

Cortex XDR device control violations - AD bug fix (demisto#36610)
* playbook fix + image update

* RN

* Added task descriptions (validation fails due to them missing)

* validation fixes (more descriptions)

* Bump the CortexXDR pack version to 6.1.81.

---------

Co-authored-by: Content Bot <[email protected]>
idovandijk and Content Bot authored Oct 7, 2024
1 parent 32b9d3a commit 976d434
Showing 4 changed files with 95 additions and 49 deletions.
Expand Up @@ -31,6 +31,9 @@ tasks:
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"1":
id: "1"
taskid: 3b9e0236-4004-482e-8c5b-5084d95a532d
Expand All @@ -57,18 +60,9 @@ tasks:
ip_list:
complex:
root: inputs.IPAddress
product: {}
product_id: {}
serial: {}
timestamp_gte:
complex:
root: inputs.TimeStamp
timestamp_lte: {}
type: {}
username: {}
vendor: {}
vendor_id: {}
violation_id_list: {}
separatecontext: false
view: |-
{
Expand All @@ -82,6 +76,9 @@ tasks:
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"2":
id: "2"
taskid: 5201332f-5be8-49ca-8a34-ba282ec5ff82
Expand All @@ -90,10 +87,10 @@ tasks:
id: 5201332f-5be8-49ca-8a34-ba282ec5ff82
version: -1
name: Were device control violations found?
description: Checks whether any device control violations were found.
type: condition
iscommand: false
brand: ""
description: ''
nexttasks:
'#default#':
- "8"
Expand Down Expand Up @@ -122,6 +119,9 @@ tasks:
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"3":
id: "3"
taskid: a28d149b-91ca-4c81-8640-327f703edd79
Expand All @@ -138,32 +138,18 @@ tasks:
'#none#':
- "5"
scriptarguments:
additionalHeader: {}
attachCIDs: {}
attachIDs: {}
attachNames: {}
bcc: {}
body: {}
cc: {}
from: {}
htmlBody: {}
replyTo: {}
subject:
simple: Device Control Violation
templateParams: {}
to:
complex:
root: ActiveDirectory.Users
accessor: mail
transientFile: {}
transientFileCID: {}
transientFileContent: {}
separatecontext: false
view: |-
{
"position": {
"x": 447.5,
"y": 1265
"y": 1415
}
}
note: false
Expand All @@ -189,6 +175,8 @@ tasks:
retriescount: 2
retriesinterval: 360
completeafterreplies: 1
completeafterv2: false
completeaftersla: false
form:
questions:
- id: "0"
Expand Down Expand Up @@ -228,6 +216,9 @@ tasks:
totalanswers: 0
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"4":
id: "4"
taskid: 256b3ed5-14c2-4e5f-8ae2-bc937b86b8ce
Expand All @@ -245,14 +236,6 @@ tasks:
'#none#':
- "12"
scriptarguments:
attributes: {}
custom-field-data: {}
custom-field-type: {}
dn: {}
email: {}
limit: {}
name: {}
user-account-control-out: {}
username:
complex:
root: PaloAltoNetworksXDR.EndpointViolations
Expand All @@ -272,14 +255,17 @@ tasks:
{
"position": {
"x": 447.5,
"y": 890
"y": 1040
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"5":
id: "5"
taskid: 935f3d5b-a6b6-452a-81ca-0a3c31495999
Expand All @@ -288,10 +274,10 @@ tasks:
id: 935f3d5b-a6b6-452a-81ca-0a3c31495999
version: -1
name: Did the involved user connect the device?
description: Checks if the user connected the device
type: condition
iscommand: false
brand: ""
description: ''
nexttasks:
'#default#':
- "8"
Expand All @@ -315,14 +301,17 @@ tasks:
{
"position": {
"x": 447.5,
"y": 1430
"y": 1580
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"6":
id: "6"
taskid: 2a3eb3b4-ac48-4526-8b8d-dcde62ec67d2
Expand All @@ -331,10 +320,10 @@ tasks:
id: 2a3eb3b4-ac48-4526-8b8d-dcde62ec67d2
version: -1
name: Check if the device is approved for use
description: The analyst should decide whether the device is approved for use or not.
type: regular
iscommand: false
brand: ""
description: ''
nexttasks:
'#none#':
- "8"
Expand All @@ -343,14 +332,17 @@ tasks:
{
"position": {
"x": 700,
"y": 1600
"y": 1750
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"8":
id: "8"
taskid: 1a96d761-18b5-456a-8f26-b282377c131c
Expand All @@ -368,14 +360,17 @@ tasks:
{
"position": {
"x": 50,
"y": 1770
"y": 1920
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"9":
id: "9"
taskid: 199041f9-c401-46e9-81f6-268a5b132768
Expand All @@ -391,7 +386,7 @@ tasks:
brand: ""
nexttasks:
'#none#':
- "4"
- "13"
scriptarguments:
columns:
simple: Hostname,Username,IP,XDR endpoint ID,Violation type,Date,Product,Vendor
Expand All @@ -401,9 +396,6 @@ tasks:
simple: xdrdevicecontrolviolations
keys:
simple: hostname,username,ip,endpoint_id,type,date,product,vendor
overwrite: {}
sort_by: {}
unpack_nested_elements: {}
separatecontext: false
view: |-
{
Expand All @@ -417,6 +409,9 @@ tasks:
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"10":
id: "10"
taskid: e12bce4a-c80e-4907-8767-86102a491bd8
Expand All @@ -425,10 +420,10 @@ tasks:
id: e12bce4a-c80e-4907-8767-86102a491bd8
version: -1
name: Were current violations found?
description: Checks whether any current device control violations were found.
type: condition
iscommand: false
brand: ""
description: ''
nexttasks:
'#default#':
- "1"
Expand Down Expand Up @@ -457,6 +452,9 @@ tasks:
ignoreworker: false
skipunavailable: false
quietmode: 0
continueonerrortype: ""
isoversize: false
isautoswitchedtoquietmode: false
"11":
id: "11"
taskid: 637b111d-8ab6-4f2b-8498-26e01b330c6b
Expand All @@ -478,7 +476,6 @@ tasks:
simple: "true"
key:
simple: PaloAltoNetworksXDR.EndpointViolations
stringify: {}
value:
complex:
root: incident
Expand All @@ -498,6 +495,7 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
continueonerrortype: ""
"12":
id: "12"
taskid: 1a497783-b55d-4aec-8764-2722b3d3216d
Expand All @@ -506,10 +504,10 @@ tasks:
id: 1a497783-b55d-4aec-8764-2722b3d3216d
version: -1
name: Is the user's email retrieved?
description: Checks if the user's email was retrieved from Active Directory.
type: condition
iscommand: false
brand: ""
description: ""
nexttasks:
'#default#':
- "8"
Expand All @@ -531,7 +529,44 @@ tasks:
{
"position": {
"x": 447.5,
"y": 1060
"y": 1210
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"13":
id: "13"
taskid: fbe94a7c-57b6-41da-8bab-95e135f30b60
type: condition
task:
id: fbe94a7c-57b6-41da-8bab-95e135f30b60
version: -1
name: Is Active Directory enabled?
description: Checks whether the Active Directory Query v2 integration is enabled.
scriptName: IsIntegrationAvailable
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "8"
"yes":
- "4"
scriptarguments:
brandname:
simple: Active Directory Query v2
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 447.5,
"y": 880
}
}
note: false
Expand All @@ -545,13 +580,15 @@ view: |-
{
"linkLabelsPosition": {
"10_11_yes": 0.47,
"12_8_#default#": 0.47,
"13_8_#default#": 0.27,
"2_8_#default#": 0.1,
"5_6_yes": 0.57,
"5_8_#default#": 0.22
},
"paper": {
"dimensions": {
"height": 1785,
"height": 1935,
"width": 1030,
"x": 50,
"y": 50
Expand Down Expand Up @@ -602,3 +639,6 @@ tests:
fromversion: 5.5.0
marketplaces:
- xsoar
contentitemexportablefields:
contentitemfields: {}
system: true
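--- a/Packs/CortexXDR/ReleaseNotes/6_1_81.md
+++ b/Packs/CortexXDR/ReleaseNotes/6_1_81.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex XDR device control violations
+
+- Fixed an issue that resulted in an error if Active Directory was not available.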
2 changes: 1 addition & 1 deletion Packs/CortexXDR/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Cortex XDR by Palo Alto Networks",
"description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
"support": "xsoar",
"currentVersion": "6.1.80",
"currentVersion": "6.1.81",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
