diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment.yml index c86d54a35cf2..a9f050f3bb7b 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment.yml +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment.yml @@ -6,10 +6,10 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: 3d92e4a6-7255-4e59-801c-5a4e5dc3e522 + taskid: a7f4a4df-1d85-4cda-8a12-40806356cb34 type: start task: - id: 3d92e4a6-7255-4e59-801c-5a4e5dc3e522 + id: a7f4a4df-1d85-4cda-8a12-40806356cb34 version: -1 name: "" iscommand: false @@ -36,17 +36,17 @@ tasks: isautoswitchedtoquietmode: false "1": id: "1" - taskid: f6ed9bb6-999e-478c-8481-8b23b52fc24a + taskid: 162b493c-548e-4c93-8ebe-19bb5426b2e7 type: playbook task: - id: f6ed9bb6-999e-478c-8481-8b23b52fc24a + id: 162b493c-548e-4c93-8ebe-19bb5426b2e7 version: -1 name: GCP - Enrichment description: Given the IP address this playbook enriches GCP and Firewall information. - playbookName: GCP - Enrichment type: playbook iscommand: false brand: "" + playbookId: GCP - Enrichment nexttasks: '#none#': - "2" @@ -54,6 +54,14 @@ tasks: GcpIP: complex: root: inputs.RemoteIP + port: + complex: + accessor: remoteport + root: alert + transformers: + - operator: FirstArrayElement + protocol: + simple: ${alert.protocol} separatecontext: true continueonerrortype: "" loop: @@ -77,10 +85,10 @@ tasks: isautoswitchedtoquietmode: false "2": id: "2" - taskid: 559b4cce-1e6a-4e18-8600-1383bb615dfb + taskid: a937c47c-4420-4973-818d-abe4c250d716 type: title task: - id: 559b4cce-1e6a-4e18-8600-1383bb615dfb + id: a937c47c-4420-4973-818d-abe4c250d716 version: -1 name: Set Field type: title 
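Review bot: The new `protocol` input to the GCP - Enrichment sub-playbook is passed as `simple: ${alert.protocol}`, while the sibling `port` input added in the same hunk goes through a `FirstArrayElement` transformer on `alert.remoteport`, so if `alert.protocol` can also be multi-valued the sub-playbook receives a list for one input and a scalar for the other. Giving `protocol` the same shape (`complex:` with `root: alert`, `accessor: protocol` and the `FirstArrayElement` transformer) keeps the two inputs consistent; if `alert.protocol` is known to be single-valued, a one-line comment above it saying so would explain the asymmetry. Neither input is validated here, so presumably the sub-playbook tolerates an empty value when the alert carries no port or protocol — confirm that before relying on the new firewall-rule branch.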
@@ -110,10 +118,10 @@ tasks: isautoswitchedtoquietmode: false "3": id: "3" - taskid: b2338e4c-17f4-4dbd-8c0f-5ff6e8aca888 + taskid: 5b2e18a9-e97f-4118-8bf8-66fffd6983ea type: condition task: - id: b2338e4c-17f4-4dbd-8c0f-5ff6e8aca888 + id: 5b2e18a9-e97f-4118-8bf8-66fffd6983ea version: -1 name: Is there VM and IAM information? description: Determines if there is EC2 information to set the private IP, cloud, and tags fields. @@ -157,10 +165,10 @@ tasks: isautoswitchedtoquietmode: false "4": id: "4" - taskid: 0adfefac-bc38-43c7-848b-27b19a3a4cfb + taskid: 14eb1bb7-8317-41bd-8c6b-4d0f3f650e3a type: condition task: - id: 0adfefac-bc38-43c7-848b-27b19a3a4cfb + id: 14eb1bb7-8317-41bd-8c6b-4d0f3f650e3a version: -1 name: Is there IAM information? description: Determines if there is IAM information to set in the service owner field. @@ -211,10 +219,10 @@ tasks: isautoswitchedtoquietmode: false "5": id: "5" - taskid: ca9a1f8a-a200-42ff-869a-bc9dcef19c7b + taskid: a0e844cb-694d-4582-8e31-0eaa804d1644 type: condition task: - id: ca9a1f8a-a200-42ff-869a-bc9dcef19c7b + id: a0e844cb-694d-4582-8e31-0eaa804d1644 version: -1 name: Is there VM and firewall information? description: Determines if there is EC2 and security group information to set in the system IDs field. @@ -239,13 +247,6 @@ tasks: iscontext: true right: value: {} - - - operator: isNotEmpty - left: - value: - complex: - root: GoogleCloudCompute - accessor: Firewalls - iscontext: true continueonerrortype: "" view: |- { 
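Review bot: Task "5" keeps the name `Is there VM and firewall information?` and the description `Determines if there is EC2 and security group information to set in the system IDs field.` although the last hunk on this line removes the `GoogleCloudCompute.Firewalls` / `isNotEmpty` condition, so the task now checks the VM instance only. Rename it to `name: Is there VM information?` and change the description to `Determines if there is GCE instance information to set in the system IDs field.` (the existing wording also says EC2 and security group, which are AWS terms). The same AWS wording survives unchanged in task "3" (`Determines if there is EC2 information to set the private IP, cloud, and tags fields.`) earlier on this line; since the commit is already touching these descriptions it is a cheap moment to fix both.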
@@ -263,19 +264,19 @@ tasks: isautoswitchedtoquietmode: false "10": id: "10" - taskid: bef7481c-215b-4bbe-8e09-dd53062f8fd6 + taskid: 54558151-778a-4393-8ed6-6e07548699fb type: regular task: - id: bef7481c-215b-4bbe-8e09-dd53062f8fd6 + id: 54558151-778a-4393-8ed6-6e07548699fb version: -1 name: Set service owner grid field description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "42" @@ -329,10 +330,10 @@ tasks: isautoswitchedtoquietmode: false "11": id: "11" - taskid: 7962748a-77b4-4ad3-818a-d802ae90bd22 + taskid: 8bd81e9e-e2d7-4536-8ef6-635513703be2 type: title task: - id: 7962748a-77b4-4ad3-818a-d802ae90bd22 + id: 8bd81e9e-e2d7-4536-8ef6-635513703be2 version: -1 name: Service Owner type: title @@ -360,19 +361,19 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: dd117e4d-5b23-4398-8611-adb85c205a9e + taskid: ed311cd3-4761-418b-8b4b-6f2dfd7141df type: regular task: - id: dd117e4d-5b23-4398-8611-adb85c205a9e + id: ed311cd3-4761-418b-8b4b-6f2dfd7141df version: -1 name: Set private IP grid field description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "50" 
@@ -407,10 +408,10 @@ tasks: isautoswitchedtoquietmode: false "14": id: "14" - taskid: e41bfa6d-8627-4f70-836c-7bb648573d7d + taskid: 333606d0-0e81-47a0-8271-e4aea8cf500c type: title task: - id: e41bfa6d-8627-4f70-836c-7bb648573d7d + id: 333606d0-0e81-47a0-8271-e4aea8cf500c version: -1 name: Private IP type: title @@ -438,10 +439,10 @@ tasks: isautoswitchedtoquietmode: false "15": id: "15" - taskid: 871c4cdb-a485-4a9f-8c22-d5c514bc5b51 + taskid: e12c58e4-ccb6-4466-864c-c995a51d8263 type: title task: - id: 871c4cdb-a485-4a9f-8c22-d5c514bc5b51 + id: e12c58e4-ccb6-4466-864c-c995a51d8263 version: -1 name: Cloud type: title @@ -469,19 +470,19 @@ tasks: isautoswitchedtoquietmode: false "16": id: "16" - taskid: 471875e5-872f-4927-8fda-28dca3f159c9 + taskid: c1a2a66d-5801-4b08-89df-5f652b3cf512 type: regular task: - id: 471875e5-872f-4927-8fda-28dca3f159c9 + id: c1a2a66d-5801-4b08-89df-5f652b3cf512 version: -1 name: Set cloud grid field description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "60" 
@@ -499,17 +500,24 @@ tasks: root: GoogleCloudCompute.Instances.networkInterfaces accessor: network transformers: - - operator: RegexExtractAll + - operator: ExtractInbetween args: - error_if_no_match: {} - ignore_case: {} - multi_line: {} - period_matches_newline: {} - regex: + from: value: - simple: (?<=projects/)[^/]+(?=/global) - unpack_matches: {} - - operator: uniq + simple: projects/ + to: + value: + simple: /global + filters: + - - left: + iscontext: true + value: + simple: GoogleCloudCompute.Instances.networkInterfaces.accessConfigs.natIP + operator: isEqualString + right: + iscontext: true + value: + simple: inputs.RemoteIP val4: complex: root: GoogleCloudCompute.Instances @@ -539,10 +547,10 @@ tasks: isautoswitchedtoquietmode: false "17": id: "17" - taskid: a9848e8b-60f4-4cea-896f-6d9d100bfac8 + taskid: 0fc1baf0-f47a-479a-8199-67587eab8bc3 type: title task: - id: a9848e8b-60f4-4cea-896f-6d9d100bfac8 + id: 0fc1baf0-f47a-479a-8199-67587eab8bc3 version: -1 name: Tags type: title @@ -570,19 +578,19 @@ tasks: isautoswitchedtoquietmode: false "18": id: "18" - taskid: ae3aba7b-d7d5-435a-850e-a25f2131fe4b + taskid: 08ca29ff-e683-466b-878c-ee8f8f9a8c18 type: regular task: - id: ae3aba7b-d7d5-435a-850e-a25f2131fe4b + id: 08ca29ff-e683-466b-878c-ee8f8f9a8c18 version: -1 name: Set tags grid field description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "52" 
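Review bot: The rewritten `val3` argument drops the `- operator: uniq` that followed the old `RegexExtractAll`, so if more than one network interface passes the new `accessConfigs.natIP` equals `inputs.RemoteIP` filter, the project name extracted by `ExtractInbetween` can be written to the cloud grid field more than once. Appending `- operator: uniq` as a second entry under `transformers:` preserves the previous de-duplication at no cost. `ExtractInbetween` from `projects/` to `/global` is also looser than the old regex `(?<=projects/)[^/]+(?=/global)`, which required `/global` to follow the project segment immediately; presumably network self-links always have that shape, but a short comment on the task stating the expected path form would make the assumption visible. The enclosing task "16" starts before this hunk.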
@@ -631,10 +639,10 @@ tasks: isautoswitchedtoquietmode: false "19": id: "19" - taskid: 51b764c7-ae01-44e0-8ace-21cc9cb5d4dc + taskid: 894c4730-4a93-4507-8c79-cf6b7c85ad97 type: title task: - id: 51b764c7-ae01-44e0-8ace-21cc9cb5d4dc + id: 894c4730-4a93-4507-8c79-cf6b7c85ad97 version: -1 name: System IDs type: title @@ -662,22 +670,22 @@ tasks: isautoswitchedtoquietmode: false "20": id: "20" - taskid: dadd311d-7a01-437b-8827-ff70d10e3330 + taskid: 4527aaa0-800d-4ba0-8400-e3ac86961070 type: regular task: - id: dadd311d-7a01-437b-8827-ff70d10e3330 + id: 4527aaa0-800d-4ba0-8400-e3ac86961070 version: -1 name: Set system IDs grid field (VPC) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - - "21" + - "23" scriptarguments: gridfield: simple: asmsystemids 
@@ -709,54 +717,7 @@ tasks: { "position": { "x": 950, - "y": 1030 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "21": - id: "21" - taskid: d747cea6-9883-4960-8c1a-5bb9f22fbeb7 - type: regular - task: - id: d747cea6-9883-4960-8c1a-5bb9f22fbeb7 - version: -1 - name: Set system IDs grid field (firewall) - description: "Automation used to more easily populate a grid field. \n\nWhile GCP doesn't use the term \"security group (SG)\" like some other cloud providers (such as AWS), the functionality provided by GCP's Firewall Rules is similar to the security group concept in other platforms." - scriptName: GridFieldSetup - type: regular - iscommand: false - brand: Builtin - nexttasks: - '#none#': - - "23" - scriptarguments: - gridfield: - simple: asmsystemids - keys: - simple: type,id,link - val1: - simple: ASSET-SG - val2: - complex: - root: GoogleCloudCompute.Firewalls - accessor: id - transformers: - - operator: uniq - val3: - simple: n/a - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 950, - "y": 1205 + "y": 980 } } note: false 
@@ -768,19 +729,19 @@ tasks: isautoswitchedtoquietmode: false "22": id: "22" - taskid: 9f8c4eec-0703-4427-8724-71326629c4e0 + taskid: 291e0df4-8fa2-455a-8f1c-7e5650410df7 type: regular task: - id: 9f8c4eec-0703-4427-8724-71326629c4e0 + id: 291e0df4-8fa2-455a-8f1c-7e5650410df7 version: -1 name: Set system IDs grid field (subnet name) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "47" @@ -805,7 +766,7 @@ tasks: { "position": { "x": 950, - "y": 2280 + "y": 1990 } } note: false @@ -817,19 +778,19 @@ tasks: isautoswitchedtoquietmode: false "23": id: "23" - taskid: 4456d5d5-61ca-4aec-8502-e54800d8b0b2 + taskid: f8a65ca8-ac84-47d7-8824-7ea7b74fa7b7 type: regular task: - id: 4456d5d5-61ca-4aec-8502-e54800d8b0b2 + id: f8a65ca8-ac84-47d7-8824-7ea7b74fa7b7 version: -1 name: Set system IDs grid field (NIC) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "24" @@ -854,7 +815,7 @@ tasks: { "position": { "x": 950, - "y": 1370 + "y": 1140 } } note: false 
@@ -866,19 +827,19 @@ tasks: isautoswitchedtoquietmode: false "24": id: "24" - taskid: 6f8180eb-c6b3-47ab-89cd-bc2592b8bac6 + taskid: 7b6dd98e-7ab7-4be9-83f2-010da1920e7a type: regular task: - id: 6f8180eb-c6b3-47ab-89cd-bc2592b8bac6 + id: 7b6dd98e-7ab7-4be9-83f2-010da1920e7a version: -1 name: Set system IDs grid field (GCE ID) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "26" @@ -903,7 +864,7 @@ tasks: { "position": { "x": 950, - "y": 1545 + "y": 1300 } } note: false @@ -915,19 +876,19 @@ tasks: isautoswitchedtoquietmode: false "26": id: "26" - taskid: df4adbfe-5588-49e7-8814-03440608b973 + taskid: 16b767f4-9546-443c-88a4-3fe414f97515 type: regular task: - id: df4adbfe-5588-49e7-8814-03440608b973 + id: 16b767f4-9546-443c-88a4-3fe414f97515 version: -1 name: Set system IDs grid field (ZONE) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "27" @@ -962,7 +923,7 @@ tasks: { "position": { "x": 950, - "y": 1720 + "y": 1460 } } note: false 
@@ -974,19 +935,19 @@ tasks: isautoswitchedtoquietmode: false "27": id: "27" - taskid: 1039922c-33ac-4aa4-8a82-149c1f700b9c + taskid: 92592bc9-b6c9-4332-8fb1-105fb18bfde9 type: regular task: - id: 1039922c-33ac-4aa4-8a82-149c1f700b9c + id: 92592bc9-b6c9-4332-8fb1-105fb18bfde9 version: -1 name: Set system IDs grid field (GCE name) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "59" @@ -1011,7 +972,7 @@ tasks: { "position": { "x": 950, - "y": 1895 + "y": 1635 } } note: false @@ -1023,10 +984,10 @@ tasks: isautoswitchedtoquietmode: false "29": id: "29" - taskid: 27e8adfb-124a-43bb-8892-6a3aecdcd242 + taskid: cafe0fad-1e84-44e7-82d5-62155b7996ca type: condition task: - id: 27e8adfb-124a-43bb-8892-6a3aecdcd242 + id: cafe0fad-1e84-44e7-82d5-62155b7996ca version: -1 name: Are there any tags? description: |+ @@ -1070,10 +1031,10 @@ tasks: isautoswitchedtoquietmode: false "31": id: "31" - taskid: e049ee0a-a4b2-44b0-88a2-416a4638c116 + taskid: 19477a1f-2d00-41aa-859a-d39358141f0f type: condition task: - id: e049ee0a-a4b2-44b0-88a2-416a4638c116 + id: 19477a1f-2d00-41aa-859a-d39358141f0f version: -1 name: Is service account field set? description: Determines if a service account associated with the Cloud Compute Instance was discovered and set on the alert. 
@@ -1111,19 +1072,19 @@ tasks: isautoswitchedtoquietmode: false "32": id: "32" - taskid: 8470bc44-8694-4f3c-87c1-2fc5bd65c30b + taskid: 9ccb13e3-6083-4043-8fbf-de1cac50c14e type: regular task: - id: 8470bc44-8694-4f3c-87c1-2fc5bd65c30b + id: 9ccb13e3-6083-4043-8fbf-de1cac50c14e version: -1 name: Add service account to unranked service owner list description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Example of command: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: "" + script: GridFieldSetup nexttasks: '#none#': - "40" @@ -1166,10 +1127,10 @@ tasks: isautoswitchedtoquietmode: false "33": id: "33" - taskid: 65cc8136-d6c5-4ffc-8a57-21bc21ef2301 + taskid: c6687057-c22e-4f73-8f80-8f6e642413d7 type: condition task: - id: 65cc8136-d6c5-4ffc-8a57-21bc21ef2301 + id: c6687057-c22e-4f73-8f80-8f6e642413d7 version: -1 name: Is there GCP project hierarchy information? description: Determines if there is GCP hierarchy information to set in the system IDs field. @@ -1206,7 +1167,7 @@ tasks: { "position": { "x": 950, - "y": 2650 + "y": 2710 } } note: false 
@@ -1218,19 +1179,19 @@ tasks: isautoswitchedtoquietmode: false "34": id: "34" - taskid: 2a1b652a-5e9d-42e7-8673-2ad48e63d947 + taskid: 6b7418b0-5146-4568-839b-6111991e4306 type: regular task: - id: 2a1b652a-5e9d-42e7-8673-2ad48e63d947 + id: 6b7418b0-5146-4568-839b-6111991e4306 version: -1 name: Set system IDs grid field (Project-Number) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "35" @@ -1270,7 +1231,7 @@ tasks: { "position": { "x": 950, - "y": 2880 + "y": 2950 } } note: false @@ -1282,10 +1243,10 @@ tasks: isautoswitchedtoquietmode: false "35": id: "35" - taskid: 56415a77-b61e-4abb-8d66-babc1dd0ee90 + taskid: 936fd977-c6e1-451f-88b5-710fccd7c9ca type: condition task: - id: 56415a77-b61e-4abb-8d66-babc1dd0ee90 + id: 936fd977-c6e1-451f-88b5-710fccd7c9ca version: -1 name: Is there GCP folder hierarchy information? description: Determines if there is GCP folder hierarchy information to set in the system IDs field. @@ -1321,7 +1282,7 @@ tasks: { "position": { "x": 950, - "y": 3090 + "y": 3110 } } note: false 
@@ -1333,19 +1294,19 @@ tasks: isautoswitchedtoquietmode: false "36": id: "36" - taskid: 77e16236-6023-43a2-8d6b-09805e68a44f + taskid: e67121bb-d75b-4fcb-8d31-fc8d82046071 type: regular task: - id: 77e16236-6023-43a2-8d6b-09805e68a44f + id: e67121bb-d75b-4fcb-8d31-fc8d82046071 version: -1 name: Set system IDs grid field (Folder-Number) description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. For example: `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "43" @@ -1384,7 +1345,7 @@ tasks: { "position": { "x": 950, - "y": 3330 + "y": 3300 } } note: false @@ -1396,17 +1357,17 @@ tasks: isautoswitchedtoquietmode: false "37": id: "37" - taskid: b09ef410-6d9c-4e35-83c5-3790f9fe0c85 + taskid: 2185f514-b618-4943-8d08-b73bf84800be type: regular task: - id: b09ef410-6d9c-4e35-83c5-3790f9fe0c85 + id: 2185f514-b618-4943-8d08-b73bf84800be version: -1 name: Set Folders description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "16" @@ -1449,17 +1410,17 @@ tasks: isautoswitchedtoquietmode: false "38": id: "38" - taskid: 3df98c3e-16bf-44ee-88bd-32b674e4fe81 + taskid: bd4d883b-4ccb-4b16-8dfe-f4ebbe0bd9aa type: regular task: - id: 3df98c3e-16bf-44ee-88bd-32b674e4fe81 + id: bd4d883b-4ccb-4b16-8dfe-f4ebbe0bd9aa version: -1 name: Set Folders to n/a description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "16" 
@@ -1486,10 +1447,10 @@ tasks: isautoswitchedtoquietmode: false "39": id: "39" - taskid: f6cf2504-671d-4bc8-8cbd-5d189301538b + taskid: 6006ad53-3848-424f-88cd-0099d5d9c0e8 type: condition task: - id: f6cf2504-671d-4bc8-8cbd-5d189301538b + id: 6006ad53-3848-424f-88cd-0099d5d9c0e8 version: -1 name: Are there any folders? description: Determines if there is GCP folder information to set in the cloud field. @@ -1537,10 +1498,10 @@ tasks: isautoswitchedtoquietmode: false "40": id: "40" - taskid: 20bb9298-5550-4101-8048-1160bc7efbd2 + taskid: 4b0cefec-3f9e-4cdd-853e-23124ccf0356 type: title task: - id: 20bb9298-5550-4101-8048-1160bc7efbd2 + id: 4b0cefec-3f9e-4cdd-853e-23124ccf0356 version: -1 name: Service Owner - End type: title @@ -1568,17 +1529,17 @@ tasks: isautoswitchedtoquietmode: false "41": id: "41" - taskid: 3af103b6-cfc3-48bc-85ad-a81713b584a5 + taskid: 92e883bc-8f0b-475c-8563-83c54e67738e type: regular task: - id: 3af103b6-cfc3-48bc-85ad-a81713b584a5 + id: 92e883bc-8f0b-475c-8563-83c54e67738e version: -1 name: Set false flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "43" @@ -1608,17 +1569,17 @@ tasks: isautoswitchedtoquietmode: false "42": id: "42" - taskid: 78853ae1-0109-4973-889f-e47802a02ed9 + taskid: d4a8acf0-5ce6-41f6-8303-8380f6987003 type: regular task: - id: 78853ae1-0109-4973-889f-e47802a02ed9 + id: d4a8acf0-5ce6-41f6-8303-8380f6987003 version: -1 name: Set true flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "31" 
@@ -1647,10 +1608,10 @@ tasks: isautoswitchedtoquietmode: false "43": id: "43" - taskid: 9b7517ac-596d-4a50-82eb-2d7d017655c9 + taskid: 10062154-9400-408e-82bd-bbcdfdc3426c type: title task: - id: 9b7517ac-596d-4a50-82eb-2d7d017655c9 + id: 10062154-9400-408e-82bd-bbcdfdc3426c version: -1 name: System IDs - End type: title @@ -1665,8 +1626,8 @@ tasks: view: |- { "position": { - "x": 740, - "y": 3520 + "x": 680, + "y": 3550 } } note: false @@ -1678,10 +1639,10 @@ tasks: isautoswitchedtoquietmode: false "44": id: "44" - taskid: a88cde79-b96d-490a-88c9-19def4d2fb89 + taskid: 44d96677-4291-4292-82b3-314126bddbbe type: title task: - id: a88cde79-b96d-490a-88c9-19def4d2fb89 + id: 44d96677-4291-4292-82b3-314126bddbbe version: -1 name: Complete type: title @@ -1706,10 +1667,10 @@ tasks: isautoswitchedtoquietmode: false "45": id: "45" - taskid: a73a191c-627b-4d73-8601-f2c2c0f6408a + taskid: d5f18e36-63f0-4cd6-86fe-87eabda25991 type: title task: - id: a73a191c-627b-4d73-8601-f2c2c0f6408a + id: d5f18e36-63f0-4cd6-86fe-87eabda25991 version: -1 name: Closing Steps description: |- @@ -1739,20 +1700,20 @@ tasks: isautoswitchedtoquietmode: false "47": id: "47" - taskid: ea02266f-ae26-4a22-860f-ed3e1a47f5a0 + taskid: 7d7fa5d5-761e-40ea-83e8-7d385850c32b type: regular task: - id: ea02266f-ae26-4a22-860f-ed3e1a47f5a0 + id: 7d7fa5d5-761e-40ea-83e8-7d385850c32b version: -1 name: Set true flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - - "33" + - "61" scriptarguments: append: simple: "true" @@ -1766,7 +1727,7 @@ tasks: { "position": { "x": 950, - "y": 2470 + "y": 2150 } } note: false 
@@ -1778,17 +1739,17 @@ tasks: isautoswitchedtoquietmode: false "48": id: "48" - taskid: 605fdd07-8857-4e92-8b19-c77eb948ad50 + taskid: 897b04ae-8a53-4fc3-8795-382575d10131 type: regular task: - id: 605fdd07-8857-4e92-8b19-c77eb948ad50 + id: 897b04ae-8a53-4fc3-8795-382575d10131 version: -1 name: Set false flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "45" @@ -1817,10 +1778,10 @@ tasks: isautoswitchedtoquietmode: false "49": id: "49" - taskid: db653cd9-6004-40e6-845f-5f884d08a651 + taskid: b70ac807-5790-4911-8857-6a8ffdb790ba type: title task: - id: db653cd9-6004-40e6-845f-5f884d08a651 + id: b70ac807-5790-4911-8857-6a8ffdb790ba version: -1 name: Tags - End type: title @@ -1848,17 +1809,17 @@ tasks: isautoswitchedtoquietmode: false "50": id: "50" - taskid: 7f6510f5-0595-4816-871b-f486792ef99a + taskid: af1aed61-69fb-4e57-8356-44b6f20a506a type: regular task: - id: 7f6510f5-0595-4816-871b-f486792ef99a + id: af1aed61-69fb-4e57-8356-44b6f20a506a version: -1 name: Set true flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "51" @@ -1887,10 +1848,10 @@ tasks: isautoswitchedtoquietmode: false "51": id: "51" - taskid: dac4b39d-f266-479b-8778-6ad6ba2dd12e + taskid: aa8a0056-ecda-4b29-8724-685bf5d06e38 type: title task: - id: dac4b39d-f266-479b-8778-6ad6ba2dd12e + id: aa8a0056-ecda-4b29-8724-685bf5d06e38 version: -1 name: Private IP - End type: title 
@@ -1918,17 +1879,17 @@ tasks: isautoswitchedtoquietmode: false "52": id: "52" - taskid: 064712e8-0586-4b72-834a-de58a9652471 + taskid: 506d3fe5-bdec-49b2-861c-849b19e0f305 type: regular task: - id: 064712e8-0586-4b72-834a-de58a9652471 + id: 506d3fe5-bdec-49b2-861c-849b19e0f305 version: -1 name: Set true flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "49" @@ -1957,17 +1918,17 @@ tasks: isautoswitchedtoquietmode: false "53": id: "53" - taskid: 37644ea9-348f-4a94-8deb-21f573be270f + taskid: e3e7da5f-a1ad-4430-8164-45628affa501 type: regular task: - id: 37644ea9-348f-4a94-8deb-21f573be270f + id: e3e7da5f-a1ad-4430-8164-45628affa501 version: -1 name: Set true flag for completed enrichment description: Set a value in context under the key you entered. - scriptName: Set type: regular iscommand: false brand: "" + script: Set nexttasks: '#none#': - "54" @@ -1996,10 +1957,10 @@ tasks: isautoswitchedtoquietmode: false "54": id: "54" - taskid: fe2c5846-41cd-4a39-876c-0e360a24f1f0 + taskid: 81501384-d33f-4d7a-802e-8f74eaf24eb0 type: title task: - id: fe2c5846-41cd-4a39-876c-0e360a24f1f0 + id: 81501384-d33f-4d7a-802e-8f74eaf24eb0 version: -1 name: Cloud - End type: title 
@@ -2027,19 +1988,19 @@ tasks: isautoswitchedtoquietmode: false "55": id: "55" - taskid: 7384a454-2ea2-492a-8d65-b04330f1143e + taskid: e34b7dcb-5b10-4446-8660-6eaea683ec37 type: regular task: - id: 7384a454-2ea2-492a-8d65-b04330f1143e + id: e34b7dcb-5b10-4446-8660-6eaea683ec37 version: -1 name: Set ASM enrichment status to true description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "44" @@ -2072,10 +2033,10 @@ tasks: isautoswitchedtoquietmode: false "56": id: "56" - taskid: ee5d636a-5b87-475e-8ceb-c02fbec77866 + taskid: 3a2dbe45-2862-4aa4-8b4b-44a1ed6ac1b2 type: condition task: - id: ee5d636a-5b87-475e-8ceb-c02fbec77866 + id: 3a2dbe45-2862-4aa4-8b4b-44a1ed6ac1b2 version: -1 name: Was enrichment performed? description: Check if enrichment was performed by checking for a value of true in the relevant flag variable. 
@@ -2117,19 +2078,19 @@ tasks: isautoswitchedtoquietmode: false "57": id: "57" - taskid: dd64ebcd-d230-4865-80b3-fb7b2ffc5895 + taskid: 04e9afaa-2d98-4384-86d6-06985fbed673 type: regular task: - id: dd64ebcd-d230-4865-80b3-fb7b2ffc5895 + id: 04e9afaa-2d98-4384-86d6-06985fbed673 version: -1 name: Set ASM enrichment status to false description: |- Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. Instead of a value you can enter `TIMESTAMP` to get the current timestamp in ISO format. For example: `!GridFieldSetup keys=ip,src,timestamp val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" val3="TIMESTAMP" gridfiled="gridfield"` - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "44" @@ -2162,17 +2123,17 @@ tasks: isautoswitchedtoquietmode: false "58": id: "58" - taskid: 895dd0ef-da96-44a7-838d-1e0b7fc37313 + taskid: 11662ef5-6612-43ca-84d2-3a9f86bb9eee type: regular task: - id: 895dd0ef-da96-44a7-838d-1e0b7fc37313 + id: 11662ef5-6612-43ca-84d2-3a9f86bb9eee version: -1 name: Set system IDs grid field (type) description: Sets the type of cloud asset to the grid field for the ASM system IDs object. - scriptName: GridFieldSetup type: regular iscommand: false brand: Builtin + script: GridFieldSetup nexttasks: '#none#': - "20" @@ -2193,7 +2154,7 @@ tasks: { "position": { "x": 950, - "y": 835 + "y": 820 } } note: false @@ -2205,10 +2166,10 @@ tasks: isautoswitchedtoquietmode: false "59": id: "59" - taskid: 83f2b2a8-169d-4993-8e78-14bfa1cadb6e + taskid: 9abad720-b44e-4dac-897a-8a3a52a82612 type: condition task: - id: 83f2b2a8-169d-4993-8e78-14bfa1cadb6e + id: 9abad720-b44e-4dac-897a-8a3a52a82612 version: -1 name: Is there GCP subnet information? description: Determines if there is GCP subnet information to set in the system IDs field. 
@@ -2238,7 +2199,7 @@ tasks: { "position": { "x": 950, - "y": 2060 + "y": 1800 } } note: false @@ -2250,10 +2211,10 @@ tasks: isautoswitchedtoquietmode: false "60": id: "60" - taskid: 12b466a5-b53d-4190-800b-cac067479c4e + taskid: a7181458-aac4-4e37-830c-2244ea8b7d73 type: regular task: - id: 12b466a5-b53d-4190-800b-cac067479c4e + id: a7181458-aac4-4e37-830c-2244ea8b7d73 version: -1 name: Set hierarchy field description: commands.local.cmd.set.incident 
@@ -2297,6 +2258,94 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "61": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: GCPOffendingFirewallRule + operator: isExists + right: + value: {} + label: "yes" + continueonerrortype: "" + id: "61" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "33" + "yes": + - "62" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Determines if there are GCP potential offending firewall rule(s) found. + id: fb420c9a-7183-4b06-8393-1415ad5a83a1 + iscommand: false + name: Were GCP offending firewall rule(s) found? + type: condition + version: -1 + taskid: fb420c9a-7183-4b06-8393-1415ad5a83a1 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 950, + "y": 2330 + } + } + "62": + continueonerrortype: "" + id: "62" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "33" + note: false + quietmode: 0 + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: FIREWALL-RULE-NAME + val2: + simple: ${GCPOffendingFirewallRule} + val3: + simple: n/a + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: |- + Automation used to more easily populate a grid field. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. 
For example: + `!GridFieldSetup keys=ip,src val1=${AWS.EC2.Instances.NetworkInterfaces.PrivateIpAddress} val2="AWS" gridfiled="gridfield"` + id: d170a931-fa76-44bd-888d-d11c8cee7129 + iscommand: false + name: Set system IDs grid field (offending firewall rule(s)) + script: GridFieldSetup + type: regular + version: -1 + taskid: d170a931-fa76-44bd-888d-d11c8cee7129 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 950, + "y": 2520 + } + } view: |- { "linkLabelsPosition": { @@ -2310,6 +2359,7 @@ view: |- "39_38_#default#": 0.65, "3_17_yes": 0.76, "4_41_#default#": 0.31, + "59_22_yes": 0.49, "5_41_#default#": 0.41 }, "paper": { diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment_README.md index ed4de7862cb7..37c8e53ae922 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment_README.md +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_GCP_Enrichment_README.md @@ -14,13 +14,12 @@ This playbook does not use any integrations. ### Scripts -* GridFieldSetup * Set -* GetTime +GridFieldSetup ### Commands -This playbook does not use any commands. +setAlert ## Playbook Inputs diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_29.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_29.md new file mode 100644 index 000000000000..58551ace40c1 --- /dev/null +++ b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_29.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Cortex ASM - GCP Enrichment + +Updated the playbook to incorporate the outputs of the **GCPOffendingFirewallRule** script to store potential offending GCP firewall rules. 
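Review bot: Task "61" gates on `operator: isExists` for `GCPOffendingFirewallRule`, whereas the firewall guard this change removes from task "5" used `isNotEmpty`; an existing-but-empty key (for example an empty list when no rule matched) would take the `yes` branch and task "62" would write a grid row with an empty id, so `operator: isNotEmpty` is the safer check and matches the removed guard. In task "62", `val2` is `simple: ${GCPOffendingFirewallRule}` with no transformer, unlike the removed task "21" which used `complex:` with a `root:` and `- operator: uniq`; the same `complex:` form with `root: GCPOffendingFirewallRule` and `- operator: uniq` would keep duplicate rule names out of the system IDs grid. As a point of style, the two new tasks are serialized with keys in alphabetical order (`conditions`, `continueonerrortype`, `id`, …) while every existing task in this file uses the `id`, `taskid`, `type`, `task`, … order, so re-exporting them in the file's order would keep future diffs readable. Where `GCPOffendingFirewallRule` is produced is not visible in this diff — the release note calls it a script output, but the README hunk still lists only `Set` and `GridFieldSetup` — so presumably it comes from the `GCP - Enrichment` sub-playbook given the new `port`/`protocol` inputs; confirm that and name the source in the task "61" description.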
diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_GCP_Enrichment.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_GCP_Enrichment.png index 3e3b2e88baee..1f1f023df7fc 100644 Binary files a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_GCP_Enrichment.png and b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_GCP_Enrichment.png differ diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json index 309d303ed1b5..38dfed7651f2 100644 --- a/Packs/CortexAttackSurfaceManagement/pack_metadata.json +++ b/Packs/CortexAttackSurfaceManagement/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Cortex Attack Surface Management", "description": "Content for working with Attack Surface Management (ASM).", "support": "xsoar", - "currentVersion": "1.7.28", + "currentVersion": "1.7.29", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",