "o365-sc-compliance-search-purge", "inline_args": { - "search_name": "SOCFramework.Email.ComplianceSearchName", + "search_name": "${SOCFramework.Email.ComplianceSearchName}", "purge_type": "SoftDelete" }, "output_map": { @@ -458,8 +592,8 @@ "Trend Micro Vision One": { "command": "trendmicro-visionone-quarantine-email-message", "inline_args": { - "message_id": "SOCFramework.Artifacts.Email.MessageID", - "mailbox": "SOCFramework.Artifacts.Email.To" + "message_id": "${SOCFramework.Artifacts.Email.MessageID}", + "mailbox": "${SOCFramework.Artifacts.Email.To}" }, "output_map": { "UC.Email.Quarantine.status": "TrendMicro.QuarantineEmail.status", @@ -469,7 +603,7 @@ "Mimecast": { "command": "mimecast-reject-held-message", "inline_args": { - "id": "SOCFramework.Artifacts.Email.MessageID", + "id": "${SOCFramework.Artifacts.Email.MessageID}", "reason": "Quarantined by SOC Framework automated response" }, "output_map": { 
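Review bot: The Gmail entry in the retract hunk keeps `"UC.Email.Retract.status": "MicrosoftGraph.Mail.Delete.status"` as its output_map, which is the Microsoft Graph context path and cannot be populated by `gmail-delete-mail`; the same copy-paste appears in the unblock-sender hunks in the next block, where the Microsoft Defender and Proofpoint entries both map to `Mimecast.DeleteBlockedSender.status`. These are context lines the commit leaves as they were, but if the value dashboards read these status fields, every non-Graph and non-Mimecast path will never report a status. The enclosing action entries start outside the hunk.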
@@ -485,7 +619,7 @@ "Mimecast": { "command": "mimecast-create-blocked-sender-policy", "inline_args": { - "sender": "SOCFramework.Artifacts.Email.From", + "sender": "${SOCFramework.Artifacts.Email.From}", "description": "Blocked by SOC Framework — threat sender" }, "output_map": { @@ -496,7 +630,7 @@ "Microsoft Defender Advanced Threat Protection": { "command": "microsoft-atp-add-tiindicator", "inline_args": { - "indicator_value": "SOCFramework.Artifacts.Email.From", + "indicator_value": "${SOCFramework.Artifacts.Email.From}", "indicator_type": "EmailSenderAddress", "action": "BlockAndRemediate", "description": "SOCFramework block sender", @@ -510,7 +644,7 @@ "Proofpoint TAP v2": { "command": "proofpoint-block-sender", "inline_args": { - "sender_address": "SOCFramework.Artifacts.Email.From", + "sender_address": "${SOCFramework.Artifacts.Email.From}", "action": "block" }, "output_map": { @@ -526,7 +660,7 @@ "Mimecast": { "command": "mimecast-delete-blocked-sender-policy", "inline_args": { - "sender": "SOCFramework.Artifacts.Email.From" + "sender": "${SOCFramework.Artifacts.Email.From}" }, "output_map": { "UC.Email.UnblockSender.status": "Mimecast.DeleteBlockedSender.status", @@ -536,7 +670,7 @@ "Microsoft Defender Advanced Threat Protection": { "command": "microsoft-atp-sc-delete-indicator", "inline_args": { - "indicator_value": "SOCFramework.Artifacts.Email.From" + "indicator_value": "${SOCFramework.Artifacts.Email.From}" }, "output_map": { "UC.Email.UnblockSender.status": "Mimecast.DeleteBlockedSender.status", @@ -546,7 +680,7 @@ "Proofpoint TAP v2": { "command": "proofpoint-delete-blocked-sender", "inline_args": { - "sender": "SOCFramework.Artifacts.Email.From" + "sender": "${SOCFramework.Artifacts.Email.From}" }, "output_map": { "UC.Email.UnblockSender.status": "Mimecast.DeleteBlockedSender.status", 
@@ -554,110 +688,21 @@ } } }, - "phase": "Recovery", - "category": "Email", - "description": "Remove a blocked sender entry. Used in Recovery phase when a false positive is confirmed.", - "shadow_mode": true - }, - "soc-clear-sessions": { - "responses": { - "Okta v2": { - "command": "okta-clear-user-sessions", - "arguments": { - "userId": "SOCFramework.Artifacts.UserName" - } - } - }, - "shadow_mode": true - }, - "soc-reset-password": { - "responses": { - "Active Directory Query v2": { - "command": "ad-set-new-password", - "arguments": { - "sAMAccountName": "SOCFramework.Artifacts.UserName", - "password": "auto-generated" - } - }, - "Okta v2": { - "command": "okta-expire-password", - "arguments": { - "userId": "SOCFramework.Artifacts.UserName" - } - } - }, - "shadow_mode": true - }, - "soc-revoke-tokens": { - "responses": { - "Okta v2": { - "command": "okta-clear-user-sessions", - "arguments": { - "userId": "SOCFramework.Artifacts.UserName" - } - }, - "Azure Active Directory Identity And Access": { - "command": "msgraph-user-account-disable", - "arguments": { - "user": "SOCFramework.Artifacts.UserName" - } - } - }, - "shadow_mode": true - }, - "soc-enable-user": { - "responses": { - "Active Directory Query v2": { - "command": "ad-enable-account", - "arguments": { - "sAMAccountName": "SOCFramework.Artifacts.UserName" - } - }, - "Okta v2": { - "command": "okta-activate-user", - "arguments": { - "userId": "SOCFramework.Artifacts.UserName" - } - } - }, "shadow_mode": true }, "soc-remove-inbox-rule": { - "shadow_mode": true, "responses": { "Microsoft Graph Mail": { "command": "msgraph-mail-delete-rule", "inline_args": { - "user_id": "SOCFramework.Artifacts.Email.To", - "rule_id": "SOCFramework.Email.InboxRule.ID" + "user_id": "${SOCFramework.Artifacts.Email.To}", + "rule_id": "${SOCFramework.Email.InboxRule.ID}" }, "output_map": { "UC.Email.RemoveInboxRule.status": "MicrosoftGraph.Mail.Rule.Delete.status" } } - } - }, - "soc-deisolate-endpoint": { - "shadow_mode": true, 
- "responses": { - "Cortex Core - IR": { - "command": "core-unisolate-endpoint", - "inline_args": { - "endpoint_id": "SOCFramework.Artifacts.EndPointID" - } - }, - "CrowdstrikeFalcon": { - "command": "cs-falcon-lift-host-containment", - "inline_args": { - "agent_id": "SOCFramework.Artifacts.EndPointID" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-unisolate-machine", - "inline_args": { - "machine_id": "SOCFramework.Artifacts.EndPointID" - } - } - } + }, + "shadow_mode": true } } diff --git a/Packs/soc-optimization-unified/Lookup/value_tags.json b/Packs/soc-optimization-unified/Lookup/value_tags.json index 5f2a0cb2..7c4f194c 100644 --- a/Packs/soc-optimization-unified/Lookup/value_tags.json +++ b/Packs/soc-optimization-unified/Lookup/value_tags.json 
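Review bot: The new side of this hunk drops the `phase`, `category` and `description` keys of the action whose tail opens the hunk (apparently the unblock-sender entry; its start is outside the hunk), leaving only `shadow_mode`, and the removed description was the one place recording that the action belongs to the Recovery phase and is meant for confirmed false positives. None of the actions added elsewhere in this diff carry those keys either, so if the dashboards or playbooks group actions by phase or category this entry silently falls out of that grouping; either restore the three keys or state in the release notes that the metadata now lives elsewhere.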
@@ -1,188 +1,69 @@ -{"Category": "enrichment", "PlaybookID": null, "Product": "Vision One", "ScriptID": "trendmicro-visionone-get-alert-details", "Tag": "trend_get_alert_details", "TaskName": null, "Time": "2", "Vendor": "Trend Micro", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1760123994, "_update_time": 1760123994} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|setAlert", "Tag": "set_alert", "TaskName": null, "Time": null, "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "wildfire-get-verdict", "Tag": "wildfire_get_verdict", "TaskName": "Get Wildfire verdict on file", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "WAF", "ScriptID": "akamai-add-elements-to-network-list", "Tag": "akamai_block_ip", "TaskName": "Block IP on Akamai WAF", "Time": "2", "Vendor": "Akamai", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "reset_session_sso", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Secure Cloud Analysis", "ScriptID": "|sw-block-domain-or-ip", "Tag": "cisco_sw_block_domain_or_ip", "TaskName": "Block IP or Domain on Cisco Secure Cloud", "Time": "2", "Vendor": "Cisco", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "IAM", "ScriptID": 
"okta-get-user", "Tag": "okta_get_user", "TaskName": "Get User Info on Okta", "Time": "2", "Vendor": "Okta", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "iam-get-user", "Tag": "iam_get_user", "TaskName": "Get User From IAM solution", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-retrieve-files", "Tag": "retrieve_files", "TaskName": "Retrieves fiels from endpoint", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-run-script-execute-commands", "Tag": "core_run_script_execute_command", "TaskName": "Kill Process with PID", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "GCP IAM", "ScriptID": "gcp-iam-service-account-keys-get", "Tag": "gcp_iam_service_account_keys_get", "TaskName": "GCP IAM Get Service Account Key", "Time": "2", "Vendor": "Google", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "escalation", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "escalate_snow_restore_system", "TaskName": "", "Time": "20", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|closeInvestigation", "Tag": "close_investigation", "TaskName": "Close and 
Investigation", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "SMA", "ScriptID": "cisco-sma-list-entry-append", "Tag": "cisco_sma_append_blocklist", "TaskName": "Add Email to Block List", "Time": "2", "Vendor": "Cisco", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "AWS", "ScriptID": "aws-iam-list-user-policies", "Tag": "aws_iam_list_user_policies", "TaskName": "AWS List user inline policies", "Time": "2", "Vendor": "Amazon", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "IPToHost", "Tag": "IPToHost", "TaskName": "Find Host Name of IP", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|ip", "Tag": "ip_enrichment", "TaskName": "", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-cmd-analytics-prevalence", "Tag": "core_get_cmd_analytics_prevalence", "TaskName": "Get CMD Prevalence", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "a990fd0d-ef61-4b7f-8624-445c540db9ae", "Product": null, "ScriptID": null, "Tag": "Alert_Source_PAN_NGFW", "TaskName": "NGFW Alerts", "Time": "60", "Vendor": null, "_collector_name": "API", 
"_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "ba7aa520-0767-4b3c-87ed-79e32b5ad5dd", "Product": null, "ScriptID": "", "Tag": "phishing_click_permitted", "TaskName": "", "Time": "60", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "IAM", "ScriptID": "iam-disable-user", "Tag": "iam_disable_user", "TaskName": "Disable User on IAM Tool", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-device-count-ioc", "Tag": "hash_search", "TaskName": "", "Time": "2", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "enrichIndicators", "Tag": "enrich_indicators", "TaskName": null, "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-endpoints", "Tag": "core_get_endpoints", "TaskName": "Get Endpoint Info", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "ThreatX", "ScriptID": "threatx-blacklist-ip", "Tag": "threatx_blacklist_ip", "TaskName": "Block IP on ThreatX", "Time": "2", "Vendor": "ThreatX", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", 
"ScriptID": "vt-private-get-ip-report", "Tag": "vt_get_ip_report", "TaskName": "Get Virus Total Report on IP", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-IP-analytics-prevalence", "Tag": "core_get_ip_analytics_prevalence", "TaskName": "Get IP Prevalence", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|endpoint", "Tag": "get_endpoint", "TaskName": "Returns information about an endpoint", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-cmd-analytics-prevalence", "Tag": "cmd_prevalence", "TaskName": "Get teh prevalence of a process_command_line", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-terminate-causality", "Tag": "terminate_causality", "TaskName": "Terminate a process tree by its causlity ID", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "xpanse_rdp_server", "TaskName": "", "Time": "3600", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": 
"email_enrichment", "TaskName": "", "Time": "2", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Azure", "ScriptID": "msgraph-user-get", "Tag": "azure_get_user", "TaskName": "MS Graph Get User Info", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "XSIAM Starter Configuration Setup", "Product": "XSIAM", "ScriptID": null, "Tag": "Framework Install", "TaskName": "PoV Installer", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "core-iocs-disable", "Tag": "core_iocs_disable", "TaskName": "Disable IOC", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "EDR", "ScriptID": "cb-edr-sensors-list", "Tag": "carbon_black_get_host", "TaskName": "Get Host Info from Carbon Black", "Time": "2", "Vendor": "Carbon Black", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Reveal(X)", "ScriptID": "extrahop-devices-search", "Tag": "extrahop_get_host", "TaskName": "Get Host Info from Extrahop", "Time": "2", "Vendor": "Extrahop", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "20fb8df8-0bff-41a7-813f-0353e556276f", "Product": null, "ScriptID": null, "Tag": "malware_analytics", "TaskName": "Use Case - Crowdstrike Analytics", "Time": "20", "Vendor": null, 
"_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "AWS", "ScriptID": "aws-iam-list-access-keys-for-user", "Tag": "aws_iam_list_acccess_keys_for_users", "TaskName": "List AWS User Access Keys", "Time": "2", "Vendor": "Amazon", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XDR", "ScriptID": "xdr-get-endpoints", "Tag": "xdr_get_endpoints", "TaskName": "Get Host Info from XDR", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": "", "Product": "Falcon", "ScriptID": "|cs-falcon-rtr-list-processes", "Tag": "forensic_enrichment", "TaskName": "", "Time": "2", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "24e24f21-de4a-47a6-8ae5-faa2e135b976", "Product": null, "ScriptID": null, "Tag": "Generic_Tasks", "TaskName": null, "Time": "60", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Mimecast", "ScriptID": "mimecast-create-policy", "Tag": "mimecast_create_policy", "TaskName": "Mimecast Block Email", "Time": "2", "Vendor": "Mimecast", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "ThreatX", "ScriptID": "threatx-block-ip", "Tag": "threatx_block_ip", "TaskName": "Block IP on ThreatX 30 Minutes", "Time": "2", "Vendor": "ThreatX", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 
1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "remove_malware", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "reset_password", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Okta", "ScriptID": "okta-clear-user-sessions", "Tag": "okta_clear_user_sessions", "TaskName": "Clear Users Sessions on Okta", "Time": "2", "Vendor": "Okta", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Web Security Cloud", "ScriptID": "fp-add-address-to-category", "Tag": "forcepoint_block_url", "TaskName": "Block a URL on Force Point", "Time": "2", "Vendor": "Force Point", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "EPO", "ScriptID": "epo-find-system", "Tag": "mcafee_epo_get_host", "TaskName": "Get Host info from McAfee EPO", "Time": "2", "Vendor": "McAfee", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-rtr-list-network-stats", "Tag": "forensic_enrichment", "TaskName": "", "Time": "2", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|attack-pattern", "Tag": "mitre_enrichment", "TaskName": "", "Time": "2", "Vendor": "Palo 
Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|send-mail", "Tag": "send_mail", "TaskName": null, "Time": "", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "WAF", "ScriptID": "sigsci-blacklist-add-ip", "Tag": "sigsci_blacklist_add_ip", "TaskName": "Black List IP on Signal Science WAF", "Time": "2", "Vendor": "Signal Science", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "endpoint", "Tag": "endpoint", "TaskName": "Get Host Information XSIAM", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "sso_excessive_failures", "TaskName": "", "Time": "3600", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "19afce31-d945-4a44-800d-efd460f0c9f1", "Product": null, "ScriptID": null, "Tag": "ngfw_prevented", "TaskName": "Use Case - NGFW Prevented", "Time": "1", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XISAM", "ScriptID": "|core-get-registry-analytics", "Tag": "registry_analytics", "TaskName": "Get the prevalence of a reqistry_path", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} 
-{"Category": "use_case", "PlaybookID": "141c1bb9-f832-480c-842c-5f51d16c97c1", "Product": null, "ScriptID": null, "Tag": "MFA_alerts", "TaskName": "Multi Factor Alerts", "Time": "60", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Azure", "ScriptID": "msgraph-identity-protection-risky-user-history-list", "Tag": "msgraph_identity_protection_risky_user_history_list", "TaskName": "Azure IAM List Risky User History", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Identity IQ", "ScriptID": "identityiq-search-identities", "Tag": "identityiq_search_identities", "TaskName": "Get User Info from Identity IQ", "Time": "2", "Vendor": "Sailpoint", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "http", "Tag": "web_enrichment", "TaskName": null, "Time": "", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "ad-expire-password", "Tag": "ad_expire_password", "TaskName": "Expire Password on Active Directory", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "GetIndicatorDBotScore", "Tag": "indicator_scoring", "TaskName": "Get DBots Indicator Score", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} 
-{"Category": "containment", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "isolate_endpoint", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "NGFW", "ScriptID": "pan-os-custom-block-rule", "Tag": "pan_os_block_rule", "TaskName": "PAN-OS Custom Block Rule", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-run-script-kill-process", "Tag": "kill_process", "TaskName": "Initiates a new endpoint script to kill process", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "Custom", "PlaybookID": null, "Product": "Custom Script", "ScriptID": "Custom", "Tag": "custom_script", "TaskName": null, "Time": "2", "Vendor": "Customer", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Fortigate", "ScriptID": "fortigate-ban-ip", "Tag": "fortigate_ban_ip", "TaskName": "Ban IP On Fortigate", "Time": "2", "Vendor": "Fortinet", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "ask_user_email", "TaskName": "", "Time": "20", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "AWS", "ScriptID": "aws-iam-list-attached-user-policies", "Tag": "aws_iam_list_attached_user_policies", "TaskName": "AWS List User Attached 
Policies", "Time": "2", "Vendor": "Amazon", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Identity Now", "ScriptID": "identitynow-get-accounts", "Tag": "identitynow_get_accounts", "TaskName": "Get Account Info on Identity Now", "Time": "2", "Vendor": "Sailpoint", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "file", "Tag": "file", "TaskName": "Get FIle Enrichment", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "microsoft-atp-sc-indicator-create", "Tag": "ms_atp_sc_indicator_create", "TaskName": "Microsoft ATP Block Indicators", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "wildfire-report", "Tag": "wildfire_report", "TaskName": "Get WildFire Report on File", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "lateral_movement_hunt", "TaskName": "CrowdStrike Falcon - Search Endpoints By Hash", "Time": "3600", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-add-endpoint-tag", "Tag": "tag_endpoint", "TaskName": "Add a tag to one or more endpoints", "Time": "5", "Vendor": "Palo Alto 
Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Browser", "ScriptID": "netcraft-attack-report", "Tag": "netcraft_block_url", "TaskName": "Block URL on Netcraft", "Time": "2", "Vendor": "Netcraft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "GCP IAM", "ScriptID": "gcp-iam-project-role-list", "Tag": "gcp_iam_project_role_list", "TaskName": "GCP IAM List rols for user's project ID", "Time": "2", "Vendor": "Google", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-endpoint-scan", "Tag": "endpoint_scan", "TaskName": "Run scan on endpoint", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "b9854746-456a-42d7-894a-69eef4fd99af", "Product": "XSIAM", "ScriptID": null, "Tag": "Upon Trigger", "TaskName": "Use Case - Upon Trigger", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "Messenger", "ScriptID": "|send-notification", "Tag": "slack_notify", "TaskName": null, "Time": "2", "Vendor": "Slack", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-blocklist-files", "Tag": "core_blocklist_files", "TaskName": "Block Files with XSIAM", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", 
"_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "identity_enrichment", "TaskName": "", "Time": "2", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "escalation", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "escalate_snow_patch", "TaskName": "", "Time": "20", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "GSuite", "ScriptID": "gsuite-user-get", "Tag": "gsuite_user_get", "TaskName": "G Suite Get User Information", "Time": "2", "Vendor": "Google", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradicate", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-run-script-kill-process", "Tag": "core_run_script_kill_process", "TaskName": "Kill Process using scripts on XDR", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "EX", "ScriptID": "fireeye-ex-update-blockedlist", "Tag": "fireeye_ex_update_blockedlist", "TaskName": "Add Email to Fire Eye Blocked List", "Time": "2", "Vendor": "FireEye", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "recovery", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-delete-endpoints", "Tag": "delete_endpoints", "TaskName": "Delete selected endpoints from Cortex", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "recovery", "PlaybookID": null, "Product": "XSIAM", 
"ScriptID": "|core-unisolate-endpoint", "Tag": "unisolate_endpoint", "TaskName": "Reverses the isolation of an endpoint", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-domain-analytics-prevalence", "Tag": "core_get_domain_analytics_prevalence", "TaskName": "Get Domain Prevalence", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-quarantine", "Tag": "quarantine_file", "TaskName": "Quarantines a file on a selected endpoint", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Intelligence", "ScriptID": "|recordedfuture-intelligence", "Tag": "recordedfuture_enrichment", "TaskName": "", "Time": "2", "Vendor": "Recorded Future", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Platform", "ScriptID": "|armis-search-devices", "Tag": "armis_search_devices", "TaskName": null, "Time": "2", "Vendor": "Armis", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "url", "Tag": "url", "TaskName": "Get URL Info", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-run-script-delete-file", "Tag": 
"core_run_script_delete_file", "TaskName": "Delete files from OS using XDR", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Azure", "ScriptID": "msgraph-user-get", "Tag": "msgraph_user_get", "TaskName": "Azure IAM Get User Info", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-hash-analytics-prevalence", "Tag": "core_get_hash_analytics_prevalence", "TaskName": "Get Hash Prevalence", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-process-analytics-prevalence", "Tag": "core_get_process_analytics_prevalence", "TaskName": "Get Process Prevalence", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "data_exfiltration", "TaskName": "", "Time": "3600", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "privilege_escalation", "TaskName": "", "Time": "3600", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "27719b9f-70cc-4991-81c6-24ba34e4e231", "Product": null, "ScriptID": null, "Tag": "Alert_Source_XDR_Analytics", "TaskName": "XDR Analytics Alerts", "Time": "60", "Vendor": null, 
"_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "92825389-c225-4f25-81a9-5d973634aca5", "Product": null, "ScriptID": "", "Tag": "phishing_message_delivered", "TaskName": "Use Case - Phishing Malicious Message Delivered", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "ASA", "ScriptID": "cisco-asa-create-rule", "Tag": "cisco_asa_block_rule", "TaskName": "Add IP to Cisco ASA Block Rule", "Time": "2", "Vendor": "Cisco", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "NGFW", "ScriptID": "pan-os-edit-address-group", "Tag": "pan_os_edit_address_group", "TaskName": "PAN-OS Block IP", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "ad-get-computer", "Tag": "ad_get_computer", "TaskName": "Get Host Info from Active Directory", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "cs-falcon-search-device", "Tag": "crowdstrike_falcon_get_host", "TaskName": "Get Host Info for Crowd Strike Falcon", "Time": "2", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "PingOne", "ScriptID": "pingone-get-user", "Tag": "pingone_get_user", "TaskName": "Get User Info on PingOne", "Time": "2", "Vendor": "Ping ID", 
"_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "revoke_credentials", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "recovery", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-remove-blocklist", "Tag": "remove_file_blocklist", "TaskName": "Removes a file from the block list", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "malware_detection", "TaskName": "", "Time": "3600", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "block_malcious_domain", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Graph", "ScriptID": "msgraph-user-session-revoke", "Tag": "msgraph_user_session_revoke", "TaskName": "Revoke User Sessions on Microsoft", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Graph", "ScriptID": "msgraph-user-account-disable", "Tag": "msgraph_user_account_disable", "TaskName": "Disable User Account on MS Graph", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "AWS", 
"ScriptID": "aws-iam-list-groups-for-user", "Tag": "aws_iam_list_groups_for_user", "TaskName": "AWS List User Groups", "Time": "2", "Vendor": "Amazon", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XDR", "ScriptID": "xdr-list-risky-users", "Tag": "xdr_list_risky_users", "TaskName": "Get User Risk Scores XDR", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "domain", "Tag": "domain", "TaskName": "Get Domain Info", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "recovery", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "core-allowlist-files", "Tag": "core_allowlist_files", "TaskName": "Add File to Allow List", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "NGFW", "ScriptID": "pan-os-edit-custom-url-category", "Tag": "pan_os_edit_url_category", "TaskName": "Add URL to Blocked Category", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Silverline", "ScriptID": "f5-silverline-ip-object-add", "Tag": "f5_silverline_ip_add", "TaskName": "Add IP To F5 Silverline", "Time": "2", "Vendor": "F5", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Zscaler", "ScriptID": "zscaler-blacklist-ip", "Tag": 
"zscaler_blacklist_ip", "TaskName": "Black List IP on Zscaler", "Time": "2", "Vendor": "Zscaler", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Azure", "ScriptID": "msgraph-groups-list-groups", "Tag": "msgraph_groups_list_groups", "TaskName": "Azure IAM List User Group", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "Set", "Tag": "set_context", "TaskName": "Set", "Time": "", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-report-incorrect-wildfire", "Tag": "incorrect_wildfire", "TaskName": "Reports to WildFire about incorrect hash verdicts", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-quarantine-status", "Tag": "core_get_quarantine_status", "TaskName": "Get Status of a File Quarantined on XSIAM", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "eradication", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "pull_malicious_email", "TaskName": "", "Time": "10", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|rasterize", "Tag": "web_enrichment", "TaskName": null, "Time": "5", "Vendor": "Palo Alto Networks", 
"_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "triage", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "", "Tag": "upon_trigger", "TaskName": "Foundation - Upon Trigger", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "d227107c-3391-409c-86dd-529ed9952ade", "Product": null, "ScriptID": null, "Tag": "Access_to_Cardholder_Data", "TaskName": "Cardholder Data Access", "Time": "60", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "cs-falcon-upload-custom-ioc", "Tag": "crowdstrike_upload_ioc", "TaskName": "Block File on Crowd Strike", "Time": "2", "Vendor": "Crowd Strike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-isolate-endpoint", "Tag": "isolate_network", "TaskName": "Isolates and endpoint", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "recovery", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-restore-file", "Tag": "restore_file", "TaskName": "Restores a quarantined file", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "triage", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "low_fidelity_alert_triage", "TaskName": "", "Time": "2", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": 
"enrichment", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "|ad-get-user", "Tag": "ad_get_user", "TaskName": "Get User Info on Active Directory", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-search-device", "Tag": "host_enrichment", "TaskName": "", "Time": "2", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "GCP IAM", "ScriptID": "gcp-iam-service-accounts-get", "Tag": "gcp_iam_service_accounts_get", "TaskName": "GCP IAM Get Service Account Info", "Time": "2", "Vendor": "Google", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "triage", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "DBotFindSimilarAlerts", "Tag": "dedup_alert", "TaskName": "", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Identity IQ", "ScriptID": "identityiq-disable-account", "Tag": "identityiq_disable_account", "TaskName": "Disable Account on Identity IQ", "Time": "2", "Vendor": "Sailpoint", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-registry-analytics-prevalence", "Tag": "core_get_registry_analytics_prevalence", "TaskName": "Get Registry Prevalence", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, 
"Product": "XSIAM", "ScriptID": "|mitre-get-indicator-name", "Tag": "mitre_enrichment", "TaskName": "", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "use_case", "PlaybookID": "b9854746-456a-42d7-894a-69eef4fd99af", "Product": "XSIAM", "ScriptID": "", "Tag": "malware_detection", "TaskName": "Use Case - Malware Investigation & Response Incident Handler", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Packet Intelligence", "ScriptID": "aria-block-dest-subnet", "Tag": "aria_block_dest_subnet", "TaskName": "Block IP on Aria", "Time": "2", "Vendor": "Aria", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Zscaler", "ScriptID": "zscaler-blacklist-url", "Tag": "zscaler_blacklist_url", "TaskName": "Add URL to Zscaler Blacklist", "Time": "2", "Vendor": "Zscaler", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "TAP", "ScriptID": "|proofpoint-get-forensics", "Tag": "proofpoint_forensics", "TaskName": null, "Time": "5", "Vendor": "Proofpoint", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "xdr-list-risky-hosts", "Tag": "xdr_get_risky_hosts", "TaskName": "Get Risky Hosts from XDR", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "escalation", "PlaybookID": null, "Product": "Incident Management", 
"ScriptID": "|PagerDuty-submit-event", "Tag": "pagerduty_event", "TaskName": null, "Time": "2", "Vendor": "Pager Duty", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "AWS", "ScriptID": "aws-iam-get-user", "Tag": "aws_iam_get_user", "TaskName": "Get User Info on AWS", "Time": "2", "Vendor": "Amazon", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|extractIndicators", "Tag": "dbot_enrichment", "TaskName": null, "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "case_management", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-remove-endpoint-tag", "Tag": "remove_endpoint_tag", "TaskName": "Remove a tag from an endpoint", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "ad-disable-account", "Tag": "ad_disable_account", "TaskName": "Disable Active Directory Account", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "core-add-exclusion", "Tag": "core_add_exclusion", "TaskName": "Add Exclusion", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-dynamic-analysis", "Tag": "dynamic_analysis", "TaskName": "Returns dynamic analysis of 
each alert ID", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-list-risky-users", "Tag": "risky_users", "TaskName": "Retrieve the risk score of a specific user", "Time": "5", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-quarantine-files", "Tag": "core_quarantine_files", "TaskName": "Quarantine Files with XSIAM", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Umbrella", "ScriptID": "umbrella-domain-categorization", "Tag": "cisco_umbrella_get_domain", "TaskName": "Get Domain Info from Cisco Umbrella", "Time": "2", "Vendor": "Cisco", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "GetIndicatorDBotScoreFromCache", "Tag": "dbot_enrichment", "TaskName": null, "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "escalation", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "escalate_snow_reimage", "TaskName": "", "Time": "20", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "Azure", "ScriptID": "|msgraph-user-get-manager", "Tag": "get_user_manager", "TaskName": "Azure Get User Manager", "Time": null, "Vendor": "Microsoft", "_collector_name": 
"API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "URLSSLVerification", "Tag": "URLSSLVerification", "TaskName": "Check for SSL", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "rasterize", "Tag": "rasterize", "TaskName": "Get URL Screen Shot", "Time": "2", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-get-asset-details", "Tag": "asset_details", "TaskName": "Get asset information", "Time": "10", "Vendor": "Palo Alto Networks", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "escalation", "PlaybookID": null, "Product": null, "ScriptID": "", "Tag": "escalate_snow_vuln", "TaskName": "", "Time": "20", "Vendor": null, "_collector_name": "API", "_collector_type": "API", "_insert_time": 1759798524, "_update_time": 1759798524} -{"Category": "containment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-block-ip", "Tag": "pan_core_block_ip", "TaskName": "Core Block Ip", "Time": "3", "Vendor": "PAN", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "PAN-OS", "ScriptID": "|panorama-create-edl", "Tag": "pan_panorama_create_edl", "TaskName": "Panorama Create Edl", "Time": "3", "Vendor": "PAN", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Falcon", "ScriptID": 
"|cs-falcon-lift-host-containment", "Tag": "crowdstrike_cs_falcon_lift_host_containment", "TaskName": "Cs Falcon Lift Host Containment", "Time": "3", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Defender ATP", "ScriptID": "|microsoft-atp-unisolate-machine", "Tag": "microsoft_microsoft_atp_unisolate_machine", "TaskName": "Microsoft Atp Unisolate Machine", "Time": "3", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Vision One", "ScriptID": "|trendmicro-visionone-restore-endpoint", "Tag": "trend_micro_trendmicro_visionone_restore_endpoint", "TaskName": "Trendmicro Visionone Restore Endpoint", "Time": "3", "Vendor": "Trend Micro", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "eradication", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-delete-file", "Tag": "crowdstrike_cs_falcon_delete_file", "TaskName": "Cs Falcon Delete File", "Time": "3", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "|disable-user", "Tag": "microsoft_disable_user", "TaskName": "Disable User", "Time": "3", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "|ad-enable-account", "Tag": "microsoft_ad_enable_account", "TaskName": "Ad Enable Account", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 
1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Graph", "ScriptID": "|msgraph-user-account-enable", "Tag": "microsoft_msgraph_user_account_enable", "TaskName": "Msgraph User Account Enable", "Time": "2", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Okta", "ScriptID": "|okta-activate-user", "Tag": "okta_okta_activate_user", "TaskName": "Okta Activate User", "Time": "2", "Vendor": "Okta", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "recovery", "PlaybookID": null, "Product": "Okta IAM", "ScriptID": "|iam-enable-user", "Tag": "okta_iam_enable_user", "TaskName": "Iam Enable User", "Time": "2", "Vendor": "Okta", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "enrichment", "PlaybookID": null, "Product": "VirusTotal", "ScriptID": "|vt-private-get-file-report", "Tag": "virustotal_vt_private_get_file_report", "TaskName": "Vt Private Get File Report", "Time": "2", "Vendor": "VirusTotal", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "enrichment", "PlaybookID": null, "Product": "VirusTotal", "ScriptID": "|vt-private-get-url-report", "Tag": "virustotal_vt_private_get_url_report", "TaskName": "Vt Private Get Url Report", "Time": "2", "Vendor": "VirusTotal", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "enrichment", "PlaybookID": null, "Product": "XSIAM", "ScriptID": "|core-run-script-file-exists", "Tag": "pan_core_run_script_file_exists", "TaskName": "Core Run Script File Exists", "Time": "2", "Vendor": "PAN", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} 
-{"Category": "enrichment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-delete-file", "Tag": "crowdstrike_cs_falcon_delete_file", "TaskName": "Cs Falcon Delete File", "Time": "2", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-contain-host", "Tag": "crowdstrike_cs_falcon_contain_host", "TaskName": "Cs Falcon Contain Host", "Time": "3", "Vendor": "CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "Vision One", "ScriptID": "|trendmicro-visionone-isolate-endpoint", "Tag": "trend_micro_trendmicro_visionone_isolate_endpoint", "TaskName": "Trendmicro Visionone Isolate Endpoint", "Time": "3", "Vendor": "Trend Micro", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "Defender ATP", "ScriptID": "|microsoft-atp-isolate-machine", "Tag": "microsoft_microsoft_atp_isolate_machine", "TaskName": "Microsoft Atp Isolate Machine", "Time": "3", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "EC2", "ScriptID": "|aws-ec2-modify-instance-attribute", "Tag": "aws_aws_ec2_modify_instance_attribute", "TaskName": "Aws Ec2 Modify Instance Attribute", "Time": "3", "Vendor": "AWS", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "eradication", "PlaybookID": null, "Product": "Falcon", "ScriptID": "|cs-falcon-rtr-kill-process", "Tag": "crowdstrike_cs_falcon_rtr_kill_process", "TaskName": "Cs Falcon Rtr Kill Process", "Time": "3", "Vendor": 
"CrowdStrike", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "eradication", "PlaybookID": null, "Product": "Vision One", "ScriptID": "|trendmicro-visionone-terminate-process", "Tag": "trend_micro_trendmicro_visionone_terminate_process", "TaskName": "Trendmicro Visionone Terminate Process", "Time": "3", "Vendor": "Trend Micro", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "Defender ATP", "ScriptID": "|microsoft-atp-stop-and-quarantine-file", "Tag": "microsoft_microsoft_atp_stop_and_quarantine_file", "TaskName": "Microsoft Atp Stop And Quarantine File", "Time": "4", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "containment", "PlaybookID": null, "Product": "Vision One", "ScriptID": "|trendmicro-visionone-quarantine-email-message", "Tag": "trend_micro_trendmicro_visionone_quarantine_email_message", "TaskName": "Trendmicro Visionone Quarantine Email Message", "Time": "4", "Vendor": "Trend Micro", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "eradication", "PlaybookID": null, "Product": "Active Directory", "ScriptID": "|set-ad-user-password", "Tag": "microsoft_set_ad_user_password", "TaskName": "Set Ad User Password", "Time": "3", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "eradication", "PlaybookID": null, "Product": "Graph", "ScriptID": "|msgraph-user-reset-password", "Tag": "microsoft_msgraph_user_reset_password", "TaskName": "Msgraph User Reset Password", "Time": "3", "Vendor": "Microsoft", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} 
-{"Category": "eradication", "PlaybookID": null, "Product": "Okta", "ScriptID": "|okta-reset-password", "Tag": "okta_okta_reset_password", "TaskName": "Okta Reset Password", "Time": "3", "Vendor": "Okta", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} -{"Category": "eradication", "PlaybookID": null, "Product": "Okta IAM", "ScriptID": "|iam-reset-user-password", "Tag": "okta_iam_reset_user_password", "TaskName": "Iam Reset User Password", "Time": "3", "Vendor": "Okta", "_collector_name": "API", "_collector_type": "API", "_insert_time": 1773688181, "_update_time": 1773688181} +{"Category": "containment", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-contain-host", "Tag": "cs_falcon_contain_host", "TaskName": "soc-isolate-endpoint via CrowdStrike", "Time": "15", "Vendor": "CrowdStrike"} +{"Category": "containment", "Product": "Active Directory Query v2", "ScriptID": "|disable-user", "Tag": "disable_user", "TaskName": "soc-disable-user via Microsoft", "Time": "15", "Vendor": "Microsoft"} +{"Category": "containment", "Product": "Microsoft Defender ATP", "ScriptID": "|microsoft-atp-add-tiindicator", "Tag": "microsoft_atp_add_tiindicator", "TaskName": "soc-block-sender via Microsoft", "Time": "15", "Vendor": "Microsoft"} +{"Category": "containment", "Product": "Microsoft Defender ATP", "ScriptID": "|microsoft-atp-isolate-machine", "Tag": "microsoft_atp_isolate_machine", "TaskName": "soc-isolate-endpoint via Microsoft", "Time": "15", "Vendor": "Microsoft"} +{"Category": "containment", "Product": "Microsoft Defender ATP", "ScriptID": "|microsoft-atp-stop-and-quarantine-file", "Tag": "microsoft_atp_stop_and_quarantine_file", "TaskName": "soc-quarantine-files via Microsoft", "Time": "15", "Vendor": "Microsoft"} +{"Category": "containment", "Product": "Azure Active Directory", "ScriptID": "|msgraph-user-account-disable", "Tag": "msgraph_user_account_disable", "TaskName": "soc-revoke-tokens via Microsoft", 
"Time": "15", "Vendor": "Microsoft"} +{"Category": "containment", "Product": "Mimecast", "ScriptID": "|mimecast-create-blocked-sender-policy", "Tag": "mimecast_create_blocked_sender_policy", "TaskName": "soc-block-sender via Mimecast", "Time": "15", "Vendor": "Mimecast"} +{"Category": "containment", "Product": "Mimecast", "ScriptID": "|mimecast-reject-held-message", "Tag": "mimecast_reject_held_message", "TaskName": "soc-quarantine-email via Mimecast", "Time": "15", "Vendor": "Mimecast"} +{"Category": "containment", "Product": "Okta IAM", "ScriptID": "|disable-user", "Tag": "disable_user", "TaskName": "soc-disable-user via Okta", "Time": "15", "Vendor": "Okta"} +{"Category": "containment", "Product": "Okta v2", "ScriptID": "|okta-clear-user-sessions", "Tag": "okta_clear_user_sessions", "TaskName": "soc-clear-sessions via Okta", "Time": "15", "Vendor": "Okta"} +{"Category": "containment", "Product": "Okta v2", "ScriptID": "|okta-clear-user-sessions", "Tag": "okta_clear_user_sessions", "TaskName": "soc-revoke-tokens via Okta", "Time": "15", "Vendor": "Okta"} +{"Category": "containment", "Product": "Cortex Core - IR", "ScriptID": "|core-isolate-endpoint", "Tag": "core_isolate_endpoint", "TaskName": "soc-isolate-endpoint via Palo Alto Networks", "Time": "15", "Vendor": "Palo Alto Networks"} +{"Category": "containment", "Product": "Cortex Core - IR", "ScriptID": "|core-quarantine-files", "Tag": "core_quarantine_files", "TaskName": "soc-quarantine-files via Palo Alto Networks", "Time": "15", "Vendor": "Palo Alto Networks"} +{"Category": "containment", "Product": "Proofpoint TAP v2", "ScriptID": "|proofpoint-block-sender", "Tag": "proofpoint_block_sender", "TaskName": "soc-block-sender via Proofpoint", "Time": "15", "Vendor": "Proofpoint"} +{"Category": "containment", "Product": "Trend Micro Vision One V3", "ScriptID": "|trendmicro-visionone-isolate-endpoint", "Tag": "trendmicro_visionone_isolate_endpoint", "TaskName": "soc-isolate-endpoint via Trend Micro", "Time": "15", 
"Vendor": "Trend Micro"} +{"Category": "containment", "Product": "Trend Micro Vision One", "ScriptID": "|trendmicro-visionone-quarantine-email-message", "Tag": "trendmicro_visionone_quarantine_email_message", "TaskName": "soc-quarantine-email via Trend Micro", "Time": "15", "Vendor": "Trend Micro"} +{"Category": "enrichment", "Product": "AWS IAM", "ScriptID": "|aws-iam-get-user", "Tag": "aws_iam_get_user", "TaskName": "soc-enrich-user via AWS", "Time": "3", "Vendor": "AWS"} +{"Category": "enrichment", "Product": "Armis", "ScriptID": "|armis-search-devices", "Tag": "armis_search_devices", "TaskName": "soc-enrich-endpoint via Armis", "Time": "3", "Vendor": "Armis"} +{"Category": "enrichment", "Product": "Cisco Umbrella", "ScriptID": "|umbrella-domain-categorization", "Tag": "umbrella_domain_categorization", "TaskName": "soc-enrich-domain via Cisco", "Time": "3", "Vendor": "Cisco"} +{"Category": "enrichment", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-run-script", "Tag": "cs_falcon_run_script", "TaskName": "soc-file-exists via CrowdStrike", "Time": "3", "Vendor": "CrowdStrike"} +{"Category": "enrichment", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-search-device", "Tag": "cs_falcon_search_device", "TaskName": "soc-enrich-endpoint via CrowdStrike", "Time": "3", "Vendor": "CrowdStrike"} +{"Category": "enrichment", "Product": "ExtraHop", "ScriptID": "|extrahop-devices-search", "Tag": "extrahop_devices_search", "TaskName": "soc-enrich-endpoint via ExtraHop", "Time": "3", "Vendor": "ExtraHop"} +{"Category": "enrichment", "Product": "Google Workspace", "ScriptID": "|gsuite-user-get", "Tag": "gsuite_user_get", "TaskName": "soc-enrich-user via Google", "Time": "3", "Vendor": "Google"} +{"Category": "enrichment", "Product": "Active Directory Query v2", "ScriptID": "|ad-get-user", "Tag": "ad_get_user", "TaskName": "soc-enrich-user via Microsoft", "Time": "3", "Vendor": "Microsoft"} +{"Category": "enrichment", "Product": "Microsoft Graph", "ScriptID": 
"|msgraph-user-get", "Tag": "msgraph_user_get", "TaskName": "soc-enrich-user via Microsoft", "Time": "3", "Vendor": "Microsoft"} +{"Category": "enrichment", "Product": "Okta IAM", "ScriptID": "|iam-get-user", "Tag": "iam_get_user", "TaskName": "soc-enrich-user via Okta", "Time": "3", "Vendor": "Okta"} +{"Category": "enrichment", "Product": "Okta v2", "ScriptID": "|okta-get-user", "Tag": "okta_get_user", "TaskName": "soc-enrich-user via Okta", "Time": "3", "Vendor": "Okta"} +{"Category": "enrichment", "Product": "Cortex Core - IR", "ScriptID": "|core-get-IP-analytics-prevalence", "Tag": "core_get_IP_analytics_prevalence", "TaskName": "soc-enrich-ip via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "Cortex Core - IR", "ScriptID": "|core-get-domain-analytics-prevalence", "Tag": "core_get_domain_analytics_prevalence", "TaskName": "soc-enrich-domain via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "Cortex Core - IR", "ScriptID": "|core-get-endpoints", "Tag": "core_get_endpoints", "TaskName": "soc-enrich-endpoint via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "Cortex Core - IR", "ScriptID": "|core-get-hash-analytics-prevalence", "Tag": "core_get_hash_analytics_prevalence", "TaskName": "soc-enrich-file via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "Cortex Core - IR", "ScriptID": "|core-run-script-file-exists", "Tag": "core_run_script_file_exists", "TaskName": "soc-file-exists via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "Cortex Core - IR", "ScriptID": "|enrichIndicators", "Tag": "enrichIndicators", "TaskName": "soc-enrich-ioc via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "WildFire", "ScriptID": 
"|wildfire-get-verdict", "Tag": "wildfire_get_verdict", "TaskName": "soc-enrich-file via Palo Alto Networks", "Time": "3", "Vendor": "Palo Alto Networks"} +{"Category": "enrichment", "Product": "PingOne", "ScriptID": "|pingone-get-user", "Tag": "pingone_get_user", "TaskName": "soc-enrich-user via PingOne", "Time": "3", "Vendor": "PingOne"} +{"Category": "enrichment", "Product": "Proofpoint TAP v2", "ScriptID": "|proofpoint-get-clicks-permitted", "Tag": "proofpoint_get_clicks_permitted", "TaskName": "soc-get-email-events via Proofpoint", "Time": "3", "Vendor": "Proofpoint"} +{"Category": "enrichment", "Product": "Proofpoint TAP v2", "ScriptID": "|proofpoint-get-forensics", "Tag": "proofpoint_get_forensics", "TaskName": "soc-enrich-ioc via Proofpoint", "Time": "3", "Vendor": "Proofpoint"} +{"Category": "enrichment", "Product": "Proofpoint TAP v2", "ScriptID": "|proofpoint-get-forensics", "Tag": "proofpoint_get_forensics", "TaskName": "soc-get-email-forensics via Proofpoint", "Time": "3", "Vendor": "Proofpoint"} +{"Category": "enrichment", "Product": "Proofpoint TAP v2", "ScriptID": "|proofpoint-get-messages-delivered", "Tag": "proofpoint_get_messages_delivered", "TaskName": "soc-get-email-events via Proofpoint", "Time": "3", "Vendor": "Proofpoint"} +{"Category": "enrichment", "Product": "Recorded Future", "ScriptID": "|recordedfuture-intelligence", "Tag": "recordedfuture_intelligence", "TaskName": "soc-enrich-ip via Recorded Future", "Time": "3", "Vendor": "Recorded Future"} +{"Category": "enrichment", "Product": "Recorded Future", "ScriptID": "|recordedfuture-intelligence", "Tag": "recordedfuture_intelligence", "TaskName": "soc-enrich-domain via Recorded Future", "Time": "3", "Vendor": "Recorded Future"} +{"Category": "enrichment", "Product": "Recorded Future", "ScriptID": "|recordedfuture-intelligence", "Tag": "recordedfuture_intelligence", "TaskName": "soc-enrich-ioc via Recorded Future", "Time": "3", "Vendor": "Recorded Future"} +{"Category": "enrichment", 
"Product": "Carbon Black EDR", "ScriptID": "|cb-edr-sensors-list", "Tag": "cb_edr_sensors_list", "TaskName": "soc-enrich-endpoint via VMware", "Time": "3", "Vendor": "VMware"} +{"Category": "enrichment", "Product": "VirusTotal (Private API)", "ScriptID": "|vt-private-get-file-report", "Tag": "vt_private_get_file_report", "TaskName": "soc-enrich-file via VirusTotal", "Time": "3", "Vendor": "VirusTotal"} +{"Category": "enrichment", "Product": "VirusTotal (Private API)", "ScriptID": "|vt-private-get-ip-report", "Tag": "vt_private_get_ip_report", "TaskName": "soc-enrich-ip via VirusTotal", "Time": "3", "Vendor": "VirusTotal"} +{"Category": "eradication", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-run-script", "Tag": "cs_falcon_run_script", "TaskName": "soc-kill-process via CrowdStrike", "Time": "10", "Vendor": "CrowdStrike"} +{"Category": "eradication", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-run-script", "Tag": "cs_falcon_run_script", "TaskName": "soc-remove-file via CrowdStrike", "Time": "10", "Vendor": "CrowdStrike"} +{"Category": "eradication", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-run-script", "Tag": "cs_falcon_run_script", "TaskName": "soc-remove-persistence via CrowdStrike", "Time": "10", "Vendor": "CrowdStrike"} +{"Category": "eradication", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-run-script", "Tag": "cs_falcon_run_script", "TaskName": "soc-delete-file via CrowdStrike", "Time": "10", "Vendor": "CrowdStrike"} +{"Category": "eradication", "Product": "Gmail", "ScriptID": "|gmail-delete-mail", "Tag": "gmail_delete_mail", "TaskName": "soc-retract-email via Google", "Time": "10", "Vendor": "Google"} +{"Category": "eradication", "Product": "Active Directory Query v2", "ScriptID": "|ad-set-new-password", "Tag": "ad_set_new_password", "TaskName": "soc-reset-password via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "eradication", "Product": "Microsoft Defender ATP", "ScriptID": 
"|microsoft-atp-stop-and-quarantine-file", "Tag": "microsoft_atp_stop_and_quarantine_file", "TaskName": "soc-remove-file via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "eradication", "Product": "Microsoft Graph", "ScriptID": "|msgraph-mail-delete-email", "Tag": "msgraph_mail_delete_email", "TaskName": "soc-retract-email via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "eradication", "Product": "Microsoft Graph", "ScriptID": "|msgraph-mail-delete-rule", "Tag": "msgraph_mail_delete_rule", "TaskName": "soc-remove-inbox-rule via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "eradication", "Product": "O365 Compliance", "ScriptID": "|o365-sc-compliance-search-purge", "Tag": "o365_sc_compliance_search_purge", "TaskName": "soc-retract-email via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "eradication", "Product": "Okta v2", "ScriptID": "|okta-expire-password", "Tag": "okta_expire_password", "TaskName": "soc-reset-password via Okta", "Time": "10", "Vendor": "Okta"} +{"Category": "eradication", "Product": "Cortex Core - IR", "ScriptID": "|core-run-script-delete-file", "Tag": "core_run_script_delete_file", "TaskName": "soc-remove-file via Palo Alto Networks", "Time": "10", "Vendor": "Palo Alto Networks"} +{"Category": "eradication", "Product": "Cortex Core - IR", "ScriptID": "|core-run-script-delete-file", "Tag": "core_run_script_delete_file", "TaskName": "soc-delete-file via Palo Alto Networks", "Time": "10", "Vendor": "Palo Alto Networks"} +{"Category": "eradication", "Product": "Cortex Core - IR", "ScriptID": "|core-run-script-execute", "Tag": "core_run_script_execute", "TaskName": "soc-remove-persistence via Palo Alto Networks", "Time": "10", "Vendor": "Palo Alto Networks"} +{"Category": "eradication", "Product": "Cortex Core - IR", "ScriptID": "|core-run-script-kill-process", "Tag": "core_run_script_kill_process", "TaskName": "soc-kill-process via Palo Alto Networks", "Time": "10", "Vendor": "Palo 
Alto Networks"} +{"Category": "eradication", "Product": "Trend Micro Vision One V3", "ScriptID": "|trendmicro-visionone-terminate-process", "Tag": "trendmicro_visionone_terminate_process", "TaskName": "soc-kill-process via Trend Micro", "Time": "10", "Vendor": "Trend Micro"} +{"Category": "recovery", "Product": "CrowdStrike Falcon", "ScriptID": "|cs-falcon-lift-host-containment", "Tag": "cs_falcon_lift_host_containment", "TaskName": "soc-deisolate-endpoint via CrowdStrike", "Time": "10", "Vendor": "CrowdStrike"} +{"Category": "recovery", "Product": "Active Directory Query v2", "ScriptID": "|ad-enable-account", "Tag": "ad_enable_account", "TaskName": "soc-enable-user via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "recovery", "Product": "Microsoft Defender ATP", "ScriptID": "|microsoft-atp-sc-delete-indicator", "Tag": "microsoft_atp_sc_delete_indicator", "TaskName": "soc-unblock-sender via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "recovery", "Product": "Microsoft Defender ATP", "ScriptID": "|microsoft-atp-unisolate-machine", "Tag": "microsoft_atp_unisolate_machine", "TaskName": "soc-deisolate-endpoint via Microsoft", "Time": "10", "Vendor": "Microsoft"} +{"Category": "recovery", "Product": "Mimecast", "ScriptID": "|mimecast-delete-blocked-sender-policy", "Tag": "mimecast_delete_blocked_sender_policy", "TaskName": "soc-unblock-sender via Mimecast", "Time": "10", "Vendor": "Mimecast"} +{"Category": "recovery", "Product": "Okta v2", "ScriptID": "|okta-activate-user", "Tag": "okta_activate_user", "TaskName": "soc-enable-user via Okta", "Time": "10", "Vendor": "Okta"} +{"Category": "recovery", "Product": "Cortex Core - IR", "ScriptID": "|core-unisolate-endpoint", "Tag": "core_unisolate_endpoint", "TaskName": "soc-deisolate-endpoint via Palo Alto Networks", "Time": "10", "Vendor": "Palo Alto Networks"} +{"Category": "recovery", "Product": "Proofpoint TAP v2", "ScriptID": "|proofpoint-delete-blocked-sender", "Tag": 
"proofpoint_delete_blocked_sender", "TaskName": "soc-unblock-sender via Proofpoint", "Time": "10", "Vendor": "Proofpoint"} diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml index 42705230..c0608d4a 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml @@ -1,4 +1,4 @@ -fromversion: 5.0.0 +fromversion: 8.0.0 id: Foundation - Enrichment_V3 version: 13 contentitemexportablefields: @@ -6,7 +6,7 @@ contentitemexportablefields: packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.3.13 - fromServerVersion: 5.0.0 + fromServerVersion: 8.0.0 toServerVersion: "" definitionid: "" prevname: "" @@ -18,8 +18,8 @@ description: | Identifies the core fields present and starts tailored enrichment pipelines Generates threat flags based on findings (ex: if we identify a domain controller or admin account) tags: -- SOC -- SOC_Framework_Unified + - SOC + - SOC_Framework_Unified starttaskid: "0" tasks: "0": @@ -36,7 +36,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "33" + - "33" separatecontext: false continueonerrortype: "" view: |- @@ -105,10 +105,10 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "35" - - "36" - - "37" - - "38" + - "35" + - "36" + - "37" + - "38" scriptarguments: key: simple: SOCFramework.Artifacts.CategoryType @@ -116,7 +116,7 @@ tasks: complex: root: inputs.CategoryType transformers: - - operator: toLowerCase + - operator: toLowerCase separatecontext: false continueonerrortype: "" view: |- @@ -150,7 +150,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "4" + - "4" scriptarguments: ip: simple: ${inputs.ip} 
@@ -186,7 +186,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "60"
+ - "60"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -218,7 +218,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "61"
+ - "61"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -250,7 +250,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "62"
+ - "62"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -282,7 +282,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "63"
+ - "63"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -316,7 +316,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "4"
+ - "4"
 scriptarguments:
 file:
 simple: ${inputs.file}
@@ -354,7 +354,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "4"
+ - "4"
 scriptarguments:
 domain:
 simple: ${inputs.domain}
@@ -392,7 +392,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "4"
+ - "4"
 scriptarguments:
 url:
 simple: ${inputs.url}
@@ -428,18 +428,18 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#default#':
- - "4"
+ - "4"
 "yes":
- - "34"
+ - "34"
 separatecontext: false
 conditions:
- - label: "yes"
- condition:
- - - operator: isNotEmpty
- left:
- value:
- simple: SOCFramework.Artifacts.IP
- iscontext: true
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ simple: SOCFramework.Artifacts.IP
+ iscontext: true
 continueonerrortype: ""
 view: |-
 {
@@ -470,18 +470,18 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#default#':
- - "4"
+ - "4"
 "yes":
- - "39"
+ - "39"
 separatecontext: false
 conditions:
- - label: "yes"
- condition:
- - - operator: isNotEmpty
- left:
- value:
- simple: SOCFramework.Artifacts.File
- iscontext: true
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ simple: SOCFramework.Artifacts.File
+ iscontext: true
 continueonerrortype: ""
 view: |-
 {
@@ -512,18 +512,18 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#default#':
- - "4"
+ - "4"
 "yes":
- - "40"
+ - "40"
 separatecontext: false
 conditions:
- - label: "yes"
- condition:
- - - operator: isNotEmpty
- left:
- value:
- simple: SOCFramework.Artifacts.Domain
- iscontext: true
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ simple: SOCFramework.Artifacts.Domain
+ iscontext: true
 continueonerrortype: ""
 view: |-
 {
@@ -554,18 +554,18 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#default#':
- - "4"
+ - "4"
 "yes":
- - "41"
+ - "41"
 separatecontext: false
 conditions:
- - label: "yes"
- condition:
- - - operator: isNotEmpty
- left:
- value:
- simple: SOCFramework.Artifacts.URL
- iscontext: true
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ simple: SOCFramework.Artifacts.URL
+ iscontext: true
 continueonerrortype: ""
 view: |-
 {
@@ -595,53 +595,53 @@ view: |-
 }
 }
 inputs:
-- key: CategoryType
- value:
- complex:
- root: issue
- accessor: categoryname
- transformers:
- - operator: toLowerCase
- required: false
- description: What Category of Alert is this? (malware, phishing, etc.)
- playbookInputQuery: null
-- key: ip
- value:
- simple: ${SOCFramework.Artifacts.IP}
- required: false
- description: ""
- playbookInputQuery: null
-- key: file
- value:
- simple: ${SOCFramework.Artifacts.File}
- required: false
- description: ""
- playbookInputQuery: null
-- key: url
- value:
- simple: ${SOCFramework.Artifacts.URL}
- required: false
- description: ""
- playbookInputQuery: null
-- key: domain
- value:
- simple: ${SOCFramework.Artifacts.Domain}
- required: false
- description: ""
- playbookInputQuery: null
+ - key: CategoryType
+ value:
+ complex:
+ root: issue
+ accessor: categoryname
+ transformers:
+ - operator: toLowerCase
+ required: false
+ description: What Category of Alert is this? (malware, phishing, etc.)
+ playbookInputQuery: null
+ - key: ip
+ value:
+ simple: ${SOCFramework.Artifacts.IP}
+ required: false
+ description: ""
+ playbookInputQuery: null
+ - key: file
+ value:
+ simple: ${SOCFramework.Artifacts.File}
+ required: false
+ description: ""
+ playbookInputQuery: null
+ - key: url
+ value:
+ simple: ${SOCFramework.Artifacts.URL}
+ required: false
+ description: ""
+ playbookInputQuery: null
+ - key: domain
+ value:
+ simple: ${SOCFramework.Artifacts.Domain}
+ required: false
+ description: ""
+ playbookInputQuery: null
 inputSections:
-- inputs:
- - CategoryType
- - ip
- - file
- - url
- - domain
- name: General (Inputs group)
- description: Generic group for inputs
+ - inputs:
+ - CategoryType
+ - ip
+ - file
+ - url
+ - domain
+ name: General (Inputs group)
+ description: Generic group for inputs
 outputSections:
-- outputs: []
- name: General (Outputs group)
- description: Generic group for outputs
+ - outputs: []
+ name: General (Outputs group)
+ description: Generic group
for outputs
 outputs: []
 sourceplaybookid: Foundation - Enrichment_V3
 dirtyInputs: true
diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml
index 4bc020e9..32b446b7 100644
--- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml
+++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml
@@ -1,4 +1,4 @@
-fromversion: 5.0.0
+fromversion: 8.0.0
 id: Foundation - Upon Trigger V3
 version: 7
 contentitemexportablefields:
@@ -6,7 +6,7 @@ contentitemexportablefields:
 packID: soc-optimization-unified
 packName: SOC Framework Unified
 itemVersion: 3.3.13
- fromServerVersion: 5.0.0
+ fromServerVersion: 8.0.0
 toServerVersion: ""
 definitionid: ""
 prevname: ""
@@ -15,8 +15,8 @@ contentitemexportablefields:
 vcShouldKeepItemLegacyProdMachine: false
 name: Foundation - Upon Trigger V3
 tags:
-- SOC
-- SOC_Framework_Unified
+ - SOC
+ - SOC_Framework_Unified
 starttaskid: "0"
 tasks:
 "0":
@@ -33,7 +33,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "1"
+ - "1"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -65,7 +65,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "27"
+ - "27"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -97,7 +97,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "28"
+ - "28"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -129,7 +129,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "32"
+ - "32"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -161,7 +161,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "35"
+ - "35"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -193,7 +193,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "23"
+ - "23"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -225,7 +225,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "30"
+ - "30"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -257,7 +257,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "31"
+ - "31"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -322,14 +322,14 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "4"
+ - "4"
 scriptarguments:
 CategoryType:
 complex:
 root: issue
 accessor: categoryname
 transformers:
- - operator: toLowerCase
+ - operator: toLowerCase
 Remote_IP:
 simple: ${inputs.Remote_IP}
 separatecontext: false
@@ -372,7 +372,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "2"
+ - "2"
 separatecontext: false
 continueonerrortype: ""
 loop:
@@ -414,7 +414,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "3"
+ - "3"
 separatecontext: false
 continueonerrortype: ""
 loop:
@@ -456,7 +456,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "7"
+ - "7"
 separatecontext: true
 continueonerrortype: ""
 view: |-
@@ -492,7 +492,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "33"
+ - "33"
 separatecontext: true
 continueonerrortype: ""
 view: |-
@@ -529,7 +529,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "36"
+ - "36"
 separatecontext: true
 continueonerrortype: ""
 loop:
@@ -566,7 +566,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "34"
+ - "34"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -599,7 +599,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "8"
+ - "8"
 separatecontext: true
 continueonerrortype: ""
 view: |-
@@ -632,7 +632,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "6"
+ - "6"
 separatecontext: true
 continueonerrortype: ""
 view: |-
@@ -664,7 +664,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "37"
+ - "37"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -697,7 +697,7 @@ tasks:
 istaskmissingcomponenterrordismissed: false
 nexttasks:
 '#none#':
- - "5"
+ - "5"
 separatecontext: true
 continueonerrortype: ""
 view: |-
@@ -729,13 +729,13 @@ view: |-
 }
 inputs: []
 inputSections:
-- inputs: []
- name: General (Inputs group)
- description: Generic group for inputs
+ - inputs: []
+ name: General (Inputs group)
+ description: Generic group for inputs
 outputSections:
-- outputs: []
- name: General (Outputs group)
- description: Generic group for outputs
+ - outputs: []
+ name: General (Outputs group)
+ description: Generic group for outputs
 outputs: []
 sourceplaybookid: Foundation - Upon Trigger
 quiet: true
diff --git a/Packs/soc-optimization-unified/ReleaseNotes/3_4_2.md b/Packs/soc-optimization-unified/ReleaseNotes/3_4_2.md
new file mode 100644
index 00000000..c6be3f16
--- /dev/null
+++ b/Packs/soc-optimization-unified/ReleaseNotes/3_4_2.md
@@ -0,0 +1,26 @@
+## [Unreleased] - March 20, 2026
+
+### XSIAMDashboards
+
+#### XSIAM_SOC_Value_Metrics_V3
+- Removed `execution_mode` filter — dashboard now shows all commands across all modes (production and shadow) for a complete view of XSIAM activity
+- Fixed `Tag` field reference in `value_tags` join — backtick quoting now applied correctly, resolving empty widget results
+- Fixed Vendor Usage funnel and Tools Used pie — updated grouping to `value_vendor` and `value_product` respectively, replacing the concatenated `tool` field
+- Swapped both chart yaxis from `total_soc_hours` to `total_soc_minutes` — prevents zero-value rounding for sub-60-minute datasets
+
+#### XSIAM_SOC_Value_Metrics_Shadow (new)
+- New dashboard cloned from V3 — identical widget set and structure
+- Filtered to `execution_mode = "shadow"` for PoV shadow mode visibility
+- Unique widget keys (`_shd` suffix) to prevent platform key collision with V3
+- `widgets_data` fully populated — resolves previous 101704 installation failures
+
+### Lookup
+
+#### value_tags
+- Rebuilt from scratch — all 69 entries now derived directly from `SOCFrameworkActions_V3_data.json` ensuring full command coverage
+- Added `cs-falcon-contain-host` (containment, 15 min) — was missing, causing CrowdStrike containment to be invisible in dashboards
+- Added `cs-falcon-lift-host-containment` (recovery, 10 min) — was missing, causing CrowdStrike recovery to be invisible in dashboards
+- Added `cs-falcon-search-device` (enrichment, 3 min)
+- Added full Identity command coverage: `disable-user`, `okta-clear-user-sessions`, `ad-set-new-password`, `okta-expire-password`, `msgraph-user-account-disable`, `ad-enable-account`, `okta-activate-user`, `ad-get-user`, `msgraph-user-get`, `okta-get-user`
+- Updated time values: containment actions 15 min, eradication/recovery actions 10 min (previously all 3 min)
+- Removed `PlaybookID` field — was causing lookup upload validation failure on XSIAM platform
diff --git a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Shadow.json b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Shadow.json
new file mode 100644
index 00000000..8e27c534
--- /dev/null
+++ b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Shadow.json
@@ -0,0 +1,1823 @@ +{ + "dashboards_data": [ + { + "name": "XSIAM SOC Value Metrics - Shadow Mode", + "description": "Actions taken by XSIAM for the SOC", + "status": "ENABLED", + "layout": [ + { + "id": "row-3521", + "data": [ + { + "key": "xql_1745755921627_shd", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 405, + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + 
"command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_category" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": "seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + } + }, + { + "key": "xql_1745755883243_shd", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 405, + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type 
= column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + } + } + ] + }, + { + "id": "row-8840", + "data": [ + { + "key": "xql_1745756085465_shd", + "data": { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 352, + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and 
Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_vendor\n| sort desc total_soc_minutes\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_minutes ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "funnel", + "commands": [ + { + "command": { + "op": "=", + "name": "header", + "value": "\"Most Used Vendors\"" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_vendor" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes" + } + } + ] + } + } + }, + { + "key": "xql_1745755968440_shd", + "data": { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 352, + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as 
value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product\n| sort desc total_soc_minutes\n| view graph type = pie subtype = full header = \"Tool Usage in Minutes\" xaxis = value_product yaxis = total_soc_minutes ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "full" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Tool Usage in Minutes\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_product" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes" + } + } + ] + } + } + } + ] + }, + { + "id": "row-7484", + "data": [ + { + "key": "xql_1745756305970_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (task_name = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal 
header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Use Case Time\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + } + }, + { + "key": "xql_1745756046680_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + 
"command": { + "op": "=", + "name": "header", + "value": "\"Hours Saved by XSIAM\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + }, + { + "command": { + "op": "=", + "name": "dataunit", + "value": "\"Hours\"" + } + }, + { + "command": { + "op": "=", + "name": "headcolor", + "value": "\"#f1f7f0\"" + } + }, + { + "command": { + "op": "=", + "name": "font", + "value": "\"Arial\"" + } + }, + { + "command": { + "op": "=", + "name": "headerfontsize", + "value": "6" + } + } + ] + } + } + }, + { + "key": "xql_1750429941149_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + } + }, + { + "key": "xql_1750429903480_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "config case_sensitive = false\n| dataset = cases\n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| alter incidents_per_day = divide(total_cases, 30)\n| alter incidents_per_hour = divide(incidents_per_day, 8)\n| alter analyst_required = 
round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required)\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + } + } + ] + }, + { + "id": "row-1296", + "data": [ + { + "key": "xql_1745756206179_shd", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 400, + "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Total Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "original_tags" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Data Sources\"" + } + }, + { + "func": { + "args": [ + "total_alerts", + "Alerts by Data Source" + ], + "name": "seriestitle" + } + } + ] + } + } + }, + { + "key": "xql_1745756167461_shd", + 
"data": { + "type": "Custom XQL", + "width": 50, + "height": 400, + "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "alert_source" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + } + ] + } + } + }, + { + "key": "alert-lag-detection_shd", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 400, + "phrase": "dataset = alerts\n// Alert Detection Lag: time from event to XSIAM ingestion \u2014 maps to MTTD (VD1 & VD3)\n| alter event_ts_ms = to_integer(arrayindex(event_timestamp, 0))\n| alter ingest_ts_ms = to_epoch(_time, \"millis\")\n| alter lag_ms = subtract(ingest_ts_ms, event_ts_ms)\n| filter lag_ms > 0 and lag_ms < 86400000\n| alter lag_minutes = round(divide(lag_ms, 60000))\n| comp\n avg(lag_minutes) as avg_lag_min,\n max(lag_minutes) as max_lag_min,\n count() as alert_count\n by alert_source\n| sort desc avg_lag_min\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Alert Detection Lag by Source (Avg Minutes)\" xaxis = alert_source yaxis = avg_lag_min,max_lag_min xaxistitle = \"Alert Source\" yaxistitle = \"Minutes\" seriestitle(\"avg_lag_min\",\"Avg Lag (min)\") seriestitle(\"max_lag_min\",\"Max Lag (min)\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", 
+ "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Total Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "original_tags" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Data Sources\"" + } + }, + { + "func": { + "args": [ + "total_alerts", + "Alerts by Data Source" + ], + "name": "seriestitle" + } + } + ] + } + } + } + ] + }, + { + "id": "row-9104", + "data": [ + { + "key": "xql_1750692388012_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = cases \n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + }, + { + "key": "xql_1750243294068_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"RESOLVED\" and (xdm.case.status.resolution_comment = \"Resolved by the Auto Triage Job\" or xdm.case.status.resolution_comment = \"Auto-resolved by Cortex XSIAM because all of the alerts contained in this incident are excluded or resolved\")\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": 
"standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + }, + { + "key": "xql_1750429296483_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| sort desc total_cases\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + }, + { + "key": "xql_1750429437464_shd", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + } + ] + } + ], + "default_dashboard_id": 1, + "global_id": "XSIAM_SOC_Value_Metrics_Shadow", + "metadata": { + "params": [] + } + } + ], + "widgets_data": [ + { + "widget_key": "xql_1750692388012_shd", + "title": "Total Cases", + "creation_time": 1770245296602, + "description": "", + "data": { + "phrase": "dataset = cases \n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n| view graph type = single subtype = standard yaxis = 
total_cases ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "sbrumley@paloaltonetworks.com" + }, + { + "widget_key": "xql_1745755968440_shd", + "title": "Tools used by XSIAM by Hour", + "creation_time": 1770245291127, + "description": "Which tools is XSIAM uniquely automating most of the time by number of hours", + "data": { + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product\n| sort desc total_soc_minutes\n| view graph type = pie subtype = full header = \"Tool Usage in Minutes\" xaxis = value_product yaxis = total_soc_minutes ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "full" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": 
"\"Tool Usage in Minutes\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_product" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_socfw_ir_execution_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429903480_shd", + "title": "Analysts Required post-XSIAM (EPH 8 to 13)", + "creation_time": 1770245294279, + "description": "Given the total number of manual incidents post-XSIAM and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", + "data": { + "phrase": "config case_sensitive = false\n| dataset = cases\n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| alter incidents_per_day = divide(total_cases, 30)\n| alter incidents_per_hour = divide(incidents_per_day, 8)\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required)\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756305970_shd", + "title": "Common Use Cases", + "creation_time": 1770245292203, + "description": "Which Use Cases are most often being executed", + "data": { + "phrase": "dataset = 
xsiam_socfw_ir_execution_raw\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (task_name = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Use Case Time\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_socfw_ir_execution_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756206179_shd", + "title": "Total Alerts", + "creation_time": 1770245291870, + "description": "All alerts firing by data source", + "data": { + "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc 
total_alerts\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Total Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "original_tags" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Data Sources\"" + } + }, + { + "func": { + "args": [ + "total_alerts", + "Alerts by Data Source" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "alerts" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429941149_shd", + "title": "Analysts Required NO XSIAM (EPH 8 to 13)", + "creation_time": 1770245295594, + "description": "Given the total number of manual incidents and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", + "data": { + "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter 
analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "issues" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750243294068_shd", + "title": "Cases Auto Resolved", + "creation_time": 1770245292431, + "description": "This includes deduping (Palo SOC Framework), auto triage, and auto-resolution by XSIAM", + "data": { + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"RESOLVED\" and (xdm.case.status.resolution_comment = \"Resolved by the Auto Triage Job\" or xdm.case.status.resolution_comment = \"Auto-resolved by Cortex XSIAM because all of the alerts contained in this incident are excluded or resolved\")\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756167461_shd", + "title": "Total Alerts By Source", + "creation_time": 1770245291767, + "description": "How many alerts are native XSIAM alerts", + "data": { + "phrase": 
"dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "alert_source" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "alerts" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429437464_shd", + "title": "Total Starred Manual Cases", + "creation_time": 1770245292868, + "description": "", + "data": { + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756046680_shd", + "title": "Total SOC Hours Worked by XSIAM", + "creation_time": 1770245291342, + "description": "The number of hours worked by XSIAM automations", + "data": { + "phrase": 
"dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Hours Saved by XSIAM\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + }, + { + "command": { + "op": "=", + "name": "dataunit", + "value": "\"Hours\"" + } + }, + { + "command": { + "op": "=", + "name": "headcolor", + "value": "\"#f1f7f0\"" + } + }, + { + "command": { + "op": "=", + "name": "font", + "value": "\"Arial\"" + } + }, + { + "command": { + "op": "=", + "name": "headerfontsize", + "value": "6" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_socfw_ir_execution_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": 
"xql_1750429296483_shd", + "title": "Total Manual Cases", + "creation_time": 1770245292622, + "description": "", + "data": { + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| sort desc total_cases\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745755883243_shd", + "title": "Time Saved by XSIAM per Task", + "creation_time": 1770245290172, + "description": null, + "data": { + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view 
graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_socfw_ir_execution_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756085465_shd", + "title": "XSIAM Vendor Usage", + "creation_time": 1770245291562, + "description": "Which Vendors are being most often automated by XSIAM.", + "data": { + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| 
alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_vendor\n| sort desc total_soc_minutes\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_minutes ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "funnel", + "commands": [ + { + "command": { + "op": "=", + "name": "header", + "value": "\"Most Used Vendors\"" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_vendor" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_socfw_ir_execution_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745755921627_shd", + "title": "Time Save by Category", + "creation_time": 1770245290644, + "description": "Total time saved by Category that XSIAM is helping SOC", + "data": { + "phrase": "dataset 
= xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_category" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": 
"seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_socfw_ir_execution_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756206179_shd", + "title": "Total Alerts", + "creation_time": 1770245291870, + "description": "All alerts firing by data source", + "data": { + "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Total Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "original_tags" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Alerts\"" + } + }, + { + 
"command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Data Sources\"" + } + }, + { + "func": { + "args": [ + "total_alerts", + "Alerts by Data Source" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "alerts" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "alert-lag-detection_shd", + "title": "Alert Detection Lag by Source", + "creation_time": 1773887140953, + "description": "Time from source event to XSIAM ingestion by alert source. Maps to MTTD \u2014 VD1 & VD3.", + "data": { + "phrase": "dataset = alerts\n// Alert Detection Lag: time from event to XSIAM ingestion \u2014 maps to MTTD (VD1 & VD3)\n| alter event_ts_ms = to_integer(arrayindex(event_timestamp, 0))\n| alter ingest_ts_ms = to_epoch(_time, \"millis\")\n| alter lag_ms = subtract(ingest_ts_ms, event_ts_ms)\n| filter lag_ms > 0 and lag_ms < 86400000\n| alter lag_minutes = round(divide(lag_ms, 60000))\n| comp\n avg(lag_minutes) as avg_lag_min,\n max(lag_minutes) as max_lag_min,\n count() as alert_count\n by alert_source\n| sort desc avg_lag_min\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Alert Detection Lag by Source (Avg Minutes)\" xaxis = alert_source yaxis = avg_lag_min,max_lag_min xaxistitle = \"Alert Source\" yaxistitle = \"Minutes\" seriestitle(\"avg_lag_min\",\"Avg Lag (min)\") seriestitle(\"max_lag_min\",\"Max Lag (min)\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "alert_source" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "avg_lag_min,max_lag_min" + } + } + ] + } + }, + "support_time_range": true, + 
"additional_info": { + "query_tables": [ + "alerts" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + } + ], + "fromVersion": "6.10.0" +} diff --git a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json index dfa9dbae..e09196b9 100644 --- a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json +++ b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json 
@@ -14,7 +14,7 @@ "type": "Custom XQL", "width": 50, "height": 405, - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as 
value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": { "relativeTime": 86400000 }, 
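Review bot: The dedup key carried into the new phrase, `concat(incident_id, run_id, vendor_command)`, has no delimiter, so two distinct executions whose ids merely concatenate to the same string (incident `12`/run `3` versus incident `1`/run `23`) collapse into one row before the join and the summed minutes under-count. A separator that cannot occur in the ids keeps the key unambiguous, e.g. `| alter dedupkey = concat(incident_id, \"|\", run_id, \"|\", vendor_command)` inside the JSON string, and the same key appears in every execution widget of this patch, so it should change in all of them together. Separately, `to_integer(value_time)` returns null for any non-numeric `Time` that survives the `!= \"\"` check, so such lookup rows silently vanish from `total_soc_minutes`; a numeric-only filter on `Time` in the subquery would surface bad lookup data instead of hiding it.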
@@ -116,7 +116,7 @@ "type": "Custom XQL", "width": 50, "height": 405, - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, 
TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": { "relativeTime": 86400000 }, 
@@ -223,7 +223,7 @@ "type": "Custom XQL", "width": 33.333333333333336, "height": 352, - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as 
vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_vendor\n| sort desc total_soc_minutes\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_minutes ", "time_frame": { "relativeTime": 86400000 }, @@ -262,7 +262,7 @@ "command": { "op": "=", "name": "yaxis", - "value": "total_soc_hours" + "value": "total_soc_minutes" } } ] 
@@ -275,7 +275,7 @@ "type": "Custom XQL", "width": 33.333333333333336, "height": 352, - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as 
value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product\n| sort desc total_soc_minutes\n| view graph type = pie subtype = full header = \"Tool Usage in Minutes\" xaxis = value_product yaxis = total_soc_minutes ", "time_frame": { "relativeTime": 604800000 }, @@ -293,21 +293,21 @@ "command": { "op": "=", "name": "header", - "value": "\"Tool Usage in Hours\"" + "value": "\"Tool Usage in Minutes\"" } }, { "command": { "op": "=", "name": "xaxis", - "value": "tool" + "value": "value_product" } }, { "command": { "op": "=", "name": "yaxis", - "value": "total_soc_hours" + "value": "total_soc_minutes" } } ] 
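Review bot: The new `| comp sum(soc_event_minutes) as total_soc_minutes by value_product` groups on the product name alone, whereas the removed line grouped on `value_product, value_vendor` and labelled slices with the vendor-qualified `tool`; if `value_tags` carries the same `Product` string under more than one `Vendor`, those rows now collapse into a single slice. Grouping on both columns and deriving the label, e.g. `| comp sum(soc_event_minutes) as total_soc_minutes by value_vendor, value_product` followed by `| alter tool = concat(concat(value_vendor, " "), value_product)` and `xaxis = tool`, would keep the minutes-based chart without the ambiguity. The same change is made in the hunk at -884, and its widget-option hunk (-293 here, -902 there) would then keep `xaxis` as `tool`.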
@@ -325,7 +325,7 @@ "type": "Custom XQL", "width": 25, "height": 400, - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (task_name = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (task_name = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", "time_frame": { "relativeTime": 86400000 }, 
@@ -377,7 +377,7 @@ "type": "Custom XQL", "width": 25, "height": 400, - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = 
round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", "time_frame": { "relativeTime": 86400000 }, 
@@ -884,7 +884,7 @@ "creation_time": 1770245291127, "description": "Which tools is XSIAM uniquely automating most of the time by number of hours", "data": { - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as 
value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product\n| sort desc total_soc_minutes\n| view graph type = pie subtype = full header = \"Tool Usage in Minutes\" xaxis = value_product yaxis = total_soc_minutes ", "time_frame": { "relativeTime": 604800000 }, @@ -902,21 +902,21 @@ "command": { "op": "=", "name": "header", - "value": "\"Tool Usage in Hours\"" + "value": "\"Tool Usage in Minutes\"" } }, { "command": { "op": "=", "name": "xaxis", - "value": "tool" + "value": "value_product" } }, { "command": { "op": "=", "name": "yaxis", - "value": "total_soc_hours" + "value": "total_soc_minutes" } } ] 
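Review bot: The context line `"description": "Which tools is XSIAM uniquely automating most of the time by number of hours"` no longer matches the new query, which plots `total_soc_minutes` under the header `"Tool Usage in Minutes"`. That description is shown to dashboard users, so it should read `"Which tools is XSIAM uniquely automating most of the time by number of minutes"`, or the query should keep reporting hours.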
@@ -977,7 +977,7 @@ "creation_time": 1770245292203, "description": "Which Use Cases are most often being executed", "data": { - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (task_name = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (task_name = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", "time_frame": { 
"relativeTime": 86400000 }, 
@@ -1291,7 +1291,7 @@ "creation_time": 1770245291342, "description": "The number of hours worked by XSIAM automations", "data": { - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp 
sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", "time_frame": { "relativeTime": 86400000 }, 
@@ -1405,7 +1405,7 @@ "creation_time": 1770245290172, "description": null, "data": { - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as 
value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": { "relativeTime": 86400000 }, 
@@ -1516,7 +1516,7 @@ "creation_time": 1770245291562, "description": "Which Vendors are being most often automated by XSIAM.", "data": { - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, 
Product as value_product, Vendor as value_vendor\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_vendor\n| sort desc total_soc_minutes\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_minutes ", "time_frame": { "relativeTime": 86400000 }, @@ -1555,7 +1555,7 @@ "command": { "op": "=", "name": "yaxis", - "value": "total_soc_hours" + "value": "total_soc_minutes" } } ] 
@@ -1577,7 +1577,7 @@ "creation_time": 1770245290644, "description": "Total time saved by Category that XSIAM is helping SOC", "data": { - "phrase": "dataset = xsiam_socfw_ir_execution_raw\n| filter execution_mode = \"shadow\"\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "phrase": "dataset = xsiam_socfw_ir_execution_raw\n\n| alter dedupkey = concat(incident_id, run_id, vendor_command)\n| dedup dedupkey\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| alter ScriptID = replace(ScriptID, \"|\", \"\")\n| fields Category as 
value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (vendor_command = vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": { "relativeTime": 86400000 }, diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json index dccc0cc4..42e0fef8 100644 --- a/Packs/soc-optimization-unified/pack_metadata.json +++ b/Packs/soc-optimization-unified/pack_metadata.json @@ -3,7 +3,7 @@ "id": "soc-optimization-unified", "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.", "support": "community", - "currentVersion": "3.4.1", + "currentVersion": "3.4.2", "author": "Palo Alto Networks", "url": "https://github.com/Palo-Cortex/soc-optimization-unified", "email": "", diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json index 8af1df00..7e439d8f 100644 --- a/Packs/soc-optimization-unified/xsoar_config.json +++ b/Packs/soc-optimization-unified/xsoar_config.json 
@@ -7,8 +7,8 @@
 ],
 "custom_packs": [
 {
- "id": "soc-optimization-unified-v3.4.1.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.4.1/soc-optimization-unified-v3.4.1.zip",
+ "id": "soc-optimization-unified-v3.4.2.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.4.2/soc-optimization-unified-v3.4.2.zip",
 "system": "yes"
 },
 {
diff --git a/pack_catalog.json b/pack_catalog.json
index 329604dc..75718f60 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -94,7 +94,7 @@
 "id": "soc-optimization-unified",
 "display_name": "SOC Framework Unified",
 "category": "Use Case",
- "version": "3.4.1",
+ "version": "3.4.2",
 "path": "Packs/soc-optimization-unified",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"
diff --git a/tools/fixtures/foundation_unit.json b/tools/fixtures/foundation_unit.json
new file mode 100644
index 00000000..4fabcf43
--- /dev/null
+++ b/tools/fixtures/foundation_unit.json
@@ -0,0 +1,306 @@
+[
+ {
+ "name": "Dedup \u2014 no similar alerts found \u2192 passes through to Done",
+ "playbook": "Foundation_-_Dedup",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "happy_path"
+ ],
+ "context_inputs": {
+ "parentIncidentFields.incident_id": "INC-001",
+ "DBotFindSimilarIncidents.isSimilarIncidentFound": false
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "branch_taken",
+ "target": "16",
+ "expected": "#default#",
+ "description": "No similar alerts \u2192 default path \u2192 Done without closing"
+ },
+ {
+ "type": "task_not_executed",
+ "target": "14",
+ "description": "Close As Duplicates must NOT run when no duplicate found"
+ },
+ {
+ "type": "task_not_executed",
+ "target": "15",
+ "description": "Print Duplicate Alerts must NOT run"
+ }
+ ]
+ },
+ {
+ "name": "Dedup \u2014 duplicate found \u2192 prints warning and closes duplicate",
+ "playbook": "Foundation_-_Dedup",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "happy_path"
+ ],
+ "context_inputs": {
+ "parentIncidentFields.incident_id": "INC-001",
+ "alert.id": "INC-002",
+ "DBotFindSimilarIncidents.isSimilarIncidentFound": true,
+ "DBotFindSimilarIncidents.similarIncident": {
+ "id": "INC-001"
+ }
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "branch_taken",
+ "target": "16",
+ "expected": "yes",
+ "description": "Duplicate found \u2192 yes branch"
+ },
+ {
+ "type": "task_executed",
+ "target": "15",
+ "description": "Print Duplicate Alerts must run"
+ },
+ {
+ "type": "task_executed",
+ "target": "14",
+ "description": "Close As Duplicates must run"
+ }
+ ]
+ },
+ {
+ "name": "Dedup \u2014 DBotFindSimilarAlerts error \u2192 skipped warning, not halting",
+ "playbook": "Foundation_-_Dedup",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "non_happy"
+ ],
+ "context_inputs": {
+ "parentIncidentFields.incident_id": "INC-001"
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "task_not_executed",
+ "target": "14",
+ "description": "Close As Duplicates must NOT run on error path"
+ },
+ {
+ "type": "task_not_executed",
+ "target": "15",
+ "description": "Print Duplicate Alerts must NOT run on error path"
+ }
+ ]
+ },
+ {
+ "name": "Dedup \u2014 burst duplicate: second alert with same incident_id \u2192 closed",
+ "playbook": "Foundation_-_Dedup",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "non_happy",
+ "race_condition"
+ ],
+ "context_inputs": {
+ "parentIncidentFields.incident_id": "INC-001",
+ "alert.id": "INC-001-b",
+ "DBotFindSimilarIncidents.isSimilarIncidentFound": true,
+ "DBotFindSimilarIncidents.similarIncident": {
+ "id": "INC-001"
+ }
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "branch_taken",
+ "target": "16",
+ "expected": "yes"
+ },
+ {
+ "type": "task_executed",
+ "target": "14",
+ "description": "Burst duplicate \u2014 second alert must be closed"
+ }
+ ]
+ },
+ {
+ "name": "Product Classification \u2014 Proofpoint TAP maps to Email",
+ "playbook": "Foundation_-_Product_Classification_V3",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "happy_path"
+ ],
+ "context_inputs": {
+ "inputs.ProductKey": "Proofpoint TAP",
+ "SOCFramework.Product.key": "Proofpoint TAP",
+ "lists.SOCProductCategoryMap_V3": {
+ "Proofpoint TAP": {
+ "category": "Email",
+ "type": "Email",
+ "confidence": "high",
+ "response": "proofpoint"
+ },
+ "CrowdStrike Falcon": {
+ "category": "Endpoint",
+ "type": "Endpoint",
+ "confidence": "high",
+ "response": "crowdstrike"
+ }
+ }
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Product.category",
+ "expected": "Email"
+ },
+ {
+ "type": "branch_taken",
+ "target": "24",
+ "expected": "yes",
+ "description": "Product category map exists \u2192 yes path"
+ }
+ ]
+ },
+ {
+ "name": "Product Classification \u2014 CrowdStrike Falcon maps to Endpoint",
+ "playbook": "Foundation_-_Product_Classification_V3",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "happy_path"
+ ],
+ "context_inputs": {
+ "inputs.ProductKey": "CrowdStrike Falcon",
+ "SOCFramework.Product.key": "CrowdStrike Falcon",
+ "lists.SOCProductCategoryMap_V3": {
+ "Proofpoint TAP": {
+ "category": "Email",
+ "type": "Email",
+ "confidence": "high",
+ "response": "proofpoint"
+ },
+ "CrowdStrike Falcon": {
+ "category": "Endpoint",
+ "type": "Endpoint",
+ "confidence": "high",
+ "response": "crowdstrike"
+ }
+ }
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Product.category",
+ "expected": "Endpoint"
+ },
+ {
+ "type": "branch_taken",
+ "target": "24",
+ "expected": "yes"
+ }
+ ]
+ },
+ {
+ "name": "Product Classification \u2014 unknown source \u2192 default category",
+ "playbook": "Foundation_-_Product_Classification_V3",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "non_happy",
+ "edge_case"
+ ],
+ "context_inputs": {
+ "inputs.ProductKey": "Unknown Vendor XYZ",
+ "SOCFramework.Product.key": "Unknown Vendor XYZ"
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "branch_taken",
+ "target": "24",
+ "expected": "#default#",
+ "description": "No product map in context \u2192 default \u2192 Done without category set"
+ }
+ ]
+ },
+ {
+ "name": "Normalize Artifacts \u2014 email artifact fields populated",
+ "playbook": "Foundation_-_Normalize_Artifacts_V3",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "happy_path"
+ ],
+ "context_inputs": {
+ "inputs.EmailFrom": "noreply@sktlocal.it",
+ "inputs.EmailTo": "Gunter@SKT.LOCAL",
+ "inputs.EmailSubject": "Windows Security Update - Action Required",
+ "inputs.EmailThreatURL": "http://brieftragerin.skt.local/update/NTFVersion.exe",
+ "inputs.EmailThreatType": "url",
+ "inputs.HostName": "",
+ "inputs.UserName": "Gunter",
+ "inputs.SHA256": "",
+ "inputs.SourceIP": "198.51.100.45"
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Artifacts.Email.From",
+ "expected": "noreply@sktlocal.it"
+ },
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Artifacts.Email.ThreatType",
+ "expected": "url"
+ },
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Artifacts.Email.ThreatURL",
+ "expected": "http://brieftragerin.skt.local/update/NTFVersion.exe"
+ }
+ ]
+ },
+ {
+ "name": "Normalize Artifacts \u2014 endpoint artifact fields populated",
+ "playbook": "Foundation_-_Normalize_Artifacts_V3",
+ "category": "foundation",
+ "suite": "unit",
+ "tags": [
+ "happy_path"
+ ],
+ "context_inputs": {
+ "inputs.HostName": "WIN-WORKSTATION-01",
+ "inputs.EndpointID": "ep-abc-123",
+ "inputs.SHA256": "a3f8e2d94c1b7065f2a9c8d3e4b51f6a",
+ "inputs.UserName": "jsmith",
+ "inputs.SourceIP": "10.20.20.102"
+ },
+ "uc_mocks": {},
+ "sub_mocks": {},
+ "assertions": [
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Artifacts.HostName",
+ "expected": "WIN-WORKSTATION-01"
+ },
+ {
+ "type": "context_key_equals",
+ "target": "SOCFramework.Artifacts.UserName",
+ "expected": "jsmith"
+ }
+ ]
+ }
+]
diff --git a/tools/playbook_simulator.py b/tools/playbook_simulator.py
index b505f831..e5cb6b3b 100644
--- a/tools/playbook_simulator.py
+++ b/tools/playbook_simulator.py
@@ -55,7 +55,7 @@ def snapshot(self) -> dict:
 # ── Transformers ─────────────────────────────────────────────────────────────
-def apply_transformers(value: Any, transformers: list) -> Any:
+def apply_transformers(value: Any, transformers: list, ctx=None) -> Any:
 for t in transformers:
 op = t.get('operator')
 args = t.get('args', {})
@@ -74,8 +74,13 @@ def apply_transformers(value: Any, transformers: list) -> Any:
 if k not in seen: seen.add(k); out.append(v)
 value = out
 elif op == 'getField':
- field = args.get('field', {})
- if isinstance(field, dict): field = field.get('value', {}).get('simple', '')
+ field_spec = args.get('field', {})
+ field_iscontext = isinstance(field_spec, dict) and field_spec.get('iscontext', False)
+ field = field_spec.get('value', {}).get('simple', '') if isinstance(field_spec, dict) else str(field_spec)
+ if field_iscontext and ctx is not None:
+ resolved = ctx.get_by_path(field)
+ if resolved is not None:
+ field = str(resolved)
 if isinstance(value, dict) and field:
 value = value.get(field)
 elif isinstance(value, list) and field:
@@ -154,7 +159,7 @@ def resolve_value_spec(spec: Any, ctx: Context, iscontext: bool = False) -> Any:
 elif value is None:
 # root not in context — try flat dotted key
 value = ctx.get_by_path(f'{root}.{accessor}')
- value = apply_transformers(value, transformers)
+ value = apply_transformers(value, transformers, ctx=ctx)
 return value
 return ctx.resolve_string(str(spec)) if spec is not None else None
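Review bot: `str(field_spec)` on the new `field = ...` line changes the non-dict case: a field spec of `None` previously fell through the `if ... and field:` guards and left `value` untouched, but `str(None)` is the truthy string `'None'`, so the code now looks up a key literally named `None` and overwrites `value` with the result; `else ('' if field_spec is None else str(field_spec))` preserves the old behaviour. When `field_iscontext` is set but `ctx` is `None` (the default for every caller other than `resolve_value_spec`), the context path is silently used as a literal key and the lookup yields `None` with no diagnostic; at minimum a comment on the `if field_iscontext and ctx is not None:` line should state that this fallback is intentional, otherwise the branch should record a warning. The enclosing `for t in transformers:` loop starts before this hunk.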
@@ -290,12 +295,23 @@ def mock_set_multiple_values(args: dict, ctx: Context):
 for key, val in zip(keys, values):
 ctx.set(f"{prefix}{key}", val)
+def mock_dbot_find_similar(args: dict, ctx: Context):
+ """
+ Mock for DBotFindSimilarAlerts.
+ In test fixtures inject the result directly into context before running:
+ 'DBotFindSimilarIncidents.isSimilarIncidentFound': True/False
+ 'DBotFindSimilarIncidents.similarIncident.id': 'INC-001'
+ This mock is a no-op — the fixture pre-seeds context with the result.
+ """
+ pass # result pre-seeded via context_inputs in fixture
+
 SCRIPT_MOCKS = {
 'SetAndHandleEmpty': mock_set_and_handle_empty,
 'SetMultipleValues': mock_set_multiple_values,
 'SetField': mock_set_and_handle_empty,
 'AddDBotScoreToContext': mock_add_dbot_score,
 'GetIndicatorDBotScoreFromCache': lambda a, c: None,
+ 'DBotFindSimilarAlerts': mock_dbot_find_similar,
 }
@@ -437,8 +453,9 @@ def run(
 elif script_name:
 result.warnings.append(f"Unmocked script {script_name!r} at task {tid} — skipped")
- for targets in nexttasks.values():
- queue.extend(targets)
+ for key, targets in nexttasks.items():
+ if key != '#error#':
+ queue.extend(targets)
 elif task_type == 'playbook':
 sub_name = task_def.get('playbookName', '')
diff --git a/tools/test_playbooks.py b/tools/test_playbooks.py
index e52a7fd5..b4cb9edf 100644
--- a/tools/test_playbooks.py
+++ b/tools/test_playbooks.py
@@ -14,10 +14,7 @@
 Exit code 0 = all pass. Exit code 1 = failures present.
 """
-
 from __future__ import annotations
-import sys, os
-sys.path.insert(0, os.path.dirname(__file__))
 import argparse, json, os, sys, textwrap, time
 from dataclasses import dataclass, field
 from typing import Any
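Review bot: `mock_dbot_find_similar` never checks that the fixture actually seeded the result its docstring documents, so a fixture that forgets `DBotFindSimilarIncidents.isSimilarIncidentFound` silently behaves like the "no similar alerts" case; a guard such as `if ctx.get_by_path('DBotFindSimilarIncidents.isSimilarIncidentFound') is None:` that records a warning would catch that, though `ctx` is the only handle the mock receives, so the warning sink may need to be threaded in. The trailing `pass  # result pre-seeded via context_inputs in fixture` is redundant after a docstring and repeats its last sentence; drop it and let the docstring be the body. The docstring's dotted `DBotFindSimilarIncidents.similarIncident.id` and the fixtures' nested `similarIncident` object are two spellings of the same seed; say which form `get_by_path` accepts, or that both do.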
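Review bot: Dropping every `#error#` edge in `run` makes the playbook's on-error tasks unreachable under simulation with no trace that they were skipped, which sits oddly beside a new fixture titled "DBotFindSimilarAlerts error → skipped warning"; a comment on the new loop such as `# '#error#' edges are on-failure branches; mocked scripts never fail, so only success edges are followed` documents the choice, and appending to `result.warnings` when an `#error#` edge is dropped would make the omission visible in verbose output. `run` begins before this hunk and continues after it.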
@@ -32,7 +29,7 @@ class Assertion:
 """A single assertion on the output context or execution path."""
 type: str # context_key_equals | context_key_exists | context_key_absent
- # branch_taken | task_executed | task_not_executed
+ # branch_taken | task_executed | task_not_executed
 target: str # key name, task id, etc.
 expected: Any = None
 description: str = ''
@@ -207,9 +204,9 @@ def report(results: list[TestResult], verbose: bool = False) -> bool:
 if verbose and r.passed:
 ctx = r.execution.context_after if r.execution else {}
 relevant = {k: v for k, v in ctx.items()
- if any(k.startswith(p) for p in
- ('Analysis.', 'Containment.', 'Eradication.',
- 'Recovery.', 'Email.', 'DBotScore'))}
+ if any(k.startswith(p) for p in
+ ('Analysis.', 'Containment.', 'Eradication.',
+ 'Recovery.', 'Email.', 'DBotScore'))}
 if relevant:
 print(f" Context: {json.dumps(relevant, default=str)}")
@@ -271,7 +268,7 @@ def main():
 """)
 )
 parser.add_argument('--category', default='all',
- choices=['email','endpoint','identity','all'])
+ choices=['email','endpoint','identity','foundation','all'])
 parser.add_argument('--suite', default='all',
 choices=['unit','e2e','all'])
 parser.add_argument('--playbook', default=None,
@@ -310,7 +307,9 @@ def main():
 # Filter
 filtered = all_cases
- if args.category != 'all':
+ if args.category == 'all':
+ filtered = [c for c in filtered if c.category != 'foundation']
+ else:
 filtered = [c for c in filtered if c.category == args.category]
 if args.suite != 'all':
 filtered = [c for c in filtered if c.suite == args.suite]
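Review bot: With `--category all` now excluding `foundation` (the `@@ -310` hunk) while `foundation` is an accepted choice (the `@@ -271` hunk), the default run silently skips the new unit fixtures and nothing in the parser tells the user; add `help="Category to run; 'all' runs every category except foundation, which must be requested explicitly"` to the `--category` argument, and a comment above the filter such as `# foundation fixtures exercise sub-playbooks in isolation and are opt-in; 'all' means the use-case categories only`. If the epilog text above the parser (outside this hunk) lists the categories, it should say the same. `main` starts before this hunk and continues after it.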