
Adding MSDE PBs for isolation and unisolation for devices #16144

Merged
merged 54 commits into from
May 18, 2022

Conversation

ssokolovich
Contributor

@ssokolovich ssokolovich commented Dec 5, 2021

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: #42389

Description

Added new files:

  • MSDE playbooks for isolation and unisolation.

Modified:

  • Common playbooks for isolation and unisolation.

Screenshots

Microsoft_Defender_For_Endpoint_-_Unisolate_Endpoint_Thu_Mar_03_2022
Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint_Thu_Mar_03_2022

Isolate_Endpoint_-_Generic_V2
Unisolate_Endpoint_-_Generic

Minimum version of Cortex XSOAR

  • 6.0.0
  • 6.1.0
  • 6.2.0
  • 6.5.0

Does it break backward compatibility?

  • Yes
    • Further details:
  • No

Must have

  • Tests
  • Documentation

- MSDE playbooks for isolation and unisolation
- new images of all playbooks
- README files

Modified:
- Common playbooks for isolation and unisolation
Contributor

@David-BMS David-BMS left a comment


  • Please add section headers to the MSDE playbooks

  • Consider adding incident fields for what was isolated and wasn't etc.
    Note[Sasha]: Should be taken as a part of our effort with !endpoint (since the information is not structured currently "under 1 roof").

  • Consider adding the isolation type as a playbook input, as it is supported in the command

  • Make sure to use the same terminology (Active Devices VS Non-valid Devices, Device active (single) vs non-active devices (plural))

For how the process of getting the host details works, let's validate when this can be developed; as it's low effort, maybe it can be added soon.

Doc review complete for this file, updated descriptions.
doc review complete for this file. Updated descriptions to align with the yaml file.
Doc review complete for this file, updated descriptions.
Doc review complete for this file, aligned the descriptions with the yaml file.
Doc review complete for this file, minor formatting updates.
Doc review complete for the playbook-Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint.yml file. @ssokolovich please confirm the following:
- Lines 314, 368, 591, 645, 695 - the description for **Set Active Device**, **Set Non-valid Devices**, **Set Incorrect ID**, **Set Incorrect IP**, **Set Incorrect Hostname** is "Set a value in context under the key you entered. If no value is entered, the script doesn't do anything.
  This automation runs using the default Limited User role, unless you explicitly change the permissions.
  For more information, see the section about permissions here:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html"

  This description is generic - should there be descriptions specific to these tasks?

- Line 500 - the description for **Check if there is any provided incorrect info** is "Check if there are any incorrect device IDs." - is this correct (incorrect info = incorrect device ID)?
- Line 903 - the description for **Was any data provided?** is "'Validate/Enrich inputs through !endpoint'" - this looks like a boolean task. Is it that if it returns yes, then the playbook returns the data?
@julieschwartz18
Contributor

julieschwartz18 commented May 11, 2022

@ssokolovich - waiting for your feedback on the descriptions for playbook-Microsoft_Defender_For_Endpoint_-_Isolate_Endpoint.yml and playbook-Microsoft_Defender_For_Endpoint_-_Unisolate_Endpoint.yml. Then will need to regenerate the README files to align with the yamls.

julieschwartz18 and others added 6 commits May 11, 2022 12:04
Doc review complete for the playbook-Microsoft_Defender_For_Endpoint_-_Unisolate_Endpoint.yml file. @ssokolovich - please confirm the following:
- Lines 278, 333, 501, 551, 605 - the description for **Set Unisolate list**, **Set Inactive Device list**, **Set Incorrect IP**, **Set Incorrect Hostname**, **Set Incorrect ID** is generic, should it be more specific?
- Line 399 - the simple description for  **Print those that can't be unisolated as are not active** is "The following devices can't be isolated...." - shouldn't it be "The following devices can't be unisolated..."?
- Line 659 - the description for **Check if there is any provided incorrect info** is "Check if there are any incorrect device IDs." - is incorrect info = incorrect device ID?
- Line 904 - the description for **Was any data provided?** is "'Validate/Enrich inputs through !endpoint'" - is this description correct?
doc review complete for this file. Minor formatting update
doc review complete for this file, minor formatting update
additional minor update
doc review complete for this file, aligned descriptions with the yaml files.
…ate_Unisolate_device

# Conflicts:
#	Packs/CommonPlaybooks/pack_metadata.json
#	Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_7_0.md
#### Playbooks
##### New: Microsoft Defender For Endpoint - Unisolate Endpoint
- This playbook will auto unisolate endpoints through Microsoft Defender For Endpoint by using hostnames, IPs, or Device IDs associated with the asset you wish to block (Available from Cortex XSOAR 6.2.0).
This playbook auto unisolates endpoints with **Microsoft Defender For Endpoint** by using the host name, IP, or device ID associated with the asset you want to block (Available from Cortex XSOAR 6.2.0).
Contributor Author


@julieschwartz18 - the 'block' at the end should be changed to 'unblock'.
Not sure also about the 'auto' term at the beginning. May I suggest 'This playbook will unisolate Microsoft Defender For Endpoint devices' .....

@ssokolovich ssokolovich merged commit 7ea07ac into master May 18, 2022
@ssokolovich ssokolovich deleted the MSDE_PB_Isolate_Unisolate_device branch May 18, 2022 19:42