From d3e909d6cb921faab17e0e83c81bdfd86277f5eb Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Mon, 15 May 2023 19:16:39 +0300 Subject: [PATCH 01/22] Playbooks --- .../Detect_&_Manage_Phishing_Campaigns.yml | 133 ++++---- .../Playbooks/Phishing_-_Generic_v3_6_5.yml | 307 +++++++++--------- .../Playbooks/Process_Email_-_Generic_v2.yml | 264 ++++++++++++--- 3 files changed, 425 insertions(+), 279 deletions(-) diff --git a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml index c4532fcfc18f..0920f9a216d2 100644 --- a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml +++ b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml @@ -38,6 +38,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "1": id: "1" taskid: dea6d568-f6a7-4fbc-89a1-181da70c9773 @@ -120,6 +121,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "2": id: "2" taskid: 1a9803be-d5d9-487d-8849-f838bcb8ef15 @@ -128,8 +130,7 @@ tasks: id: 1a9803be-d5d9-487d-8849-f838bcb8ef15 version: -1 name: Were similar incidents found? - description: Checks whether the email was found to be part of a bigger phishing - campaign. + description: Checks whether the email was found to be part of a bigger phishing campaign. type: condition iscommand: false brand: "" @@ -161,6 +162,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "3": id: "3" taskid: 1640dfa4-a4b1-4199-894e-560c6486f2ce 
@@ -169,8 +171,7 @@ tasks: id: 1640dfa4-a4b1-4199-894e-560c6486f2ce version: -1 name: Search for an existing campaign incident in XSOAR - description: Get the incident campaign's ID for the campaign that is linked - to at least one of the given incidents. + description: Get the incident campaign's ID for the campaign that is linked to at least one of the given incidents. scriptName: IsIncidentPartOfCampaign type: regular iscommand: false @@ -202,6 +203,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "5": id: "5" taskid: 25eca832-bd91-4574-88cd-5c160ee1a9e5 @@ -239,6 +241,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "6": id: "6" taskid: cdc4d170-de3d-45e0-8bac-70a669bf2191 @@ -282,6 +285,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "7": id: "7" taskid: c3405aa2-e455-41fc-80fb-c393a4f4a149 @@ -290,8 +294,7 @@ tasks: id: c3405aa2-e455-41fc-80fb-c393a4f4a149 version: -1 name: Is there an existing campaign incident? - description: Checks whether any of the similar phishing incidents are currently - linked to an existing phishing campaign. + description: Checks whether any of the similar phishing incidents are currently linked to an existing phishing campaign. type: condition iscommand: false brand: "" @@ -324,6 +327,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "8": id: "8" taskid: 571eafa4-5bad-4632-888c-6cdca60a8b89 @@ -354,6 +358,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "9": id: "9" taskid: dbac7d01-7029-4680-8853-f5f93e786cd7 @@ -401,6 +406,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "10": id: "10" taskid: 2a6a9377-03c3-4fbf-8f0e-9022c90a7890 
@@ -409,8 +415,7 @@ tasks: id: 2a6a9377-03c3-4fbf-8f0e-9022c90a7890 version: -1 name: Investigate new campaign incident - description: Start investigation of the campaign incident so that the data can - be changed. + description: Start investigation of the campaign incident so that the data can be changed. script: Builtin|||investigate type: regular iscommand: true @@ -438,6 +443,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "12": id: "12" taskid: e824c80a-1df8-4bb2-8314-aba3961a9e27 @@ -446,8 +452,7 @@ tasks: id: e824c80a-1df8-4bb2-8314-aba3961a9e27 version: -1 name: Link the phishing incidents to the campaign incident - description: Links the phishing incidents that were found in the campaign, to - the phishing campaign incident. + description: Links the phishing incidents that were found in the campaign, to the phishing campaign incident. script: Builtin|||linkIncidents type: regular iscommand: true @@ -496,6 +501,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "13": id: "13" taskid: bf08e4d5-db2c-4f32-88c4-b2bff0bd09db @@ -504,9 +510,7 @@ tasks: id: bf08e4d5-db2c-4f32-88c4-b2bff0bd09db version: -1 name: Can the found incidents be linked to the campaign? - description: Checks whether the detected Phishing incidents can be linked to - the Phishing Campaign incident by checking if the AutomaticallyLinkIncidents - playbook input is set to True. + description: Checks whether the detected Phishing incidents can be linked to the Phishing Campaign incident by checking if the AutomaticallyLinkIncidents playbook input is set to True. type: condition iscommand: false brand: "" @@ -543,6 +547,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "15": id: "15" taskid: 54a5ca08-5659-4aa4-85cb-dd5bff80d59f 
@@ -551,8 +556,7 @@ tasks: id: 54a5ca08-5659-4aa4-85cb-dd5bff80d59f version: -1 name: Resume Campaign Detections - description: Releases the phishing campaign lock to allow other phishing incidents - to detect and find campaigns. + description: Releases the phishing campaign lock to allow other phishing incidents to detect and find campaigns. type: title iscommand: false brand: "" @@ -576,6 +580,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "17": id: "17" taskid: efa98d6f-d321-4719-8858-adc0daafd732 @@ -606,6 +611,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "18": id: "18" taskid: 77e030e4-b3ab-4a48-81d7-2f9344916111 @@ -614,8 +620,7 @@ tasks: id: 77e030e4-b3ab-4a48-81d7-2f9344916111 version: -1 name: Update additional campaign layout sections - description: Updates the EmailCampaignSummary, EmailCampaignMutualIndicators - and EmailCampaignCanvas fields in the Phishing Campaign incident. + description: Updates the EmailCampaignSummary, EmailCampaignMutualIndicators and EmailCampaignCanvas fields in the Phishing Campaign incident. script: Builtin|||setIncident type: regular iscommand: true @@ -666,6 +671,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "19": id: "19" taskid: cb766233-14f3-499d-8f81-ad484901bd6c @@ -674,8 +680,7 @@ tasks: id: cb766233-14f3-499d-8f81-ad484901bd6c version: -1 name: Update additional campaign layout sections - description: Updates the EmailCampaignSummary, EmailCampaignMutualIndicators - and EmailCampaignCanvas fields in the Phishing Campaign incident. + description: Updates the EmailCampaignSummary, EmailCampaignMutualIndicators and EmailCampaignCanvas fields in the Phishing Campaign incident. script: Builtin|||setIncident type: regular iscommand: true 
@@ -720,6 +725,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "20": id: "20" taskid: dd0e0421-a858-44ad-8af1-c10f8050e6ad @@ -728,9 +734,7 @@ tasks: id: dd0e0421-a858-44ad-8af1-c10f8050e6ad version: -1 name: Can the found incidents be closed? - description: Checks whether the Phishing incidents that were detected can be - automatically closed. If the IncludeSelf parameter is set to True, the current - incident will also be closed. + description: Checks whether the Phishing incidents that were detected can be automatically closed. If the IncludeSelf parameter is set to True, the current incident will also be closed. type: condition iscommand: false brand: "" @@ -767,6 +771,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "21": id: "21" taskid: 937adf0c-aafe-4b00-80b5-5e82086c1ada @@ -775,8 +780,7 @@ tasks: id: 937adf0c-aafe-4b00-80b5-5e82086c1ada version: -1 name: Close all found phishing incidents - description: Closes all the phishing incidents that were found to be part of - the campaign. + description: Closes all the phishing incidents that were found to be part of the campaign. script: Builtin|||closeInvestigation type: regular iscommand: true @@ -809,6 +813,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "23": id: "23" taskid: 30f54b1e-f139-461d-8660-0ae632beecb1 @@ -866,6 +871,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "26": id: "26" taskid: a4f2e248-ec23-490c-84a2-d73d14fd4b9b @@ -874,8 +880,7 @@ tasks: id: a4f2e248-ec23-490c-84a2-d73d14fd4b9b version: -1 name: Is the Demsito Lock integration enabled? - description: Returns 'yes' if integration brand is available. Otherwise returns - 'no' + description: Returns 'yes' if integration brand is available. Otherwise returns 'no' scriptName: IsIntegrationAvailable type: condition iscommand: false 
@@ -905,6 +910,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "27": id: "27" taskid: 5b05490e-96f4-4032-84ff-b2a1bc739610 @@ -913,9 +919,7 @@ tasks: id: 5b05490e-96f4-4032-84ff-b2a1bc739610 version: -1 name: Lock campaign detection - description: Locks phishing incidents before searching campaigns to prevent - them from all being unable to find an existing campaign at the same time, - and creating multiple new campaign incidents. + description: Locks phishing incidents before searching campaigns to prevent them from all being unable to find an existing campaign at the same time, and creating multiple new campaign incidents. script: '|||demisto-lock-get' type: regular iscommand: true @@ -927,9 +931,7 @@ tasks: execution-timeout: simple: "9000" info: - simple: Locks phishing incidents before searching campaigns to prevent them - from all being unable to find an existing campaign at the same time, and - creating multiple new campaign incidents. + simple: Locks phishing incidents before searching campaigns to prevent them from all being unable to find an existing campaign at the same time, and creating multiple new campaign incidents. name: simple: Phishing - Campaign Detection timeout: @@ -949,6 +951,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "28": id: "28" taskid: e1fe8eaf-f6bf-41b1-8e3f-360465ac25db @@ -984,6 +987,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "29": id: "29" taskid: 009dbbe0-1090-4d46-84c9-a2596df628f7 @@ -992,8 +996,7 @@ tasks: id: 009dbbe0-1090-4d46-84c9-a2596df628f7 version: -1 name: Is the Demsito Lock integration enabled? - description: Returns 'yes' if integration brand is available. Otherwise returns - 'no' + description: Returns 'yes' if integration brand is available. Otherwise returns 'no' scriptName: IsIntegrationAvailable type: condition iscommand: false 
@@ -1023,6 +1026,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "30": id: "30" taskid: afa6aad3-6c3d-47a7-8cdb-895cc4019d7c @@ -1053,6 +1057,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" "32": id: "32" taskid: fb6a1586-e3f4-472f-898a-516cf7e647eb @@ -1080,6 +1085,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" view: |- { "linkLabelsPosition": { 
@@ -1105,53 +1111,42 @@ inputs: value: simple: "True" required: false - description: Whether to automatically link the incidents that make up the campaign, - to the phishing campaign incident. Can be True (default) or False. It is recommended - not to change the default. + description: Whether to automatically link the incidents that make up the campaign, to the phishing campaign incident. Can be True (default) or False. It is recommended not to change the default. playbookInputQuery: - key: incidentTypeFieldName value: simple: type required: false - description: The name of the incident field in which the incident type is stored. - Default is "type". Change this argument only if you're using a custom field for - specifying the incident type. + description: The name of the incident field in which the incident type is stored. Default is "type". Change this argument only if you're using a custom field for specifying the incident type. playbookInputQuery: - key: incidentTypes value: simple: Phishing required: false - description: A comma-separated list of incident types by which to filter. Specify - "None" to search through all incident types By default, the value is "Phishing" - because the Phishing incident type is used out of the box. + description: A comma-separated list of incident types by which to filter. Specify "None" to search through all incident types By default, the value is "Phishing" because the Phishing incident type is used out of the box. playbookInputQuery: - key: existingIncidentsLookback value: simple: 7 days ago required: false - description: 'The date from which to search for similar incidents. Date format is - the same as in the incidents query page. For example: "3 days ago", "2019-01-01T00:00:00 - +0200".' + description: 'The date from which to search for similar incidents. Date format is the same as in the incidents query page. For example: "3 days ago", "2019-01-01T00:00:00 +0200".' 
playbookInputQuery: - key: query value: {} required: false - description: Additional text by which to query incidents to find similar Phishing - incidents. Uses the same language to query incidents in the UI. + description: Additional text by which to query incidents to find similar Phishing incidents. Uses the same language to query incidents in the UI. playbookInputQuery: - key: limit value: simple: "1000" required: false - description: The maximum number of incidents to fetch. Determines how many incidents - can be checked for similarity at the time of execution. + description: The maximum number of incidents to fetch. Determines how many incidents can be checked for similarity at the time of execution. playbookInputQuery: - key: emailSubject value: simple: emailsubject required: false - description: The name of the incident field that contains the email subject. By - default this is `emailsubject` (because the email subject is stored under `${incident.emailsubject}`. + description: The name of the incident field that contains the email subject. By default this is `emailsubject` (because the email subject is stored under `${incident.emailsubject}`. playbookInputQuery: - key: emailBody value: @@ -1161,10 +1156,9 @@ inputs: playbookInputQuery: - key: emailBodyHTML value: - simple: emailbodyhtml + simple: emailhtml required: false - description: The name of the incident field that contains the HTML version of the - email body. + description: The name of the incident field that contains the HTML version of the email body. playbookInputQuery: - key: emailFrom value: 
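Review bot: Two of the reflowed input descriptions in this hunk carry over text defects rather than fixing them: the `incidentTypes` description runs "all incident types By default" together with no sentence break, and the `emailSubject` description opens a parenthesis it never closes. Since every description line here is already rewritten onto one line, this is the moment to correct them: `description: A comma-separated list of incident types by which to filter. Specify "None" to search through all incident types. By default, the value is "Phishing" because the Phishing incident type is used out of the box.` and, for `emailSubject`, a closing parenthesis after the `${incident.emailsubject}` reference. The `inputs` mapping continues into the following hunks.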
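Review bot: The `emailBodyHTML` default changes from `emailbodyhtml` to `emailhtml`, which alters which incident field is fed into the similarity comparison, yet the rewritten description on the next line does not mention the default and the surrounding hunks are otherwise pure reflow, so the change is easy to miss. The sibling `incidentTypeFieldName` input states its default in its description; mirror that style here: `description: The name of the incident field that contains the HTML version of the email body. Default is "emailhtml".` I cannot tell from the diff whether any deployment still populates `emailbodyhtml`; if it might, the change warrants a release-note entry since such callers would now have to pass the input explicitly.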
@@ -1176,40 +1170,31 @@ inputs: value: simple: All required: false - description: Whether to compare the new incident to closed incidents, non closed - incidents, or all incidents. Can be "All", "ClosedOnly", or "NonClosedOnly". Default - is "All". + description: Whether to compare the new incident to closed incidents, non closed incidents, or all incidents. Can be "All", "ClosedOnly", or "NonClosedOnly". Default is "All". playbookInputQuery: - key: threshold value: simple: "0.8" required: false - description: The threshold to consider an incident as similar. The range of values - is 0-1. If needed, make small adjustments and continue to evaluate the required - value. It is recommended not to change the default value of `0.8`.| + description: The threshold to consider an incident as similar. The range of values is 0-1. If needed, make small adjustments and continue to evaluate the required value. It is recommended not to change the default value of `0.8`.| playbookInputQuery: - key: maxIncidentsToReturn value: simple: "200" required: false - description: The maximum number of incidents to display as part of a campaign. If - a campaign includes a higher number of incidents, the results will contain only - these amounts of incidents. + description: The maximum number of incidents to display as part of a campaign. If a campaign includes a higher number of incidents, the results will contain only these amounts of incidents. playbookInputQuery: - key: minIncidentsForCampaign value: simple: "3" required: false - description: The minimum number of incidents to consider as a campaign. For example, - if you specify `10`, but only `9` similar incidents are found, the script will - not find them as part of a campaign.| + description: The minimum number of incidents to consider as a campaign. 
For example, if you specify `10`, but only `9` similar incidents are found, the script will not find them as part of a campaign.| playbookInputQuery: - key: minUniqueRecipients value: simple: "2" required: false - description: The minimum number of unique recipients of similar email incidents - to consider as a campaign. as a campaign. + description: The minimum number of unique recipients of similar email incidents to consider as a campaign. as a campaign. playbookInputQuery: - key: fieldsToDisplay value: @@ -1223,10 +1208,12 @@ inputs: value: simple: "False" required: false - description: Whether to automatically close the incidents that make up the campaign. - Can be True or False. + description: Whether to automatically close the incidents that make up the campaign. Can be True or False. playbookInputQuery: outputs: [] tests: -- Phishing Investigation - Generic v2 - Campaign Test -fromversion: 6.0.0 \ No newline at end of file +- No tests (auto formatted) +fromversion: 6.0.0 +contentitemexportablefields: + contentitemfields: {} +system: true diff --git a/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml b/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml index e3797587cbaf..318c1a239099 100644 --- a/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml +++ b/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml 
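Review bot: Three rewritten description lines in this hunk keep stray text: the `threshold` and `minIncidentsForCampaign` descriptions end with a dangling `|` after the final period (most likely a leftover block-scalar indicator that became literal text), and the `minUniqueRecipients` description repeats "as a campaign. as a campaign." Since these lines are being rewritten anyway, drop the trailing `|` on both and use `description: The minimum number of unique recipients of similar email incidents to consider as a campaign.` The `inputs` mapping starts in earlier hunks.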
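Review bot: The `tests` entry `Phishing Investigation - Generic v2 - Campaign Test` is replaced by `No tests (auto formatted)`, which removes this playbook's only test reference in the same patch that changes the `emailBodyHTML` default earlier in the file; keep `- Phishing Investigation - Generic v2 - Campaign Test` unless the removal is deliberate and explained in the commit message. The trailing additions `contentitemexportablefields: contentitemfields: {}` and `system: true` look like artefacts of a server export followed by an auto-format pass rather than intended content, and the next file in this patch (Phishing_-_Generic_v3_6_5.yml) removes the identical `contentitemexportablefields` block, so the two playbooks end up inconsistent. Pick one convention for both files.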
@@ -1,17 +1,15 @@ id: Phishing - Generic v3 version: -1 -contentitemexportablefields: - contentitemfields: {} name: Phishing - Generic v3 description: "This playbook investigates and remediates a potential phishing incident. It engages with the user who triggered the incident while investigating the incident itself.\n\nNote:\n- Final remediation tasks are manual by default. can be managed by \"SearchAndDelete\" and \"BlockIndicators\" inputs. \n- Do not rerun this playbook inside a phishing incident since it can produce an unexpected result. Create a new incident instead if needed." starttaskid: "0" tasks: "0": id: "0" - taskid: 1de7eceb-5dd5-43db-8427-7784a33e391c + taskid: 35f6ed2f-b731-4575-8f52-4eafc9f77c63 type: start task: - id: 1de7eceb-5dd5-43db-8427-7784a33e391c + id: 35f6ed2f-b731-4575-8f52-4eafc9f77c63 version: -1 name: "" iscommand: false @@ -38,10 +36,10 @@ tasks: isautoswitchedtoquietmode: false "2": id: "2" - taskid: c2c89771-779e-4684-8d06-36481ab03848 + taskid: acdfd24b-3c08-4ec1-8c89-09b63b1c8b4a type: regular task: - id: c2c89771-779e-4684-8d06-36481ab03848 + id: acdfd24b-3c08-4ec1-8c89-09b63b1c8b4a version: -1 name: Assign to analyst description: Assigns the incident to an analyst based on the analyst's organizational role. @@ -82,10 +80,10 @@ tasks: isautoswitchedtoquietmode: false "7": id: "7" - taskid: 412689a4-cf02-44b5-8e1e-d4ea0276b484 + taskid: 3da2ddc3-729e-4b34-8533-e4559119063f type: regular task: - id: 412689a4-cf02-44b5-8e1e-d4ea0276b484 + id: 3da2ddc3-729e-4b34-8533-e4559119063f version: -1 name: Manually review the incident description: Reviews the incident to determine if the email that the user reported is malicious. 
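Review bot: Every `taskid`/`id` pair in this file is replaced with a freshly generated UUID, starting with task "0" in this hunk and continuing through task "133" in the last hunk of this chunk; that is the signature of a re-export rather than an intended change, and it buries the file's only substantive edit, the removal of the `contentitemexportablefields` block at the top. I cannot tell from the diff whether anything references the old UUIDs, but the numeric task keys and `nexttasks` wiring are unaffected by the swap, so restoring the original `taskid` and `id` values would shrink this file's diff to the two removed lines and make the patch reviewable. If new IDs are genuinely required, say so in the commit message.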
@@ -113,10 +111,10 @@ tasks: isautoswitchedtoquietmode: false "8": id: "8" - taskid: 9a70b41d-9fe0-4952-82db-caf5d5a1e4ba + taskid: 0a552844-fef0-4417-8fad-6f919d1a052e type: regular task: - id: 9a70b41d-9fe0-4952-82db-caf5d5a1e4ba + id: 0a552844-fef0-4417-8fad-6f919d1a052e version: -1 name: Close investigation description: Closes the investigation. @@ -146,10 +144,10 @@ tasks: isautoswitchedtoquietmode: false "11": id: "11" - taskid: c9650f2b-6ef8-4496-8007-c1c7d247a382 + taskid: dcba756b-965e-41e7-8f09-de690dcad03a type: title task: - id: c9650f2b-6ef8-4496-8007-c1c7d247a382 + id: dcba756b-965e-41e7-8f09-de690dcad03a version: -1 name: Triage type: title @@ -177,10 +175,10 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: ad3de6f3-b823-4cb4-8246-ded32b1417e0 + taskid: 6d881b15-9d76-45fc-8a83-5559169a08e2 type: regular task: - id: ad3de6f3-b823-4cb4-8246-ded32b1417e0 + id: 6d881b15-9d76-45fc-8a83-5559169a08e2 version: -1 name: Acknowledge incident was received description: | @@ -222,10 +220,10 @@ tasks: isautoswitchedtoquietmode: false "15": id: "15" - taskid: 41bf9e09-118d-48c9-819a-ac9fa66faee0 + taskid: 41eca564-b3ea-4632-86b1-c2750672867c type: condition task: - id: 41bf9e09-118d-48c9-819a-ac9fa66faee0 + id: 41eca564-b3ea-4632-86b1-c2750672867c version: -1 name: Is the email malicious? description: Determines if the email is malicious based on the calculated severity. @@ -266,10 +264,10 @@ tasks: isautoswitchedtoquietmode: false "16": id: "16" - taskid: 30d7c68e-a84b-4fd7-828b-5318f43689fd + taskid: 3835c90c-ac59-4d42-8512-2e5a89310723 type: regular task: - id: 30d7c68e-a84b-4fd7-828b-5318f43689fd + id: 3835c90c-ac59-4d42-8512-2e5a89310723 version: -1 name: Update the user that the reported email is safe description: Sends an email to the user explaining that the email they reported is safe. 
@@ -318,10 +316,10 @@ tasks: isautoswitchedtoquietmode: false "18": id: "18" - taskid: d7a28b1b-9555-4730-8b67-0d256043e5a5 + taskid: d23a63b3-0e82-4b91-8359-a4546d3b63cd type: title task: - id: d7a28b1b-9555-4730-8b67-0d256043e5a5 + id: d23a63b3-0e82-4b91-8359-a4546d3b63cd version: -1 name: Engage with User type: title @@ -349,10 +347,10 @@ tasks: isautoswitchedtoquietmode: false "22": id: "22" - taskid: 61a095b2-22f4-4f7d-89fc-39bbeb814c1a + taskid: 5dfcd048-15e0-44fa-8afd-5b70b856b6f4 type: playbook task: - id: 61a095b2-22f4-4f7d-89fc-39bbeb814c1a + id: 5dfcd048-15e0-44fa-8afd-5b70b856b6f4 version: -1 name: Detonate File - Generic playbookName: Detonate File - Generic @@ -381,10 +379,10 @@ tasks: isautoswitchedtoquietmode: false "26": id: "26" - taskid: 21d6c60e-f099-4630-89ca-a4df4379e404 + taskid: b4fe1b06-1aef-4ba6-82ce-7d2972f0c792 type: playbook task: - id: 21d6c60e-f099-4630-89ca-a4df4379e404 + id: b4fe1b06-1aef-4ba6-82ce-7d2972f0c792 version: -1 name: Process Email - Generic v2 description: | @@ -483,10 +481,10 @@ tasks: isautoswitchedtoquietmode: false "27": id: "27" - taskid: 0afeccad-58a2-4c05-851f-e74e68e6b985 + taskid: 8ea98a36-7ff8-4393-8c32-fbac48a940ec type: title task: - id: 0afeccad-58a2-4c05-851f-e74e68e6b985 + id: 8ea98a36-7ff8-4393-8c32-fbac48a940ec version: -1 name: Remediation type: title @@ -517,10 +515,10 @@ tasks: isautoswitchedtoquietmode: false "28": id: "28" - taskid: 55bebeae-32f7-4c61-8034-9b616f6a4663 + taskid: f31acf06-07a4-4a50-8aa5-7bb7b9827474 type: playbook task: - id: 55bebeae-32f7-4c61-8034-9b616f6a4663 + id: f31acf06-07a4-4a50-8aa5-7bb7b9827474 version: -1 name: Search And Delete Emails - Generic v2 description: 'This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense' 
@@ -610,10 +608,10 @@ tasks: isautoswitchedtoquietmode: false "29": id: "29" - taskid: c6980b2d-260a-4978-81c6-5ac79f5a6984 + taskid: 979eec3e-078f-41f7-8007-db12c60ae36b type: title task: - id: c6980b2d-260a-4978-81c6-5ac79f5a6984 + id: 979eec3e-078f-41f7-8007-db12c60ae36b version: -1 name: Done type: title @@ -638,10 +636,10 @@ tasks: isautoswitchedtoquietmode: false "30": id: "30" - taskid: 8a0081a4-4e44-4e1c-80bc-13d9bdc89105 + taskid: 7ad9bfc9-dbe1-44a7-8416-b3b49826132f type: title task: - id: 8a0081a4-4e44-4e1c-80bc-13d9bdc89105 + id: 7ad9bfc9-dbe1-44a7-8416-b3b49826132f version: -1 name: Email Is Malicious type: title @@ -669,10 +667,10 @@ tasks: isautoswitchedtoquietmode: false "31": id: "31" - taskid: 4d2efdea-5293-424e-8ba3-49c2192a83a4 + taskid: b04e6322-402d-4d01-836b-76c74139c95c type: title task: - id: 4d2efdea-5293-424e-8ba3-49c2192a83a4 + id: b04e6322-402d-4d01-836b-76c74139c95c version: -1 name: Undetermined type: title @@ -700,10 +698,10 @@ tasks: isautoswitchedtoquietmode: false "33": id: "33" - taskid: 3945c2b1-79f8-4572-80b6-bde4a220f534 + taskid: 13ff12f2-695e-4a13-8f35-714e1bffeb23 type: condition task: - id: 3945c2b1-79f8-4572-80b6-bde4a220f534 + id: 13ff12f2-695e-4a13-8f35-714e1bffeb23 version: -1 name: Is the email malicious? description: Is the email that the user reported malicious? @@ -733,10 +731,10 @@ tasks: isautoswitchedtoquietmode: false "34": id: "34" - taskid: 8f9cdca2-c3cc-408b-8fc8-7620f3ac65be + taskid: bd51bc21-8579-491d-8d80-8c0173655957 type: regular task: - id: 8f9cdca2-c3cc-408b-8fc8-7620f3ac65be + id: bd51bc21-8579-491d-8d80-8c0173655957 version: -1 name: Manually search & delete emails description: Search for and delete emails with similar attributes of the malicious email using your existing email platfrom. for example - EWS, Office 365, Gmail etc. 
@@ -764,10 +762,10 @@ tasks: isautoswitchedtoquietmode: false "36": id: "36" - taskid: 4b95ae6d-2db9-42d4-8139-83982d390d18 + taskid: 5f22fd0a-2932-4314-8e29-1d41fbf217a1 type: condition task: - id: 4b95ae6d-2db9-42d4-8139-83982d390d18 + id: 5f22fd0a-2932-4314-8e29-1d41fbf217a1 version: -1 name: Should emails be searched and deleted? description: Checks whether the **SearchAndDelete** playbook input is set to True. @@ -809,10 +807,10 @@ tasks: isautoswitchedtoquietmode: false "39": id: "39" - taskid: cfd46b5e-ae0e-467f-8e2f-eb6ead60661d + taskid: 83ca7497-1cf4-446b-8234-83b3c32a873e type: title task: - id: cfd46b5e-ae0e-467f-8e2f-eb6ead60661d + id: 83ca7497-1cf4-446b-8234-83b3c32a873e version: -1 name: Start Detection Timer type: title @@ -843,10 +841,10 @@ tasks: isautoswitchedtoquietmode: false "43": id: "43" - taskid: da272c61-d18e-45bc-8a79-2fda9333e111 + taskid: a484ddea-b33f-4f56-8828-2beddb8923f9 type: title task: - id: da272c61-d18e-45bc-8a79-2fda9333e111 + id: a484ddea-b33f-4f56-8828-2beddb8923f9 version: -1 name: Stop Remediation Timer type: title @@ -876,10 +874,10 @@ tasks: isautoswitchedtoquietmode: false "52": id: "52" - taskid: f65300dc-97c6-434d-8f0c-aae33d67b0f5 + taskid: 903e3ea6-029d-441f-8cc7-458d66d04ba5 type: title task: - id: f65300dc-97c6-434d-8f0c-aae33d67b0f5 + id: 903e3ea6-029d-441f-8cc7-458d66d04ba5 version: -1 name: Indicator Enrichment type: title @@ -907,10 +905,10 @@ tasks: isautoswitchedtoquietmode: false "53": id: "53" - taskid: 79f50251-09d0-42cd-8f5a-ac394c04e9eb + taskid: 194e2b52-c3a3-4bd1-8c33-c0c210023836 type: playbook task: - id: 79f50251-09d0-42cd-8f5a-ac394c04e9eb + id: 194e2b52-c3a3-4bd1-8c33-c0c210023836 version: -1 name: Email Address Enrichment - Generic v2.1 description: |- 
@@ -959,10 +957,10 @@ tasks: isautoswitchedtoquietmode: false "55": id: "55" - taskid: bb40f218-f28c-40a8-8708-6e04c5efe8ee + taskid: 099a4d5b-9560-48b1-85bf-2df0295813b2 type: playbook task: - id: bb40f218-f28c-40a8-8708-6e04c5efe8ee + id: 099a4d5b-9560-48b1-85bf-2df0295813b2 version: -1 name: Extract Indicators From File - Generic v2 description: |- @@ -1005,10 +1003,10 @@ tasks: isautoswitchedtoquietmode: false "56": id: "56" - taskid: 7dce4a68-0b0f-4dd2-8414-f1bae499705b + taskid: b8332f19-1dfa-473c-8c48-5d7d8a5ab004 type: title task: - id: 7dce4a68-0b0f-4dd2-8414-f1bae499705b + id: b8332f19-1dfa-473c-8c48-5d7d8a5ab004 version: -1 name: Investigation type: title @@ -1041,10 +1039,10 @@ tasks: isautoswitchedtoquietmode: false "79": id: "79" - taskid: 7d5430f6-05ad-43b0-8981-5ff4ca279b02 + taskid: ca2447a5-6fae-4d46-83c8-9549108c9779 type: condition task: - id: 7d5430f6-05ad-43b0-8981-5ff4ca279b02 + id: ca2447a5-6fae-4d46-83c8-9549108c9779 version: -1 name: Should the email be authenticated? description: Checks whether the email should be authenticated using DKIM, SPF, and DMARC. This checks if "AuthenticateEmail" output is set to "True" and if there are headers from an email to authenticate. @@ -1093,10 +1091,10 @@ tasks: isautoswitchedtoquietmode: false "80": id: "80" - taskid: 3199b5c9-d960-48cf-86a0-50f7ef9976c4 + taskid: 270e4d47-68f5-4428-853e-3b0b82b1b023 type: title task: - id: 3199b5c9-d960-48cf-86a0-50f7ef9976c4 + id: 270e4d47-68f5-4428-853e-3b0b82b1b023 version: -1 name: Email Authenticity Check type: title @@ -1124,10 +1122,10 @@ tasks: isautoswitchedtoquietmode: false "82": id: "82" - taskid: c8261d04-9c8d-4ea0-8c93-c63ce450c2b2 + taskid: 2d9aa7c6-1b8d-416f-85ea-35ae740b9010 type: regular task: - id: c8261d04-9c8d-4ea0-8c93-c63ce450c2b2 + id: 2d9aa7c6-1b8d-416f-85ea-35ae740b9010 version: -1 name: Authenticate email description: Checks the authenticity of an email based on the email's SPF, DMARC, and DKIM. 
@@ -1167,10 +1165,10 @@ tasks: isautoswitchedtoquietmode: false "83": id: "83" - taskid: 970b2c8f-2a4d-422e-838b-5b3789d31391 + taskid: 4f28fe6e-126a-4493-886d-e6b17a77f972 type: regular task: - id: 970b2c8f-2a4d-422e-838b-5b3789d31391 + id: 4f28fe6e-126a-4493-886d-e6b17a77f972 version: -1 name: Save authenticity check result to incident field description: Saves the email authenticity verdict in an incident field. @@ -1242,10 +1240,10 @@ tasks: isautoswitchedtoquietmode: false "84": id: "84" - taskid: e3764474-07ff-4c01-8f63-314ce3930612 + taskid: c2570447-01e6-4f66-8a48-4c0edcca1dbe type: playbook task: - id: e3764474-07ff-4c01-8f63-314ce3930612 + id: c2570447-01e6-4f66-8a48-4c0edcca1dbe version: -1 name: Calculate Severity - Generic v2 playbookName: Calculate Severity - Generic v2 @@ -1274,10 +1272,10 @@ tasks: isautoswitchedtoquietmode: false "85": id: "85" - taskid: 8a356572-82b3-4bcb-8d4c-3be1d7c9759c + taskid: 53172145-5ff6-4e91-812b-600ac03e5708 type: regular task: - id: 8a356572-82b3-4bcb-8d4c-3be1d7c9759c + id: 53172145-5ff6-4e91-812b-600ac03e5708 version: -1 name: Save reporter email address in field description: Saves the email address of the email reporter in an incident field. @@ -1315,10 +1313,10 @@ tasks: isautoswitchedtoquietmode: false "88": id: "88" - taskid: a559978b-ee2b-4aea-86a3-2e0e11792426 + taskid: 4352ddf7-191e-4b2a-88f6-7acdb7a8761b type: title task: - id: a559978b-ee2b-4aea-86a3-2e0e11792426 + id: 4352ddf7-191e-4b2a-88f6-7acdb7a8761b version: -1 name: Machine Learning type: title @@ -1346,10 +1344,10 @@ tasks: isautoswitchedtoquietmode: false "92": id: "92" - taskid: 2882a1aa-fa10-46a4-8433-63e9006a104b + taskid: 50ddb1ae-3a66-49db-8a8f-d20acfb9b92d type: playbook task: - id: 2882a1aa-fa10-46a4-8433-63e9006a104b + id: 50ddb1ae-3a66-49db-8a8f-d20acfb9b92d version: -1 name: Entity Enrichment - Phishing v2 description: Enrich entities using one or more integrations 
@@ -1459,10 +1457,10 @@ tasks: isautoswitchedtoquietmode: false "97": id: "97" - taskid: 0e1be0d2-b53f-4906-82a3-45f5e9f7f1b1 + taskid: 910e8765-b3b8-4838-8357-6f46998e84a7 type: title task: - id: 0e1be0d2-b53f-4906-82a3-45f5e9f7f1b1 + id: 910e8765-b3b8-4838-8357-6f46998e84a7 version: -1 name: Block Indicators type: title @@ -1490,10 +1488,10 @@ tasks: isautoswitchedtoquietmode: false "98": id: "98" - taskid: c76a7049-1448-41cd-8d9f-7a65be7ce808 + taskid: 6fbaaed5-2eab-4d4d-8ee2-50e4ab9e2fde type: title task: - id: c76a7049-1448-41cd-8d9f-7a65be7ce808 + id: 6fbaaed5-2eab-4d4d-8ee2-50e4ab9e2fde version: -1 name: Search & Delete Email type: title @@ -1521,10 +1519,10 @@ tasks: isautoswitchedtoquietmode: false "101": id: "101" - taskid: c8231b7e-4ec4-4d15-838c-517280a1618c + taskid: e7b426e2-6807-4c28-80dc-ed3717db8e5a type: title task: - id: c8231b7e-4ec4-4d15-838c-517280a1618c + id: e7b426e2-6807-4c28-80dc-ed3717db8e5a version: -1 name: Email Campaign Search type: title @@ -1552,10 +1550,10 @@ tasks: isautoswitchedtoquietmode: false "126": id: "126" - taskid: 6bbdb96d-f6c3-40d5-8fae-9504691e0d01 + taskid: 755d4399-51db-4717-894c-e910edf1d7a9 type: playbook task: - id: 6bbdb96d-f6c3-40d5-8fae-9504691e0d01 + id: 755d4399-51db-4717-894c-e910edf1d7a9 version: -1 name: Detect & Manage Phishing Campaigns description: |- @@ -1598,10 +1596,10 @@ tasks: isautoswitchedtoquietmode: false "131": id: "131" - taskid: facfcc4c-908f-43bb-820e-13ea738f5393 + taskid: 3d5af7e8-0ccd-4988-8671-a8e6ada68fc5 type: title task: - id: facfcc4c-908f-43bb-820e-13ea738f5393 + id: 3d5af7e8-0ccd-4988-8671-a8e6ada68fc5 version: -1 name: Microsoft's Headers Check type: title 
@@ -1629,10 +1627,10 @@ tasks: isautoswitchedtoquietmode: false "132": id: "132" - taskid: a2c4cb6b-ebcd-4626-846d-8f7163f33ec2 + taskid: 932c677d-074b-482a-80c4-7d7a080b988a type: condition task: - id: a2c4cb6b-ebcd-4626-846d-8f7163f33ec2 + id: 932c677d-074b-482a-80c4-7d7a080b988a version: -1 name: Check Microsoft's Headers? description: Whether to check Microsoft's proprietary email headers. 
@@ -1673,10 +1671,10 @@ tasks: isautoswitchedtoquietmode: false "133": id: "133" - taskid: 0adbc122-d00f-464b-84dc-0b9212e9615b + taskid: c176d816-7abb-4c4b-898f-4e6923552f95 type: playbook task: - id: 0adbc122-d00f-464b-84dc-0b9212e9615b + id: c176d816-7abb-4c4b-898f-4e6923552f95 version: -1 name: Process Microsoft's Anti-Spam Headers description: "This playbook stores the SCL, BCL, and PCL scores if they exist to the associated incident fields (Phishing SCL Score, Phishing PCL Score, and Phishing BCL Score).\nIt also does the following:\n1) Sets the email classification to \"spam\" if the SCL score is equal to or greater than 5.\n2) Sets the incident severity according to the playbook inputs (default is: PCL/BCL - Medium, SCL - Low). The severity of the incident is set only when one (or more) of the following occurs:\n - PCL (Phishing Confidence Level) score between and including 4-8: The message content is likely to be phishing.\n - [BCL](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values?view=o365-worldwide) (Bulk Complaint Level) score between and including 4-7: The message is from a bulk sender that generates a mixed number of complaints. \n For a score between and including 8-9: The message is from a bulk sender that generates a high number of complaints.\n - [SCL](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels?view=o365-worldwide) (Spam Confidence Level) score between and including 5-6: Spam filtering marks the message as spam. \n For a score of 9: Spam filtering marks the message as high confidence spam. See [anti-spam stamps](https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019)." 
@@ -1705,10 +1703,10 @@ tasks: isautoswitchedtoquietmode: false "135": id: "135" - taskid: a7af8e52-9693-46d3-8532-25e557d91136 + taskid: f2075a81-8e36-4029-8a22-69856ce0c05c type: playbook task: - id: a7af8e52-9693-46d3-8532-25e557d91136 + id: f2075a81-8e36-4029-8a22-69856ce0c05c version: -1 name: Detonate URL - Generic description: This playbook detonates URLs using active integrations that support URL detonation. @@ -1748,10 +1746,10 @@ tasks: isautoswitchedtoquietmode: false "137": id: "137" - taskid: beafe4ee-c41d-4691-845b-a4441cc2904e + taskid: f021a518-77b3-4e39-8448-2c723aa231af type: condition task: - id: beafe4ee-c41d-4691-845b-a4441cc2904e + id: f021a518-77b3-4e39-8448-2c723aa231af version: -1 name: Detonate URL? description: Whether to detonate URLs in supported sandboxes. @@ -1793,10 +1791,10 @@ tasks: isautoswitchedtoquietmode: false "148": id: "148" - taskid: 2d396b3f-9b41-4567-87f6-0085debc2cbd + taskid: 0bef7402-740c-44e7-8eb8-82c5a1f8b1ae type: regular task: - id: 2d396b3f-9b41-4567-87f6-0085debc2cbd + id: 0bef7402-740c-44e7-8eb8-82c5a1f8b1ae version: -1 name: Update the user that the reported email is malicious description: Sends an email to the user explaining that the email they reported is malicious. @@ -1843,10 +1841,10 @@ tasks: isautoswitchedtoquietmode: false "149": id: "149" - taskid: 85a88cc4-822e-45d3-8c91-2ea8429fb5de + taskid: 3cafb4a7-844e-444a-8a01-859075857e59 type: condition task: - id: 85a88cc4-822e-45d3-8c91-2ea8429fb5de + id: 3cafb4a7-844e-444a-8a01-859075857e59 version: -1 name: Can the user be informed about the verdict? description: Checks whether the user can be informed about the verdict of the incident. 
@@ -1925,10 +1923,10 @@ tasks: isautoswitchedtoquietmode: false "150": id: "150" - taskid: 8690c7f2-7d21-479e-8ebb-5ead69f4d365 + taskid: 340bf6f8-bdca-48f2-86b7-fceb045e6cab type: regular task: - id: 8690c7f2-7d21-479e-8ebb-5ead69f4d365 + id: 340bf6f8-bdca-48f2-86b7-fceb045e6cab version: -1 name: Update the user that the email is a malicious campaign description: Sends an email to the user explaining that the email they reported is malicious. @@ -1975,10 +1973,10 @@ tasks: isautoswitchedtoquietmode: false "151": id: "151" - taskid: 24f60f13-9374-4819-8f45-1661e29a5297 + taskid: e351cca4-6a09-40f3-82c9-2a5b47390ce0 type: condition task: - id: 24f60f13-9374-4819-8f45-1661e29a5297 + id: e351cca4-6a09-40f3-82c9-2a5b47390ce0 version: -1 name: Can the user be informed about the verdict? description: Checks whether the user can be informed about the verdict of the incident. @@ -2030,10 +2028,10 @@ tasks: isautoswitchedtoquietmode: false "152": id: "152" - taskid: 2b316bdf-fc22-44c7-8991-38bac2e1947d + taskid: 08fb57b9-6f25-45a0-8e87-30b1b7d5d874 type: condition task: - id: 2b316bdf-fc22-44c7-8991-38bac2e1947d + id: 08fb57b9-6f25-45a0-8e87-30b1b7d5d874 version: -1 name: Check if original email was retrieved description: Checks if the original email was retrieved using the email listener integration. @@ -2073,10 +2071,10 @@ tasks: isautoswitchedtoquietmode: false "153": id: "153" - taskid: 54c0f37b-b540-413b-8d1d-ff2f3c44e100 + taskid: 52489dc2-a128-4d5f-8de0-5154a62c582b type: condition task: - id: 54c0f37b-b540-413b-8d1d-ff2f3c44e100 + id: 52489dc2-a128-4d5f-8de0-5154a62c582b version: -1 name: Did domain-squatting occur? description: Checks whether the attacker tried to squat another domain involved in this incident. 
@@ -2143,10 +2141,10 @@ tasks: isautoswitchedtoquietmode: false "154": id: "154" - taskid: 74f8be3e-bd84-492b-8e45-e6ebd2d4cdd9 + taskid: 7829ed88-8994-4d0c-8805-736cb9ff1da7 type: title task: - id: 74f8be3e-bd84-492b-8e45-e6ebd2d4cdd9 + id: 7829ed88-8994-4d0c-8805-736cb9ff1da7 version: -1 name: Domain-squatting type: title @@ -2174,10 +2172,10 @@ tasks: isautoswitchedtoquietmode: false "155": id: "155" - taskid: b58fc3ce-c37a-46c4-839b-ea035ef824de + taskid: 0439fba3-e3ae-4f2d-82aa-b8d75aac4f81 type: regular task: - id: b58fc3ce-c37a-46c4-839b-ea035ef824de + id: 0439fba3-e3ae-4f2d-82aa-b8d75aac4f81 version: -1 name: Save domain-squatting result to incident field description: commands.local.cmd.set.incident @@ -2257,10 +2255,10 @@ tasks: isautoswitchedtoquietmode: false "157": id: "157" - taskid: da6b5b52-1e6b-49b3-8b06-e05fa81f57fe + taskid: 2d1d5b0f-14a0-4b75-8861-9057e3ab1376 type: title task: - id: da6b5b52-1e6b-49b3-8b06-e05fa81f57fe + id: 2d1d5b0f-14a0-4b75-8861-9057e3ab1376 version: -1 name: Reporter Address specified type: title @@ -2289,10 +2287,10 @@ tasks: isautoswitchedtoquietmode: false "160": id: "160" - taskid: a549cbfe-fd79-4ccc-8701-5998ed42e51d + taskid: ab7cc271-03ad-4102-833c-5be700a30d58 type: playbook task: - id: a549cbfe-fd79-4ccc-8701-5998ed42e51d + id: ab7cc271-03ad-4102-833c-5be700a30d58 version: -1 name: Phishing - Machine Learning Analysis playbookName: Phishing - Machine Learning Analysis @@ -2350,10 +2348,10 @@ tasks: isautoswitchedtoquietmode: false "161": id: "161" - taskid: de1d06a0-e330-4fcc-8583-40f697e2342f + taskid: eb4102e0-7169-4427-8ee0-f3ff6b0aa827 type: condition task: - id: de1d06a0-e330-4fcc-8583-40f697e2342f + id: eb4102e0-7169-4427-8ee0-f3ff6b0aa827 version: -1 name: Was the reporter of the phishing email specified? description: Checks whether the email address of the phishing email reporter was specified on incident creation, so that an acknowledgement email can be sent to them. 
@@ -2422,16 +2420,16 @@ tasks: isautoswitchedtoquietmode: false "162": id: "162" - taskid: 16c50c85-20d5-4abe-874d-ff7033a668b4 + taskid: 6f2d639f-95bc-4f92-8b17-c4fb3b5bbf36 type: condition task: - id: 16c50c85-20d5-4abe-874d-ff7033a668b4 + id: 6f2d639f-95bc-4f92-8b17-c4fb3b5bbf36 version: -1 name: Was a file with macro found? + description: "" type: condition iscommand: false brand: "" - description: "" nexttasks: '#default#': - "52" @@ -2465,10 +2463,10 @@ tasks: isautoswitchedtoquietmode: false "163": id: "163" - taskid: bd58f4b7-8f39-4650-8766-836143279d85 + taskid: b2aaa263-e105-494c-8f40-7ebb732b3421 type: regular task: - id: bd58f4b7-8f39-4650-8766-836143279d85 + id: b2aaa263-e105-494c-8f40-7ebb732b3421 version: -1 name: Set Macro Source Code field description: commands.local.cmd.set.incident @@ -2502,10 +2500,10 @@ tasks: isautoswitchedtoquietmode: false "170": id: "170" - taskid: b52489d5-597e-468b-8ba5-3f3277ff2890 + taskid: 4f046dd7-c435-4028-8cb5-b4a53680f7b3 type: title task: - id: b52489d5-597e-468b-8ba5-3f3277ff2890 + id: 4f046dd7-c435-4028-8cb5-b4a53680f7b3 version: -1 name: Email Indicators Hunting type: title @@ -2533,16 +2531,16 @@ tasks: isautoswitchedtoquietmode: false "179": id: "179" - taskid: ca0d4a0f-2c78-49de-8792-63b4eb33720b + taskid: 256f1b7e-fb6f-42c1-8753-a5e9dc9107e9 type: condition task: - id: ca0d4a0f-2c78-49de-8792-63b4eb33720b + id: 256f1b7e-fb6f-42c1-8753-a5e9dc9107e9 version: -1 name: Hunt email indicators? + description: "" type: condition iscommand: false brand: "" - description: "" nexttasks: '#default#': - "84" @@ -2663,10 +2661,10 @@ tasks: isautoswitchedtoquietmode: false "211": id: "211" - taskid: b48c1fe5-04a9-45a5-8065-ba32f45a9697 + taskid: 5b6df47a-fc67-43be-89b1-cc6e596142de type: playbook task: - id: b48c1fe5-04a9-45a5-8065-ba32f45a9697 + id: 5b6df47a-fc67-43be-89b1-cc6e596142de version: -1 name: Phishing - Indicators Hunting description: | 
@@ -2724,10 +2722,10 @@ tasks: isautoswitchedtoquietmode: false "212": id: "212" - taskid: fb5399de-7b6d-4c38-8d94-81f79246c46c + taskid: 879287c6-d862-4d2d-88bb-269f08a7669f type: regular task: - id: fb5399de-7b6d-4c38-8d94-81f79246c46c + id: 879287c6-d862-4d2d-88bb-269f08a7669f version: -1 name: Set Listener Mailbox description: In order to exclude the listener mailbox from hunting actions, it is needed to save it (before it changes) in a dedicated field. @@ -2754,13 +2752,13 @@ tasks: value: simple: incident.emailto iscontext: true - equals: { } + equals: {} lhs: value: simple: inputs.ListenerMailbox iscontext: true - options: { } - rhs: { } + options: {} + rhs: {} then: value: simple: inputs.ListenerMailbox @@ -2783,10 +2781,10 @@ tasks: isautoswitchedtoquietmode: false "213": id: "213" - taskid: 3236a5b0-5234-448d-8842-67142d698e5d + taskid: 8b00b280-841c-419b-82b8-43f54d59ff97 type: playbook task: - id: 3236a5b0-5234-448d-8842-67142d698e5d + id: 8b00b280-841c-419b-82b8-43f54d59ff97 version: -1 name: Block Indicators - Generic v3 description: |+ @@ -3015,13 +3013,12 @@ tasks: isautoswitchedtoquietmode: false "214": id: "214" - taskid: d52768e3-e3b4-4ef1-8b97-9f6acbc14e88 + taskid: 599e80ea-091c-4aa7-8e29-2aa3c87d7eb9 type: condition task: - id: d52768e3-e3b4-4ef1-8b97-9f6acbc14e88 + id: 599e80ea-091c-4aa7-8e29-2aa3c87d7eb9 version: -1 name: Phishing email sender address exist? - description: '' type: condition iscommand: false brand: "" @@ -3058,10 +3055,10 @@ tasks: isautoswitchedtoquietmode: false "215": id: "215" - taskid: 04d6d0cd-28fb-4473-8a27-cfe1b8f16460 + taskid: c619c33f-acc4-4326-8f79-e47cda8c539b type: regular task: - id: 04d6d0cd-28fb-4473-8a27-cfe1b8f16460 + id: c619c33f-acc4-4326-8f79-e47cda8c539b version: -1 name: Set phishing email sender address verdict as malicious description: commands.local.cmd.set.indicator 
@@ -3097,10 +3094,10 @@ tasks: isautoswitchedtoquietmode: false "216": id: "216" - taskid: 774d29ad-0044-48f0-8ed8-8bde43ca7fb8 + taskid: 6d36bb6d-568c-49ae-8352-e9b9f2b8df24 type: title task: - id: 774d29ad-0044-48f0-8ed8-8bde43ca7fb8 + id: 6d36bb6d-568c-49ae-8352-e9b9f2b8df24 version: -1 name: Threat Intelligence Analysis type: title @@ -3128,10 +3125,10 @@ tasks: isautoswitchedtoquietmode: false "217": id: "217" - taskid: f18ca3f8-df34-40f4-8466-57f1140952a8 + taskid: a6b22f25-3e3a-49c1-8d2a-937daa2bb0f6 type: playbook task: - id: f18ca3f8-df34-40f4-8466-57f1140952a8 + id: a6b22f25-3e3a-49c1-8d2a-937daa2bb0f6 version: -1 name: TIM - Indicator Relationships Analysis playbookName: TIM - Indicator Relationships Analysis @@ -3185,16 +3182,15 @@ tasks: isautoswitchedtoquietmode: false "218": id: "218" - taskid: 44a904d8-10cd-4f8c-8d9f-1560df2b6d40 + taskid: f0fcffd7-6b05-45d8-8a9b-9d21165bf2a2 type: condition task: - id: 44a904d8-10cd-4f8c-8d9f-1560df2b6d40 + id: f0fcffd7-6b05-45d8-8a9b-9d21165bf2a2 version: -1 name: Incident indicators related to campaign/report from TIM? type: condition iscommand: false brand: "" - description: '' nexttasks: '#default#': - "84" @@ -3233,10 +3229,10 @@ tasks: isautoswitchedtoquietmode: false "219": id: "219" - taskid: 5d9db4d3-8f4c-4835-815f-874362252bae + taskid: 8ba6c274-aa36-4453-8954-0b2abb748e6b type: regular task: - id: 5d9db4d3-8f4c-4835-815f-874362252bae + id: 8ba6c274-aa36-4453-8954-0b2abb748e6b version: -1 name: Set Threat Intel findings to layout description: commands.local.cmd.set.incident @@ -3273,16 +3269,15 @@ tasks: isautoswitchedtoquietmode: false "220": id: "220" - taskid: 224a0570-4019-4dc8-8d76-5f44f766859e + taskid: 4cb402b3-246b-46fe-8d0d-16c5e112f543 type: condition task: - id: 224a0570-4019-4dc8-8d76-5f44f766859e + id: 4cb402b3-246b-46fe-8d0d-16c5e112f543 version: -1 name: Automatically block indicators? type: condition iscommand: false brand: "" - description: '' nexttasks: '#default#': - "221" 
@@ -3319,10 +3314,10 @@ tasks: isautoswitchedtoquietmode: false "221": id: "221" - taskid: 92133fbe-7c78-4df5-89e3-3c7b82629767 + taskid: 44056ed3-32ca-4e54-813a-4e4d04ab4808 type: regular task: - id: 92133fbe-7c78-4df5-89e3-3c7b82629767 + id: 44056ed3-32ca-4e54-813a-4e4d04ab4808 version: -1 name: Set all indicators to semi-automated block options description: Set a value in context under the key you entered. @@ -3382,10 +3377,10 @@ tasks: isautoswitchedtoquietmode: false "222": id: "222" - taskid: 8b370acf-362f-45b2-81f6-10f886fb4d58 + taskid: c355c3ae-fc8b-4d0f-8b65-b76752478311 type: condition task: - id: 8b370acf-362f-45b2-81f6-10f886fb4d58 + id: c355c3ae-fc8b-4d0f-8b65-b76752478311 version: -1 name: Engage with the user? description: Checks whether to inform the user about the verdict of the incident. @@ -3435,16 +3430,15 @@ tasks: isautoswitchedtoquietmode: false "223": id: "223" - taskid: 04046165-90c9-4bcc-8aad-fdf13f03568c + taskid: 8da352fc-3775-4503-8215-3227c80c1426 type: condition task: - id: 04046165-90c9-4bcc-8aad-fdf13f03568c + id: 8da352fc-3775-4503-8215-3227c80c1426 version: -1 name: Pause to manually perform additional actions? type: condition iscommand: false brand: "" - description: '' nexttasks: '#default#': - "8" @@ -3481,10 +3475,10 @@ tasks: isautoswitchedtoquietmode: false "224": id: "224" - taskid: 29be8530-7a2a-4454-81cf-90f3478b7c8b + taskid: f7d84d5d-0392-4bf2-8316-023d3907d7e4 type: regular task: - id: 29be8530-7a2a-4454-81cf-90f3478b7c8b + id: f7d84d5d-0392-4bf2-8316-023d3907d7e4 version: -1 name: Take manual actions description: 'Take notes and additional necessary manual actions before continuing. Once this task will be completed, the incident will be closed.' 
@@ -3714,9 +3708,7 @@ inputs: - key: SendMailInstance value: {} required: false - description: The name of the instance to be used when executing the "send-mail" - command in the playbook. In case it will be empty, all available instances will - be used (default). + description: The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used (default). playbookInputQuery: - key: OriginalAuthenticationHeader value: {} @@ -3743,6 +3735,7 @@ inputs: playbookInputQuery: outputs: [] tests: -- Phishing v3 - Get Original Email + Search & Delete - Test +- playbook-checkEmailAuthenticity-test - Phishing v3 - DomainSquatting+EML+MaliciousIndicators - Test +- Phishing v3 - Get Original Email + Search & Delete - Test fromversion: 6.5.0 diff --git a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml index 1366449e174d..76fbafbe52a7 100644 --- a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml +++ b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml @@ -48,6 +48,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '1': id: '1' taskid: aa7ddce2-5a85-46fe-8e35-6c4ebbe62059 @@ -87,12 +88,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '2': id: '2' - taskid: 1b16e2d5-3ef1-45ad-8e0d-d4aa1f2df746 + taskid: 2d5a394a-96eb-4d6c-8228-0118f1a8e1f9 type: regular task: - id: 1b16e2d5-3ef1-45ad-8e0d-d4aa1f2df746 + id: 2d5a394a-96eb-4d6c-8228-0118f1a8e1f9 version: -1 name: Add original email details to context description: Sets the details of the email that was forwarded under the email context key. Also saves the HTML or email text to the email body section in the layout. 
@@ -123,12 +125,65 @@ tasks: - incidentfield: Rendered HTML output: complex: - root: inputs.EmailHtml + root: . transformers: - - operator: SetIfEmpty + - operator: If-Then-Else args: - applyIfEmpty: {} - defaultValue: + condition: + value: + simple: lhs==rhs + conditionB: + value: + simple: lhsB!=rhsB + conditionInBetween: + value: + simple: and + else: {} + equals: {} + lhs: + value: + simple: inputs.UseOldHTMLFields + iscontext: true + lhsB: + value: + simple: inputs.EmailHtml + iscontext: true + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: + value: + simple: inputs.EmailHtml + iscontext: true + - operator: If-Then-Else + args: + condition: + value: + simple: lhs==rhs + conditionB: + value: + simple: lhsB!=rhsB + conditionInBetween: {} + else: {} + equals: {} + lhs: + value: + simple: inputs.UseOldHTMLFields + iscontext: true + lhsB: + value: + simple: inputs.EmailText + iscontext: true + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: value: simple: inputs.EmailText iscontext: true @@ -136,6 +191,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '3': id: '3' taskid: 5802b254-fac3-4c94-8b2d-89038b4239e5 @@ -159,8 +215,6 @@ tasks: complex: root: inputs.EmailFileToExtract reputationcalc: 2 - results: - - AttachmentName separatecontext: false view: |- { @@ -176,6 +230,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '4': id: '4' taskid: d6c5b273-5d28-487a-8ccf-aefb1759d1f5 @@ -246,6 +301,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '5': id: '5' taskid: b50d466b-3299-40c7-8ba4-e18f05bb0d3c @@ -287,6 +343,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '6': id: '6' taskid: 68d4779d-e845-4c51-8b7d-628f42bf4a96 
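Review bot: In the new `Rendered HTML` mapping of task `'2'`, the second `If-Then-Else` transformer runs on the output of the first and its `then` is `inputs.EmailText`, so whenever `inputs.UseOldHTMLFields` is `True` and `EmailText` is set, the text body appears to replace the HTML body the first transformer selected; the second patch in this series describes exactly this precedence problem. The second transformer also has `conditionInBetween: {}` while `conditionB` is filled in, unlike the first transformer's `simple: and`, so it is unclear whether `conditionB` is evaluated at all. Both transformers compare `inputs.UseOldHTMLFields` with the literal `"True"` via `lhs==rhs`; the input is free text, so a value such as `true` or `TRUE` would presumably disable the mapping silently, whereas the condition task added later in this series performs the same check with `ignorecase: true`. The same construction is repeated in the `emailbodyhtml` and `renderedhtml` mappings of task `'19'` (`@@ -522,10 +583,32 @@` and `@@ -671,13 +762,69 @@`), whose enclosing task starts and ends outside those hunks.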
@@ -314,6 +371,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '11': id: '11' taskid: 02bb525c-7801-4a05-8368-323b10f7bc4d @@ -344,6 +402,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '16': id: '16' taskid: 1e92b0fe-4a08-4667-856d-8393f0f18b58 @@ -409,6 +468,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '18': id: '18' taskid: 5d4f7213-dbe7-4a40-8960-f177324ac530 @@ -450,12 +510,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '19': id: '19' - taskid: f9acc75d-f15f-4e8f-8744-c3420b86bcc4 + taskid: 1e6ab05a-d0ce-4847-8d2a-e50433d904f7 type: regular task: - id: f9acc75d-f15f-4e8f-8744-c3420b86bcc4 + id: 1e6ab05a-d0ce-4847-8d2a-e50433d904f7 version: -1 name: Display email information in layout description: Updates Cortex XSOAR incident fields using data from the email object. @@ -522,10 +583,32 @@ tasks: accessor: BodyFormat emailbodyhtml: complex: - root: Email - accessor: HTML + root: . transformers: - - operator: Stringify + - operator: If-Then-Else + args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + value: + simple: inputs.UseOldHTMLFields + iscontext: true + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: + value: + simple: Email.HTML + iscontext: true emailcc: complex: root: Email @@ -549,7 +632,15 @@ tasks: root: Email accessor: HTML transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: Email.Text + iscontext: true - operator: uniq + - operator: Stringify emailimage: complex: root: Email 
@@ -671,13 +762,69 @@ tasks: root: EmailUrlClicked renderedhtml: complex: - root: Email - accessor: HTML + root: . transformers: - - operator: SetIfEmpty + - operator: If-Then-Else args: - applyIfEmpty: {} - defaultValue: + condition: + value: + simple: lhs==rhs + conditionB: + value: + simple: lhsB!=rhsB + conditionInBetween: + value: + simple: and + else: + value: + simple: . + equals: {} + lhs: + value: + simple: inputs.UseOldHTMLFields + iscontext: true + lhsB: + value: + simple: Email.HTML + iscontext: true + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: + value: + simple: Email.HTML + iscontext: true + - operator: If-Then-Else + args: + condition: + value: + simple: lhs==rhs + conditionB: + value: + simple: lhsB==rhsB + conditionInBetween: + value: + simple: and + else: {} + equals: {} + lhs: + value: + simple: inputs.UseOldHTMLFields + iscontext: true + lhsB: + value: + simple: Email.HTML + iscontext: true + options: {} + optionsB: {} + rhs: + value: + simple: "True" + rhsB: {} + then: value: simple: Email.Text iscontext: true @@ -746,6 +893,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '20': id: '20' taskid: 293d898d-dc20-44ff-81bd-81ebb1056023 @@ -792,6 +940,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '21': id: '21' taskid: 0388326d-fb71-4386-8a1f-b9e33eb70242 @@ -843,6 +992,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '22': id: '22' taskid: 6bb8388f-977a-4fd5-83c0-c62843fc8857 
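Review bot: In the `renderedhtml` mapping the first transformer's `else` is `simple: .` while every other `else` on this page is `{}`; whether `.` is treated as a pass-through of the current value or as a literal dot should be confirmed, since in the latter case the field would be set to `.` when `inputs.UseOldHTMLFields` is not `True`. The second transformer returns `{}` unless `inputs.UseOldHTMLFields` is `True` and `Email.HTML` is empty, which appears to discard the `Email.HTML` value the first transformer just selected in the common case where HTML exists. If the intent is "HTML, else text", a single transformer with `then: Email.HTML` and `else: Email.Text` would express it without the chained dependency; the following commit in this series reworks this mapping. The enclosing task `'19'` starts and ends outside this hunk.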
@@ -874,12 +1024,13 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '23': id: '23' - taskid: 24798019-cf27-4fbd-8f2d-e1443ede01e5 + taskid: 8398a7c0-fb88-4a69-83fc-3493ea024fa3 type: condition task: - id: 24798019-cf27-4fbd-8f2d-e1443ede01e5 + id: 8398a7c0-fb88-4a69-83fc-3493ea024fa3 version: -1 name: Are there any files in the incident? description: Checks whether the incident contains any kind of file. @@ -902,6 +1053,8 @@ tasks: root: inputs.File accessor: EntryID iscontext: true + right: + value: {} view: |- { "position": { @@ -916,6 +1069,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '24': id: '24' taskid: 73335578-482c-4f91-8d4c-dde807dbd8cf @@ -953,6 +1107,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '25': id: '25' taskid: 609256a1-714e-42d2-83f9-a245b903ddd4 @@ -988,6 +1143,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '26': id: '26' taskid: fc7c93bd-a76d-4329-804e-9e36a56e6d0f @@ -1043,6 +1199,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '27': id: '27' taskid: cb1897a4-77db-478e-83de-5cfd82749846 @@ -1103,6 +1260,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '28': id: '28' taskid: fd5a4fa8-7edb-4342-88fe-b842a41906f8 @@ -1163,6 +1321,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '29': id: '29' taskid: 48d7ce37-ace0-433c-86d9-5ec0e75982a5 @@ -1223,6 +1382,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '30': id: '30' taskid: e3200e4e-7fbe-45cd-89c8-6f76b32cf65f 
@@ -1283,6 +1443,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '31': id: '31' taskid: 5c020da7-dd25-41dd-8208-c24d0c28c941 @@ -1343,6 +1504,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '32': id: '32' taskid: b01edbd3-8f20-4abf-8344-7b28dddc35f9 @@ -1388,6 +1550,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '33': id: '33' taskid: 06309202-bd36-411d-85fb-026d39e3767c @@ -1426,6 +1589,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '34': id: '34' taskid: 9e32420a-cbe7-44aa-892e-5112ba7364a2 @@ -1487,6 +1651,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '36': id: '36' taskid: efef13c9-b8f6-49e4-8fd8-a51c5c664481 @@ -1526,6 +1691,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '37': id: '37' taskid: 5ce226b3-dafb-4503-867a-453e0326b7d4 @@ -1572,6 +1738,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '38': id: '38' taskid: 92eff262-ab72-45d1-8ce0-b5a353ee0599 @@ -1654,6 +1821,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '39': id: '39' taskid: 9f007781-ed52-47a4-8ee6-4714d5be06ca @@ -1696,6 +1864,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '40': id: '40' taskid: fd58d739-4b2b-4b54-881d-403a91126651 @@ -1739,6 +1908,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '41': id: '41' taskid: b0f67d11-6da9-4d36-8d1c-6ad107972fbe @@ -1806,6 +1976,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '42': id: '42' taskid: cf61d30f-5608-4e1f-884d-8b53c3a987d9 
@@ -1895,6 +2066,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '43': id: '43' taskid: 4696b16c-670b-44f6-8595-1d6e09016766 @@ -1935,6 +2107,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '44': id: '44' taskid: be817d7a-f6d7-482f-84a1-b9d734af50cf @@ -1971,6 +2144,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '45': id: '45' taskid: 4df560a8-e403-4170-84d5-e56a1a92b871 @@ -2005,6 +2179,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '46': id: '46' taskid: fa6dfbef-a424-47eb-80a7-0b06238025e7 @@ -2041,6 +2216,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '47': id: '47' taskid: ce085c9a-03b6-4155-8755-ea1d3d9744b3 @@ -2077,6 +2253,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '48': id: '48' taskid: c455a74c-0b75-4448-8f83-9b26622f9da0 @@ -2107,6 +2284,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '49': id: '49' taskid: bb94119b-622f-4098-873c-9a52e65b8540 @@ -2137,6 +2315,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '50': id: '50' taskid: 6a08d29d-324b-4451-85c6-d1711c01a651 @@ -2167,6 +2346,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '55': id: '55' taskid: d92b905f-b6f6-408c-896b-6910ed0f9251 @@ -2226,6 +2406,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" '56': id: '56' taskid: 6ed6697b-5d7a-4700-8b04-41bf375be00f @@ -2237,7 +2418,6 @@ tasks: type: condition iscommand: false brand: '' - description: '' nexttasks: '#default#': - '6' 
@@ -2271,32 +2451,6 @@ tasks: iscontext: true right: value: {} - - - operator: isExists - left: - value: - complex: - root: modules - filters: - - - operator: isEqualString - left: - value: - simple: modules.brand - iscontext: true - right: - value: - simple: Core REST API - ignorecase: true - - - operator: isEqualString - left: - value: - simple: modules.state - iscontext: true - right: - value: - simple: active - ignorecase: true - accessor: brand - iscontext: true continueonerrortype: "" view: |- { @@ -2342,6 +2496,7 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerrortype: "" system: true view: |- { @@ -2509,6 +2664,17 @@ inputs: Outer file: The file at the first level is parsed. All files: All files are parsed. Do not use this option in the phishing playbook, as there should only be one phishing email per playbook run. playbookInputQuery: +- key: UseOldHTMLFields + value: + simple: "True" + required: false + description: |- + This input is used to preserve backward-compatibility. It determines whether the playbook should set email fields that are no longer being used in the out-of-the-box content. + If set to True, the playbook will save data into the the "Email Body HTML" and "Rendered HTML" incident fields. + If set to False, the playbook will not save data into those fields, and will simply be using the Email HTML field. + If you are ingesting large emails which are causing issues with large amounts of data being saved into incident fields, you should set the value to False. + We recommend setting the value to False unless you are certain that you need the "Email Body HTML" and "Rendered HTML" incident fields. + playbookInputQuery: outputs: - contextPath: Email.HTML description: The email HTML body if it exists. 
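Review bot: The `isExists` check on `modules` filtered to a `Core REST API` instance in state `active` is dropped from task `'56'`'s condition with no replacement visible in the hunk, so the branch that this clause previously gated now runs on the remaining `isExists` check alone. If any task on that branch still depends on the Core REST API integration (not visible here), the playbook will now fail at that task instead of taking the `'#default#'` path to task `'6'`; if the dependency was removed elsewhere in this commit, a sentence in the description would make that clear. The enclosing `conditions` block starts before this hunk.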
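Review bot: The new `UseOldHTMLFields` input description has a doubled word in `into the the "Email Body HTML"`, and it does not say which spellings are accepted even though the value is compared against the literal `"True"` in the task `'2'` and `'19'` transformers. Suggest `If set to True, the playbook will save data into the "Email Body HTML" and "Rendered HTML" incident fields.` plus a closing line such as `Accepted values: True or False (the value is compared as a string).` so that users do not type `true` and get the old-field mapping disabled without any error.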
@@ -2544,6 +2710,6 @@ outputs: description: The file object. type: string tests: -- Phishing v3 - Get Original Email + Search & Delete - Test - Phishing v3 - DomainSquatting+EML+MaliciousIndicators - Test -fromversion: 6.0.0 \ No newline at end of file +- Phishing v3 - Get Original Email + Search & Delete - Test +fromversion: 6.0.0 From 49785fecb3d0b2456110816ca046a8f9d3aa808b Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 16 May 2023 16:41:48 +0300 Subject: [PATCH 02/22] Fixed and simplified process email (previously there was a problem where Email.Text would take precedence over Email.HTML if we keep the old fields) --- .../Playbooks/Process_Email_-_Generic_v2.yml | 1467 +++++++++++------ 1 file changed, 951 insertions(+), 516 deletions(-) diff --git a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml index 76fbafbe52a7..f8686707a42e 100644 --- a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml +++ b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml @@ -89,109 +89,6 @@ tasks: isoversize: false isautoswitchedtoquietmode: false continueonerrortype: "" - '2': - id: '2' - taskid: 2d5a394a-96eb-4d6c-8228-0118f1a8e1f9 - type: regular - task: - id: 2d5a394a-96eb-4d6c-8228-0118f1a8e1f9 - version: -1 - name: Add original email details to context - description: Sets the details of the email that was forwarded under the email context key. Also saves the HTML or email text to the email body section in the layout. - scriptName: Set - type: regular - iscommand: false - brand: '' - nexttasks: - '#none#': - - '11' - scriptarguments: - key: - simple: Email - value: - simple: "${inputs={To: val['Email'], CC: val['EmailCC'], 
From: val['EmailFrom'], Subject: val['EmailSubject'], Text: val['EmailText'], HTML: val['EmailHtml'], Headers: val['EmailHeaders'], Format: val['EmailFormat']}}" - separatecontext: false - view: |- - { - "position": { - "x": -470, - "y": 2960 - } - } - note: false - timertriggers: [] - ignoreworker: false - fieldMapping: - - incidentfield: Rendered HTML - output: - complex: - root: . - transformers: - - operator: If-Then-Else - args: - condition: - value: - simple: lhs==rhs - conditionB: - value: - simple: lhsB!=rhsB - conditionInBetween: - value: - simple: and - else: {} - equals: {} - lhs: - value: - simple: inputs.UseOldHTMLFields - iscontext: true - lhsB: - value: - simple: inputs.EmailHtml - iscontext: true - options: {} - optionsB: {} - rhs: - value: - simple: "True" - rhsB: {} - then: - value: - simple: inputs.EmailHtml - iscontext: true - - operator: If-Then-Else - args: - condition: - value: - simple: lhs==rhs - conditionB: - value: - simple: lhsB!=rhsB - conditionInBetween: {} - else: {} - equals: {} - lhs: - value: - simple: inputs.UseOldHTMLFields - iscontext: true - lhsB: - value: - simple: inputs.EmailText - iscontext: true - options: {} - optionsB: {} - rhs: - value: - simple: "True" - rhsB: {} - then: - value: - simple: inputs.EmailText - iscontext: true - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - continueonerrortype: "" '3': id: '3' taskid: 5802b254-fac3-4c94-8b2d-89038b4239e5 @@ -290,8 +187,8 @@ tasks: view: |- { "position": { - "x": 290, - "y": 3500 + "x": 350, + "y": 3970 } } note: false @@ -332,8 +229,8 @@ tasks: view: |- { "position": { - "x": 50, - "y": 3720 + "x": 110, + "y": 4190 } } note: false @@ -360,8 +257,8 @@ tasks: view: |- { "position": { - "x": 290, - "y": 3950 + "x": 350, + "y": 4420 } } note: false @@ -391,8 +288,8 @@ tasks: view: |- { "position": { - "x": 290, - "y": 3370 + "x": 350, + "y": 3840 } } note: false 
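Review bot: Task `'2'` (`Add original email details to context`, the `Set` that builds the `Email` context from the playbook inputs for a forwarded email) is deleted outright, and no hunk on this page shows the `nexttasks` entries that pointed to `'2'` being updated or the `Email` context being populated another way. If the task was re-created under a new id further down (the diffstat's 951 insertions suggest a large rework), that is fine, but the predecessor references should be checked; otherwise the path that does not go through email-file parsing would lose the `Email` context that later tasks read. The commit subject only mentions the Email.Text/Email.HTML precedence fix, so a sentence on why this task is removed or moved would help.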
@@ -513,403 +410,66 @@ tasks: continueonerrortype: "" '19': id: '19' - taskid: 1e6ab05a-d0ce-4847-8d2a-e50433d904f7 + taskid: 22392e6a-e7ba-455a-81c5-6b6a188812c1 + type: condition + task: + id: 22392e6a-e7ba-455a-81c5-6b6a188812c1 + version: -1 + name: Keep backward-compatibility? + description: Whether to keep this sub-playbook backward-compatible in terms of the incident fields being set. Opting out will result in the Rendered HTML and Email Body HTML not being set, and the Email HTML field will be used instead. + type: condition + iscommand: false + brand: Builtin + nexttasks: + '#default#': + - "68" + "yes": + - "66" + separatecontext: false + view: |- + { + "position": { + "x": 920, + "y": 3200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UseOldHTMLFields + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + '20': + id: '20' + taskid: 293d898d-dc20-44ff-81bd-81ebb1056023 type: regular task: - id: 1e6ab05a-d0ce-4847-8d2a-e50433d904f7 + id: 293d898d-dc20-44ff-81bd-81ebb1056023 version: -1 - name: Display email information in layout - description: Updates Cortex XSOAR incident fields using data from the email object. - script: Builtin|||setIncident + name: Display email headers in layout - Email.Headers + description: Fills the "Email Headers" field in the incident layout with the retrieved email headers. 
+ scriptName: SetGridField type: regular - iscommand: true - brand: Builtin + iscommand: false + brand: '' nexttasks: '#none#': - - '11' - - '57' - scriptarguments: - attachmentcount: - complex: - root: Email - accessor: | - Attachment.Count - attachmentextension: - complex: - root: Email - accessor: Attachment.Extension - attachmenthash: - complex: - root: Email - accessor: Attachment.Hash - attachmentid: - complex: - root: Email - accessor: Attachment.ID - attachmentitem: - complex: - root: Email - accessor: Attachment.Item - attachmentname: - complex: - root: Email - accessor: Attachment.Name - attachmentsize: - complex: - root: Email - accessor: Attachment.Size - attachmenttype: - complex: - root: Email - accessor: Attachment.Type - deleteEmptyField: - simple: 'True' - emailbcc: - complex: - root: Email - accessor: HeadersMap.BCC - transformers: - - operator: uniq - - operator: Stringify - emailbody: - complex: - root: Email - accessor: Text - transformers: - - operator: Stringify - emailbodyformat: - complex: - root: Email - accessor: BodyFormat - emailbodyhtml: - complex: - root: . 
- transformers: - - operator: If-Then-Else - args: - condition: - value: - simple: lhs==rhs - conditionB: {} - conditionInBetween: {} - else: {} - equals: {} - lhs: - value: - simple: inputs.UseOldHTMLFields - iscontext: true - lhsB: {} - options: {} - optionsB: {} - rhs: - value: - simple: "True" - rhsB: {} - then: - value: - simple: Email.HTML - iscontext: true - emailcc: - complex: - root: Email - accessor: CC - transformers: - - operator: uniq - - operator: Stringify - emailclientname: - complex: - root: Email - accessor: ClientName - emailfrom: - complex: - root: Email - accessor: From - transformers: - - operator: uniq - - operator: Stringify - emailhtml: - complex: - root: Email - accessor: HTML - transformers: - - operator: SetIfEmpty - args: - applyIfEmpty: {} - defaultValue: - value: - simple: Email.Text - iscontext: true - - operator: uniq - - operator: Stringify - emailimage: - complex: - root: Email - accessor: Image - emailinreplyto: - complex: - root: Email - accessor: InReplyTo - emailkeywords: - complex: - root: Email - accessor: Keywords - emailmessageid: - complex: - root: incident.emailheaders - filters: - - - operator: isEqualString - left: - value: - simple: incident.emailheaders.headername - iscontext: true - right: - value: - simple: Message-ID - accessor: headervalue - transformers: - - operator: uniq - emailrecipientscount: - complex: - root: Email - accessor: To - transformers: - - operator: uniq - - operator: split - args: - delimiter: - value: - simple: ',' - - operator: count - emailreplyto: - complex: - root: incident.emailheaders - filters: - - - operator: isEqualString - left: - value: - simple: incident.emailheaders.headername - iscontext: true - right: - value: - simple: Reply-To - accessor: headervalue - transformers: - - operator: uniq - emailreturnpath: - complex: - root: incident.emailheaders - filters: - - - operator: isEqualString - left: - value: - simple: incident.emailheaders.headername - iscontext: true - right: - value: 
- simple: Return-Path - accessor: headervalue - transformers: - - operator: uniq - emailsenderip: - complex: - root: Email - accessor: SenderIP - transformers: - - operator: uniq - emailsize: - complex: - root: Email - accessor: Size - transformers: - - operator: uniq - emailsource: - complex: - root: Email - accessor: Source - transformers: - - operator: uniq - emailsubject: - complex: - root: Email - accessor: Subject - transformers: - - operator: uniq - - operator: Stringify - emailto: - complex: - root: Email - accessor: To - transformers: - - operator: uniq - - operator: join - args: - separator: - value: - simple: ',' - emailtocount: - complex: - root: Email - accessor: To - transformers: - - operator: uniq - - operator: split - args: - delimiter: - value: {} - - operator: count - emailurlclicked: - complex: - root: EmailUrlClicked - renderedhtml: - complex: - root: . - transformers: - - operator: If-Then-Else - args: - condition: - value: - simple: lhs==rhs - conditionB: - value: - simple: lhsB!=rhsB - conditionInBetween: - value: - simple: and - else: - value: - simple: . 
- equals: {} - lhs: - value: - simple: inputs.UseOldHTMLFields - iscontext: true - lhsB: - value: - simple: Email.HTML - iscontext: true - options: {} - optionsB: {} - rhs: - value: - simple: "True" - rhsB: {} - then: - value: - simple: Email.HTML - iscontext: true - - operator: If-Then-Else - args: - condition: - value: - simple: lhs==rhs - conditionB: - value: - simple: lhsB==rhsB - conditionInBetween: - value: - simple: and - else: {} - equals: {} - lhs: - value: - simple: inputs.UseOldHTMLFields - iscontext: true - lhsB: - value: - simple: Email.HTML - iscontext: true - options: {} - optionsB: {} - rhs: - value: - simple: "True" - rhsB: {} - then: - value: - simple: Email.Text - iscontext: true - reportedemailcc: - complex: - root: Email - accessor: CC - transformers: - - operator: uniq - - operator: Stringify - reportedemailfrom: - complex: - root: Email - accessor: From - transformers: - - operator: uniq - - operator: Stringify - reportedemailmessageid: - complex: - root: incident.emailheaders - filters: - - - operator: isEqualString - left: - value: - simple: incident.emailheaders.headername - iscontext: true - right: - value: - simple: Message-ID - accessor: headervalue - transformers: - - operator: uniq - reportedemailorigin: - complex: - root: ReportedEmailOrigin - reportedemailsubject: - complex: - root: Email - accessor: Subject - transformers: - - operator: uniq - - operator: Stringify - reportedemailto: - complex: - root: Email - accessor: To - transformers: - - operator: uniq - - operator: join - args: - separator: - value: - simple: ',' - separatecontext: false - view: |- - { - "position": { - "x": 920, - "y": 3200 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - continueonerrortype: "" - '20': - id: '20' - taskid: 293d898d-dc20-44ff-81bd-81ebb1056023 - type: regular - task: - id: 293d898d-dc20-44ff-81bd-81ebb1056023 - version: -1 - name: 
Display email headers in layout - Email.Headers - description: Fills the "Email Headers" field in the incident layout with the retrieved email headers. - scriptName: SetGridField - type: regular - iscommand: false - brand: '' - nexttasks: - '#none#': - - '19' + - '19' scriptarguments: columns: simple: headername,headervalue @@ -955,7 +515,7 @@ tasks: brand: '' nexttasks: '#default#': - - '2' + - "63" Headers: - '20' HeadersMap: @@ -2160,7 +1720,7 @@ tasks: brand: Builtin nexttasks: '#none#': - - '2' + - "63" scriptarguments: reportedemailorigin: simple: None @@ -2395,8 +1955,8 @@ tasks: view: |- { "position": { - "x": 1400, - "y": 3700 + "x": 1460, + "y": 4170 } } note: false @@ -2455,8 +2015,8 @@ tasks: view: |- { "position": { - "x": 1400, - "y": 3520 + "x": 1460, + "y": 3990 } } note: false 
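Review bot: The new condition task "19" is written with `brand: Builtin`, whereas its twin condition "63" added in the same commit (and every other condition task in this file) uses `brand: ""`; this looks like a leftover from the setIncident task that "19" replaced rather than an intended difference, and should read `brand: ""`. The two conditions also carry an identical `name`/`description` pair, so a future edit to the wording has to be made twice. Task '20', whose `nexttasks` is retargeted at the bottom of this hunk, continues past the hunk.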
@@ -2485,34 +2045,909 @@ tasks: view: |- { "position": { - "x": 1400, - "y": 3370 + "x": 1460, + "y": 3840 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + continueonerrortype: "" + "59": + id: "59" + taskid: 091bf8a2-8d3f-4b57-8179-98c2b22565f4 + type: title + task: + id: 091bf8a2-8d3f-4b57-8179-98c2b22565f4 + version: -1 + name: Keep Old Field Mapping + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "60" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -940, + "y": 3020 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "60": + id: "60" + taskid: 1e874c19-fbe3-4f87-805f-5ca7a2c8fed8 + type: regular + task: + id: 1e874c19-fbe3-4f87-805f-5ca7a2c8fed8 + version: -1 + name: Add original email details to context + description: Sets the details of the email that was forwarded under the email context key. Also saves the HTML or email text to the email body section in the layout. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + key: + simple: Email + value: + simple: '${inputs={To: val[''Email''], CC: val[''EmailCC''], 
From: val[''EmailFrom''], Subject: val[''EmailSubject''], Text: val[''EmailText''], HTML: val[''EmailHtml''], Headers: val[''EmailHeaders''], Format: val[''EmailFormat'']}}' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -940, + "y": 3160 } } note: false timertriggers: [] ignoreworker: false + fieldMapping: + - incidentfield: Rendered HTML + output: + complex: + root: inputs.EmailHtml + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: inputs.EmailText + iscontext: true skipunavailable: false quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + "61": + id: "61" + taskid: 7fb9c52d-f820-4875-84e5-10d5bd448afc + type: title + task: + id: 7fb9c52d-f820-4875-84e5-10d5bd448afc + version: -1 + name: No Field Mapping + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "62" + separatecontext: false continueonerrortype: "" + view: |- + { + "position": { + "x": -500, + "y": 3025 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "62": + id: "62" + taskid: 3a7de419-9074-45ec-8509-c0c20db5d21f + type: regular + task: + id: 3a7de419-9074-45ec-8509-c0c20db5d21f + version: -1 + name: Add original email details to context + description: Sets the details of the email that was forwarded under the email context key. Also saves the HTML or email text to the email body section in the layout. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + key: + simple: Email + value: + simple: '${inputs={To: val[''Email''], CC: val[''EmailCC''], 
From: val[''EmailFrom''], Subject: val[''EmailSubject''], Text: val[''EmailText''], HTML: val[''EmailHtml''], Headers: val[''EmailHeaders''], Format: val[''EmailFormat'']}}' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -500, + "y": 3160 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "63": + id: "63" + taskid: 2b2898ad-5e86-4522-8c82-9563ea1c68ad + type: condition + task: + id: 2b2898ad-5e86-4522-8c82-9563ea1c68ad + version: -1 + name: Keep backward-compatibility? + description: Whether to keep this sub-playbook backward-compatible in terms of the incident fields being set. Opting out will result in the Rendered HTML and Email Body HTML not being set, and the Email HTML field will be used instead. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "61" + "yes": + - "59" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.UseOldHTMLFields + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": -710, + "y": 2840 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "65": + id: "65" + taskid: d7d180f3-26e2-4e14-8843-9ea46c71764e + type: regular + task: + id: d7d180f3-26e2-4e14-8843-9ea46c71764e + version: -1 + name: Display email information in layout + description: Updates Cortex XSOAR incident fields using data from the email object. 
+ script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "69" + scriptarguments: + attachmentcount: + complex: + root: Email + accessor: | + Attachment.Count + attachmentextension: + complex: + root: Email + accessor: Attachment.Extension + attachmenthash: + complex: + root: Email + accessor: Attachment.Hash + attachmentid: + complex: + root: Email + accessor: Attachment.ID + attachmentitem: + complex: + root: Email + accessor: Attachment.Item + attachmentname: + complex: + root: Email + accessor: Attachment.Name + attachmentsize: + complex: + root: Email + accessor: Attachment.Size + attachmenttype: + complex: + root: Email + accessor: Attachment.Type + deleteEmptyField: + simple: "True" + emailbcc: + complex: + root: Email + accessor: HeadersMap.BCC + transformers: + - operator: uniq + - operator: Stringify + emailbody: + complex: + root: Email + accessor: Text + transformers: + - operator: Stringify + emailbodyformat: + complex: + root: Email + accessor: BodyFormat + emailcc: + complex: + root: Email + accessor: CC + transformers: + - operator: uniq + - operator: Stringify + emailclientname: + complex: + root: Email + accessor: ClientName + emailfrom: + complex: + root: Email + accessor: From + transformers: + - operator: uniq + - operator: Stringify + emailhtml: + complex: + root: Email + accessor: HTML + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: Email.Text + iscontext: true + - operator: uniq + - operator: Stringify + emailimage: + complex: + root: Email + accessor: Image + emailinreplyto: + complex: + root: Email + accessor: InReplyTo + emailkeywords: + complex: + root: Email + accessor: Keywords + emailmessageid: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Message-ID + accessor: headervalue + 
transformers: + - operator: uniq + emailrecipientscount: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: split + args: + delimiter: + value: + simple: ',' + - operator: count + emailreplyto: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Reply-To + accessor: headervalue + transformers: + - operator: uniq + emailreturnpath: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Return-Path + accessor: headervalue + transformers: + - operator: uniq + emailsenderip: + complex: + root: Email + accessor: SenderIP + transformers: + - operator: uniq + emailsize: + complex: + root: Email + accessor: Size + transformers: + - operator: uniq + emailsource: + complex: + root: Email + accessor: Source + transformers: + - operator: uniq + emailsubject: + complex: + root: Email + accessor: Subject + transformers: + - operator: uniq + - operator: Stringify + emailto: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: join + args: + separator: + value: + simple: ',' + emailtocount: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: split + args: + delimiter: + value: {} + - operator: count + emailurlclicked: + complex: + root: EmailUrlClicked + reportedemailcc: + complex: + root: Email + accessor: CC + transformers: + - operator: uniq + - operator: Stringify + reportedemailfrom: + complex: + root: Email + accessor: From + transformers: + - operator: uniq + - operator: Stringify + reportedemailmessageid: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Message-ID 
+ accessor: headervalue + transformers: + - operator: uniq + reportedemailorigin: + complex: + root: ReportedEmailOrigin + reportedemailsubject: + complex: + root: Email + accessor: Subject + transformers: + - operator: uniq + - operator: Stringify + reportedemailto: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: join + args: + separator: + value: + simple: ',' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1150, + "y": 3510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "66": + id: "66" + taskid: 7c6361e7-81a8-4b08-80f5-b1f143c6c134 + type: title + task: + id: 7c6361e7-81a8-4b08-80f5-b1f143c6c134 + version: -1 + name: Keep Old Fields + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "67" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 670, + "y": 3380 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "67": + id: "67" + taskid: 62df369f-0409-4abd-820f-66fba1520ded + type: regular + task: + id: 62df369f-0409-4abd-820f-66fba1520ded + version: -1 + name: Display email information in layout + description: Updates Cortex XSOAR incident fields using data from the email object. 
+ script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "69" + scriptarguments: + attachmentcount: + complex: + root: Email + accessor: | + Attachment.Count + attachmentextension: + complex: + root: Email + accessor: Attachment.Extension + attachmenthash: + complex: + root: Email + accessor: Attachment.Hash + attachmentid: + complex: + root: Email + accessor: Attachment.ID + attachmentitem: + complex: + root: Email + accessor: Attachment.Item + attachmentname: + complex: + root: Email + accessor: Attachment.Name + attachmentsize: + complex: + root: Email + accessor: Attachment.Size + attachmenttype: + complex: + root: Email + accessor: Attachment.Type + deleteEmptyField: + simple: "True" + emailbcc: + complex: + root: Email + accessor: HeadersMap.BCC + transformers: + - operator: uniq + - operator: Stringify + emailbody: + complex: + root: Email + accessor: Text + transformers: + - operator: Stringify + emailbodyformat: + complex: + root: Email + accessor: BodyFormat + emailbodyhtml: + complex: + root: Email + accessor: HTML + transformers: + - operator: Stringify + emailcc: + complex: + root: Email + accessor: CC + transformers: + - operator: uniq + - operator: Stringify + emailclientname: + complex: + root: Email + accessor: ClientName + emailfrom: + complex: + root: Email + accessor: From + transformers: + - operator: uniq + - operator: Stringify + emailhtml: + complex: + root: Email + accessor: HTML + transformers: + - operator: uniq + emailimage: + complex: + root: Email + accessor: Image + emailinreplyto: + complex: + root: Email + accessor: InReplyTo + emailkeywords: + complex: + root: Email + accessor: Keywords + emailmessageid: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Message-ID + accessor: headervalue + transformers: + - operator: uniq + 
emailrecipientscount: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: split + args: + delimiter: + value: + simple: ',' + - operator: count + emailreplyto: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Reply-To + accessor: headervalue + transformers: + - operator: uniq + emailreturnpath: + complex: + root: incident.emailheaders + filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Return-Path + accessor: headervalue + transformers: + - operator: uniq + emailsenderip: + complex: + root: Email + accessor: SenderIP + transformers: + - operator: uniq + emailsize: + complex: + root: Email + accessor: Size + transformers: + - operator: uniq + emailsource: + complex: + root: Email + accessor: Source + transformers: + - operator: uniq + emailsubject: + complex: + root: Email + accessor: Subject + transformers: + - operator: uniq + - operator: Stringify + emailto: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: join + args: + separator: + value: + simple: ',' + emailtocount: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: split + args: + delimiter: + value: {} + - operator: count + emailurlclicked: + complex: + root: EmailUrlClicked + renderedhtml: + complex: + root: Email + accessor: HTML + transformers: + - operator: SetIfEmpty + args: + applyIfEmpty: {} + defaultValue: + value: + simple: Email.Text + iscontext: true + reportedemailcc: + complex: + root: Email + accessor: CC + transformers: + - operator: uniq + - operator: Stringify + reportedemailfrom: + complex: + root: Email + accessor: From + transformers: + - operator: uniq + - operator: Stringify + reportedemailmessageid: + complex: + root: incident.emailheaders + 
filters: + - - operator: isEqualString + left: + value: + simple: incident.emailheaders.headername + iscontext: true + right: + value: + simple: Message-ID + accessor: headervalue + transformers: + - operator: uniq + reportedemailorigin: + complex: + root: ReportedEmailOrigin + reportedemailsubject: + complex: + root: Email + accessor: Subject + transformers: + - operator: uniq + - operator: Stringify + reportedemailto: + complex: + root: Email + accessor: To + transformers: + - operator: uniq + - operator: join + args: + separator: + value: + simple: ',' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 670, + "y": 3510 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "68": + id: "68" + taskid: 76f2dc82-4bf3-4e8d-8cdf-9c3320d600db + type: title + task: + id: 76f2dc82-4bf3-4e8d-8cdf-9c3320d600db + version: -1 + name: Don't Keep Old Fields + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "65" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1150, + "y": 3390 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "69": + id: "69" + taskid: 143f39f8-0851-4102-82c6-a03578ea2d4b + type: title + task: + id: 143f39f8-0851-4102-82c6-a03578ea2d4b + version: -1 + name: Continue + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "57" + - "11" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 920, + "y": 3690 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false system: true view: |- { "linkLabelsPosition": { + "19_66_yes": 0.52, + "19_68_#default#": 0.53, 
"23_24_yes": 0.49, "39_22_yes": 0.31, "41_3_#default#": 0.35, "41_42_yes": 0.5, "4_5_yes": 0.57, - "56_55_yes": 0.46 + "56_55_yes": 0.46, + "63_59_yes": 0.6, + "63_61_#default#": 0.58 }, "paper": { "dimensions": { - "height": 4525, - "width": 3800, - "x": -470, + "height": 4995, + "width": 4270, + "x": -940, "y": -510 } } @@ -2670,8 +3105,8 @@ inputs: required: false description: |- This input is used to preserve backward-compatibility. It determines whether the playbook should set email fields that are no longer being used in the out-of-the-box content. - If set to True, the playbook will save data into the the "Email Body HTML" and "Rendered HTML" incident fields. - If set to False, the playbook will not save data into those fields, and will simply be using the Email HTML field. + If set to True, the playbook will save data into the the "Email Body HTML" and "Rendered HTML" incident fields as it did before. + If set to False, the playbook will not save data into those fields, and will simply be using the Email HTML field instead. If you are ingesting large emails which are causing issues with large amounts of data being saved into incident fields, you should set the value to False. We recommend setting the value to False unless you are certain that you need the "Email Body HTML" and "Rendered HTML" incident fields. playbookInputQuery: From 4b90e8c41abd671f02c595e4997d1ebd3eae519a Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 16 May 2023 16:51:32 +0300 Subject: [PATCH 03/22] revert phishing playbook changes (no changes required) --- .../Playbooks/Phishing_-_Generic_v3_6_5.yml | 307 +++++++++--------- 1 file changed, 157 insertions(+), 150 deletions(-) diff --git a/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml b/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml index 318c1a239099..e3797587cbaf 100644 --- a/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml 
+++ b/Packs/Phishing/Playbooks/Phishing_-_Generic_v3_6_5.yml @@ -1,15 +1,17 @@ id: Phishing - Generic v3 version: -1 +contentitemexportablefields: + contentitemfields: {} name: Phishing - Generic v3 description: "This playbook investigates and remediates a potential phishing incident. It engages with the user who triggered the incident while investigating the incident itself.\n\nNote:\n- Final remediation tasks are manual by default. can be managed by \"SearchAndDelete\" and \"BlockIndicators\" inputs. \n- Do not rerun this playbook inside a phishing incident since it can produce an unexpected result. Create a new incident instead if needed." starttaskid: "0" tasks: "0": id: "0" - taskid: 35f6ed2f-b731-4575-8f52-4eafc9f77c63 + taskid: 1de7eceb-5dd5-43db-8427-7784a33e391c type: start task: - id: 35f6ed2f-b731-4575-8f52-4eafc9f77c63 + id: 1de7eceb-5dd5-43db-8427-7784a33e391c version: -1 name: "" iscommand: false @@ -36,10 +38,10 @@ tasks: isautoswitchedtoquietmode: false "2": id: "2" - taskid: acdfd24b-3c08-4ec1-8c89-09b63b1c8b4a + taskid: c2c89771-779e-4684-8d06-36481ab03848 type: regular task: - id: acdfd24b-3c08-4ec1-8c89-09b63b1c8b4a + id: c2c89771-779e-4684-8d06-36481ab03848 version: -1 name: Assign to analyst description: Assigns the incident to an analyst based on the analyst's organizational role. @@ -80,10 +82,10 @@ tasks: isautoswitchedtoquietmode: false "7": id: "7" - taskid: 3da2ddc3-729e-4b34-8533-e4559119063f + taskid: 412689a4-cf02-44b5-8e1e-d4ea0276b484 type: regular task: - id: 3da2ddc3-729e-4b34-8533-e4559119063f + id: 412689a4-cf02-44b5-8e1e-d4ea0276b484 version: -1 name: Manually review the incident description: Reviews the incident to determine if the email that the user reported is malicious. 
@@ -111,10 +113,10 @@ tasks: isautoswitchedtoquietmode: false "8": id: "8" - taskid: 0a552844-fef0-4417-8fad-6f919d1a052e + taskid: 9a70b41d-9fe0-4952-82db-caf5d5a1e4ba type: regular task: - id: 0a552844-fef0-4417-8fad-6f919d1a052e + id: 9a70b41d-9fe0-4952-82db-caf5d5a1e4ba version: -1 name: Close investigation description: Closes the investigation. @@ -144,10 +146,10 @@ tasks: isautoswitchedtoquietmode: false "11": id: "11" - taskid: dcba756b-965e-41e7-8f09-de690dcad03a + taskid: c9650f2b-6ef8-4496-8007-c1c7d247a382 type: title task: - id: dcba756b-965e-41e7-8f09-de690dcad03a + id: c9650f2b-6ef8-4496-8007-c1c7d247a382 version: -1 name: Triage type: title @@ -175,10 +177,10 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: 6d881b15-9d76-45fc-8a83-5559169a08e2 + taskid: ad3de6f3-b823-4cb4-8246-ded32b1417e0 type: regular task: - id: 6d881b15-9d76-45fc-8a83-5559169a08e2 + id: ad3de6f3-b823-4cb4-8246-ded32b1417e0 version: -1 name: Acknowledge incident was received description: | @@ -220,10 +222,10 @@ tasks: isautoswitchedtoquietmode: false "15": id: "15" - taskid: 41eca564-b3ea-4632-86b1-c2750672867c + taskid: 41bf9e09-118d-48c9-819a-ac9fa66faee0 type: condition task: - id: 41eca564-b3ea-4632-86b1-c2750672867c + id: 41bf9e09-118d-48c9-819a-ac9fa66faee0 version: -1 name: Is the email malicious? description: Determines if the email is malicious based on the calculated severity. @@ -264,10 +266,10 @@ tasks: isautoswitchedtoquietmode: false "16": id: "16" - taskid: 3835c90c-ac59-4d42-8512-2e5a89310723 + taskid: 30d7c68e-a84b-4fd7-828b-5318f43689fd type: regular task: - id: 3835c90c-ac59-4d42-8512-2e5a89310723 + id: 30d7c68e-a84b-4fd7-828b-5318f43689fd version: -1 name: Update the user that the reported email is safe description: Sends an email to the user explaining that the email they reported is safe. 
@@ -316,10 +318,10 @@ tasks: isautoswitchedtoquietmode: false "18": id: "18" - taskid: d23a63b3-0e82-4b91-8359-a4546d3b63cd + taskid: d7a28b1b-9555-4730-8b67-0d256043e5a5 type: title task: - id: d23a63b3-0e82-4b91-8359-a4546d3b63cd + id: d7a28b1b-9555-4730-8b67-0d256043e5a5 version: -1 name: Engage with User type: title @@ -347,10 +349,10 @@ tasks: isautoswitchedtoquietmode: false "22": id: "22" - taskid: 5dfcd048-15e0-44fa-8afd-5b70b856b6f4 + taskid: 61a095b2-22f4-4f7d-89fc-39bbeb814c1a type: playbook task: - id: 5dfcd048-15e0-44fa-8afd-5b70b856b6f4 + id: 61a095b2-22f4-4f7d-89fc-39bbeb814c1a version: -1 name: Detonate File - Generic playbookName: Detonate File - Generic @@ -379,10 +381,10 @@ tasks: isautoswitchedtoquietmode: false "26": id: "26" - taskid: b4fe1b06-1aef-4ba6-82ce-7d2972f0c792 + taskid: 21d6c60e-f099-4630-89ca-a4df4379e404 type: playbook task: - id: b4fe1b06-1aef-4ba6-82ce-7d2972f0c792 + id: 21d6c60e-f099-4630-89ca-a4df4379e404 version: -1 name: Process Email - Generic v2 description: | @@ -481,10 +483,10 @@ tasks: isautoswitchedtoquietmode: false "27": id: "27" - taskid: 8ea98a36-7ff8-4393-8c32-fbac48a940ec + taskid: 0afeccad-58a2-4c05-851f-e74e68e6b985 type: title task: - id: 8ea98a36-7ff8-4393-8c32-fbac48a940ec + id: 0afeccad-58a2-4c05-851f-e74e68e6b985 version: -1 name: Remediation type: title @@ -515,10 +517,10 @@ tasks: isautoswitchedtoquietmode: false "28": id: "28" - taskid: f31acf06-07a4-4a50-8aa5-7bb7b9827474 + taskid: 55bebeae-32f7-4c61-8034-9b616f6a4663 type: playbook task: - id: f31acf06-07a4-4a50-8aa5-7bb7b9827474 + id: 55bebeae-32f7-4c61-8034-9b616f6a4663 version: -1 name: Search And Delete Emails - Generic v2 description: 'This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense' 
@@ -608,10 +610,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "29":
 id: "29"
- taskid: 979eec3e-078f-41f7-8007-db12c60ae36b
+ taskid: c6980b2d-260a-4978-81c6-5ac79f5a6984
 type: title
 task:
- id: 979eec3e-078f-41f7-8007-db12c60ae36b
+ id: c6980b2d-260a-4978-81c6-5ac79f5a6984
 version: -1
 name: Done
 type: title
@@ -636,10 +638,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "30":
 id: "30"
- taskid: 7ad9bfc9-dbe1-44a7-8416-b3b49826132f
+ taskid: 8a0081a4-4e44-4e1c-80bc-13d9bdc89105
 type: title
 task:
- id: 7ad9bfc9-dbe1-44a7-8416-b3b49826132f
+ id: 8a0081a4-4e44-4e1c-80bc-13d9bdc89105
 version: -1
 name: Email Is Malicious
 type: title
@@ -667,10 +669,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "31":
 id: "31"
- taskid: b04e6322-402d-4d01-836b-76c74139c95c
+ taskid: 4d2efdea-5293-424e-8ba3-49c2192a83a4
 type: title
 task:
- id: b04e6322-402d-4d01-836b-76c74139c95c
+ id: 4d2efdea-5293-424e-8ba3-49c2192a83a4
 version: -1
 name: Undetermined
 type: title
@@ -698,10 +700,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "33":
 id: "33"
- taskid: 13ff12f2-695e-4a13-8f35-714e1bffeb23
+ taskid: 3945c2b1-79f8-4572-80b6-bde4a220f534
 type: condition
 task:
- id: 13ff12f2-695e-4a13-8f35-714e1bffeb23
+ id: 3945c2b1-79f8-4572-80b6-bde4a220f534
 version: -1
 name: Is the email malicious?
 description: Is the email that the user reported malicious?
@@ -731,10 +733,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "34":
 id: "34"
- taskid: bd51bc21-8579-491d-8d80-8c0173655957
+ taskid: 8f9cdca2-c3cc-408b-8fc8-7620f3ac65be
 type: regular
 task:
- id: bd51bc21-8579-491d-8d80-8c0173655957
+ id: 8f9cdca2-c3cc-408b-8fc8-7620f3ac65be
 version: -1
 name: Manually search & delete emails
 description: Search for and delete emails with similar attributes of the malicious email using your existing email platfrom. for example - EWS, Office 365, Gmail etc.
@@ -762,10 +764,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "36":
 id: "36"
- taskid: 5f22fd0a-2932-4314-8e29-1d41fbf217a1
+ taskid: 4b95ae6d-2db9-42d4-8139-83982d390d18
 type: condition
 task:
- id: 5f22fd0a-2932-4314-8e29-1d41fbf217a1
+ id: 4b95ae6d-2db9-42d4-8139-83982d390d18
 version: -1
 name: Should emails be searched and deleted?
 description: Checks whether the **SearchAndDelete** playbook input is set to True.
@@ -807,10 +809,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "39":
 id: "39"
- taskid: 83ca7497-1cf4-446b-8234-83b3c32a873e
+ taskid: cfd46b5e-ae0e-467f-8e2f-eb6ead60661d
 type: title
 task:
- id: 83ca7497-1cf4-446b-8234-83b3c32a873e
+ id: cfd46b5e-ae0e-467f-8e2f-eb6ead60661d
 version: -1
 name: Start Detection Timer
 type: title
@@ -841,10 +843,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "43":
 id: "43"
- taskid: a484ddea-b33f-4f56-8828-2beddb8923f9
+ taskid: da272c61-d18e-45bc-8a79-2fda9333e111
 type: title
 task:
- id: a484ddea-b33f-4f56-8828-2beddb8923f9
+ id: da272c61-d18e-45bc-8a79-2fda9333e111
 version: -1
 name: Stop Remediation Timer
 type: title
@@ -874,10 +876,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "52":
 id: "52"
- taskid: 903e3ea6-029d-441f-8cc7-458d66d04ba5
+ taskid: f65300dc-97c6-434d-8f0c-aae33d67b0f5
 type: title
 task:
- id: 903e3ea6-029d-441f-8cc7-458d66d04ba5
+ id: f65300dc-97c6-434d-8f0c-aae33d67b0f5
 version: -1
 name: Indicator Enrichment
 type: title
@@ -905,10 +907,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "53":
 id: "53"
- taskid: 194e2b52-c3a3-4bd1-8c33-c0c210023836
+ taskid: 79f50251-09d0-42cd-8f5a-ac394c04e9eb
 type: playbook
 task:
- id: 194e2b52-c3a3-4bd1-8c33-c0c210023836
+ id: 79f50251-09d0-42cd-8f5a-ac394c04e9eb
 version: -1
 name: Email Address Enrichment - Generic v2.1
 description: |-
@@ -957,10 +959,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "55":
 id: "55"
- taskid: 099a4d5b-9560-48b1-85bf-2df0295813b2
+ taskid: bb40f218-f28c-40a8-8708-6e04c5efe8ee
 type: playbook
 task:
- id: 099a4d5b-9560-48b1-85bf-2df0295813b2
+ id: bb40f218-f28c-40a8-8708-6e04c5efe8ee
 version: -1
 name: Extract Indicators From File - Generic v2
 description: |-
@@ -1003,10 +1005,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "56":
 id: "56"
- taskid: b8332f19-1dfa-473c-8c48-5d7d8a5ab004
+ taskid: 7dce4a68-0b0f-4dd2-8414-f1bae499705b
 type: title
 task:
- id: b8332f19-1dfa-473c-8c48-5d7d8a5ab004
+ id: 7dce4a68-0b0f-4dd2-8414-f1bae499705b
 version: -1
 name: Investigation
 type: title
@@ -1039,10 +1041,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "79":
 id: "79"
- taskid: ca2447a5-6fae-4d46-83c8-9549108c9779
+ taskid: 7d5430f6-05ad-43b0-8981-5ff4ca279b02
 type: condition
 task:
- id: ca2447a5-6fae-4d46-83c8-9549108c9779
+ id: 7d5430f6-05ad-43b0-8981-5ff4ca279b02
 version: -1
 name: Should the email be authenticated?
 description: Checks whether the email should be authenticated using DKIM, SPF, and DMARC. This checks if "AuthenticateEmail" output is set to "True" and if there are headers from an email to authenticate.
@@ -1091,10 +1093,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "80":
 id: "80"
- taskid: 270e4d47-68f5-4428-853e-3b0b82b1b023
+ taskid: 3199b5c9-d960-48cf-86a0-50f7ef9976c4
 type: title
 task:
- id: 270e4d47-68f5-4428-853e-3b0b82b1b023
+ id: 3199b5c9-d960-48cf-86a0-50f7ef9976c4
 version: -1
 name: Email Authenticity Check
 type: title
@@ -1122,10 +1124,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "82":
 id: "82"
- taskid: 2d9aa7c6-1b8d-416f-85ea-35ae740b9010
+ taskid: c8261d04-9c8d-4ea0-8c93-c63ce450c2b2
 type: regular
 task:
- id: 2d9aa7c6-1b8d-416f-85ea-35ae740b9010
+ id: c8261d04-9c8d-4ea0-8c93-c63ce450c2b2
 version: -1
 name: Authenticate email
 description: Checks the authenticity of an email based on the email's SPF, DMARC, and DKIM.
@@ -1165,10 +1167,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "83":
 id: "83"
- taskid: 4f28fe6e-126a-4493-886d-e6b17a77f972
+ taskid: 970b2c8f-2a4d-422e-838b-5b3789d31391
 type: regular
 task:
- id: 4f28fe6e-126a-4493-886d-e6b17a77f972
+ id: 970b2c8f-2a4d-422e-838b-5b3789d31391
 version: -1
 name: Save authenticity check result to incident field
 description: Saves the email authenticity verdict in an incident field.
@@ -1240,10 +1242,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "84":
 id: "84"
- taskid: c2570447-01e6-4f66-8a48-4c0edcca1dbe
+ taskid: e3764474-07ff-4c01-8f63-314ce3930612
 type: playbook
 task:
- id: c2570447-01e6-4f66-8a48-4c0edcca1dbe
+ id: e3764474-07ff-4c01-8f63-314ce3930612
 version: -1
 name: Calculate Severity - Generic v2
 playbookName: Calculate Severity - Generic v2
@@ -1272,10 +1274,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "85":
 id: "85"
- taskid: 53172145-5ff6-4e91-812b-600ac03e5708
+ taskid: 8a356572-82b3-4bcb-8d4c-3be1d7c9759c
 type: regular
 task:
- id: 53172145-5ff6-4e91-812b-600ac03e5708
+ id: 8a356572-82b3-4bcb-8d4c-3be1d7c9759c
 version: -1
 name: Save reporter email address in field
 description: Saves the email address of the email reporter in an incident field.
@@ -1313,10 +1315,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "88":
 id: "88"
- taskid: 4352ddf7-191e-4b2a-88f6-7acdb7a8761b
+ taskid: a559978b-ee2b-4aea-86a3-2e0e11792426
 type: title
 task:
- id: 4352ddf7-191e-4b2a-88f6-7acdb7a8761b
+ id: a559978b-ee2b-4aea-86a3-2e0e11792426
 version: -1
 name: Machine Learning
 type: title
@@ -1344,10 +1346,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "92":
 id: "92"
- taskid: 50ddb1ae-3a66-49db-8a8f-d20acfb9b92d
+ taskid: 2882a1aa-fa10-46a4-8433-63e9006a104b
 type: playbook
 task:
- id: 50ddb1ae-3a66-49db-8a8f-d20acfb9b92d
+ id: 2882a1aa-fa10-46a4-8433-63e9006a104b
 version: -1
 name: Entity Enrichment - Phishing v2
 description: Enrich entities using one or more integrations
@@ -1457,10 +1459,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "97":
 id: "97"
- taskid: 910e8765-b3b8-4838-8357-6f46998e84a7
+ taskid: 0e1be0d2-b53f-4906-82a3-45f5e9f7f1b1
 type: title
 task:
- id: 910e8765-b3b8-4838-8357-6f46998e84a7
+ id: 0e1be0d2-b53f-4906-82a3-45f5e9f7f1b1
 version: -1
 name: Block Indicators
 type: title
@@ -1488,10 +1490,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "98":
 id: "98"
- taskid: 6fbaaed5-2eab-4d4d-8ee2-50e4ab9e2fde
+ taskid: c76a7049-1448-41cd-8d9f-7a65be7ce808
 type: title
 task:
- id: 6fbaaed5-2eab-4d4d-8ee2-50e4ab9e2fde
+ id: c76a7049-1448-41cd-8d9f-7a65be7ce808
 version: -1
 name: Search & Delete Email
 type: title
@@ -1519,10 +1521,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "101":
 id: "101"
- taskid: e7b426e2-6807-4c28-80dc-ed3717db8e5a
+ taskid: c8231b7e-4ec4-4d15-838c-517280a1618c
 type: title
 task:
- id: e7b426e2-6807-4c28-80dc-ed3717db8e5a
+ id: c8231b7e-4ec4-4d15-838c-517280a1618c
 version: -1
 name: Email Campaign Search
 type: title
@@ -1550,10 +1552,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "126":
 id: "126"
- taskid: 755d4399-51db-4717-894c-e910edf1d7a9
+ taskid: 6bbdb96d-f6c3-40d5-8fae-9504691e0d01
 type: playbook
 task:
- id: 755d4399-51db-4717-894c-e910edf1d7a9
+ id: 6bbdb96d-f6c3-40d5-8fae-9504691e0d01
 version: -1
 name: Detect & Manage Phishing Campaigns
 description: |-
@@ -1596,10 +1598,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "131":
 id: "131"
- taskid: 3d5af7e8-0ccd-4988-8671-a8e6ada68fc5
+ taskid: facfcc4c-908f-43bb-820e-13ea738f5393
 type: title
 task:
- id: 3d5af7e8-0ccd-4988-8671-a8e6ada68fc5
+ id: facfcc4c-908f-43bb-820e-13ea738f5393
 version: -1
 name: Microsoft's Headers Check
 type: title
@@ -1627,10 +1629,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "132":
 id: "132"
- taskid: 932c677d-074b-482a-80c4-7d7a080b988a
+ taskid: a2c4cb6b-ebcd-4626-846d-8f7163f33ec2
 type: condition
 task:
- id: 932c677d-074b-482a-80c4-7d7a080b988a
+ id: a2c4cb6b-ebcd-4626-846d-8f7163f33ec2
 version: -1
 name: Check Microsoft's Headers?
 description: Whether to check Microsoft's proprietary email headers.
@@ -1671,10 +1673,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "133":
 id: "133"
- taskid: c176d816-7abb-4c4b-898f-4e6923552f95
+ taskid: 0adbc122-d00f-464b-84dc-0b9212e9615b
 type: playbook
 task:
- id: c176d816-7abb-4c4b-898f-4e6923552f95
+ id: 0adbc122-d00f-464b-84dc-0b9212e9615b
 version: -1
 name: Process Microsoft's Anti-Spam Headers
 description: "This playbook stores the SCL, BCL, and PCL scores if they exist to the associated incident fields (Phishing SCL Score, Phishing PCL Score, and Phishing BCL Score).\nIt also does the following:\n1) Sets the email classification to \"spam\" if the SCL score is equal to or greater than 5.\n2) Sets the incident severity according to the playbook inputs (default is: PCL/BCL - Medium, SCL - Low). The severity of the incident is set only when one (or more) of the following occurs:\n - PCL (Phishing Confidence Level) score between and including 4-8: The message content is likely to be phishing.\n - [BCL](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values?view=o365-worldwide) (Bulk Complaint Level) score between and including 4-7: The message is from a bulk sender that generates a mixed number of complaints. \n For a score between and including 8-9: The message is from a bulk sender that generates a high number of complaints.\n - [SCL](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels?view=o365-worldwide) (Spam Confidence Level) score between and including 5-6: Spam filtering marks the message as spam. \n For a score of 9: Spam filtering marks the message as high confidence spam. See [anti-spam stamps](https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps?view=exchserver-2019)."
@@ -1703,10 +1705,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "135":
 id: "135"
- taskid: f2075a81-8e36-4029-8a22-69856ce0c05c
+ taskid: a7af8e52-9693-46d3-8532-25e557d91136
 type: playbook
 task:
- id: f2075a81-8e36-4029-8a22-69856ce0c05c
+ id: a7af8e52-9693-46d3-8532-25e557d91136
 version: -1
 name: Detonate URL - Generic
 description: This playbook detonates URLs using active integrations that support URL detonation.
@@ -1746,10 +1748,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "137":
 id: "137"
- taskid: f021a518-77b3-4e39-8448-2c723aa231af
+ taskid: beafe4ee-c41d-4691-845b-a4441cc2904e
 type: condition
 task:
- id: f021a518-77b3-4e39-8448-2c723aa231af
+ id: beafe4ee-c41d-4691-845b-a4441cc2904e
 version: -1
 name: Detonate URL?
 description: Whether to detonate URLs in supported sandboxes.
@@ -1791,10 +1793,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "148":
 id: "148"
- taskid: 0bef7402-740c-44e7-8eb8-82c5a1f8b1ae
+ taskid: 2d396b3f-9b41-4567-87f6-0085debc2cbd
 type: regular
 task:
- id: 0bef7402-740c-44e7-8eb8-82c5a1f8b1ae
+ id: 2d396b3f-9b41-4567-87f6-0085debc2cbd
 version: -1
 name: Update the user that the reported email is malicious
 description: Sends an email to the user explaining that the email they reported is malicious.
@@ -1841,10 +1843,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "149":
 id: "149"
- taskid: 3cafb4a7-844e-444a-8a01-859075857e59
+ taskid: 85a88cc4-822e-45d3-8c91-2ea8429fb5de
 type: condition
 task:
- id: 3cafb4a7-844e-444a-8a01-859075857e59
+ id: 85a88cc4-822e-45d3-8c91-2ea8429fb5de
 version: -1
 name: Can the user be informed about the verdict?
 description: Checks whether the user can be informed about the verdict of the incident.
@@ -1923,10 +1925,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "150":
 id: "150"
- taskid: 340bf6f8-bdca-48f2-86b7-fceb045e6cab
+ taskid: 8690c7f2-7d21-479e-8ebb-5ead69f4d365
 type: regular
 task:
- id: 340bf6f8-bdca-48f2-86b7-fceb045e6cab
+ id: 8690c7f2-7d21-479e-8ebb-5ead69f4d365
 version: -1
 name: Update the user that the email is a malicious campaign
 description: Sends an email to the user explaining that the email they reported is malicious.
@@ -1973,10 +1975,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "151":
 id: "151"
- taskid: e351cca4-6a09-40f3-82c9-2a5b47390ce0
+ taskid: 24f60f13-9374-4819-8f45-1661e29a5297
 type: condition
 task:
- id: e351cca4-6a09-40f3-82c9-2a5b47390ce0
+ id: 24f60f13-9374-4819-8f45-1661e29a5297
 version: -1
 name: Can the user be informed about the verdict?
 description: Checks whether the user can be informed about the verdict of the incident.
@@ -2028,10 +2030,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "152":
 id: "152"
- taskid: 08fb57b9-6f25-45a0-8e87-30b1b7d5d874
+ taskid: 2b316bdf-fc22-44c7-8991-38bac2e1947d
 type: condition
 task:
- id: 08fb57b9-6f25-45a0-8e87-30b1b7d5d874
+ id: 2b316bdf-fc22-44c7-8991-38bac2e1947d
 version: -1
 name: Check if original email was retrieved
 description: Checks if the original email was retrieved using the email listener integration.
@@ -2071,10 +2073,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "153":
 id: "153"
- taskid: 52489dc2-a128-4d5f-8de0-5154a62c582b
+ taskid: 54c0f37b-b540-413b-8d1d-ff2f3c44e100
 type: condition
 task:
- id: 52489dc2-a128-4d5f-8de0-5154a62c582b
+ id: 54c0f37b-b540-413b-8d1d-ff2f3c44e100
 version: -1
 name: Did domain-squatting occur?
 description: Checks whether the attacker tried to squat another domain involved in this incident.
@@ -2141,10 +2143,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "154":
 id: "154"
- taskid: 7829ed88-8994-4d0c-8805-736cb9ff1da7
+ taskid: 74f8be3e-bd84-492b-8e45-e6ebd2d4cdd9
 type: title
 task:
- id: 7829ed88-8994-4d0c-8805-736cb9ff1da7
+ id: 74f8be3e-bd84-492b-8e45-e6ebd2d4cdd9
 version: -1
 name: Domain-squatting
 type: title
@@ -2172,10 +2174,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "155":
 id: "155"
- taskid: 0439fba3-e3ae-4f2d-82aa-b8d75aac4f81
+ taskid: b58fc3ce-c37a-46c4-839b-ea035ef824de
 type: regular
 task:
- id: 0439fba3-e3ae-4f2d-82aa-b8d75aac4f81
+ id: b58fc3ce-c37a-46c4-839b-ea035ef824de
 version: -1
 name: Save domain-squatting result to incident field
 description: commands.local.cmd.set.incident
@@ -2255,10 +2257,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "157":
 id: "157"
- taskid: 2d1d5b0f-14a0-4b75-8861-9057e3ab1376
+ taskid: da6b5b52-1e6b-49b3-8b06-e05fa81f57fe
 type: title
 task:
- id: 2d1d5b0f-14a0-4b75-8861-9057e3ab1376
+ id: da6b5b52-1e6b-49b3-8b06-e05fa81f57fe
 version: -1
 name: Reporter Address specified
 type: title
@@ -2287,10 +2289,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "160":
 id: "160"
- taskid: ab7cc271-03ad-4102-833c-5be700a30d58
+ taskid: a549cbfe-fd79-4ccc-8701-5998ed42e51d
 type: playbook
 task:
- id: ab7cc271-03ad-4102-833c-5be700a30d58
+ id: a549cbfe-fd79-4ccc-8701-5998ed42e51d
 version: -1
 name: Phishing - Machine Learning Analysis
 playbookName: Phishing - Machine Learning Analysis
@@ -2348,10 +2350,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "161":
 id: "161"
- taskid: eb4102e0-7169-4427-8ee0-f3ff6b0aa827
+ taskid: de1d06a0-e330-4fcc-8583-40f697e2342f
 type: condition
 task:
- id: eb4102e0-7169-4427-8ee0-f3ff6b0aa827
+ id: de1d06a0-e330-4fcc-8583-40f697e2342f
 version: -1
 name: Was the reporter of the phishing email specified?
 description: Checks whether the email address of the phishing email reporter was specified on incident creation, so that an acknowledgement email can be sent to them.
@@ -2420,16 +2422,16 @@ tasks:
 isautoswitchedtoquietmode: false
 "162":
 id: "162"
- taskid: 6f2d639f-95bc-4f92-8b17-c4fb3b5bbf36
+ taskid: 16c50c85-20d5-4abe-874d-ff7033a668b4
 type: condition
 task:
- id: 6f2d639f-95bc-4f92-8b17-c4fb3b5bbf36
+ id: 16c50c85-20d5-4abe-874d-ff7033a668b4
 version: -1
 name: Was a file with macro found?
- description: ""
 type: condition
 iscommand: false
 brand: ""
+ description: ""
 nexttasks:
 '#default#':
 - "52"
@@ -2463,10 +2465,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "163":
 id: "163"
- taskid: b2aaa263-e105-494c-8f40-7ebb732b3421
+ taskid: bd58f4b7-8f39-4650-8766-836143279d85
 type: regular
 task:
- id: b2aaa263-e105-494c-8f40-7ebb732b3421
+ id: bd58f4b7-8f39-4650-8766-836143279d85
 version: -1
 name: Set Macro Source Code field
 description: commands.local.cmd.set.incident
@@ -2500,10 +2502,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "170":
 id: "170"
- taskid: 4f046dd7-c435-4028-8cb5-b4a53680f7b3
+ taskid: b52489d5-597e-468b-8ba5-3f3277ff2890
 type: title
 task:
- id: 4f046dd7-c435-4028-8cb5-b4a53680f7b3
+ id: b52489d5-597e-468b-8ba5-3f3277ff2890
 version: -1
 name: Email Indicators Hunting
 type: title
@@ -2531,16 +2533,16 @@ tasks:
 isautoswitchedtoquietmode: false
 "179":
 id: "179"
- taskid: 256f1b7e-fb6f-42c1-8753-a5e9dc9107e9
+ taskid: ca0d4a0f-2c78-49de-8792-63b4eb33720b
 type: condition
 task:
- id: 256f1b7e-fb6f-42c1-8753-a5e9dc9107e9
+ id: ca0d4a0f-2c78-49de-8792-63b4eb33720b
 version: -1
 name: Hunt email indicators?
- description: ""
 type: condition
 iscommand: false
 brand: ""
+ description: ""
 nexttasks:
 '#default#':
 - "84"
@@ -2661,10 +2663,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "211":
 id: "211"
- taskid: 5b6df47a-fc67-43be-89b1-cc6e596142de
+ taskid: b48c1fe5-04a9-45a5-8065-ba32f45a9697
 type: playbook
 task:
- id: 5b6df47a-fc67-43be-89b1-cc6e596142de
+ id: b48c1fe5-04a9-45a5-8065-ba32f45a9697
 version: -1
 name: Phishing - Indicators Hunting
 description: |
@@ -2722,10 +2724,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "212":
 id: "212"
- taskid: 879287c6-d862-4d2d-88bb-269f08a7669f
+ taskid: fb5399de-7b6d-4c38-8d94-81f79246c46c
 type: regular
 task:
- id: 879287c6-d862-4d2d-88bb-269f08a7669f
+ id: fb5399de-7b6d-4c38-8d94-81f79246c46c
 version: -1
 name: Set Listener Mailbox
 description: In order to exclude the listener mailbox from hunting actions, it is needed to save it (before it changes) in a dedicated field.
@@ -2752,13 +2754,13 @@ tasks:
 value:
 simple: incident.emailto
 iscontext: true
- equals: {}
+ equals: { }
 lhs:
 value:
 simple: inputs.ListenerMailbox
 iscontext: true
- options: {}
- rhs: {}
+ options: { }
+ rhs: { }
 then:
 value:
 simple: inputs.ListenerMailbox
@@ -2781,10 +2783,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "213":
 id: "213"
- taskid: 8b00b280-841c-419b-82b8-43f54d59ff97
+ taskid: 3236a5b0-5234-448d-8842-67142d698e5d
 type: playbook
 task:
- id: 8b00b280-841c-419b-82b8-43f54d59ff97
+ id: 3236a5b0-5234-448d-8842-67142d698e5d
 version: -1
 name: Block Indicators - Generic v3
 description: |+
@@ -3013,12 +3015,13 @@ tasks:
 isautoswitchedtoquietmode: false
 "214":
 id: "214"
- taskid: 599e80ea-091c-4aa7-8e29-2aa3c87d7eb9
+ taskid: d52768e3-e3b4-4ef1-8b97-9f6acbc14e88
 type: condition
 task:
- id: 599e80ea-091c-4aa7-8e29-2aa3c87d7eb9
+ id: d52768e3-e3b4-4ef1-8b97-9f6acbc14e88
 version: -1
 name: Phishing email sender address exist?
+ description: ''
 type: condition
 iscommand: false
 brand: ""
@@ -3055,10 +3058,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "215":
 id: "215"
- taskid: c619c33f-acc4-4326-8f79-e47cda8c539b
+ taskid: 04d6d0cd-28fb-4473-8a27-cfe1b8f16460
 type: regular
 task:
- id: c619c33f-acc4-4326-8f79-e47cda8c539b
+ id: 04d6d0cd-28fb-4473-8a27-cfe1b8f16460
 version: -1
 name: Set phishing email sender address verdict as malicious
 description: commands.local.cmd.set.indicator
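Review bot: The `description: ''` added to task 214 uses single quotes, while every other empty string in this file is written `""` (`brand: ""` on the same task, `description: ""` on tasks 162 and 179); the same single-quoted form is added to tasks 218, 220 and 223 in the next two hunk lines. In the Set Listener Mailbox hunk, `equals: { }`, `options: { }` and `rhs: { }` change only the whitespace inside the flow mappings and differ from the `{}` the file uses elsewhere (`value: {}` in the inputs section). Both look like editor output rather than intended edits; write `description: ""` and `{}` so the diff carries only the real changes.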
@@ -3094,10 +3097,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "216":
 id: "216"
- taskid: 6d36bb6d-568c-49ae-8352-e9b9f2b8df24
+ taskid: 774d29ad-0044-48f0-8ed8-8bde43ca7fb8
 type: title
 task:
- id: 6d36bb6d-568c-49ae-8352-e9b9f2b8df24
+ id: 774d29ad-0044-48f0-8ed8-8bde43ca7fb8
 version: -1
 name: Threat Intelligence Analysis
 type: title
@@ -3125,10 +3128,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "217":
 id: "217"
- taskid: a6b22f25-3e3a-49c1-8d2a-937daa2bb0f6
+ taskid: f18ca3f8-df34-40f4-8466-57f1140952a8
 type: playbook
 task:
- id: a6b22f25-3e3a-49c1-8d2a-937daa2bb0f6
+ id: f18ca3f8-df34-40f4-8466-57f1140952a8
 version: -1
 name: TIM - Indicator Relationships Analysis
 playbookName: TIM - Indicator Relationships Analysis
@@ -3182,15 +3185,16 @@ tasks:
 isautoswitchedtoquietmode: false
 "218":
 id: "218"
- taskid: f0fcffd7-6b05-45d8-8a9b-9d21165bf2a2
+ taskid: 44a904d8-10cd-4f8c-8d9f-1560df2b6d40
 type: condition
 task:
- id: f0fcffd7-6b05-45d8-8a9b-9d21165bf2a2
+ id: 44a904d8-10cd-4f8c-8d9f-1560df2b6d40
 version: -1
 name: Incident indicators related to campaign/report from TIM?
 type: condition
 iscommand: false
 brand: ""
+ description: ''
 nexttasks:
 '#default#':
 - "84"
@@ -3229,10 +3233,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "219":
 id: "219"
- taskid: 8ba6c274-aa36-4453-8954-0b2abb748e6b
+ taskid: 5d9db4d3-8f4c-4835-815f-874362252bae
 type: regular
 task:
- id: 8ba6c274-aa36-4453-8954-0b2abb748e6b
+ id: 5d9db4d3-8f4c-4835-815f-874362252bae
 version: -1
 name: Set Threat Intel findings to layout
 description: commands.local.cmd.set.incident
@@ -3269,15 +3273,16 @@ tasks:
 isautoswitchedtoquietmode: false
 "220":
 id: "220"
- taskid: 4cb402b3-246b-46fe-8d0d-16c5e112f543
+ taskid: 224a0570-4019-4dc8-8d76-5f44f766859e
 type: condition
 task:
- id: 4cb402b3-246b-46fe-8d0d-16c5e112f543
+ id: 224a0570-4019-4dc8-8d76-5f44f766859e
 version: -1
 name: Automatically block indicators?
 type: condition
 iscommand: false
 brand: ""
+ description: ''
 nexttasks:
 '#default#':
 - "221"
@@ -3314,10 +3319,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "221":
 id: "221"
- taskid: 44056ed3-32ca-4e54-813a-4e4d04ab4808
+ taskid: 92133fbe-7c78-4df5-89e3-3c7b82629767
 type: regular
 task:
- id: 44056ed3-32ca-4e54-813a-4e4d04ab4808
+ id: 92133fbe-7c78-4df5-89e3-3c7b82629767
 version: -1
 name: Set all indicators to semi-automated block options
 description: Set a value in context under the key you entered.
@@ -3377,10 +3382,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "222":
 id: "222"
- taskid: c355c3ae-fc8b-4d0f-8b65-b76752478311
+ taskid: 8b370acf-362f-45b2-81f6-10f886fb4d58
 type: condition
 task:
- id: c355c3ae-fc8b-4d0f-8b65-b76752478311
+ id: 8b370acf-362f-45b2-81f6-10f886fb4d58
 version: -1
 name: Engage with the user?
 description: Checks whether to inform the user about the verdict of the incident.
@@ -3430,15 +3435,16 @@ tasks:
 isautoswitchedtoquietmode: false
 "223":
 id: "223"
- taskid: 8da352fc-3775-4503-8215-3227c80c1426
+ taskid: 04046165-90c9-4bcc-8aad-fdf13f03568c
 type: condition
 task:
- id: 8da352fc-3775-4503-8215-3227c80c1426
+ id: 04046165-90c9-4bcc-8aad-fdf13f03568c
 version: -1
 name: Pause to manually perform additional actions?
 type: condition
 iscommand: false
 brand: ""
+ description: ''
 nexttasks:
 '#default#':
 - "8"
@@ -3475,10 +3481,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "224":
 id: "224"
- taskid: f7d84d5d-0392-4bf2-8316-023d3907d7e4
+ taskid: 29be8530-7a2a-4454-81cf-90f3478b7c8b
 type: regular
 task:
- id: f7d84d5d-0392-4bf2-8316-023d3907d7e4
+ id: 29be8530-7a2a-4454-81cf-90f3478b7c8b
 version: -1
 name: Take manual actions
 description: 'Take notes and additional necessary manual actions before continuing. Once this task will be completed, the incident will be closed.'
@@ -3708,7 +3714,9 @@ inputs: - key: SendMailInstance value: {} required: false - description: The name of the instance to be used when executing the "send-mail" command in the playbook. In case it will be empty, all available instances will be used (default). + description: The name of the instance to be used when executing the "send-mail" + command in the playbook. In case it will be empty, all available instances will + be used (default). playbookInputQuery: - key: OriginalAuthenticationHeader value: {} @@ -3735,7 +3743,6 @@ inputs: playbookInputQuery: outputs: [] tests: -- playbook-checkEmailAuthenticity-test -- Phishing v3 - DomainSquatting+EML+MaliciousIndicators - Test - Phishing v3 - Get Original Email + Search & Delete - Test +- Phishing v3 - DomainSquatting+EML+MaliciousIndicators - Test fromversion: 6.5.0 From d56e3686d9be884c4c48113b796bc3b3add07109 Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Wed, 17 May 2023 15:11:07 +0300 Subject: [PATCH 04/22] added empty descr --- Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml index f8686707a42e..93edcb057b82 100644 --- a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml +++ b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml @@ -1975,6 +1975,7 @@ tasks: id: 6ed6697b-5d7a-4700-8b04-41bf375be00f version: -1 name: Check Whether to add attachments + description: "" type: condition iscommand: false brand: '' From b28b87db6bb230a1b0e731aee417cc4304ed22d4 Mon Sep 17 00:00:00 2001 
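Review bot: `playbook-checkEmailAuthenticity-test` is dropped from `tests:` although the `Authenticate email` task (task 82, `Checks the authenticity of an email based on the email's SPF, DMARC, and DKIM.`) and its `Should the email be authenticated?` gate remain in the playbook, so the email-authenticity path loses its only listed test with nothing in the commit explaining why. The other two entries are merely swapped in order, which adds noise for no gain. Keep the entry unless the test was deleted or renamed elsewhere in this PR, and in that case say so in the commit message and name the replacement.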
From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Wed, 17 May 2023 15:21:57 +0300 Subject: [PATCH 05/22] Added layout with new dynamic section + moved the email delete result section to be under the email delete button section --- .../layoutscontainer-Phishing_v_3.json | 116 ++++++++---------- 1 file changed, 52 insertions(+), 64 deletions(-) diff --git a/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json b/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json index e944353dfc3b..37cb0d22ad7e 100644 --- a/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json +++ b/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json @@ -41,34 +41,6 @@ "x": 2, "y": 3 }, - { - "description": "", - "displayType": "CARD", - "h": 6, - "hideItemTitleOnlyOne": true, - "hideName": false, - "i": "swtuqptgvs-field-changed-swtuqptgvs-1vduzkpmlh-swtuqptgvs-1vduzkpmlh-swtuqptgvs-5a552190-97ee-11e9-b8bd-0b00be54d2d3", - "isVisible": true, - "items": [ - { - "endCol": 4, - "fieldId": "renderedhtml", - "height": 106, - "id": "08421d50-b022-11ec-8814-456202ce784b", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Email Body", - "static": false, - "w": 2, - "x": 0, - "y": 8 - }, { "displayType": "ROW", "h": 3, @@ -181,15 +153,15 @@ "sectionItemType": "field", "startCol": 0 }, - { - "endCol": 2, - "fieldId": "categories", - "height": 22, - "id": "5e2287d0-e502-11ed-ba0f-99a713ead7dc", - "index": 11, - "sectionItemType": "field", - "startCol": 0 - } + { + "endCol": 2, + "fieldId": "categories", + "height": 22, + "id": "5e2287d0-e502-11ed-ba0f-99a713ead7dc", + "index": 11, + "sectionItemType": "field", + "startCol": 0 + } ], "maxW": 3, "minH": 1, @@ -211,6 +183,10 @@ "minH": 1, "moved": false, "name": "Incident Files", + "static": false, + "w": 3, + "x": 0, + "y": 14, "query": { "categories": [ "attachments" 
@@ -224,11 +200,7 @@
 },
 "queryType": "warRoomFilter",
 "readOnly": true,
- "static": false,
- "type": "invTimeline",
- "w": 3,
- "x": 0,
- "y": 14
+ "type": "invTimeline"
 },
 {
 "displayType": "ROW",
@@ -296,7 +268,6 @@
 "y": 0
 },
 {
- "description": "",
 "h": 1,
 "hideName": true,
 "i": "swtuqptgvs-field-changed-swtuqptgvs-1vduzkpmlh-swtuqptgvs-1vduzkpmlh-swtuqptgvs-044bccb0-befa-11eb-b351-7bcfe92e5e24",
@@ -311,7 +282,8 @@
 "type": "dynamic",
 "w": 1,
 "x": 2,
- "y": 5
+ "y": 5,
+ "description": ""
 },
 {
 "h": 2,
@@ -328,9 +300,7 @@
 "y": 6
 },
 {
- "displayType": "ROW",
 "h": 2,
- "hideName": false,
 "i": "swtuqptgvs-field-changed-swtuqptgvs-1vduzkpmlh-93d51e60-a8fe-11ec-927e-2bbbcff3899b",
 "items": [
 {
@@ -411,7 +381,9 @@
 "static": false,
 "w": 1,
 "x": 2,
- "y": 8
+ "y": 8,
+ "displayType": "ROW",
+ "hideName": false
 },
 {
 "displayType": "ROW",
@@ -448,6 +420,17 @@
 "y": 12
 },
 {
+ "h": 2,
+ "i": "swtuqptgvs-field-changed-swtuqptgvs-8f724f40-6b37-11ed-b7c0-2904efd8f7fb",
+ "items": [],
+ "maxW": 3,
+ "minH": 1,
+ "moved": false,
+ "name": "Linked Incidents",
+ "static": false,
+ "w": 3,
+ "x": 0,
+ "y": 18,
 "columns": [
 {
 "displayed": true,
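Review bot: The `static`/`w`/`x`/`y` keys of the Incident Files section, the `description` of the dynamic section at `"y": 5`, and `displayType`/`hideName` of the ROW section at `"y": 8` are only moved to a different position inside their objects with identical values, and the Linked Incidents section (continuing into the next line) is likewise just re-ordered around its `columns` array. Key order carries no meaning in this JSON, so these hunks add review surface without changing the layout and make the one real change, the Email Body section, harder to spot. Please re-serialize with the previous key order, or run the file through the project's formatter, so only the intended edits remain.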
@@ -495,36 +478,41 @@ "width": 300 } ], - "h": 2, - "i": "swtuqptgvs-field-changed-swtuqptgvs-8f724f40-6b37-11ed-b7c0-2904efd8f7fb", - "items": [], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Linked Incidents", - "static": false, - "type": "linkedIncidents", - "w": 3, - "x": 0, - "y": 18 + "type": "linkedIncidents" }, { - "description": "Indicators selected to be blocked.", "h": 2, "i": "swtuqptgvs-1a52c090-c187-11ed-a413-1fc9f082fba8", "items": [], - "maxH": null, "maxW": 3, "minH": 1, "moved": false, "name": "Selected indicators to block", - "query": "tags:\"Blocked Indicator In Systems\"", - "queryType": "input", "static": false, "type": "indicators", "w": 1, "x": 2, - "y": 10 + "y": 10, + "description": "Indicators selected to be blocked.", + "query": "tags:\"Blocked Indicator In Systems\"", + "queryType": "input" + }, + { + "description": "", + "h": 6, + "i": "swtuqptgvs-ca48f510-f322-11ed-8c15-d92844a806b0", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Email Body", + "query": "fca467ab-ca38-4d68-8e3c-2b75a60382e0", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 2, + "x": 0, + "y": 8 } ], "type": "custom" From 14339bcd06579f206a7e6128fc198d86be022020 Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Wed, 17 May 2023 17:03:48 +0300 Subject: [PATCH 06/22] Added RN and breaking RN, and changed the playbook to break by default. --- Packs/Campaign/ReleaseNotes/3_2_23.md | 6 ++++++ Packs/Campaign/pack_metadata.json | 2 +- .../Playbooks/Process_Email_-_Generic_v2.yml | 2 +- Packs/Phishing/ReleaseNotes/3_5_17.json | 1 + Packs/Phishing/ReleaseNotes/3_5_17.md | 12 ++++++++++++ Packs/Phishing/pack_metadata.json | 2 +- 6 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 Packs/Campaign/ReleaseNotes/3_2_23.md create mode 100644 Packs/Phishing/ReleaseNotes/3_5_17.json create mode 100644 Packs/Phishing/ReleaseNotes/3_5_17.md 
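Review bot: The new `Email Body` dynamic section identifies its automation only by `"query": "fca467ab-ca38-4d68-8e3c-2b75a60382e0"` with `"queryType": "script"`; a bare id tells a reader nothing about which script renders the section and cannot be grepped for in the pack, so reference the script by name if the layout schema allows it, and put the name and purpose in the section's empty `"description"`. The section it replaces displayed the `renderedhtml` incident field, whereas the script will now produce the markup shown to analysts from the HTML of the reported email, which is sender-controlled content; please confirm the script's output is sanitized or rendered with the same constraints as the field display was before this is merged.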
diff --git a/Packs/Campaign/ReleaseNotes/3_2_23.md b/Packs/Campaign/ReleaseNotes/3_2_23.md new file mode 100644 index 000000000000..3375460e2678 --- /dev/null +++ b/Packs/Campaign/ReleaseNotes/3_2_23.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Detect & Manage Phishing Campaigns + +- Changed the playbook to use the **Email HTML** field instead of the **Email Body HTML**. This change should not affect the functionality of the playbook. diff --git a/Packs/Campaign/pack_metadata.json b/Packs/Campaign/pack_metadata.json index 5dd06101c70d..2c944fcd4fa3 100644 --- a/Packs/Campaign/pack_metadata.json +++ b/Packs/Campaign/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Phishing Campaign", "description": "This pack can help you find related phishing, spam or other types of email incidents and characterize campaigns.", "support": "xsoar", - "currentVersion": "3.2.22", + "currentVersion": "3.2.23", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "", diff --git a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml index 93edcb057b82..56cacef4101a 100644 --- a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml +++ b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml @@ -3102,7 +3102,7 @@ inputs: playbookInputQuery: - key: UseOldHTMLFields value: - simple: "True" + simple: "False" required: false description: |- This input is used to preserve backward-compatibility. It determines whether the playbook should set email fields that are no longer being used in the out-of-the-box content. diff --git a/Packs/Phishing/ReleaseNotes/3_5_17.json b/Packs/Phishing/ReleaseNotes/3_5_17.json new file mode 100644 index 000000000000..a9a9600030cc --- /dev/null +++ b/Packs/Phishing/ReleaseNotes/3_5_17.json 
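Review bot: Flipping the `UseOldHTMLFields` default from `"True"` to `"False"` is the breaking change the release notes describe, yet the input's own `description: |-` block (which continues past the hunk) still opens with `This input is used to preserve backward-compatibility.` and says nothing about the new default or the fields that replace `Email Body HTML` and `Rendered HTML`. Operators see the input description in the playbook editor, not the release notes, so state both there, e.g. `Defaults to "False". The HTML content remains available in the "Email HTML" field.`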
@@ -0,0 +1 @@ +{"breakingChanges":true,"breakingChangesNotes":"The playbook `Process Email - Generic v2` will no longer set the `Email Body HTML` and `Rendered HTML` fields by default. There changes are aimed at reducing duplication of data and improving performance. Adjustments were made in OOTB playbooks. However, if you've built custom content that depends on those incident fields by the `Process Email - Generic v2` playbook, we recommend changing that content to use the `Email HTML` field instead."} \ No newline at end of file diff --git a/Packs/Phishing/ReleaseNotes/3_5_17.md b/Packs/Phishing/ReleaseNotes/3_5_17.md new file mode 100644 index 000000000000..d94039b8b813 --- /dev/null +++ b/Packs/Phishing/ReleaseNotes/3_5_17.md @@ -0,0 +1,12 @@ + +#### Layouts + +##### Phishing Incident v3 + +- Changed the Email Body section to use a dynamic section that will display the rendered HTML or the text of the email. + +#### Playbooks + +##### Process Email - Generic v2 + +- Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. We recommend setting the value for that input to "False" unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". \ No newline at end of file diff --git a/Packs/Phishing/pack_metadata.json b/Packs/Phishing/pack_metadata.json index e41c266d53a6..05a923275b43 100644 --- a/Packs/Phishing/pack_metadata.json +++ b/Packs/Phishing/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Phishing", "description": "Phishing emails still hooking your end users? This Content Pack can drastically reduce the time your security team spends on phishing alerts.", "support": "xsoar", - "currentVersion": "3.5.16", + "currentVersion": "3.5.17", "serverMinVersion": "6.0.0", "videos": [ "https://www.youtube.com/watch?v=SY-3L348PoY" From 40cf7280be74ce6a241d853ec6fccb88107788a6 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Thu, 18 May 2023 07:31:02 +0000 Subject: [PATCH 07/22] Bump pack from version Phishing to 3.5.18. --- .../ReleaseNotes/{3_5_17.json => 3_5_18.json} | 0 Packs/Phishing/ReleaseNotes/3_5_18.md | 12 ++++++++++++ Packs/Phishing/pack_metadata.json | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) rename Packs/Phishing/ReleaseNotes/{3_5_17.json => 3_5_18.json} (100%) create mode 100644 Packs/Phishing/ReleaseNotes/3_5_18.md diff --git a/Packs/Phishing/ReleaseNotes/3_5_17.json b/Packs/Phishing/ReleaseNotes/3_5_18.json similarity index 100% rename from Packs/Phishing/ReleaseNotes/3_5_17.json rename to Packs/Phishing/ReleaseNotes/3_5_18.json diff --git a/Packs/Phishing/ReleaseNotes/3_5_18.md b/Packs/Phishing/ReleaseNotes/3_5_18.md new file mode 100644 index 000000000000..d94039b8b813 --- /dev/null +++ b/Packs/Phishing/ReleaseNotes/3_5_18.md 
@@ -0,0 +1,12 @@ + +#### Layouts + +##### Phishing Incident v3 + +- Changed the Email Body section to use a dynamic section that will display the rendered HTML or the text of the email. + +#### Playbooks + +##### Process Email - Generic v2 + +- Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. We recommend setting the value for that input to "False" unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". \ No newline at end of file diff --git a/Packs/Phishing/pack_metadata.json b/Packs/Phishing/pack_metadata.json index 05a923275b43..78286c912e73 100644 --- a/Packs/Phishing/pack_metadata.json +++ b/Packs/Phishing/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Phishing", "description": "Phishing emails still hooking your end users? This Content Pack can drastically reduce the time your security team spends on phishing alerts.", "support": "xsoar", - "currentVersion": "3.5.17", + "currentVersion": "3.5.18", "serverMinVersion": "6.0.0", "videos": [ "https://www.youtube.com/watch?v=SY-3L348PoY" From d50c565fd9c29799c61fbee9ec774278c19db063 Mon Sep 17 00:00:00 2001 From: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Date: Thu, 18 May 2023 14:10:22 +0300 Subject: [PATCH 08/22] Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Campaign/ReleaseNotes/3_2_23.md | 2 +- Packs/Phishing/ReleaseNotes/3_5_18.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Packs/Campaign/ReleaseNotes/3_2_23.md b/Packs/Campaign/ReleaseNotes/3_2_23.md index 3375460e2678..75a9540fa1e8 100644 --- a/Packs/Campaign/ReleaseNotes/3_2_23.md +++ b/Packs/Campaign/ReleaseNotes/3_2_23.md 
@@ -3,4 +3,4 @@ ##### Detect & Manage Phishing Campaigns -- Changed the playbook to use the **Email HTML** field instead of the **Email Body HTML**. This change should not affect the functionality of the playbook. +Changed the playbook to use the *Email HTML* field instead of the *Email Body HTML*. This change should not affect the functionality of the playbook. diff --git a/Packs/Phishing/ReleaseNotes/3_5_18.md b/Packs/Phishing/ReleaseNotes/3_5_18.md index d94039b8b813..2490fed84f07 100644 --- a/Packs/Phishing/ReleaseNotes/3_5_18.md +++ b/Packs/Phishing/ReleaseNotes/3_5_18.md @@ -3,7 +3,7 @@ ##### Phishing Incident v3 -- Changed the Email Body section to use a dynamic section that will display the rendered HTML or the text of the email. +Changed the Email Body section to use a dynamic section that will display the rendered HTML or the text of the email. #### Playbooks From fe3a7b30cc1f7ce0ec89ac2612c89110b0f959dc Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Thu, 18 May 2023 14:14:28 +0300 Subject: [PATCH 09/22] Fixed invalid reference to dynamic section script --- Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json b/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json index 37cb0d22ad7e..d268c737818f 100644 --- a/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json +++ b/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json @@ -506,7 +506,7 @@ "minH": 1, "moved": false, "name": "Email Body", - "query": "fca467ab-ca38-4d68-8e3c-2b75a60382e0", + "query": "DisplayHtmlWithImages", "queryType": "script", "static": false, "type": "dynamic", From cacd12874bdcc8f379e7eb0cfb51af46c92e6dff Mon Sep 17 00:00:00 2001 
From: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Date: Thu, 18 May 2023 14:15:34 +0300 Subject: [PATCH 10/22] Update Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml index 0920f9a216d2..6aca9b4b5300 100644 --- a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml +++ b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml @@ -1194,7 +1194,7 @@ inputs: value: simple: "2" required: false - description: The minimum number of unique recipients of similar email incidents to consider as a campaign. as a campaign. + description: The minimum number of unique recipients of similar email incidents to consider as a campaign. playbookInputQuery: - key: fieldsToDisplay value: From 711f35c6d7a79440e6b292fc9390cd3d1de3d30d Mon Sep 17 00:00:00 2001 From: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Date: Thu, 18 May 2023 14:15:43 +0300 Subject: [PATCH 11/22] Update Packs/Phishing/ReleaseNotes/3_5_18.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Phishing/ReleaseNotes/3_5_18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Phishing/ReleaseNotes/3_5_18.md b/Packs/Phishing/ReleaseNotes/3_5_18.md index 2490fed84f07..b6bf4e9ea47a 100644 --- a/Packs/Phishing/ReleaseNotes/3_5_18.md +++ b/Packs/Phishing/ReleaseNotes/3_5_18.md 
@@ -9,4 +9,4 @@ Changed the Email Body section to use a dynamic section that will display the re ##### Process Email - Generic v2 -- Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. We recommend setting the value for that input to "False" unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". \ No newline at end of file +Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. We recommend setting the value for that input to "False" unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". \ No newline at end of file From 752fae393a58ccf798a0a515358f535d5829df2a Mon Sep 17 00:00:00 2001 From: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Date: Thu, 18 May 2023 14:15:50 +0300 Subject: [PATCH 12/22] Update Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml index 6aca9b4b5300..4638b7bc5ed2 100644 --- a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml +++ b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml 
@@ -880,7 +880,7 @@ tasks: id: a4f2e248-ec23-490c-84a2-d73d14fd4b9b version: -1 name: Is the Demsito Lock integration enabled? - description: Returns 'yes' if integration brand is available. Otherwise returns 'no' + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. scriptName: IsIntegrationAvailable type: condition iscommand: false From cab09e01c4da91715655aadc0fc32f069911e61e Mon Sep 17 00:00:00 2001 From: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Date: Thu, 18 May 2023 14:15:56 +0300 Subject: [PATCH 13/22] Update Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml index 4638b7bc5ed2..dd7e6d715766 100644 --- a/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml +++ b/Packs/Campaign/Playbooks/Detect_&_Manage_Phishing_Campaigns.yml @@ -996,7 +996,7 @@ tasks: id: 009dbbe0-1090-4d46-84c9-a2596df628f7 version: -1 name: Is the Demsito Lock integration enabled? - description: Returns 'yes' if integration brand is available. Otherwise returns 'no' + description: Returns 'yes' if integration brand is available. Otherwise returns 'no'. scriptName: IsIntegrationAvailable type: condition iscommand: false From 21df462c81826f16b2745a746a4a27f47d067eb8 Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Sun, 21 May 2023 16:46:29 +0300 Subject: [PATCH 14/22] Changed layout to use the new script name "DisplayHTMLWithImages". --- Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json b/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json index d268c737818f..e778ba84dcd3 100644 --- a/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json +++ b/Packs/Phishing/Layouts/layoutscontainer-Phishing_v_3.json @@ -506,7 +506,7 @@ "minH": 1, "moved": false, "name": "Email Body", - "query": "DisplayHtmlWithImages", + "query": "DisplayHTMLWithImages", "queryType": "script", "static": false, "type": "dynamic", From 1a3e3d7a52abc630411621f326d78bbc116492fe Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Sun, 21 May 2023 17:11:58 +0300 Subject: [PATCH 15/22] Changed the playbook to not break by default --- Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml | 2 +- Packs/Phishing/ReleaseNotes/3_5_18.json | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 Packs/Phishing/ReleaseNotes/3_5_18.json diff --git a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml index 56cacef4101a..93edcb057b82 100644 --- a/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml +++ b/Packs/Phishing/Playbooks/Process_Email_-_Generic_v2.yml @@ -3102,7 +3102,7 @@ inputs: playbookInputQuery: - key: UseOldHTMLFields value: - simple: "False" + simple: "True" required: false description: |- This input is used to preserve backward-compatibility. It determines whether the playbook should set email fields that are no longer being used in the out-of-the-box content. diff --git a/Packs/Phishing/ReleaseNotes/3_5_18.json b/Packs/Phishing/ReleaseNotes/3_5_18.json deleted file mode 100644 index a9a9600030cc..000000000000 --- a/Packs/Phishing/ReleaseNotes/3_5_18.json +++ /dev/null 
@@ -1 +0,0 @@ -{"breakingChanges":true,"breakingChangesNotes":"The playbook `Process Email - Generic v2` will no longer set the `Email Body HTML` and `Rendered HTML` fields by default. There changes are aimed at reducing duplication of data and improving performance. Adjustments were made in OOTB playbooks. However, if you've built custom content that depends on those incident fields by the `Process Email - Generic v2` playbook, we recommend changing that content to use the `Email HTML` field instead."} \ No newline at end of file From c2d63009a5cc1d3b3a953b5507acb19c9f2db8ea Mon Sep 17 00:00:00 2001 From: Content Bot Date: Sun, 21 May 2023 16:47:07 +0000 Subject: [PATCH 16/22] Bump pack from version Phishing to 3.5.19. --- Packs/Phishing/ReleaseNotes/3_5_19.md | 12 ++++++++++++ Packs/Phishing/pack_metadata.json | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 Packs/Phishing/ReleaseNotes/3_5_19.md diff --git a/Packs/Phishing/ReleaseNotes/3_5_19.md b/Packs/Phishing/ReleaseNotes/3_5_19.md new file mode 100644 index 000000000000..b6bf4e9ea47a --- /dev/null +++ b/Packs/Phishing/ReleaseNotes/3_5_19.md @@ -0,0 +1,12 @@ + +#### Layouts + +##### Phishing Incident v3 + +Changed the Email Body section to use a dynamic section that will display the rendered HTML or the text of the email. + +#### Playbooks + +##### Process Email - Generic v2 + +Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. We recommend setting the value for that input to "False" unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". \ No newline at end of file diff --git a/Packs/Phishing/pack_metadata.json b/Packs/Phishing/pack_metadata.json index 78286c912e73..ca08dae7114d 100644 --- a/Packs/Phishing/pack_metadata.json 
+++ b/Packs/Phishing/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Phishing", "description": "Phishing emails still hooking your end users? This Content Pack can drastically reduce the time your security team spends on phishing alerts.", "support": "xsoar", - "currentVersion": "3.5.18", + "currentVersion": "3.5.19", "serverMinVersion": "6.0.0", "videos": [ "https://www.youtube.com/watch?v=SY-3L348PoY" From 27d0b186f148284304e3f3a59877eac28d97587e Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 23 May 2023 12:52:16 +0300 Subject: [PATCH 17/22] new RN --- Packs/Phishing/ReleaseNotes/3_5_19.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Phishing/ReleaseNotes/3_5_19.md b/Packs/Phishing/ReleaseNotes/3_5_19.md index b6bf4e9ea47a..c50b90381516 100644 --- a/Packs/Phishing/ReleaseNotes/3_5_19.md +++ b/Packs/Phishing/ReleaseNotes/3_5_19.md 
@@ -9,4 +9,4 @@ Changed the Email Body section to use a dynamic section that will display the re ##### Process Email - Generic v2 -Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. We recommend setting the value for that input to "False" unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". \ No newline at end of file +Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. If you are experiencing issues with incidents containing large amounts of data, we recommend setting the value for that input to "False", unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". Note: changing the value of the input to "False" will break backward-compatibility for you if you are using the **Process Email - Generic v2** as a subplaybook to set those fields, and then make use of those fields in other parts of your playbook. However changing it to "False" will also reduce the overall size of the incident which can improve performance and prevent issues with large incidents. \ No newline at end of file From 600e131bddd2ebc478fb967df8fd31eba348ce85 Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 23 May 2023 12:54:13 +0300 Subject: [PATCH 18/22] RN --- Packs/Phishing/ReleaseNotes/3_5_19.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Phishing/ReleaseNotes/3_5_19.md b/Packs/Phishing/ReleaseNotes/3_5_19.md index c50b90381516..b8e6d08a1419 100644 --- a/Packs/Phishing/ReleaseNotes/3_5_19.md 
+++ b/Packs/Phishing/ReleaseNotes/3_5_19.md 
@@ -9,4 +9,4 @@ Changed the Email Body section to use a dynamic section that will display the re ##### Process Email - Generic v2 -Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. If you are experiencing issues with incidents containing large amounts of data, we recommend setting the value for that input to "False", unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". Note: changing the value of the input to "False" will break backward-compatibility for you if you are using the **Process Email - Generic v2** as a subplaybook to set those fields, and then make use of those fields in other parts of your playbook. However changing it to "False" will also reduce the overall size of the incident which can improve performance and prevent issues with large incidents. \ No newline at end of file +Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. If you are experiencing issues with incidents containing large amounts of data, we recommend setting the value for that input to "False", unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". Note: changing the value of the input to "False" will break backward-compatibility for you if you are using a custom playbook which uses **Process Email - Generic v2** as a subplaybook to set those fields, and then make use of those fields in other parts of your playbook. However changing it to "False" will also reduce the overall size of the incident which can improve performance and prevent issues with large incidents. 
\ No newline at end of file From 6812ef10d9f67cac711639a6af5f92a7f3bb5c07 Mon Sep 17 00:00:00 2001 From: Ido van Dijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 23 May 2023 13:36:35 +0300 Subject: [PATCH 19/22] Update 3_2_23.md --- Packs/Campaign/ReleaseNotes/3_2_23.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Campaign/ReleaseNotes/3_2_23.md b/Packs/Campaign/ReleaseNotes/3_2_23.md index 75a9540fa1e8..c4401efed8bf 100644 --- a/Packs/Campaign/ReleaseNotes/3_2_23.md +++ b/Packs/Campaign/ReleaseNotes/3_2_23.md @@ -3,4 +3,4 @@ ##### Detect & Manage Phishing Campaigns -Changed the playbook to use the *Email HTML* field instead of the *Email Body HTML*. This change should not affect the functionality of the playbook. +Changed the playbook to use the *Email HTML* field instead of the *Email Body HTML* by default. We recommend that users change to the value locally as well. This change should not affect the functionality of the playbook. From a3fe1105caaec06770e505bbfd6ad2829e273b00 Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 23 May 2023 17:20:39 +0300 Subject: [PATCH 20/22] Final RN --- Packs/Phishing/ReleaseNotes/3_5_19.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Packs/Phishing/ReleaseNotes/3_5_19.md b/Packs/Phishing/ReleaseNotes/3_5_19.md index b8e6d08a1419..7e850d8a9ce8 100644 --- a/Packs/Phishing/ReleaseNotes/3_5_19.md +++ b/Packs/Phishing/ReleaseNotes/3_5_19.md 
@@ -9,4 +9,8 @@ Changed the Email Body section to use a dynamic section that will display the re ##### Process Email - Generic v2 -Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. If you are experiencing issues with incidents containing large amounts of data, we recommend setting the value for that input to "False", unless you are exclusively using the Email Body HTML and Rendered HTML fields in your playbooks, and cannot replace those usages with the other fields - "Email HTML" or "Email Body". Note: changing the value of the input to "False" will break backward-compatibility for you if you are using a custom playbook which uses **Process Email - Generic v2** as a subplaybook to set those fields, and then make use of those fields in other parts of your playbook. However changing it to "False" will also reduce the overall size of the incident which can improve performance and prevent issues with large incidents. \ No newline at end of file +Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. +Setting the value to True will keep the old behavior of the playbook. +Setting the value to False will cause the playbook to save less information to incident fields which can help if you are experiencing issues with large incidents. + +Note: If you decide to set the value to False, you may break functionality if your custom playbooks expect those fields to have data in them. The out-of-the-box playbooks will work either way. \ No newline at end of file From 27bb130442f67551454a82a33ffb18380ca07e35 Mon Sep 17 00:00:00 2001 
From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Tue, 23 May 2023 17:31:40 +0300 Subject: [PATCH 21/22] Trying to fix RN validation --- Packs/Phishing/.pack-ignore | 1 + Packs/Phishing/ReleaseNotes/3_5_19.md | 6 +----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/Packs/Phishing/.pack-ignore b/Packs/Phishing/.pack-ignore index c3c2b2d8236f..0806972fd421 100644 --- a/Packs/Phishing/.pack-ignore +++ b/Packs/Phishing/.pack-ignore @@ -165,6 +165,7 @@ CheckEmailAuthenticity DeleteReportedEmail GetBrandDeleteReportedEmail CommonTypes +UseOldHTMLFields [file:LinkToPhishingCampaign.yml] ignore=BA124 \ No newline at end of file diff --git a/Packs/Phishing/ReleaseNotes/3_5_19.md b/Packs/Phishing/ReleaseNotes/3_5_19.md index 7e850d8a9ce8..bcf2e6ad1ff4 100644 --- a/Packs/Phishing/ReleaseNotes/3_5_19.md +++ b/Packs/Phishing/ReleaseNotes/3_5_19.md 
@@ -9,8 +9,4 @@ Changed the Email Body section to use a dynamic section that will display the re ##### Process Email - Generic v2 -Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. -Setting the value to True will keep the old behavior of the playbook. -Setting the value to False will cause the playbook to save less information to incident fields which can help if you are experiencing issues with large incidents. - -Note: If you decide to set the value to False, you may break functionality if your custom playbooks expect those fields to have data in them. The out-of-the-box playbooks will work either way. \ No newline at end of file +Added an input called "UseOldHTMLFields". The new input determines whether the playbook will set the "Email Body HTML" and "Rendered HTML" fields with the HTML contents of the email. Setting the value to True will keep the old behavior of the playbook. Setting the value to False will cause the playbook to save less information to incident fields which can help if you are experiencing issues with large incidents. Note: If you decide to set the value to False, you may break functionality if your custom playbooks expect those fields to have data in them. The out-of-the-box playbooks will work either way. \ No newline at end of file From 8dce18da2c57f5536ff4b9d6d698ea7e0c82391a Mon Sep 17 00:00:00 2001 From: ivandijk <43602124+idovandijk@users.noreply.github.com> Date: Wed, 24 May 2023 17:46:46 +0300 Subject: [PATCH 22/22] Attempt to fix test playbook --- ...uatting+EML+MaliciousIndicators_-_Test.yml | 82 +++++++++---------- 1 file changed, 38 insertions(+), 44 deletions(-) 
diff --git a/Packs/Phishing/TestPlaybooks/Phishing_v3_-_DomainSquatting+EML+MaliciousIndicators_-_Test.yml b/Packs/Phishing/TestPlaybooks/Phishing_v3_-_DomainSquatting+EML+MaliciousIndicators_-_Test.yml
index 9f780758cc16..3d310572fd15 100644
--- a/Packs/Phishing/TestPlaybooks/Phishing_v3_-_DomainSquatting+EML+MaliciousIndicators_-_Test.yml
+++ b/Packs/Phishing/TestPlaybooks/Phishing_v3_-_DomainSquatting+EML+MaliciousIndicators_-_Test.yml
@@ -35,6 +35,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "1":
 id: "1"
 taskid: 5042a693-d2be-4de8-808a-4deade675e1d
@@ -59,7 +60,7 @@ tasks:
 {
 "position": {
 "x": 450,
- "y": 5
+ "y": 25
 }
 }
 note: false
@@ -69,42 +70,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "6":
- id: "6"
- taskid: e83cbe50-dc9e-4a57-809b-83898ed5de2a
- type: regular
- task:
- id: e83cbe50-dc9e-4a57-809b-83898ed5de2a
- version: -1
- name: Investigate the incident
- description: commands.local.investigate
- script: Builtin|||investigate
- type: regular
- iscommand: true
- brand: Builtin
- nexttasks:
- '#none#':
- - "37"
- scriptarguments:
- id:
- complex:
- root: CreatedIncidentID
- separatecontext: false
- continueonerror: true
- view: |-
- {
- "position": {
- "x": 450,
- "y": 930
- }
- }
- note: false
- timertriggers: []
- ignoreworker: false
- skipunavailable: false
- quietmode: 2
- isoversize: false
- isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "9":
 id: "9"
 taskid: b76d6c27-1504-47d7-8393-ef5bf8c26f94
@@ -170,6 +136,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "11":
 id: "11"
 taskid: 6196ea72-1691-4f96-8b61-606e8dde4365
@@ -207,6 +174,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "14":
 id: "14"
 taskid: 7a1a8701-e310-43ee-86d5-00fb28b320b7
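Review bot: The `@@ -69,42 +70,7 @@` hunk deletes task `"6"` (`Investigate the incident`, `Builtin|||investigate` on `CreatedIncidentID`) outright, so the test playbook no longer checks that the incident it creates can be investigated, and neither this hunk nor the commit subject (`Attempt to fix test playbook`) says why the step fails or what now covers it; the matching rewiring of task `"42"` from `"6"` to `"37"` is in the `@@ -1073,7 +1064,7 @@` hunk further down. The removed task already carried `continueonerror: true`, so if it was merely noisy rather than fatal, keeping it with that flag would preserve the coverage; if the step is genuinely obsolete, record the reason in the commit description. The `tasks:` mapping these hunks edit starts and ends outside the visible hunks.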
@@ -243,6 +211,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "15":
 id: "15"
 taskid: 1b04f478-9046-4b6f-84e8-82663b14907c
@@ -270,6 +239,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "16":
 id: "16"
 taskid: e7c142ad-c90a-488f-8963-33c9ceda4eaf
@@ -314,6 +284,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "17":
 id: "17"
 taskid: f4d79fb1-43e1-4881-8992-b7468d4182b1
@@ -350,6 +321,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "19":
 id: "19"
 taskid: ab133692-5569-4090-8962-7359fa9ce8df
@@ -394,6 +366,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "20":
 id: "20"
 taskid: 41b0da09-6c8f-4da0-871a-63e8cdcc70ef
@@ -438,6 +411,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "21":
 id: "21"
 taskid: fb1bb036-c86e-4247-8de4-8cef199706f5
@@ -474,6 +448,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "22":
 id: "22"
 taskid: 2974383e-6e11-494d-8e9e-d8265fdefe84
@@ -518,6 +493,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "23":
 id: "23"
 taskid: 10c8e8b2-1d06-4b3f-8b21-835b2194d21e
@@ -549,6 +525,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "24":
 id: "24"
 taskid: 173fdb21-a2df-4ef5-80db-04d2fc082a56
@@ -582,6 +559,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "25":
 id: "25"
 taskid: 94547612-192b-4e49-828a-1fb575af6b8f
@@ -612,6 +590,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "26":
 id: "26"
 taskid: bfc68c72-6027-4314-8414-8bf54eb96e11
@@ -642,6 +621,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "27":
 id: "27"
 taskid: 9a0d7f9e-805a-4d10-8bd0-a2055e9fc1c9
@@ -672,6 +652,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "29":
 id: "29"
 taskid: 145f9612-9002-4432-8ef5-487e481091b8
@@ -705,6 +686,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "30":
 id: "30"
 taskid: 1a6ed4ee-e894-4b58-8b8d-bd8365c97679
@@ -749,6 +731,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "31":
 id: "31"
 taskid: 3b3374db-78c5-445e-88cd-367ff32deb32
@@ -785,6 +768,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "34":
 id: "34"
 taskid: 02f8ecc6-7838-45fd-837d-4cdfd4d9a826
@@ -820,6 +804,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "35":
 id: "35"
 taskid: 0acd76c2-138e-4344-8f0c-2adf068566a9
@@ -858,6 +843,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "36":
 id: "36"
 taskid: c1a91d45-4a49-44b7-8969-be813c7c7611
@@ -885,6 +871,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "37":
 id: "37"
 taskid: 552697b1-74a2-447e-82e3-b91fbd00ffd5
@@ -920,7 +907,7 @@ tasks:
 {
 "position": {
 "x": 450,
- "y": 1090
+ "y": 1050
 }
 }
 note: false
@@ -930,6 +917,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "38":
 id: "38"
 taskid: 8a88dc9c-389d-4921-8823-007c95668a85
@@ -977,6 +965,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "39":
 id: "39"
 taskid: be96971c-a3e8-40ba-835e-7377611fa914
@@ -1003,7 +992,7 @@ tasks:
 {
 "position": {
 "x": 450,
- "y": 170
+ "y": 200
 }
 }
 note: false
@@ -1013,6 +1002,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "41":
 id: "41"
 taskid: ecf81c42-9a73-4259-85c7-c79980821ba4
@@ -1048,7 +1038,7 @@ tasks:
 {
 "position": {
 "x": 450,
- "y": 540
+ "y": 580
 }
 }
 note: false
@@ -1058,6 +1048,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "42":
 id: "42"
 taskid: bb23a5df-1aa0-4129-860b-ae1f409e402b
@@ -1073,7 +1064,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "6"
+ - "37"
 scriptarguments:
 key:
 simple: CreatedIncidentID
@@ -1097,7 +1088,7 @@ tasks:
 {
 "position": {
 "x": 450,
- "y": 750
+ "y": 800
 }
 }
 note: false
@@ -1107,6 +1098,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "43":
 id: "43"
 taskid: 8c19619c-1fc3-4c8f-85e7-784091e8c335
@@ -1144,6 +1136,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "44":
 id: "44"
 taskid: 7f993d63-e21f-4bd6-85ae-33abb60e8126
@@ -1168,7 +1161,7 @@ tasks:
 {
 "position": {
 "x": 450,
- "y": 350
+ "y": 370
 }
 }
 note: false
@@ -1178,6 +1171,7 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ continueonerrortype: ""
 "45":
 id: "45"
 taskid: 3428bd12-1557-4c63-80f1-44f71a4665eb
@@ -1253,4 +1247,4 @@ inputs:
 outputs: []
 tests:
 - No tests (auto formatted)
-fromversion: 6.2.0
\ No newline at end of file
+fromversion: 6.2.0