Xsiam-remote-psexec-lolbin-command-execution-playbook (demisto#31748)
* Replacing the deprecated sub-playbook within the 'NGFW Internal Scan'… (#31197)

* Replacing the deprecated sub-playbook within the 'NGFW Internal Scan' XSIAM playbook

* RN

* [Marketplace Contribution] CISO Metrics (#30641) (#31213)

* "pack contribution initial commit"

* Update pack_metadata.json

* Update and rename dashboard-98f353a2-312b-49f2-8e58-d71f60daf3a7-CISO_Metrics.json to dashboard-98f353a2-312b-49f2-8e58-d71f60daf3a7-CommunityCommonDashboards.json

Rename to CommunityCommonDashboards

* Update pack_metadata.json

Renamed "name": "CommunityCommonDashboards"

* Update README.md

Added description

* Update README.md

* Update and rename README.md to README.md

* Rename dashboard-98f353a2-312b-49f2-8e58-d71f60daf3a7-CommunityCommonDashboards.json to dashboard-98f353a2-312b-49f2-8e58-d71f60daf3a7-CommunityCommonDashboards.json

* Rename .pack-ignore to .pack-ignore

* Rename .secrets-ignore to .secrets-ignore

* Rename pack_metadata.json to pack_metadata.json

* Update .pack-ignore

* Update pack_metadata.json

* Update .pack-ignore

* Update and rename dashboard-98f353a2-312b-49f2-8e58-d71f60daf3a7-CommunityCommonDashboards.json to CISOMetrics.json

Renamed to CISOMetrics

* Update pack_metadata.json

* Update pack_metadata.json

* Update README.md

---------

Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com>
Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
Co-authored-by: David Uhrlaub <90627446+rurhrlaub@users.noreply.github.com>

* Cybereason xsoar v 2.1.14 (#30647) (#31225)

* added v2.1.14 codebase

* fix pr comments

* replace dummy md5 placeholder

* Update Packs/Cybereason/Integrations/Cybereason/Cybereason.py



* updated docker image python version

* updated release notes docker version

* added pagination params

* updated docker image

* fix lint errors

* fix demisto validate errors

* updated release notes

* updated release notes

* updated release notes

* updated command name as per PR comment

* removed manual filtering for response

* updated function name to match the command name format

* updated unit test as per new command name

* added machinename filter to api query

* moved empty output message to the top

* updated docker image tag to latest

* undo changes from unisolate endpoint playbook

---------

Co-authored-by: suraj-metron <87964764+suraj-metron@users.noreply.github.com>
Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>

* fixed polling support (#30873)

* fixed polling support

* fixed rn

* added rn

* added rn

* XSUP-30786/Fix (#31168)

* Added failing UT

* Fixed the issue

* Updated docker image

* Updated RN

* Update Packs/PAN-OS/ReleaseNotes/2_1_15.md

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* Updated the bug fix and the UT

* updated docker image

---------

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* rewrite to js FirstArrayElement and LastArrayElement (#31228)

* rewrite to js

* added tpb

* added empty test case to tpb

* precommit fixes

* change fromversion so build wont fail

* Enable Core REST API with general XSIAM endpoints (#31226)

* mostly works

* added release notes

* fixes from review

* F5 APM fixed the marketplace build failure (#31236)

* F5 APM Remove XSIAM tags

* fix marketplace error

* Add incidents field (#30393) (#31233)

* add rawJSON field to incidents

* release notes

* update docker image tag

* nit

* fetching incident details

* mapper + incident fields

* remove incorrect incident field files

* new incident field files, new mapper

* sdk validate command changes

* update release notes

* validation errors

* fix validation errors

* undo release notes changes

* undo release notes change

* undo release notes

* undo release notes

* undo release notes

* nit

* new release notes

* remove playbook id

* update docker image tag

* revert release notes

* revert RN

* nit- remove filters used for testing

* add details field to threats

* remove try/except blocks

* changing version

* Update Abnormal_Security_Custom_Incident_types.json change from version

* nit - remove changes used for demo

* updating docker image

* update docker image tag

---------

Co-authored-by: William Olyslager <wolyslager@abnormalsecurity.com>
Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com>
Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>

* Update Docker Image To demisto/python3  (#31242)

* Updated Metadata Of Pack CIRCL

* Added release notes to pack CIRCL

* Packs/CIRCL/Integrations/CirclCVESearch/CirclCVESearch.yml Docker image update

* Updated Metadata Of Pack ipinfo

* Added release notes to pack ipinfo

* Packs/ipinfo/Integrations/ipinfo_v2/ipinfo_v2.yml Docker image update

* Updated Metadata Of Pack AutoFocus

* Added release notes to pack AutoFocus

* Packs/AutoFocus/Integrations/FeedAutofocus/FeedAutofocus.yml Docker image update

* Packs/AutoFocus/Integrations/AutofocusV2/AutofocusV2.yml Docker image update

* Updated Metadata Of Pack MailSenderNew

* Added release notes to pack MailSenderNew

* Packs/MailSenderNew/Integrations/MailSenderNew/MailSenderNew.yml Docker image update

* avoid to update Docker for AutoFocusv2

---------

Co-authored-by: israelpolishook <ipolishuk@paloaltonetworks.com>

* Fixes For 'IP Enrichment - Generic v2' Playbook (#31183)

* Fixes For 'IP Enrichment - Generic v2' Playbook

* RN

* RN

* Updated the 'InternalRange' playbook input's default value.

* configured the 'extended_data' and 'threat_model_association' sub-playbook inputs

* Bump pack from version CommonPlaybooks to 2.4.36.

* Bump pack from version CommonPlaybooks to 2.4.37.

* changed the default value of the 'ResolveIP' playbook input

* re-added RN after merging from master

* Fixes RN

---------

Co-authored-by: Content Bot <bot@demisto.com>

* Check if should run Instance role (#31245)

* Added the sync from the saas bucket and modified the verify script to take the revision from the correct bucket. (#31254)

* AWS Organizations (#30525)

* init

* commands template

* aws-org-children-list

* more commands

* even more commands

* added account commands

* removed enhancement commands

* use json_transform

* unit-tests init

* unit-tests continued

* unit-tests continued some more

* TPB

* one more unit-test

* one more unit-test

* one more unit-test

* name change

* TPB

* docs complete

* pack readme

* pack readme part 2

* readme modified

* more tests

* more tests

* use get()

* added description

* removed isFetch

* added image

* name change

* CR changes

* Apply suggestions from code review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update docker

* put the commands back in

* code complete

* yml part 2

* yml part 3

* test template

* unit-tests continued some more

* unit-tests almost complete

* unit-tests complete

* fixed a few bugs

* fixed unit-tests

* added readme

* update readme

* added missing descriptions to readme

* TPB

* Apply suggestions from code review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* CR changes

* demo changes

* update docker

* build wars: round 1

* build wars: round 2

* build wars: round 3; add unit-tests

* build wars: round 4

* build wars: round 5

* build wars: round 6

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* NextToken in CommandResults (#30501)

* init

* new design

* added error in case of non nested input

* RN

* a tad more docs

* Bump pack from version Base to 1.32.47.

* Bump pack from version Base to 1.32.48.

* Bump pack from version Base to 1.32.49.

* improved doc-string

* resolve conflicts

* resolve conflicts

* Bump pack from version Base to 1.32.52.

---------

Co-authored-by: Content Bot <bot@demisto.com>

* demisto-sdk-release 1.24.0 (#31268)

* poetry files

* update validate manager imports (#31179)

* update validate manager imports

* revert

* Update Tests/configure_and_test_integration_instances.py

* Edit file types test (#31170)

* edited tests

* s

* s

* edit

---------

Co-authored-by: Content Bot <bot@demisto.com>
Co-authored-by: Yuval Hayun <70104171+YuvHayun@users.noreply.github.com>
Co-authored-by: merit-maita <49760643+merit-maita@users.noreply.github.com>
Co-authored-by: JudithB <132264628+jbabazadeh@users.noreply.github.com>

* modified modeling rules of clearswift dlp (#31247)

* modified modeling rules of clearswift dlp

* modified the parsing rule of clearswiftdlp

* Added release notes.

* added dlp to pack ignore

* added Clearswift to pack ignore

* QRadar: continue to poll in case of networking issues (#31084)

* Generalize the mode option in pre-commit (#30663)

* args updated to match the update in the sdk

* add merge-coverage-report and coverage-analyze

* updating pyproject.toml

* poetry lock

* restoring pyproject.toml and poetry.lock

* pre-commit.yml

* updates

* test comment

* use sdk ref

* if

* add github output

* revert ilan changes

* merge-pytest-reports

---------

Co-authored-by: ilan <ierukhimovic@paloaltonetworks.com>

* EXPANDR-1576 CortexXpanse Remediation Guidance changes (#31190)

* EXPANDR-1576 CortexXpanse Remediation Guidance changes (#30712)

* CortexXpanse RG changes

* Fix flake8 errors

* Fix unit test cases

* Update docker version

* update command name

* Readme updates

* docker update

* Ignore BC error

* fix packignore

* Update release notes

* update breaking change notes

* update breaking change notes

* correct RN

---------

Co-authored-by: Chait A <112722030+capanw@users.noreply.github.com>
Co-authored-by: ilappe <ilappe@paloaltonetworks.com>

* Feature/cyberint enhancement (#31252)

* Feature/cyberint enhancement (#30493)

* Update Docker Image To demisto/py3-tools  (#25523)

* Updated Metadata Of Pack FeedAWS

* Added release notes to pack FeedAWS

* Packs/FeedAWS/Integrations/FeedAWS/FeedAWS.yml Docker image update

* update Cyberint Pack

* update release note and incidentfields

* update CommonType release note

* update CommonType release notes

* update CommonType release notes

* update CyberInt Related entity name

* update release notes

* add new incident field: Alert Data

* format alert_data

* update CyberInt Related Entity name to avoid validation errors

* reset the CyberInt Related Entity name

* update incident field name

* Update 3_3_93.md

* pre commit update docker

* added known words

* fixed the RN

* known words

---------

Co-authored-by: TalGumi <101499620+TalGumi@users.noreply.github.com>
Co-authored-by: omerKarkKatz <95565843+omerKarkKatz@users.noreply.github.com>
Co-authored-by: okarkkatz <okarkkatz@paloaltonetworks.com>

* [xsoar-8 coverage] - use poll functions from SDK clients (#31144)

* update poetry

* use poll functions

* test against builds

* try to fix ssl issue

* timeout = 300 + verify ssl

* fix ssl issues

* fix incident pull

* fix

* make verify=false by default

* fix ports bug

* use sdk master

* revert poetry

* revert infra used for testing

* [CrowdStrike Falcon Intel v2] Fixed an issue in 'cs-actors' and 'cs-reports' commands (#31265)

* Fix the 'NoneType' object is not iterable issue

* ruff

* Update the docker image; Add RN

* Update Packs/CrowdStrikeIntel/ReleaseNotes/2_0_34.md

Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com>

---------

Co-authored-by: Dean Arbel <darbel@paloaltonetworks.com>

* oncall- installation orders (#31253)

* test

* test

* revert debugs

* pre-commit

---------

Co-authored-by: Jas Beilin <jgranot@paloaltonetworks.com>

* Core rest api docs fix (#31262)

* Improved descriptions.

* Added docs

* Added rn.

* Changed i.e to e.g

* bugfix/XSUP-30713/port-scan-pb-issue-incident-failure (#31154)

* Fix playbook input's default value, change to not required, add check for value not empty

* Update playbook image

* Update release notes

* Bump pack from version CortexXDR to 6.0.5.

* Moved InternalIPRanges input check to better location

* Fix review comments

---------

Co-authored-by: Content Bot <bot@demisto.com>

* [PagerDuty v2] Added Support For Pagination (#30959)

* commit init - lint and type annotation

* typing

* pagination function and some typing

* fix api limit and pagination

* added UT and test_data

* added RN and description for args

* generate readme

* update docker

* added UT

* fix flake8

* more docstring, one more UT, fix send unnecessary parameters

* fix f-string

* fix pep8

* revert copy

* fix parameters name

* docs review

* update docker

* [ASM] EXPANDR 7225 - Update Ev1 Integration Display Name (#31234) (#31276)

* Update Display Name

* Update release notes

* Update docker image and add period to descriptions

Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com>
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>

* Update Docker Image To demisto/python3  (#31286)

* Updated Metadata Of Pack QualysFIM

* Added release notes to pack QualysFIM

* Packs/QualysFIM/Integrations/QualysFIM/QualysFIM.yml Docker image update

* Updated Metadata Of Pack FortiSIEM

* Added release notes to pack FortiSIEM

* Packs/FortiSIEM/Integrations/FortiSIEMV2/FortiSIEMV2.yml Docker image update

* Updated Metadata Of Pack FreshworksFreshservice

* Added release notes to pack FreshworksFreshservice

* Packs/FreshworksFreshservice/Integrations/FreshworksFreshservice/FreshworksFreshservice.yml Docker image update

* Updated Metadata Of Pack KnowBe4_KMSAT

* Added release notes to pack KnowBe4_KMSAT

* Packs/KnowBe4_KMSAT/Integrations/KnowBe4KMSATEventCollector/KnowBe4KMSATEventCollector.yml Docker image update

* Packs/KnowBe4_KMSAT/Integrations/KnowBe4KMSAT/KnowBe4KMSAT.yml Docker image update

* Updated Metadata Of Pack SafeNet_Trusted_Access

* Added release notes to pack SafeNet_Trusted_Access

* Packs/SafeNet_Trusted_Access/Integrations/SafeNetTrustedAccessEventCollector/SafeNetTrustedAccessEventCollector.yml Docker image update

* Updated Metadata Of Pack DelineaSS

* Added release notes to pack DelineaSS

* Packs/DelineaSS/Integrations/DelineaSS/DelineaSS.yml Docker image update

* Updated Metadata Of Pack Cryptocurrency

* Added release notes to pack Cryptocurrency

* Packs/Cryptocurrency/Integrations/Cryptocurrency/Cryptocurrency.yml Docker image update

* Updated Metadata Of Pack PANOSPolicyOptimizer

* Added release notes to pack PANOSPolicyOptimizer

* Packs/PANOSPolicyOptimizer/Integrations/PANOSPolicyOptimizer/PANOSPolicyOptimizer.yml Docker image update

* Updated Metadata Of Pack DeveloperTools

* Added release notes to pack DeveloperTools

* Packs/DeveloperTools/Integrations/CreateIncidents/CreateIncidents.yml Docker image update

* Add XSOAR_SAAS section to EDL description (#31264)

* add XSOAR_SAAS section to EDL description

* update RN

* [XSUP 30575] Added full fields query param (#31272)

* get indicators full fields data

* pre-commit

* release notes

* tests and CR fixes

* Update Packs/FeedCrowdstrikeFalconIntel/ReleaseNotes/2_1_13.md

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

---------

Co-authored-by: Dan Tavori <38749041+dantavori@users.noreply.github.com>

* Update Docker Image To demisto/boto3py3  (#31287)

* Updated Metadata Of Pack SecurityIntelligenceServicesFeed

* Added release notes to pack SecurityIntelligenceServicesFeed

* Packs/SecurityIntelligenceServicesFeed/Integrations/SecurityIntelligenceServicesFeed/SecurityIntelligenceServicesFeed.yml Docker image update

* Updated Metadata Of Pack AWS-IAM

* Added release notes to pack AWS-IAM

* Packs/AWS-IAM/Integrations/AWS-IAM/AWS-IAM.yml Docker image update

* Updated Metadata Of Pack AWS-Route53

* Added release notes to pack AWS-Route53

* Packs/AWS-Route53/Integrations/AWSRoute53/AWSRoute53.yml Docker image update

* Updated Metadata Of Pack AWS-AccessAnalyzer

* Added release notes to pack AWS-AccessAnalyzer

* Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml Docker image update

* Updated Metadata Of Pack AWS-GuardDuty

* Added release notes to pack AWS-GuardDuty

* Packs/AWS-GuardDuty/Integrations/AWSGuardDutyEventCollector/AWSGuardDutyEventCollector.yml Docker image update

* Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml Docker image update

* Updated Metadata Of Pack AWS-SecurityHub

* Added release notes to pack AWS-SecurityHub

* Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml Docker image update

* Updated Metadata Of Pack Aws-SecretsManager

* Added release notes to pack Aws-SecretsManager

* Packs/Aws-SecretsManager/Integrations/AwsSecretsManager/AwsSecretsManager.yml Docker image update

* Update Docker Image To demisto/accessdata  (#31288)

* Updated Metadata Of Pack Exterro

* Added release notes to pack Exterro

* Packs/Exterro/Integrations/Exterro/Exterro.yml Docker image update

* Update Docker Image To demisto/oci  (#31290)

* Updated Metadata Of Pack OracleCloudInfrastructure

* Added release notes to pack OracleCloudInfrastructure

* Packs/OracleCloudInfrastructure/Integrations/OracleCloudInfrastructureEventCollector/OracleCloudInfrastructureEventCollector.yml Docker image update

* Update Docker Image To demisto/py3-tools  (#31289)

* Updated Metadata Of Pack Intezer

* Added release notes to pack Intezer

* Packs/Intezer/Integrations/IntezerV2/IntezerV2.yml Docker image update

* Updated Metadata Of Pack Zabbix

* Added release notes to pack Zabbix

* Packs/Zabbix/Integrations/Zabbix/Zabbix.yml Docker image update

* Updated Metadata Of Pack FeedMalwareBazaar

* Added release notes to pack FeedMalwareBazaar

* Packs/FeedMalwareBazaar/Integrations/MalwareBazaarFeed/MalwareBazaarFeed.yml Docker image update

* Updated Metadata Of Pack FeedGCPWhitelist

* Added release notes to pack FeedGCPWhitelist

* Packs/FeedGCPWhitelist/Integrations/FeedGoogleIPRanges/FeedGoogleIPRanges.yml Docker image update

* Updated Metadata Of Pack AccentureCTI_Feed

* Added release notes to pack AccentureCTI_Feed

* Packs/AccentureCTI_Feed/Integrations/ACTIIndicatorFeed/ACTIIndicatorFeed.yml Docker image update

* Updated Metadata Of Pack SEKOIAIntelligenceCenter

* Added release notes to pack SEKOIAIntelligenceCenter

* Packs/SEKOIAIntelligenceCenter/Integrations/SEKOIAIntelligenceCenter/SEKOIAIntelligenceCenter.yml Docker image update

* Updated Metadata Of Pack JARM

* Added release notes to pack JARM

* Packs/JARM/Integrations/JARM/JARM.yml Docker image update

* Updated Metadata Of Pack Anomali_ThreatStream

* Added release notes to pack Anomali_ThreatStream

* Packs/Anomali_ThreatStream/Integrations/AnomaliThreatStreamv3/AnomaliThreatStreamv3.yml Docker image update

* Updated Metadata Of Pack CommonWidgets

* Added release notes to pack CommonWidgets

* Packs/CommonWidgets/Scripts/RSSWidget/RSSWidget.yml Docker image update

* Updated Metadata Of Pack FiltersAndTransformers

* Added release notes to pack FiltersAndTransformers

* Packs/FiltersAndTransformers/Scripts/Jmespath/Jmespath.yml Docker image update

* Update Docker Image To demisto/armorblox  (#31291)

* Updated Metadata Of Pack Armorblox

* Added release notes to pack Armorblox

* Packs/Armorblox/Integrations/Armorblox/Armorblox.yml Docker image update

* Update Docker Image To demisto/crypto  (#31292)

* Updated Metadata Of Pack AzureKeyVault

* Added release notes to pack AzureKeyVault

* Packs/AzureKeyVault/Integrations/AzureKeyVault/AzureKeyVault.yml Docker image update

* Updated Metadata Of Pack AzureSentinel

* Added release notes to pack AzureSentinel

* Packs/AzureSentinel/Integrations/AzureSentinel/AzureSentinel.yml Docker image update

* Updated Metadata Of Pack AzureDevOps

* Added release notes to pack AzureDevOps

* Packs/AzureDevOps/Integrations/AzureDevOps/AzureDevOps.yml Docker image update

* Updated Metadata Of Pack MicrosoftCloudAppSecurity

* Added release notes to pack MicrosoftCloudAppSecurity

* Packs/MicrosoftCloudAppSecurity/Integrations/MicrosoftCloudAppSecurity/MicrosoftCloudAppSecurity.yml Docker image update

* Updated Metadata Of Pack AzureRiskyUsers

* Added release notes to pack AzureRiskyUsers

* Packs/AzureRiskyUsers/Integrations/AzureRiskyUsers/AzureRiskyUsers.yml Docker image update

* Updated Metadata Of Pack MicrosoftGraphGroups

* Added release notes to pack MicrosoftGraphGroups

* Packs/MicrosoftGraphGroups/Integrations/MicrosoftGraphGroups/MicrosoftGraphGroups.yml Docker image update

* Updated Metadata Of Pack AzureSQLManagement

* Added release notes to pack AzureSQLManagement

* Packs/AzureSQLManagement/Integrations/AzureSQLManagement/AzureSQLManagement.yml Docker image update

* Updated Metadata Of Pack MicrosoftGraphAPI

* Added release notes to pack MicrosoftGraphAPI

* Packs/MicrosoftGraphAPI/Integrations/MicrosoftGraphAPI/MicrosoftGraphAPI.yml Docker image update

* Updated Metadata Of Pack MicrosoftTeams

* Added release notes to pack MicrosoftTeams

* Packs/MicrosoftTeams/Integrations/MicrosoftTeamsManagement/MicrosoftTeamsManagement.yml Docker image update

* Updated Metadata Of Pack MicrosoftGraphApplications

* Added release notes to pack MicrosoftGraphApplications

* Packs/MicrosoftGraphApplications/Integrations/MicrosoftGraphApplications/MicrosoftGraphApplications.yml Docker image update

* Update Docker Image To demisto/sixgill  (#31293)

* Updated Metadata Of Pack Cybersixgill-ActionableAlerts

* Added release notes to pack Cybersixgill-ActionableAlerts

* Packs/Cybersixgill-ActionableAlerts/Integrations/CybersixgillActionableAlerts/CybersixgillActionableAlerts.yml Docker image update

* Updated Metadata Of Pack Sixgill-Darkfeed

* Added release notes to pack Sixgill-Darkfeed

* Packs/Sixgill-Darkfeed/Integrations/Sixgill_Darkfeed_Enrichment/Sixgill_Darkfeed_Enrichment.yml Docker image update

* Packs/Sixgill-Darkfeed/Integrations/Sixgill_Darkfeed/Sixgill_Darkfeed.yml Docker image update

* Update Docker Image To demisto/carbon-black-cloud  (#31295)

* Updated Metadata Of Pack CarbonBlackDefense

* Added release notes to pack CarbonBlackDefense

* Packs/CarbonBlackDefense/Integrations/CarbonBlackLiveResponseCloud/CarbonBlackLiveResponseCloud.yml Docker image update

* Update Docker Image To demisto/taxii2  (#31294)

* Updated Metadata Of Pack FeedDHS

* Added release notes to pack FeedDHS

* Packs/FeedDHS/Integrations/DHSFeedV2/DHSFeedV2.yml Docker image update

* Updated Metadata Of Pack FeedUnit42v2

* Added release notes to pack FeedUnit42v2

* Packs/FeedUnit42v2/Integrations/FeedUnit42v2/FeedUnit42v2.yml Docker image update

* MS IIS Update2 (#31256)

* Updated MicrosoftIISWebServerModelingRules_1_3

* Updated ModelingRules filters

* Updated ModelingRules filters

* Updated ReleaseNotes

* Updated ReleaseNotes

* CrowdStrikeFalconX-genreic-polling (#31189)

* old playbooks deprecated and new one added

* readme file edited

* set the interval from the inputs

* fixes for release notes

* added extensions to known words

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/ReleaseNotes/1_2_37.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/ReleaseNotes/1_2_37.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/ReleaseNotes/1_2_37.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/ReleaseNotes/1_2_37.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_File_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* minor fixes for description

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CrowdStrikeFalconX/Playbooks/Detonate_URL_-_CrowdStrike_Falcon_Intelligence_Sandbox_v2.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Add Symantec MSS to ignored items (#31296)

* [XSUP 30870] Added full fields option for cs-actors and cs-reports commands (#31271)

* Added the display_full_fields argument

* pre-commit

* release notes

* tests and CR fixes

* resolve conflict

* pre-commit

* CR fixes

* docker

* pre-commit

* add myself as codeowner (#31314)

* ORKL Feed Integration 1.0.0 Initial Release (#31166)

* ORKL Feed Integration 1.0.0 Initial Release (#31101)

Co-authored-by: Martin Ohl <Martin.Ohl@ohl-net.eu>

* [VirusTotal] Add suspicious threshold (#31220)

* [VirusTotal] Add suspicious threshold (#31021)

* fixing CimTrak_test.py unit tests (#31308)

fixing CimTrak_test.py unit tests #31308

* Add new command and bug fix. (#31311)

* Anomali ThreatStream v3 - Fix threatstream-get-indicators command (#31269)

* fix get_indicators method

* update RN

* update docker

* update test

* update test

* update get_indicators method

* update RN

* Update Packs/Anomali_ThreatStream/ReleaseNotes/2_2_9.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* update docker

* update docker

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* SentinelOne v2: Add 2 new commands (#31312)

* fixing jira file attachments (#31297)

fixing jira file attachments, fixing mapping of newly created tickets #31297

* CiscoSMA Update (#31315)

* Updated ModelingRules

* Updated ReleaseNotes

* Updated ReleaseNotes

* updated docs (#31192)

* updated docs

* running pre-commit and docker

* docker update

* Apply suggestions from code review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* remove package-lock file

* cr note

* Update Packs/MicrosoftGraphDeviceManagement/ReleaseNotes/1_1_20.md

Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com>

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com>

* Fix an issue when there is only one incident in fetch_incidents powershell (#31267)

* added -AsArray

* updated the docker image and added .

* RN

* unit tests and docker image

* rn

* docker image and release notes

* Update Packs/Base/ReleaseNotes/1_32_53.md

Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com>

* updated the unit tests

---------

Co-authored-by: EyalPintzov <91007713+eyalpalo@users.noreply.github.com>

* Get Entity Alerts by MITRE Tactics - Performance Improvements (Refactor) (#31232)

* Added playbooks

* New playbooks images, formatted playbooks, and added RN

* Updated pb image to be in light mode

* Further improvements to playbooks, updated docs, and updated playbook images

* Bump pack from version CortexXDR to 6.0.6.

* Changed alert to incident to fix validation

* Descriptions

---------

Co-authored-by: Content Bot <bot@demisto.com>

* fix for sdk nightly e2e tests (#31310)

* [qradar-v3] - handle connection errors (#31246)

* [qradar-v3] - handle connection errors

* add uts

* bump rn

* remove irrelevant imports

* update code

* timeout = 300

* bump rn

* update implementation

* docker image

* fixes

* remove imports

* rn

* update debug-message

* update log

* fix docker-image

* fix ut

* oncall-sdk-nightly-create-xsoar-instance (#31300)


* overwrite the filter env file

* remove space

* remove print

* Update .gitlab/ci/.gitlab-ci.on-push.yml

Co-authored-by: Koby Meir <kobymeir@users.noreply.github.com>

---------

Co-authored-by: Koby Meir <kobymeir@users.noreply.github.com>

* [ASM] - EXPANDER 7238 - Jira Playbook Support for V2 and V3 Project Key (#31273) (#31322)

* Add support V2 and V3, remove default project key

- Add data collection task for customer
- Leave Jira Project Key input as blank
- Add support for project key passed into Jira V2 and V3 integrations

* Add release notes

* Update Playbook ReadMe

* Add task description

* Update release notes

Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com>
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>

* Support contributions when the name of the repo isn't content (#31320)

* update handle_external_pr.py

* set repo_name arg as optional

* Oncall sdk nightly create xsoar instance (#31324)

Oncall sdk nightly create xsoar instance #31324

* CIAC-4556/xdr-remote-psexec-lolbin-command-execution-playbook (#29092)

* Add playbook and readme files

* Add updated files

* Add playbook image

* Update release notes

* Fix validation error

* Bump pack from version CortexXDR to 5.1.0.

* Bump pack from version CortexXDR to 5.2.0.

* Bump pack from version CortexXDR to 5.2.0.

* Bump pack from version CortexXDR to 5.2.0.

* Add CommandLine verdict to layout

* Update according to demo review comments

* Bump pack from version CortexXDR to 5.2.0.

* Bump pack from version CortexXDR to 5.2.0.

* Add field for cmd line verdict

* Update layout

* Fix review comments

* Update from master

* Update Packs/CortexXDR/ReleaseNotes/5_2_0.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/ReleaseNotes/5_2_0.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert_README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Fix review comments and validations

* Apply suggestions from code review

Fix docs review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Fix review comments

* Remove duplicate task for alert details, update playbook image

* Fix skipifunavailable validations and update release notes

* Fix review comments

* Update release notes

* Update release notes

* Bump pack from version CortexXDR to 5.2.0.

* Fix review comments

* Update release notes

* Bump pack from version CortexXDR to 5.2.2.

* Bump pack from version CortexXDR to 5.2.3.

* Fix review comments

* Fix validation error

* Fix validation errors

* Update release notes

* Fix conflicts

* removed already added incident field

* Update release notes

* Fix validation errors

* Fix validation errors

* revert file changes

* Fix validation errors

* Fix validation errors

* Bump pack from version CortexXDR to 6.0.4.

* Fix review comments

* Fix review comments

* Update to correct playbook image

* Bump pack from version CortexXDR to 6.0.5.

* Update 6_0_5.md

* Update release notes

* Update 6_0_5.md

* Bump pack from version CortexXDR to 6.0.7.

* Fix precommit errors

---------

Co-authored-by: Content Bot <bot@demisto.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update README.md (#31299)

* Last Mirrored New Field & Qradar fix (#31251)

* add field

* Bump pack from version CommonTypes to 3.3.95.

* fix

* review fix

---------

Co-authored-by: Content Bot <bot@demisto.com>

* Update native candidate to py3-native:8.4.0.82817 (#31319)

* SplunkPy missing incidents (#30783)

* Used exclusion of even ids

* Reverted changes in unit tests

* Fixed unbound issue

* Added last fetched notables

* Added potential solution

* Comments in UTs

* Added UTs

* Added UTs with explanation

* Added RNs

* Fixed UTs and updated how we exclude ids

* Fixed conflicts

* Fixed CR

* Fixed conflicts

* Updated docker image

* Fixed pre-commit in test file

* Removed second pytest

* Fixed comments in test file

* MATI - Supporting multiple inputs for generic enrichment commands (#30940) (#31334)

* Supporting multiple inputs for generic enrichment commands

* Return list of CommandResults

* Re-adding rawJSON

* Bumping docker version

* Release Notes

* Tests

* Tests

* Adding details to contexts

* Fixing tests

* Bumping docker

* Bumping docker

* Fixing spacing

* Fixing spacing

* Fixing fetch

---------

Co-authored-by: Christopher Hultin <chrishultin@google.com>
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>

* [Cortex Data Lake] Update the Docker Image (#31337)

* Support Threat Assessment functionality in MS Graph Security (#30110)

* added yml and the first command in code

* added commands

* added to description in yml

* added readme for first command

* added readme to second command

* added third command to readme

* added url command to readme

* added list command to readme

* added tests files

* minor edits

* added unittests

* added unittest

* updated docker image

* added rn

* edited readme

* edit

* fixed lint errors

* fixed validation errors

* fixed rn

* edits precommits errors

* fixed unittest for test auth code

* edited tpb

* added unittests

* to revert some of these changes

* update after doc review

* added unittests

* removed checking server version in CSP

* updated docker image

* added rn

* Bump pack from version Base to 1.32.41.

* reverted changes for csp

* reverted changes

* deleted rn

* added fromversion field

* added unittest

* updated for pre commit

* updated for pre commit

* edits after build failed

* removed file

* edits

* added the tpb

* fixed tpb

* edited the list command

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/ReleaseNotes/2_2_5.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Update Packs/MicrosoftGraphSecurity/Integrations/MicrosoftGraphSecurity/MicrosoftGraphSecurity.yml

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* updated docker image

* edited after build failed

* reverted changes

* updated do

* added arg

* added rn

* updated docker image

* edit

* edits after cr

* updated do

* edited the get user call

* checked the 2 other commands

* edited yml

* updated do

* edited test

* removed comments

* updated do

* edit

* edit

---------

Co-authored-by: Content Bot <bot@demisto.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* incident field helloworld onprem (#31340)

* update ParseEmailFilesV2 to 0.1.19 (#31331)

* update Docker image and added bcc

* update rn

* update tests

* Update Packs/CommonScripts/ReleaseNotes/1_12_55.md

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

---------

Co-authored-by: Shahaf Ben Yakir <44666568+ShahafBenYakir@users.noreply.github.com>

* update readme (#31343)

* [CommonServer.js] Update emailRegex (#31148)

change email regex

* Ciac 3790/add auto determine LDAP vendor (#31124)

* Added auto determine LDAP vendor

* Added test and RN

* fix lint and rn

* added to readme

* docker

* changed default vendor param to auto

* [Versa Director] Update response data formats (#31327)

* Remove accept: application/xml from get requests

* Remove redundant get() from request responses

* Update UTs

* Release notes; pre-commit updates

* Update UTs; Revert relevant get() functions

* Revert relevant get() functions

* Fix syntax error

* Update Packs/VersaDirector/ReleaseNotes/1_0_7.md

Co-authored-by: Jasmine Beilin <71636766+JasBeilin@users.noreply.github.com>

* Update 1_0_7.md

---------

Co-authored-by: Jasmine Beilin <71636766+JasBeilin@users.noreply.github.com>

* Replace LastMirroredInTime incident field with Last Mirrored Time Stamp incident field in QRadar (#31281)

* add field

* Last Mirrored Time Stamp

* fix unrelated release notes

* RN

* docker image and release notes

* rn

* rn

* docker image and release notes

* RN

* updates

* update

* unit tests for the script

* update rn and bc

* docstring for the unit tests

---------

Co-authored-by: arikday <aday@paloaltonetworks.com>
Co-authored-by: ArikDay <115150768+ArikDay@users.noreply.github.com>

* Tessian integration setup (#31350)

* Tessian integration setup (#31028)

* revert package-lock.json

---------

Co-authored-by: NicBunn-PlutoFlume <112942358+NicBunn-PlutoFlume@users.noreply.github.com>
Co-authored-by: adi88d <adaud@paloaltonetworks.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>

* Kiteworks Modeling CIAC-6377 (#31230)

* init-pack

* parsing-rules

* json-format-modeling

* README.md

* modeling-rules

* refactor-modeling-rules

* fix-modeling-rules-issues

* single-line-format-modeling

* activity-group-type-modeling

* refactor-modeling-rules

* refactor-modeling-rules

* Update Packs/Kiteworks/README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* refactor-modeling-rules

* refactor-modeling-rules

* modeling-rules-json-fix

* modeling-rules-json-refactor

* modeling-rules-remove-unused-field

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Prisma SASE - Quarantine Host With Active Threat  (#31346)

* New playbook for Prisma SASE

* update RN

* update RN

* update playbook description

* update playbook readme

* Apply suggestions from code review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* update RN

* update playbook readme

* update RN

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Symantec web security service pack long running (#30990)

* first commit

* commit

* commit

* first commit

* update pack_metadata file

* extract_logs_from_response changes

* get_events_command changes

* commit

* commit

* add logs

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* commit

* Fixed the memory load on Docker

* commit

* first commit for rewrite

* commit

* commit

* add UT and finish implementation

* design

* Change pack name

* add-modeling-rules

* add-parsing-rules

* siem-content-minor-fixes

* add UT and docstring

* add-siem-documentation

* update-siem-documentation

* update-siem-documentation

* commit

* Change readme file

* fix UT and add description to pack_metadata

* commit

* fix mypy flake8

* add UT

* refactor-siem-content

* Apply suggestions from code review

Comment corrections

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* comment corrections

* comment corrections and add UT for it

* comment correction

* mypy

* update Docker

* comment corrections

* comment corrections

* update docker

* fix UT and pre-commit

* commit

* commit

* fix pre commit

* commit

---------

Co-authored-by: Chanan Welt <cwelt@paloaltonetworks.com>
Co-authored-by: cweltPA <129675344+cweltPA@users.noreply.github.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* FireEye ETP Event Collector fixes (#30819)

* Fixed date parsing

* format and tests

* fixed date parsing from and to the api

* fixed tests

* fixed invalid date order

* fetch in asc order

* fetch in asc order

* fix unit testing

* fix potential formatting issue

* change first_run

* change first_run

* Fix RN

* Fix lint

* Fix lint

* added unit tests

* added unit tests

* CR fixes

* CR fixes

* Update Docker Image To demisto/accessdata  (#31373)

* Updated Metadata Of Pack Exterro

* Added release notes to pack Exterro

* Packs/Exterro/Integrations/Exterro/Exterro.yml Docker image update

* Update Docker Image To demisto/boto3py3  (#31372)

* Updated Metadata Of Pack SecurityIntelligenceServicesFeed

* Added release notes to pack SecurityIntelligenceServicesFeed

* Packs/SecurityIntelligenceServicesFeed/Integrations/SecurityIntelligenceServicesFeed/SecurityIntelligenceServicesFeed.yml Docker image update

* Updated Metadata Of Pack AWS-IAM

* Added release notes to pack AWS-IAM

* Packs/AWS-IAM/Integrations/AWS-IAM/AWS-IAM.yml Docker image update

* Updated Metadata Of Pack AWS-Route53

* Added release notes to pack AWS-Route53

* Packs/AWS-Route53/Integrations/AWSRoute53/AWSRoute53.yml Docker image update

* Updated Metadata Of Pack AWS-AccessAnalyzer

* Added release notes to pack AWS-AccessAnalyzer

* Packs/AWS-AccessAnalyzer/Integrations/AWS-AccessAnalyzer/AWS-AccessAnalyzer.yml Docker image update

* Updated Metadata Of Pack AWS-GuardDuty

* Added release notes to pack AWS-GuardDuty

* Packs/AWS-GuardDuty/Integrations/AWSGuardDutyEventCollector/AWSGuardDutyEventCollector.yml Docker image update

* Packs/AWS-GuardDuty/Integrations/AWSGuardDuty/AWSGuardDuty.yml Docker image update

* Updated Metadata Of Pack AWS-SecurityHub

* Added release notes to pack AWS-SecurityHub

* Packs/AWS-SecurityHub/Integrations/AWSSecurityHubEventCollector/AWSSecurityHubEventCollector.yml Docker image update

* Updated Metadata Of Pack Aws-SecretsManager

* Added release notes to pack Aws-SecretsManager

* Packs/Aws-SecretsManager/Integrations/AwsSecretsManager/AwsSecretsManager.yml Docker image update

* [ASM] - EXPANDER 3741 - XSIAM Layout and Rule (#31352)

* [ASM] - EXPANDER 3741 - XSIAM Layout and Rule (#31212)

* Update Rem. Guidance Playbook, add new fields

Created fields:
- "ASM - Attack Surface Rule Category"
- "ASM - Attack Surface Rule Description"
- "ASM - Attack Surface Rule Priority"
- "ASM - Attack Surface Rule Remediation Guidance"

Set fields in Remediation Guidance playbook

* Update release notes

* Update field descriptions

* Format JSON files

* update unsearchable and fromVersion

* Add ASM layout and rule

* Add release notes

* Update pack ReadMe

* Update server content items

* Add marketplace to layout

* Update release notes version

* Add AlertType to server content items

* Add IncidentType to server content items

* update ASM.json layout

* remove ASM from server_content_items.json

---------

Co-authored-by: John <40349459+BigEasyJ@users.noreply.github.com>
Co-authored-by: Adi Daud <46249224+adi88d@users.noreply.github.com>
Co-authored-by: adi88d <adaud@paloaltonetworks.com>

* Feed Recorded Future download all compressed data on disk bug  (#30981)

* Hint for solution

* Potential solution

* Tried solution, did not work

* Added potential solution

* Added RNs and updated docker image

* Added debug logs

* Resolved conflicts

* Added handling of cut-off bytes while streaming

* Added unit tests and test data

* Outsourced decoder

* Went over CR comments

* Fixed Chunk Size

* Added description to fixture

* Ran pre-commit

* Refactored decoding mechanism

* Fix chunk size

* Update FeedRecordedFuture.yml

* Update 1_0_32.md

* CISCO SMA u200b Update (#31349)

* Updated ModelingRules

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated ModelingRules logic

* [e2e xsoar-saas] - fix issue with taxii2-server test (#31362)

* Update Docker Image To demisto/crypto  (#31368)

* Updated Metadata Of Pack MicrosoftDefenderAdvancedThreatProtection

* Added release notes to pack MicrosoftDefenderAdvancedThreatProtection

* Packs/MicrosoftDefenderAdvancedThreatProtection/Integrations/MicrosoftDefenderAdvancedThreatProtection/MicrosoftDefenderAdvancedThreatProtection.yml Docker image update

* Updated Metadata Of Pack AzureSecurityCenter

* Added release notes to pack AzureSecurityCenter

* Packs/AzureSecurityCenter/Integrations/AzureSecurityCenter_v2/AzureSecurityCenter_v2.yml Docker image update

* Update Docker Image To demisto/armorblox  (#31376)

* Updated Metadata Of Pack Armorblox

* Added release notes to pack Armorblox

* Packs/Armorblox/Integrations/Armorblox/Armorblox.yml Docker image update

* Update Docker Image To demisto/pymisp2  (#31369)

* Updated Metadata Of Pack MISP

* Added release notes to pack MISP

* Packs/MISP/Integrations/MISPV3/MISPV3.yml Docker image update

* Update Docker Image To demisto/genericsql  (#31370)

* Updated Metadata Of Pack GenericSQL

* Added release notes to pack GenericSQL

* Packs/GenericSQL/Integrations/GenericSQL/GenericSQL.yml Docker image update

* MS IIS Update3 (#31385)

* Updated ModelingRules

* Updated ReleaseNotes

* Updated ReleaseNotes

* Updated ModelingRules

* Updated ModelingRules

* Add a manual fetch once in 12 hours (#31123)

* fixes

* http module

* CSV

* common server

* tests

* RN

* link

* RN

* change RN

* one more

* pre commit

* update base version

* [known_words]

* removing typing

* swap the known words

* RN

* fix RN

* Bump pack from version FeedMalwareBazaar to 1.0.30.

* Bump pack from version AccentureCTI_Feed to 1.1.27.

* Bump pack from version FeedGCPWhitelist to 2.0.30.

* Bump pack from version Base to 1.32.52.

* make it better

* docs

* CR

* cr

* Fixing dirty merge #1

* fixing dirty merge #2

* fix dirty merge #3

* more

* fix dirty merge #4

* common

* poetry

* fix dirty merge #5

* fix test date

* base rn

* RN

* fix common docstring

* fix rn

* fix errors in build

* shirley

* Bump pack from version Base to 1.32.54.

* RN

* mypy

* fix common server

* ignore type error

* skip test

* fix test name

* add import

* remove the import, test is failing

* fixed function and test

* space

* conf

* add a test for a uniq time zone

* fix test

* move the import into the function

* move the import from the test as well

* replace timezone with pytz, to fit python 2

* Bump pack from version Base to 1.33.1.

* fix test comment

---------

Co-authored-by: Content Bot <bot@demisto.com>

* Fix gmail get mail context output (#31342)

* update context path

* added RN

* updated readme

* update docker

* added run get attachments argument

* pre commit fixes

* pre commit fixes

* cr fixes

* cr fixes

* cr fixes

* update RN

* update docker

* Updated README.md (#31347) (#31363)

* [Zscaler] Add URLs to Retaining Parent Category (#30637)

* add retaining parent url

* Update retaining_parent_category_url argument

* Add retaining-parent-category-ip to yml

* Add retaining-parent-category-ip logic

* ip argument no longer marked required

* url argument no longer marked required

* retaining_parent_category args are None by default

* Add retaining-parent-category-url to remove-url

* Add retaining-parent-category-ip to remove-ip

* UT fix; ruff updates

* Remove redundant context output

* Update release notes

* Fix Failed UTs

* Case of only one ip argument in remove commands

* pre-commit updates

* Update release notes

* Change display value to original value

* Update release notes

* UT Coverage

* Add UTs; Remove redundant debug logs

* Update release notes

* Apply suggestions from code review

Co-authored-by: Jasmine Beilin <71636766+JasBeilin@users.noreply.github.com>

* Remove "pragma no cover" from unrelated UTs

* Revert open function's default 'r' value for readability

---------

Co-authored-by: Jasmine Beilin <71636766+JasBeilin@users.noreply.github.com>

* Update Docker Image To demisto/python3  (#31371)

* Updated Metadata Of Pack QualysFIM

* Added release notes to pack QualysFIM

* Packs/QualysFIM/Integrations/QualysFIM/QualysFIM.yml Docker image update

* Updated Metadata Of Pack FortiSIEM

* Added release notes to pack FortiSIEM

* Packs/FortiSIEM/Integrations/FortiSIEMV2/FortiSIEMV2.yml Docker image update

* Updated Metadata Of Pack FreshworksFreshservice

* Added release notes to pack FreshworksFreshservice

* Packs/FreshworksFreshservice/Integrations/FreshworksFreshservice/FreshworksFreshservice.yml Docker image update

* Updated Metadata Of Pack KnowBe4_KMSAT

* Added release notes to pack KnowBe4_KMSAT

* Packs/KnowBe4_KMSAT/Integrations/KnowBe4KMSATEventCollector/KnowBe4KMSATEventCollector.yml Docker image update

* Packs/KnowBe4_KMSAT/Integrations/KnowBe4KMSAT/KnowBe4KMSAT.yml Docker image update

* Updated Metadata Of Pack SafeNet_Trusted_Access

* Added release notes to pack SafeNet_Trusted_Access

* Packs/SafeNet_Trusted_Access/Integrations/SafeNetTrustedAccessEventCollector/SafeNetTrustedAccessEventCollector.yml Docker image update

* Updated Metadata Of Pack DelineaSS

* Added release notes to pack DelineaSS

* Packs/DelineaSS/Integrations/DelineaSS/DelineaSS.yml Docker image update

* Updated Metadata Of Pack Cryptocurrency

* Added release notes to pack Cryptocurrency

* Packs/Cryptocurrency/Integrations/Cryptocurrency/Cryptocurrency.yml Docker image update

* Updated Metadata Of Pack PANOSPolicyOptimizer

* Added release notes to pack PANOSPolicyOptimizer

* Packs/PANOSPolicyOptimizer/Integrations/PANOSPolicyOptimizer/PANOSPolicyOptimizer.yml Docker image update

* Updated Metadata Of Pack DeveloperTools

* Added release notes to pack DeveloperTools

* Packs/DeveloperTools/Integrations/CreateIncidents/CreateIncidents.yml Docker image update

* Updated Metadata Of Pack QualysFIM

* Updated Metadata Of Pack QualysFIM

* [Marketplace Contribution] MicrosoftGraphTeams - Content Pack Update (#31097) (#31387)

* "contribution update to pack "MicrosoftGraphTeams""

* Update MicrosoftGraphTeams.py

uncomment 'topic' to allow subject for group type chat.

* Update MicrosoftGraphTeams.yml

fixed validation error for descriptions.

* Update Packs/MicrosoftGraphTeams/Integrations/MicrosoftGraphTeams/MicrosoftGraphTeams.py

done

* cr

* Update 1_1_0.md

* Update MicrosoftGraphTeams.yml

* Update 1_1_0.md

* Update 1_1_0.md

* Update MicrosoftGraphTeams.yml

---------

Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com>
Co-authored-by: Vipul Kaneriya <50216620+vipulkaneriya@users.noreply.github.com>
Co-authored-by: MLainer1 <93524335+MLainer1@users.noreply.github.com>
Co-authored-by: MLainer1 <mlainer@paloaltonetworks.com>

* Cybersixgill alerts typosquatting (#31386)

* Cybersixgill alerts typosquatting (#30787)

* Added mapper for 2 custom incident fields

* Updated release notes.

* Added typosquatting to known words

* new Incident fields and incoming mapper formatted

* Release notes reviewed.

* setting unsearchable to true.

* Suspicious and Triggered domain as tables.

* Moved 3 mappings from code to mapper.

* Updated test case

* Updated test case

* Added default mapper and updated docker image version

* Added breaking change note

* Removed breaking change note

* Renamed files as per suggestion

* renamed mapper as per suggestion

* Added new release note.

* Changed id and name for incident fields and updated docker image name

* update RN

* update RN, update fields names, update mapper

* update id, update RN

* Update 1_2_10.md

* Update incidentfield-Cybersixgill_Triggered_Domain.json

* update docker

* ID value contained invalid caps character.

* changing type in fields to tagselect

---------

Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com>

* docker image update

---------

Co-authored-by: syed-loginsoft <97145640+syed-loginsoft@users.noreply.github.com>
Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com>

* Armis …
Showing 9 changed files with 1,121 additions and 14 deletions.


@@ -0,0 +1,62 @@
The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The playbook aims to efficiently:

- Check if the execution is blocked. If not will terminate the process (Manually by default).
- Enrich any entities and indicators from the alert and find any related campaigns.
- Perform command analysis to provide insights and verdict for the executed command.
- Perform further endpoint investigation using XDR.
- Checks for any malicious verdict found to raise the severity of the alert.
- Perform Automatic/Manual remediation response by blocking any malicious indicators found.

The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
It depends on the data from the parent playbooks and can not be used as a standalone version.

## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

* Threat Hunting - Generic
* Block Indicators - Generic v3
* Command-Line Analysis
* Get entity alerts by MITRE tactics
* Enrichment for Verdict

### Integrations

* CortexCoreIR

### Scripts

This playbook does not use any scripts.

### Commands

* extractIndicators
* core-get-endpoints
* core-run-script-execute-commands
* setAlert
* setIncident

## Playbook Inputs

---

| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| alerts_ids | The ID's of the relevant alerts | ${alert.id} | Optional |
| AutoRemediation | Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic. | false | Optional |
| LOLBASFeedLimit | LOLBAS Feed results limit | 100 | Optional |
| EndpointIDs | The IDs of the victim endpoint | ${alert.hostip} | Optional |

## Playbook Outputs

---
There are no outputs for this playbook.

## Playbook Image

---

![Remote PsExec with LOLBIN command execution alert](../doc_files/Remote_PsExec_with_LOLBIN_command_execution_alert.png)
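Review bot: the `EndpointIDs` input in the inputs table is described as "The IDs of the victim endpoint" but defaults to `${alert.hostip}`, which is a host IP rather than an endpoint ID; since `core-get-endpoints` is listed under Commands, please confirm which value the playbook actually filters on and align either the default or the description. In the same table, `LOLBASFeedLimit` is documented as an input while this commit removes that input from the Cortex XDR variant of the playbook; if the Core variant does not consume it either, drop the row. Smaller points: the bullet list mixes imperative and third-person forms ("Check …", "Enrich …", "Checks for any malicious verdict …") and "If not will terminate the process" lacks a subject; suggest "Check whether the execution was blocked. If not, terminate the process (manually by default)." and "Check for any malicious verdict and raise the alert severity accordingly.", and "The ID's of the relevant alerts" should read "The IDs of the relevant alerts".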
17 changes: 17 additions & 0 deletions Packs/Core/ReleaseNotes/3_0_9.md
@@ -0,0 +1,17 @@

#### Playbooks

##### New: Remote PsExec with LOLBIN command execution alert

- New: The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The playbook aims to efficiently:

- Check if the execution is blocked. If not will terminate the process (Manually by default).
- Enrich any entities and indicators from the alert and find any related campaigns.
- Perform command analysis to provide insights and verdict for the executed command.
- Perform further endpoint investigation using XDR.
- Checks for any malicious verdict found to raise the severity of the alert.
- Perform Automatic/Manual remediation response by blocking any malicious indicators found.

The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
It depends on the data from the parent playbooks and can not be used as a standalone version. (Available from Cortex XSOAR 6.10.0).
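Review bot: the bullet list that follows "- New: …" sits at the same indentation as the "New:" bullet, so markdown renders "Check if the execution is blocked …" and the lines after it as sibling items of the "New:" entry rather than as its sub-items; either indent the inner list or keep the release note to a one-sentence summary and leave the full description to the README. The wording issues of the README are copied here as well: "Checks for any malicious verdict" beside "Check", "Enrich" and "Perform", and "If not will terminate the process" without a subject; suggest "If not, terminate the process (manually by default)."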
2 changes: 1 addition & 1 deletion Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Core - Investigation and Response",
"description": "Automates incident response",
"support": "xsoar",
"currentVersion": "3.0.8",
"currentVersion": "3.0.9",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -3,7 +3,17 @@ version: -1
contentitemexportablefields:
contentitemfields: {}
name: Cortex XDR Remote PsExec with LOLBIN command execution alert
description: "The \"Remote PsExec-like LOLBIN Command Execution\" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. \nThe playbook aims to efficiently:\n\n- Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).\n- Enrich any entities and indicators from the alert and find any related campaigns.\n- Perform command analysis to provide insights and a verdict for the executed command.\n- Perform further endpoint investigation using Cortex XDR.\n- Checks for any malicious verdicts found to raise the severity of the alert.\n- Perform automatic/manual remediation response by blocking any malicious indicators found.\n\nThe playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.\nIt depends on the data from the parent playbooks and cannot be used as a standalone version."
description: |
The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The playbook aims to efficiently:
- Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).
- Enrich any entities and indicators from the alert and find any related campaigns.
- Perform command analysis to provide insights and a verdict for the executed command.
- Perform further endpoint investigation using Cortex XDR.
- Checks for any malicious verdicts found to raise the severity of the alert.
- Perform automatic/manual remediation response by blocking any malicious indicators found.
The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling".
It depends on the data from the parent playbooks and cannot be used as a standalone version.
starttaskid: "0"
tasks:
"0":
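Review bot: the switch from the quoted string to a `|` block scalar drops the blank lines the original carried as `\n\n`, both before the bullet list and before the closing paragraph. Without an empty line after "- Perform automatic/manual remediation response by blocking any malicious indicators found.", a markdown renderer treats "The playbook is designed to run as a sub-playbook in …" as a lazy continuation of the last bullet, so the closing paragraph is swallowed into the list. Suggest restoring the empty lines inside the block scalar so the description matches the README hunk in this same commit, which keeps a blank line between the last bullet and "The playbook is designed to run as a sub-playbook …".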
@@ -1092,12 +1102,6 @@ inputs:
required: false
description: Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic.
playbookInputQuery:
- key: LOLBASFeedLimit
value:
simple: "100"
required: false
description: LOLBAS Feed results limit.
playbookInputQuery:
- key: EndpointIDs
value:
complex:
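Review bot: removing the `LOLBASFeedLimit` input changes the playbook's interface, and the parent playbooks this sub-playbook depends on ("Cortex XDR Incident Handling - v3" and "Cortex XDR Alerts Handling") may still pass a value for it; please confirm those callers were checked, and record the removed input in Packs/CortexXDR/ReleaseNotes/6_1_4.md, which in this commit only says the description was updated. Note also that the new Core README added in the same commit still documents `LOLBASFeedLimit` as an input of the Core variant.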
@@ -1,4 +1,4 @@
V The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The playbook aims to efficiently:

- Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).
@@ -8,7 +8,7 @@ The playbook aims to efficiently:
- Checks for any malicious verdicts found to raise the severity of the alert.
- Perform automatic/manual remediation response by blocking any malicious indicators found.

The playbook is designed to run as a sub-playbook in Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling.
The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling".
It depends on the data from the parent playbooks and cannot be used as a standalone version.

## Dependencies
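Review bot: this hunk replaces the curly quotes around the parent-playbook names with straight quotes, but the new Core README added in this commit still uses curly quotes (‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’); pick one style for both files, straight quotes being the safer choice for text that is also embedded in the playbook YAML description.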
@@ -18,9 +18,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
### Sub-playbooks

* Command-Line Analysis
* Threat Hunting - Generic
* Entity Enrichment - Generic v4
* Cortex XDR - Endpoint Investigation
* Threat Hunting - Generic
* Block Indicators - Generic v3

### Integrations
@@ -30,11 +30,12 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
### Scripts

* IncreaseIncidentSeverity
* AddEvidence

### Commands

* xdr-script-commands-execute
* setIncident
* xdr-script-commands-execute

## Playbook Inputs

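Review bot: the Scripts list gains `AddEvidence`, yet the playbook YAML changes in this commit touch only the description and the `LOLBASFeedLimit` input, and the release note says only that the description was updated. If the playbook already called `AddEvidence` before this change, the README was simply stale and the addition is fine; if it is a new task, the corresponding YAML change is missing from this diff and the release note should mention it. The swap of `setIncident` and `xdr-script-commands-execute` in the Commands list is cosmetic.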
@@ -45,7 +46,6 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
| SrcIPAddress | The remote IP address that executed the process. | incident.xdralerts.actionremoteip | Optional |
| alerts_ids | The IDs of the relevant alerts. | incident.xdralerts.alert_id | Optional |
| AutoRemediation | Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic. | false | Optional |
| LOLBASFeedLimit | LOLBAS Feed results limit. | 100 | Optional |
| EndpointIDs | The IDs of the victim endpoint. | incident.xdralerts.endpoint_id | Optional |
| HighAlertsThreshold | The threshold number of additional high severity alerts. | 1 | Optional |
| CriticalAlertsThreshold | The threshold number of additional critical severity alerts. | 1 | Optional |
6 changes: 6 additions & 0 deletions Packs/CortexXDR/ReleaseNotes/6_1_4.md
@@ -0,0 +1,6 @@

#### Playbooks

##### Cortex XDR Remote PsExec with LOLBIN command execution alert

- Updated the playbook description
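Review bot: "Updated the playbook description" understates the change: this commit also removes the `LOLBASFeedLimit` playbook input (see the inputs hunk of the playbook YAML and the README inputs table), which callers passing that input need to know about. Suggest two bullets, "Updated the playbook description." and "Removed the LOLBASFeedLimit playbook input.", each ending with a period as in Packs/Core/ReleaseNotes/3_0_9.md.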
2 changes: 1 addition & 1 deletion Packs/CortexXDR/pack_metadata.json
@@ -2,7 +2,7 @@
"name": "Cortex XDR by Palo Alto Networks",
"description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
"support": "xsoar",
"currentVersion": "6.1.3",
"currentVersion": "6.1.4",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",

0 comments on commit e2ccdfa
