diff --git a/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler.yml b/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler.yml index ff75d71983d8..7cb38b0ffc6c 100644 --- a/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler.yml +++ b/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler.yml @@ -24,7 +24,7 @@ tasks: { "position": { "x": 450, - "y": -1200 + "y": -1390 } } note: false @@ -142,10 +142,10 @@ tasks: version: -1 name: CrowdStrike Falcon Malware - Investigation and Response description: This playbook covers a detailed flow of handling a CrowdStrike Falcon malware investigation, including:\n - Extracting and displaying MITRE data from the EDR and sandboxes\n - Deduplicatimg similar incidents\n - Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox.\n - Verifying the actions taken by the EDR\n - Analyzing the command line\n - Searching for the relevant hashes in additional hosts in the organization\n - Retrieving data about the host, including process list and network connections\n - Performing containment and mitigation actions as part of handling false/true positives \n - Setting the relevant layouts" - playbookName: CrowdStrike Falcon Malware - Investigation and Response type: playbook iscommand: false brand: '' + playbookName: CrowdStrike Falcon Malware - Investigation and Response nexttasks: '#none#': - '3' 
@@ -362,11 +362,11 @@ tasks: id: 049146b1-2169-4b9d-884a-1b6916a866b5 version: -1 name: Cortex XDR Malware - Investigation And Response - playbookName: Cortex XDR Malware - Investigation And Response type: playbook iscommand: false brand: '' description: '' + playbookName: Cortex XDR Malware - Investigation And Response nexttasks: '#none#': - '3' @@ -520,10 +520,10 @@ tasks: description: |- This playbook handles incident ingestion from a SIEM. The user provides which EDR system to use, the field containing the incident ID or detection ID, and the field indicating whether the ingested item is an incident or detection. - playbookName: Malware SIEM Ingestion - Get Incident Data type: playbook iscommand: false brand: '' + playbookName: Malware SIEM Ingestion - Get Incident Data nexttasks: '#none#': - '17' @@ -738,14 +738,14 @@ tasks: brand: Builtin nexttasks: '#none#': - - "20" + - "21" separatecontext: false continueonerrortype: "" view: |- { "position": { "x": 450, - "y": -1070 + "y": -1260 } } note: false @@ -791,8 +791,8 @@ tasks: view: |- { "position": { - "x": 450, - "y": -940 + "x": 880, + "y": -960 } } note: false 
@@ -802,6 +802,47 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "21": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.OnCall + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "21" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "4" + "yes": + - "20" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: a163ae19-1b11-4bb5-8665-086d73f7d325 + iscommand: false + name: Check If Assign an Analyst Needed To This Incident + description: Check If Assign an Analyst Needed To This Incident + type: condition + version: -1 + taskid: a163ae19-1b11-4bb5-8665-086d73f7d325 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 450, + "y": -1140 + } + } view: |- { "linkLabelsPosition": { @@ -809,10 +850,10 @@ view: |- }, "paper": { "dimensions": { - "height": 1785, + "height": 1975, "width": 1440, "x": 160, - "y": -1200 + "y": -1390 } } } @@ -938,10 +979,12 @@ inputs: description: |- Define whether to assign OnCall to this flow. Possible values: True/False. + Leave it empty if you do want not to assign an analyst to the incident. playbookInputQuery: outputs: [] tests: - No tests (auto formatted) contentitemexportablefields: - contentitemfields: {} + contentitemfields: + propagationLabels: [] system: true diff --git a/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler_README.md b/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler_README.md index 095d6fac1f70..edca499d23bb 100644 --- a/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler_README.md +++ b/Packs/MalwareInvestigationAndResponse/Playbooks/playbook-Malware_Investigation_and_Response_Incident_Handler_README.md 
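Review bot: The new condition task "21" in hunk @@ -802 branches on `inputs.OnCall` with `operator: isNotEmpty`, so any explicit value — including the `False` default the README table lists for OnCall — takes the "yes" branch to task "20", and the "leave it empty to skip assignment" behaviour described in the input text is only reachable when the user clears the default; please confirm the intended default (the input's default value and task "20" itself are outside this hunk) or make the description say that any non-empty value, True or False, runs the assignment step. The added description line in hunk @@ -938 also has the words transposed: `Leave it empty if you do not want to assign an analyst to the incident.` — the same sentence is repeated in the README hunk and should be fixed there too. The task name and description `Check If Assign an Analyst Needed To This Incident` would read better as `Check if an analyst should be assigned to this incident`. The hunk @@ -738 change of `nexttasks` from "20" to "21" depends on this task, so the two should land together.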
@@ -1,54 +1,66 @@ -This playbook is triggered by a malware incident from an ‘Endpoint’ type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and the playbook uses the EDR integrations to grab all the additional data. -Currently supported EDR integrations are -XDR, CrowdStrike Falcon and Microsoft Defender for Endpoint and for SIEM QRadar and Splunk +This playbook is triggered by a malware incident from an endpoint integration. It performs enrichment, detonation, and hunting within the organization, and remediation on the malware. + The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and EDR integrations grab all additional data. + Currently supported EDR integrations are XDR, CrowdStrike Falcon, and Microsoft Defender for Endpoint. + Currently supported SIEM integrations are QRadar and Splunk. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Malware SIEM Ingestion - Get Incident Data -* CrowdStrike Falcon - Investigation and Response -* Cortex XDR - Malware Investigation And Response + +* CrowdStrike Falcon Malware - Investigation and Response * MDE Malware - Investigation and Response +* Malware SIEM Ingestion - Get Incident Data +* Cortex XDR Malware - Investigation And Response ### Integrations + This playbook does not use any integrations. ### Scripts + +* AssignAnalystToIncident * Set * SetMultipleValues ### Commands + This playbook does not use any commands. ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | | --- | --- | --- | --- | -| SIEMEDRProductToUse | Values can be CrowdStrike, XDR, Microsoft Defender. 
Configure this setting if the fetching integration will be a SIEM and not the EDR product | | Optional | -| RetrieveFile | Indicates if file retrieval from the endpoint is allowed.
True/False | True | Optional | -| DetonateFile | Indicates if file detonation is allowed on the sandbox.
True/False | True | Optional | -| EnableDeduplication | Indicates if the deduplication playbook will be used.
True/False | False | Optional | -| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow | | Optional | +| RetrieveFile | Whether file retrieval from the endpoint is allowed. | True | Optional | +| DetonateFile | Whether file detonation is allowed on the sandbox. | True | Optional | +| EnableDeduplication | Whether the deduplication playbook will be used. | False | Optional | +| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. | | Optional | | MaliciousTagName | The tag to assign for indicators to block. | Bad_Indicator | Optional | -| AutoIsolation | Indicates if host isolation is allowed.
True/False | False | Optional | -| AutoUnisolation | Indicates if automatic un-isolation is allowed
True/False | False | Optional | +| AutoIsolation | Whether host isolation is allowed. | False | Optional | +| AutoUnisolation | Whether automatic un-isolation is allowed. | False | Optional | | BenignTagName | The name of the tag to apply for allowed indicators. | Good_Indicator | Optional | -| SIEMincidentFieldForType | The name of the field that specifies the type of the alert. For example in CrowdStrike this specified if this is a detection or incident. | ${incident.externalcategoryname} | Optional | -| SIEMincidentFieldForID | The name of the field that provides the external id of the alert or incident in the EDR. | ${incident.externalsystemid} | Optional | -| OverrideSIEMSeverity | Indicates if to set the severity according to the ScaleToSetSeverity and SeverityValuesMapping settings \(True\) or keep the original severity as mapped by the SIEM \(False\)
True/False | False | Optional | +| SIEMincidentFieldForType | The name of the field that specifies the type of the alert. For example in CrowdStrike this field specifies a detection or incident. | ${incident.externalcategoryname} | Optional | +| SIEMincidentFieldForID | The name of the field that provides the external ID of the alert or incident in the EDR. | ${incident.externalsystemid} | Optional | +| OverrideSIEMSeverity | Whether to set the severity according to the ScaleToSetSeverity and SeverityValuesMapping settings \(True\) or keep the original severity as mapped by the SIEM \(False\). | False | Optional | | TicketProjectName | For ticketing systems such as Jira a project name is required. | | Optional | -| EnableClosureSteps | Indicates if use of closure steps is allow or incident will close automatically.
True/False | True | Optional | -| AdvancedHunting | Choose if you want to run Advance Hunting queries through your relevant integrations. Note that it may take some time. | True | Optional | +| EnableClosureSteps | When closing an incident, whether to use closure steps to close automatically. | True | Optional | +| AdvancedHunting | Choose True to run Advance Hunting queries through your relevant integrations. Note: It may take some time. | True | Optional | | DedupHandleSimilar | "This input defines how to handle Similar incidents.
You may choose between: ""Link"", ""Close"", ""Link and Close"".
Note: that closing incidents will require you to define ""CloseSimilar"" input as well.
Also, note that the closer will apply on at least one of the options \(indicators or fields\) which will match the ""closer percentage"" criteria.
Default: Link " | Link | Optional | -| DedupCloseSimilar | "Define if you would like to close incidents by a similarity percentage. The percentage will be the bottom border for closing inc.
This option will close also exact matches as well \( if there are\).
Value should be between 0 to 1 \[0=low similarity , 1=identical\]" | 0.9 | Optional | -| DedupLimit | The maximum number of incidents to query and set to context data.Default is: 200 | 200 | Optional | +| DedupCloseSimilar | "Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 \[0=low similarity , 1=identical\]." | 0.9 | Optional | +| DedupLimit | The maximum number of incidents to query and set to context data. | 200 | Optional | +| SIEMEDRProductToUse | For EDR alerts routed through a SIEM, provide the supported originating EDR. Possible values: CrowdStrike, XDR, or Microsoft Defender. | | Optional | +| OnCall | Define whether to assign OnCall to this flow.
Possible values: True/False.
Leave it empty if you do want not to assign an analyst to the incident. | False | Optional | ## Playbook Outputs + --- There are no outputs for this playbook. ## Playbook Image + --- -![Malware Investigation & Response Incident Handler](../doc_files/Malware_Investigation_&_Response_Incident_Handler.png) \ No newline at end of file + +![Malware Investigation & Response Incident Handler](../doc_files/Malware_Investigation_&_Response_Incident_Handler.png) diff --git a/Packs/MalwareInvestigationAndResponse/ReleaseNotes/2_0_8.md b/Packs/MalwareInvestigationAndResponse/ReleaseNotes/2_0_8.md new file mode 100644 index 000000000000..133a02fd97a3 --- /dev/null +++ b/Packs/MalwareInvestigationAndResponse/ReleaseNotes/2_0_8.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Malware Investigation & Response Incident Handler + +Added an option not assigning an analyst to an incident using the "OnCall" input. diff --git a/Packs/MalwareInvestigationAndResponse/doc_files/Malware_Investigation_&_Response_Incident_Handler.png b/Packs/MalwareInvestigationAndResponse/doc_files/Malware_Investigation_&_Response_Incident_Handler.png index 7d7589ebc4f2..ae7a03af90e3 100644 Binary files a/Packs/MalwareInvestigationAndResponse/doc_files/Malware_Investigation_&_Response_Incident_Handler.png and b/Packs/MalwareInvestigationAndResponse/doc_files/Malware_Investigation_&_Response_Incident_Handler.png differ diff --git a/Packs/MalwareInvestigationAndResponse/pack_metadata.json b/Packs/MalwareInvestigationAndResponse/pack_metadata.json index 73cdd7d9c1ca..37734f5ede5c 100644 --- a/Packs/MalwareInvestigationAndResponse/pack_metadata.json +++ b/Packs/MalwareInvestigationAndResponse/pack_metadata.json @@ -5,7 +5,7 @@ "videos": [ "https://www.youtube.com/watch?v=DtGIefyoTao" ], - "currentVersion": "2.0.7", + "currentVersion": "2.0.8", "serverMinVersion": "6.5.0", "author": "Cortex XSOAR", "hidden": false,