Cortex xdr incident handling enhancement (demisto#33298)
* added key to continue investigation and response

* RN

* Update 6_1_22.md

* fix conflicts

* change key name to 'ContinueResponseForAlerts'

* fix RN conflicts

* Update Cortex_XDR_Alerts_Handling_v2.yml

removed the unnecessary char

* fixes after review

* updated the doc files
OmriItzhak authored Mar 19, 2024
1 parent 8df0e25 commit bd1dbd7
Showing 5 changed files with 120 additions and 36 deletions.
124 changes: 101 additions & 23 deletions Packs/CortexXDR/Playbooks/Cortex_XDR_Alerts_Handling_v2.yml
Expand Up @@ -59,14 +59,14 @@ tasks:
- "14"
Identity Analytics:
- "19"
Large Upload:
- "20"
Malware:
- "9"
Port Scan:
- "8"
RDP Brute-Force:
- "13"
Large Upload:
- "20"
separatecontext: false
conditions:
- label: Malware
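Review bot: moving the `Large Upload` mapping from its alphabetical slot after `Identity Analytics` to after `RDP Brute-Force` changes nothing functionally (YAML mapping order is irrelevant), but it breaks the alphabetical ordering the rest of this switch follows and adds diff noise; leave it in place unless a formatter produced this order.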
Expand Down Expand Up @@ -319,7 +319,7 @@ tasks:
description: ''
nexttasks:
'#none#':
- "5"
- "21"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -448,7 +448,7 @@ tasks:
view: |-
{
"position": {
"x": 920,
"x": 480,
"y": 405
}
}
Expand Down Expand Up @@ -480,7 +480,7 @@ tasks:
brand: ""
nexttasks:
'#none#':
- "5"
- "21"
scriptarguments:
endpoint_id:
complex:
Expand Down Expand Up @@ -585,7 +585,7 @@ tasks:
view: |-
{
"position": {
"x": 480,
"x": 1800,
"y": 405
}
}
Expand Down Expand Up @@ -675,7 +675,7 @@ tasks:
view: |-
{
"position": {
"x": -1330,
"x": -1580,
"y": 750
}
}
Expand Down Expand Up @@ -732,7 +732,7 @@ tasks:
view: |-
{
"position": {
"x": -1330,
"x": -1580,
"y": 405
}
}
Expand All @@ -757,7 +757,7 @@ tasks:
brand: ""
nexttasks:
'#default#':
- "5"
- "22"
Cryptojacking:
- "10"
Data Exfiltration:
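Review bot: routing `'#default#'` through task "22" before task "5" means every alert category that has no branch of its own in this switch, not only the categories listed here, is now recorded under `ContinueResponseForAlerts` as unhandled. That matches the release note, but a sentence in the playbook description would tell authors who add a new category later that the default path now has a side effect on context.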
Expand Down Expand Up @@ -984,7 +984,7 @@ tasks:
view: |-
{
"position": {
"x": -1330,
"x": -1580,
"y": 560
}
}
Expand Down Expand Up @@ -1261,7 +1261,7 @@ tasks:
view: |-
{
"position": {
"x": -430,
"x": -400,
"y": 405
}
}
Expand Down Expand Up @@ -1326,7 +1326,7 @@ tasks:
view: |-
{
"position": {
"x": -2170,
"x": -2420,
"y": 750
}
}
Expand Down Expand Up @@ -1421,7 +1421,7 @@ tasks:
view: |-
{
"position": {
"x": -1750,
"x": -2000,
"y": 750
}
}
Expand Down Expand Up @@ -1472,7 +1472,7 @@ tasks:
view: |-
{
"position": {
"x": -2590,
"x": -2840,
"y": 750
}
}
Expand Down Expand Up @@ -1552,7 +1552,7 @@ tasks:
view: |-
{
"position": {
"x": 1360,
"x": 920,
"y": 405
}
}
Expand Down Expand Up @@ -1665,7 +1665,7 @@ tasks:
view: |-
{
"position": {
"x": -870,
"x": -840,
"y": 405
}
}
Expand Down Expand Up @@ -1736,7 +1736,7 @@ tasks:
view: |-
{
"position": {
"x": 1790,
"x": 1360,
"y": 405
}
}
Expand All @@ -1747,24 +1747,102 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"21":
id: "21"
taskid: 173fd476-12f1-403c-839d-8087028dbf73
type: regular
task:
id: 173fd476-12f1-403c-839d-8087028dbf73
version: -1
name: Set Alert ID to continue with the investigation and response
description: Set a value in context under the key you entered.
scriptName: Set
type: regular
iscommand: false
brand: ""
nexttasks:
'#none#':
- "5"
scriptarguments:
append:
simple: "true"
key:
simple: ContinueResponseForAlerts
value:
simple: ${inputs.alert_id}
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 2230,
"y": 580
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"22":
id: "22"
taskid: b9efc9da-9971-4e94-885f-ad668b030f3c
type: regular
task:
id: b9efc9da-9971-4e94-885f-ad668b030f3c
version: -1
name: Set Alert ID to continue with the investigation and response
description: Set a value in context under the key you entered.
scriptName: Set
type: regular
iscommand: false
brand: ""
nexttasks:
'#none#':
- "5"
scriptarguments:
append:
simple: "true"
key:
simple: ContinueResponseForAlerts
value:
simple: ${inputs.alert_id}
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": -1160,
"y": 750
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
view: |-
{
"linkLabelsPosition": {
"12_15_IAM User Access": 0.74,
"12_16_Token Theft": 0.58,
"1_11_Cloud": 0.9,
"1_14_First SSO Access": 0.86,
"1_18_ Remote PsExec with LOLBIN command": 0.8,
"1_18_ Remote PsExec with LOLBIN command": 0.67,
"1_19_Identity Analytics": 0.9,
"1_20_Large Upload": 0.9,
"1_20_Large Upload": 0.89,
"1_7_#default#": 0.9,
"1_9_Malware": 0.65
"1_9_Malware": 0.9
},
"paper": {
"dimensions": {
"height": 925,
"width": 5200,
"x": -2590,
"width": 5450,
"x": -2840,
"y": 70
}
}
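Review bot: tasks "21" and "22" are identical apart from `taskid` and position, and both carry the generic Set script description ("Set a value in context under the key you entered."); give them a description that says what is recorded (the `${inputs.alert_id}` of an alert this playbook did not fully handle, appended under `ContinueResponseForAlerts`) and which playbook consumes it, and if the duplication exists only for layout, say so there. Worth stating too that with `append: "true"` the key accumulates one ID per alert across loop iterations, so consumers should expect a list rather than a single value.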
Expand Down Expand Up @@ -1810,4 +1888,4 @@ tests:
- Test XDR Playbook
fromversion: 6.5.0
marketplaces:
- xsoar
- xsoar
20 changes: 8 additions & 12 deletions Packs/CortexXDR/Playbooks/Cortex_XDR_incident_handling_v3_6_5.yml
Expand Up @@ -1648,30 +1648,28 @@ tasks:
task:
id: 3ba84f9e-aaf6-4bd3-8d22-cfc00499e075
version: -1
name: Should continue with the playbook's investigation and response?
description: Checks if the playbook should continue or exit.
name: Check whether there are any unhandled alerts?
description: Checks if there are any unhandled alerts and the playbook should continue with the investigation and response or exit.
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "20"
"yes":
- "87"
"yes":
- "20"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: inList
- - operator: isExists
left:
value:
complex:
root: PaloAltoNetworksXDR.Incident.alerts
accessor: name
root: ContinueResponseForAlerts
iscontext: true
right:
value:
simple: Unusual allocation of multiple cloud compute resources
value: {}
continueonerrortype: ""
view: |-
{
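Review bot: both branches of this condition now lead to task "20" (`'#default#'` is unchanged at "20" and `"yes"` changed from "87" to "20"), so the new `isExists` check on `ContinueResponseForAlerts` has no effect on the flow and task "87" is no longer reachable from here. If, as the release note says, the playbook should continue with investigation and response only when unhandled alerts were recorded, one of the two branches needs a distinct target. Minor: the task name is a statement with a trailing question mark; either "Are there any unhandled alerts?" or drop the "?".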
Expand Down Expand Up @@ -1981,9 +1979,7 @@ view: |-
"44_46_yes": 0.41,
"52_11_#default#": 0.43,
"52_53_yes": 0.63,
"53_11_#default#": 0.31,
"79_20_#default#": 0.35,
"79_87_yes": 0.89
"53_11_#default#": 0.31
},
"paper": {
"dimensions": {
Expand Down
10 changes: 10 additions & 0 deletions Packs/CortexXDR/ReleaseNotes/6_1_24.md
@@ -0,0 +1,10 @@

#### Playbooks

##### Cortex XDR incident handling v3

Updated the conditional task that determines whether to continue with the investigation and response to any unhandled alerts if they are found.

##### Cortex XDR Alerts Handling v2

Added a new task to set context key for unhandled alerts.
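Review bot: the release notes should name the context key the two playbooks now share (`ContinueResponseForAlerts`, appended by Cortex XDR Alerts Handling v2 and checked with `isExists` by Cortex XDR incident handling v3), since anyone calling Alerts Handling v2 from a custom playbook needs to know which key to read; also "set context key" should read "set a context key".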
Binary file modified Packs/CortexXDR/doc_files/Cortex_XDR_Alerts_Handling_v2.png
2 changes: 1 addition & 1 deletion Packs/CortexXDR/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Cortex XDR by Palo Alto Networks",
"description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
"support": "xsoar",
"currentVersion": "6.1.23",
"currentVersion": "6.1.24",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand Down