diff --git a/Packs/CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.yml b/Packs/CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.yml
index 1d884c7181b7..78fa37bee286 100644
--- a/Packs/CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.yml
+++ b/Packs/CrowdStrikeFalcon/Playbooks/playbook-CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.yml
@@ -2,8 +2,7 @@ id: CrowdStrike Falcon - Search Endpoints By Hash
 version: -1
 fromversion: 6.5.0
 name: CrowdStrike Falcon - Search Endpoints By Hash
-description: "This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.
-This playbook searches across the organization for other endpoints associated with a specific SHA256 hash."
+description: "This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook searches across the organization for other endpoints associated with a specific SHA256 hash."
 starttaskid: "0"
 tasks:
   "0":
@@ -19,13 +18,13 @@ tasks:
       description: ''
     nexttasks:
       '#none#':
-      - "2"
+      - "6"
     separatecontext: false
     view: |-
       {
         "position": {
-          "x": 450,
-          "y": 50
+          "x": 170,
+          "y": -90
         }
       }
     note: false
@@ -35,6 +34,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   "1":
     id: "1"
     taskid: 9ce410b8-ddde-4690-8625-2cfab080cd83
@@ -71,6 +71,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   "2":
     id: "2"
     taskid: 04610f87-fee9-4de1-8980-1649f61b38d0
@@ -107,6 +108,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   "3":
     id: "3"
     taskid: 0204bfc2-fc2d-483c-869b-8f85d0580b31
@@ -123,7 +125,7 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 450,
+          "x": 170,
           "y": 930
         }
       }
@@ -134,6 +136,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   "4":
     id: "4"
     taskid: 9b555544-59aa-45db-81b2-a12eb98fc56e
@@ -145,7 +148,7 @@ tasks:
       type: condition
       iscommand: false
       brand: ""
-      description: ''
+      description: 'Was the hash detected on additional hosts?'
     nexttasks:
       '#default#':
       - "3"
@@ -177,6 +180,7 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
   "5":
     id: "5"
     taskid: f7a79437-c0fa-4613-84fa-22581196d8ef
@@ -224,15 +228,55 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+    continueonerrortype: ""
+  "6":
+    id: "6"
+    taskid: 13169d17-92b3-4cbf-8930-86e9b5d6f265
+    type: condition
+    task:
+      id: 13169d17-92b3-4cbf-8930-86e9b5d6f265
+      version: -1
+      name: Is Crowdstrike Falcon enabled?
+      description: Returns 'yes' if the integration brand is available. Otherwise returns 'no'.
+      scriptName: IsIntegrationAvailable
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "3"
+      "yes":
+      - "2"
+    scriptarguments:
+      brandname:
+        simple: CrowdstrikeFalcon
+    results:
+    - brandInstances
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 170,
+          "y": 40
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {},
     "paper": {
       "dimensions": {
-        "height": 945,
-        "width": 610,
-        "x": 450,
-        "y": 50
+        "height": 1085,
+        "width": 890,
+        "x": 170,
+        "y": -90
       }
     }
   }
@@ -255,4 +299,7 @@ outputs:
   description: The number of devices the IOC ran on.
   type: number
 tests:
-  - No tests
+- No tests (auto formatted)
+contentitemexportablefields:
+  contentitemfields: {}
+system: true
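Review bot: The new guard in task "6" sends the "integration not enabled" case down `'#default#'` to task "3", the same task that condition "4" falls through to when no additional hosts were found, so a run in which the hash search never executed is indistinguishable, from the playbook's outputs, from a run that found nothing; a parent playbook consuming those outputs can read "not enabled" as "clean". Consider routing the `'#default#'` branch to a task that records that the search was skipped, or at minimum extend the playbook description with `If no CrowdStrike Falcon instance is enabled, the search is skipped and the playbook produces no outputs.` The `brandname` value `CrowdstrikeFalcon` has to match the integration's brand id exactly — a mismatch is not an error, it just makes `IsIntegrationAvailable` answer `no` on every run and silently disables the playbook — so it is worth confirming against the integration id, especially since the task name spells it "Crowdstrike Falcon" while the pack is "CrowdStrike Falcon". The `tests:` entry further down stays `No tests (auto formatted)`, so neither branch of the new condition is exercised by a test playbook.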
diff --git a/Packs/CrowdStrikeFalcon/ReleaseNotes/1_10_26.md b/Packs/CrowdStrikeFalcon/ReleaseNotes/1_10_26.md
new file mode 100644
index 000000000000..cde6f6989ee4
--- /dev/null
+++ b/Packs/CrowdStrikeFalcon/ReleaseNotes/1_10_26.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### CrowdStrike Falcon - Search Endpoints By Hash
+
+Added a validation step to ensure that a CrowdStrike Falcon instance is enabled.
diff --git a/Packs/CrowdStrikeFalcon/doc_files/CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.png b/Packs/CrowdStrikeFalcon/doc_files/CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.png
index 87b201110665..a120c7cef027 100644
Binary files a/Packs/CrowdStrikeFalcon/doc_files/CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.png and b/Packs/CrowdStrikeFalcon/doc_files/CrowdStrike_Falcon_-_Search_Endpoints_By_Hash.png differ
diff --git a/Packs/CrowdStrikeFalcon/pack_metadata.json b/Packs/CrowdStrikeFalcon/pack_metadata.json
index 3693b1f79104..8b3e1dbd300c 100644
--- a/Packs/CrowdStrikeFalcon/pack_metadata.json
+++ b/Packs/CrowdStrikeFalcon/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "CrowdStrike Falcon",
     "description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.",
     "support": "xsoar",
-    "currentVersion": "1.10.25",
+    "currentVersion": "1.10.26",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",