diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Cortex_Endpoint_Enrichment.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Cortex_Endpoint_Enrichment.yml new file mode 100644 index 000000000000..606301cbd3be --- /dev/null +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Cortex_Endpoint_Enrichment.yml 
@@ -0,0 +1,1431 @@ +id: Cortex ASM - Cortex Endpoint Enrichment +inputs: +- description: IP address of service + key: RemoteIP + playbookInputQuery: + required: false + value: {} +name: Cortex ASM - Cortex Endpoint Enrichment +outputs: [] +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + - "44" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0238da21-5885-4f70-804b-f6eeac7dbcd7 + iscommand: false + name: "" + version: -1 + description: '' + taskid: 0238da21-5885-4f70-804b-f6eeac7dbcd7 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 670, + "y": -40 + } + } + "6": + continueonerror: true + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + public_ip_list: + complex: + root: inputs.RemoteIP + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoints from the start of the result set (start by counting from 0). 
+ id: fa22e7e1-68bc-4759-8ac4-b1a432d13b3f + iscommand: true + name: Core IR Search device + script: Cortex Core - IR|||core-get-endpoints + type: regular + version: -1 + taskid: fa22e7e1-68bc-4759-8ac4-b1a432d13b3f + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 460, + "y": 300 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 79053a42-f0cb-4751-826c-e08a359d3990 + iscommand: false + name: Closing Stage + type: title + version: -1 + description: '' + taskid: 79053a42-f0cb-4751-826c-e08a359d3990 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 60, + "y": 2080 + } + } + "9": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Cortex Core - IR + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + - - left: + iscontext: true + value: + complex: + root: inputs.RemoteIP + operator: isExists + label: "yes" + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of the Core - IR integration enabled and input values are defined to pull enrichment data. + id: 17e91dd6-4328-46db-85de-8fd0b7e50f84 + iscommand: false + name: Is Core IR enabled and input value defined? 
+ type: condition + version: -1 + taskid: 17e91dd6-4328-46db-85de-8fd0b7e50f84 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 460, + "y": 100 + } + } + "10": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + root: Core.Endpoint + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "26" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command returned endpoint information or not. + id: 1616c292-8f7d-4c62-892f-352b62c56290 + iscommand: false + name: Was there a response? + type: condition + version: -1 + taskid: 1616c292-8f7d-4c62-892f-352b62c56290 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 670, + "y": 660 + } + } + "12": + continueonerrortype: "" + id: "12" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "21" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: ASSET-TYPE + val2: + simple: Cortex Endpoint + val3: + simple: n/a + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the type of cloud asset to the grid field for the ASM system IDs object. 
+ id: ba68749e-b4c5-4603-82f6-a18d67da78a1 + iscommand: false + name: Set system IDs grid field (type) + script: GridFieldSetup + type: regular + version: -1 + taskid: ba68749e-b4c5-4603-82f6-a18d67da78a1 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2400, + "y": 1200 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "12" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 20271aae-a5a2-45d2-8a41-9f260804db89 + iscommand: false + name: System IDs + type: title + version: -1 + description: '' + taskid: 20271aae-a5a2-45d2-8a41-9f260804db89 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 2400, + "y": 1070 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "19" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: asm_fields_set_for_cortex_endpoint + value: + simple: "true" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. 
+ id: 8f5e8e13-6670-4273-8c6a-3e7877a502e7 + iscommand: false + name: Set true flag for completed enrichment + script: Set + type: regular + version: -1 + taskid: 8f5e8e13-6670-4273-8c6a-3e7877a502e7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1250, + "y": 2005 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "42" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmenrichmentstatus + keys: + simple: source,record_exists,timestamp + val1: + simple: CORTEX-ENDPOINT + val2: + simple: "true" + val3: + simple: TIMESTAMP + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. 
For example: + `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"` + id: 43d30f3b-f283-40ea-83f5-3a61e5dcf552 + iscommand: false + name: Set ASM enrichment status to true + script: GridFieldSetup + type: regular + version: -1 + taskid: 43d30f3b-f283-40ea-83f5-3a61e5dcf552 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": -140, + "y": 2430 + } + } + "19": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: asm_fields_set_for_cortex_endpoint + operator: isTrue + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "19" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "20" + "yes": + - "18" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check if enrichment was performed by checking for a value of true in the relevant flag variable. + id: a086cad1-cfe6-4dff-84f8-724c46336b3c + iscommand: false + name: Was enrichment performed? + type: condition + version: -1 + taskid: a086cad1-cfe6-4dff-84f8-724c46336b3c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 60, + "y": 2240 + } + } + "20": + continueonerrortype: "" + id: "20" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "42" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmenrichmentstatus + keys: + simple: source,record_exists,timestamp + val1: + simple: CORTEX-ENDPOINT + val2: + simple: "false" + val3: + simple: TIMESTAMP + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. 
Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: + `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"` + id: 77bcd196-a02e-4a58-8a2f-5c9bcca304f2 + iscommand: false + name: Set ASM enrichment status to false + script: GridFieldSetup + type: regular + version: -1 + taskid: 77bcd196-a02e-4a58-8a2f-5c9bcca304f2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 280, + "y": 2430 + } + } + "21": + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "37" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: CORTEX-ENDPOINT-ASSET-ID + val2: + complex: + accessor: endpoint_id + root: Core.Endpoint + val3: + simple: n/a + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the type of cloud asset to the grid field for the ASM system IDs object. + id: feeb2ba4-4e38-4f9d-8df5-da5547fd9a25 + iscommand: false + name: Set system IDs grid field (endpoint ID) + script: GridFieldSetup + type: regular + version: -1 + taskid: feeb2ba4-4e38-4f9d-8df5-da5547fd9a25 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2400, + "y": 1370 + } + } + "22": + continueonerrortype: "" + id: "22" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmprivateip + keys: + simple: ip,source + val1: + complex: + accessor: ip + root: Core.Endpoint + val2: + simple: Cortex Endpoint + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. 
This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + id: e7fc4ec3-ddff-4218-8345-e15db0428b26 + iscommand: false + name: Set private IP grid field + script: GridFieldSetup + type: regular + version: -1 + taskid: e7fc4ec3-ddff-4218-8345-e15db0428b26 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1250, + "y": 1445 + } + } + "23": + continueonerrortype: "" + id: "23" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "22" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a906956a-9dd9-4829-8338-04aa50b151a8 + iscommand: false + name: Private IP + type: title + version: -1 + description: '' + taskid: a906956a-9dd9-4829-8338-04aa50b151a8 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1250, + "y": 1295 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "35" + - "38" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7823bb62-660b-4032-8821-b42673988e82 + iscommand: false + name: Tags + type: title + version: -1 + description: '' + taskid: 7823bb62-660b-4032-8821-b42673988e82 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 620, + "y": 1295 + } + } + "25": + continueonerrortype: "" + id: "25" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmtags + keys: + simple: key,value,source + val1: + complex: + accessor: endpoint_tags + root: Core.Endpoint.tags + val2: + simple: 
n/a + val3: + simple: Cortex Endpoint + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + id: ab07529f-6400-40d3-8b92-a1951fc14cce + iscommand: false + name: Set tags grid field + script: GridFieldSetup + type: regular + version: -1 + taskid: ab07529f-6400-40d3-8b92-a1951fc14cce + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 440, + "y": 1690 + } + } + "26": + continueonerrortype: "" + id: "26" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "14" + - "32" + - "33" + - "36" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b5dd0794-e238-4341-892c-3af9c2ee0157 + iscommand: false + name: Set grid fields + type: title + version: -1 + description: '' + taskid: b5dd0794-e238-4341-892c-3af9c2ee0157 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 680, + "y": 880 + } + } + "27": + continueonerrortype: "" + id: "27" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "28" + note: false + quietmode: 0 + scriptarguments: + text: + complex: + accessor: users + root: Core.Endpoint + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.extract.indicators + id: de72ce19-b695-470f-88b0-32da6b4a9e70 + iscommand: true + name: Extract indicators + script: Builtin|||extractIndicators + type: regular + version: -1 + taskid: de72ce19-b695-470f-88b0-32da6b4a9e70 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1760, + 
"y": 1445 + } + } + "28": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Email + root: ExtractedIndicators + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "28" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "40" + "yes": + - "29" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command extracted an email address or not. + id: 2b145bfe-7056-410c-8fc6-a8aba70fc1cb + iscommand: false + name: Was an email found? + type: condition + version: -1 + taskid: 2b145bfe-7056-410c-8fc6-a8aba70fc1cb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1780, + "y": 1620 + } + } + "29": + continueonerrortype: "" + id: "29" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmserviceownerunrankedraw + keys: + simple: name,email,source,timestamp + val1: + simple: n/a + val2: + complex: + accessor: Email + root: ExtractedIndicators + val3: + simple: Cortex Endpoint + val4: + simple: TIMESTAMP + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. 
For example: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + id: 2757aeaa-88f5-4ece-8dbf-c99616df5ab9 + iscommand: false + name: Set service owner grid field + script: GridFieldSetup + type: regular + version: -1 + taskid: 2757aeaa-88f5-4ece-8dbf-c99616df5ab9 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1940, + "y": 1820 + } + } + "31": + continueonerrortype: "" + id: "31" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "27" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6c43dfdc-58c5-4ebf-8113-3b11457ba3de + iscommand: false + name: Service Owner + type: title + version: -1 + description: '' + taskid: 6c43dfdc-58c5-4ebf-8113-3b11457ba3de + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 1760, + "y": 1290 + } + } + "32": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: ip + root: Core.Endpoint + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "32" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "23" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command returned endpoint information with private IPs. + id: 9378b3c7-59dd-406c-87ee-17a23bb4924e + iscommand: false + name: Are there private IPs? 
+ type: condition + version: -1 + taskid: 9378b3c7-59dd-406c-87ee-17a23bb4924e + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1250, + "y": 1070 + } + } + "33": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_tags + root: Core.Endpoint.tags + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + accessor: server_tags + root: Core.Endpoint.tags + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "33" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "24" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command returned endpoint information with tags. + id: 4d05328c-ffd4-4b38-8305-70f3dd3cfe1a + iscommand: false + name: Are there tags? + type: condition + version: -1 + taskid: 4d05328c-ffd4-4b38-8305-70f3dd3cfe1a + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 610, + "y": 1070 + } + } + "35": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_tags + root: Core.Endpoint.tags + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "35" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "25" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command returned endpoint information with tags. + id: 31416513-da7a-47b6-8742-9aaebc89377f + iscommand: false + name: Are there endpoint tags? 
+ type: condition + version: -1 + taskid: 31416513-da7a-47b6-8742-9aaebc89377f + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 440, + "y": 1450 + } + } + "36": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: users + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "36" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "31" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command returned endpoint user information. + id: d593576f-d572-4d1f-86f5-e0ad293686fd + iscommand: false + name: Are there potential service owners? + type: condition + version: -1 + taskid: d593576f-d572-4d1f-86f5-e0ad293686fd + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 1750, + "y": 1070 + } + } + "37": + continueonerrortype: "" + id: "37" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: CORTEX-ENDPOINT-ASSET-NAME + val2: + complex: + accessor: endpoint_name + root: Core.Endpoint + val3: + simple: n/a + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Sets the type of cloud asset to the grid field for the ASM system IDs object. 
+ id: 4ae4d755-7bc7-414e-8288-0bad8cf55311 + iscommand: false + name: Set system IDs grid field (endpoint name) + script: GridFieldSetup + type: regular + version: -1 + taskid: 4ae4d755-7bc7-414e-8288-0bad8cf55311 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 2400, + "y": 1540 + } + } + "38": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: server_tags + root: Core.Endpoint.tags + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "38" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "39" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Check whether the last command returned endpoint information with tags. + id: 7fdb265a-353f-40b8-89ba-dbfb29fac684 + iscommand: false + name: Are there server tags? + type: condition + version: -1 + taskid: 7fdb265a-353f-40b8-89ba-dbfb29fac684 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 840, + "y": 1450 + } + } + "39": + continueonerrortype: "" + id: "39" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmtags + keys: + simple: key,value,source + val1: + complex: + accessor: server_tags + root: Core.Endpoint.tags + val2: + simple: n/a + val3: + simple: Cortex Endpoint + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. 
For example: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + id: c8e64030-e51c-4030-87f8-8768c79c6a0a + iscommand: false + name: Set tags grid field + script: GridFieldSetup + type: regular + version: -1 + taskid: c8e64030-e51c-4030-87f8-8768c79c6a0a + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 840, + "y": 1690 + } + } + "40": + continueonerrortype: "" + id: "40" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmserviceownerunrankedraw + keys: + simple: name,email,source,timestamp + val1: + complex: + accessor: users + root: Core.Endpoint + val2: + simple: n/a + val3: + simple: Cortex Endpoint + val4: + simple: TIMESTAMP + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. 
For example: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + id: 3a35e422-b63c-4d7e-80f9-8dea114d3f19 + iscommand: false + name: Set service owner grid field + script: GridFieldSetup + type: regular + version: -1 + taskid: 3a35e422-b63c-4d7e-80f9-8dea114d3f19 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1520, + "y": 1820 + } + } + "42": + continueonerrortype: "" + id: "42" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 0fb551b3-7b30-4fc1-8962-4c81b31f788c + iscommand: false + name: Done + type: title + version: -1 + description: '' + taskid: 0fb551b3-7b30-4fc1-8962-4c81b31f788c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 2650 + } + } + "43": + continueonerrortype: "" + id: "43" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "45" + note: false + quietmode: 0 + scriptarguments: + ignore-outputs: + simple: "false" + public_ip_list: + complex: + root: inputs.RemoteIP + separatecontext: false + skipunavailable: true + task: + brand: "" + description: Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using the AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of endpoints from the start of the result set (start by counting from 0). 
+ id: 4d75150d-52dc-4fb0-85e4-3bde0caf5830 + iscommand: true + name: Cortex XDR Search device + script: Cortex XDR - IR|||xdr-get-endpoints + type: regular + version: -1 + taskid: 4d75150d-52dc-4fb0-85e4-3bde0caf5830 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 880, + "y": 300 + } + } + "44": + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Cortex XDR - IR + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + right: + value: {} + - - left: + iscontext: true + value: + complex: + root: inputs.RemoteIP + operator: isExists + label: "yes" + continueonerrortype: "" + id: "44" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "43" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Checks if there is an active instance of the Cortex XDR integration enabled and input values are defined to pull enrichment data. + id: 1d11fce0-171c-4e32-8a80-98e125d2e2cb + iscommand: false + name: Is Cortex XDR enabled and input value defined? 
+ type: condition + version: -1 + taskid: 1d11fce0-171c-4e32-8a80-98e125d2e2cb + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 880, + "y": 100 + } + } + "45": + continueonerrortype: "" + id: "45" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "true" + key: + simple: Core.Endpoint + value: + simple: ${PaloAltoNetworksXDR.Endpoint} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: ecb38b40-d8bc-40cd-8c1b-5792cf7bf7d8 + iscommand: false + name: Set temporary context + script: Set + type: regular + version: -1 + taskid: ecb38b40-d8bc-40cd-8c1b-5792cf7bf7d8 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 880, + "y": 440 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": { + "10_8_#default#": 0.21, + "32_8_#default#": 0.11, + "33_8_#default#": 0.16, + "35_8_#default#": 0.13, + "36_8_#default#": 0.12, + "38_8_#default#": 0.12, + "44_8_#default#": 0.12, + "9_8_#default#": 0.17 + }, + "paper": { + "dimensions": { + "height": 2755, + "width": 2920, + "x": -140, + "y": -40 + } + } + } +tests: +- No tests (auto formatted) +fromversion: 6.8.0 +description: 'This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.' diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Cortex_Endpoint_Enrichment_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Cortex_Endpoint_Enrichment_README.md new file mode 100644 index 000000000000..3a8398b5cd10 --- /dev/null +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Cortex_Endpoint_Enrichment_README.md 
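Review bot: Task 28 decides the service owner from `ExtractedIndicators.Email`, a shared context key that this playbook never clears before task 27 runs `extractIndicators` on `Core.Endpoint.users`, so any email extracted earlier in the same incident by another sub-playbook or by auto-extract would be written by task 29 into `asmserviceownerunrankedraw` with source `Cortex Endpoint`, misattributing ownership. Put a `DeleteContext` task with `key: ExtractedIndicators` in front of task 27 (or gate task 28 on task 27's own output), and consider the same for `Core.Endpoint`: task 6 has `continueonerror: true` and task 45 uses `append: "true"`, so a failed or repeated lookup can leave stale or duplicated endpoint data that task 10 then treats as a hit. Task 43 (`xdr-get-endpoints`) also lacks the `continueonerror: true` that task 6 sets, so an XDR API error aborts the playbook instead of falling through to the closing stage. Because tasks 9 and 44 both run from the start task and both feed task 10, the grid-field tasks may execute twice when both integrations are active, which looks like it would produce duplicate rows in `asmsystemids`, `asmtags` and `asmprivateip` — confirm whether a single source should win. Whether `extractIndicators` also creates indicators from OS usernames depends on the instance's extraction settings; worth confirming that is intended.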
@@ -0,0 +1,44 @@
+This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+* Cortex Core - IR
+* Cortex XDR - IR
+
+### Scripts
+
+* GridFieldSetup
+* Set
+
+### Commands
+
+* core-get-endpoints
+* xdr-get-endpoints
+* extractIndicators
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| RemoteIP | IP address of the service. | | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Cortex ASM - Cortex Endpoint Enrichment](../doc_files/Cortex_ASM_-_Cortex_Endpoint_Enrichment.png)
diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment.yml
index 9e5a95862d7e..ec94ab64077a 100644
--- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment.yml
+++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment.yml
@@ -6,10 +6,10 @@ starttaskid: "0"
 tasks:
 "0":
 id: "0"
- taskid: 707ae055-ad09-4095-8efe-52e6f420c6d6
+ taskid: 8d5dbe75-e3d4-4313-8bb4-3bc416bb3b8a
 type: start
 task:
- id: 707ae055-ad09-4095-8efe-52e6f420c6d6
+ id: 8d5dbe75-e3d4-4313-8bb4-3bc416bb3b8a
 version: -1
 name: ""
 iscommand: false
@@ -36,10 +36,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "1":
 id: "1"
- taskid: afac9400-fc75-453d-846f-273e3bbf13cc
+ taskid: 8fc95915-ad1a-4e94-8934-50053af216e4
 type: condition
 task:
- id: afac9400-fc75-453d-846f-273e3bbf13cc
+ id: 8fc95915-ad1a-4e94-8934-50053af216e4
 version: -1
 name: Is there an IP address?
 description: Determines if the IP address has been supplied to proceed with cloud enrichment.
@@ -79,7 +79,7 @@ tasks:
 {
 "position": {
 "x": 110,
- "y": 1845
+ "y": 1575
 }
 }
 note: false
@@ -91,10 +91,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "3":
 id: "3"
- taskid: 2956f9c9-4e87-450a-8ba6-7f9ebe1b0d52
+ taskid: bae432f1-a99e-44ef-8dfd-c06cd17b9271
 type: title
 task:
- id: 2956f9c9-4e87-450a-8ba6-7f9ebe1b0d52
+ id: bae432f1-a99e-44ef-8dfd-c06cd17b9271
 version: -1
 name: ServiceNow Enrichment
 type: title
@@ -110,7 +110,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 2270
+ "y": 2080
 }
 }
 note: false
@@ -122,10 +122,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "6":
 id: "6"
- taskid: ccfecc2c-304e-4628-838a-be37eb08e210
+ taskid: 60b765de-17d1-47f3-81e2-872a28774620
 type: condition
 task:
- id: ccfecc2c-304e-4628-838a-be37eb08e210
+ id: 60b765de-17d1-47f3-81e2-872a28774620
 version: -1
 name: Was there a result?
 description: Determines if there was a result from the previous command to continue cloud enrichment.
@@ -153,7 +153,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 455
+ "y": 435
 }
 }
 note: false
@@ -165,10 +165,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "7":
 id: "7"
- taskid: fa0c0f0c-d963-436c-8d42-be65f5678b2d
+ taskid: b30f029a-f6fe-496c-8c52-c241983692fb
 type: condition
 task:
- id: fa0c0f0c-d963-436c-8d42-be65f5678b2d
+ id: b30f029a-f6fe-496c-8c52-c241983692fb
 version: -1
 name: What provider is this service?
 description: Determines which cloud provider the service is in order to direct to the correct enrichment.
@@ -309,7 +309,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 1550
+ "y": 1400
 }
 }
 note: false
@@ -321,10 +321,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "11":
 id: "11"
- taskid: e71df879-5af3-4121-8f31-faa72ced0d55
+ taskid: 59d2a4ff-e6e0-4a39-8d0e-9e041fb13f76
 type: condition
 task:
- id: e71df879-5af3-4121-8f31-faa72ced0d55
+ id: 59d2a4ff-e6e0-4a39-8d0e-9e041fb13f76
 version: -1
 name: Is Cortex ASM enabled and is there a service?
 description: Determines if the "Cortex Attack Surface Management" integration instance is configured and that there is a service to continue with enrichment.
@@ -377,7 +377,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 70
+ "y": 0
 }
 }
 note: false
@@ -389,10 +389,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "35":
 id: "35"
- taskid: e424f88e-a401-416a-83c0-e6c9217e38b8
+ taskid: 5827381b-3e20-45e6-8fd0-82e981f15c06
 type: title
 task:
- id: e424f88e-a401-416a-83c0-e6c9217e38b8
+ id: 5827381b-3e20-45e6-8fd0-82e981f15c06
 version: -1
 name: Cloud Enrichment
 type: title
@@ -408,7 +408,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 1405
+ "y": 1265
 }
 }
 note: false
@@ -420,10 +420,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "38":
 id: "38"
- taskid: 90713529-2cdf-4dbf-8f9f-9d359fd604c6
+ taskid: 03fb1120-28e7-4a0e-875d-a3b13dc29a8a
 type: title
 task:
- id: 90713529-2cdf-4dbf-8f9f-9d359fd604c6
+ id: 03fb1120-28e7-4a0e-875d-a3b13dc29a8a
 version: -1
 name: Complete
 type: title
@@ -436,7 +436,7 @@ tasks:
 {
 "position": {
 "x": 110,
- "y": 5960
+ "y": 5610
 }
 }
 note: false
@@ -448,10 +448,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "61":
 id: "61"
- taskid: 7117f72b-178d-4f7f-837a-b81dda158360
+ taskid: 14e6642a-c405-4706-8367-4c8e708c191d
 type: playbook
 task:
- id: 7117f72b-178d-4f7f-837a-b81dda158360
+ id: 14e6642a-c405-4706-8367-4c8e708c191d
 version: -1
 name: Cortex ASM - ServiceNow CMDB Enrichment
 type: playbook
@@ -477,7 +477,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 2420
+ "y": 2210
 }
 }
 note: false
@@ -489,10 +489,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "62":
 id: "62"
- taskid: 5145cb80-4830-4c71-8825-e449be9e5cdc
+ taskid: cb1861a2-5f3d-485e-8577-efc1539fcaf9
 type: title
 task:
- id: 5145cb80-4830-4c71-8825-e449be9e5cdc
+ id: cb1861a2-5f3d-485e-8577-efc1539fcaf9
 version: -1
 name: Tenable.io Enrichment
 type: title
@@ -508,7 +508,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 2780
+ "y": 2540
 }
 }
 note: false
@@ -520,10 +520,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "63":
 id: "63"
- taskid: 1bd916b2-fada-4a0e-82af-498ee53be767
+ taskid: 249a0a6e-ec59-4ecf-8bc9-a653b0cc8dcf
 type: playbook
 task:
- id: 1bd916b2-fada-4a0e-82af-498ee53be767
+ id: 249a0a6e-ec59-4ecf-8bc9-a653b0cc8dcf
 version: -1
 name: Cortex ASM - Tenable.io Enrichment
 description: Given the IP address this playbook enriches Tenable.io information relevant to ASM alerts.
@@ -551,7 +551,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 2930
+ "y": 2670
 }
 }
 note: false
@@ -563,10 +563,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "66":
 id: "66"
- taskid: 767d896c-a426-4936-8b95-9d17d79a9a59
+ taskid: 961f5823-47ec-4caa-8f05-af42d0ef28bc
 type: regular
 task:
- id: 767d896c-a426-4936-8b95-9d17d79a9a59
+ id: 961f5823-47ec-4caa-8f05-af42d0ef28bc
 version: -1
 name: Get external service information
 description: Get service details according to the service ID.
@@ -594,7 +594,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 280
+ "y": 270
 }
 }
 note: false
@@ -606,10 +606,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "67":
 id: "67"
- taskid: 417cd33b-1bae-4810-89d9-9c8bf20da579
+ taskid: 1f83a760-1cd2-4a27-87d3-cfebd7bcb1c3
 type: regular
 task:
- id: 417cd33b-1bae-4810-89d9-9c8bf20da579
+ id: 1f83a760-1cd2-4a27-87d3-cfebd7bcb1c3
 version: -1
 name: Set protocol
 description: commands.local.cmd.set.incident
@@ -631,7 +631,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 1240
+ "y": 1100
 }
 }
 note: false
@@ -643,10 +643,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "68":
 id: "68"
- taskid: ed952f0e-11c6-4885-882d-6e8ff891c607
+ taskid: 02b9a5b3-011a-4174-8102-47b182af6349
 type: regular
 task:
- id: ed952f0e-11c6-4885-882d-6e8ff891c607
+ id: 02b9a5b3-011a-4174-8102-47b182af6349
 version: -1
 name: Infer whether service is used for development (vs. production)
 description: Identify whether the service is a "development" server. Development servers have no external users and run no production workflows. These servers might be named "dev", but they might also be named "qa", "pre-production", "user acceptance testing", or use other non-production terms. This automation uses both public data visible to anyone (`active_classifications` as derived by Xpanse ASM) as well as checking internal data for AI-learned indicators of development systems (`asm_tags` as derived from integrations with non-public systems).
@@ -688,7 +688,7 @@ tasks:
 {
 "position": {
 "x": 110,
- "y": 5610
+ "y": 5280
 }
 }
 note: false
@@ -700,10 +700,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "69":
 id: "69"
- taskid: eee181a6-dd94-4a76-8931-14c08bd4f629
+ taskid: e6a6c9b3-95b7-4c85-8ad6-2c9c165d59ca
 type: playbook
 task:
- id: eee181a6-dd94-4a76-8931-14c08bd4f629
+ id: e6a6c9b3-95b7-4c85-8ad6-2c9c165d59ca
 version: -1
 name: Cortex ASM - Azure Enrichment
 description: Given the IP address, this playbook enriches Azure information relevant to ASM alerts.
@@ -725,7 +725,13 @@ tasks:
 exitCondition: ""
 wait: 1
 max: 0
- view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1830\n }\n}"
+ view: |-
+ {
+ "position": {
+ "x": 1070,
+ "y": 1680
+ }
+ }
 note: false
 timertriggers: []
 ignoreworker: false
@@ -735,10 +741,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "70":
 id: "70"
- taskid: cfc67225-41c6-4c9d-8da6-049af541962a
+ taskid: f4e5d947-fbc0-46af-82c7-581ff23547fc
 type: title
 task:
- id: cfc67225-41c6-4c9d-8da6-049af541962a
+ id: f4e5d947-fbc0-46af-82c7-581ff23547fc
 version: -1
 name: Splunk Enrichment
 type: title
@@ -754,7 +760,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 3100
+ "y": 2830
 }
 }
 note: false
@@ -766,10 +772,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "71":
 id: "71"
- taskid: 77e554f5-6d68-4c68-8b01-a5b02728d97c
+ taskid: 42597166-447c-4f51-8eec-f9ee56a39cfa
 type: playbook
 task:
- id: 77e554f5-6d68-4c68-8b01-a5b02728d97c
+ id: 42597166-447c-4f51-8eec-f9ee56a39cfa
 version: -1
 name: Cortex ASM - Splunk Enrichment
 description: 'Given the IP address this playbook enriches information from Splunk results relevant to ASM alerts. '
@@ -797,7 +803,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 3240
+ "y": 2960
 }
 }
 note: false
@@ -809,10 +815,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "72":
 id: "72"
- taskid: 26a8fb38-eece-4f85-8772-a5bea1ef5bf3
+ taskid: fcf58aef-87c8-44dc-8721-2bfd92278810
 type: playbook
 task:
- id: 26a8fb38-eece-4f85-8772-a5bea1ef5bf3
+ id: fcf58aef-87c8-44dc-8721-2bfd92278810
 version: -1
 name: Cortex ASM - Rapid7 Enrichment
 description: Given the IP address this playbook enriches Rapid7 InsightVM (Nexpose) information relevant to ASM alerts.
@@ -840,7 +846,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 3540
+ "y": 3250
 }
 }
 note: false
@@ -852,10 +858,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "73":
 id: "73"
- taskid: ff4cb6f6-4a95-480d-8372-274be35cd716
+ taskid: 80e14db8-5a6e-4974-8ee9-2592f8faf339
 type: title
 task:
- id: ff4cb6f6-4a95-480d-8372-274be35cd716
+ id: 80e14db8-5a6e-4974-8ee9-2592f8faf339
 version: -1
 name: Rapid7 Enrichment
 type: title
@@ -871,7 +877,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 3410
+ "y": 3120
 }
 }
 note: false
@@ -883,10 +889,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "74":
 id: "74"
- taskid: e0c3749d-a1a8-48d0-839f-f46bced5908a
+ taskid: 511d3c2e-4e40-4b5e-81fa-4448d0617cee
 type: title
 task:
- id: e0c3749d-a1a8-48d0-839f-f46bced5908a
+ id: 511d3c2e-4e40-4b5e-81fa-4448d0617cee
 version: -1
 name: Qualys Enrichment
 type: title
@@ -902,7 +908,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 3710
+ "y": 3410
 }
 }
 note: false
@@ -914,10 +920,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "75":
 id: "75"
- taskid: d89b0824-c2db-4763-8a5f-6abc308a1bbc
+ taskid: 83fc6f7a-6408-417c-8f4c-c294fa71b6af
 type: playbook
 task:
- id: d89b0824-c2db-4763-8a5f-6abc308a1bbc
+ id: 83fc6f7a-6408-417c-8f4c-c294fa71b6af
 version: -1
 name: Cortex ASM - Qualys Enrichment
 description: Given the IP address this playbook enriches information from Qualys assets.
@@ -945,7 +951,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 3860
+ "y": 3540
 }
 }
 note: false
@@ -957,10 +963,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "76":
 id: "76"
- taskid: 68c813fd-d7ac-42c7-816d-491602271006
+ taskid: b2e4a2b0-c98a-4b26-891e-f0e46e3051c3
 type: playbook
 task:
- id: 68c813fd-d7ac-42c7-816d-491602271006
+ id: b2e4a2b0-c98a-4b26-891e-f0e46e3051c3
 version: -1
 name: Cortex ASM - GCP Enrichment
 description: Given the IP address this playbook enriches GCP information relevant to ASM alerts.
@@ -973,7 +979,13 @@ tasks:
 - "3"
 separatecontext: true
 continueonerrortype: ""
- view: "{\n \"position\": {\n \"x\": 790,\n \"y\": 1940\n }\n}"
+ view: |-
+ {
+ "position": {
+ "x": 800,
+ "y": 1790
+ }
+ }
 note: false
 timertriggers: []
 ignoreworker: false
@@ -983,10 +995,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "78":
 id: "78"
- taskid: 2c9ccf25-d6d7-4190-8c99-1fc8070543b8
+ taskid: b47dd9bc-3b60-481b-80e3-7c28f00d8d60
 type: playbook
 task:
- id: 2c9ccf25-d6d7-4190-8c99-1fc8070543b8
+ id: b47dd9bc-3b60-481b-80e3-7c28f00d8d60
 version: -1
 name: Cortex ASM - Service Ownership
 type: playbook
@@ -1003,7 +1015,7 @@ tasks:
 {
 "position": {
 "x": 110,
- "y": 5780
+ "y": 5440
 }
 }
 note: false
@@ -1015,10 +1027,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "79":
 id: "79"
- taskid: 30f84900-27fd-424d-8051-a91c4d87af6d
+ taskid: fc7041a9-0b73-473f-8383-28a7e8f27b5f
 type: playbook
 task:
- id: 30f84900-27fd-424d-8051-a91c4d87af6d
+ id: fc7041a9-0b73-473f-8383-28a7e8f27b5f
 version: -1
 name: Cortex ASM - Prisma Cloud Enrichment
 description: Given the IP address this playbook enriches information from Prisma Cloud.
@@ -1050,7 +1062,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 4190
+ "y": 3830
 }
 }
 note: false
@@ -1062,10 +1074,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "80":
 id: "80"
- taskid: eed7577f-162a-4042-8eaa-c4384adef815
+ taskid: 86ea25e8-35ac-41ed-84b5-79d9edba8c67
 type: condition
 task:
- id: eed7577f-162a-4042-8eaa-c4384adef815
+ id: 86ea25e8-35ac-41ed-84b5-79d9edba8c67
 version: -1
 name: Are there any emails in tags?
 description: Checks if there is email in the tags.
@@ -1113,7 +1125,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 4780
+ "y": 4570
 }
 }
 note: false
@@ -1125,10 +1137,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "81":
 id: "81"
- taskid: f0de2cb0-8219-45d8-8f48-7b60800debd4
+ taskid: 772ea111-00e3-496f-8e31-ca431de2353b
 type: title
 task:
- id: f0de2cb0-8219-45d8-8f48-7b60800debd4
+ id: 772ea111-00e3-496f-8e31-ca431de2353b
 version: -1
 name: Service Owner from Tags
 type: title
@@ -1144,7 +1156,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 5050
+ "y": 4820
 }
 }
 note: false
@@ -1156,10 +1168,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "82":
 id: "82"
- taskid: 89126ba3-8333-4af3-8f83-616e09d691fd
+ taskid: e5e7e221-bd10-41b9-850d-3255de42395c
 type: regular
 task:
- id: 89126ba3-8333-4af3-8f83-616e09d691fd
+ id: e5e7e221-bd10-41b9-850d-3255de42395c
 version: -1
 name: Get current time
 description: |
@@ -1177,7 +1189,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 5190
+ "y": 4950
 }
 }
 note: false
@@ -1189,10 +1201,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "83":
 id: "83"
- taskid: 78f5637d-4f48-41ab-841b-895674d3abcb
+ taskid: bebad225-af88-459a-8922-c895da3b4b22
 type: regular
 task:
- id: 78f5637d-4f48-41ab-841b-895674d3abcb
+ id: bebad225-af88-459a-8922-c895da3b4b22
 version: -1
 name: Set service owners from Tag grid field
 description: |-
@@ -1259,7 +1271,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 5380
+ "y": 5110
 }
 }
 note: false
@@ -1271,10 +1283,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "84":
 id: "84"
- taskid: 050b5d22-2fb0-4814-8276-f08c52d61550
+ taskid: 575e1330-58ac-46f4-865d-90b726f4913a
 type: playbook
 task:
- id: 050b5d22-2fb0-4814-8276-f08c52d61550
+ id: 575e1330-58ac-46f4-865d-90b726f4913a
 version: -1
 name: Cortex ASM - AWS Enrichment
 type: playbook
@@ -1302,7 +1314,13 @@ tasks:
 exitCondition: ""
 wait: 1
 max: 0
- view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2055\n }\n}"
+ view: |-
+ {
+ "position": {
+ "x": 460,
+ "y": 1905
+ }
+ }
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1312,10 +1330,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "85":
 id: "85"
- taskid: 3461edd7-5812-4d17-8400-790a579d22f9
+ taskid: c3569b49-537f-4bec-8669-bc9b871c700d
 type: regular
 task:
- id: 3461edd7-5812-4d17-8400-790a579d22f9
+ id: c3569b49-537f-4bec-8669-bc9b871c700d
 version: -1
 name: Sleep for 1 hour
 description: Sleep for X seconds
@@ -1337,7 +1355,7 @@ tasks:
 {
 "position": {
 "x": 940,
- "y": 640
+ "y": 610
 }
 }
 note: false
@@ -1349,10 +1367,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "86":
 id: "86"
- taskid: 38d3fe39-1010-4002-8b80-ac576f6ff0de
+ taskid: 530bee0a-c292-456c-8fb4-df383e8c1ceb
 type: condition
 task:
- id: 38d3fe39-1010-4002-8b80-ac576f6ff0de
+ id: 530bee0a-c292-456c-8fb4-df383e8c1ceb
 version: -1
 name: Was there a result?
 description: Determines if there was a result from the previous command to continue cloud enrichment.
@@ -1380,7 +1398,7 @@ tasks:
 {
 "position": {
 "x": 940,
- "y": 1040
+ "y": 930
 }
 }
 note: false
@@ -1392,10 +1410,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "87":
 id: "87"
- taskid: c6dcc51d-3f02-4487-83a9-8792a9ffe086
+ taskid: 2639a169-6226-4fc6-89cf-b18e94ab8364
 type: regular
 task:
- id: c6dcc51d-3f02-4487-83a9-8792a9ffe086
+ id: 2639a169-6226-4fc6-89cf-b18e94ab8364
 version: -1
 name: Get external service information
 description: Get service details according to the service ID.
@@ -1423,7 +1441,7 @@ tasks:
 {
 "position": {
 "x": 940,
- "y": 830
+ "y": 770
 }
 }
 note: false
@@ -1435,10 +1453,10 @@ tasks:
 isautoswitchedtoquietmode: false
 '88':
 id: '88'
- taskid: 125cd39f-8428-4912-814d-24dccb282501
+ taskid: b2dbfba1-bd1e-4ad8-856f-7f5588e5e87c
 type: playbook
 task:
- id: 125cd39f-8428-4912-814d-24dccb282501
+ id: b2dbfba1-bd1e-4ad8-856f-7f5588e5e87c
 version: -1
 name: Cortex ASM - On Prem Enrichment
 type: playbook
@@ -1468,7 +1486,13 @@ tasks:
 exitCondition: ''
 wait: 1
 max: 0
- view: "{\n \"position\": {\n \"x\": 1350,\n \"y\": 1720\n }\n}"
+ view: |-
+ {
+ "position": {
+ "x": 1340,
+ "y": 1575
+ }
+ }
 note: false
 timertriggers: []
 ignoreworker: false
@@ -1478,10 +1502,10 @@ tasks:
 isautoswitchedtoquietmode: false
 '89':
 id: '89'
- taskid: e59153b9-d279-4431-85cd-6995de62fd4c
+ taskid: 3a6a9a5b-9caa-49c2-84fc-4278c39c360c
 type: playbook
 task:
- id: e59153b9-d279-4431-85cd-6995de62fd4c
+ id: 3a6a9a5b-9caa-49c2-84fc-4278c39c360c
 version: -1
 name: Cortex ASM - ServiceNow ITSM Enrichment
 type: playbook
@@ -1541,7 +1565,7 @@ tasks:
 {
 "position": {
 "x": 460,
- "y": 2605
+ "y": 2375
 }
 }
 note: false
@@ -1566,20 +1590,20 @@ tasks:
 skipunavailable: false
 task:
 brand: ""
- id: cc19c840-2c26-4065-851e-67a9ef8b327c
+ id: 6c285b25-4a3a-417d-8db9-7bab605df0c9
 iscommand: false
 name: Prisma Cloud Enrichment
 type: title
 version: -1
 description: ''
- taskid: cc19c840-2c26-4065-851e-67a9ef8b327c
+ taskid: 6c285b25-4a3a-417d-8db9-7bab605df0c9
 timertriggers: []
 type: title
 view: |-
 {
 "position": {
 "x": 460,
- "y": 4030
+ "y": 3700
 }
 }
 "91":
@@ -1597,20 +1621,20 @@ tasks:
 skipunavailable: false
 task:
 brand: ""
- id: 160f232f-015d-41f0-8607-f5907e0ac530
+ id: 330ce148-45fe-4a28-8b87-b6930b300857
 iscommand: false
 name: Active Directory Enrichment
 type: title
 version: -1
 description: ''
- taskid: 160f232f-015d-41f0-8607-f5907e0ac530
+ taskid: 330ce148-45fe-4a28-8b87-b6930b300857
 timertriggers: []
 type: title
 view: |-
 {
 "position": {
 "x": 460,
- "y": 4380
+ "y": 3990
 }
 }
 "93":
@@ -1626,7 +1650,7 @@ tasks:
 wait: 1
 nexttasks:
 '#none#':
- - "80"
+ - "95"
 note: false
 quietmode: 0
 scriptarguments:
@@ -1637,20 +1661,91 @@ tasks:
 task:
 brand: ""
 description: Playbook to enriches Service owner in Azure directory.
- id: 3a35a0de-0312-4243-8dd6-31f69c85dc65
+ id: 64221fe1-7d24-4116-8433-7dde23e88a2b
 iscommand: false
 name: Cortex ASM - Active Directory Enrichment
 playbookId: Cortex ASM - Active Directory Enrichment
 type: playbook
 version: -1
- taskid: 3a35a0de-0312-4243-8dd6-31f69c85dc65
+ taskid: 64221fe1-7d24-4116-8433-7dde23e88a2b
 timertriggers: []
 type: playbook
 view: |-
 {
 "position": {
 "x": 460,
- "y": 4550
+ "y": 4120
+ }
+ }
+ "94":
+ continueonerrortype: ""
+ id: "94"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ""
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - "80"
+ note: false
+ quietmode: 0
+ scriptarguments:
+ RemoteIP:
+ simple: ${inputs.RemoteIP}
+ separatecontext: true
+ skipunavailable: false
+ task:
+ brand: ""
+ description: This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.
+ id: 40eef9bd-ae5a-4ea4-8a5c-9c3d55dabdd2
+ iscommand: false
+ name: Cortex ASM - Cortex Endpoint Enrichment
+ playbookId: Cortex ASM - Cortex Endpoint Enrichment
+ type: playbook
+ version: -1
+ taskid: 40eef9bd-ae5a-4ea4-8a5c-9c3d55dabdd2
+ timertriggers: []
+ type: playbook
+ view: |-
+ {
+ "position": {
+ "x": 460,
+ "y": 4410
+ }
+ }
+ "95":
+ continueonerrortype: ""
+ id: "95"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - "94"
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ""
+ id: 2ec48b64-a84e-41ce-8a75-52385e333823
+ iscommand: false
+ name: Cortex Endpoint Enrichment
+ type: title
+ version: -1
+ description: ''
+ taskid: 2ec48b64-a84e-41ce-8a75-52385e333823
+ timertriggers: []
+ type: title
+ view: |-
+ {
+ "position": {
+ "x": 460,
+ "y": 4280
 }
 }
 view: |-
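Review bot: The new task "94" carries a `loop` block of `exitCondition: ""`, `iscommand: false`, `max: 100`, `wait: 1`, which differs from the other playbook-type tasks in this file ("69", "84", "88" use `exitCondition: ""`, `wait: 1`, `max: 0` with no `iscommand` key); unless the endpoint enrichment is meant to iterate, align it with its siblings by changing to `max: 0` and dropping `iscommand: false`. Task "94" is also now on the only path from the Active Directory step to "Are there any emails in tags?" (task "93" is rewired from "80" to "95" in the preceding hunk, and "95" leads straight to "94"), yet it sets `continueonerrortype: ""` with no `continueonerror`, so unless the sub-playbook handles a failed endpoint lookup internally, an error there halts the parent before the service-ownership steps — worth confirming that is intended, or adding `continueonerror: true` to the task. The `playbookId` here is `Cortex ASM - Cortex Endpoint Enrichment`, whereas the updated Cortex_ASM_-_Enrichment_README.md in this commit lists the sub-playbook as `Cortex ASM - Cortex Endpoint Enrichment_Core_Combo`; one of the two names is wrong. The definition of task "93" begins outside this hunk.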
@@ -1665,8 +1760,8 @@ view: |-
 },
 "paper": {
 "dimensions": {
- "height": 6155,
- "width": 1620,
+ "height": 5805,
+ "width": 1610,
 "x": 110,
 "y": -130
 }
diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment_README.md
index 11c992e80940..75f8814c0cb3 100644
--- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment_README.md
+++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Enrichment_README.md
@@ -7,14 +7,15 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
 
 * Cortex ASM - AWS Enrichment
+* Cortex ASM - Active Directory Enrichment
 * Cortex ASM - Azure Enrichment
+* Cortex ASM - Cortex Endpoint Enrichment_Core_Combo
 * Cortex ASM - GCP Enrichment
 * Cortex ASM - On Prem Enrichment
 * Cortex ASM - Prisma Cloud Enrichment
 * Cortex ASM - Qualys Enrichment
-* Cortex ASM - Rapid7 Enrichment
-* Cortex ASM - Service Ownership
 * Cortex ASM - ServiceNow CMDB Enrichment
+* Cortex ASM - ServiceNow ITSM Enrichment
 * Cortex ASM - Splunk Enrichment
 * Cortex ASM - Tenable.io Enrichment
 
@@ -25,9 +26,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Scripts
 
 * Sleep
+* InferWhetherServiceIsDev
 * GetTime
 * GridFieldSetup
-* InferWhetherServiceIsDev
 
 ### Commands
 
diff --git a/Packs/CortexAttackSurfaceManagement/README.md b/Packs/CortexAttackSurfaceManagement/README.md
index 5b61ca9a5888..da9f97d5fd47 100644
--- a/Packs/CortexAttackSurfaceManagement/README.md
+++ b/Packs/CortexAttackSurfaceManagement/README.md
@@ -77,7 +77,7 @@ The main active response playbook is the `Cortex ASM - ASM Alert` playbook. This
 - [Cortex ASM - ASM Alert](#cortex-asm---asm-alert)
 - [Cortex ASM - AWS Enrichment](#cortex-asm---aws-enrichment)
 - [Cortex ASM - Azure Enrichment](#cortex-asm---azure-enrichment)
- - [Cortex ASM - Decision](#cortex-asm---decision)
+ - [Cortex ASM - Cortex Endpoint Enrichment](#cortex-asm---cortex-endpoint-enrichment)
 - [Cortex ASM - Detect Service](#cortex-asm---detect-service)
 - [Cortex ASM - Email Notification](#cortex-asm---email-notification)
 - [Cortex ASM - Enrichment](#cortex-asm---enrichment)
@@ -133,11 +133,11 @@ A playbook that given the IP address enriches Azure information relevant to ASM
 
 ![Cortex ASM - Azure Enrichment](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Azure_Enrichment.png)
 
-#### Cortex ASM - Decision
+#### Cortex ASM - Cortex Endpoint Enrichment
 
-A playbook that returns "RemediationAction" options based on meeting "Automated Remediation Requirements" as well as whether ServiceNowV2 integration is set up.
+This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes.
 
-![Cortex ASM - Decision](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Decision.png)
+![Cortex ASM - Cortex Endpoint Enrichment](https://raw.githubusercontent.com/demisto/content/935a77339c2b1ecde3b9ea64992018bd625c61ed/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Cortex_Endpoint_Enrichment.png)
 
 #### Cortex ASM - Detect Service
 
diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_27.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_27.md
new file mode 100644
index 000000000000..6d805fcaaf15
--- /dev/null
+++ b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_27.md
@@ -0,0 +1,10 @@
+
+#### Playbooks
+
+##### New: Cortex ASM - Cortex Endpoint Enrichment
+
+- New: This playbook is used to pull information from Cortex Endpoint (XSIAM/XDR) systems for enrichment purposes. (Available from Cortex XSOAR 6.8.0).
+
+##### Cortex ASM - Enrichment
+
+Updated the playbook to include the new **Cortex ASM - Cortex Endpoint Enrichment** playbook.
diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Cortex_Endpoint_Enrichment.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Cortex_Endpoint_Enrichment.png
new file mode 100644
index 000000000000..a6503fb4928e
Binary files /dev/null and b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Cortex_Endpoint_Enrichment.png differ
diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Enrichment.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Enrichment.png
index 2444a846ae1c..c72d04f230fe 100644
Binary files a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Enrichment.png and b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Enrichment.png differ
diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json
index 13486956b4a7..a0fd96a534ef 100644
--- a/Packs/CortexAttackSurfaceManagement/pack_metadata.json
+++ b/Packs/CortexAttackSurfaceManagement/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cortex Attack Surface Management",
 "description": "Content for working with Attack Surface Management (ASM).",
 "support": "xsoar",
- "currentVersion": "1.7.26",
+ "currentVersion": "1.7.27",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",