From cc4494f7c37e5de2d13961ea34d28a0ee3b71b76 Mon Sep 17 00:00:00 2001 
From: scottbrumley Date: Wed, 8 Apr 2026 13:42:29 -0400 Subject: [PATCH 1/2] =?UTF-8?q?chore(soc-opt-uni):=20normalize=20existing?= =?UTF-8?q?=20playbooks=20=E2=80=94=20strip=20UI=20export=20artifacts,=20f?= =?UTF-8?q?ix=20task=20IDs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../SOCActionClassMap_V3.json | 25 +- .../SOCExecutionList_V3.json | 25 +- .../Lists/SOCFWConfig/SOCFWConfig.json | 5 +- .../SOCFWFeatureFlags/SOCFWFeatureFlags.json | 25 +- .../SOCFWFeatureFlags_data.json | 4 +- .../SOCFrameworkActions_V3_data.json | 890 +----------------- .../shadow_mode_policy.json | 49 - .../SOCOptimizationConfig_V3.json | 25 +- .../SOCProductCategoryMap_V3.json | 25 +- .../SOCProductCategoryMap_V3_data.json | 2 +- ...ent.yml => Foundation_-_Assessment_V3.yml} | 9 +- ...Sync.yml => Foundation_-_Case_Sync_V3.yml} | 4 +- .../Foundation_-_Data_Integrity_V3.yml | 14 +- ..._-_Dedup.yml => Foundation_-_Dedup_V3.yml} | 40 +- .../Playbooks/Foundation_-_Enrichment_V3.yml | 34 +- ...Foundation_-_Environment_Detection_V3.yml} | 20 +- ...yml => Foundation_-_Error_Handling_V3.yml} | 2 +- ...ion.yml => Foundation_-_Escalation_V3.yml} | 4 +- ...et_Alert_Tasks_and_Store_to_Dataset_V3.yml | 23 +- .../Foundation_-_Normalize_Artifacts_V3.yml | 36 +- .../Foundation_-_Normalize_Cloud_V3.yml | 94 +- .../Foundation_-_Normalize_Email_V3.yml | 101 +- .../Foundation_-_Normalize_Endpoint_V3.yml | 159 ++-- .../Foundation_-_Normalize_Generic_V3.yml | 69 +- .../Foundation_-_Normalize_Identity_V3.yml | 109 +-- .../Foundation_-_Normalize_Network_V3.yml | 119 +-- ...> Foundation_-_Performance_Capture_V3.yml} | 4 +- ...Foundation_-_Product_Classification_V3.yml | 40 +- .../Foundation_-_Upon_Trigger_V3.yml | 17 +- ...n_-_Extract_Indicators_from_alerts_V3.yml} | 8 +- ...Alerts_V3.yml => JOB_-_Auto_Triage_V3.yml} | 10 +- ...-_Store_Playbook_Metrics_in_Dataset_V3.yml | 11 +- ...Close_Cases.yml => SOC_Close_Cases_V3.yml} | 19 +- 
.../Playbooks/SOC_Comms_Email_V3.yml | 35 +- .../{SOC_Comms_IM.yml => SOC_Comms_IM_V3.yml} | 9 +- ...cketing.yml => SOC_Comms_Ticketing_V3.yml} | 9 +- 36 files changed, 396 insertions(+), 1678 deletions(-) delete mode 100644 Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Assessment.yml => Foundation_-_Assessment_V3.yml} (93%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Case_Sync.yml => Foundation_-_Case_Sync_V3.yml} (96%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Dedup.yml => Foundation_-_Dedup_V3.yml} (97%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Environment_Detection.yml => Foundation_-_Environment_Detection_V3.yml} (91%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Error_Handling.yml => Foundation_-_Error_Handling_V3.yml} (100%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Escalation.yml => Foundation_-_Escalation_V3.yml} (97%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_-_Performance_Capture.yml => Foundation_-_Performance_Capture_V3.yml} (97%) rename Packs/soc-optimization-unified/Playbooks/{Foundation_Common_-_Extract_Indicators_from_alerts.yml => Foundation_Common_-_Extract_Indicators_from_alerts_V3.yml} (95%) rename Packs/soc-optimization-unified/Playbooks/{JOB_-_Triage_Alerts_V3.yml => JOB_-_Auto_Triage_V3.yml} (98%) rename Packs/soc-optimization-unified/Playbooks/{SOC_Close_Cases.yml => SOC_Close_Cases_V3.yml} (93%) rename Packs/soc-optimization-unified/Playbooks/{SOC_Comms_IM.yml => SOC_Comms_IM_V3.yml} (95%) rename Packs/soc-optimization-unified/Playbooks/{SOC_Comms_Ticketing.yml => SOC_Comms_Ticketing_V3.yml} (95%) diff --git a/Packs/soc-optimization-unified/Lists/SOCActionClassMap_V3/SOCActionClassMap_V3.json b/Packs/soc-optimization-unified/Lists/SOCActionClassMap_V3/SOCActionClassMap_V3.json index 39f2714d..8021caea 100644 
--- a/Packs/soc-optimization-unified/Lists/SOCActionClassMap_V3/SOCActionClassMap_V3.json
+++ b/Packs/soc-optimization-unified/Lists/SOCActionClassMap_V3/SOCActionClassMap_V3.json
@@ -1,28 +1,7 @@
 {
- "allRead": true,
- "allReadWrite": true,
- "cacheVersn": 0,
- "data": "-",
- "definitionId": "",
- "description": "Maps SOC Framework action names to action classes for multi-vendor response routing. SOCCommandWrapper reads this to determine which responses.{class} key to use in SOCProductCategoryMap_V3.",
- "detached": false,
- "fromServerVersion": "6.5.0",
 "id": "SOCActionClassMap_V3",
- "isOverridable": false,
- "itemVersion": "1.0.0",
- "locked": false,
 "name": "SOCActionClassMap_V3",
- "nameLocked": false,
- "packID": "",
- "packName": "",
- "previousAllRead": true,
- "previousAllReadWrite": true,
- "system": false,
- "tags": null,
- "toServerVersion": "",
- "truncated": false,
+ "display_name": "SOCActionClassMap_V3",
 "type": "json",
- "version": -1,
- "fromVersion": "6.5.0",
- "display_name": "SOCActionClassMap_V3"
+ "fromVersion": "6.5.0"
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCExecutionList_V3/SOCExecutionList_V3.json b/Packs/soc-optimization-unified/Lists/SOCExecutionList_V3/SOCExecutionList_V3.json
index 6f03f9ed..e8f16e97 100644
--- a/Packs/soc-optimization-unified/Lists/SOCExecutionList_V3/SOCExecutionList_V3.json
+++ b/Packs/soc-optimization-unified/Lists/SOCExecutionList_V3/SOCExecutionList_V3.json
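Review bot: The removed `description` ("Maps SOC Framework action names to action classes ... SOCCommandWrapper reads this to determine which responses.{class} key to use ...") is the list's only statement of what it is for and which script consumes it; it is list documentation, not a UI export artifact like `allRead`, `cacheVersn` or `previousAllReadWrite`, and nothing in the new seven-key file restates it. Keep the field, for example `"description": "Maps SOC Framework action names to action classes for multi-vendor response routing; read by SOCCommandWrapper to pick the responses.{class} key in SOCProductCategoryMap_V3.",`. If the pack's list schema does not carry `description` (not visible from this diff), put the same sentence in the pack README so the consumer relationship is still recorded somewhere.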
@@ -1,28 +1,7 @@
 {
- "allRead": true,
- "allReadWrite": true,
- "cacheVersn": 0,
- "data": "-",
- "definitionId": "",
- "description": "By default these playbooks will run the default playbook. These can be changed on a per tenant bases to test new development branches under custom. The values are either \"default\" or \"custom\"",
- "detached": false,
- "fromServerVersion": "",
 "id": "SOCExecutionList_V3",
- "isOverridable": false,
- "itemVersion": "",
- "locked": false,
 "name": "SOCExecutionList_V3",
- "nameLocked": false,
- "packID": "",
- "packName": "",
- "previousAllRead": true,
- "previousAllReadWrite": true,
- "system": false,
- "tags": null,
- "toServerVersion": "",
- "truncated": false,
+ "display_name": "SOCExecutionList_V3",
 "type": "json",
- "version": -1,
- "fromVersion": "6.5.0",
- "display_name": "SOCExecutionList_V3"
+ "fromVersion": "6.5.0"
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCFWConfig/SOCFWConfig.json b/Packs/soc-optimization-unified/Lists/SOCFWConfig/SOCFWConfig.json
index 20431f5e..85f37332 100644
--- a/Packs/soc-optimization-unified/Lists/SOCFWConfig/SOCFWConfig.json
+++ b/Packs/soc-optimization-unified/Lists/SOCFWConfig/SOCFWConfig.json
@@ -3,8 +3,5 @@
 "name": "SOCFWConfig",
 "display_name": "SOCFWConfig",
 "type": "json",
- "version": -1,
- "fromVersion": "6.5.0",
- "data": "",
- "tags": ["soc-framework,soc"]
+ "fromVersion": "6.5.0"
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags.json b/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags.json
index 731c420c..c0050baa 100644
--- a/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags.json
+++ b/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags.json
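Review bot: Dropping `description` from SOCExecutionList_V3 loses the only documented contract for the list's values — each entry is `"default"` or `"custom"`, switchable per tenant to test a development branch — and the remaining id/name/display_name/type/fromVersion keys say nothing about it. Keep the field with the typo fixed: `"description": "Per-tenant execution selector. Each playbook entry is either \"default\" or \"custom\"; \"custom\" runs the tenant's development branch for testing.",`. Because this list chooses which playbook executes, an operator who cannot see the allowed values is more likely to enter something that silently falls through to whichever branch the consumer treats as the fallback; the fallback behaviour itself is not visible in this diff.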
@@ -1,28 +1,7 @@
 {
- "allRead": true,
- "allReadWrite": true,
- "cacheVersn": 0,
- "data": "-",
- "definitionId": "",
- "description": "SOC Framework feature flags. All flags default false \u2014 Framework runs end-to-end with zero configuration. Enable individual capabilities as integrations are deployed. Each flag description explains the requirement.",
- "detached": false,
- "fromServerVersion": "",
 "id": "SOCFWFeatureFlags",
- "isOverridable": false,
- "itemVersion": "",
- "locked": false,
 "name": "SOCFWFeatureFlags",
- "nameLocked": false,
- "packID": "",
- "packName": "",
- "previousAllRead": true,
- "previousAllReadWrite": true,
- "system": false,
- "tags": null,
- "toServerVersion": "",
- "truncated": false,
+ "display_name": "SOCFWFeatureFlags",
 "type": "json",
- "version": -1,
- "fromVersion": "6.5.0",
- "display_name": "SOCFWFeatureFlags"
+ "fromVersion": "6.5.0"
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags_data.json b/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags_data.json
index 8d29fd36..580d38f8 100644
--- a/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags_data.json
+++ b/Packs/soc-optimization-unified/Lists/SOCFWFeatureFlags/SOCFWFeatureFlags_data.json
@@ -19,10 +19,10 @@
 },
 "email_indicator_hunting": {
 "enabled": false,
- "description": "Cross-platform indicator hunting for phishing IOCs. Enable when a hunting-capable platform is connected (e.g., Microsoft Defender 365). Expensive \u2014 runs per alert and queries connected platforms for all extracted IOCs."
+ "description": "Cross-platform indicator hunting for phishing IOCs. Enable when a hunting-capable platform is connected (e.g., Microsoft Defender 365). Expensive — runs per alert and queries connected platforms for all extracted IOCs."
 },
 "email_phishing_ml": {
 "enabled": false,
- "description": "ML-based phishing content scoring via Phishing - Machine Learning Analysis. Enable after deploying a Phishing ML model. Requires email body content from email_process_original or direct alert body fields. Note: not available in XSIAM \u2014 XSOAR deployments only."
+ "description": "ML-based phishing content scoring via Phishing - Machine Learning Analysis. Enable after deploying a Phishing ML model. Requires email body content from email_process_original or direct alert body fields. Note: not available in XSIAM — XSOAR deployments only."
 }
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
index b35be659..7c87f46e 100644
--- a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
+++ b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
@@ -1,853 +1,49 @@ { - "id": "SOCFrameworkActions_V3", - "name": "SOCFrameworkActions_V3", - "soc-isolate-endpoint": { - "responses": { - "Cortex Core - IR": { - "command": "core-isolate-endpoint", - "inline_args": { - "endpoint_id": "${SOCFramework.Artifacts.EndPointID}" - } - }, - "Trend Micro Vision One V3": { - "command": "trendmicro-visionone-isolate-endpoint", - "inline_args": { - "endpoint_identifiers": "${SOCFramework.Artifacts.EndPointID}" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-isolate-machine", - "inline_args": { - "machine_id": "${SOCFramework.Artifacts.EndPointID}", - "comment": "SOCFramework isolate endpoint", - "isolation_type": "Full" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-contain-host", - "inline_args": { - "agent_id": "${SOCFramework.Artifacts.EndPointID}" - } - } - }, - "shadow_mode": true - }, - "soc-deisolate-endpoint": { - "responses": { - "Cortex Core - IR": { - "command": "core-unisolate-endpoint", - "inline_args": { - "endpoint_id": "${SOCFramework.Artifacts.EndPointID}" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-unisolate-machine", - "inline_args": { - "machine_id": "${SOCFramework.Artifacts.EndPointID}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-lift-host-containment", - "inline_args": { - "agent_id": "${SOCFramework.Artifacts.EndPointID}" - } - } - }, - "shadow_mode": true - }, - "soc-kill-process": { - "responses": { - "Cortex Core - IR": { - "command": "core-run-script-kill-process", - "inline_args": { - "endpoint_ids": "${SOCFramework.Artifacts.EndPointID}", - "process_names": "${SOCFramework.Artifacts.ProcessName}" - } - }, - "Trend Micro Vision One V3": { - "command": "trendmicro-visionone-terminate-process", - "inline_args": { - "process_identifiers": "${SOCFramework.Artifacts.PID}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-run-command", - "inline_args": { - "host_ids": 
"${SOCFramework.Artifacts.EndPointID}", - "command_type": "runscript", - "full_command": "runscript -Raw=```Stop-Process -Id ${SOCFramework.Artifacts.PID} -Force -ErrorAction SilentlyContinue```" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-live-response-run-script", - "inline_args": { - "machine_id": "${SOCFramework.Artifacts.EndPointID}", - "script_name": "StopProcess.ps1", - "args": "${SOCFramework.Artifacts.PID}" - } - } - }, - "shadow_mode": true - }, - "soc-remove-file": { - "responses": { - "Cortex Core - IR": { - "command": "core-run-script-delete-file", - "inline_args": { - "endpoint_id": "${SOCFramework.Artifacts.EndPointID}", - "file_path": "${SOCFramework.Artifacts.FilePath}" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-stop-and-quarantine-file", - "inline_args": { - "machine_ids": "${SOCFramework.Artifacts.EndPointID}", - "file_hashes": "${SOCFramework.Artifacts.File}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-run-command", - "inline_args": { - "host_ids": "${SOCFramework.Artifacts.EndPointID}", - "command_type": "runscript", - "full_command": "runscript -Raw=```Remove-Item -Path '${SOCFramework.Artifacts.FilePath}' -Force -ErrorAction SilentlyContinue```" - } - } - }, - "shadow_mode": true - }, - "soc-remove-persistence": { - "responses": { - "Cortex Core - IR": { - "command": "core-script-run", - "inline_args": { - "endpoint_ids": "${SOCFramework.Artifacts.EndPointID}", - "script_name": "remove_persistence", - "parameters": "${SOCFramework.Artifacts.FilePath}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-run-command", - "inline_args": { - "host_ids": "${SOCFramework.Artifacts.EndPointID}", - "command_type": "runscript", - "full_command": "runscript -Raw=```Remove-ItemProperty -Path 'HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '${SOCFramework.Artifacts.ProcessName}' -ErrorAction SilentlyContinue; 
Unregister-ScheduledTask -TaskName '${SOCFramework.Artifacts.ProcessName}' -Confirm:$false -ErrorAction SilentlyContinue```" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-stop-and-quarantine-file", - "inline_args": { - "machine_ids": "${SOCFramework.Artifacts.EndPointID}", - "file_hashes": "${SOCFramework.Artifacts.File}" - } - } - }, - "shadow_mode": true - }, - "soc-delete-file": { - "responses": { - "Cortex Core - IR": { - "command": "core-run-script-delete-file", - "inline_args": { - "endpoint_id": "${SOCFramework.Artifacts.EndPointID}", - "file_path": "${SOCFramework.Artifacts.FilePath}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-run-command", - "inline_args": { - "host_ids": "${SOCFramework.Artifacts.EndPointID}", - "command_type": "runscript", - "full_command": "runscript -Raw=```Remove-Item -Path '${SOCFramework.Artifacts.FilePath}' -Force -ErrorAction SilentlyContinue```" - } - } - }, - "shadow_mode": true - }, - "soc-file-exists": { - "responses": { - "Cortex Core - IR": { - "command": "core-run-script-file-exists", - "inline_args": { - "endpoint_id": "${SOCFramework.Artifacts.EndPointID}", - "file_path": "${SOCFramework.Artifacts.FilePath}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-run-command", - "inline_args": { - "host_ids": "${SOCFramework.Artifacts.EndPointID}", - "command_type": "runscript", - "full_command": "runscript -Raw=```Test-Path -Path '${SOCFramework.Artifacts.FilePath}'```" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-live-response-get-file", - "inline_args": { - "machine_id": "${SOCFramework.Artifacts.EndPointID}", - "path": "${SOCFramework.Artifacts.FilePath}" - } - } - }, - "shadow_mode": false - }, - "soc-quarantine-files": { - "responses": { - "Cortex Core - IR": { - "command": "core-quarantine-files", - "inline_args": { - "endpoint_id_list": "${SOCFramework.Artifacts.EndPointID}", - "file_hash": 
"${SOCFramework.Artifacts.File}", - "file_path": "${SOCFramework.Artifacts.FilePath}" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-stop-and-quarantine-file", - "inline_args": { - "machine_ids": "${SOCFramework.Artifacts.EndPointID}", - "file_hashes": "${SOCFramework.Artifacts.File}" - } - } - }, - "shadow_mode": true - }, - "soc-disable-user": { - "responses": { - "Active Directory Query v2": { - "command": "disable-user", - "inline_args": { - "user_email": "${SOCFramework.Artifacts.UserEmail}", - "user_name": "${SOCFramework.Artifacts.UserName}", - "user_id": "${SOCFramework.Artifacts.UserID}" - } - }, - "Microsoft Graph User": { - "command": "disable-user", - "inline_args": { - "user_email": "${SOCFramework.Artifacts.UserEmail}", - "user_name": "${SOCFramework.Artifacts.UserName}", - "user_id": "${SOCFramework.Artifacts.UserID}" - } - }, - "Okta IAM": { - "command": "disable-user", - "inline_args": { - "user_email": "${SOCFramework.Artifacts.UserEmail}", - "user_name": "${SOCFramework.Artifacts.UserName}", - "user_id": "${SOCFramework.Artifacts.UserID}" - } - }, - "Okta v2": { - "command": "disable-user", - "inline_args": { - "user_email": "${SOCFramework.Artifacts.UserEmail}", - "user_name": "${SOCFramework.Artifacts.UserName}", - "user_id": "${SOCFramework.Artifacts.UserID}" - } - } - }, - "shadow_mode": true - }, - "soc-clear-sessions": { - "responses": { - "Okta v2": { - "command": "okta-clear-user-sessions", - "inline_args": { - "userId": "${SOCFramework.Artifacts.UserName}" - } - } - }, - "shadow_mode": true - }, - "soc-reset-password": { - "responses": { - "Active Directory Query v2": { - "command": "ad-set-new-password", - "inline_args": { - "sAMAccountName": "${SOCFramework.Artifacts.UserName}", - "password": "auto-generated" - } - }, - "Okta v2": { - "command": "okta-expire-password", - "inline_args": { - "userId": "${SOCFramework.Artifacts.UserName}" - } - } - }, - "shadow_mode": true - }, - 
"soc-revoke-tokens": { - "responses": { - "Okta v2": { - "command": "okta-clear-user-sessions", - "inline_args": { - "userId": "${SOCFramework.Artifacts.UserName}" - } - }, - "Entra ID Users": { - "command": "msgraph-user-account-disable", - "inline_args": { - "user": "${SOCFramework.Artifacts.UserName}" - } - } - }, - "shadow_mode": true - }, - "soc-enable-user": { - "responses": { - "Active Directory Query v2": { - "command": "ad-enable-account", - "inline_args": { - "sAMAccountName": "${SOCFramework.Artifacts.UserName}" - } - }, - "Okta v2": { - "command": "okta-activate-user", - "inline_args": { - "userId": "${SOCFramework.Artifacts.UserName}" - } - } - }, - "shadow_mode": true - }, - "soc-enrich-user": { - "responses": { - "Active Directory Query v2": { - "command": "ad-get-user", - "inline_args": { - "username": "${SOCFramework.Primary.User}" - } - }, - "Microsoft Graph User": { - "command": "msgraph-user-get", - "inline_args": { - "user": "${SOCFramework.Primary.User}" - } - }, - "Okta v2": { - "command": "okta-get-user", - "inline_args": { - "userId": "${SOCFramework.Primary.User}" - } - }, - "Okta IAM": { - "command": "iam-get-user", - "inline_args": { - "user_profile": "${SOCFramework.Primary.User}" - } - }, - "Google Workspace": { - "command": "gsuite-user-get", - "inline_args": { - "user-key": "${SOCFramework.Primary.Email}" - } - }, - "AWS - IAM": { - "command": "aws-iam-get-user", - "inline_args": { - "userName": "${SOCFramework.Primary.User}" - } - }, - "PingOne": { - "command": "pingone-get-user", - "inline_args": { - "userId": "${SOCFramework.Primary.User}" - } - } - }, - "shadow_mode": false - }, - "soc-enrich-endpoint": { - "responses": { - "Cortex Core - IR": { - "command": "core-get-endpoints", - "inline_args": { - "endpoint_id_list": "${SOCFramework.Primary.Endpoint}" - } - }, - "Carbon Black EDR": { - "command": "cb-edr-sensors-list", - "inline_args": { - "hostname": "${SOCFramework.Primary.Endpoint}" - } - }, - "Armis": { - "command": 
"armis-search-devices", - "inline_args": { - "name": "${SOCFramework.Primary.Endpoint}" - } - }, - "ExtraHop": { - "command": "extrahop-devices-search", - "inline_args": { - "name": "${SOCFramework.Primary.Endpoint}" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-search-device", - "inline_args": { - "filter": "${SOCFramework.Primary.Endpoint}" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-get-machine-details", - "inline_args": { - "machine_id": "${SOCFramework.Artifacts.EndPointID}" - } - } - }, - "shadow_mode": false - }, - "soc-enrich-file": { - "responses": { - "Cortex Core - IR": { - "command": "core-get-hash-analytics-prevalence", - "inline_args": { - "sha256": "${SOCFramework.Artifacts.Hash}" - }, - "output_map": { - "UC.Enrich.File.hash_prevalence_count": "Core.AnalyticsPrevalence.Hash.data.global_prevalence.value", - "UC.Enrich.File.prevalence": "Core.AnalyticsPrevalence.Hash.prevalence", - "UC.Enrich.File.verdict": "Core.AnalyticsPrevalence.Hash.data.description" - } - }, - "WildFire": { - "command": "wildfire-get-verdict", - "inline_args": { - "hash": "${SOCFramework.Artifacts.Hash}" - }, - "output_map": { - "UC.Enrich.File.verdict": "WildFire.Report.verdict", - "UC.Enrich.File.malicious": "WildFire.Report.malware_family" - } - }, - "VirusTotal (Private API)": { - "command": "vt-private-get-file-report", - "inline_args": { - "resource": "${SOCFramework.Artifacts.Hash}" - }, - "output_map": { - "UC.Enrich.File.verdict": "VirusTotal.File.Verdict", - "UC.Enrich.File.hash_prevalence_count": "VirusTotal.File.DetectionEngines" - } - } - }, - "shadow_mode": false - }, - "soc-enrich-ip": { - "responses": { - "Cortex Core - IR": { - "command": "core-get-IP-analytics-prevalence", - "inline_args": { - "ip_address": "${SOCFramework.Artifacts.IP}" - }, - "output_map": { - "UC.Enrich.IP.prevalence": "Core.AnalyticsPrevalence.IP.prevalence", - "UC.Enrich.IP.count": 
"Core.AnalyticsPrevalence.IP.data.global_prevalence.value" - } - }, - "VirusTotal (Private API)": { - "command": "vt-private-get-ip-report", - "inline_args": { - "ip": "${SOCFramework.Artifacts.IP}" - }, - "output_map": { - "UC.Enrich.IP.verdict": "VirusTotal.IP.Verdict", - "UC.Enrich.IP.detections": "VirusTotal.IP.DetectionEngines" - } - }, - "Recorded Future": { - "command": "recordedfuture-intelligence", - "inline_args": { - "entity": "${SOCFramework.Artifacts.IP}", - "entity_type": "ip" - }, - "output_map": { - "UC.Enrich.IP.risk_score": "RecordedFuture.IP.riskScore", - "UC.Enrich.IP.verdict": "RecordedFuture.IP.riskString" - } - } - }, - "shadow_mode": false - }, - "soc-enrich-domain": { - "responses": { - "Cortex Core - IR": { - "command": "core-get-domain-analytics-prevalence", - "inline_args": { - "domain": "${SOCFramework.Artifacts.Domain}" - }, - "output_map": { - "UC.Enrich.Domain.prevalence": "Core.AnalyticsPrevalence.Domain.prevalence", - "UC.Enrich.Domain.count": "Core.AnalyticsPrevalence.Domain.data.global_prevalence.value" - } - }, - "Cisco Umbrella": { - "command": "umbrella-domain-categorization", - "inline_args": { - "name": "${SOCFramework.Artifacts.Domain}" - }, - "output_map": { - "UC.Enrich.Domain.category": "Umbrella.Domain.category", - "UC.Enrich.Domain.risk_score": "Umbrella.Domain.risk_score" - } - }, - "Recorded Future": { - "command": "recordedfuture-intelligence", - "inline_args": { - "entity": "${SOCFramework.Artifacts.Domain}", - "entity_type": "domain" - }, - "output_map": { - "UC.Enrich.Domain.risk_score": "RecordedFuture.Domain.riskScore", - "UC.Enrich.Domain.verdict": "RecordedFuture.Domain.riskString" - } - } - }, - "shadow_mode": false - }, - "soc-enrich-ioc": { - "responses": { - "Cortex Core - IR": { - "command": "core-get-hash-analytics-prevalence", - "inline_args": { - "sha256": "${SOCFramework.Artifacts.Hash}" - } - }, - "Recorded Future": { - "command": "recordedfuture-intelligence", - "inline_args": { - "entity": 
"${SOCFramework.Artifacts.IP}", - "entity_type": "indicator" - } - }, - "Proofpoint TAP v2": { - "command": "proofpoint-get-forensics", - "inline_args": { - "threatId": "${SOCFramework.Artifacts.Hash}" - } - } - }, - "shadow_mode": false - }, - "soc-get-email-events": { - "responses": { - "Microsoft Graph Security (messages delivered)": { - "command": "msg-advanced-hunting", - "inline_args": { - "query": "${SOCFramework.Email.MessagesDeliveredQuery}" - }, - "output_map": { - "UC.Email.Events.recipients": "MsGraph.Hunt.results.To", - "UC.Email.Events.message_id": "MsGraph.Hunt.results.InternetMessageId" - } - }, - "Microsoft Graph Security (clicks permitted)": { - "command": "msg-advanced-hunting", - "inline_args": { - "query": "${SOCFramework.Email.ClicksPermittedQuery}" - }, - "output_map": { - "UC.Email.Events.clicks_permitted": "results.results", - "UC.Email.Events.clickers": "results.results.AccountUpn" - } - } - }, - "shadow_mode": false - }, - "soc-get-email-forensics": { - "responses": { - "Proofpoint TAP v2": { - "command": "proofpoint-get-forensics", - "inline_args": { - "threatId": "${SOCFramework.Email.threat_id}", - "campaignId": "${SOCFramework.Email.campaign_id}", - "includeCampaignForensics": "true" - }, - "output_map": { - "UC.Email.Forensics.behavior": "Proofpoint.Report.Behavior", - "UC.Email.Forensics.dns": "Proofpoint.Report.DNS", - "UC.Email.Forensics.network": "Proofpoint.Report.Network", - "UC.Email.Forensics.file": "Proofpoint.Report.File", - "UC.Email.Forensics.attachment": "Proofpoint.Report.Attachment" - } - } - }, - "shadow_mode": false - }, - "soc-retract-email": { - "responses": { - "Microsoft Graph": { - "command": "msgraph-mail-delete-email", - "inline_args": { - "user_id": "${SOCFramework.Email.recipient}", - "message_id": "${SOCFramework.Email.message_id}" - }, - "output_map": { - "UC.Email.Retract.status": "MicrosoftGraph.Mail.Delete.status", - "UC.Email.Retract.message": "MicrosoftGraph.Mail.Delete.message" - } - }, - "Gmail": { 
- "command": "gmail-delete-mail", - "inline_args": { - "user_id": "${SOCFramework.Email.recipient}", - "message_id": "${SOCFramework.Email.message_id}" - }, - "output_map": { - "UC.Email.Retract.status": "MicrosoftGraph.Mail.Delete.status", - "UC.Email.Retract.message": "MicrosoftGraph.Mail.Delete.message" - } - }, - "O365 Compliance": { - "command": "o365-sc-compliance-search-purge", - "inline_args": { - "search_name": "${SOCFramework.Email.ComplianceSearchName}", - "purge_type": "SoftDelete" - }, - "output_map": { - "UC.Email.Retract.status": "MicrosoftGraph.Mail.Delete.status", - "UC.Email.Retract.message": "MicrosoftGraph.Mail.Delete.message" - } - } - }, - "shadow_mode": true - }, - "soc-quarantine-email": { - "responses": { - "Trend Micro Vision One": { - "command": "trendmicro-visionone-quarantine-email-message", - "inline_args": { - "message_id": "${SOCFramework.Email.message_id}", - "mailbox": "${SOCFramework.Email.recipient}" - }, - "output_map": { - "UC.Email.Quarantine.status": "TrendMicro.QuarantineEmail.status", - "UC.Email.Quarantine.message": "TrendMicro.QuarantineEmail.message" - } - }, - "Mimecast": { - "command": "mimecast-reject-held-message", - "inline_args": { - "id": "${SOCFramework.Email.message_id}", - "reason": "Quarantined by SOC Framework automated response" - }, - "output_map": { - "UC.Email.Quarantine.status": "TrendMicro.QuarantineEmail.status", - "UC.Email.Quarantine.message": "TrendMicro.QuarantineEmail.message" - } - } - }, - "shadow_mode": true - }, - "soc-block-sender": { - "responses": { - "Mimecast": { - "command": "mimecast-create-blocked-sender-policy", - "inline_args": { - "sender": "${SOCFramework.Email.sender}", - "description": "Blocked by SOC Framework -- threat sender" - }, - "output_map": { - "UC.Email.BlockSender.status": "Mimecast.BlockedSender.status", - "UC.Email.BlockSender.message": "Mimecast.BlockedSender.message" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": 
"microsoft-atp-sc-indicator-create", - "inline_args": { - "indicator_value": "${SOCFramework.Email.sender}", - "indicator_type": "EmailSenderAddress", - "action": "BlockAndRemediate", - "description": "SOCFramework block sender", - "expiration_date_time": "90" - }, - "output_map": { - "UC.Email.BlockSender.status": "Mimecast.BlockedSender.status", - "UC.Email.BlockSender.message": "Mimecast.BlockedSender.message" - } - } - }, - "shadow_mode": true - }, - "soc-unblock-sender": { - "responses": { - "Mimecast": { - "command": "mimecast-delete-blocked-sender-policy", - "inline_args": { - "sender": "${SOCFramework.Email.sender}" - }, - "output_map": { - "UC.Email.UnblockSender.status": "Mimecast.DeleteBlockedSender.status", - "UC.Email.UnblockSender.message": "Mimecast.DeleteBlockedSender.message" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-sc-indicator-delete", - "inline_args": { - "indicator_value": "${SOCFramework.Email.sender}" - }, - "output_map": { - "UC.Email.UnblockSender.status": "Mimecast.DeleteBlockedSender.status", - "UC.Email.UnblockSender.message": "Mimecast.DeleteBlockedSender.message" - } - } - }, - "shadow_mode": true - }, - "soc-audit-inbox-rules": { - "responses": { - "Microsoft Graph": { - "command": "msgraph-mail-list-rules", - "inline_args": { - "user_id": "${SOCFramework.Email.recipient}" - }, - "output_map": { - "SOCFramework.Email.InboxRules": "MSGraphMail.Rules" - } - } - }, - "shadow_mode": false - }, - "soc-notify-user": { - "responses": { - "Mail Sender (New)": { - "command": "send-mail", - "inline_args": { - "to": "${SOCFramework.Email.recipient}", - "subject": "${SOCFramework.Comms.Email.subject}", - "body": "${SOCFramework.Comms.Email.body}" - }, - "output_map": { - "UC.Comms.Email.status": "SendMail.status", - "UC.Comms.Email.message": "SendMail.message" - } - }, - "Send Email v2": { - "command": "send-mail", - "inline_args": { - "to": "${SOCFramework.Email.recipient}", - "subject": 
"${SOCFramework.Comms.Email.subject}", - "body": "${SOCFramework.Comms.Email.body}" - }, - "output_map": { - "UC.Comms.Email.status": "SendMail.status", - "UC.Comms.Email.message": "SendMail.message" - } - } - }, - "shadow_mode": true - }, - "soc-detonate-file": { - "shadow_mode": false, - "description": "Submit file for sandbox analysis and return verdict. Cortex Core hash prevalence is the built-in baseline -- no integration required. Add WildFire, VirusTotal, or another sandbox for full dynamic detonation.", - "responses": { - "Cortex Core - IR": { - "command": "core-get-hash-analytics-prevalence", - "inline_args": { - "sha256": "${SOCFramework.Artifacts.Hash}" - } - }, - "WildFire v2": { - "command": "wildfire-upload-file", - "inline_args": { - "upload": "${SOCFramework.Artifacts.FilePath}", - "format": "auto" - } - }, - "WildFire v2 (hash)": { - "command": "wildfire-get-verdict", - "inline_args": { - "hash": "${SOCFramework.Artifacts.Hash}" - } - }, - "VirusTotal (Private API)": { - "command": "vt-private-get-file-report", - "inline_args": { - "resource": "${SOCFramework.Artifacts.Hash}" - } - }, - "Joe Security": { - "command": "joe-analysis-submit-sample", - "inline_args": { - "sample": "${SOCFramework.Artifacts.FilePath}" - } - }, - "CrowdStrike Falcon Sandbox v2": { - "command": "cs-fx-submit-uploaded-file", - "inline_args": { - "sha256": "${SOCFramework.Artifacts.Hash}", - "environment_id": "160" - } - } + "_schema": "SOC Framework shadow_mode production policy v1", + "_comment": [ + "Actions listed in 'production_allowed' have shadow_mode: false in SOCFrameworkActions_V3", + "and are explicitly approved to execute in full mode during PoV and production.", + "Every entry MUST have a 'reason' and a 'category'.", + "Categories: enrichment | analysis | read_only | comms", + "All C/E/R destructive actions (isolate, block, delete, reset, revoke, enable) must", + "remain shadow_mode: true and must NOT appear here until PS production handoff.", + "", + "Actions 
listed in 'dynamic_actions' have their action name resolved at runtime from", + "a context key or playbook input and cannot be statically validated. Each entry must", + "name the playbook and explain why static resolution is not possible.", + "These are warnings in CI, not hard failures." + ], + "production_allowed": { + "soc-get-email-events": { + "reason": "Read-only query -- retrieves email event history from vendor, no state change on any system.", + "category": "enrichment" + }, + "soc-get-email-forensics": { + "reason": "Read-only query -- retrieves forensic metadata for an email message, no state change.", + "category": "enrichment" + }, + "soc-file-exists": { + "reason": "Read-only check -- queries whether a file path exists on an endpoint, no modification.", + "category": "enrichment" + }, + "soc-enrich-file": { + "reason": "Read-only enrichment -- hash and reputation lookup against threat intel, no state change.", + "category": "enrichment" + }, + "soc-detonate-file": { + "reason": "Sandboxed execution -- file detonated in an isolated analysis environment, not on a production system.", + "category": "analysis" } }, - "soc-remove-inbox-rules": { - "responses": { - "Microsoft Graph Mail": { - "command": "msgraph-mail-delete-rule", - "inline_args": { - "user_id": "${SOCFramework.Email.recipient}", - "rule_id": "${SOCFramework.Email.InboxRules}" - }, - "output_map": { - "UC.Email.RemoveInboxRule.status": "MicrosoftGraph.Mail.Rule.Delete.status" - } - } - }, - "shadow_mode": true - }, - "soc-search-and-delete-email": { - "shadow_mode": true, - "responses": { - "O365 Compliance": { - "command": "o365-sc-compliance-search-purge", - "inline_args": { - "search_name": "${SOCFramework.Email.ComplianceSearch.Name}" - }, - "output_map": { - "UC.Email.SearchDelete.status": "O365.ComplianceSearch.Purge.status" - } - } + "dynamic_actions": { + "SOC_Email_Spread_Evaluation_V3": { + "task_id": "7", + "resolves_to": "soc-audit-inbox-rules", + "reason": "Action name is 
passed as a playbook input rather than hardcoded. Resolved action is soc-audit-inbox-rules which is listed in production_allowed above." } }, - "soc-block-indicators": { - "shadow_mode": true, - "responses": { - "Cortex Core - IR": { - "command": "core-blocklist-files", - "inline_args": { - "hash_list": "${SOCFramework.Artifacts.Email.SHA256}" - }, - "output_map": { - "UC.Email.BlockIndicator.status": "Core.BlockList.status" - } - }, - "CrowdStrike Falcon": { - "command": "cs-falcon-upload-custom-ioc", - "inline_args": { - "ioc_type": "sha256", - "value": "${SOCFramework.Artifacts.File}", - "action": "prevent", - "platforms": "windows", - "severity": "high", - "description": "SOC Framework -- Behavioral containment block" - }, - "output_map": { - "UC.Endpoint.BlockIndicator.status": "CrowdStrike.IOC.State" - } - }, - "Microsoft Defender Advanced Threat Protection": { - "command": "microsoft-atp-sc-indicator-create", - "inline_args": { - "indicator_value": "${SOCFramework.Artifacts.File}", - "indicator_type": "FileSha256", - "action": "AlertAndBlock", - "title": "SOCFramework Block", - "description": "Blocked by SOC Framework eradication" - } - } - } - } + "id": "SOCFrameworkActions_V3", + "name": "SOCFrameworkActions_V3", + "display_name": "shadow_mode_policy", + "type": "json" } diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json deleted file mode 100644 index 7c87f46e..00000000 --- a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json +++ /dev/null 
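Review bot: The new side of SOCFrameworkActions_V3_data.json is the verbatim content of shadow_mode_policy.json — the deleted file's `index 7c87f46e..00000000` is the same blob this hunk writes (`index b35be659..7c87f46e`), and the new body still carries `"display_name": "shadow_mode_policy"` — so every `soc-*` action map is gone from the list the framework reads: the per-vendor command routing and, with it, the `shadow_mode: true` guard on `soc-isolate-endpoint`, `soc-disable-user`, `soc-reset-password`, `soc-block-indicators`, `soc-delete-file` and the other destructive actions. The subject ("strip UI export artifacts, fix task IDs") does not call for removing action definitions, so this looks like an accidental overwrite; the policy's own `_comment` now points at `shadow_mode: false in SOCFrameworkActions_V3` entries that no longer exist. Whether SOCCommandWrapper fails closed or falls through when an action key is missing cannot be told from this diff, but either way the old action data should be restored here and the policy kept in its own file (or, if one file is wanted, nested under a distinct key such as `"_shadow_mode_policy"` so actions and policy cannot be confused again). Separately, the carried-over `dynamic_actions` entry says `soc-audit-inbox-rules` "is listed in production_allowed above", but `production_allowed` contains only the five email/file enrichment actions, so that justification is false as written and should either list `soc-audit-inbox-rules` (with its own reason and category) or drop the claim.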
@@ -1,49 +0,0 @@
-{
- "_schema": "SOC Framework shadow_mode production policy v1",
- "_comment": [
- "Actions listed in 'production_allowed' have shadow_mode: false in SOCFrameworkActions_V3",
- "and are explicitly approved to execute in full mode during PoV and production.",
- "Every entry MUST have a 'reason' and a 'category'.",
- "Categories: enrichment | analysis | read_only | comms",
- "All C/E/R destructive actions (isolate, block, delete, reset, revoke, enable) must",
- "remain shadow_mode: true and must NOT appear here until PS production handoff.",
- "",
- "Actions listed in 'dynamic_actions' have their action name resolved at runtime from",
- "a context key or playbook input and cannot be statically validated. Each entry must",
- "name the playbook and explain why static resolution is not possible.",
- "These are warnings in CI, not hard failures."
- ],
- "production_allowed": {
- "soc-get-email-events": {
- "reason": "Read-only query -- retrieves email event history from vendor, no state change on any system.",
- "category": "enrichment"
- },
- "soc-get-email-forensics": {
- "reason": "Read-only query -- retrieves forensic metadata for an email message, no state change.",
- "category": "enrichment"
- },
- "soc-file-exists": {
- "reason": "Read-only check -- queries whether a file path exists on an endpoint, no modification.",
- "category": "enrichment"
- },
- "soc-enrich-file": {
- "reason": "Read-only enrichment -- hash and reputation lookup against threat intel, no state change.",
- "category": "enrichment"
- },
- "soc-detonate-file": {
- "reason": "Sandboxed execution -- file detonated in an isolated analysis environment, not on a production system.",
- "category": "analysis"
- }
- },
- "dynamic_actions": {
- "SOC_Email_Spread_Evaluation_V3": {
- "task_id": "7",
- "resolves_to": "soc-audit-inbox-rules",
- "reason": "Action name is passed as a playbook input rather than hardcoded. 
Resolved action is soc-audit-inbox-rules which is listed in production_allowed above."
- }
- },
- "id": "SOCFrameworkActions_V3",
- "name": "SOCFrameworkActions_V3",
- "display_name": "shadow_mode_policy",
- "type": "json"
-}
diff --git a/Packs/soc-optimization-unified/Lists/SOCOptimizationConfig_V3/SOCOptimizationConfig_V3.json b/Packs/soc-optimization-unified/Lists/SOCOptimizationConfig_V3/SOCOptimizationConfig_V3.json
index daa3d9ed..3fcd98a2 100644
--- a/Packs/soc-optimization-unified/Lists/SOCOptimizationConfig_V3/SOCOptimizationConfig_V3.json
+++ b/Packs/soc-optimization-unified/Lists/SOCOptimizationConfig_V3/SOCOptimizationConfig_V3.json
@@ -1,28 +1,7 @@
 {
- "allRead": true,
- "allReadWrite": true,
- "cacheVersn": 0,
- "data": "-",
- "definitionId": "",
- "description": "",
- "detached": false,
- "fromServerVersion": "",
 "id": "SOCOptimizationConfig_V3",
- "isOverridable": false,
- "itemVersion": "",
- "locked": false,
 "name": "SOCOptimizationConfig_V3",
- "fromVersion": "6.5.0",
- "nameLocked": false,
- "packID": "",
- "packName": "",
- "previousAllRead": true,
- "previousAllReadWrite": true,
- "system": false,
- "tags": null,
- "toServerVersion": "",
- "truncated": false,
+ "display_name": "SOCOptimizationConfig_V3",
 "type": "json",
- "version": -1,
- "display_name": "SOCOptimizationConfig_V3"
+ "fromVersion": "6.5.0"
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json
index 647024c4..794c844c 100644
--- a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json
+++ b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3.json
@@ -1,28 +1,7 @@
 {
- "allRead": true,
- "allReadWrite": true,
- "cacheVersn": 0,
- "data": "-",
- "definitionId": "",
- "description": "",
- "detached": false,
- "fromServerVersion": "6.5.0",
 "id": "SOCProductCategoryMap_V3",
- "isOverridable": false,
- "itemVersion": "3.0.29",
- "locked": false,
 "name": "SOCProductCategoryMap_V3",
- "nameLocked": false,
- "packID": "",
- "packName": "",
- "previousAllRead": true,
- "previousAllReadWrite": true,
- "system": false,
- "tags": null,
- "toServerVersion": "",
- "truncated": false,
+ "display_name": "SOCProductCategoryMap_V3",
 "type": "json",
- "version": -1,
- "fromVersion": "6.5.0",
- "display_name": "SOCProductCategoryMap_V3"
+ "fromVersion": "6.5.0"
 }
diff --git a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json
index 50a578c8..416e0fc9 100644
--- a/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json
+++ b/Packs/soc-optimization-unified/Lists/SOCProductCategoryMap_V3/SOCProductCategoryMap_V3_data.json
@@ -211,7 +211,7 @@
 "category": "Email",
 "type": "SEG",
 "confidence": "high",
- "_note": "Smoke test belt-and-suspenders \u2014 product-only normalization",
+ "_note": "Smoke test belt-and-suspenders — product-only normalization",
 "response": "Proofpoint TAP v2"
 },
 "ds_proofpoint_tap": {
diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Assessment.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Assessment_V3.yml
similarity index 93%
rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Assessment.yml
rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Assessment_V3.yml
index e4b0bf0f..c1e81ac2 100644
--- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Assessment.yml
+++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Assessment_V3.yml
@@ -1,7 +1,8 @@ +adopted: true id: Foundation - Assessment_V3 -version: 3 +version: -1 contentitemexportablefields: - contentitemfields: + '9': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.19 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Assessment_V3 description: |+ Evaluates our enrichment flags, and severity value(s) to formalize a final severity score @@ -97,7 +97,4 @@ view: |- } inputs: [] outputs: [] -sourceplaybookid: Foundation - Upon Trigger -dirtyInputs: true -adopted: true fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Case_Sync.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Case_Sync_V3.yml similarity index 96% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Case_Sync.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Case_Sync_V3.yml index c955e2c2..d83c9181 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Case_Sync.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Case_Sync_V3.yml @@ -1,6 +1,6 @@ adopted: true contentitemexportablefields: - contentitemfields: + '18': definitionid: "" fromServerVersion: 5.0.0 isoverridable: false @@ -14,12 +14,10 @@ description: |+ Generates/Updates the Case Alert Ledger Notifies incident owner of new issue addition -dirtyInputs: true id: 'Foundation - Case Sync_V3' inputs: [] name: Foundation - Case Sync_V3 outputs: [] -sourceplaybookid: Foundation - Upon Trigger starttaskid: "0" tags: - SOC diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml index 2ecc51fe..de522953 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Data_Integrity_V3.yml 
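Review bot: The mapping key `contentitemfields:` under `contentitemexportablefields` is replaced by the numeric key `'9':` in the first hunk, which leaves the export-field block in place under a key no playbook schema recognises instead of stripping it; the same substitution appears as `'18':` in Foundation - Case Sync_V3 and as other numeric keys in the Data Integrity, Dedup, Enrichment, Environment Detection, Escalation, Get Alert Tasks, Normalize Artifacts, Normalize Cloud and Normalize Email files. The numbers look like a task counter leaking from the task-ID rewrite into ordinary YAML keys, so the normalization script presumably matched on mapping position rather than on the `taskid`/`task.id` pair it meant to fix. Either restore `contentitemfields:` or drop the whole `contentitemexportablefields` block together with the other UI export artifacts this commit removes. A CI check that every top-level key of a playbook is a known schema field would catch this class of regression before it reaches a server import.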
@@ -1,7 +1,7 @@ -fromversion: 5.0.0 adopted: true +fromversion: 5.0.0 contentitemexportablefields: - contentitemfields: + '29': definitionid: "" fromServerVersion: 5.0.0 isoverridable: false @@ -15,20 +15,10 @@ description: | Core fields are evaluated Unpopulated core fields refer to alternatives for values Field values are evaluated for formatting and syntax -dirtyInputs: true id: 'Foundation - Data Integrity_V3' -inputSections: - - description: Generic group for inputs - inputs: [] - name: General (Inputs group) inputs: [] name: Foundation - Data Integrity_V3 -outputSections: - - description: Generic group for outputs - name: General (Outputs group) - outputs: [] outputs: [] -sourceplaybookid: Foundation - Upon Trigger starttaskid: "0" tags: - SOC diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup_V3.yml similarity index 97% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup_V3.yml index c1998b61..39cb5e18 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Dedup_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 5.0.0 id: Foundation - Dedup_V3 -version: 15 +version: -1 contentitemexportablefields: - contentitemfields: + '29': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.7.4 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Dedup_V3 description: | Uses alert fingerprinting to detect duplicate alerts within the dedup window. 
@@ -95,7 +95,7 @@ tasks: description: |- Finds past similar alerts based on alert fields' similarity. Includes an option to also display indicators similarity. Note: For the similarity calculation, at least one field must be provided in one of the "similarTextField", "similarCategoricalField", or "similarJsonField" arguments. - scriptName: DBotFindSimilarAlerts + script: DBotFindSimilarAlerts type: regular iscommand: false brand: "" @@ -222,7 +222,7 @@ tasks: version: -1 name: Print Dedup Skipped Warning description: Prints text to war room (Markdown supported) - scriptName: Print + script: Print type: regular iscommand: false brand: "" @@ -362,7 +362,7 @@ tasks: closed by dedup. No issues are modified. tags: - Auto-Triage - scriptName: Print + script: Print type: regular iscommand: false brand: "" @@ -405,7 +405,7 @@ tasks: then applies the min transformer to determine the canonical case. The alert with the lowest ID is the winner — deterministic, race-free, no coordination required. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -506,7 +506,7 @@ tasks: version: -1 name: Print Winner Note description: Prints text to war room (Markdown supported) - scriptName: Print + script: Print type: regular iscommand: false brand: "" @@ -547,7 +547,7 @@ tasks: version: -1 name: Print Self-Close Note description: Prints text to war room (Markdown supported) - scriptName: Print + script: Print type: regular iscommand: false brand: "" @@ -637,7 +637,7 @@ tasks: winner_id and alert_id together convey the outcome — XQL consumers determine canonical vs duplicate by comparing the two fields. Both the winner path and self-close path converge here. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" 
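Review bot: `scriptName: DBotFindSimilarAlerts` becomes `script: DBotFindSimilarAlerts` in every task hunk here, and the same rename appears in the Enrichment, Environment Detection, Get Alert Tasks, Normalize Cloud and Normalize Email files, which changes the field the server resolves the automation by rather than removing an export artifact. Content-repo playbooks conventionally keep automations in `scriptName:` and use `script:` for brand-qualified commands written as `'|||command'`, so if the target server does not accept a bare automation name in `script:`, every regular task in these playbooks fails to resolve at import or run time. Confirm the resolution rule against the import path before merging, or revert the automation tasks to `scriptName:`.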
@@ -738,14 +738,14 @@ view: |- } inputs: - key: DryRun - value: + '30': simple: "true" required: false description: When true, prints duplicate issues that would be closed without executing any close actions. Use for smoke testing after deployment. playbookInputQuery: null - key: DedupWindow - value: + '30': complex: root: lists accessor: SOCOptimizationConfig_V3 @@ -770,7 +770,7 @@ inputs: Default: 1 days ago.' playbookInputQuery: null - key: DedupScoreThreshold - value: + '30': complex: root: lists accessor: SOCOptimizationConfig_V3 @@ -794,18 +794,4 @@ inputs: description: 'If parent incident predicted_score is at or above this value, dedup is bypassed. Read from SOCOptimizationConfig_V3. Default: 70.' playbookInputQuery: null -inputSections: -- inputs: - - DryRun - - DedupWindow - - DedupScoreThreshold - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs outputs: [] -sourceplaybookid: Foundation - Upon Trigger -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml index 594f0942..b4ffcb5b 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Enrichment_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 8.0.0 id: Foundation - Enrichment_V3 -version: 13 +version: -1 contentitemexportablefields: - contentitemfields: + '64': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.3.13 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Enrichment_V3 description: 'Identifies the core fields present and starts tailored enrichment pipelines 
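Review bot: In the `inputs:` hunks the `value:` key of DryRun, DedupWindow and DedupScoreThreshold is replaced by `'30':`, so the default `simple: "true"` for DryRun and the `SOCOptimizationConfig_V3` list lookups for the other two no longer sit under a key the playbook input schema reads; the same substitution appears as `'65':` under the Enrichment inputs and `'18':` under the Normalize Artifacts `ProductKey` input. For Dedup this is a safety regression rather than a cosmetic one: the input description says DryRun "prints duplicate issues that would be closed without executing any close actions", and with its default detached the playbook would presumably run without the dry-run guard unless a caller sets the input explicitly. Restore `value:` on all three inputs here and in the two other files, and keep the DryRun default of `"true"` so a fresh deployment stays non-destructive until it is deliberately switched.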
@@ -88,7 +88,7 @@ tasks: \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -501,7 +501,7 @@ view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n : 50\n }\n }\n}" inputs: - key: CategoryType - value: + '65': complex: root: issue accessor: categoryname @@ -511,43 +511,27 @@ inputs: description: What Category of Alert is this? (malware, phishing, etc.) playbookInputQuery: null - key: ip - value: + '65': simple: ${SOCFramework.Artifacts.IP} required: false description: '' playbookInputQuery: null - key: file - value: + '65': simple: ${SOCFramework.Artifacts.File} required: false description: '' playbookInputQuery: null - key: url - value: + '65': simple: ${SOCFramework.Artifacts.URL} required: false description: '' playbookInputQuery: null - key: domain - value: + '65': simple: ${SOCFramework.Artifacts.Domain} required: false description: '' playbookInputQuery: null -inputSections: -- inputs: - - CategoryType - - ip - - file - - url - - domain - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs outputs: [] -sourceplaybookid: Foundation - Enrichment_V3 -dirtyInputs: true -adopted: true 
diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Environment_Detection.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Environment_Detection_V3.yml similarity index 91% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Environment_Detection.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Environment_Detection_V3.yml index 564e2f25..2bda1f2d 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Environment_Detection.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Environment_Detection_V3.yml @@ -1,7 +1,8 @@ +adopted: true id: Foundation - Environment Detection_V3 -version: 16 +version: -1 contentitemexportablefields: - contentitemfields: + '20': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.16 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Environment Detection_V3 description: | Identify Non-Production Use Cases @@ -121,7 +121,7 @@ tasks: version: -1 name: Set Shadow Mode / Full Run description: Set a value in context under the key you entered. - scriptName: Set + script: Set type: regular iscommand: false brand: "" @@ -180,20 +180,8 @@ view: |- } } inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: - - SOCFramework.shadow_mode - name: General (Outputs group) - description: Generic group for outputs outputs: - contextPath: SOCFramework.shadow_mode description: Are all playbooks running in Full Mode or Shadow Mode type: boolean -sourceplaybookid: Foundation - Upon Trigger -dirtyInputs: true -adopted: true fromversion: 5.0.0 
diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Error_Handling.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Error_Handling_V3.yml similarity index 100% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Error_Handling.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Error_Handling_V3.yml index e0a7f30d..226b96b0 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Error_Handling.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Error_Handling_V3.yml @@ -1,3 +1,4 @@ +adopted: true id: 'Foundation - Error Handling_V3' inputs: [] name: Foundation - Error Handling_V3 @@ -155,4 +156,3 @@ view: |- } } } -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Escalation.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Escalation_V3.yml similarity index 97% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Escalation.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Escalation_V3.yml index 86656d6e..e721c3dd 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Escalation.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Escalation_V3.yml @@ -1,6 +1,6 @@ adopted: true contentitemexportablefields: - contentitemfields: + '18': definitionid: "" fromServerVersion: 5.0.0 isoverridable: false @@ -13,12 +13,10 @@ contentitemexportablefields: description: | Handles dispatching pagerduty alert / SOC email Identifies if another alert within the incident already paged -dirtyInputs: true id: 'Foundation - Escalation_V3' inputs: [] name: Foundation - Escalation_V3 outputs: [] -sourceplaybookid: Foundation - Upon Trigger starttaskid: "0" tags: - SOC diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Get_Alert_Tasks_and_Store_to_Dataset_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Get_Alert_Tasks_and_Store_to_Dataset_V3.yml index 8b7f9db8..30ed2168 100644 
--- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Get_Alert_Tasks_and_Store_to_Dataset_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Get_Alert_Tasks_and_Store_to_Dataset_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 5.0.0 id: Foundation - Get Alert Tasks and Store to Dataset_V3 -version: 5 +version: -1 contentitemexportablefields: - contentitemfields: + '9': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.3.1 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Get Alert Tasks and Store to Dataset_V3 tags: - SOC @@ -60,7 +60,7 @@ tasks: name: Foundation - Get Alert Tasks description: Get all tasks for a specific alert by the given state, name and/or tag. - scriptName: GetAlertTasks + script: GetAlertTasks type: regular iscommand: false brand: "" @@ -189,7 +189,7 @@ tasks: This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations - scriptName: DeleteContext + script: DeleteContext type: regular iscommand: false brand: "" @@ -231,7 +231,7 @@ tasks: version: -1 name: Create Object description: Set a value in context under the key you entered. - scriptName: Set + script: Set type: regular iscommand: false brand: "" @@ -390,16 +390,5 @@ inputs: required: false description: The Alert ID playbookInputQuery: null -inputSections: -- inputs: - - Alert - name: General (Inputs group) V3 - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs outputs: [] quiet: true -dirtyInputs: true -adopted: true 
diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Artifacts_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Artifacts_V3.yml index 1cd78d92..df400e6d 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Artifacts_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Artifacts_V3.yml @@ -1,9 +1,9 @@ adopted: true fromversion: 5.0.0 id: Foundation - Normalize Artifacts_V3 -version: 9 +version: -1 contentitemexportablefields: - contentitemfields: + '17': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.3.1 @@ -13,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Artifacts_V3 description: Routes to the per-product normalizer based on SOCFramework.Product.category. Follows the SOC Analysis_V3 pattern — one condition, one branch fires, all paths @@ -30,7 +29,7 @@ tasks: taskid: 87571fef-30de-4eb7-b425-aefb49745ea9 type: start task: - id: 7a66de4e-44d5-481d-b4e4-cff41a9e3330 + id: 87571fef-30de-4eb7-b425-aefb49745ea9 version: -1 name: '' iscommand: false @@ -55,7 +54,7 @@ tasks: taskid: 24b303f7-6c51-44cc-849a-1ebb5c97dd1d type: title task: - id: d4424932-8242-4ac6-8075-b53408cc6b14 + id: 24b303f7-6c51-44cc-849a-1ebb5c97dd1d version: -1 name: Done type: title @@ -78,7 +77,7 @@ tasks: taskid: f56e7f8f-d9ae-4042-a0e1-9c575880e17c type: condition task: - id: 79a8454b-cd2b-46de-a70f-4ddb53243a9a + id: f56e7f8f-d9ae-4042-a0e1-9c575880e17c version: -1 name: Product Category description: Routes to per-product normalizer based on SOCFramework.Product.category. 
@@ -171,7 +170,7 @@ tasks: taskid: b364d42a-5ac8-4b1d-baef-8864b2f0474b type: playbook task: - id: 58b380eb-5a2f-4a12-b792-61ec9aefe0b3 + id: b364d42a-5ac8-4b1d-baef-8864b2f0474b version: -1 name: Foundation - Normalize Email description: Reads issue.* and writes SOCFramework.Email.* keys. @@ -205,7 +204,7 @@ tasks: taskid: 1cb74ad7-1eba-4aec-b8a0-00dad4fcdfb2 type: playbook task: - id: 73a6a279-b95c-4126-ba5f-dfcc60b2ebb7 + id: 1cb74ad7-1eba-4aec-b8a0-00dad4fcdfb2 version: -1 name: Foundation - Normalize Endpoint description: Reads issue.* and writes SOCFramework.Endpoint.* keys. @@ -239,7 +238,7 @@ tasks: taskid: 9c0be043-05f2-4b6b-a6c4-96cc6b1cdd2b type: playbook task: - id: 2ccc98dc-680e-4c13-b359-3b14d6c947f6 + id: 9c0be043-05f2-4b6b-a6c4-96cc6b1cdd2b version: -1 name: Foundation - Normalize Identity description: Reads issue.* and writes SOCFramework.Identity.* keys. @@ -273,7 +272,7 @@ tasks: taskid: 7a89d33e-b622-4b52-aeaa-d8746b2c3519 type: playbook task: - id: 4f7d8380-7ea5-41a8-b8d3-0bc557d4d7c3 + id: 7a89d33e-b622-4b52-aeaa-d8746b2c3519 version: -1 name: Foundation - Normalize Network description: Reads issue.* and writes SOCFramework.Network.* keys. @@ -307,7 +306,7 @@ tasks: taskid: e41e64b2-48f4-4893-80ae-07bcbe4bcc2c type: playbook task: - id: 33a07635-ae9a-4a01-bb9c-db374febb31b + id: e41e64b2-48f4-4893-80ae-07bcbe4bcc2c version: -1 name: Foundation - Normalize Cloud description: Reads issue.* and writes SOCFramework.Cloud.* keys. @@ -341,7 +340,7 @@ tasks: taskid: 055c73d7-9204-49ba-a802-aa1be55779ac type: playbook task: - id: 01f55060-330b-4e70-8a45-9ba64257de3c + id: 055c73d7-9204-49ba-a802-aa1be55779ac version: -1 name: Foundation - Normalize Generic description: Reads issue.* and writes SOCFramework.Generic.* keys. 
@@ -375,22 +374,11 @@ view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 700, "width 2400, "x": -1200, "y": 50}}}' inputs: - key: ProductKey - value: + '18': simple: ${SOCFramework.Product.category} required: false description: The product category key used to route to the correct per-product normalizer. Defaults to SOCFramework.Product.category set by Foundation - Product Classification_V3. Override only when calling this playbook directly with a known category. playbookInputQuery: null -inputSections: -- inputs: - - ProductKey - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: SOCFramework Contract - description: SOCFramework.{Category}.* keys — see individual normalizer for specifics. outputs: [] -sourceplaybookid: Foundation - Enrichment_V3 -dirtyInputs: false diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Cloud_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Cloud_V3.yml index be395c97..96847a31 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Cloud_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Cloud_V3.yml @@ -1,9 +1,9 @@ adopted: true fromversion: 5.0.0 id: Foundation - Normalize Cloud_V3 -version: 1 +version: -1 contentitemexportablefields: - contentitemfields: + '26': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.5.0 @@ -13,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Cloud_V3 description: Normalizes Cloud alert fields into the SOCFramework.Cloud.* contract. Reads issue.* directly. Sequential chain — one connection per task. 
@@ -29,7 +28,7 @@ tasks: taskid: 153fb4ab-e370-4311-b805-7040d22ad1c7 type: start task: - id: 6120cc99-27f6-4a26-8d1a-27cb32b4cc3d + id: 153fb4ab-e370-4311-b805-7040d22ad1c7 version: -1 name: '' iscommand: false @@ -54,7 +53,7 @@ tasks: taskid: e8299def-f7ab-4027-ad9a-82e0463d37e8 type: title task: - id: ee171dbe-58b0-4b50-a7d5-4b284b620a1c + id: e8299def-f7ab-4027-ad9a-82e0463d37e8 version: -1 name: Set SOCFramework.Cloud Fields type: title @@ -80,7 +79,7 @@ tasks: taskid: c579beda-abde-414b-9701-6adc32059a30 type: title task: - id: 51612973-d436-4424-a272-ee197de6c0d5 + id: c579beda-abde-414b-9701-6adc32059a30 version: -1 name: Done type: title @@ -103,10 +102,10 @@ tasks: taskid: 7cab9531-ab46-42d5-9f48-bd2c0a5b7929 type: regular task: - id: 1f09d88c-b66f-48bf-97e4-e4e94f765d93 + id: 7cab9531-ab46-42d5-9f48-bd2c0a5b7929 version: -1 name: Set principal - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -138,10 +137,10 @@ tasks: taskid: d61ba44c-3cd0-4b25-a29c-51f6ee441165 type: regular task: - id: 450c55bb-3fff-4efe-8e1b-77387d7229b3 + id: d61ba44c-3cd0-4b25-a29c-51f6ee441165 version: -1 name: Set principal_id - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -173,10 +172,10 @@ tasks: taskid: 7f2d2e5d-fc10-4aec-b675-9a0155194746 type: regular task: - id: 59f41843-b2ba-4a35-a7e2-87cc4a28afbb + id: 7f2d2e5d-fc10-4aec-b675-9a0155194746 version: -1 name: Set principal_type - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -208,10 +207,10 @@ tasks: taskid: fd583f15-6964-4ac0-b4ea-ab53533928d4 type: regular task: - id: 1e5a91fa-e01a-49ba-bb00-e3dfdadd9c69 + id: fd583f15-6964-4ac0-b4ea-ab53533928d4 version: -1 name: Set resource - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -243,10 +242,10 @@ tasks: taskid: 4f69775d-4173-40cb-b0fb-63b8f51a2b5d type: regular task: - id: 6b553702-3c6c-4021-ba94-9078415910d5 + id: 4f69775d-4173-40cb-b0fb-63b8f51a2b5d version: -1 name: Set resource_type - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -278,10 +277,10 @@ tasks: taskid: fe46d515-bd92-4f93-8cb5-2bfc9e6c833d type: regular task: - id: 11b379e9-3efa-4480-90fa-c916b869b48d + id: fe46d515-bd92-4f93-8cb5-2bfc9e6c833d version: -1 name: Set cloud_account - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -313,10 +312,10 @@ tasks: taskid: 1f643df5-4a21-413d-93bf-bf1544903106 type: regular task: - id: 9eda8888-8ed2-46f6-8909-a239e01e938e + id: 1f643df5-4a21-413d-93bf-bf1544903106 version: -1 name: Set region - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -348,10 +347,10 @@ tasks: taskid: 1792676d-42b6-49e5-9922-8bf371c4cd09 type: regular task: - id: 9e76269f-66bc-48e6-b3d5-b4bc3c6f552f + id: 1792676d-42b6-49e5-9922-8bf371c4cd09 version: -1 name: Set cloud_provider - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -383,10 +382,10 @@ tasks: taskid: c42d0299-ec11-40e5-bd48-08ffc7e31e83 type: regular task: - id: 43ae9e40-a459-45f5-b2f4-d7195d898b1b + id: c42d0299-ec11-40e5-bd48-08ffc7e31e83 version: -1 name: Set action - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -418,10 +417,10 @@ tasks: taskid: 0e178be6-1d51-453c-ae26-300f5bc43e9c type: regular task: - id: 17120c5a-0704-449f-821a-0dc604efb2a3 + id: 0e178be6-1d51-453c-ae26-300f5bc43e9c version: -1 name: Set action_status - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -453,10 +452,10 @@ tasks: taskid: 29882cf9-54a4-48fc-b054-725c54c133bc type: regular task: - id: b9cf526e-ff12-4321-80e3-7bdd065707bf + id: 29882cf9-54a4-48fc-b054-725c54c133bc version: -1 name: Set error_code - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -488,10 +487,10 @@ tasks: taskid: 048cebca-6b67-4085-9822-df002652590a type: regular task: - id: c1f57926-44f2-4386-a0ac-56a88f4a0107 + id: 048cebca-6b67-4085-9822-df002652590a version: -1 name: Set source_ip - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -523,10 +522,10 @@ tasks: taskid: e4de0603-f455-4cf6-b7cd-46a8ffd28c4b type: regular task: - id: dabd7ec9-2696-40f5-a36f-c2c7ca096350 + id: e4de0603-f455-4cf6-b7cd-46a8ffd28c4b version: -1 name: Set user_agent - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -558,10 +557,10 @@ tasks: taskid: 5c2e3769-230a-4dc7-ac0a-74ec1b1dd66b type: regular task: - id: 93c02e8d-29e4-4987-a6f5-abfabb07896b + id: 5c2e3769-230a-4dc7-ac0a-74ec1b1dd66b version: -1 name: Set risk_score - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -593,10 +592,10 @@ tasks: taskid: d097616a-e39b-48c0-9ad6-834245444c74 type: regular task: - id: 80126315-555a-4313-8ec2-045277068d67 + id: d097616a-e39b-48c0-9ad6-834245444c74 version: -1 name: Set normalization_source - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -626,29 +625,6 @@ tasks: view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 2900, "width": 380, "x": 280, "y": 50}}}' inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: '' -outputSections: -- outputs: - - SOCFramework.Cloud.principal - - SOCFramework.Cloud.principal_id - - SOCFramework.Cloud.principal_type - - SOCFramework.Cloud.resource - - SOCFramework.Cloud.resource_type - - SOCFramework.Cloud.cloud_account - - SOCFramework.Cloud.region - - SOCFramework.Cloud.cloud_provider - - SOCFramework.Cloud.action - - SOCFramework.Cloud.action_status - - SOCFramework.Cloud.error_code - - SOCFramework.Cloud.source_ip - - SOCFramework.Cloud.user_agent - - SOCFramework.Cloud.risk_score - - SOCFramework.Cloud.normalization_source - name: SOCFramework Cloud Contract - description: SOCFramework.Cloud.* keys for downstream NIST IR lifecycle outputs: - contextPath: SOCFramework.Cloud.principal description: A/C/E - IAM principal diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Email_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Email_V3.yml index cef8b2f9..518fb27b 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Email_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Email_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 5.0.0 id: Foundation - Normalize Email_V3 -version: 4 +version: -1 contentitemexportablefields: - contentitemfields: + '46': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.5.0 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Email_V3 description: Normalizes Email alert fields into the SOCFramework.Email.* contract. Two paths — gateway SEG alerts (issue.fw_email_sender populated) and Mail Listener 
@@ -95,7 +95,7 @@ tasks:
 id: f5d6ef13-4a6a-4469-bdf5-89e861e38329
 version: -1
 name: Set sender
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -136,7 +136,7 @@ tasks:
 id: bfa16d57-7c66-4f05-b2d6-b1533a1ac74a
 version: -1
 name: Set recipient
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -177,7 +177,7 @@ tasks:
 id: 9f432db2-ed84-462b-a3d2-ed07ef2a05dd
 version: -1
 name: Set subject
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -218,7 +218,7 @@ tasks:
 id: 79579338-943e-4ef6-8628-b6f33af92372
 version: -1
 name: Set message_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -259,7 +259,7 @@ tasks:
 id: 59474540-2433-46ce-9b29-52a496eb8969
 version: -1
 name: Set sender_ip
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -300,7 +300,7 @@ tasks:
 id: e9705879-d48e-4ca4-8797-ed4ac4fad569
 version: -1
 name: Set reported_by
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -341,7 +341,7 @@ tasks:
 id: df2a4c4f-bcb2-4b5c-9d9b-5fa581e8cf20
 version: -1
 name: Set threat_url
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -382,7 +382,7 @@ tasks:
 id: 2faa8f6a-3409-4f0d-a228-2016a82b1079
 version: -1
 name: Set threat_type
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -423,7 +423,7 @@ tasks:
 id: 3d97f0de-b191-411e-b519-6f32b5a59758
 version: -1
 name: Set threat_status
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -464,7 +464,7 @@ tasks:
 id: b8869d9e-2231-4d72-8a5a-5cfdf107b709
 version: -1
 name: Set threat_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -505,7 +505,7 @@ tasks:
 id: 521073fb-9004-4919-9d94-8a6b57a482fb
 version: -1
 name: Set classification
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -546,7 +546,7 @@ tasks:
 id: 9eecbac3-834d-40ba-a60f-5dd8d5bb934c
 version: -1
 name: Set phish_score
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -587,7 +587,7 @@ tasks:
 id: 960b1635-ab00-4d99-a880-61618176357e
 version: -1
 name: Set malware_score
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -628,7 +628,7 @@ tasks:
 id: c840b5ef-3fe9-4e4a-9ca8-9b759f2ccb8c
 version: -1
 name: Set delivery_action
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -669,7 +669,7 @@ tasks:
 id: d0c5f4c6-8f40-4380-b780-57925fc098c0
 version: -1
 name: Set direction
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -710,7 +710,7 @@ tasks:
 id: bb60e6da-5c61-4ba3-94ed-1d2811c2ec94
 version: -1
 name: Set attachment_name
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -751,7 +751,7 @@ tasks:
 id: 213076ed-c21e-4c6b-9e15-a8fa56eb8128
 version: -1
 name: Set attachment_sha256
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -792,7 +792,7 @@ tasks:
 id: f9647cc4-5870-494d-921d-7b3337d4bc43
 version: -1
 name: Set campaign_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ""
@@ -833,7 +833,7 @@ tasks: id: 5880c5fd-450c-406b-b425-6fe0bbf62c2f version: -1 name: Set click_ip - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -874,7 +874,7 @@ tasks: id: 6e7ba831-35d5-4bc2-a755-98b1b8ea9636 version: -1 name: Set click_time - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -915,7 +915,7 @@ tasks: id: f9196f93-6537-4647-b0db-9a3e756c5b64 version: -1 name: Set normalization_source - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1058,7 +1058,7 @@ tasks: id: e8f1b11e-1108-434f-89eb-a1002d53cc46 version: -1 name: Set recipient from rawJSON - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1108,7 +1108,7 @@ tasks: id: 9661004b-5ac4-49dc-9de1-b94c70363a28 version: -1 name: Set subject from rawJSON - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1158,7 +1158,7 @@ tasks: id: 0eaf176a-1ff8-44a8-ab09-755de71d7c10 version: -1 name: Set message_id from rawJSON - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1210,7 +1210,7 @@ tasks: name: Set reported_by from alert description: Mail Listener sets issue.reporteremailaddress — the user who forwarded the suspicious email to the abuse mailbox. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1251,7 +1251,7 @@ tasks: id: 134eeb4c-8976-434a-a4a4-b4415bc5c05b version: -1 name: Set normalization_source (mail_listener) - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" 
@@ -1294,7 +1294,7 @@ tasks: name: Set Artifacts.Email.From alias description: Alias SOCFramework.Artifacts.Email.From from SOCFramework.Email.sender. Consumed by Signal Characterization, IOC Enrichment, and C/E/R warroom logs. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1337,7 +1337,7 @@ tasks: name: Set Artifacts.Email.To alias description: Alias SOCFramework.Artifacts.Email.To from SOCFramework.Email.recipient. Consumed by Signal Characterization, IOC Enrichment, and C/E/R warroom logs. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1380,7 +1380,7 @@ tasks: name: Set Artifacts.Email.Subject alias description: Alias SOCFramework.Artifacts.Email.Subject from SOCFramework.Email.subject. Consumed by Signal Characterization, IOC Enrichment, and C/E/R warroom logs. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1423,7 +1423,7 @@ tasks: name: Set Artifacts.Email.MessageID alias description: Alias SOCFramework.Artifacts.Email.MessageID from SOCFramework.Email.message_id. Consumed by Signal Characterization, IOC Enrichment, and C/E/R warroom logs. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1466,7 +1466,7 @@ tasks: name: Set Artifacts.Email.ThreatType alias description: Alias SOCFramework.Artifacts.Email.ThreatType from SOCFramework.Email.threat_type. Consumed by Signal Characterization, IOC Enrichment, and C/E/R warroom logs. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" 
@@ -1509,7 +1509,7 @@ tasks: name: Set Artifacts.Email.ThreatURL alias description: Alias SOCFramework.Artifacts.Email.ThreatURL from SOCFramework.Email.threat_url. Consumed by Signal Characterization, IOC Enrichment, and C/E/R warroom logs. - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -1556,36 +1556,6 @@ view: |- } } inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: "" -outputSections: -- outputs: - - SOCFramework.Email.sender - - SOCFramework.Email.recipient - - SOCFramework.Email.subject - - SOCFramework.Email.message_id - - SOCFramework.Email.sender_ip - - SOCFramework.Email.reported_by - - SOCFramework.Email.threat_url - - SOCFramework.Email.threat_type - - SOCFramework.Email.threat_status - - SOCFramework.Email.threat_id - - SOCFramework.Email.classification - - SOCFramework.Email.phish_score - - SOCFramework.Email.malware_score - - SOCFramework.Email.delivery_action - - SOCFramework.Email.direction - - SOCFramework.Email.attachment_name - - SOCFramework.Email.attachment_sha256 - - SOCFramework.Email.campaign_id - - SOCFramework.Email.click_ip - - SOCFramework.Email.click_time - - SOCFramework.Email.normalization_source - name: SOCFramework Email Contract - description: SOCFramework.Email.* and SOCFramework.Artifacts.Email.* keys for downstream - NIST IR lifecycle outputs: - contextPath: SOCFramework.Email.sender description: A/C/E - block-indicator, search-and-delete @@ -1650,4 +1620,3 @@ outputs: - contextPath: SOCFramework.Email.normalization_source description: Always 'email' type: String -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Endpoint_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Endpoint_V3.yml index 5c07b2af..c50ff931 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Endpoint_V3.yml 
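Review bot: Removing `outputSections` in the `@@ -1556,36 +1556,6 @@` hunk drops the only place this file stated that the `SOCFramework.Artifacts.Email.*` aliases (written by the 'Set Artifacts.Email.* alias' tasks earlier in the patch) are part of the playbook's contract; the surviving `outputs:` list shows only `SOCFramework.Email.*` context paths in the visible portion. If the alias paths are not already listed under `outputs:`, add one entry per alias, e.g. `- contextPath: SOCFramework.Artifacts.Email.From`, `description: Alias of SOCFramework.Email.sender`, `type: String`, so the consumers named in those task descriptions can discover them from the playbook metadata. The `outputs:` list runs past the hunk, so this may already be covered further down.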
+++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Endpoint_V3.yml @@ -1,9 +1,9 @@ adopted: true fromversion: 5.0.0 id: Foundation - Normalize Endpoint_V3 -version: 1 +version: -1 contentitemexportablefields: - contentitemfields: + '39': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.5.0 @@ -13,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Endpoint_V3 description: Normalizes Endpoint alert fields into the SOCFramework.Endpoint.* contract. Reads issue.* directly. Sequential chain — one connection per task. @@ -29,7 +28,7 @@ tasks: taskid: 4a635a08-9199-4952-acca-bdc3d92f5362 type: start task: - id: d2187681-89f6-4847-9698-a21ffb690efa + id: 4a635a08-9199-4952-acca-bdc3d92f5362 version: -1 name: '' iscommand: false @@ -54,7 +53,7 @@ tasks: taskid: 33898784-9d88-4562-8f7c-71b88bfc0837 type: title task: - id: 20c02f99-026b-4829-a2eb-14cb9cc91b61 + id: 33898784-9d88-4562-8f7c-71b88bfc0837 version: -1 name: Set SOCFramework.Endpoint Fields type: title @@ -80,7 +79,7 @@ tasks: taskid: fe2331b9-c937-4769-9549-41d3414e6671 type: title task: - id: 2aef31ae-1c2b-4a88-8be6-0070d7778a5c + id: fe2331b9-c937-4769-9549-41d3414e6671 version: -1 name: Done type: title @@ -103,10 +102,10 @@ tasks: taskid: e54bcf4d-2ef6-407c-8e9f-972bd03a082f type: regular task: - id: 12108da5-13bc-4fd1-9ef9-9b5dcc6e21d7 + id: e54bcf4d-2ef6-407c-8e9f-972bd03a082f version: -1 name: Set hostname - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -138,10 +137,10 @@ tasks: taskid: 1728e7da-a49c-495f-9c4a-651f3d325d4c type: regular task: - id: 7b198c88-f9a1-4d90-9d9e-bad9b5e67c3e + id: 1728e7da-a49c-495f-9c4a-651f3d325d4c version: -1 name: Set endpoint_id - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -173,10 +172,10 @@ tasks:
 taskid: be84975e-3882-4ad2-ae98-05b08f097b74
 type: regular
 task:
- id: fdbd44d9-6c57-4923-ba22-65b6da368954
+ id: be84975e-3882-4ad2-ae98-05b08f097b74
 version: -1
 name: Set os
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -208,10 +207,10 @@ tasks:
 taskid: bcfc4ae5-d9cf-47ac-bb6c-403eabe449f7
 type: regular
 task:
- id: e2eb7fda-794a-4b51-8c0f-05beb1d78fb9
+ id: bcfc4ae5-d9cf-47ac-bb6c-403eabe449f7
 version: -1
 name: Set ip_address
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -243,10 +242,10 @@ tasks:
 taskid: 39ddeb5c-9a4c-42d6-a050-8c292ecf7370
 type: regular
 task:
- id: ae3c4682-a5d6-442a-aa9b-0f970844d495
+ id: 39ddeb5c-9a4c-42d6-a050-8c292ecf7370
 version: -1
 name: Set external_ip
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -278,10 +277,10 @@ tasks:
 taskid: 94db0245-28e4-4907-a2b3-762d61180d99
 type: regular
 task:
- id: 3da81239-0044-4d26-a716-ec836692f426
+ id: 94db0245-28e4-4907-a2b3-762d61180d99
 version: -1
 name: Set mac_address
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -313,10 +312,10 @@ tasks:
 taskid: f98f6b22-f54b-4414-b0c2-28ab247065bc
 type: regular
 task:
- id: b219fbc7-460c-4c6f-ac6e-bfff977e778d
+ id: f98f6b22-f54b-4414-b0c2-28ab247065bc
 version: -1
 name: Set domain
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -348,10 +347,10 @@ tasks:
 taskid: be667a38-2c06-4fc6-906b-94a0ee1dbdcf
 type: regular
 task:
- id: 49ccfef3-5295-4299-a568-d46e891cde57
+ id: be667a38-2c06-4fc6-906b-94a0ee1dbdcf
 version: -1
 name: Set username
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -383,10 +382,10 @@ tasks:
 taskid: 40ac1098-6482-4d09-b298-596817667ae9
 type: regular
 task:
- id: c73cc2ac-7da1-4562-86b2-cd0361517a11
+ id: 40ac1098-6482-4d09-b298-596817667ae9
 version: -1
 name: Set user_principal
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -418,10 +417,10 @@ tasks:
 taskid: f5285642-57e7-4709-9ed0-0230ad73a3be
 type: regular
 task:
- id: 75e1ca8c-b71f-4b99-a33f-cfe0f4f63658
+ id: f5285642-57e7-4709-9ed0-0230ad73a3be
 version: -1
 name: Set process_name
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -453,10 +452,10 @@ tasks:
 taskid: d2e3e5e3-fba0-4b3b-a4ef-7ce7b6791097
 type: regular
 task:
- id: 89757f63-d540-4174-8281-8a283d816733
+ id: d2e3e5e3-fba0-4b3b-a4ef-7ce7b6791097
 version: -1
 name: Set process_sha256
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -488,10 +487,10 @@ tasks:
 taskid: 610a9786-8d1a-46c9-b65d-a904457cfbce
 type: regular
 task:
- id: 2f49c655-012a-4aba-ba42-1ccad79381e1
+ id: 610a9786-8d1a-46c9-b65d-a904457cfbce
 version: -1
 name: Set process_cmd
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -523,10 +522,10 @@ tasks:
 taskid: d9d0c800-cb53-45cf-9157-cabd1b8a0518
 type: regular
 task:
- id: 32fb3f67-5922-431e-a582-5d8dcae4c503
+ id: d9d0c800-cb53-45cf-9157-cabd1b8a0518
 version: -1
 name: Set process_path
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -558,10 +557,10 @@ tasks:
 taskid: 83d9d1b2-16af-45de-bba9-5f790df5338a
 type: regular
 task:
- id: d9d21d87-5d4d-4356-ab85-6ae4cb33bd5e
+ id: 83d9d1b2-16af-45de-bba9-5f790df5338a
 version: -1
 name: Set process_pid
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -593,10 +592,10 @@ tasks:
 taskid: 40de1fb9-9e1d-456a-b592-fc50df00116d
 type: regular
 task:
- id: 7e77846d-7b66-4f85-9bfe-1bbcdae68dbc
+ id: 40de1fb9-9e1d-456a-b592-fc50df00116d
 version: -1
 name: Set parent_process_name
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -628,10 +627,10 @@ tasks:
 taskid: 67876a83-7cfe-4d31-9c6d-ced0926f98ff
 type: regular
 task:
- id: a8d520fc-0997-4bf5-827e-03f26ecc5696
+ id: 67876a83-7cfe-4d31-9c6d-ced0926f98ff
 version: -1
 name: Set parent_process_sha256
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -663,10 +662,10 @@ tasks:
 taskid: 1daf524c-126c-4b72-b3f2-8d538eae2cb7
 type: regular
 task:
- id: 2abe04ac-dca6-4626-911e-40a119f6cf8d
+ id: 1daf524c-126c-4b72-b3f2-8d538eae2cb7
 version: -1
 name: Set parent_process_cmd
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -698,10 +697,10 @@ tasks:
 taskid: bc33c866-0b10-47ca-a610-7fc40ed87939
 type: regular
 task:
- id: 6f2b1288-ea48-46f1-b17b-e2585f1fe499
+ id: bc33c866-0b10-47ca-a610-7fc40ed87939
 version: -1
 name: Set file_path
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -733,10 +732,10 @@ tasks:
 taskid: 44981864-82b0-446f-8153-15753a837339
 type: regular
 task:
- id: 1829f8ed-36ad-43c4-8e41-b8642169c586
+ id: 44981864-82b0-446f-8153-15753a837339
 version: -1
 name: Set file_sha256
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -768,10 +767,10 @@ tasks:
 taskid: 25fd7074-5498-40c6-aabd-ca5cad9e1895
 type: regular
 task:
- id: 1b6a81a8-d79d-468f-a77b-70bee2c9e205
+ id: 25fd7074-5498-40c6-aabd-ca5cad9e1895
 version: -1
 name: Set network_accesses
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -803,10 +802,10 @@ tasks:
 taskid: 3454aaad-269b-4a28-afcd-ce9b78da66eb
 type: regular
 task:
- id: c381f34d-9b40-4692-b2b2-7238833aa71f
+ id: 3454aaad-269b-4a28-afcd-ce9b78da66eb
 version: -1
 name: Set dns_queries
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -838,10 +837,10 @@ tasks:
 taskid: 04036c47-be8b-488a-83eb-032f8621c546
 type: regular
 task:
- id: d4962e68-c9ec-4514-877e-57324c744e8c
+ id: 04036c47-be8b-488a-83eb-032f8621c546
 version: -1
 name: Set tactic
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -873,10 +872,10 @@ tasks:
 taskid: db7b34d0-d3c5-4929-b1ae-a045bca10dbf
 type: regular
 task:
- id: b702b07b-0c3d-43d9-8b9f-fd782b1bb81b
+ id: db7b34d0-d3c5-4929-b1ae-a045bca10dbf
 version: -1
 name: Set technique
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -908,10 +907,10 @@ tasks:
 taskid: eb25785a-bde6-4a2e-8add-f721225542b1
 type: regular
 task:
- id: 3e252f2c-4e4d-4031-8623-46ae81cc1320
+ id: eb25785a-bde6-4a2e-8add-f721225542b1
 version: -1
 name: Set tactic_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -943,10 +942,10 @@ tasks:
 taskid: ee0333ae-cb51-460b-b96a-dc84b28eb1b9
 type: regular
 task:
- id: 7f667e8e-ac32-4e35-baf9-c175f720873e
+ id: ee0333ae-cb51-460b-b96a-dc84b28eb1b9
 version: -1
 name: Set technique_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -978,10 +977,10 @@ tasks:
 taskid: 2313c91f-7b5a-4854-b6a0-7f305727effe
 type: regular
 task:
- id: b97739b6-84be-489d-bb61-28bf7823da73
+ id: 2313c91f-7b5a-4854-b6a0-7f305727effe
 version: -1
 name: Set alert_action
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -1013,10 +1012,10 @@ tasks:
 taskid: c8f18f80-0264-4322-a953-fde35a119878
 type: regular
 task:
- id: c1379b71-c8e8-4da2-b4f0-52e7ad3aa120
+ id: c8f18f80-0264-4322-a953-fde35a119878
 version: -1
 name: Set containment_status
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -1048,10 +1047,10 @@ tasks:
 taskid: 11665980-2bc9-47f2-bc7f-b282ebb6df5c
 type: regular
 task:
- id: f9c3d3a0-bfb3-4c81-a18f-47476cf74b16
+ id: 11665980-2bc9-47f2-bc7f-b282ebb6df5c
 version: -1
 name: Set normalization_source
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -1081,42 +1080,6 @@ tasks: view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 4980, "width": 380, "x": 280, "y": 50}}}' inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: '' -outputSections: -- outputs: - - SOCFramework.Endpoint.hostname - - SOCFramework.Endpoint.endpoint_id - - SOCFramework.Endpoint.os - - SOCFramework.Endpoint.ip_address - - SOCFramework.Endpoint.external_ip - - SOCFramework.Endpoint.mac_address - - SOCFramework.Endpoint.domain - - SOCFramework.Endpoint.username - - SOCFramework.Endpoint.user_principal - - SOCFramework.Endpoint.process_name - - SOCFramework.Endpoint.process_sha256 - - SOCFramework.Endpoint.process_cmd - - SOCFramework.Endpoint.process_path - - SOCFramework.Endpoint.process_pid - - SOCFramework.Endpoint.parent_process_name - - SOCFramework.Endpoint.parent_process_sha256 - - SOCFramework.Endpoint.parent_process_cmd - - SOCFramework.Endpoint.file_path - - SOCFramework.Endpoint.file_sha256 - - SOCFramework.Endpoint.network_accesses - - SOCFramework.Endpoint.dns_queries - - SOCFramework.Endpoint.tactic - - SOCFramework.Endpoint.technique - - SOCFramework.Endpoint.tactic_id - - SOCFramework.Endpoint.technique_id - - SOCFramework.Endpoint.alert_action - - SOCFramework.Endpoint.containment_status - - SOCFramework.Endpoint.normalization_source - name: SOCFramework Endpoint Contract - description: SOCFramework.Endpoint.* keys for downstream NIST IR lifecycle outputs: - contextPath: SOCFramework.Endpoint.hostname description: A/C/R - isolation target diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Generic_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Generic_V3.yml index fe095f26..824595c9 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Generic_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Generic_V3.yml 
@@ -1,9 +1,9 @@ adopted: true fromversion: 5.0.0 id: Foundation - Normalize Generic_V3 -version: 1 +version: -1 contentitemexportablefields: - contentitemfields: + '21': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.5.0 @@ -13,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Generic_V3 description: Normalizes Generic alert fields into the SOCFramework.Generic.* contract. Reads issue.* directly. Sequential chain — one connection per task. @@ -29,7 +28,7 @@ tasks: taskid: 68aeb78a-45fb-499f-a71d-7803d13a396c type: start task: - id: 16ac951f-8a05-4e1b-9293-a602450102e2 + id: 68aeb78a-45fb-499f-a71d-7803d13a396c version: -1 name: '' iscommand: false @@ -54,7 +53,7 @@ tasks: taskid: 15cd6078-5cf2-4765-b9b8-18ca32843eb7 type: title task: - id: 3e955890-7e8d-48af-aa06-bbc3d46e8b01 + id: 15cd6078-5cf2-4765-b9b8-18ca32843eb7 version: -1 name: Set SOCFramework.Generic Fields type: title @@ -80,7 +79,7 @@ tasks: taskid: 5252998f-4653-4db3-962f-4aeeb5599617 type: title task: - id: b45c8de3-32a3-410c-a179-411152b724fc + id: 5252998f-4653-4db3-962f-4aeeb5599617 version: -1 name: Done type: title @@ -103,10 +102,10 @@ tasks: taskid: 4a930cb6-86d9-447b-84c9-a6f928d3c376 type: regular task: - id: 6f5a9af1-1d1c-4e09-9251-74ca88f074a3 + id: 4a930cb6-86d9-447b-84c9-a6f928d3c376 version: -1 name: Set primary_entity_type - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -138,10 +137,10 @@ tasks: taskid: 1177acee-4e67-4494-9c89-26879d742272 type: regular task: - id: c77e931f-6309-4d6d-b68d-06f2e6678d94 + id: 1177acee-4e67-4494-9c89-26879d742272 version: -1 name: Set primary_entity_value - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -173,10 +172,10 @@ tasks:
 taskid: 250df73d-ccd4-4cb6-ad34-7850f5ac377b
 type: regular
 task:
- id: 466da30c-01ff-4538-b8ad-b77c17317718
+ id: 250df73d-ccd4-4cb6-ad34-7850f5ac377b
 version: -1
 name: Set hostname
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -208,10 +207,10 @@ tasks:
 taskid: 1c724a7d-15f6-4731-99d0-39762dba0969
 type: regular
 task:
- id: 797cfe0d-7ae5-4490-8907-60bfb9422965
+ id: 1c724a7d-15f6-4731-99d0-39762dba0969
 version: -1
 name: Set source_ip
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -243,10 +242,10 @@ tasks:
 taskid: 7b1f922b-9530-41c3-8fd4-9b9a03f5e76a
 type: regular
 task:
- id: 421f2376-562e-4a8b-8720-3b250250f541
+ id: 7b1f922b-9530-41c3-8fd4-9b9a03f5e76a
 version: -1
 name: Set username
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -278,10 +277,10 @@ tasks:
 taskid: 33d79d17-dfea-402a-8389-7e36ae4844f0
 type: regular
 task:
- id: d9beeedc-8080-4e86-8233-ac14480bcfc2
+ id: 33d79d17-dfea-402a-8389-7e36ae4844f0
 version: -1
 name: Set tactic
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -313,10 +312,10 @@ tasks:
 taskid: 1e8257a6-a9ad-4b53-8862-19e2d2faa135
 type: regular
 task:
- id: b3918503-879f-408a-9f1a-a6f3b438fa3d
+ id: 1e8257a6-a9ad-4b53-8862-19e2d2faa135
 version: -1
 name: Set technique
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -348,10 +347,10 @@ tasks:
 taskid: 757d0736-b62a-4654-a2c2-2b208c4a210e
 type: regular
 task:
- id: 0224c02e-f80b-4701-9dc5-fcdc3b46ead7
+ id: 757d0736-b62a-4654-a2c2-2b208c4a210e
 version: -1
 name: Set alert_name
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -383,10 +382,10 @@ tasks: taskid: 9d1f25f9-c909-44d8-a333-a84b19b84958 type: regular task: - id: 6c491a9f-450b-4e63-81b7-eb290db5e817 + id: 9d1f25f9-c909-44d8-a333-a84b19b84958 version: -1 name: Set alert_source - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -418,10 +417,10 @@ tasks: taskid: 82cdd25e-feed-496f-87cf-cc450d8ed422 type: regular task: - id: 4887631e-cd4c-4ed5-b4d2-ceb768c04a7e + id: 82cdd25e-feed-496f-87cf-cc450d8ed422 version: -1 name: Set normalization_source - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -451,24 +450,6 @@ tasks: view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 2100, "width": 380, "x": 280, "y": 50}}}' inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: '' -outputSections: -- outputs: - - SOCFramework.Generic.primary_entity_type - - SOCFramework.Generic.primary_entity_value - - SOCFramework.Generic.hostname - - SOCFramework.Generic.source_ip - - SOCFramework.Generic.username - - SOCFramework.Generic.tactic - - SOCFramework.Generic.technique - - SOCFramework.Generic.alert_name - - SOCFramework.Generic.alert_source - - SOCFramework.Generic.normalization_source - name: SOCFramework Generic Contract - description: SOCFramework.Generic.* keys for downstream NIST IR lifecycle outputs: - contextPath: SOCFramework.Generic.primary_entity_type description: A - primary entity type diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Identity_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Identity_V3.yml index 4c0f8586..70a0b5f4 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Identity_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Identity_V3.yml 
@@ -1,9 +1,9 @@ adopted: true fromversion: 5.0.0 id: Foundation - Normalize Identity_V3 -version: 1 +version: -1 contentitemexportablefields: - contentitemfields: + '29': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.5.0 @@ -13,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Identity_V3 description: Normalizes Identity alert fields into the SOCFramework.Identity.* contract. Reads issue.* directly. Sequential chain — one connection per task. @@ -29,7 +28,7 @@ tasks: taskid: 7b37faf3-cac0-4dc7-93f9-cb5ba6487196 type: start task: - id: 02065ce9-7f37-40dc-9895-1a7499a067e1 + id: 7b37faf3-cac0-4dc7-93f9-cb5ba6487196 version: -1 name: '' iscommand: false @@ -54,7 +53,7 @@ tasks: taskid: 3ce73d72-97e4-429f-b995-2f973c9ca86d type: title task: - id: 6a436b95-b10a-42af-b205-d048cb9bbda7 + id: 3ce73d72-97e4-429f-b995-2f973c9ca86d version: -1 name: Set SOCFramework.Identity Fields type: title @@ -80,7 +79,7 @@ tasks: taskid: 83a92d7b-c874-4dca-adbf-1eebe384d201 type: title task: - id: c0c06eae-fbbd-4d6c-bd41-b51f8628a3b9 + id: 83a92d7b-c874-4dca-adbf-1eebe384d201 version: -1 name: Done type: title @@ -103,10 +102,10 @@ tasks: taskid: e19ac918-7bb4-47a3-a8eb-04f3993e34d0 type: regular task: - id: 96ec25c2-0ff6-426b-b88f-416b322ad11b + id: e19ac918-7bb4-47a3-a8eb-04f3993e34d0 version: -1 name: Set username - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -138,10 +137,10 @@ tasks: taskid: cc9548f8-58ce-4964-8649-2e62a4af0f78 type: regular task: - id: f22f049d-50b7-41f4-94f3-519da213478f + id: cc9548f8-58ce-4964-8649-2e62a4af0f78 version: -1 name: Set user_id - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -173,10 +172,10 @@ tasks:
 taskid: f0c74f01-e998-4e58-986c-291a86a3a81f
 type: regular
 task:
- id: a0c1c446-9d47-48b8-b24d-fc9f31bba539
+ id: f0c74f01-e998-4e58-986c-291a86a3a81f
 version: -1
 name: Set user_email
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -208,10 +207,10 @@ tasks:
 taskid: 00d9d9e5-a729-4ffb-a0ab-8b2c4c90e16b
 type: regular
 task:
- id: 4f46b6c0-3c01-42b2-9c99-52a015157880
+ id: 00d9d9e5-a729-4ffb-a0ab-8b2c4c90e16b
 version: -1
 name: Set user_display_name
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -243,10 +242,10 @@ tasks:
 taskid: 7fe91753-9d20-4827-b6c1-02517cdfa422
 type: regular
 task:
- id: f051ea79-9fe4-4bc9-97d5-ff6ff30a8531
+ id: 7fe91753-9d20-4827-b6c1-02517cdfa422
 version: -1
 name: Set auth_source
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -278,10 +277,10 @@ tasks:
 taskid: a694e927-cc78-4ac0-b394-2605664553d8
 type: regular
 task:
- id: 293340e0-9f7d-4183-9332-2f1b77537a96
+ id: a694e927-cc78-4ac0-b394-2605664553d8
 version: -1
 name: Set event_type
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -313,10 +312,10 @@ tasks:
 taskid: de6c2a7d-11a8-401a-809c-5d43f4bcb911
 type: regular
 task:
- id: 0ea3d287-5a8a-4467-99e3-a63d44aa6407
+ id: de6c2a7d-11a8-401a-809c-5d43f4bcb911
 version: -1
 name: Set outcome
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -348,10 +347,10 @@ tasks:
 taskid: fecf5031-959f-4aa1-ba87-34c2e21d1122
 type: regular
 task:
- id: dbc6258b-a849-45f7-ac1c-928ef0bbeaab
+ id: fecf5031-959f-4aa1-ba87-34c2e21d1122
 version: -1
 name: Set client_ip
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -383,10 +382,10 @@ tasks:
 taskid: 8409c731-b2c1-4b32-b730-b8fcdc8a4752
 type: regular
 task:
- id: b15573ea-c425-4ced-ab83-30a1f569103a
+ id: 8409c731-b2c1-4b32-b730-b8fcdc8a4752
 version: -1
 name: Set country
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -418,10 +417,10 @@ tasks:
 taskid: 074e28a8-21ab-426b-9c72-a910bcfe7c35
 type: regular
 task:
- id: 35120f34-6c9d-4015-bbe6-bcb2e8df8409
+ id: 074e28a8-21ab-426b-9c72-a910bcfe7c35
 version: -1
 name: Set user_agent
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -453,10 +452,10 @@ tasks:
 taskid: 75d81ee4-127d-4238-8b67-3541ec09517d
 type: regular
 task:
- id: 70066c9f-fe40-44ae-8f14-7ad846b89b54
+ id: 75d81ee4-127d-4238-8b67-3541ec09517d
 version: -1
 name: Set device_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -488,10 +487,10 @@ tasks:
 taskid: 3b0c6524-d5cf-4f9c-84ea-7c4b964f001c
 type: regular
 task:
- id: 3aca3f98-8835-4223-8e0c-08e88d049bea
+ id: 3b0c6524-d5cf-4f9c-84ea-7c4b964f001c
 version: -1
 name: Set session_id
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -523,10 +522,10 @@ tasks:
 taskid: 5a91c879-46f2-4ce8-9dae-fe2c5ed8abde
 type: regular
 task:
- id: 779c9fc4-9cc8-4d8d-884b-3a99d7624247
+ id: 5a91c879-46f2-4ce8-9dae-fe2c5ed8abde
 version: -1
 name: Set mfa_method
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -558,10 +557,10 @@ tasks:
 taskid: abddd6d6-a913-4d68-adea-ac8288de7b7f
 type: regular
 task:
- id: 5e405007-eee9-4ea9-aee1-9e2f94743453
+ id: abddd6d6-a913-4d68-adea-ac8288de7b7f
 version: -1
 name: Set risk_level
- scriptName: SetAndHandleEmpty
+ script: SetAndHandleEmpty
 type: regular
 iscommand: false
 brand: ''
@@ -593,10 +592,10 @@ tasks: taskid: 7d0eed96-5249-461f-b45d-6c4a84f84461 type: regular task: - id: cc327272-b326-436e-8255-2bd90d464fcc + id: 7d0eed96-5249-461f-b45d-6c4a84f84461 version: -1 name: Set target_resource - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -628,10 +627,10 @@ tasks: taskid: f1040836-c01c-40ba-b1db-ef4d9ef00869 type: regular task: - id: 7d4445f0-3f04-45d5-a874-4f105bd71f3c + id: f1040836-c01c-40ba-b1db-ef4d9ef00869 version: -1 name: Set source_hostname - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -663,10 +662,10 @@ tasks: taskid: a3c80a47-3bfc-4437-8c70-7f0de51e7c43 type: regular task: - id: f3edd45c-5960-41da-8f6a-584aea71f9e4 + id: a3c80a47-3bfc-4437-8c70-7f0de51e7c43 version: -1 name: Set logon_type - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -698,10 +697,10 @@ tasks: taskid: 20a5a89b-d768-4ea4-aaa0-0af2b50c69c1 type: regular task: - id: 217a94d5-3c52-407b-9ae2-f647ca8e00e2 + id: 20a5a89b-d768-4ea4-aaa0-0af2b50c69c1 version: -1 name: Set normalization_source - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -731,32 +730,6 @@ tasks: view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 3380, "width": 380, "x": 280, "y": 50}}}' inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: '' -outputSections: -- outputs: - - SOCFramework.Identity.username - - SOCFramework.Identity.user_id - - SOCFramework.Identity.user_email - - SOCFramework.Identity.user_display_name - - SOCFramework.Identity.auth_source - - SOCFramework.Identity.event_type - - SOCFramework.Identity.outcome - - SOCFramework.Identity.client_ip - - SOCFramework.Identity.country - - SOCFramework.Identity.user_agent - - SOCFramework.Identity.device_id - - SOCFramework.Identity.session_id - - SOCFramework.Identity.mfa_method - - SOCFramework.Identity.risk_level - - SOCFramework.Identity.target_resource - - SOCFramework.Identity.source_hostname - - SOCFramework.Identity.logon_type - - SOCFramework.Identity.normalization_source - name: SOCFramework Identity Contract - description: SOCFramework.Identity.* keys for downstream NIST IR lifecycle outputs: - contextPath: SOCFramework.Identity.username description: A/C/E/R - all actions target this diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Network_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Network_V3.yml index d8f472cf..7c50504b 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Network_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Normalize_Network_V3.yml @@ -1,9 +1,9 @@ adopted: true fromversion: 5.0.0 id: Foundation - Normalize Network_V3 -version: 1 +version: -1 contentitemexportablefields: - contentitemfields: + '31': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.5.0 
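Review bot: `contentitemfields:` is replaced by the bare numeric key `'31':` under `contentitemexportablefields`, which does not read as a normalization but as a key-name artifact of the generating tool (the value is a quoted integer that differs per file). The same substitution appears as `'18'`, `'251'`, `'38'`, `'4'`, `'13'`, `'7'`, `'10'` and `'11'` in the later header hunks, and — more seriously — it also rewrites the `value:` key of playbook inputs (`'252':` in the Product Classification inputs hunk, `'10':` for every input in the SOC Comms Email hunk) and the `playbookInputQuery:` key in SOC Close Cases, so defaults such as `simple: ${issue.tags.[0]}` would no longer sit under a key the playbook engine reads. The intended lines are presumably the originals, `contentitemfields:` and `value:`; the tool that produced these files should be corrected and the files regenerated rather than hand-patched.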
@@ -13,7 +13,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Normalize Network_V3 description: Normalizes Network alert fields into the SOCFramework.Network.* contract. Reads issue.* directly. Sequential chain — one connection per task. @@ -29,7 +28,7 @@ tasks: taskid: 754b4432-823c-48ec-94a9-7ae9e01a21c3 type: start task: - id: e30d2738-b79d-4ddb-86de-6a683983d286 + id: 754b4432-823c-48ec-94a9-7ae9e01a21c3 version: -1 name: '' iscommand: false @@ -54,7 +53,7 @@ tasks: taskid: 407948f9-37f1-40a5-8536-778a7551bc70 type: title task: - id: 50e5dc55-ea24-427f-9a2d-37a79e335a57 + id: 407948f9-37f1-40a5-8536-778a7551bc70 version: -1 name: Set SOCFramework.Network Fields type: title @@ -80,7 +79,7 @@ tasks: taskid: bc2caeea-182e-408f-8741-3a9bba4fcb14 type: title task: - id: 65fcdc32-8a6d-44be-867b-ba9e4e618ec0 + id: bc2caeea-182e-408f-8741-3a9bba4fcb14 version: -1 name: Done type: title @@ -103,10 +102,10 @@ tasks: taskid: 87f6b1f1-4543-4bdd-bbca-34ec3f878919 type: regular task: - id: 84e04ef4-fe2a-48c6-89da-69df32b63b78 + id: 87f6b1f1-4543-4bdd-bbca-34ec3f878919 version: -1 name: Set src_ip - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -138,10 +137,10 @@ tasks: taskid: 7b8cadd5-7018-45fb-92ca-953f920464bb type: regular task: - id: 583eb895-afa8-4b23-a555-8777ec51916e + id: 7b8cadd5-7018-45fb-92ca-953f920464bb version: -1 name: Set src_port - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -173,10 +172,10 @@ tasks: taskid: 8b4af71c-ef13-4315-aab6-fa869a4e534a type: regular task: - id: 71ccbdea-053a-4ca8-867e-af96bd02f18d + id: 8b4af71c-ef13-4315-aab6-fa869a4e534a version: -1 name: Set src_hostname - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -208,10 +207,10 @@ tasks: taskid: e681a721-2190-4fd5-9bae-6b6846fb3756 type: regular task: - id: aaefe5fc-6351-4b19-9720-f317b7044e35 + id: e681a721-2190-4fd5-9bae-6b6846fb3756 version: -1 name: Set src_username - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -243,10 +242,10 @@ tasks: taskid: d33fe02c-fc94-475c-9d7b-4f2203f24fe4 type: regular task: - id: c7c2bfe9-3ebb-411e-9cc0-1242becab148 + id: d33fe02c-fc94-475c-9d7b-4f2203f24fe4 version: -1 name: Set dst_ip - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -278,10 +277,10 @@ tasks: taskid: d58b0844-059d-4fc0-b49c-336691549284 type: regular task: - id: 039145f4-f3fa-49e5-9c4b-d04e6af20b1f + id: d58b0844-059d-4fc0-b49c-336691549284 version: -1 name: Set dst_port - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -313,10 +312,10 @@ tasks: taskid: 74a0cdfe-4ced-42ff-a5de-082db2783cca type: regular task: - id: 8656ad01-b41e-4f0c-9f56-e45c136e5218 + id: 74a0cdfe-4ced-42ff-a5de-082db2783cca version: -1 name: Set dst_hostname - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -348,10 +347,10 @@ tasks: taskid: c364e5f5-59d7-4621-9578-d8ccd8eee53f type: regular task: - id: 428f6569-7e6b-4b30-8972-48260f328cc5 + id: c364e5f5-59d7-4621-9578-d8ccd8eee53f version: -1 name: Set protocol - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -383,10 +382,10 @@ tasks: taskid: 45d1ad81-7681-4f9d-a4fa-3941d4db7e55 type: regular task: - id: e68bd8c7-36d6-491c-b7cf-357b011586fc + id: 45d1ad81-7681-4f9d-a4fa-3941d4db7e55 version: -1 name: Set app - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -418,10 +417,10 @@ tasks: taskid: ca0e5d66-db73-4fc4-8923-44152a1a9654 type: regular task: - id: 2715fd33-360f-408b-969a-4d5842621c2f + id: ca0e5d66-db73-4fc4-8923-44152a1a9654 version: -1 name: Set action - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -453,10 +452,10 @@ tasks: taskid: c1b7d80d-c09b-4e8a-8772-fe3acb489590 type: regular task: - id: 27855cfd-fee7-4428-b66a-cf3a025ecd98 + id: c1b7d80d-c09b-4e8a-8772-fe3acb489590 version: -1 name: Set direction - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -488,10 +487,10 @@ tasks: taskid: 67231012-69bc-4b51-8f3e-11b3b80c0826 type: regular task: - id: e7145d54-e30b-407a-b365-f08ae0238084 + id: 67231012-69bc-4b51-8f3e-11b3b80c0826 version: -1 name: Set url - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -523,10 +522,10 @@ tasks: taskid: 41994ab3-da84-4d93-9056-ada0710c0849 type: regular task: - id: fc3e24c2-26fe-4eee-8410-0d8fecfb8d14 + id: 41994ab3-da84-4d93-9056-ada0710c0849 version: -1 name: Set domain - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -558,10 +557,10 @@ tasks: taskid: db63a404-97ab-42af-9572-6faf41aac33b type: regular task: - id: c16436fd-2ae0-4ea7-82ad-48860235169d + id: db63a404-97ab-42af-9572-6faf41aac33b version: -1 name: Set bytes_sent - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -593,10 +592,10 @@ tasks: taskid: a9b10e73-0f3f-4248-a612-86db07a4da56 type: regular task: - id: a588cbc0-9559-4272-9d13-a387f8f6971d + id: a9b10e73-0f3f-4248-a612-86db07a4da56 version: -1 name: Set bytes_received - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -628,10 +627,10 @@ tasks: taskid: 1edf67be-c89a-43d4-9246-7a3bb5d6c476 type: regular task: - id: b6690ccf-a735-46e6-ad25-0d9216c96073 + id: 1edf67be-c89a-43d4-9246-7a3bb5d6c476 version: -1 name: Set rule_name - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -663,10 +662,10 @@ tasks: taskid: 26fa327f-8261-41a1-8f9b-fc8ceccfddde type: regular task: - id: 1079dfd4-589b-4fda-bd43-4f3eeed83102 + id: 26fa327f-8261-41a1-8f9b-fc8ceccfddde version: -1 name: Set nat_src_ip - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -698,10 +697,10 @@ tasks: taskid: 503baf1a-711e-4ee8-bec8-d294ae5377e3 type: regular task: - id: 98014771-2312-48b1-b21e-cd36a2a9cd71 + id: 503baf1a-711e-4ee8-bec8-d294ae5377e3 version: -1 name: Set tactic - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -733,10 +732,10 @@ tasks: taskid: 5334dedb-9909-4c4f-8f56-b560d25468c7 type: regular task: - id: 579d7aed-b093-4e23-a338-2aa2091d9d50 + id: 5334dedb-9909-4c4f-8f56-b560d25468c7 version: -1 name: Set technique - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' @@ -768,10 +767,10 @@ tasks: taskid: 3de27a5b-b626-4db0-8be5-4fc943eaa676 type: regular task: - id: 2f2c7954-560e-41ab-ba04-49aa87c208e3 + id: 3de27a5b-b626-4db0-8be5-4fc943eaa676 version: -1 name: Set normalization_source - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: '' 
@@ -801,34 +800,6 @@ tasks: view: '{"linkLabelsPosition": {}, "paper": {"dimensions": {"height": 3700, "width": 380, "x": 280, "y": 50}}}' inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: '' -outputSections: -- outputs: - - SOCFramework.Network.src_ip - - SOCFramework.Network.src_port - - SOCFramework.Network.src_hostname - - SOCFramework.Network.src_username - - SOCFramework.Network.dst_ip - - SOCFramework.Network.dst_port - - SOCFramework.Network.dst_hostname - - SOCFramework.Network.protocol - - SOCFramework.Network.app - - SOCFramework.Network.action - - SOCFramework.Network.direction - - SOCFramework.Network.url - - SOCFramework.Network.domain - - SOCFramework.Network.bytes_sent - - SOCFramework.Network.bytes_received - - SOCFramework.Network.rule_name - - SOCFramework.Network.nat_src_ip - - SOCFramework.Network.tactic - - SOCFramework.Network.technique - - SOCFramework.Network.normalization_source - name: SOCFramework Network Contract - description: SOCFramework.Network.* keys for downstream NIST IR lifecycle outputs: - contextPath: SOCFramework.Network.src_ip description: A/C/E - block-indicator source diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Performance_Capture.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Performance_Capture_V3.yml similarity index 97% rename from Packs/soc-optimization-unified/Playbooks/Foundation_-_Performance_Capture.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_-_Performance_Capture_V3.yml index 8e4cd283..91a4aaf2 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Performance_Capture.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Performance_Capture_V3.yml @@ -1,6 +1,6 @@ adopted: true contentitemexportablefields: - contentitemfields: + '18': definitionid: "" fromServerVersion: 5.0.0 isoverridable: false 
@@ -13,12 +13,10 @@ contentitemexportablefields: description: | Captures playbook execution delays, time to completion, etc. Records telemetry to a dataset for analysis -dirtyInputs: true id: 'Foundation - Performance Capture_V3' inputs: [] name: Foundation - Performance Capture_V3 outputs: [] -sourceplaybookid: Foundation - Upon Trigger starttaskid: "0" tags: - SOC diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml index b11d5d26..96b7bf73 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Product_Classification_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 5.0.0 id: Foundation - Product Classification_V3 -version: 11 +version: -1 contentitemexportablefields: - contentitemfields: + '251': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.7.0 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Product Classification_V3 description: Designed to get the product category (EndPoint, Network, Cloud SaaS, Cloud Workload, etc) from the list SOCProductCategoryMap_V3 @@ -130,7 +130,7 @@ tasks: see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" 
@@ -201,7 +201,7 @@ tasks: taskid: 0109f2f5-f35b-473e-a100-27901e40ebb3 type: regular task: - id: a3e6eec2-fc77-44d0-bf82-d55bbc93d60c + id: 0109f2f5-f35b-473e-a100-27901e40ebb3 version: -1 name: Get Product Category Map List description: Fetches SOCProductCategoryMap_V3 into context so the downstream @@ -327,7 +327,7 @@ tasks: see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -389,7 +389,7 @@ tasks: see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -451,7 +451,7 @@ tasks: see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" 
@@ -512,7 +512,7 @@ tasks: see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: DeleteContext + script: DeleteContext type: regular iscommand: false brand: "" @@ -556,7 +556,7 @@ tasks: see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n - For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" @@ -614,7 +614,7 @@ tasks: description: Reads the responses map from SOCProductCategoryMap_V3 for this product key and stores it as SOCFramework.Product.responses. SOCCommandWrapper uses this to route actions to the correct integration by action class (endpoint/identity/email/indicator). - scriptName: SetAndHandleEmpty + script: SetAndHandleEmpty type: regular iscommand: false brand: "" 
@@ -678,24 +678,11 @@ view: |- } inputs: - key: ProductKey - value: + '252': simple: ${issue.tags.[0]} required: false description: Pass the product Data Source typically found here (i.e. issue.tags.[0]) playbookInputQuery: null -inputSections: -- inputs: - - ProductKey - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: - - SOCFramework.Product.key - - SOCFramework.Product.category - - SOCFramework.Product.type - - SOCFramework.Product.confidence - name: General (Outputs group) - description: Generic group for outputs outputs: - contextPath: SOCFramework.Product.key description: Canonical resolved product key @@ -711,6 +698,3 @@ outputs: description: Confidence level of the product classification (e.g. high, medium, low). type: string -sourceplaybookid: Foundation - Upon Trigger -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml index ba7a42b1..b604f7da 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_-_Upon_Trigger_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 5.0.0 id: Foundation - Upon Trigger V3 -version: 11 +version: -1 contentitemexportablefields: - contentitemfields: + '38': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.7.0 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation - Upon Trigger V3 tags: - SOC 
@@ -543,16 +543,5 @@ view: |- } } inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs outputs: [] -sourceplaybookid: Foundation - Upon Trigger quiet: true -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/Foundation_Common_-_Extract_Indicators_from_alerts.yml b/Packs/soc-optimization-unified/Playbooks/Foundation_Common_-_Extract_Indicators_from_alerts_V3.yml similarity index 95% rename from Packs/soc-optimization-unified/Playbooks/Foundation_Common_-_Extract_Indicators_from_alerts.yml rename to Packs/soc-optimization-unified/Playbooks/Foundation_Common_-_Extract_Indicators_from_alerts_V3.yml index a13ee784..a8b603f1 100644 --- a/Packs/soc-optimization-unified/Playbooks/Foundation_Common_-_Extract_Indicators_from_alerts.yml +++ b/Packs/soc-optimization-unified/Playbooks/Foundation_Common_-_Extract_Indicators_from_alerts_V3.yml @@ -1,7 +1,8 @@ +adopted: true id: Foundation Common - Extract Indicators from alerts_V3 -version: 7 +version: -1 contentitemexportablefields: - contentitemfields: + '4': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.16 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: '' isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: Foundation Common - Extract Indicators from alerts_V3 description: This is a common playbook intended to integrate the Indicator Extraction to all automated alerts. @@ -103,7 +103,5 @@ view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \ }\n }\n}" inputs: [] outputs: [] -sourceplaybookid: Foundation Common - Extract Indicators from alerts_V3 quiet: true -adopted: true fromversion: 5.0.0 
diff --git a/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml b/Packs/soc-optimization-unified/Playbooks/JOB_-_Auto_Triage_V3.yml similarity index 98% rename from Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml rename to Packs/soc-optimization-unified/Playbooks/JOB_-_Auto_Triage_V3.yml index c34d6cc0..53a61738 100644 --- a/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/JOB_-_Auto_Triage_V3.yml @@ -1,8 +1,9 @@ +adopted: true fromversion: 5.0.0 id: JOB - Auto Triage V3 -version: 7 +version: -1 contentitemexportablefields: - contentitemfields: + '13': packID: soc-optimization-unified packName: SOC Framework Unified itemVersion: 3.7.3 @@ -12,7 +13,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: JOB - Auto Triage V3 tags: - SOC @@ -258,7 +258,7 @@ tasks: description: Filters API response by aggregated_score <= TriageScoreThreshold and manual_score is null. Cases above threshold or analyst-touched are skipped. Passes only eligible cases to the close loop. - scriptName: SOCAutoTriageScoreFilter + script: SOCAutoTriageScoreFilter type: regular iscommand: false brand: "" @@ -346,5 +346,3 @@ view: |- } inputs: [] outputs: [] -dirtyInputs: true -adopted: true diff --git a/Packs/soc-optimization-unified/Playbooks/JOB_-_Store_Playbook_Metrics_in_Dataset_V3.yml b/Packs/soc-optimization-unified/Playbooks/JOB_-_Store_Playbook_Metrics_in_Dataset_V3.yml index 1d618278..3fc58ec8 100644 --- a/Packs/soc-optimization-unified/Playbooks/JOB_-_Store_Playbook_Metrics_in_Dataset_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/JOB_-_Store_Playbook_Metrics_in_Dataset_V3.yml 
@@ -1,7 +1,8 @@ +adopted: true id: JOB - Store Playbook Metrics in Dataset V3 -version: 2 +version: -1 contentitemexportablefields: - contentitemfields: + '7': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.16 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: JOB - Store Playbook Metrics in Dataset V3 tags: - SOC_Framework_Unified @@ -64,7 +64,7 @@ tasks: This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Permission-Management - scriptName: SearchAlertsV2 + script: SearchAlertsV2 type: regular iscommand: false brand: "" @@ -282,7 +282,4 @@ view: |- } inputs: [] outputs: [] -sourceplaybookid: JOB - Store Playbook Metrics in Dataset -dirtyInputs: true -adopted: true fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases_V3.yml similarity index 93% rename from Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml rename to Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases_V3.yml index 725fb918..aa108e98 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases_V3.yml @@ -1,7 +1,8 @@ +adopted: true id: SOC Close Cases_V3 -version: 1 +version: -1 contentitemexportablefields: - contentitemfields: + '10': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.19 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: SOC Close Cases_V3 tags: - SOC 
@@ -214,18 +214,7 @@ inputs: value: {} required: true description: "" - playbookInputQuery: -inputSections: -- inputs: - - incident_id - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs + '11': outputs: [] quiet: true -dirtyInputs: true -adopted: true fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Email_V3.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Email_V3.yml index d45a45fb..86077acd 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Email_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Email_V3.yml @@ -370,13 +370,13 @@ tasks: inputs: - key: Verdict - value: + '10': simple: ${Analysis.Email.verdict} required: false description: Analysis.Email.verdict - malicious / benign. Drives notification routing. playbookInputQuery: null - key: UserEngagement - value: + '10': simple: 'false' required: false description: Set to true to enable reporter notification. Default false - analyst @@ -384,7 +384,7 @@ inputs: Containment playbook. playbookInputQuery: null - key: ReporterEmail - value: + '10': simple: ${alert.reporteremailaddress} required: false description: Email address of the person who reported the phishing. Sourced from 
@@ -392,54 +392,35 @@ inputs: phishing alert type). playbookInputQuery: null - key: PartOfCampaign - value: + '10': simple: ${PartOfCampaign} required: false description: Campaign ID if this alert is part of a detected phishing campaign. Non-empty value triggers campaign-specific notification body. playbookInputQuery: null - key: AlertName - value: + '10': simple: ${alert.name} required: false description: Alert name for email subject line. playbookInputQuery: null - key: SendMailInstance - value: {} + '10': {} required: false description: Mail integration instance to use for send-mail commands. Leave empty to use the default instance. playbookInputQuery: null -inputSections: -- inputs: - - Verdict - - UserEngagement - - ReporterEmail - - PartOfCampaign - name: Notification Config - description: Controls who is notified and what message they receive -- inputs: - - AlertName - - SendMailInstance - name: Delivery Config - description: Subject line context and mail integration routing outputs: [] -outputSections: -- outputs: [] - name: General (Outputs group) - description: Fire-and-forget - no outputs. Comms playbooks do not produce context - keys consumed by downstream phases. view: "{\"linkLabelsPosition\": {}, \"paper\": {\"dimensions\": {\"height\": 1120,\ \ \"width\": 1200, \"x\": 50, \"y\": 50}}}" contentitemexportablefields: - contentitemfields: + '11': definitionid: '' fromServerVersion: 6.10.0 isoverridable: false itemVersion: 1.0.0 packID: soc-optimization-unified - packName: SOC Framework NIST IR + packName: SOC Framework Unified prevname: '' supportedModules: [] toServerVersion: '' -dirtyInputs: false diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Comms_IM.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Comms_IM_V3.yml similarity index 95% rename from Packs/soc-optimization-unified/Playbooks/SOC_Comms_IM.yml rename to Packs/soc-optimization-unified/Playbooks/SOC_Comms_IM_V3.yml index 577ae190..45db57be 100644 
--- a/Packs/soc-optimization-unified/Playbooks/SOC_Comms_IM.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Comms_IM_V3.yml @@ -1,7 +1,8 @@ +adopted: true id: SOC Comms IM_V3 -version: 3 +version: -1 contentitemexportablefields: - contentitemfields: + '18': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.19 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: SOC Comms IM_V3 description: |2+ @@ -129,7 +129,4 @@ view: |- } inputs: [] outputs: [] -sourceplaybookid: Foundation - Upon Trigger -dirtyInputs: true -adopted: true fromversion: 5.0.0 diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Ticketing.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Ticketing_V3.yml similarity index 95% rename from Packs/soc-optimization-unified/Playbooks/SOC_Comms_Ticketing.yml rename to Packs/soc-optimization-unified/Playbooks/SOC_Comms_Ticketing_V3.yml index ce9766f2..d22b5559 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Ticketing.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Comms_Ticketing_V3.yml @@ -1,7 +1,8 @@ +adopted: true id: SOC Comms Ticketing_V3 -version: 3 +version: -1 contentitemexportablefields: - contentitemfields: + '18': packID: soc-optimization-unified _packName: SOC Framework Unified itemVersion: 2.1.19 @@ -11,7 +12,6 @@ contentitemexportablefields: prevname: "" isoverridable: false supportedModules: [] -vcShouldKeepItemLegacyProdMachine: false name: SOC Comms Ticketing_V3 description: |2+ @@ -129,7 +129,4 @@ view: |- } inputs: [] outputs: [] -sourceplaybookid: Foundation - Upon Trigger -dirtyInputs: true -adopted: true fromversion: 5.0.0 From e639a691fad8a1452ae32f39795ac1e4923fe4f6 Mon Sep 17 00:00:00 2001 
From: scottbrumley Date: Wed, 8 Apr 2026 14:18:09 -0400 Subject: [PATCH 2/2] - Fixing normalzie destruction of the shadow mode policy. --- .../shadow_mode_policy.json | 49 +++++++++++++++++++ tools/normalize_contribution.py | 3 ++ 2 files changed, 52 insertions(+) create mode 100644 Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json new file mode 100644 index 00000000..7c87f46e --- /dev/null +++ b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/shadow_mode_policy.json 
@@ -0,0 +1,49 @@
+{
+ "_schema": "SOC Framework shadow_mode production policy v1",
+ "_comment": [
+ "Actions listed in 'production_allowed' have shadow_mode: false in SOCFrameworkActions_V3",
+ "and are explicitly approved to execute in full mode during PoV and production.",
+ "Every entry MUST have a 'reason' and a 'category'.",
+ "Categories: enrichment | analysis | read_only | comms",
+ "All C/E/R destructive actions (isolate, block, delete, reset, revoke, enable) must",
+ "remain shadow_mode: true and must NOT appear here until PS production handoff.",
+ "",
+ "Actions listed in 'dynamic_actions' have their action name resolved at runtime from",
+ "a context key or playbook input and cannot be statically validated. Each entry must",
+ "name the playbook and explain why static resolution is not possible.",
+ "These are warnings in CI, not hard failures."
+ ],
+ "production_allowed": {
+ "soc-get-email-events": {
+ "reason": "Read-only query -- retrieves email event history from vendor, no state change on any system.",
+ "category": "enrichment"
+ },
+ "soc-get-email-forensics": {
+ "reason": "Read-only query -- retrieves forensic metadata for an email message, no state change.",
+ "category": "enrichment"
+ },
+ "soc-file-exists": {
+ "reason": "Read-only check -- queries whether a file path exists on an endpoint, no modification.",
+ "category": "enrichment"
+ },
+ "soc-enrich-file": {
+ "reason": "Read-only enrichment -- hash and reputation lookup against threat intel, no state change.",
+ "category": "enrichment"
+ },
+ "soc-detonate-file": {
+ "reason": "Sandboxed execution -- file detonated in an isolated analysis environment, not on a production system.",
+ "category": "analysis"
+ }
+ },
+ "dynamic_actions": {
+ "SOC_Email_Spread_Evaluation_V3": {
+ "task_id": "7",
+ "resolves_to": "soc-audit-inbox-rules",
+ "reason": "Action name is passed as a playbook input rather than hardcoded. 
Resolved action is soc-audit-inbox-rules which is listed in production_allowed above."
+ }
+ },
+ "id": "SOCFrameworkActions_V3",
+ "name": "SOCFrameworkActions_V3",
+ "display_name": "shadow_mode_policy",
+ "type": "json"
+}
diff --git a/tools/normalize_contribution.py b/tools/normalize_contribution.py
index 5fe7e303..fcdf185a 100644
--- a/tools/normalize_contribution.py
+++ b/tools/normalize_contribution.py
@@ -193,6 +193,9 @@ def _load_pack_registry(packs_root: Optional[Path]) -> tuple[dict, dict]:
 ".secrets-ignore",
 "Author_image.png",
 "CHANGELOG.md",
+ # Policy/config files that live inside List directories but are not
+ # list descriptors or data files — read directly by framework validators.
+ "shadow_mode_policy.json",
 }
 
 # Files in these directories are skipped. They have their own SDK schema
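Review bot: The policy file carries `"id": "SOCFrameworkActions_V3"` and `"name": "SOCFrameworkActions_V3"`, matching the name of the List directory it lives in, so any tool that keys pack content by id will treat the policy and the list as the same item; that collision is a plausible cause of the normalizer deleting the file, which the second file in this patch works around by filename rather than by removing the ambiguity. A distinct id (constructed example: `SOCFrameworkActions_V3_shadow_mode_policy`) or a `_comment` line stating that `id`, `name`, `display_name` and `type` exist only to satisfy the content SDK and that this file is not a list descriptor would make the relationship explicit. The `_comment` also says every entry MUST have a `reason` and a `category`, but the `SOC_Email_Spread_Evaluation_V3` entry under `dynamic_actions` has no `category`; either scope that sentence to `production_allowed` or add the key so the CI check described in the comment has one rule to enforce. The `reason` string of that entry appears to break across two physical lines here; if the newline is in the committed file rather than a rendering artifact, the file is not valid JSON.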
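Review bot: The new entry exempts `shadow_mode_policy.json` by bare filename, so if this set is compared against file names alone — the code that consults it is outside the hunk, and `_load_pack_registry` begins before it — a file of that name anywhere in a pack is exempted, not only the one inside the List directory the comment describes. If that is intended, the comment should say so; otherwise the check should also require the parent to be a `Lists/` entry. Naming the validator that reads the file in the comment (instead of "framework validators") would also make the exemption easier to keep in sync when that reader moves.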
