diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment.yml index fa2b08d18a50..51f72a065cae 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment.yml +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment.yml @@ -5,15 +5,17 @@ description: |- Given an IP address, port, and protocol of a service, this playbook enriches on-prem integrations to find the related firewall rule and other related information. Conditions: - This is currently limited to standalone firewalls for PAN-OS. + - Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). + - !pan-os-security-policy-match fails if any firewall is disconnected (Panorama). + - Matching on different rules for different firewalls not supported (Panorama). starttaskid: "0" tasks: "0": id: "0" - taskid: bd09ee3f-c77e-461a-8574-958584097a38 + taskid: 4627b363-29d7-4351-880f-f69276a11174 type: start task: - id: bd09ee3f-c77e-461a-8574-958584097a38 + id: 4627b363-29d7-4351-880f-f69276a11174 version: -1 name: "" iscommand: false @@ -40,10 +42,10 @@ tasks: isautoswitchedtoquietmode: false "1": id: "1" - taskid: ed8d8371-d765-4cfb-8566-427b549811e0 + taskid: c495e804-5dcc-4474-84fc-29935ff3bb46 type: regular task: - id: ed8d8371-d765-4cfb-8566-427b549811e0 + id: c495e804-5dcc-4474-84fc-29935ff3bb46 version: -1 name: pan-os-show-device-version description: Show firewall device software version. 
@@ -72,10 +74,10 @@ tasks: isautoswitchedtoquietmode: false "2": id: "2" - taskid: 3f58a27a-4a30-44bb-81fb-dcbdc9928dce + taskid: 9ec49b1d-f3ef-4338-80d5-53f8c0388991 type: regular task: - id: 3f58a27a-4a30-44bb-81fb-dcbdc9928dce + id: 9ec49b1d-f3ef-4338-80d5-53f8c0388991 version: -1 name: pan-os-security-policy-match description: Checks whether a session matches a specified security policy. This command is only available on firewall instances. @@ -97,6 +99,7 @@ tasks: complex: root: inputs.RemoteProtocol transformers: + - operator: toUpperCase - operator: MapPattern args: algorithm: {} @@ -111,7 +114,7 @@ tasks: priority: {} wildcards: {} source: - simple: 1.1.1.1 + simple: 0.0.0.0 separatecontext: false continueonerrortype: "" view: |- @@ -130,13 +133,13 @@ tasks: isautoswitchedtoquietmode: false "4": id: "4" - taskid: 41495cf3-0a25-43e8-8b40-61c32fae2188 + taskid: e62a440c-57ac-4c93-8bb5-ef4e4ce71649 type: condition task: - id: 41495cf3-0a25-43e8-8b40-61c32fae2188 + id: e62a440c-57ac-4c93-8bb5-ef4e4ce71649 version: -1 - name: Was a match found? - description: Check if firewall rule information was found. + name: Was a match found that allows exposure traffic? + description: Check if firewall rule information was found (allow rules only). type: condition iscommand: false brand: "" @@ -158,6 +161,16 @@ tasks: iscontext: true right: value: {} + - - operator: isEqualString + left: + value: + complex: + root: Panorama.SecurityPolicyMatch.Rules + accessor: Action + iscontext: true + right: + value: + simple: allow continueonerrortype: "" view: |- { @@ -175,10 +188,10 @@ tasks: isautoswitchedtoquietmode: false "5": id: "5" - taskid: 0c34774e-809b-400e-8170-c7dca17efde3 + taskid: 0ed129bf-45cb-4997-82d0-f2838151a0f2 type: title task: - id: 0c34774e-809b-400e-8170-c7dca17efde3 + id: 0ed129bf-45cb-4997-82d0-f2838151a0f2 version: -1 name: Continue type: title 
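Review bot: The hard-coded `simple: 0.0.0.0` that hunk @@ -111,7 +114,7 @@ puts into the `source` argument of task 2's pan-os-security-policy-match is an unexplained magic value. A rule scoped to particular source addresses or zones cannot match an unroutable address, so only rules whose source covers it (typically `any`) will be reported, and nothing tells a reader whether that narrowing is intended or why 1.1.1.1 was dropped. Since this YAML is presumably exported by the platform and may not keep comments, record the rationale in the task description, e.g. `description: Checks whether a session matches a specified security policy. Source is fixed to 0.0.0.0 as a stand-in for an arbitrary internet address, so only rules whose source covers it (e.g. any) can match. This command is only available on firewall instances.` If the value needs to vary per deployment a playbook input would be cleaner; task 2's definition extends beyond this hunk.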
@@ -193,8 +206,8 @@ tasks: view: |- { "position": { - "x": 140, - "y": 1965 + "x": -350, + "y": 2535 } } note: false @@ -206,10 +219,10 @@ tasks: isautoswitchedtoquietmode: false "6": id: "6" - taskid: a32bee38-d5f2-41dd-868d-1d7b7aaebf73 + taskid: f5797d40-066e-4f19-84b1-8ae33501e28e type: condition task: - id: a32bee38-d5f2-41dd-868d-1d7b7aaebf73 + id: f5797d40-066e-4f19-84b1-8ae33501e28e version: -1 name: Is there a Panorama instance? description: Check if one of the integration instances is for a Panorama device. @@ -220,7 +233,7 @@ tasks: '#default#': - "8" "yes": - - "5" + - '30' separatecontext: false conditions: - label: "yes" @@ -252,10 +265,10 @@ tasks: isautoswitchedtoquietmode: false "8": id: "8" - taskid: 0455d8ba-b8b2-484c-8563-d8cc68f6e94b + taskid: e9f87bca-b353-4aa1-8f33-09145bf2cd38 type: regular task: - id: 0455d8ba-b8b2-484c-8563-d8cc68f6e94b + id: e9f87bca-b353-4aa1-8f33-09145bf2cd38 version: -1 name: pan-os-list-rules description: Returns a list of predefined Security Rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). @@ -271,13 +284,22 @@ tasks: complex: root: Panorama.SecurityPolicyMatch.Rules accessor: Name + filters: + - - operator: isEqualString + left: + value: + simple: Panorama.SecurityPolicyMatch.Rules.Action + iscontext: true + right: + value: + simple: allow separatecontext: false continueonerrortype: "" view: |- { "position": { - "x": 520, - "y": 1040 + "x": 300, + "y": 990 } } note: false @@ -289,10 +311,10 @@ tasks: isautoswitchedtoquietmode: false "9": id: "9" - taskid: c8e13ab6-9f8b-408e-8714-1b7c6ff12371 + taskid: 8869db45-0714-43e9-8dd2-3c4600729a7b type: regular task: - id: c8e13ab6-9f8b-408e-8714-1b7c6ff12371 + id: 8869db45-0714-43e9-8dd2-3c4600729a7b version: -1 name: Set system IDs grid field (type) description: Sets the type of cloud asset to the grid field for the ASM system IDs object. 
@@ -319,8 +341,8 @@ tasks: view: |- { "position": { - "x": 450, - "y": 1600 + "x": 440, + "y": 2270 } } note: false @@ -332,10 +354,10 @@ tasks: isautoswitchedtoquietmode: false "10": id: "10" - taskid: c8ad47b4-47ae-4062-827a-2f59bdb7a60d + taskid: a4d9354c-0d88-442e-84e6-732634431c1d type: regular task: - id: c8ad47b4-47ae-4062-827a-2f59bdb7a60d + id: a4d9354c-0d88-442e-84e6-732634431c1d version: -1 name: Set cloud grid field description: |- @@ -368,8 +390,8 @@ tasks: view: |- { "position": { - "x": 890, - "y": 1600 + "x": 880, + "y": 2290 } } note: false @@ -381,10 +403,10 @@ tasks: isautoswitchedtoquietmode: false "13": id: "13" - taskid: 00c3867d-cd18-4ebc-8088-8625090c75e0 + taskid: 55cb16b5-dffa-42bd-8d90-4d1b03d97d56 type: regular task: - id: 00c3867d-cd18-4ebc-8088-8625090c75e0 + id: 55cb16b5-dffa-42bd-8d90-4d1b03d97d56 version: -1 name: Set system IDs grid field (firewall rule name) description: Sets the type of cloud asset to the grid field for the ASM system IDs object. @@ -394,7 +416,7 @@ tasks: brand: Builtin nexttasks: '#none#': - - "14" + - '27' scriptarguments: gridfield: simple: asmsystemids @@ -413,8 +435,8 @@ tasks: view: |- { "position": { - "x": 450, - "y": 1775 + "x": 440, + "y": 2430 } } note: false @@ -426,10 +448,10 @@ tasks: isautoswitchedtoquietmode: false "14": id: "14" - taskid: f1503355-2fd3-4b09-813e-c92d690407ef + taskid: a8b9924f-da5a-4477-857a-1d8f9f0be0ae type: regular task: - id: f1503355-2fd3-4b09-813e-c92d690407ef + id: a8b9924f-da5a-4477-857a-1d8f9f0be0ae version: -1 name: Set true flag for completed enrichment description: Set a value in context under the key you entered. @@ -452,8 +474,8 @@ tasks: view: |- { "position": { - "x": 680, - "y": 1965 + "x": 660, + "y": 3165 } } note: false 
@@ -465,10 +487,10 @@ tasks: isautoswitchedtoquietmode: false "16": id: "16" - taskid: 92075ebf-888b-4860-8572-973b9dfb9fe1 + taskid: 7c841170-de87-483f-8a8f-bbfec49e4573 type: regular task: - id: 92075ebf-888b-4860-8572-973b9dfb9fe1 + id: 7c841170-de87-483f-8a8f-bbfec49e4573 version: -1 name: Set ASM enrichment status to true description: |- @@ -497,8 +519,8 @@ tasks: view: |- { "position": { - "x": 300, - "y": 2410 + "x": 280, + "y": 3610 } } note: false @@ -510,10 +532,10 @@ tasks: isautoswitchedtoquietmode: false "17": id: "17" - taskid: e79adc9f-a635-4f4c-86b2-b52642754674 + taskid: 7a3e239b-28b0-40cc-8a6c-c47d9cbe9380 type: condition task: - id: e79adc9f-a635-4f4c-86b2-b52642754674 + id: 7a3e239b-28b0-40cc-8a6c-c47d9cbe9380 version: -1 name: Was enrichment performed? description: Check if enrichment was performed by checking for a value of true in the relevant flag variable. @@ -540,8 +562,8 @@ tasks: view: |- { "position": { - "x": 510, - "y": 2180 + "x": 490, + "y": 3380 } } note: false @@ -553,10 +575,10 @@ tasks: isautoswitchedtoquietmode: false "18": id: "18" - taskid: 8917ebd4-8126-427e-8155-50f90998008d + taskid: ba489c19-e205-4184-86a2-5cc77c34f1f9 type: regular task: - id: 8917ebd4-8126-427e-8155-50f90998008d + id: ba489c19-e205-4184-86a2-5cc77c34f1f9 version: -1 name: Set ASM enrichment status to false description: |- @@ -585,8 +607,8 @@ tasks: view: |- { "position": { - "x": 720, - "y": 2410 + "x": 700, + "y": 3610 } } note: false @@ -598,10 +620,10 @@ tasks: isautoswitchedtoquietmode: false "19": id: "19" - taskid: 13f85251-5132-4eec-8782-ce70265faa10 + taskid: 41bdab6f-1603-4da9-8dc5-94bbe94c92ba type: title task: - id: 13f85251-5132-4eec-8782-ce70265faa10 + id: 41bdab6f-1603-4da9-8dc5-94bbe94c92ba version: -1 name: System IDs type: title @@ -616,8 +638,8 @@ tasks: view: |- { "position": { - "x": 450, - "y": 1450 + "x": 440, + "y": 2140 } } note: false 
@@ -629,10 +651,10 @@ tasks: isautoswitchedtoquietmode: false "20": id: "20" - taskid: 999d3593-60f6-4197-8bb2-700471f13857 + taskid: 9d98d3cc-f234-401f-874a-2002b0dcee46 type: title task: - id: 999d3593-60f6-4197-8bb2-700471f13857 + id: 9d98d3cc-f234-401f-874a-2002b0dcee46 version: -1 name: Cloud type: title @@ -647,8 +669,8 @@ tasks: view: |- { "position": { - "x": 890, - "y": 1450 + "x": 880, + "y": 2140 } } note: false @@ -660,10 +682,10 @@ tasks: isautoswitchedtoquietmode: false "21": id: "21" - taskid: 48c6852d-414f-4454-8d55-7ce2adec31f1 + taskid: fc836b11-f69a-4405-8f28-8e54eacfdd52 type: condition task: - id: 48c6852d-414f-4454-8d55-7ce2adec31f1 + id: fc836b11-f69a-4405-8f28-8e54eacfdd52 version: -1 name: Was rule information found? description: Check if firewall rule information was found. @@ -691,8 +713,8 @@ tasks: view: |- { "position": { - "x": 520, - "y": 1200 + "x": 500, + "y": 1900 } } note: false @@ -704,10 +726,10 @@ tasks: isautoswitchedtoquietmode: false "22": id: "22" - taskid: ff3d1155-2578-49a8-8057-f4b325fb141c + taskid: dbd0896a-ebbc-4b94-8541-564f9fdfd356 type: title task: - id: ff3d1155-2578-49a8-8057-f4b325fb141c + id: dbd0896a-ebbc-4b94-8541-564f9fdfd356 version: -1 name: Complete type: title @@ -719,8 +741,8 @@ tasks: view: |- { "position": { - "x": 520, - "y": 2640 + "x": 500, + "y": 3840 } } note: false @@ -732,10 +754,10 @@ tasks: isautoswitchedtoquietmode: false "24": id: "24" - taskid: e0061687-b532-4e7d-8951-bfd47cd72a2e + taskid: 826cad0a-611a-49dd-825e-f66d78e1cba1 type: condition task: - id: e0061687-b532-4e7d-8951-bfd47cd72a2e + id: 826cad0a-611a-49dd-825e-f66d78e1cba1 version: -1 name: Palo Alto Networks PAN-OS enabled? description: Check whether the PAN-OS integration is enabled. 
@@ -809,17 +831,548 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + '26': + id: '26' + taskid: 293893d7-56d7-43dc-872f-4681c30f9dc6 + type: regular + task: + id: 293893d7-56d7-43dc-872f-4681c30f9dc6 + version: -1 + name: Set system IDs grid field (device group) + description: Sets the type of cloud asset to the grid field for the ASM system IDs object. + scriptName: GridFieldSetup + type: regular + iscommand: false + brand: Builtin + nexttasks: + '#none#': + - '14' + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: FIREWALL-DEVICE-GROUP + val2: + complex: + root: Panorama.SecurityRule + accessor: Location + val3: + simple: n/a + separatecontext: false + continueonerrortype: '' + view: |- + { + "position": { + "x": 440, + "y": 2980 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '27': + id: '27' + taskid: 5eaf15c4-c5cc-4a9b-8ec2-c8a5c03b609f + type: condition + task: + id: 5eaf15c4-c5cc-4a9b-8ec2-c8a5c03b609f + version: -1 + name: Was there a device group in rule? + description: Check if firewall device group information was found. 
+ type: condition + iscommand: false + brand: '' + nexttasks: + '#default#': + - '14' + other device-group: + - '26' + shared device-group: + - '29' + separatecontext: false + conditions: + - label: other device-group + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: Panorama.SecurityRule + accessor: Location + iscontext: true + - - operator: isEqualString + left: + value: + complex: + root: PanoramaUsed + iscontext: true + right: + value: + simple: 'true' + - label: shared device-group + condition: + - - operator: isEqualString + left: + value: + complex: + root: PanoramaUsed + iscontext: true + right: + value: + simple: 'true' + continueonerrortype: '' + view: |- + { + "position": { + "x": 440, + "y": 2605 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '28': + id: '28' + taskid: 93180524-b691-45bc-8f43-2edae5dec1c1 + type: regular + task: + id: 93180524-b691-45bc-8f43-2edae5dec1c1 + version: -1 + name: Set temporary context (signify Panorama used) + description: Set a value in context under the key you entered. + scriptName: Set + type: regular + iscommand: false + brand: '' + nexttasks: + '#none#': + - '32' + scriptarguments: + key: + simple: PanoramaUsed + value: + simple: 'true' + separatecontext: false + continueonerrortype: '' + view: |- + { + "position": { + "x": 830, + "y": 1160 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '29': + id: '29' + taskid: 0490d2ba-549b-4968-89e4-95a28ade32f5 + type: regular + task: + id: 0490d2ba-549b-4968-89e4-95a28ade32f5 + version: -1 + name: Set system IDs grid field (device group) + description: Sets the type of cloud asset to the grid field for the ASM system IDs object. 
+ scriptName: GridFieldSetup + type: regular + iscommand: false + brand: Builtin + nexttasks: + '#none#': + - '34' + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: FIREWALL-DEVICE-GROUP + val2: + simple: shared + val3: + simple: n/a + separatecontext: false + continueonerrortype: '' + view: |- + { + "position": { + "x": 50, + "y": 2800 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '30': + id: '30' + taskid: 048f7537-fa3b-4c13-88d7-ddca9a825ab3 + type: regular + task: + id: 048f7537-fa3b-4c13-88d7-ddca9a825ab3 + version: -1 + name: pan-os-platform-get-device-groups + description: Gets the operational information of the device groups in the topology. (Only device groups with associated devices will be listed by this command). + script: Panorama|||pan-os-platform-get-device-groups + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '28' + separatecontext: false + continueonerrortype: '' + view: |- + { + "position": { + "x": 830, + "y": 1000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '32': + id: '32' + taskid: 26b88096-38cb-49cb-8a46-3631ac412d21 + type: regular + task: + id: 26b88096-38cb-49cb-8a46-3631ac412d21 + version: -1 + name: Set temporary context (secondary device-groups) + description: Set a value in context under the key you entered. 
+ scriptName: Set + type: regular + iscommand: false + brand: '' + nexttasks: + '#none#': + - '33' + - '35' + scriptarguments: + key: + simple: SecondaryDG + value: + complex: + root: PANOS.DeviceGroupOp + filters: + - - operator: in + left: + value: + simple: PANOS.DeviceGroupOp.serial + iscontext: true + right: + value: + simple: Panorama.SecurityPolicyMatch.Device.Serial + iscontext: true + accessor: name + separatecontext: false + continueonerrortype: '' + view: |- + { + "position": { + "x": 830, + "y": 1320 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '33': + id: '33' + taskid: 068e20a0-f298-40b4-8416-8948c9d7235f + type: regular + task: + id: 068e20a0-f298-40b4-8416-8948c9d7235f + version: -1 + name: pan-os-list-rules (device-groups pre-rulebase) + description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). 
+ script: Panorama|||pan-os-list-rules + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '36' + scriptarguments: + device-group: + complex: + root: SecondaryDG + pre_post: + simple: pre-rulebase + rulename: + complex: + root: Panorama.SecurityPolicyMatch.Rules + filters: + - - operator: isEqualString + left: + value: + simple: Panorama.SecurityPolicyMatch.Rules.Action + iscontext: true + right: + value: + simple: allow + accessor: Name + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 830, + "y": 1485 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '34': + id: '34' + taskid: deb936be-a71d-4539-8d88-ef3d4fb1c065 + type: regular + task: + id: deb936be-a71d-4539-8d88-ef3d4fb1c065 + version: -1 + name: Set system IDs grid field (secondary device group) + description: Sets the type of cloud asset to the grid field for the ASM system IDs object. + scriptName: GridFieldSetup + type: regular + iscommand: false + brand: Builtin + nexttasks: + '#none#': + - '14' + scriptarguments: + gridfield: + simple: asmsystemids + keys: + simple: type,id,link + val1: + simple: FIREWALL-SECONDARY-DEVICE-GROUP + val2: + complex: + root: SecondaryDG + val3: + simple: n/a + separatecontext: false + continueonerrortype: '' + view: |- + { + "position": { + "x": 50, + "y": 2980 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '35': + id: '35' + taskid: b0ecff52-f5b6-45da-8281-d3defc49d5d5 + type: regular + task: + id: b0ecff52-f5b6-45da-8281-d3defc49d5d5 + version: -1 + name: 'pan-os-list-rules (device-groups post-rulebase) ' + description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. 
Make sure the query includes all the filters you want). + script: Panorama|||pan-os-list-rules + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '37' + scriptarguments: + device-group: + complex: + root: SecondaryDG + pre_post: + simple: post-rulebase + rulename: + complex: + root: Panorama.SecurityPolicyMatch.Rules + filters: + - - operator: isEqualString + left: + value: + simple: Panorama.SecurityPolicyMatch.Rules.Action + iscontext: true + right: + value: + simple: allow + accessor: Name + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 1260, + "y": 1495 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '36': + id: '36' + taskid: 4a269433-06d1-48c9-843f-db146da7e06c + type: regular + task: + id: 4a269433-06d1-48c9-843f-db146da7e06c + version: -1 + name: pan-os-list-rules (shared pre-rulebase) + description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). 
+ script: Panorama|||pan-os-list-rules + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '21' + scriptarguments: + device-group: + simple: shared + pre_post: + simple: pre-rulebase + rulename: + complex: + root: Panorama.SecurityPolicyMatch.Rules + filters: + - - operator: isEqualString + left: + value: + simple: Panorama.SecurityPolicyMatch.Rules.Action + iscontext: true + right: + value: + simple: allow + accessor: Name + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 830, + "y": 1675 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '37': + id: '37' + taskid: 7b99a59a-e4e5-4bb1-8c5a-f93b6efe60d9 + type: regular + task: + id: 7b99a59a-e4e5-4bb1-8c5a-f93b6efe60d9 + version: -1 + name: pan-os-list-rules (shared post-rulebase) + description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). 
+ script: Panorama|||pan-os-list-rules + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '21' + scriptarguments: + device-group: + simple: shared + pre_post: + simple: post-rulebase + rulename: + complex: + root: Panorama.SecurityPolicyMatch.Rules + filters: + - - operator: isEqualString + left: + value: + simple: Panorama.SecurityPolicyMatch.Rules.Action + iscontext: true + right: + value: + simple: allow + accessor: Name + transformers: + - operator: uniq + separatecontext: false + continueonerror: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 1260, + "y": 1675 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false view: |- { "linkLabelsPosition": { - "4_5_#default#": 0.39, - "6_5_yes": 0.22 + "21_5_#default#": 0.33, + "24_5_#default#": 0.68, + "4_5_#default#": 0.19 }, "paper": { "dimensions": { - "height": 2865, - "width": 1130, - "x": 140, + "height": 4065, + "width": 1990, + "x": -350, "y": -160 } } @@ -852,4 +1405,6 @@ inputs: outputs: [] tests: - No tests (auto formatted) -fromversion: 6.8.0 +fromversion: 6.8.0 +contentitemexportablefields: + contentitemfields: {} diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment_README.md index 364b30d05816..91f55eb3f090 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment_README.md +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Enrichment_README.md 
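Review bot: Task 28 writes `PanoramaUsed: 'true'` and task 32 writes `SecondaryDG` into shared context (`separatecontext: false`), nothing in the hunk ever clears them, and task 27 routes on that flag alone for its `shared device-group` label. If this playbook runs a second time against the same context after a Panorama run (a re-run, or another alert handled in the same incident), a standalone-firewall path that never passes task 28 would presumably still take the Panorama branch in task 27 and record `FIREWALL-DEVICE-GROUP` as `shared`; a DeleteContext step for `PanoramaUsed` and `SecondaryDG` at the start of the playbook or ahead of task 14 would close that. Separately, tasks 26, 29 and 34 keep the copied description `Sets the type of cloud asset to the grid field for the ASM system IDs object.` although they record the device group, and 26 and 29 share the name `Set system IDs grid field (device group)`; naming task 29 `Set system IDs grid field (shared device group)` and describing all three as setting the Panorama device group of the matched rule would make the graph readable.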
@@ -1,7 +1,9 @@ Given an IP address, port, and protocol of a service, this playbook enriches on-prem integrations to find the related firewall rule and other related information. Conditions: -This is currently limited to standalone firewalls for PAN-OS. +- Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). +- !pan-os-security-policy-match fails if any firewall is disconnected (Panorama). +- Matching on different rules for different firewalls not supported (Panorama). ## Dependencies @@ -22,8 +24,9 @@ This playbook does not use any sub-playbooks. ### Commands -* pan-os-list-rules * pan-os-security-policy-match +* pan-os-platform-get-device-groups +* pan-os-list-rules * pan-os-show-device-version ## Playbook Inputs diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation.yml index d22d4022e38f..eb08baafc3bb 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation.yml +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation.yml @@ -5,15 +5,17 @@ description: |- This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures. Conditions: - This is currently limited to stand-alone firewalls for PAN-OS. + - Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). + - Multiple rules with the same name in different device-groups not supported (Panorama). + - !pan-os-list-services will fail if there are no services in a specific device-group (Panorama). starttaskid: "0" tasks: "0": id: "0" - taskid: d31ed4f9-0882-4ce6-86d4-a68c1e4eec34 + taskid: 573237c6-7130-41ce-8653-2294f0b6ac94 type: start task: - id: d31ed4f9-0882-4ce6-86d4-a68c1e4eec34 + id: 573237c6-7130-41ce-8653-2294f0b6ac94 version: -1 name: "" iscommand: false 
@@ -21,14 +23,14 @@ tasks: description: '' nexttasks: '#none#': - - "1" + - '5' separatecontext: false continueonerrortype: "" view: |- { "position": { "x": 460, - "y": -140 + "y": -460 } } note: false @@ -40,10 +42,10 @@ tasks: isautoswitchedtoquietmode: false "1": id: "1" - taskid: d2aa5e89-700a-42fb-88a9-40f887476577 + taskid: 22c135e5-6fc0-4464-87da-f8c0ae25220b type: regular task: - id: d2aa5e89-700a-42fb-88a9-40f887476577 + id: 22c135e5-6fc0-4464-87da-f8c0ae25220b version: -1 name: pan-os-list-rules description: Returns a list of predefined Security Rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). @@ -53,7 +55,7 @@ tasks: brand: Panorama nexttasks: '#none#': - - "2" + - '8' scriptarguments: rulename: complex: @@ -64,7 +66,7 @@ tasks: { "position": { "x": 460, - "y": 10 + "y": -140 } } note: false @@ -74,15 +76,16 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false + continueonerror: true "2": id: "2" - taskid: 712db883-230a-4a69-83db-53391b6b80f2 + taskid: 6db7e419-5848-487b-8eba-03db46a125bc type: playbook task: - id: 712db883-230a-4a69-83db-53391b6b80f2 + id: 6db7e419-5848-487b-8eba-03db46a125bc version: -1 name: PAN-OS - Block Destination Service - description: This playbook blocks a destination IP and service (TCP or UDP port) by creating a rule for a specific device group on PAN-OS. + description: 'This playbook blocks a destination IP and service (TCP or UDP port) by creating a rule for a specific device group on PAN-OS. ' playbookName: PAN-OS - Block Destination Service type: playbook iscommand: false @@ -124,6 +127,12 @@ tasks: accessor: From WhereRule: simple: top + DeviceGroup: + complex: + root: inputs.DeviceGroup + SecondaryDeviceGroup: + complex: + root: inputs.SecondaryDeviceGroup separatecontext: true continueonerrortype: "" loop: @@ -135,7 +144,7 @@ tasks: { "position": { "x": 460, - "y": 190 + "y": 400 } } note: false 
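Review bot: `continueonerror: true` is added to task 1's pan-os-list-rules in hunk @@ -74,15 +76,16 @@, and the new tasks 6 and 7 in the following hunk carry the same flag, but the only consumer of the result is task 8, whose default branch on an empty `Panorama.SecurityRule.Name` goes straight to the Complete title. A lookup that fails (unreachable Panorama, wrong device group) is therefore indistinguishable from a rule that does not exist: no block rule is created, the error is swallowed, and the playbook finishes normally with `outputs: []`. For a remediation playbook that is the risky direction; the default branch of task 8 should at least set a context flag or playbook output (the enrichment playbook does this with its enrichment-status tasks) so the caller can tell nothing was blocked, and the descriptions of tasks 1, 6 and 7 should say that command errors are tolerated. Task 1's definition starts before this hunk.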
@@ -147,10 +156,10 @@ tasks:
 isautoswitchedtoquietmode: false
 "4":
 id: "4"
- taskid: 933a2a81-89cf-47c9-8901-07fb3ab8bbb8
+ taskid: d74fd530-00ae-4377-8dbf-8681f4a7a605
 type: title
 task:
- id: 933a2a81-89cf-47c9-8901-07fb3ab8bbb8
+ id: d74fd530-00ae-4377-8dbf-8681f4a7a605
 version: -1
 name: Complete
 type: title
@@ -163,7 +172,176 @@ tasks: { "position": { "x": 460, - "y": 360 + "y": 590 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '5': + id: '5' + taskid: 58615c42-a7f4-4159-8412-b7095c9854c0 + type: condition + task: + id: 58615c42-a7f4-4159-8412-b7095c9854c0 + version: -1 + name: Is DeviceGroup specified? + description: Checks if DeviceGroup input is specified because of different !pan-os-list-rule commands for standalone firewall vs Panorama. + type: condition + iscommand: false + brand: '' + nexttasks: + '#default#': + - '1' + yes: + - '6' + separatecontext: false + conditions: + - label: yes + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.DeviceGroup + iscontext: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 460, + "y": -340 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '6': + id: '6' + taskid: 54b86def-75f3-4fe8-8779-4fbec1d42728 + type: regular + task: + id: 54b86def-75f3-4fe8-8779-4fbec1d42728 + version: -1 + name: pan-os-list-rules (pre-rulebase) + description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). 
+ script: Panorama|||pan-os-list-rules + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '7' + scriptarguments: + device-group: + complex: + root: inputs.DeviceGroup + pre_post: + simple: pre-rulebase + rulename: + complex: + root: inputs.RuleName + separatecontext: false + continueonerror: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 890, + "y": -140 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '7': + id: '7' + taskid: a918e4e4-2ea8-4d70-883d-5265ce5be25d + type: regular + task: + id: a918e4e4-2ea8-4d70-883d-5265ce5be25d + version: -1 + name: pan-os-list-rules (post-rulebase) + description: Returns a list of predefined security rules. (When passing a query, all other arguments are overridden. Make sure the query includes all the filters you want). + script: Panorama|||pan-os-list-rules + type: regular + iscommand: true + brand: Panorama + nexttasks: + '#none#': + - '8' + scriptarguments: + device-group: + complex: + root: inputs.DeviceGroup + pre_post: + simple: post-rulebase + rulename: + complex: + root: inputs.RuleName + separatecontext: false + continueonerror: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 890, + "y": 20 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + '8': + id: '8' + taskid: c9013687-cd7c-4bf3-8c8b-89c45aa03d07 + type: condition + task: + id: c9013687-cd7c-4bf3-8c8b-89c45aa03d07 + version: -1 + name: Was rule information found? + description: Check if firewall rule information was found. 
+ type: condition + iscommand: false + brand: '' + nexttasks: + '#default#': + - '4' + yes: + - '2' + separatecontext: false + conditions: + - label: yes + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: Panorama.SecurityRule + accessor: Name + iscontext: true + continueonerrortype: '' + view: |- + { + "position": { + "x": 460, + "y": 190 } } note: false @@ -178,10 +356,10 @@ view: |- "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 565, - "width": 380, + "height": 1115, + "width": 810, "x": 460, - "y": -140 + "y": -460 } } } @@ -215,7 +393,19 @@ inputs: required: true description: Port number of the service. playbookInputQuery: +- key: DeviceGroup + value: {} + required: false + description: Device group of the firewall rule to lookup. + playbookInputQuery: +- key: SecondaryDeviceGroup + value: {} + required: false + description: If the rule, address and service are created in the "Shared" location, we need to know what device groups we can push to because it isn't possible to push to the "Shared" location. + playbookInputQuery: outputs: [] tests: - No tests (auto formatted) fromversion: 6.8.0 +contentitemexportablefields: + contentitemfields: {} diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation_README.md index c117fbd35c23..db5dc7f78dd7 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation_README.md +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_On_Prem_Remediation_README.md 
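Review bot: The `yes` key under `nexttasks` in task 5 and its `label: yes` are unquoted, and task 8 repeats both; under a YAML 1.1 loader these parse as the boolean `true`, so the branch key and the label would no longer be the string `yes`. The existing condition tasks in this pack quote it (`"yes":` and `label: "yes"` in the enrichment playbook's task 6), so the new tasks should follow suit: `'yes':` and `label: 'yes'` in both tasks. Which YAML version the platform's loader applies cannot be seen from here, but quoting removes the dependency either way.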
@@ -1,7 +1,9 @@ This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures. Conditions: -This is currently limited to stand-alone firewalls for PAN-OS. +- Multiple integration instances configured at the same time are not supported (Panorama or standalone NGFW). +- Multiple rules with the same name in different device-groups not supported (Panorama). +- !pan-os-list-services will fail if there are no services in a specific device-group (Panorama). ## Dependencies @@ -33,6 +35,8 @@ This playbook does not use any scripts. | RemoteIP | IP address of the service. | alert.remoteip | Required | | RemoteProtocol | Protocol of the service. | alert.appid | Required | | RemotePort | Port number of the service. | alert.remoteport | Required | +| DeviceGroup | Device group of the firewall rule to lookup. | | Optional | +| SecondaryDeviceGroup | If the rule, address and service are created in the "Shared" location, we need to know what device-groups we can push to because it isn't possible to push to the "Shared" location. | | Optional | ## Playbook Outputs diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml index 35f01351ed16..a6d8614d48af 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml 
@@ -2,24 +2,24 @@ id: Cortex ASM - Remediation version: -1 name: Cortex ASM - Remediation description: This playbook contains all the cloud provider sub playbooks for remediation. -starttaskid: "0" +starttaskid: '0' tasks: - "0": - id: "0" - taskid: 794ea566-5909-4619-868b-a0c9b134442d + '0': + id: '0' + taskid: 51f75382-1305-4354-8979-49a204553bbd type: start task: - id: 794ea566-5909-4619-868b-a0c9b134442d + id: 51f75382-1305-4354-8979-49a204553bbd version: -1 - name: "" + name: '' iscommand: false - brand: "" + brand: '' description: '' nexttasks: '#none#': - - "3" + - '3' separatecontext: false - continueonerrortype: "" + continueonerrortype: '' view: |- { "position": { @@ -34,31 +34,31 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "3": - id: "3" - taskid: a00d76e7-a156-4f93-8856-22ecae005068 + '3': + id: '3' + taskid: d2a675b7-aab6-4178-827f-689b608a0cd0 type: condition task: - id: a00d76e7-a156-4f93-8856-22ecae005068 + id: d2a675b7-aab6-4178-827f-689b608a0cd0 version: -1 name: What provider is this service? description: Determines which cloud provider the service is in order to direct to the correct enrichment. type: condition iscommand: false - brand: "" + brand: '' nexttasks: '#default#': - - "4" + - '4' AWS: - - "10" - GCP: - - "9" + - '10' Azure: - - "6" - Unclaimed S3 Bucket: - - "7" + - '6' + GCP: + - '9' On Prem: - '12' + Unclaimed S3 Bucket: + - '7' separatecontext: false conditions: - label: AWS @@ -127,7 +127,7 @@ tasks: right: value: simple: On Prem - continueonerrortype: "" + continueonerrortype: '' view: |- { "position": { 
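Review bot: Nearly all of this hunk, and the hunks for the `Completed`, `AWS - Unclaimed S3 Bucket Remediation`, `AWS - Security Group Remediation v2`, `GCP - Firewall Remediation` and `Is AWSAssumeRoleName Input defined?` tasks further down, are re-quoting `"0"` to `'0'` and regenerating task ids, which buries the one functional change to this file (the new arguments on the `Cortex ASM - On Prem Remediation` task) in formatting noise. If the quote style comes from a formatter run, landing it as its own commit would keep this one reviewable. The `nexttasks` key reorder in `What provider is this service?` is harmless, since mapping order carries no meaning there.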
@@ -142,20 +142,20 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "4": - id: "4" - taskid: a636a097-e2f4-402a-8332-32ca089f03d8 + '4': + id: '4' + taskid: ae695e07-cbca-4f09-8b68-cffb4378a93d type: title task: - id: a636a097-e2f4-402a-8332-32ca089f03d8 + id: ae695e07-cbca-4f09-8b68-cffb4378a93d version: -1 name: Completed type: title iscommand: false - brand: "" + brand: '' description: '' separatecontext: false - continueonerrortype: "" + continueonerrortype: '' view: |- { "position": { 
@@ -170,29 +170,22 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "6": - id: "6" - taskid: 139354b7-aeae-458a-8c6c-0ec55d135d46 + '6': + id: '6' + taskid: c510a13b-9767-4f1f-807a-3ab0e5651644 type: playbook task: - id: 139354b7-aeae-458a-8c6c-0ec55d135d46 + id: c510a13b-9767-4f1f-807a-3ab0e5651644 version: -1 name: Azure - Network Security Group Remediation - description: |- - This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet ([using the private IP of the VM as stated in Azure documentation](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allows traffic from private IP address and blocks the rest of the RDP traffic. - - Conditions and limitations: - - Limited to one resource group. - - 200 Azure rules viewed at once to find the offending rule. - - 2 priorities lower than the offending rule priority must be available. - - Adds rules to NSGs associated to NICs. + description: "This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet ([using the private IP of the VM as stated in Azure documentation](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)). 
For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allows traffic from private IP address and blocks the rest of the RDP traffic.\n\nConditions and limitations:\n- Limited to one resource group.\n- 200 Azure rules viewed at once to find the offending rule.\n- 2 priorities lower than the offending rule priority must be available.\n- Adds rules to NSGs associated to NICs." playbookName: Azure - Network Security Group Remediation type: playbook iscommand: false - brand: "" + brand: '' nexttasks: '#none#': - - "4" + - '4' scriptarguments: AzureSecurityGroup: complex: @@ -234,10 +227,10 @@ tasks: root: alert accessor: protocol separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 view: |- @@ -254,22 +247,22 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "7": - id: "7" - taskid: 9a8816b4-03c2-4195-8ce3-b0b86c7c9d1a + '7': + id: '7' + taskid: bf0705bb-bdd5-4ba7-808a-e735b2396319 type: playbook task: - id: 9a8816b4-03c2-4195-8ce3-b0b86c7c9d1a + id: bf0705bb-bdd5-4ba7-808a-e735b2396319 version: -1 name: AWS - Unclaimed S3 Bucket Remediation description: The playbook will create the unclaimed S3 bucket. playbookName: AWS - Unclaimed S3 Bucket Remediation type: playbook iscommand: false - brand: "" + brand: '' nexttasks: '#none#': - - "4" + - '4' scriptarguments: S3BucketName: complex: @@ -285,10 +278,10 @@ tasks: simple: S3-BucketName accessor: id separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 view: |- 
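Review bot: The `description` of the `Azure - Network Security Group Remediation` task is rewritten from a `|-` block scalar into a single double-quoted line with embedded `\n\n` escapes, which is the opposite of what this same file does for every `view:` field (those move from escaped strings to `|-`). The block form is equivalent and reads and diffs better; keep `description: |-` with the paragraph and the four "Conditions and limitations" bullets on their own lines. The remainder of this hunk and the `AWS - Unclaimed S3 Bucket Remediation` hunk are quote-style changes only.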
@@ -305,22 +298,22 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "8": - id: "8" - taskid: 250db32f-08b9-4ba4-85cb-97eb57c873fd + '8': + id: '8' + taskid: 00322392-5990-499f-8924-dca8422cb81e type: playbook task: - id: 250db32f-08b9-4ba4-85cb-97eb57c873fd + id: 00322392-5990-499f-8924-dca8422cb81e version: -1 name: AWS - Security Group Remediation v2 description: This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4. playbookName: AWS - Security Group Remediation v2 type: playbook iscommand: false - brand: "" + brand: '' nexttasks: '#none#': - - "4" + - '4' scriptarguments: InstanceID: complex: @@ -356,13 +349,19 @@ tasks: transformers: - operator: FirstArrayElement separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": -30,\n \"y\": 680\n }\n}" + view: |- + { + "position": { + "x": -30, + "y": 680 + } + } note: false timertriggers: [] ignoreworker: false 
@@ -370,22 +369,22 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "9": - id: "9" - taskid: b7e49418-8047-4b8d-88b8-51fd2401be05 + '9': + id: '9' + taskid: c99909d1-19d5-4bdd-8e05-b65991ee850c type: playbook task: - id: b7e49418-8047-4b8d-88b8-51fd2401be05 + id: c99909d1-19d5-4bdd-8e05-b65991ee850c version: -1 name: GCP - Firewall Remediation playbookName: GCP - Firewall Remediation type: playbook iscommand: false - brand: "" + brand: '' description: '' nexttasks: '#none#': - - "4" + - '4' scriptarguments: GcpInstance: complex: @@ -441,10 +440,10 @@ tasks: root: alert accessor: protocol separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 0 view: |- @@ -461,26 +460,26 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "10": - id: "10" - taskid: bdbc79b2-528b-4a9a-80de-742695e5c6c8 + '10': + id: '10' + taskid: 244da719-dd83-4ef4-801a-5e009d79259a type: condition task: - id: bdbc79b2-528b-4a9a-80de-742695e5c6c8 + id: 244da719-dd83-4ef4-801a-5e009d79259a version: -1 name: Is AWSAssumeRoleName Input defined? description: Determines which cloud provider the service is in order to direct to the correct enrichment. type: condition iscommand: false - brand: "" + brand: '' nexttasks: '#default#': - - "8" - "yes": - - "11" + - '8' + yes: + - '11' separatecontext: false conditions: - - label: "yes" + - label: yes condition: - - operator: isNotEmpty left: @@ -488,8 +487,14 @@ tasks: complex: root: inputs.AWSAssumeRoleName iscontext: true - continueonerrortype: "" - view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 450\n }\n}" + continueonerrortype: '' + view: |- + { + "position": { + "x": -210, + "y": 450 + } + } note: false timertriggers: [] ignoreworker: false 
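Review bot: In the `Is AWSAssumeRoleName Input defined?` task the quoted `"yes":` branch key and `label: "yes"` become bare `yes`, which a YAML 1.1 loader (PyYAML's default) reads as the boolean `true` rather than the string the condition label is matched against; the new condition task added to Cortex_ASM_-_On_Prem_Remediation.yml earlier in this diff has the same unquoted `yes:` and `label: yes`. The rest of the file still quotes strings such as `'#default#'` and `'4'`, so the bare form is inconsistent as well as risky. Restore `'yes':` and `label: 'yes'` in both files unless the content loader is confirmed to use YAML 1.2 semantics, in which case a comment saying so would stop the next formatter run from re-quoting it.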
@@ -497,22 +502,22 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false - "11": - id: "11" - taskid: c2207b16-2040-497b-8c11-a1ead1f33bf7 + '11': + id: '11' + taskid: 0efa486c-40f7-440f-8ff2-fd9202e5f5a7 type: playbook task: - id: c2207b16-2040-497b-8c11-a1ead1f33bf7 + id: 0efa486c-40f7-440f-8ff2-fd9202e5f5a7 version: -1 name: AWS - Security Group Remediation v2 description: This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4. playbookName: AWS - Security Group Remediation v2 type: playbook iscommand: false - brand: "" + brand: '' nexttasks: '#none#': - - "4" + - '4' scriptarguments: AWSAssumeArn: complex: @@ -569,13 +574,19 @@ tasks: transformers: - operator: FirstArrayElement separatecontext: true - continueonerrortype: "" + continueonerrortype: '' loop: iscommand: false - exitCondition: "" + exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": -460,\n \"y\": 680\n }\n}" + view: |- + { + "position": { + "x": -460, + "y": 680 + } + } note: false timertriggers: [] ignoreworker: false 
@@ -585,21 +596,34 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: 2c0d5957-47db-4aea-8327-99cbea225660 + taskid: 1787656d-ba63-465a-8f31-b8dfa60fe177 type: playbook task: - id: 2c0d5957-47db-4aea-8327-99cbea225660 + id: 1787656d-ba63-465a-8f31-b8dfa60fe177 version: -1 name: Cortex ASM - On Prem Remediation + description: "This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures.\n\nConditions:\nThis is currently limited to stand-alone firewalls for PAN-OS." playbookName: Cortex ASM - On Prem Remediation type: playbook iscommand: false brand: '' - description: '' nexttasks: '#none#': - '4' scriptarguments: + DeviceGroup: + complex: + root: alert.asmsystemids + filters: + - - operator: isEqualString + left: + value: + simple: alert.asmsystemids.type + iscontext: true + right: + value: + simple: FIREWALL-DEVICE-GROUP + accessor: id RemoteIP: complex: root: alert @@ -627,6 +651,19 @@ tasks: value: simple: FIREWALL-RULE-NAME accessor: id + SecondaryDeviceGroup: + complex: + root: alert.asmsystemids + filters: + - - operator: isEqualString + left: + value: + simple: alert.asmsystemids.type + iscontext: true + right: + value: + simple: FIREWALL-SECONDARY-DEVICE-GROUP + accessor: id separatecontext: true continueonerrortype: '' loop: @@ -634,7 +671,13 @@ tasks: exitCondition: '' wait: 1 max: 100 - view: "{\n \"position\": {\n \"x\": 1520,\n \"y\": 420\n }\n}" + view: |- + { + "position": { + "x": 1520, + "y": 420 + } + } note: false timertriggers: [] ignoreworker: false 
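Review bot: The `description` added to the `Cortex ASM - On Prem Remediation` task still states "This is currently limited to stand-alone firewalls for PAN-OS.", but this same commit replaces that condition in the sub-playbook's README with Panorama limitations and wires the new `DeviceGroup` and `SecondaryDeviceGroup` arguments for exactly that case, so the text is stale on arrival. Either copy the updated conditions (multiple instances unsupported, duplicate rule names across device-groups unsupported, `!pan-os-list-services` failing on an empty device-group) or keep only `description: This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures.` and let the sub-playbook carry the detail. The two new `alert.asmsystemids` filters mirror the existing FIREWALL-RULE-NAME lookup and look consistent.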
@@ -642,7 +685,18 @@ tasks: quietmode: 0 isoversize: false isautoswitchedtoquietmode: false -view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 875,\n \"width\": 2360,\n \"x\": -460,\n \"y\": 50\n }\n }\n}" +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 875, + "width": 2360, + "x": -460, + "y": 50 + } + } + } inputs: - key: AWSAssumeRoleName value: {} @@ -650,6 +704,6 @@ inputs: description: If assuming roles for AWS, this is the name of the role to assume (should be the same for all organizations) playbookInputQuery: outputs: [] +fromversion: 6.5.0 tests: - No tests (auto formatted) -fromversion: 6.5.0 diff --git a/Packs/CortexAttackSurfaceManagement/README.md b/Packs/CortexAttackSurfaceManagement/README.md index 6ac65967ea34..1c324854091b 100644 --- a/Packs/CortexAttackSurfaceManagement/README.md +++ b/Packs/CortexAttackSurfaceManagement/README.md @@ -48,7 +48,7 @@ Automated remediation is only possible when the right conditions are met. These - AWS EC2 Instance - Azure Compute Instance - GCP Compute Engine (VM) - - On Prem asset protect with Palo Alto Networks Firewall + - On-prem asset protected with a Palo Alto Networks Firewall - Service owner information found through one of the following: - AWS IAM - Azure IAM @@ -137,7 +137,7 @@ A playbook that utilizes the Remediation Confirmation Scan service to check for A playbook that is used to send email notifications to service owners to notify them of their internet exposures. -![Cortex ASM - Email Notification](https://raw.githubusercontent.com/demisto/content/94341532ed2e30cb0c5fb3235ef10b4411c8337c/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Email_Notification.png) +![Cortex ASM - Email Notification](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Email_Notification.png) #### Cortex ASM - Enrichment 
@@ -155,19 +155,19 @@ A playbook that given the IP address enriches GCP information relevant to ASM al A playbook that is used to create Jira tickets directed toward service owners to notify them of their internet exposures. -![Cortex ASM - Jira Notification](https://raw.githubusercontent.com/demisto/content/94341532ed2e30cb0c5fb3235ef10b4411c8337c/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Jira_Notification.png) +![Cortex ASM - Jira Notification](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Jira_Notification.png) #### Cortex ASM - On Prem Enrichment A playbook that given an IP address, port, and protocol of a service, enriches using on-prem integrations to find the related firewall rule and other related information. -![Cortex ASM - On Prem Enrichment](https://raw.githubusercontent.com/demisto/content/8eb2a558a040e76040191456fd707f102cb16647/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Enrichment.png) +![Cortex ASM - On Prem Enrichment](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Enrichment.png) #### Cortex ASM - On Prem Remediation A playbook that adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures. -![Cortex ASM - On Prem Remediation](https://raw.githubusercontent.com/demisto/content/8eb2a558a040e76040191456fd707f102cb16647/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Remediation.png) +![Cortex ASM - On Prem Remediation](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Remediation.png) #### Cortex ASM - Prisma Cloud Enrichment 
@@ -203,7 +203,7 @@ A playbook that pulls remediation guidance off of a list based on ASM RuleID to A playbook that populates the remediation objectives field that is used to display the remediation actions to the end user. -![Cortex ASM - Remediation Objectives](https://raw.githubusercontent.com/demisto/content/5f71853b59431ca60b1b783867b89f819accfefd/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Remediation_Objectives.png) +![Cortex ASM - Remediation Objectives](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Remediation_Objectives.png) #### Cortex ASM - Remediation Path Rules @@ -233,7 +233,7 @@ A playbook that given the IP address enriches ServiceNow CMDB information releva A playbook that is used to create ServiceNow tickets directed toward service owners to notify them of their internet exposures. -![Cortex ASM - ServiceNow Notification](https://raw.githubusercontent.com/demisto/content/94341532ed2e30cb0c5fb3235ef10b4411c8337c/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_ServiceNow_Notification.png) +![Cortex ASM - ServiceNow Notification](https://raw.githubusercontent.com/demisto/content/master/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_ServiceNow_Notification.png) #### Cortex ASM - Splunk Enrichment diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_5.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_5.md new file mode 100644 index 000000000000..fa4afba5458b --- /dev/null +++ b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_5.md 
@@ -0,0 +1,16 @@ + +#### Playbooks + +##### Cortex ASM - Remediation + +Added new inputs for the **Cortex ASM - On Prem Remediation** playbook. + +##### Cortex ASM - On Prem Enrichment + +Playbook now supports collecting information on offending rules in Panorama. + +##### Cortex ASM - On Prem Remediation + +Added the following inputs to support blocking internet exposures via Panorama: + - *DeviceGroup* - Device group of the firewall rule to lookup. + - *SecondaryDeviceGroup* - If the rule, address and service are created in the "Shared" location, we need to know what device-groups we can push to because it isn't possible to push to the "Shared" location. \ No newline at end of file diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Enrichment.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Enrichment.png index b347ecd5ad6b..318be025a003 100644 Binary files a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Enrichment.png and b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Enrichment.png differ diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Remediation.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Remediation.png index 9efbec4a4a7a..b283191f7751 100644 Binary files a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Remediation.png and b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_On_Prem_Remediation.png differ diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json index ed27fc2c9d51..f158e013789d 100644 --- a/Packs/CortexAttackSurfaceManagement/pack_metadata.json +++ b/Packs/CortexAttackSurfaceManagement/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Cortex Attack Surface Management", "description": "Content for working with Attack Surface Management (ASM).", "support": "xsoar", - "currentVersion": "1.7.4", + "currentVersion": "1.7.5", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",