CortexNewPack (#37787)

* content

* rn

* add

* fix

* changepackname

* changepacknamee

* fixpackignore

* updatenewpacknameinlist

* rnwithbcupdate

* Bump pack from version Core to 3.2.11.

* Bump pack from version Core to 3.2.12.

* Bump pack from version Core to 3.2.13.

* Bump pack from version Core to 3.2.14.

* remove authimage

* fixesfromreview

* triggers new playbooks and change name

* changes

* changepbname

* test

* fix

* fix folder name

* fix

* removenamechange

* fix metadate

* Bump pack from version Core to 3.2.15.

* Bump pack from version Core to 3.2.16.

---------

Co-authored-by: Content Bot <[email protected]>
Co-authored-by: ypreisler <[email protected]>

Config/core_packs_mpv2_list.json

@@ -22,7 +22,8 @@
     "Unit42Intel",
     "VirusTotal",
     "Whois",
-    "rasterize"
+    "rasterize",
+    "CortexResponseAndRemediation"
   ],
   "update_core_packs_list": [
     "AutoFocus",
@@ -47,6 +48,7 @@
     "Unit42Intel",
     "VirusTotal",
     "Whois",
-    "rasterize"
+    "rasterize",
+    "CortexResponseAndRemediation"
   ]
 }

Packs/Core/ReleaseNotes/3_2_16.json

@@ -0,0 +1,4 @@
+{
+    "breakingChanges": true,
+    "breakingChangesNotes": "Playbooks from 'Core - Investigation & Response' have been migrated to the 'Cortex Response And Remediation' pack. Please install the new pack before updating."
+}

Packs/Core/ReleaseNotes/3_2_16.md

@@ -0,0 +1,3 @@
+## Core - Investigation and Response
+
+Playbooks from 'Core - Investigation & Response' have been migrated to the 'Cortex Response And Remediation' pack. Please install the new pack before updating.

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "3.2.15",
+    "currentVersion": "3.2.16",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexResponseAndRemediation/.pack-ignore

@@ -0,0 +1,25 @@
+[file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml]
+ignore=PB106
+
+[file:README.md]
+ignore=RM104,RM106
+
+# See CIAC-7711, CIAC-11954
+[file:playbook-Suspicious_Hidden_User_Created.yml]
+ignore=GR103
+
+# See CIAC-7711, CIAC-11954
+[file:playbook-Excessive_User_Account_Lockouts.yml]
+ignore=GR103
+
+# GR103 is temporary, see CIAC-11954
+[file:playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml]
+ignore=GR103
+
+[known_words]
+xsiam
+coreirapimodule
+xdrir
+NGFW
+HTTPS
+SMTP

Packs/CortexResponseAndRemediation/.secrets-ignore

@@ -0,0 +1,95 @@
+1.1.1.1
+2.2.2.2
+8.8.8.8
+3.3.3.3
+5.5.5.5
+0.0.0.0
+172.16.0.0
+172.31.11.11
+196.168.0.1
+192.168.0.0
+agent_version=6.1.4.1680
+1111.paloaltonetworks.com
+origin=originsic=CN=DWdeviceBlackend,O=Blackend
+origin=originsic=CN=DWdeviceBlackend
+|action|action_external_hostname|action_file_md5|action_file_path||action_local_ip|action_local_port|action_pretty|action_process_image_command_line|action_process_image_name||action_process_signature_status|action_process_signature_vendor|action_registry_data||action_remote_ip|action_remote_port|actor_process_command_line|actor_process_image_name|actor_process_signature_status|actor_process_signature_vendor|alert_id|category|causality_actor_causality_id||causality_actor_process_image_name|causality_actor_process_signature_status||description|detection_timestamp|event_type|fw_app_id|host_ip|host_name|is_whitelisted|name|severity|source|starred|user_name|
+modification_time
+creation_time
+timestamp_lte
+_external_hostname
+192.168.1.254
+[email protected]
+[email protected]
+xdrdummyurl.com
+some.xdr.url.com
+api.xdrurl.com
+demisto.hello.com
+paloaltonetworksxdr
+url_suffix=
+wildfire-test-pe-file.exe
+manual_description
+causality_actor_process_signature_vendor
+wildfire-test-pe-file.exe
+action_file_sha256
+manual_description
+action_registry_full_key
+action_process_image_sha256
+causality_actor_process_command_line
+high_severity_alert_count
+origin=originsicname
+||microsoft-ds
+Point|Log
+auditagentreports
+ip-172-31-15-237.eu-central-1.compute.internal
+196.168.0.111
+tableToMarkdown
+under_investigation
+resolved_threat_handled
+resolved_true_positive
+resolved_security_testing
+resolved_known_issue
+resolved_false_positive
+resolved_duplicate
+resolved_other
+"new"
+distribution_id
+endpoint_id
+cef_alerts
+https://github.com
+[email protected]
+http://example.com
+https://raw.githubusercontent.com
+2.2.2.3
+2.2.3.3
+management_logs
+11.11.11.11
+22.22.22.22
+33.33.33.33
+44.44.44.44
+55.55.55.55
+66.66.66.66
+77.77.77.77
+88.88.88.88
+http://www.test.com
+http://www.test.org
+http://test.org
+https://test.org
+[email protected]
+https://us-cert.cisa.gov/tlp
+fake.url.com
+[email protected]
+https://www.cisa.gov
+SailPoint
+[email protected]
+[email protected]
+[email protected]
+[email protected]
+000001e7a228b2a7abdf7f7e404bc8522df32b725e86907dde32176bccbbbb27
+80.66.75.36
+218.92.0.29
+[email protected]
+[email protected]
+[email protected]
+f3322.net
+Clarizen
+https://test_api.com

Packs/CortexResponseAndRemediation/README.md

@@ -0,0 +1,17 @@
+The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes, built to support an Autonomous SOC vision.
+The playbooks in this pack are tightly coupled to Issues, leveraging detector logic to provide highly accurate and context-aware responses. This ensures seamless integration with Cortex XSIAM, enabling SOC teams to focus on high-priority threats while automating repetitive tasks.
+
+
+## Response & Remediation Pack playbooks Key Principles
+- Focused Security Response: Playbooks prioritize high-quality security responses while delegating organizational tasks to incident-level or sub-playbooks.
+- Research-Based Design: The playbooks in the Response & Remediation pack are designed by the Cortex & Prisma Research team with extensive expertise and knowledge in responding to incidents and alerts.
+- Detector Alignment: Playbooks are tailored to specific Cortex and Prisma issues, ensuring precision by aligning with detector logic.
+- Cortex Analytics Integration: Playbooks leverage Cortex analytics capabilities to derive precise verdicts for accurate and effective remediation.
+- AI-Driven Investigations: Advanced AI capabilities enrich investigations by providing deeper insights and contextual data to improve decision-making.
+- Clear Design: Understandable within minutes.
+
+## Playbook Features
+- Prebuilt: Use out-of-the-box (OOTB) playbooks to ensure rapid deployment and reliable functionality.
+- Context-aware Actions: Implement responsive actions based on alert triggers.
+- Seamless Integrations: Fully compatible with Palo Alto Networks products and compatible also with third-party solutions.
+- Granular Monitoring: Provides detailed logs for tracking execution.

Packs/CortexResponseAndRemediation/pack_metadata.json

@@ -0,0 +1,23 @@
+{
+    "name": "Cortex Response And Remediation",
+    "description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Case Management",
+        "Endpoint",
+        "Cloud Security",
+        "Email"
+    ],
+    "tags": [
+        "Palo Alto Networks Products"
+    ],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}