From 2894b5b56f173ce002b44338873af74ee6bb7a8d Mon Sep 17 00:00:00 2001
From: TalNos <112805149+TalNos@users.noreply.github.com>
Date: Wed, 15 May 2024 19:48:26 +0300
Subject: [PATCH] Fixes For 'Cortex XDR - Large Upload' Playbook (#34343)

* changed the conditions in task number 3 and 69
* RN
* RN
* removed the inputs.SrcHostname, inputs.SrcIPAddress, inputs.Username used within tasks number 112 and 56
* added browser names to secrets ignore file
* added FW app ID to secrets ignore file
* revert changes in secrets ignore file
* added browser names and FW app ID to secrets ignore file
---
 Packs/CortexXDR/.secrets-ignore | 13 ++
 .../Playbooks/Cortex_XDR_-_Large_Upload.yml | 130 ++++++++++++------
 .../Cortex_XDR_-_Large_Upload_README.md | 12 +-
 Packs/CortexXDR/ReleaseNotes/6_1_34.md | 7 +
 Packs/CortexXDR/pack_metadata.json | 2 +-
 5 files changed, 114 insertions(+), 50 deletions(-)
 create mode 100644 Packs/CortexXDR/ReleaseNotes/6_1_34.md

diff --git a/Packs/CortexXDR/.secrets-ignore b/Packs/CortexXDR/.secrets-ignore
index 1ba51880fdf..6e8cae4587c 100644
--- a/Packs/CortexXDR/.secrets-ignore
+++ b/Packs/CortexXDR/.secrets-ignore
@@ -93,3 +93,16 @@ dummy@dummy.com
 dummy1@dummy.com
 dummy2@dummy.com
 dummy3@dummy.com
+brave.exe
+msedge.exe
+iexplore.exe
+Safari.exe
+Opera.exe
+Firefox.exe
+Chrome.exe
+ip
+tcp
+udp
+ssl
+syslog
+quic
\ No newline at end of file
diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload.yml b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload.yml
index c297ca567bd..a98327018c8 100644
--- a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload.yml
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload.yml
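Review bot: The new `.secrets-ignore` entries `ip`, `tcp`, `udp` and `ssl` are very short generic tokens; if the secrets check applies the ignore list as substring matching rather than whole-token matching, they would also suppress any detected credential that merely contains those letters, which most base64 or hex material does. Confirm how the list is matched before merging, and if it is substring-based, add the exact literal that produced the false positive (the FW app ID value mentioned in the commit message) instead of protocol names. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the previous revision had.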
@@ -67,10 +67,10 @@ tasks: isautoswitchedtoquietmode: false "3": id: "3" - taskid: 2864f683-d804-43bb-8946-4d90039fc751 + taskid: f8019971-848d-42ea-8092-41468c83a05c type: condition task: - id: 2864f683-d804-43bb-8946-4d90039fc751 + id: f8019971-848d-42ea-8092-41468c83a05c version: -1 name: Found Results? description: Determine if previous false positive incidents have been detected with similar characteristics. @@ -86,15 +86,13 @@ tasks: conditions: - label: "yes" condition: - - - operator: isEqualString + - - operator: isTrue left: value: complex: root: DBotFindSimilarIncidents + accessor: isSimilarIncidentFound iscontext: true - right: - value: - simple: "True" ignorecase: true - - operator: containsGeneral left: @@ -1824,10 +1822,10 @@ tasks: isautoswitchedtoquietmode: false "56": id: "56" - taskid: 6171569a-753b-4669-840f-1929e5f5ad53 + taskid: f48d9fbb-df56-480b-81a9-83d55cc474a5 type: playbook task: - id: 6171569a-753b-4669-840f-1929e5f5ad53 + id: f48d9fbb-df56-480b-81a9-83d55cc474a5 version: -1 name: Cortex XDR - Isolate Endpoint description: This playbook accepts an XDR endpoint ID and isolates it using the 'Palo Alto Networks Cortex XDR - Investigation and Response' integration. @@ -1845,25 +1843,24 @@ tasks: accessor: agent_id transformers: - operator: uniq - - operator: SetIfEmpty - args: - applyIfEmpty: - value: - simple: "true" - defaultValue: - value: - simple: Missing endpoint ID.Answers.0 - iscontext: true hostname: complex: - root: inputs.SrcHostname + root: PaloAltoNetworksXDR.Incident.alerts transformers: + - operator: append + args: + item: + value: + simple: PaloAltoNetworksXDR.OriginalAlert._all_events.agent_hostname + iscontext: true - operator: uniq + accessor: host_name ip_list: complex: - root: inputs.SrcIPAddress + root: PaloAltoNetworksXDR.OriginalAlert._all_events transformers: - operator: uniq + accessor: action_local_ip separatecontext: true continueonerrortype: "" loop: 
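Review bot: `ignorecase: true` survives under the new `isTrue` condition in the `@@ -86,15 +86,13 @@` hunk even though the `right` operand it qualified was deleted in the same hunk; for a unary operator it is inert and reads as a leftover, so end the branch at `iscontext: true` and drop the `ignorecase` line. The `conditions` list of task 3 continues past the hunk, so the sibling `containsGeneral` branch could not be checked.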
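Review bot: Removing the `SetIfEmpty` transformer from `endpoint_id` in the `@@ -1845,25 +1843,24 @@` hunk deletes the only fallback for an empty `agent_id`, so task 56 ("Cortex XDR - Isolate Endpoint") can now be invoked with an empty endpoint list, and a containment step that silently does nothing is easy to miss. If the `Missing endpoint ID` data-collection task is still part of the playbook, its `Answers.0` output is now unreferenced and the task should be re-wired or removed; if it was removed, a condition task that verifies `PaloAltoNetworksXDR.Incident.alerts.agent_id` is non-empty before task 56 would make the gap explicit. The `root` of the `endpoint_id` input sits above the hunk, so the source path itself could not be checked.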
@@ -2367,10 +2364,10 @@ tasks: isautoswitchedtoquietmode: false "78": id: "78" - taskid: aeec3291-f750-4743-8442-77286d075ff8 + taskid: f70c3820-f3f8-47d0-89c4-12976b23af85 type: condition task: - id: aeec3291-f750-4743-8442-77286d075ff8 + id: f70c3820-f3f8-47d0-89c4-12976b23af85 version: -1 name: Check Uploaded Data Volume description: Determines if the amount of data uploaded to an external host exceeds the defined threshold amount. @@ -2398,7 +2395,7 @@ tasks: flags: {} groups: value: - simple: "2" + simple: "1" keys: {} regex: value: @@ -2408,7 +2405,7 @@ tasks: value: simple: GB ignorecase: true - - operator: greaterThanOrEqual + - operator: isEqualString left: value: complex: @@ -2425,19 +2422,12 @@ tasks: regex: value: simple: uploaded\s(.*(MB|GB|TB)) - - operator: StripChars - args: - chars: - value: - simple: MB - - operator: SumList iscontext: true right: value: - complex: - root: inputs.Transferred_Data _Threshold - iscontext: true - - operator: isEqualString + simple: TB + ignorecase: true + - operator: greaterThanOrEqual left: value: complex: @@ -2449,16 +2439,32 @@ tasks: flags: {} groups: value: - simple: "2" + simple: "0" keys: {} regex: value: simple: uploaded\s(.*(MB|GB|TB)) + - operator: StripChars + args: + chars: + value: + simple: MB + - operator: RegexGroups + args: + flags: {} + groups: + value: + simple: "0" + keys: {} + regex: + value: + simple: (\d+)\. iscontext: true right: value: - simple: TB - ignorecase: true + complex: + root: inputs.Transferred_Data _Threshold + iscontext: true continueonerrortype: "" view: |- { @@ -2978,10 +2984,10 @@ tasks: isautoswitchedtoquietmode: false "112": id: "112" - taskid: 2e32afa9-757a-4aa0-83b1-2736da8d3bc0 + taskid: 95e865d5-ec80-49d2-8982-b1db90c547a6 type: condition task: - id: 2e32afa9-757a-4aa0-83b1-2736da8d3bc0 + id: 95e865d5-ec80-49d2-8982-b1db90c547a6 version: -1 name: Calculate Verdict description: Estimate the verdict for the 'large upload HTTPS' Cortex XDR alerts. 
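Review bot: The `RegexGroups` step added in the `@@ -2449,16 +2439,32 @@` hunk uses `simple: (\d+)\.`, which only matches when the uploaded amount contains a decimal point; an integer amount such as `uploaded 512 MB` yields no match, the left operand is empty, and the `greaterThanOrEqual` comparison with `inputs.Transferred_Data _Threshold` can never fire for it. Anchoring instead of requiring the dot keeps the integer part in both cases: `simple: ^(\d+)`. This assumes `RegexGroups` returns the first capture group for `groups: "0"`, which is what the earlier `groups: "0"` on `uploaded\s(.*(MB|GB|TB))` in the same hunk already relies on — please confirm against the script. The `view` block scalar that closes the hunk continues past it.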
@@ -3162,7 +3168,7 @@ tasks: iscontext: true right: value: - simple: inputs.Username + simple: PaloAltoNetworksXDR.OriginalAlert._all_events.causality_actor_primary_normalized_user.username iscontext: true ignorecase: true accessor: risk_level @@ -3184,7 +3190,17 @@ tasks: iscontext: true right: value: - simple: inputs.SrcHostname + simple: PaloAltoNetworksXDR.Incident.alerts.host_name + iscontext: true + ignorecase: true + - operator: isEqualString + left: + value: + simple: PaloAltoNetworksXDR.RiskyHost.id + iscontext: true + right: + value: + simple: PaloAltoNetworksXDR.OriginalAlert._all_events.agent_hostname iscontext: true ignorecase: true accessor: 'risk_level ' @@ -3695,10 +3711,10 @@ tasks: isautoswitchedtoquietmode: false "114": id: "114" - taskid: 1a69ce4f-fcbe-40e7-8164-c4d8dc304ac4 + taskid: 422ddc12-44eb-4b4b-8508-cd59c892834f type: playbook task: - id: 1a69ce4f-fcbe-40e7-8164-c4d8dc304ac4 + id: 422ddc12-44eb-4b4b-8508-cd59c892834f version: -1 name: Entity Enrichment - Generic v3 description: Enrich entities using one or more integrations. @@ -3809,6 +3825,34 @@ tasks: accessor: username transformers: - operator: uniq + CVE: + complex: + root: CVE + accessor: ID + Email: + complex: + root: Account + accessor: Email.Address + transformers: + - operator: uniq + MD5: + complex: + root: File + accessor: MD5 + transformers: + - operator: uniq + SHA1: + complex: + root: File + accessor: SHA1 + transformers: + - operator: uniq + URL: + complex: + root: URL + accessor: Data + transformers: + - operator: uniq separatecontext: true continueonerrortype: "" loop: @@ -4013,4 +4057,4 @@ tests: - No tests (auto formatted) fromversion: 6.10.0 marketplaces: -- xsoar \ No newline at end of file +- xsoar diff --git a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload_README.md b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload_README.md index 7c7f4f299e9..5bd96c24a5c 100644 --- a/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload_README.md 
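Review bot: The filter group extended in the `@@ -3184,7 +3190,17 @@` hunk ends with the context line `accessor: 'risk_level '`, whose quoted trailing space reads a key literally named `risk_level ` on `PaloAltoNetworksXDR.RiskyHost`, while the sibling filter in the `@@ -3162,7 +3168,7 @@` hunk uses `accessor: risk_level`. Unless that field really carries a trailing space, the host-risk filter evaluates against a missing key and the two hostname comparisons added here never contribute to the verdict; verify against the integration's outputs and, if it is a typo, change it to `accessor: risk_level`. The added `isEqualString` branches compare `PaloAltoNetworksXDR.RiskyHost.id` with `PaloAltoNetworksXDR.Incident.alerts.host_name` or `_all_events.agent_hostname`; if one side is an FQDN and the other a short name, `ignorecase` alone will not make them match, so confirm the two fields share a format.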
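Review bot: In the `@@ -3809,6 +3825,34 @@` hunk the new `CVE` input is the only one of the five added inputs without a `- operator: uniq` transformer, so duplicate CVE IDs across alerts are passed to "Entity Enrichment - Generic v3" as-is; for consistency with `Email`, `MD5`, `SHA1` and `URL` add `transformers:` / `- operator: uniq` under `accessor: ID`. The `loop` stanza that follows continues outside the hunk.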
+++ b/Packs/CortexXDR/Playbooks/Cortex_XDR_-_Large_Upload_README.md @@ -21,15 +21,15 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Block Indicators - Generic v3 -* Entity Enrichment - Generic v3 +* User Investigation - Generic * TIM - Indicator Relationships Analysis +* Entity Enrichment - Generic v3 +* Command-Line Analysis +* Threat Hunting - Generic * Cortex XDR - Isolate Endpoint * Cortex XDR - Endpoint Investigation * Cortex XDR - Search and Compare Process Executions - XDR Alerts -* User Investigation - Generic -* Threat Hunting - Generic -* Command-Line Analysis +* Block Indicators - Generic v3 ### Integrations @@ -37,8 +37,8 @@ This playbook uses the following sub-playbooks, integrations, and scripts. ### Scripts -* Set * DBotFindSimilarIncidents +* Set ### Commands diff --git a/Packs/CortexXDR/ReleaseNotes/6_1_34.md b/Packs/CortexXDR/ReleaseNotes/6_1_34.md new file mode 100644 index 00000000000..fb7c1cac865 --- /dev/null +++ b/Packs/CortexXDR/ReleaseNotes/6_1_34.md @@ -0,0 +1,7 @@ + +#### Playbooks + +##### Cortex XDR - Large Upload + +- Fixed an issue where incorrect object was configured for the *'Found Results?'* conditional task. +- Added additional regex expressions to the *'Check Uploaded Data Volume'* task in order to remove decimal points from the amount of uploaded data before it is compared with the *'Transferred_Data _Threshold'* playbook input. \ No newline at end of file diff --git a/Packs/CortexXDR/pack_metadata.json b/Packs/CortexXDR/pack_metadata.json index b4a8994b6cd..0ae6cb58006 100644 --- a/Packs/CortexXDR/pack_metadata.json +++ b/Packs/CortexXDR/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Cortex XDR by Palo Alto Networks", "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.", "support": "xsoar", - "currentVersion": "6.1.33", + "currentVersion": "6.1.34", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",