Malware enchantment un-assign analyst to the incidet (demisto#29084)

* Added another step checking if analyst needs to be assigned * RN * Reverted to playbookname
SEKOIA-IO · Aug 27, 2023 · 702f250 · 702f250
1 parent 798e336
commit 702f250
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 33 deletions.
diff --git a/...ionAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler.yml b/...ionAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler.yml
@@ -24,7 +24,7 @@ tasks:
       {
         "position": {
           "x": 450,
-          "y": -1200
+          "y": -1390
         }
       }
     note: false
@@ -142,10 +142,10 @@ tasks:
       version: -1
       name: CrowdStrike Falcon Malware - Investigation and Response
       description: This playbook covers a detailed flow of handling a CrowdStrike Falcon malware investigation, including:\n - Extracting and displaying MITRE data from the EDR and sandboxes\n - Deduplicatimg similar incidents\n - Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox.\n - Verifying the actions taken by the EDR\n - Analyzing the command line\n - Searching for the relevant hashes in additional hosts in the organization\n - Retrieving data about the host, including process list and network connections\n - Performing containment and mitigation actions as part of handling false/true positives \n - Setting the relevant layouts"
-      playbookName: CrowdStrike Falcon Malware - Investigation and Response
       type: playbook
       iscommand: false
       brand: ''
+      playbookName: CrowdStrike Falcon Malware - Investigation and Response
     nexttasks:
       '#none#':
       - '3'
@@ -362,11 +362,11 @@ tasks:
       id: 049146b1-2169-4b9d-884a-1b6916a866b5
       version: -1
       name: Cortex XDR Malware - Investigation And Response
-      playbookName: Cortex XDR Malware - Investigation And Response
       type: playbook
       iscommand: false
       brand: ''
       description: ''
+      playbookName: Cortex XDR Malware - Investigation And Response
     nexttasks:
       '#none#':
       - '3'
@@ -520,10 +520,10 @@ tasks:
       description: |-
         This playbook handles incident ingestion from a SIEM.
         The user provides which EDR system to use, the field containing the incident ID or detection ID, and the field indicating whether the ingested item is an incident or detection.
-      playbookName: Malware SIEM Ingestion - Get Incident Data
       type: playbook
       iscommand: false
       brand: ''
+      playbookName: Malware SIEM Ingestion - Get Incident Data
     nexttasks:
       '#none#':
       - '17'
@@ -738,14 +738,14 @@ tasks:
       brand: Builtin
     nexttasks:
       '#none#':
-      - "20"
+      - "21"
     separatecontext: false
     continueonerrortype: ""
     view: |-
       {
         "position": {
           "x": 450,
-          "y": -1070
+          "y": -1260
         }
       }
     note: false
@@ -791,8 +791,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 450,
-          "y": -940
+          "x": 880,
+          "y": -960
         }
       }
     note: false
@@ -802,17 +802,58 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "21":
+    conditions:
+    - condition:
+      - - left:
+            iscontext: true
+            value:
+              simple: inputs.OnCall
+          operator: isNotEmpty
+      label: "yes"
+    continueonerrortype: ""
+    id: "21"
+    ignoreworker: false
+    isautoswitchedtoquietmode: false
+    isoversize: false
+    nexttasks:
+      '#default#':
+      - "4"
+      "yes":
+      - "20"
+    note: false
+    quietmode: 0
+    separatecontext: false
+    skipunavailable: false
+    task:
+      brand: ""
+      id: a163ae19-1b11-4bb5-8665-086d73f7d325
+      iscommand: false
+      name: Check If Assign an Analyst Needed To This Incident
+      description: Check If Assign an Analyst Needed To This Incident
+      type: condition
+      version: -1
+    taskid: a163ae19-1b11-4bb5-8665-086d73f7d325
+    timertriggers: []
+    type: condition
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": -1140
+        }
+      }
 view: |-
   {
     "linkLabelsPosition": {
       "1_3_#default#": 0.42
     },
     "paper": {
       "dimensions": {
-        "height": 1785,
+        "height": 1975,
         "width": 1440,
         "x": 160,
-        "y": -1200
+        "y": -1390
       }
     }
   }
@@ -938,10 +979,12 @@ inputs:
   description: |-
     Define whether to assign OnCall to this flow.
     Possible values: True/False.
+    Leave it empty if you do want not to assign an analyst to the incident.
   playbookInputQuery:
 outputs: []
 tests:
 - No tests (auto formatted)
 contentitemexportablefields:
-  contentitemfields: {}
+  contentitemfields:
+    propagationLabels: []
 system: true
diff --git a/...laybooks/playbook-Malware_Investigation_and_Response_Incident_Handler_README.md b/...laybooks/playbook-Malware_Investigation_and_Response_Incident_Handler_README.md
@@ -1,54 +1,66 @@
-This playbook is triggered by a malware incident from an ‘Endpoint’ type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and the playbook uses the EDR integrations to grab all the additional data.
-Currently supported EDR integrations are 
-XDR, CrowdStrike Falcon and Microsoft Defender for Endpoint and for SIEM QRadar and Splunk
+This playbook is triggered by a malware incident from an endpoint integration. It performs enrichment, detonation, and hunting within the organization, and remediation on the malware. 
+ The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and EDR integrations grab all additional data.
+ Currently supported EDR integrations are XDR, CrowdStrike Falcon, and Microsoft Defender for Endpoint. 
+ Currently supported SIEM integrations are QRadar and Splunk.
 
 ## Dependencies
+
 This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
-* Malware SIEM Ingestion - Get Incident Data
-* CrowdStrike Falcon - Investigation and Response
-* Cortex XDR - Malware Investigation And Response
+
+* CrowdStrike Falcon Malware - Investigation and Response
 * MDE Malware - Investigation and Response
+* Malware SIEM Ingestion - Get Incident Data
+* Cortex XDR Malware - Investigation And Response
 
 ### Integrations
+
 This playbook does not use any integrations.
 
 ### Scripts
+
+* AssignAnalystToIncident
 * Set
 * SetMultipleValues
 
 ### Commands
+
 This playbook does not use any commands.
 
 ## Playbook Inputs
+
 ---
 
 | **Name** | **Description** | **Default Value** | **Required** |
 | --- | --- | --- | --- |
-| SIEMEDRProductToUse | Values can be CrowdStrike, XDR, Microsoft Defender. Configure this setting if the fetching integration will be a SIEM and not the EDR product |  | Optional |
-| RetrieveFile | Indicates if file retrieval from the endpoint is allowed. <br/>True/False | True | Optional |
-| DetonateFile | Indicates if file detonation is allowed on the sandbox.<br/>True/False | True | Optional |
-| EnableDeduplication | Indicates if the deduplication playbook will be used.<br/>True/False | False | Optional |
-| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow |  | Optional |
+| RetrieveFile | Whether file retrieval from the endpoint is allowed. | True | Optional |
+| DetonateFile | Whether file detonation is allowed on the sandbox. | True | Optional |
+| EnableDeduplication | Whether the deduplication playbook will be used. | False | Optional |
+| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. |  | Optional |
 | MaliciousTagName | The tag to assign for indicators to block. | Bad_Indicator | Optional |
-| AutoIsolation | Indicates if host isolation is allowed.<br/>True/False | False | Optional |
-| AutoUnisolation | Indicates if automatic un-isolation is allowed<br/>True/False | False | Optional |
+| AutoIsolation | Whether host isolation is allowed. | False | Optional |
+| AutoUnisolation | Whether automatic un-isolation is allowed. | False | Optional |
 | BenignTagName | The name of the tag to apply for allowed indicators. | Good_Indicator | Optional |
-| SIEMincidentFieldForType | The name of the field that specifies the type of the alert. For example in CrowdStrike this specified if this is a detection or incident. | ${incident.externalcategoryname} | Optional |
-| SIEMincidentFieldForID | The name of the field that provides the external id of the alert or incident in the EDR. | ${incident.externalsystemid} | Optional |
-| OverrideSIEMSeverity | Indicates if to set the severity according to the  ScaleToSetSeverity and SeverityValuesMapping settings \(True\) or keep the original severity as mapped by the SIEM \(False\) <br/>True/False | False | Optional |
+| SIEMincidentFieldForType | The name of the field that specifies the type of the alert. For example in CrowdStrike this field specifies a detection or incident. | ${incident.externalcategoryname} | Optional |
+| SIEMincidentFieldForID | The name of the field that provides the external ID of the alert or incident in the EDR. | ${incident.externalsystemid} | Optional |
+| OverrideSIEMSeverity | Whether to set the severity according to the  ScaleToSetSeverity and SeverityValuesMapping settings \(True\) or keep the original severity as mapped by the SIEM \(False\). | False | Optional |
 | TicketProjectName | For ticketing systems such as Jira a project name is required. |  | Optional |
-| EnableClosureSteps | Indicates if use of closure steps is allow or incident will close automatically.<br/>True/False | True | Optional |
-| AdvancedHunting | Choose if you want to run Advance Hunting queries through your relevant integrations. Note that it may take some time. | True | Optional |
+| EnableClosureSteps | When closing an incident, whether to use closure steps to close automatically. | True | Optional |
+| AdvancedHunting | Choose True to run Advance Hunting queries through your relevant integrations. Note: It may take some time. | True | Optional |
 | DedupHandleSimilar | "This input defines how to handle Similar incidents. <br/>You may choose between: ""Link"", ""Close"", ""Link and Close"".<br/>Note: that closing incidents will require you to define ""CloseSimilar"" input as well.<br/>Also, note that the closer will apply on at least one of the options \(indicators or fields\) which will match the ""closer percentage"" criteria.<br/>Default: Link " | Link | Optional |
-| DedupCloseSimilar | "Define if you would like to close incidents by a similarity percentage. The percentage will be the bottom border for closing inc.<br/>This option will close also exact matches as well \( if there are\).<br/>Value should be between 0 to 1 \[0=low similarity , 1=identical\]" | 0.9 | Optional |
-| DedupLimit | The maximum number of incidents to query and set to context data.Default is: 200 | 200 | Optional |
+| DedupCloseSimilar | "Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.<br/>For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.<br/>The value should be between 0 and 1 \[0=low similarity , 1=identical\]." | 0.9 | Optional |
+| DedupLimit | The maximum number of incidents to query and set to context data. | 200 | Optional |
+| SIEMEDRProductToUse | For EDR alerts routed through a SIEM, provide the supported originating EDR. Possible values: CrowdStrike, XDR, or Microsoft Defender. |  | Optional |
+| OnCall | Define whether to assign OnCall to this flow.<br/>Possible values: True/False.<br/>Leave it empty if you do want not to assign an analyst to the incident. | False | Optional |
 
 ## Playbook Outputs
+
 ---
 There are no outputs for this playbook.
 
 ## Playbook Image
+
 ---
-![Malware Investigation & Response Incident Handler](../doc_files/Malware_Investigation_&_Response_Incident_Handler.png)
+
+![Malware Investigation & Response Incident Handler](../doc_files/Malware_Investigation_&_Response_Incident_Handler.png)
diff --git a/Packs/MalwareInvestigationAndResponse/ReleaseNotes/2_0_8.md b/Packs/MalwareInvestigationAndResponse/ReleaseNotes/2_0_8.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Malware Investigation & Response Incident Handler
+
+Added an option not assigning an analyst to an incident using the "OnCall" input.
diff --git a/...tionAndResponse/doc_files/Malware_Investigation_&_Response_Incident_Handler.png b/...tionAndResponse/doc_files/Malware_Investigation_&_Response_Incident_Handler.png
diff --git a/Packs/MalwareInvestigationAndResponse/pack_metadata.json b/Packs/MalwareInvestigationAndResponse/pack_metadata.json
@@ -5,7 +5,7 @@
     "videos": [
         "https://www.youtube.com/watch?v=DtGIefyoTao"
     ],
-    "currentVersion": "2.0.7",
+    "currentVersion": "2.0.8",
     "serverMinVersion": "6.5.0",
     "author": "Cortex XSOAR",
     "hidden": false,