diff --git a/Dashboards/dashboard-SLA.json b/Dashboards/dashboard-SLA.json
new file mode 100644
index 000000000000..d4df522a69a6
--- /dev/null
+++ b/Dashboards/dashboard-SLA.json
@@ -0,0 +1,260 @@ +{ + "id": "sla-dashboard", + "description": "A new dashboard to give you a good overview of your SLAs.", + "version": -1, + "fromVersion": "4.1.0", + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z", + "name": "SLA", + "layout": [ + { + "id": "25a2e8f0-fd4e-11e8-a656-2b6c8cbabaee", + "forceRange": false, + "x": 6, + "y": 0, + "i": "25a2e8f0-fd4e-11e8-a656-2b6c8cbabaee", + "w": 3, + "h": 1, + "widget": { + "id": "fddd62ff-a411-4e6a-8213-e0277a9b95b5", + "version": 1, + "name": "Mean Time to Detection", + "dataType": "incidents", + "widgetType": "duration", + "query": "-category:job and detectionsla.runStatus:ended", + "sort": null, + "isPredefined": false, + "description": "The mean time (average time) to detection across all incidents that their severity was determined. The widget takes into account incidents from the last 30 days by default.", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z" + }, + "params": { + "keys": [ + "avg|detectionsla.totalDuration" + ] + }, + "size": 0, + "category": "" + } + }, + { + "id": "3747f820-fd4e-11e8-a656-2b6c8cbabaee", + "forceRange": false, + "x": 0, + "y": 0, + "i": "3747f820-fd4e-11e8-a656-2b6c8cbabaee", + "w": 3, + "h": 3, + "widget": { + "id": "1e54092d-1ed0-47a6-862d-893adc05e612", + "version": 1, + "name": "Detection SLA by Status", + "dataType": "incidents", + "widgetType": "pie", + "query": "-category:job and -detectionsla.runStatus:idle", + "sort": null, + "isPredefined": false, + "description": "The detection SLA status of all incidents that their severity was determined. 
The widget takes into account incidents from the last 30 days by default, and inherits new time range when the dashboard time changes.", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z" + }, + "params": { + "groupBy": [ + "detectionsla.slaStatus" + ] + }, + "size": 0, + "category": "" + } + }, + { + "id": "3de5b1e0-fd4e-11e8-a656-2b6c8cbabaee", + "forceRange": false, + "x": 3, + "y": 0, + "i": "3de5b1e0-fd4e-11e8-a656-2b6c8cbabaee", + "w": 3, + "h": 3, + "widget": { + "id": "1767dee0-7f8c-48a5-8988-c58b9e713ab6", + "version": 1, + "name": "Remediation SLA by Status", + "dataType": "incidents", + "widgetType": "pie", + "query": "-category:job and -remediationsla.runStatus:idle", + "sort": null, + "isPredefined": false, + "description": "The remediation SLA status of all incidents that started a remediation process. 
The widget takes into account incidents from the last 30 days by default, and inherits new time range when the dashboard time changes.", + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z" + }, + "params": { + "groupBy": [ + "remediationsla.slaStatus" + ] + }, + "size": 0, + "category": "" + } + }, + { + "id": "a48c1670-fdf1-11e8-a2fa-df5e7de7d45d", + "forceRange": false, + "x": 9, + "y": 0, + "i": "a48c1670-fdf1-11e8-a2fa-df5e7de7d45d", + "w": 3, + "h": 1, + "widget": { + "id": "mean-time-to-resolution", + "version": 169, + "name": "Mean Time To Resolution", + "dataType": "incidents", + "widgetType": "duration", + "query": "-category:job and status:closed", + "sort": null, + "isPredefined": true, + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 7, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z" + }, + "params": { + "keys": [ + "avg|openDuration", + "count|1" + ] + }, + "size": 0, + "category": "" + } + }, + { + "id": "d2bbe430-02a1-11e9-878d-4fff182656eb", + "forceRange": false, + "x": 6, + "y": 1, + "i": "d2bbe430-02a1-11e9-878d-4fff182656eb", + "w": 6, + "h": 5, + "widget": { + "id": "mttd-by-type", + "version": 1, + "name": "MTTD by Type", + "dataType": "incidents", + "widgetType": "line", + "query": "-category:job and detectionsla.runStatus:ended", + "sort": null, + "isPredefined": false, + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 7, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z" + }, + "params": { + "groupBy": [ + "occurred(d)", + "type" + ], + "keys": [ + "avg|detectionsla.totalDuration / 60" + 
] + }, + "size": 0, + "category": "" + } + }, + { + "id": "e30f9430-02a1-11e9-878d-4fff182656eb", + "forceRange": false, + "x": 0, + "y": 3, + "i": "e30f9430-02a1-11e9-878d-4fff182656eb", + "w": 6, + "h": 3, + "widget": { + "id": "mttr-by-type", + "version": 168, + "name": "MTTR by Type", + "dataType": "incidents", + "widgetType": "line", + "query": "-category:job and status:closed", + "sort": null, + "isPredefined": true, + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 7, + "field": "" + }, + "fromDateLicense": "0001-01-01T00:00:00Z" + }, + "params": { + "groupBy": [ + "occurred(d)", + "type" + ], + "keys": [ + "avg|openDuration / (3600*24)" + ] + }, + "size": 0, + "category": "" + } + } + ], + "isPredefined": false +} \ No newline at end of file diff --git a/IncidentFields/incidentfield-detectionsla.json b/IncidentFields/incidentfield-detectionsla.json new file mode 100644 index 000000000000..5464e1897cb9 --- /dev/null +++ b/IncidentFields/incidentfield-detectionsla.json 
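Review bot: The two line widgets `MTTD by Type` and `MTTR by Type` carry no `description`, and their keys rescale the duration differently (`avg|detectionsla.totalDuration / 60` versus `avg|openDuration / (3600*24)`), so nothing tells a reader that one axis is in minutes and the other in days — assuming the raw durations are seconds, which the file does not state. Add a description to each, e.g. `"description": "Average detection time per incident type, in minutes, for the selected period."` and the matching days wording for MTTR, and consider putting the unit in the widget name. The two headline duration widgets on the same row also disagree on their default window (`fromValue` 30 for Mean Time to Detection, 7 for the predefined Mean Time To Resolution); if `forceRange: false` means the dashboard's 30-day period overrides the widget range this is harmless, otherwise the side-by-side numbers cover different windows. The Mean Time to Detection description reads `incidents that their severity was determined`; `incidents whose severity was determined` is the intended phrasing.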
@@ -0,0 +1,37 @@
+{
+ "closeForm": false,
+ "cliName": "detectionsla",
+ "fromVersion": "4.1.0",
+ "neverSetAsRequired": false,
+ "threshold": 72,
+ "id": "incident_detectionsla",
+ "group": 0,
+ "script": "",
+ "isReadOnly": true,
+ "system": false,
+ "content": true,
+ "unsearchable": false,
+ "version": -1,
+ "unmapped": false,
+ "hidden": false,
+ "type": "timer",
+ "editForm": false,
+ "description": "The time it took from incident creation until the maliciousness was determined.",
+ "associatedToAll": true,
+ "breachScript": "",
+ "associatedTypes": [],
+ "caseInsensitive": true,
+ "placeholder": "",
+ "useAsKpi": true,
+ "systemAssociatedTypes": null,
+ "locked": false,
+ "name": "Detection SLA",
+ "ownerOnly": false,
+ "required": false,
+ "modified": "2018-12-11T12:53:48.369705659Z",
+ "fieldCalcScript": "",
+ "selectValues": [],
+ "validationRegex": "",
+ "sla": 20,
+ "releaseNotes": "Added Detection SLA field"
+}
\ No newline at end of file
diff --git a/IncidentFields/incidentfield-remediationsla.json b/IncidentFields/incidentfield-remediationsla.json
new file mode 100644
index 000000000000..6c2de87485a7
--- /dev/null
+++ b/IncidentFields/incidentfield-remediationsla.json
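Review bot: `"sla": 20` and `"threshold": 72` carry no unit, and the same key is 7200 in the remediation field (L7 hunk) and 0 in the time-to-assignment field (L8 hunk), so a reader cannot tell whether 20 and 7200 are minutes or seconds, or whether 0 means "no target"; JSON has no comments, so the `description` is the only place to say it. If these are minutes, `"description": "The time from incident creation until the maliciousness was determined. SLA target: 20 minutes."` (with the matching sentence in the Remediation SLA field) makes the intent reviewable. The description also says "maliciousness was determined" while the dashboard widget added in the same commit says "severity was determined"; pick one term for both.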
@@ -0,0 +1,37 @@
+{
+ "closeForm": false,
+ "fromVersion": "4.1.0",
+ "cliName": "remediationsla",
+ "neverSetAsRequired": false,
+ "threshold": 72,
+ "id": "incident_remediationsla",
+ "group": 0,
+ "script": "",
+ "isReadOnly": true,
+ "system": false,
+ "content": true,
+ "unsearchable": false,
+ "version": -1,
+ "unmapped": false,
+ "hidden": false,
+ "type": "timer",
+ "editForm": false,
+ "description": "The time it took since remediation of the incident began, and until it ended.",
+ "associatedToAll": true,
+ "breachScript": "",
+ "associatedTypes": [],
+ "caseInsensitive": true,
+ "placeholder": "",
+ "useAsKpi": true,
+ "systemAssociatedTypes": null,
+ "locked": false,
+ "name": "Remediation SLA",
+ "ownerOnly": false,
+ "required": false,
+ "modified": "2018-12-11T12:53:56.816268002Z",
+ "fieldCalcScript": "",
+ "selectValues": [],
+ "validationRegex": "",
+ "sla": 7200,
+ "releaseNotes": "Added Remediation SLA field"
+ }
\ No newline at end of file
diff --git a/IncidentFields/incidentfield-timetoassignment.json b/IncidentFields/incidentfield-timetoassignment.json
new file mode 100644
index 000000000000..36bf72fd999a
--- /dev/null
+++ b/IncidentFields/incidentfield-timetoassignment.json
@@ -0,0 +1,37 @@
+{
+ "closeForm": false,
+ "cliName": "timetoassignment",
+ "fromVersion": "4.1.0",
+ "neverSetAsRequired": false,
+ "threshold": 72,
+ "id": "incident_timetoassignment",
+ "group": 0,
+ "script": "",
+ "isReadOnly": true,
+ "system": false,
+ "content": true,
+ "unsearchable": false,
+ "version": -1,
+ "unmapped": false,
+ "hidden": false,
+ "type": "timer",
+ "editForm": false,
+ "description": "The time it took from when the incident was created until a user was assigned to it.",
+ "associatedToAll": true,
+ "breachScript": "",
+ "associatedTypes": null,
+ "caseInsensitive": true,
+ "placeholder": "",
+ "useAsKpi": true,
+ "systemAssociatedTypes": null,
+ "locked": false,
+ "name": "Time to Assignment",
+ "ownerOnly": false,
+ "required": false,
+ "modified": "2018-12-11T12:55:38.305896432Z",
+ "fieldCalcScript": "",
+ "selectValues": null,
+ "validationRegex": "",
+ "sla": 0,
+ "releaseNotes": "Added Time to Assignment field"
+}
\ No newline at end of file
diff --git a/IncidentFields/incidentfields.json b/IncidentFields/incidentfields.json
index 2e06106ba701..30bb9b0318aa 100644
--- a/IncidentFields/incidentfields.json
+++ b/IncidentFields/incidentfields.json
@@ -1,4 +1,5 @@
 {
+ "releaseNotes": "-",
 "incidentFields": [
 {
 "id": "incident_app",
@@ -1653,4 +1654,3 @@
 }
 ]
 }
-
diff --git a/Layouts/layout-details-Phishing.json b/Layouts/layout-details-Phishing.json
index c788c8cf992d..9c642ac20fb1 100644
--- a/Layouts/layout-details-Phishing.json
+++ b/Layouts/layout-details-Phishing.json
@@ -1,10 +1,11 @@
 {
+ "releaseNotes": "New SLA content",
 "typeId": "Phishing",
 "kind": "details",
 "layout": {
 "id": "Phishing",
 "version": -1,
- "modified": "2018-09-09T10:43:29.758272+03:00",
+ "modified": "2018-12-18T09:26:45.523902097Z",
 "name": "",
 "sections": [
 {
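Review bot: `associatedTypes` and `selectValues` are `null` here but `[]` in the detection and remediation fields added in the L6 and L7 hunks, so the same key has two types across three files introduced by one commit; a consumer that iterates these without a null check behaves differently per field. Use `[]` in all three unless `null` is deliberately distinct for this field type: `"associatedTypes": [],` and `"selectValues": [],`. `"sla": 0` presumably means this timer has no SLA target; saying so in the `description` would remove the guess.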
@@ -135,6 +136,20 @@
 "fieldId": "incident_playbookid",
 "isVisible": true
 },
+ {
+ "id": "",
+ "version": 0,
+ "modified": "0001-01-01T00:00:00Z",
+ "fieldId": "incident_detectionsla",
+ "isVisible": true
+ },
+ {
+ "id": "",
+ "version": 0,
+ "modified": "0001-01-01T00:00:00Z",
+ "fieldId": "incident_remediationsla",
+ "isVisible": true
+ },
 {
 "id": "",
 "version": 0,
@@ -605,4 +620,4 @@
 }
 ]
 }
-}
+}
\ No newline at end of file
diff --git a/Layouts/layout-quickView-Phishing.json b/Layouts/layout-quickView-Phishing.json
new file mode 100644
index 000000000000..9fddd11cc64b
--- /dev/null
+++ b/Layouts/layout-quickView-Phishing.json
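Review bot: The details layout gains `incident_detectionsla` and `incident_remediationsla` but not `incident_timetoassignment`, although this commit adds that field with the same `timer` type and `associatedToAll: true`, and the new quickView layout (L10–L19 hunk) does list it. If the omission is deliberate, a sentence in the file's `releaseNotes` saying so would help; otherwise add a third entry after the remediation one, `"fieldId": "incident_timetoassignment",` with the same `id`/`version`/`modified`/`isVisible` values as its neighbours. The enclosing `fields` array starts and ends outside this hunk.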
@@ -0,0 +1,1035 @@ +{ + "releaseNotes": "Added SLAs for quickview", + "typeId": "Phishing", + "kind": "quickView", + "layout": { + "id": "Phishing", + "version": -1, + "modified": "2018-12-18T09:27:21.43610162Z", + "name": "", + "sections": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Basic Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_type", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_severity", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_owner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotstatus", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_sourcebrand", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_sourceinstance", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_playbookid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_detectionsla", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_remediationsla", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_phase", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_roles", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Timeline 
Information", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotcreated", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_occurred", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotduedate", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbotmodified", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_dbottotaltime", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Custom Fields", + "type": "", + "isVisible": true, + "readOnly": false, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_1longtexttest", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_3", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_4", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_5", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_6", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_7", + "isVisible": true + }, + { + "id": "", + "version": 0, + 
"modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_8", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_9", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_adgroupname", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_ainsensitive", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_alertlevel", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_amarkdownsection", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_anothernumberpleasejusttomakesure", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_asensitive", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_attach", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_backupowner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_bool1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_bool2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_booleansummary", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_booleantest", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_boolfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": 
"0001-01-01T00:00:00Z", + "fieldId": "incident_casenumber", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_cleanname", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_closeinvestcustom", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_compliance", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_constvalue", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_customfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_date2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_department", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_departmentadmin", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_destinationip", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_detectionsla", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_disposition", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_docsgrid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_edennum", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_emailtag2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + 
"fieldId": "incident_escalationdate", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_falses", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_fetchid", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_fetchtype", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_field1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_field2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_field3", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_field4", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_fieldone", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_fieldtwo", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_hadastry", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_host", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_htmltypefield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_important", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_incidentactions", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_infectedhost", + "isVisible": true + 
}, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_internalemail", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_itaytestfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_killchain", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_lob", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_longtextone", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_longtexttoo", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_mttd", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_multilinetext", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_multiselect", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_mydate", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_myname", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_myseverity", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_newmarkdownfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_newtextfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_noastable", + "isVisible": true + }, + { + "id": "", + "version": 0, + 
"modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_numberplease", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_objecttype", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_originalhtml", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_oriwithspace", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_priority", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_queues", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_relatedincidentssummary", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_remediationsla", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_reporttable", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_riskscore", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_selector", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_sensitive", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_sensorinstalled", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_shiftnotes", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_shrikitable", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": 
"0001-01-01T00:00:00Z", + "fieldId": "incident_single", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_single2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_slatest", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_source", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_sourceip", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_sourceip1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_subcat", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_subcategory", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_table", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_targethostname", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_team", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_telefield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_teleselect", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_test", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_test111", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_testfield", + 
"isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_testguy", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_thisismysuperlongfield", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_tier2owner", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timeassignedtolevel2", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timefield1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timelevel1", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timetoassignment", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timetoinvestigate", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timetomitigate", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_timetotriage", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_tldr", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_tlp", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_tr123", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_uniquefiled", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_useremail", + "isVisible": 
true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_userinformation", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_username", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_vvvv", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_windowlocation", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_windowupgrade", + "isVisible": true + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_windowupgraded", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + }, + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "name": "Labels", + "type": "labels", + "isVisible": true, + "readOnly": true, + "fields": [ + { + "id": "", + "version": 0, + "modified": "0001-01-01T00:00:00Z", + "fieldId": "incident_labels", + "isVisible": true + } + ], + "description": "", + "query": null, + "queryType": "" + } + ] + } +} \ No newline at end of file diff --git a/Playbooks/playbook-Phishing_Investigation_-_Generic.yml b/Playbooks/playbook-Phishing_Investigation_-_Generic.yml index 137135a7c062..2bb03e2d339e 100644 --- a/Playbooks/playbook-Phishing_Investigation_-_Generic.yml +++ b/Playbooks/playbook-Phishing_Investigation_-_Generic.yml @@ -1,7 +1,7 @@ id: Phishing Investigation - Generic version: -1 +fromversion: 4.1.0 name: Phishing Investigation - Generic -fromversion: 4.0 description: |- Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself. 
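Review bot: The `Custom Fields` section of the new quickView layout lists dozens of fields that look like leftovers from the exporting development server rather than shipped content — `incident_1longtexttest`, `incident_anothernumberpleasejusttomakesure`, `incident_itaytestfield`, `incident_hadastry`, `incident_testguy`, `incident_thisismysuperlongfield` and many more — none of which is defined in this commit or in the visible `incidentfields.json` hunks. Shipping them makes the layout reference fields that do not exist on a customer server, and it leaks internal field names (including what appear to be developer names) into a public content pack. Trim the section to the fields the pack actually defines (`incident_detectionsla`, `incident_remediationsla`, `incident_timetoassignment` plus any established ones) before merging; the `Basic Information`, `Timeline Information` and `Labels` sections look fine.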
@@ -10,10 +10,10 @@ starttaskid: "0" tasks: "0": id: "0" - taskid: 32d25ab2-8fa5-46cd-82df-78dc402c0150 + taskid: 44927568-9dcf-4acb-84c2-1466eb224729 type: start task: - id: 32d25ab2-8fa5-46cd-82df-78dc402c0150 + id: 44927568-9dcf-4acb-84c2-1466eb224729 version: -1 name: "" description: "" @@ -21,23 +21,23 @@ tasks: brand: "" nexttasks: '#none#': - - "11" - - "18" + - "39" separatecontext: false view: |- { "position": { "x": 592.5, - "y": 50 + "y": -130 } } note: false + timertriggers: [] "2": id: "2" - taskid: 17b50e98-fd3e-4410-80c7-a6095629096c + taskid: c4e87e26-a8fc-473a-8f84-e63335a552e8 type: regular task: - id: 17b50e98-fd3e-4410-80c7-a6095629096c + id: c4e87e26-a8fc-473a-8f84-e63335a552e8 version: -1 name: Assign to analyst description: Assign the incident to an analyst based on the analyst's organizational @@ -66,12 +66,13 @@ tasks: } } note: false + timertriggers: [] "6": id: "6" - taskid: 5882f2a4-7949-4121-8dc6-09a44bc78a48 + taskid: c3cd10bc-d79e-4471-8b28-82613ac05418 type: playbook task: - id: 5882f2a4-7949-4121-8dc6-09a44bc78a48 + id: c3cd10bc-d79e-4471-8b28-82613ac05418 version: -1 name: "" description: "" @@ -91,12 +92,13 @@ tasks: } } note: false + timertriggers: [] "7": id: "7" - taskid: 96f4ce72-93d9-45b9-8831-0cbda3396066 + taskid: 89d7dd49-06a3-4397-8b72-f4428bf24805 type: regular task: - id: 96f4ce72-93d9-45b9-8831-0cbda3396066 + id: 89d7dd49-06a3-4397-8b72-f4428bf24805 version: -1 name: Manually review the incident description: Review the incident to determine if the email that the user reported @@ -116,12 +118,13 @@ tasks: } } note: false + timertriggers: [] "8": id: "8" - taskid: 0cead84c-7626-4cc0-839f-d1b8d5260b9c + taskid: 104d08e2-78ad-496f-81f6-f3ebe77f3b5a type: regular task: - id: 0cead84c-7626-4cc0-839f-d1b8d5260b9c + id: 104d08e2-78ad-496f-81f6-f3ebe77f3b5a version: -1 name: Close investigation description: Close the investigation. 
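Review bot: In the `@@ -21,23 +21,23 @@` hunk the start task's `nexttasks` now points only to `"39"`, replacing the fan-out to `"11"` (Triage) and `"18"` (Engage with User), and the `'Malicious '` branch in the `@@ -295,7 +303,7 @@` hunk (L22) now targets `"41"` instead of `"30"`; neither task 39 nor 41 is defined in any hunk shown here, so I cannot confirm that 39 still reaches both 11 and 18, or whether 30 remains reachable or was removed. Please check those definitions — presumably the new timer tasks, given the `timertriggers: []` additions — and confirm no task became an orphan. Every task also receives a fresh `taskid`/`id` UUID (continuing through the L21 and L22 hunks) although only positions and `timertriggers` changed; if the editor regenerates these on save that is expected, but it makes the functional change hard to review. The `tasks` mapping begins and ends outside these hunks.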
@@ -145,17 +148,18 @@ tasks: view: |- { "position": { - "x": 695, - "y": 2700 + "x": 685, + "y": 3290 } } note: false + timertriggers: [] "11": id: "11" - taskid: 6b039cde-c519-4ad2-83b7-17dbefb01c7b + taskid: f90db644-38c8-4d31-840c-4b5b16069a33 type: title task: - id: 6b039cde-c519-4ad2-83b7-17dbefb01c7b + id: f90db644-38c8-4d31-840c-4b5b16069a33 version: -1 name: Triage description: "" @@ -174,12 +178,13 @@ tasks: } } note: false + timertriggers: [] "12": id: "12" - taskid: 40a1c30b-92a4-41fc-84f3-c8474693f931 + taskid: 1a99d7e1-2c84-4d57-80be-0ec42482d952 type: regular task: - id: 40a1c30b-92a4-41fc-84f3-c8474693f931 + id: 1a99d7e1-2c84-4d57-80be-0ec42482d952 version: -1 name: Store the email address of the reporting user description: Store the email address of the user that reported the incident. @@ -209,12 +214,13 @@ tasks: } } note: false + timertriggers: [] "13": id: "13" - taskid: 4aafb18b-b981-470e-864c-5caedb033ce0 + taskid: 0f0f8a66-8f89-43fe-8e23-33d1d476c175 type: regular task: - id: 4aafb18b-b981-470e-864c-5caedb033ce0 + id: 0f0f8a66-8f89-43fe-8e23-33d1d476c175 version: -1 name: Acknowledge incident was received description: | @@ -254,12 +260,13 @@ tasks: } } note: false + timertriggers: [] "14": id: "14" - taskid: 849b0463-ea4a-4860-86b5-825e5cda8a08 + taskid: ca8ce4fe-c164-447f-872e-7a4ecf2cdbcd type: playbook task: - id: 849b0463-ea4a-4860-86b5-825e5cda8a08 + id: ca8ce4fe-c164-447f-872e-7a4ecf2cdbcd version: -1 name: Email Address Enrichment - Generic description: "" @@ -279,12 +286,13 @@ tasks: } } note: false + timertriggers: [] "15": id: "15" - taskid: f3ddd9af-36b1-44fb-8eaf-1a71be6b34fb + taskid: bd6e25bf-75cc-41b0-8f27-12b96b0f5ca4 type: condition task: - id: f3ddd9af-36b1-44fb-8eaf-1a71be6b34fb + id: bd6e25bf-75cc-41b0-8f27-12b96b0f5ca4 version: -1 name: Is the email malicious? description: Determine if the email is malicious based on the calculated severity. 
@@ -295,7 +303,7 @@ tasks: '#default#': - "31" 'Malicious ': - - "30" + - "41" separatecontext: false conditions: - label: 'Malicious ' @@ -316,12 +324,13 @@ tasks: } } note: false + timertriggers: [] "16": id: "16" - taskid: 79084bbf-1187-4b31-82f2-8b153a093a49 + taskid: ac0d8fe7-8ec0-49b8-8947-75d3bb87437c type: regular task: - id: 79084bbf-1187-4b31-82f2-8b153a093a49 + id: ac0d8fe7-8ec0-49b8-8947-75d3bb87437c version: -1 name: Update the user that the reported email is safe description: Send an email to the user explaining that the email they reported @@ -357,17 +366,18 @@ tasks: view: |- { "position": { - "x": 60, - "y": 2525 + "x": 40, + "y": 2865 } } note: false + timertriggers: [] "17": id: "17" - taskid: f7788586-5020-4246-8946-2021c76dc722 + taskid: 3616a344-7c58-4ac0-86fe-bad84f58c2e2 type: regular task: - id: f7788586-5020-4246-8946-2021c76dc722 + id: 3616a344-7c58-4ac0-86fe-bad84f58c2e2 version: -1 name: Update the user that the reported email is malicious description: Send an email to the user explaining that the email they reported @@ -401,17 +411,18 @@ tasks: view: |- { "position": { - "x": 807.5, - "y": 2030 + "x": 797.5, + "y": 2200 } } note: false + timertriggers: [] "18": id: "18" - taskid: 916bc6c8-6d46-4f04-8bd2-1152736b7984 + taskid: a4de0c33-52a7-42d9-8e4d-1a753a62d20e type: title task: - id: 916bc6c8-6d46-4f04-8bd2-1152736b7984 + id: a4de0c33-52a7-42d9-8e4d-1a753a62d20e version: -1 name: Engage with User description: "" @@ -430,12 +441,13 @@ tasks: } } note: false + timertriggers: [] "22": id: "22" - taskid: ca065734-ff0b-4d84-8bfe-a93298bd34ab + taskid: d24700ff-dc15-4f52-8faa-ab74f7d65ae3 type: playbook task: - id: ca065734-ff0b-4d84-8bfe-a93298bd34ab + id: d24700ff-dc15-4f52-8faa-ab74f7d65ae3 version: -1 name: Detonate File - Generic description: "" 
@@ -455,12 +467,13 @@ tasks: } } note: false + timertriggers: [] "25": id: "25" - taskid: fb79a97c-7e8d-4004-8a89-4297f9d0a9cf + taskid: ecff99fe-b6cf-4306-8609-9ca00a5dcc8f type: playbook task: - id: fb79a97c-7e8d-4004-8a89-4297f9d0a9cf + id: ecff99fe-b6cf-4306-8609-9ca00a5dcc8f version: -1 name: Entity Enrichment - Generic description: "" @@ -480,12 +493,13 @@ tasks: } } note: false + timertriggers: [] "26": id: "26" - taskid: 2cf1ade0-ab88-4dfd-819e-c134627edaf7 + taskid: 87a23c95-84b5-4343-8a01-d70c6f97702a type: playbook task: - id: 2cf1ade0-ab88-4dfd-819e-c134627edaf7 + id: 87a23c95-84b5-4343-8a01-d70c6f97702a version: -1 name: Process Email - Generic description: "" @@ -506,12 +520,13 @@ tasks: } } note: false + timertriggers: [] "27": id: "27" - taskid: d73d68a4-dff2-4cae-8645-972f9c328444 + taskid: 1b402b79-641b-4ac1-8124-80e939ae3bd4 type: title task: - id: d73d68a4-dff2-4cae-8645-972f9c328444 + id: 1b402b79-641b-4ac1-8124-80e939ae3bd4 version: -1 name: Remediate description: "" @@ -520,24 +535,23 @@ tasks: brand: "" nexttasks: '#none#': - - "34" - - "36" - - "37" + - "42" separatecontext: false view: |- { "position": { - "x": 807.5, - "y": 2205 + "x": 797.5, + "y": 2375 } } note: false + timertriggers: [] "28": id: "28" - taskid: 6cc94de8-1f6c-4832-805b-43ec888fcf1b + taskid: 2f89f21c-0088-460a-81b2-b0c3f021b89c type: playbook task: - id: 6cc94de8-1f6c-4832-805b-43ec888fcf1b + id: 2f89f21c-0088-460a-81b2-b0c3f021b89c version: -1 name: Search And Delete Emails - Generic description: "" @@ -547,22 +561,23 @@ tasks: brand: "" nexttasks: '#none#': - - "8" + - "43" separatecontext: true view: |- { "position": { - "x": 910, - "y": 2525 + "x": 890, + "y": 2865 } } note: false + timertriggers: [] "29": id: "29" - taskid: e9a74030-baa8-43f9-8c35-54f8ae2d6b7b + taskid: 8f9afe19-c4b2-4f86-8544-4fee8d8455d1 type: title task: - id: e9a74030-baa8-43f9-8c35-54f8ae2d6b7b + id: 8f9afe19-c4b2-4f86-8544-4fee8d8455d1 version: -1 name: Done description: "" 
@@ -573,17 +588,18 @@ tasks: view: |- { "position": { - "x": 695, - "y": 2875 + "x": 685, + "y": 3465 } } note: false + timertriggers: [] "30": id: "30" - taskid: 824c86e1-14a5-42cf-8516-e5f893558f09 + taskid: 50789baf-1476-467a-8386-0be463a4a460 type: title task: - id: 824c86e1-14a5-42cf-8516-e5f893558f09 + id: 50789baf-1476-467a-8386-0be463a4a460 version: -1 name: Malicious description: "" @@ -597,17 +613,18 @@ tasks: view: |- { "position": { - "x": 807.5, - "y": 1885 + "x": 797.5, + "y": 2055 } } note: false + timertriggers: [] "31": id: "31" - taskid: 717e858d-5696-441b-8ff2-30f798cea618 + taskid: 7d784d78-4fc1-4465-8a32-4c13aff74e60 type: title task: - id: 717e858d-5696-441b-8ff2-30f798cea618 + id: 7d784d78-4fc1-4465-8a32-4c13aff74e60 version: -1 name: Undetermined description: "" @@ -626,12 +643,13 @@ tasks: } } note: false + timertriggers: [] "33": id: "33" - taskid: f59a91ed-b686-4133-8f23-13338cff2d6e + taskid: 6f2e21d2-2a93-433e-81f5-3c9abd359e95 type: condition task: - id: f59a91ed-b686-4133-8f23-13338cff2d6e + id: 6f2e21d2-2a93-433e-81f5-3c9abd359e95 version: -1 name: Is the email malicious? description: Is the email that the user reported malicious? @@ -640,9 +658,9 @@ tasks: brand: "" nexttasks: "No": - - "16" - "yes": - - "30" + - "40" + "Yes": + - "41" separatecontext: false view: |- { @@ -652,12 +670,13 @@ tasks: } } note: false + timertriggers: [] "34": id: "34" - taskid: 17f0be59-6aff-4f12-829a-395597295427 + taskid: 536ca1cd-adbe-4db2-89c1-318be024fc3e type: regular task: - id: 17f0be59-6aff-4f12-829a-395597295427 + id: 536ca1cd-adbe-4db2-89c1-318be024fc3e version: -1 name: Manually remediate the incident description: "Consider the following:\n1. Search for and delete similar emails\n2. 
@@ -669,22 +688,23 @@ tasks: brand: "" nexttasks: '#none#': - - "8" + - "43" separatecontext: false view: |- { "position": { - "x": 460, - "y": 2360 + "x": 440, + "y": 2700 } } note: false + timertriggers: [] "35": id: "35" - taskid: 524a2856-34ef-4752-862d-90daa98875ee + taskid: cd577642-8baf-4aba-87d9-29f0366aa173 type: playbook task: - id: 524a2856-34ef-4752-862d-90daa98875ee + id: cd577642-8baf-4aba-87d9-29f0366aa173 version: -1 name: Extract Indicators From File - Generic description: "" @@ -704,12 +724,13 @@ tasks: } } note: false + timertriggers: [] "36": id: "36" - taskid: 9aff5a75-b7eb-410a-8751-6cc749dc9df5 + taskid: eebcf7b0-41c8-4185-8fad-977de983ab65 type: condition task: - id: 9aff5a75-b7eb-410a-8751-6cc749dc9df5 + id: eebcf7b0-41c8-4185-8fad-977de983ab65 version: -1 name: Execute the "Search and Delete" sub-playbook? description: Verify that the "Search and Delete" parameter is set to "True"? @@ -718,7 +739,7 @@ tasks: brand: "" nexttasks: '#default#': - - "8" + - "43" "yes": - "28" separatecontext: false @@ -744,17 +765,18 @@ tasks: view: |- { "position": { - "x": 910, - "y": 2360 + "x": 890, + "y": 2700 } } note: false + timertriggers: [] "37": id: "37" - taskid: 8277280f-0c19-4d99-85c9-39e19f60bc0d + taskid: f6b138df-f341-4cc0-8b9a-7f4ba4a06c71 type: condition task: - id: 8277280f-0c19-4d99-85c9-39e19f60bc0d + id: f6b138df-f341-4cc0-8b9a-7f4ba4a06c71 version: -1 name: Execute the "Block Indicators" sub-playbook? description: Verify that the "Block indicators" parameter is set to "True"? @@ -763,7 +785,7 @@ tasks: brand: "" nexttasks: '#default#': - - "8" + - "43" "yes": - "38" separatecontext: false 
@@ -789,17 +811,18 @@ tasks: view: |- { "position": { - "x": 1350, - "y": 2360 + "x": 1330, + "y": 2700 } } note: false + timertriggers: [] "38": id: "38" - taskid: 2198ea9b-926d-4f25-829e-39c390771dfb + taskid: cfb76a8d-e926-41a3-8036-6d4d54abf96d type: playbook task: - id: 2198ea9b-926d-4f25-829e-39c390771dfb + id: cfb76a8d-e926-41a3-8036-6d4d54abf96d version: -1 name: Block Indicators - Generic description: "" 
@@ -809,25 +832,164 @@ tasks: brand: "" nexttasks: '#none#': - - "8" + - "43" separatecontext: true view: |- { "position": { - "x": 1350, - "y": 2525 + "x": 1330, + "y": 2865 + } + } + note: false + timertriggers: [] + "39": + id: "39" + taskid: 5ff2d707-a036-4db0-8851-ed3ec61802db + type: title + task: + id: 5ff2d707-a036-4db0-8851-ed3ec61802db + version: -1 + name: Start Detection Timer + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + - "18" + separatecontext: false + view: |- + { + "position": { + "x": 592.5, + "y": 0 + } + } + note: false + timertriggers: + - fieldname: detectionsla + action: start + "40": + id: "40" + taskid: 83e23120-b009-4565-8ab7-880b247aee16 + type: title + task: + id: 83e23120-b009-4565-8ab7-880b247aee16 + version: -1 + name: Stop Detection Timer + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "16" + separatecontext: false + view: |- + { + "position": { + "x": 60, + "y": 2260 + } + } + note: false + timertriggers: + - fieldname: detectionsla + action: stop + "41": + id: "41" + taskid: 88612884-d640-4dd1-85f4-0daa684ecf99 + type: title + task: + id: 88612884-d640-4dd1-85f4-0daa684ecf99 + version: -1 + name: Stop Detection Timer + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "30" + separatecontext: false + view: |- + { + "position": { + "x": 797.5, + "y": 1880 + } + } + note: false + timertriggers: + - fieldname: detectionsla + action: stop + "42": + id: "42" + taskid: b7d4e2cb-4d75-4c0d-8d87-732af590173e + type: title + task: + id: b7d4e2cb-4d75-4c0d-8d87-732af590173e + version: -1 + name: Start Remediation Timer + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "34" + - "37" + - "36" + separatecontext: false + view: |- + { + "position": { + "x": 890, + "y": 2530 + } + } + note: false + timertriggers: + - fieldname: remediationsla + action: start + "43": + id: 
"43" + taskid: f863f789-c46a-44e2-8d8b-02174df5010b + type: title + task: + id: f863f789-c46a-44e2-8d8b-02174df5010b + version: -1 + name: Stop Remediation Timer + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + separatecontext: false + view: |- + { + "position": { + "x": 685, + "y": 3150 } } note: false + timertriggers: + - fieldname: remediationsla + action: stop view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 2890, + "height": 3660, "width": 1670, - "x": 60, - "y": 50 + "x": 40, + "y": -130 } } } @@ -852,6 +1014,7 @@ inputs: Enable the "Block Indicators" capability (can be either "True" or "False"). In case of a malicious email, the "Block Indicators" sub-playbook will block all malicious indicators in the relevant integrations. outputs: [] +releaseNotes: "-" tests: - Phishing test - attachment -- Phishing test - Inline +- Phishing test - Inline \ No newline at end of file diff --git a/Playbooks/playbook-Phishing_Investigation_-_Generic_4.0.yml b/Playbooks/playbook-Phishing_Investigation_-_Generic_4.0.yml new file mode 100644 index 000000000000..d8ac1837a14b --- /dev/null +++ b/Playbooks/playbook-Phishing_Investigation_-_Generic_4.0.yml 
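Review bot: The new `Stop Remediation Timer` task (43) is wired directly from the `#default#` edges of conditions 36 and 37, which are taken whenever `SearchAndDelete`/`BlockIndicators` stay at their default `False`, while the manual task 34 (`Manually remediate the incident`) on the parallel branch from 42 may still be open. If a task with several inbound links runs as soon as the first branch arrives rather than joining on all of them, `remediationsla` would be stopped before any remediation actually happened and the dashboard's remediation figures would read optimistically; if tasks join, this is fine — worth confirming, since the pre-existing wiring into `Close investigation` (8) had the same shape and presumably relies on join semantics. Either way the intent should be stated on the task, e.g. `description: Stops the remediation SLA timer once every remediation branch (manual, search-and-delete, block) has completed.` on task 43 and the matching `description: Starts the remediation SLA timer; brackets the whole Remediate section.` on task 42.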
@@ -0,0 +1,859 @@ +id: Phishing Investigation - Generic +version: -1 +name: Phishing Investigation - Generic +fromversion: 4.0.0 +toversion: 4.0.9 +description: |- + Use this playbook to investigate and remediate a potential phishing incident. The playbook simultaneously engages with the user that triggered the incident, while investigating the incident itself. + + The final remediation tasks are always decided by a human analyst. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 32d25ab2-8fa5-46cd-82df-78dc402c0150 + type: start + task: + id: 32d25ab2-8fa5-46cd-82df-78dc402c0150 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + - "18" + separatecontext: false + view: |- + { + "position": { + "x": 592.5, + "y": 50 + } + } + note: false + "2": + id: "2" + taskid: 17b50e98-fd3e-4410-80c7-a6095629096c + type: regular + task: + id: 17b50e98-fd3e-4410-80c7-a6095629096c + version: -1 + name: Assign to analyst + description: Assign the incident to an analyst based on the analyst's organizational + role. 
+ scriptName: AssignAnalystToIncident + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + assignBy: {} + email: {} + roles: + complex: + root: inputs.Role + username: {} + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 592.5, + "y": 1040 + } + } + note: false + "6": + id: "6" + taskid: 5882f2a4-7949-4121-8dc6-09a44bc78a48 + type: playbook + task: + id: 5882f2a4-7949-4121-8dc6-09a44bc78a48 + version: -1 + name: "" + description: "" + playbookName: Calculate Severity - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 865 + } + } + note: false + "7": + id: "7" + taskid: 96f4ce72-93d9-45b9-8831-0cbda3396066 + type: regular + task: + id: 96f4ce72-93d9-45b9-8831-0cbda3396066 + version: -1 + name: Manually review the incident + description: Review the incident to determine if the email that the user reported + is malicious. + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + separatecontext: false + view: |- + { + "position": { + "x": 60, + "y": 1535 + } + } + note: false + "8": + id: "8" + taskid: 0cead84c-7626-4cc0-839f-d1b8d5260b9c + type: regular + task: + id: 0cead84c-7626-4cc0-839f-d1b8d5260b9c + version: -1 + name: Close investigation + description: Close the investigation. 
+ script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "29" + scriptarguments: + assetid: {} + closeNotes: {} + closeReason: {} + id: {} + importantfield: {} + test2: {} + timefield1: {} + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 695, + "y": 2700 + } + } + note: false + "11": + id: "11" + taskid: 6b039cde-c519-4ad2-83b7-17dbefb01c7b + type: title + task: + id: 6b039cde-c519-4ad2-83b7-17dbefb01c7b + version: -1 + name: Triage + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "26" + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 195 + } + } + note: false + "12": + id: "12" + taskid: 40a1c30b-92a4-41fc-84f3-c8474693f931 + type: regular + task: + id: 40a1c30b-92a4-41fc-84f3-c8474693f931 + version: -1 + name: Store the email address of the reporting user + description: Store the email address of the user that reported the incident. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "14" + scriptarguments: + append: + simple: "true" + key: + simple: Account.Email.Address + value: + complex: + root: incident + accessor: labels.Email/from + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 1022.5, + "y": 515 + } + } + note: false + "13": + id: "13" + taskid: 4aafb18b-b981-470e-864c-5caedb033ce0 + type: regular + task: + id: 4aafb18b-b981-470e-864c-5caedb033ce0 + version: -1 + name: Acknowledge incident was received + description: | + Send an auto-response to user that reported the incident, informing them the incident was received and being handled. + script: '|||send-mail' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + attachIDs: {} + attachNames: {} + bcc: {} + body: + simple: "Hi ${.=val.Account.DisplayName && val.Email.Address === val.incident.labels['Email/from'] + ? 
val.Account.DisplayName : val.incident.labels['Email/from']},\nWe've received + your email and are investigating.\nPlease do not touch the email until further + notice.\n\nCordially, \n Your friendly neighborhood security team" + cc: {} + htmlBody: {} + replyTo: {} + subject: + simple: 'Re: Phishing Investigation - ${incident.name}' + to: + complex: + root: incident + accessor: labels.Email/from + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 1022.5, + "y": 865 + } + } + note: false + "14": + id: "14" + taskid: 849b0463-ea4a-4860-86b5-825e5cda8a08 + type: playbook + task: + id: 849b0463-ea4a-4860-86b5-825e5cda8a08 + version: -1 + name: Email Address Enrichment - Generic + description: "" + playbookName: Email Address Enrichment - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "13" + separatecontext: true + view: |- + { + "position": { + "x": 1022.5, + "y": 690 + } + } + note: false + "15": + id: "15" + taskid: f3ddd9af-36b1-44fb-8eaf-1a71be6b34fb + type: condition + task: + id: f3ddd9af-36b1-44fb-8eaf-1a71be6b34fb + version: -1 + name: Is the email malicious? + description: Determine if the email is malicious based on the calculated severity. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "31" + 'Malicious ': + - "30" + separatecontext: false + conditions: + - label: 'Malicious ' + condition: + - - operator: greaterThanOrEqual + left: + value: + simple: incident.severity + iscontext: true + right: + value: + simple: "2" + view: |- + { + "position": { + "x": 592.5, + "y": 1215 + } + } + note: false + "16": + id: "16" + taskid: 79084bbf-1187-4b31-82f2-8b153a093a49 + type: regular + task: + id: 79084bbf-1187-4b31-82f2-8b153a093a49 + version: -1 + name: Update the user that the reported email is safe + description: Send an email to the user explaining that the email they reported + is safe. 
+ scriptName: SendEmail + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + attachIDs: {} + bcc: {} + body: + simple: |- + Hi ${.=val.Account.DisplayName && val.Email.Address === val.incident.labels['Email/from'] ? val.Account.DisplayName : val.incident.labels['Email/from']}, + We've concluded that the email you forwarded to us is safe. + Thank you for your alertness and your participation in keeping our organization secure. + + Cordially, + Your security team + cc: {} + htmlBody: {} + noteEntryID: {} + replyTo: {} + subject: + simple: 'Re: Phishing Investigation - ${incident.name}' + to: + simple: ${incident.labels.Email/from} + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 60, + "y": 2525 + } + } + note: false + "17": + id: "17" + taskid: f7788586-5020-4246-8946-2021c76dc722 + type: regular + task: + id: f7788586-5020-4246-8946-2021c76dc722 + version: -1 + name: Update the user that the reported email is malicious + description: Send an email to the user explaining that the email they reported + is malicious. + script: '|||send-mail' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "27" + scriptarguments: + attachIDs: {} + attachNames: {} + bcc: {} + body: + simple: |- + Hi ${.=val.Account.DisplayName && val.Email.Address === val.incident.labels['Email/from'] ? val.Account.DisplayName : val.incident.labels['Email/from']}, + We've concluded that the email you forwarded to us is malicious. We've taken steps to blacklist the sender and quarantine the email. Good job on detecting and forwarding it to us! 
+ + All the best, + Your security team + cc: {} + htmlBody: {} + replyTo: {} + subject: + simple: 'Re: Phishing Investigation - ${incident.name}' + to: + simple: ${incident.labels.Email/from} + separatecontext: false + view: |- + { + "position": { + "x": 807.5, + "y": 2030 + } + } + note: false + "18": + id: "18" + taskid: 916bc6c8-6d46-4f04-8bd2-1152736b7984 + type: title + task: + id: 916bc6c8-6d46-4f04-8bd2-1152736b7984 + version: -1 + name: Engage with User + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "12" + separatecontext: false + view: |- + { + "position": { + "x": 1022.5, + "y": 355 + } + } + note: false + "22": + id: "22" + taskid: ca065734-ff0b-4d84-8bfe-a93298bd34ab + type: playbook + task: + id: ca065734-ff0b-4d84-8bfe-a93298bd34ab + version: -1 + name: Detonate File - Generic + description: "" + playbookName: Detonate File - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + separatecontext: true + view: |- + { + "position": { + "x": 592.5, + "y": 690 + } + } + note: false + "25": + id: "25" + taskid: fb79a97c-7e8d-4004-8a89-4297f9d0a9cf + type: playbook + task: + id: fb79a97c-7e8d-4004-8a89-4297f9d0a9cf + version: -1 + name: Entity Enrichment - Generic + description: "" + playbookName: Entity Enrichment - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + separatecontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 690 + } + } + note: false + "26": + id: "26" + taskid: 2cf1ade0-ab88-4dfd-819e-c134627edaf7 + type: playbook + task: + id: 2cf1ade0-ab88-4dfd-819e-c134627edaf7 + version: -1 + name: Process Email - Generic + description: "" + playbookName: Process Email - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "35" + - "22" + separatecontext: true + view: |- + { + "position": { + "x": 377.5, + "y": 340 + } + } + note: false + "27": + id: "27" + taskid: 
d73d68a4-dff2-4cae-8645-972f9c328444 + type: title + task: + id: d73d68a4-dff2-4cae-8645-972f9c328444 + version: -1 + name: Remediate + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "34" + - "36" + - "37" + separatecontext: false + view: |- + { + "position": { + "x": 807.5, + "y": 2205 + } + } + note: false + "28": + id: "28" + taskid: 6cc94de8-1f6c-4832-805b-43ec888fcf1b + type: playbook + task: + id: 6cc94de8-1f6c-4832-805b-43ec888fcf1b + version: -1 + name: Search And Delete Emails - Generic + description: "" + playbookName: Search And Delete Emails - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + separatecontext: true + view: |- + { + "position": { + "x": 910, + "y": 2525 + } + } + note: false + "29": + id: "29" + taskid: e9a74030-baa8-43f9-8c35-54f8ae2d6b7b + type: title + task: + id: e9a74030-baa8-43f9-8c35-54f8ae2d6b7b + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 695, + "y": 2875 + } + } + note: false + "30": + id: "30" + taskid: 824c86e1-14a5-42cf-8516-e5f893558f09 + type: title + task: + id: 824c86e1-14a5-42cf-8516-e5f893558f09 + version: -1 + name: Malicious + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "17" + separatecontext: false + view: |- + { + "position": { + "x": 807.5, + "y": 1885 + } + } + note: false + "31": + id: "31" + taskid: 717e858d-5696-441b-8ff2-30f798cea618 + type: title + task: + id: 717e858d-5696-441b-8ff2-30f798cea618 + version: -1 + name: Undetermined + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + separatecontext: false + view: |- + { + "position": { + "x": 60, + "y": 1390 + } + } + note: false + "33": + id: "33" + taskid: f59a91ed-b686-4133-8f23-13338cff2d6e + type: condition + task: + id: f59a91ed-b686-4133-8f23-13338cff2d6e + version: -1 + 
name: Is the email malicious? + description: Is the email that the user reported malicious? + type: condition + iscommand: false + brand: "" + nexttasks: + "No": + - "16" + "yes": + - "30" + separatecontext: false + view: |- + { + "position": { + "x": 60, + "y": 1710 + } + } + note: false + "34": + id: "34" + taskid: 17f0be59-6aff-4f12-829a-395597295427 + type: regular + task: + id: 17f0be59-6aff-4f12-829a-395597295427 + version: -1 + name: Manually remediate the incident + description: "Consider the following:\n1. Search for and delete similar emails\n2. + Inform the organization about the threat\n3. Hunt the relevant IOCs\n4. Update + proxies and firewalls as necessary\n5. Block the malicious sender/ domain + in the mail-gateway " + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + separatecontext: false + view: |- + { + "position": { + "x": 460, + "y": 2360 + } + } + note: false + "35": + id: "35" + taskid: 524a2856-34ef-4752-862d-90daa98875ee + type: playbook + task: + id: 524a2856-34ef-4752-862d-90daa98875ee + version: -1 + name: Extract Indicators From File - Generic + description: "" + playbookName: Extract Indicators From File - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "25" + separatecontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 515 + } + } + note: false + "36": + id: "36" + taskid: 9aff5a75-b7eb-410a-8751-6cc749dc9df5 + type: condition + task: + id: 9aff5a75-b7eb-410a-8751-6cc749dc9df5 + version: -1 + name: Execute the "Search and Delete" sub-playbook? + description: Verify that the "Search and Delete" parameter is set to "True"? 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "28" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: inputs.SearchAndDelete + filters: + - - operator: isEqualString + left: + value: + simple: inputs.SearchAndDelete + iscontext: true + right: + value: + simple: "True" + ignorecase: true + iscontext: true + view: |- + { + "position": { + "x": 910, + "y": 2360 + } + } + note: false + "37": + id: "37" + taskid: 8277280f-0c19-4d99-85c9-39e19f60bc0d + type: condition + task: + id: 8277280f-0c19-4d99-85c9-39e19f60bc0d + version: -1 + name: Execute the "Block Indicators" sub-playbook? + description: Verify that the "Block indicators" parameter is set to "True"? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "38" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: inputs.BlockIndicators + filters: + - - operator: isEqualString + left: + value: + simple: inputs.BlockIndicators + iscontext: true + right: + value: + simple: "True" + ignorecase: true + iscontext: true + view: |- + { + "position": { + "x": 1350, + "y": 2360 + } + } + note: false + "38": + id: "38" + taskid: 2198ea9b-926d-4f25-829e-39c390771dfb + type: playbook + task: + id: 2198ea9b-926d-4f25-829e-39c390771dfb + version: -1 + name: Block Indicators - Generic + description: "" + playbookName: Block Indicators - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + separatecontext: true + view: |- + { + "position": { + "x": 1350, + "y": 2525 + } + } + note: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 2890, + "width": 1670, + "x": 60, + "y": 50 + } + } + } +inputs: +- key: Role + value: + simple: Administrator + required: true + description: The default role to assign the 
incident to. +- key: SearchAndDelete + value: + simple: "False" + required: false + description: |- + Enable the "Search and Delete" capability (can be either "True" or "False"). + In case of a malicious email, the "Search and Delete" sub-playbook will look for other instances of the email and delete them pending analyst approval. +- key: BlockIndicators + value: + simple: "False" + required: false + description: |- + Enable the "Block Indicators" capability (can be either "True" or "False"). + In case of a malicious email, the "Block Indicators" sub-playbook will block all malicious indicators in the relevant integrations. +outputs: [] +releaseNotes: "Updated yml so that playbook is supported up to 4.0.9 including." +tests: +- Phishing test - attachment +- Phishing test - Inline \ No newline at end of file diff --git a/Scripts/script-ChangeRemediationSLAOnSevChange.yml b/Scripts/script-ChangeRemediationSLAOnSevChange.yml new file mode 100644 index 000000000000..13516f433030 --- /dev/null +++ b/Scripts/script-ChangeRemediationSLAOnSevChange.yml 
@@ -0,0 +1,77 @@ +fromversion: 4.1.0 +commonfields: + id: changeremediationslaonsevchange + version: -1 +name: ChangeRemediationSLAOnSevChange +script: | + import datetime + + # ##### Help ##### + # This is an example script. The script is used to change the Remediation SLA of an incident, when the severity of the incident changes for any reason. Please copy this script and make changes to your liking. + # The Configuration section is there to help you easily configure the script with your desired SLAs. + + # The CRITICAL_SLA field defines the number of minutes that you would want an incident with critical severity to have, in its Remediation SLA field. + # The NONCRITICAL_SLA field defines the number of days that you would want an incident with non-critical severity to have, in its Remediation SLA field. + # The NONCRITICAL_SLA field can also be configured in minutes if you want. + + # Note that the SLA can be set with a number that represents minutes instead of days, like so: demisto.executeCommand("setIncident",{'sla': 30, "slaField":"remediationsla"}) + # but it can also be set with a number that represents a complete date and time structure, like so: demisto.executeCommand("setIncident",{'sla': 2018-12-26T12:10:24Z, "slaField":"remediationsla"}) + # To get the date+time structure, you can use timedelta, like so: newsla = now + datetime.timedelta(days=2) + # then, you would use this to convert it to the date+time structure that can be passed to the SLA field: newsla = newsla.strftime('%Y-%m-%dT%H:%M:%S+00:00') + + # Since this script is to be triggered by a change of a field, you may want to make use of the changes to the field in your script. + # For example, in this case, when the severity of an incident is changed, we want to check if it is now critical, or not. We do this by using demisto.args()['new'], to get the new value of the severity. 
+ # The field changes can be obtained in the following way: + # The name of the triggered field is in: demisto.args()['name'] + # The field's old value is in: demisto.args()['old'] + # The field's new value is in: demisto.args()['new'] + # To print the whole argument structure, use this: demisto.results(demisto.args()) + + + # ##### Configuration ##### + CRITICAL_SLA = 60 # In minutes + NONCRITICAL_SLA = 6 # In days + + # ##### Logic ##### + args_sev = demisto.args().get('new') + now = datetime.datetime.utcnow() + + if args_sev == 'Critical': + demisto.log('Severity changed to Critical') + demisto.executeCommand("setIncident",{'sla': CRITICAL_SLA, "slaField":"remediationsla"}) + + else: + demisto.log('Severity changed to Not Critical' ) + newsla = now + datetime.timedelta(days=NONCRITICAL_SLA) + newsla = newsla.strftime('%Y-%m-%dT%H:%M:%S+00:00') + demisto.executeCommand("setIncident",{'sla': newsla, "slaField":"remediationsla"}) +type: python +tags: +- field-change-triggered +- example +comment: |- + Changes the remediation SLA once a change in incident severity occurs. + This is done automatically and the changes can be configured to your needs. +enabled: true +args: +- name: old + auto: PREDEFINED + predefined: + - Low + - Medium + - High + - Critical + description: The old value of the field that was changed. +- name: new + auto: PREDEFINED + predefined: + - Low + - Medium + - High + - Critical + description: The new value of the field that was changed. +scripttarget: 0 +runonce: false +runas: DBotRole +tests: + - SLA Scripts - Test \ No newline at end of file diff --git a/Scripts/script-StopTimeToAssignOnOwnerChange.yml b/Scripts/script-StopTimeToAssignOnOwnerChange.yml new file mode 100644 index 000000000000..e83528a4052f --- /dev/null +++ b/Scripts/script-StopTimeToAssignOnOwnerChange.yml 
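Review bot: The script is declared `runas: DBotRole` while the sibling field-change script in this commit (`StopTimeToAssignOnOwnerChange`) uses `DBotWeakRole`; the only call here is `setIncident` on the incident that triggered it, so for something that fires automatically on every severity change the least-privilege choice is `runas: DBotWeakRole` unless writing an SLA field is known to require more. The logic never checks `demisto.args().get('name')` and treats any value other than `'Critical'` — including an absent or empty `new` — as non-critical, silently resetting the SLA to six days, so guarding the body with a field-name check (the comment says the name is in `demisto.args()['name']`; confirm the exact value for severity) and an explicit branch for a missing `new` would make misattachment fail loudly instead of rewriting SLAs. Neither `executeCommand` result is inspected with `isError`, so a failed `setIncident` goes unnoticed. Minor: the help example `{'sla': 2018-12-26T12:10:24Z, "slaField":"remediationsla"}` is not valid Python — the timestamp needs quoting, `{'sla': '2018-12-26T12:10:24Z', "slaField": "remediationsla"}`.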
@@ -0,0 +1,29 @@
+fromversion: 4.1.0
+commonfields:
+  id: stoptimetoassignonownerchange
+  version: -1
+name: StopTimeToAssignOnOwnerChange
+script: |
+  # ##### Help #####
+  # This is an example script. The script is used to stop the Time to Assignment SLA field, once an owner was set to an incident.
+  # If you want to use this script, you should go to the Time to Assignment SLA field, and set this script as the script to run upon change of field value.
+
+  if not demisto.args().get('old') and demisto.args().get('new'): # If owner was no-one and is now someone:
+    demisto.executeCommand("stopTimer", {"timerField":"timetoassignment"})
+    demisto.results("Assignment of the incident was successful and so the Time To Assignment timer has been stopped.")
+type: python
+tags:
+- field-change-triggered
+- example
+comment: Stops the "Time To Assign" timer if the owner of the incident was changed.
+enabled: true
+args:
+- name: old
+  description: The old value of the changed field
+- name: new
+  description: The new value of the changed field
+scripttarget: 0
+runonce: false
+runas: DBotWeakRole
+tests:
+  - SLA Scripts - Test
\ No newline at end of file
diff --git a/TestPlaybooks/playbook-SLA_Scripts_-_Test.yml b/TestPlaybooks/playbook-SLA_Scripts_-_Test.yml
new file mode 100644
index 000000000000..7491d8732ba9
--- /dev/null
+++ b/TestPlaybooks/playbook-SLA_Scripts_-_Test.yml
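Review bot: The `demisto.results("Assignment of the incident was successful and so the Time To Assignment timer has been stopped.")` line reports success unconditionally — the return value of the `demisto.executeCommand("stopTimer", ...)` call just above it is never inspected, so a failed stop (field not configured as a timer, or a permission refusal under `DBotWeakRole`) is still logged as stopped. Assign the result and check it before printing, e.g. `res = demisto.executeCommand("stopTimer", {"timerField": "timetoassignment"})` and `if isError(res[0]): return_error(res[0]['Contents'])`, assuming the CommonServerPython helpers are available here as in other content scripts. The `if not demisto.args().get('old') and demisto.args().get('new')` guard deliberately ignores a reassignment between two owners; a short comment saying so (`# reassignment old->new is ignored: the timer was already stopped on first assignment`) would stop a future reader from treating it as a bug.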
@@ -0,0 +1,568 @@ +id: SLA Scripts - Test +version: -1 +name: SLA Scripts - Test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 809ca330-f7be-4239-8b97-6ac5fa5ca98d + type: start + task: + id: 809ca330-f7be-4239-8b97-6ac5fa5ca98d + version: -1 + name: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + separatecontext: false + view: |- + { + "position": { + "x": 430, + "y": -90 + } + } + note: false + timertriggers: [] + "1": + id: "1" + taskid: cc737177-04cc-4c7f-8e30-c46494ba1989 + type: title + task: + id: cc737177-04cc-4c7f-8e30-c46494ba1989 + version: -1 + name: Change Remediation SLA On Severity Change + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 410 + } + } + note: false + timertriggers: [] + "2": + id: "2" + taskid: d8750391-b43c-4a77-8d09-d48ecc4ec7f3 + type: regular + task: + id: d8750391-b43c-4a77-8d09-d48ecc4ec7f3 + version: -1 + name: Run script to update dueDate + description: Runs a script that should change the Remediation SLA because of + a severity change. This also injects input to the script, that will make it + believe the severity was changed. + scriptName: ChangeRemediationSLAOnSevChange + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + new: + simple: Critical + old: {} + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 1050 + } + } + note: false + timertriggers: [] + "3": + id: "3" + taskid: 7a9560eb-92e0-4918-8ceb-8c3b1e7d4a83 + type: regular + task: + id: 7a9560eb-92e0-4918-8ceb-8c3b1e7d4a83 + version: -1 + name: Store old dueDate + description: Stores the old dueDate to later compare it with the new one and + see if there were any changes. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + append: {} + key: + simple: temp.remediationsla.dueDate + value: + complex: + root: incident + accessor: remediationsla.dueDate + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 890 + } + } + note: false + timertriggers: [] + "4": + id: "4" + taskid: acc48387-b242-44c3-8d52-6104832da674 + type: condition + task: + id: acc48387-b242-44c3-8d52-6104832da674 + version: -1 + name: Is dueDate still the same? + description: Checks if the dueDate is the same as it was before running the + script that was supposed to change it. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "5" + Same: + - "6" + separatecontext: false + conditions: + - label: Same + condition: + - - operator: isSame + left: + value: + complex: + root: temp + accessor: remediationsla.dueDate + iscontext: true + right: + value: + simple: incident.remediationsla.dueDate + iscontext: true + view: |- + { + "position": { + "x": -10, + "y": 1290 + } + } + note: false + timertriggers: [] + "5": + id: "5" + taskid: d167197d-ed08-4be5-85fe-18d658e4ae0d + type: title + task: + id: d167197d-ed08-4be5-85fe-18d658e4ae0d + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 420, + "y": 1630 + } + } + note: false + timertriggers: [] + "6": + id: "6" + taskid: c8281c3f-6602-4f60-82d3-41902c7c5068 + type: regular + task: + id: c8281c3f-6602-4f60-82d3-41902c7c5068 + version: -1 + name: Raise error + description: Raises an error in case the timer hasn't stopped. 
+ scriptName: PrintErrorEntry + type: regular + iscommand: false + brand: "" + scriptarguments: + message: + complex: + root: incident + accessor: remediationsla.dueDate + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": -90, + "y": 1600 + } + } + note: false + timertriggers: [] + "7": + id: "7" + taskid: 16bab12b-0653-488e-8fca-ad7b871e1b05 + type: regular + task: + id: 16bab12b-0653-488e-8fca-ad7b871e1b05 + version: -1 + name: Start Remediation SLA timer + description: Starts the Remediation SLA timer. + script: Builtin|||startTimer + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "9" + scriptarguments: + incidentId: {} + timerField: + simple: remediationsla + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 530 + } + } + note: false + timertriggers: [] + "8": + id: "8" + taskid: 78b27df7-2596-4237-8836-acd49b9e8e89 + type: regular + task: + id: 78b27df7-2596-4237-8836-acd49b9e8e89 + version: -1 + name: Delete context + description: "Deletes the current context," + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "19" + - "11" + scriptarguments: + all: + simple: "yes" + index: {} + key: {} + keysToKeep: {} + subplaybook: {} + separatecontext: false + view: |- + { + "position": { + "x": 430, + "y": 50 + } + } + note: false + timertriggers: [] + "9": + id: "9" + taskid: 8668d05c-4309-47b7-8204-2865a43f6f08 + type: regular + task: + id: 8668d05c-4309-47b7-8204-2865a43f6f08 + version: -1 + name: Set remediation SLA to 444 + description: Sets the remediation SLA to 444 (dueDate should be in 444 minutes + from now), so that the field becomes SLA and not a timer. Making remediation + SLA an SLA field, means that the dueDate won't be changing every second. By + making dueDate static, we can isolate changes to our script only, and check + if our script caused the dueDate to change (and not something else). 
+ script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "3" + scriptarguments: + addLabels: {} + customFields: {} + deleteEmptyField: {} + details: {} + id: {} + labels: {} + name: {} + occurred: {} + owner: {} + phase: {} + replacePlaybook: {} + roles: {} + severity: {} + sla: + simple: "444" + slaField: + simple: remediationsla + systems: {} + type: {} + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 715 + } + } + note: false + timertriggers: [] + "11": + id: "11" + taskid: cd2b5ffa-490f-4949-8a45-7680c78197f5 + type: regular + task: + id: cd2b5ffa-490f-4949-8a45-7680c78197f5 + version: -1 + name: Reset Remediation SLA + description: Resets the Remediation SLA timer to allow re-running the playbook + if needed. + script: Builtin|||resetTimer + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "1" + scriptarguments: + all: {} + incidentId: {} + timerField: + simple: remediationsla + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": -10, + "y": 270 + } + } + note: false + timertriggers: [] + "12": + id: "12" + taskid: cf0b91a9-88d1-4bdd-8dba-b9b4ff862a48 + type: title + task: + id: cf0b91a9-88d1-4bdd-8dba-b9b4ff862a48 + version: -1 + name: Stop Time to Assignment On Owner Change + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "13" + separatecontext: false + view: |- + { + "position": { + "x": 840, + "y": 410 + } + } + note: false + timertriggers: [] + "13": + id: "13" + taskid: a079e54b-0859-4c64-826d-1c3ce3760dd5 + type: regular + task: + id: a079e54b-0859-4c64-826d-1c3ce3760dd5 + version: -1 + name: Start Time to Assignment timer + description: Starts the Time to Assignment timer. 
+ script: Builtin|||startTimer + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "14" + scriptarguments: + incidentId: {} + timerField: + simple: timetoassignment + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 840, + "y": 715 + } + } + note: false + timertriggers: [] + "14": + id: "14" + taskid: 5a133461-2514-4e13-81af-c9f3f0fe3f5a + type: regular + task: + id: 5a133461-2514-4e13-81af-c9f3f0fe3f5a + version: -1 + name: Run script with new owner + description: Runs StopTimeToAssignOnOwnerChange script, with a new owner as + an argument. This should stop the Time to Assignment timer. + scriptName: StopTimeToAssignOnOwnerChange + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "20" + scriptarguments: + new: + simple: gever + old: {} + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 840, + "y": 1050 + } + } + note: false + timertriggers: [] + "18": + id: "18" + taskid: e4e242c6-ac8b-4acf-89b1-be36dc144fe3 + type: regular + task: + id: e4e242c6-ac8b-4acf-89b1-be36dc144fe3 + version: -1 + name: Raise error + description: Raises an error in case the timer hasn't stopped. + scriptName: PrintErrorEntry + type: regular + iscommand: false + brand: "" + scriptarguments: + message: + complex: + root: incident + accessor: remediationsla.dueDate + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 910, + "y": 1600 + } + } + note: false + timertriggers: [] + "19": + id: "19" + taskid: 9d39054a-2531-43f6-88bf-9905679d82ad + type: regular + task: + id: 9d39054a-2531-43f6-88bf-9905679d82ad + version: -1 + name: Reset Time to Assignment + description: Resets the Time to Assignment timer to allow re-running the playbook + if needed. 
+ script: Builtin|||resetTimer + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "12" + scriptarguments: + all: {} + incidentId: {} + timerField: + simple: timetoassignment + reputationcalc: 1 + separatecontext: false + view: |- + { + "position": { + "x": 840, + "y": 270 + } + } + note: false + timertriggers: [] + "20": + id: "20" + taskid: 07d0aefa-728b-4ac4-8136-89a8ed6c4c5f + type: condition + task: + id: 07d0aefa-728b-4ac4-8136-89a8ed6c4c5f + version: -1 + name: Has Time to Assignment timer been stopped? + description: Checks whether Time to Assignment timer was stopped by our script. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "18" + "yes": + - "5" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: incident + accessor: timetoassignment.runStatus + iscontext: true + right: + value: + simple: ended + view: |- + { + "position": { + "x": 840, + "y": 1290 + } + } + note: false + timertriggers: [] +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1785, + "width": 1380, + "x": -90, + "y": -90 + } + } + } +inputs: [] +outputs: [] diff --git a/Tests/conf.json b/Tests/conf.json index 487b8f8e3ab0..7d64668d4562 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -909,6 +909,9 @@ { "integrations": "duo", "playbookID": "DUO Test Playbook" + }, + { + "playbookID": "SLA Scripts - Test" } ], "skipped_tests": { diff --git a/Tests/id_set.json b/Tests/id_set.json index e875cdaf65cd..6ef53632a4ae 100644 --- a/Tests/id_set.json +++ b/Tests/id_set.json 
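Review bot: Task "18" (the `Raise error` task on the Time to Assignment branch) prints `incident` / `remediationsla.dueDate` as its message, which is the field from the other branch; the condition it follows (task "20") checks `incident.timetoassignment.runStatus`, so the error entry should report that accessor (`accessor: timetoassignment.runStatus`) or a failure there is undiagnosable. Task "6"'s description `Raises an error in case the timer hasn't stopped.` is likewise copied from the assignment branch — it fires when the Remediation SLA dueDate did not change, so say that. The playbook declares no `fromversion` although both scripts it runs and the timer/SLA built-ins are `fromversion: 4.1.0`; adding `fromversion: 4.1.0` at the top keeps this test from being scheduled against older instances. Task "8"'s description `Deletes the current context,` has a stray trailing comma.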
@@ -1,5 +1,29 @@ { "scripts": [ + { + "changeremediationslaonsevchange": { + "name": "ChangeRemediationSLAOnSevChange", + "fromversion": "4.1.0", + "script_executions": [ + "setIncident" + ], + "tests": [ + "SLA Scripts - Test" + ] + } + }, + { + "stoptimetoassignonownerchange": { + "name": "StopTimeToAssignOnOwnerChange", + "fromversion": "4.1.0", + "script_executions": [ + "stopTimer" + ], + "tests": [ + "SLA Scripts - Test" + ] + } + }, { "AwsStopInstance": { "name": "AwsStopInstance", @@ -4723,6 +4747,35 @@ } ], "playbooks": [ + { + "Phishing Investigation - Generic": { + "name": "Phishing Investigation - Generic", + "fromversion": "4.1.0", + "implementing_scripts": [ + "AssignAnalystToIncident", + "Set", + "SendEmail" + ], + "implementing_playbooks": [ + "Search And Delete Emails - Generic", + "Detonate File - Generic", + "Extract Indicators From File - Generic", + "Entity Enrichment - Generic", + "Process Email - Generic", + "Block Indicators - Generic", + "Email Address Enrichment - Generic", + "Calculate Severity - Generic" + ], + "implementing_commands": [ + "closeInvestigation", + "send-mail" + ], + "tests": [ + "Phishing test - attachment", + "Phishing test - Inline" + ] + } + }, { "search_and_delete_emails_-_generic": { "name": "Search And Delete Emails - Generic", @@ -5945,7 +5998,8 @@ { "Phishing Investigation - Generic": { "name": "Phishing Investigation - Generic", - "fromversion": 4.0, + "toversion": "4.0.9", + "fromversion": "4.0.0", "implementing_scripts": [ "AssignAnalystToIncident", "Set", @@ -15029,6 +15083,23 @@ "symantec-mss-get-incident" ] } + }, + { + "SLA Scripts - Test": { + "name": "SLA Scripts - Test", + "implementing_scripts": [ + "StopTimeToAssignOnOwnerChange", + "ChangeRemediationSLAOnSevChange", + "Set", + "PrintErrorEntry", + "DeleteContext" + ], + "implementing_commands": [ + "setIncident", + "startTimer", + "resetTimer" + ] + } } ] } \ No newline at end of file 
diff --git a/Tests/schemas/incidentfields.yml b/Tests/schemas/incidentfields.yml index a86de1405873..74d553b1636f 100644 --- a/Tests/schemas/incidentfields.yml +++ b/Tests/schemas/incidentfields.yml @@ -64,6 +64,18 @@ schema;field_schema: type: number hidden: type: bool + columns: + type: any + defaultRows: + type: any + threshold: + type: number + sla: + type: number + caseInsensitive: + type: bool + breachScript: + type: str associatedTypes: type: any systemAssociatedTypes: diff --git a/Tests/schemas/playbook.yml b/Tests/schemas/playbook.yml index a44d4e8d03c5..325e0279e476 100644 --- a/Tests/schemas/playbook.yml +++ b/Tests/schemas/playbook.yml @@ -234,7 +234,7 @@ schema;arg_filter_schema: schema;timertriggers_schema: type: map mapping: - fieldName: + fieldname: type: str action: type: str \ No newline at end of file diff --git a/Widgets/widget-DetectionSLABySLAStatus.json b/Widgets/widget-DetectionSLABySLAStatus.json new file mode 100644 index 000000000000..66275244c421 --- /dev/null +++ b/Widgets/widget-DetectionSLABySLAStatus.json @@ -0,0 +1,27 @@ +{ + "id": "detection-sla-by-status", + "version": -1, + "fromVersion": "4.1.0", + "name": "Detection SLA by Status", + "dataType": "incidents", + "widgetType": "pie", + "query": "-category:job and -detectionsla.runStatus:idle", + "isPredefined": true, + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + } + }, + "params":{ + "groupBy":[ + "detectionsla.slaStatus" + ] + }, + "description": "The detection SLA status of all incidents that their severity was determined. The widget takes into account incidents from the last 30 days by default, and inherits new time range when the dashboard time changes." +} \ No newline at end of file diff --git a/Widgets/widget-MeanTimeToDetection.json b/Widgets/widget-MeanTimeToDetection.json new file mode 100644 index 000000000000..80dc04ca5b7c 
--- /dev/null +++ b/Widgets/widget-MeanTimeToDetection.json @@ -0,0 +1,27 @@ +{ + "id": "mean-time-to-detection", + "version": -1, + "fromVersion": "4.1", + "name": "Mean Time to Detection", + "dataType": "incidents", + "widgetType": "duration", + "query": "-category:job and detectionsla.runStatus:ended", + "isPredefined": true, + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + } + }, + "params": { + "keys": [ + "avg|detectionsla.totalDuration" + ] + }, + "description": "The mean time (average time) to detection across all incidents that their severity was determined. The widget takes into account incidents from the last 30 days by default." +} \ No newline at end of file diff --git a/Widgets/widget-MttdByType.json b/Widgets/widget-MttdByType.json new file mode 100644 index 000000000000..b428685a541e --- /dev/null +++ b/Widgets/widget-MttdByType.json @@ -0,0 +1,26 @@ +{ + "id":"mttd-by-type", + "version":-1, + "fromVersion":"4.1", + "name":"MTTD by Type", + "dataType":"incidents", + "widgetType":"line", + "query":"-category:job and detectionsla.runStatus:ended", + "isPredefined":true, + "dateRange":{ + "fromDate":"0001-01-01T00:00:00Z", + "toDate":"0001-01-01T00:00:00Z", + "period":{ + "byTo":"", + "byFrom":"days", + "toValue":null, + "fromValue":7, + "field":"" + } + }, + "params":{ + "keys":["avg|detectionsla.totalDuration / 3600"], + "groupBy" : ["occurred(d)", "type"] + }, + "description": "A widget that shows the Mean Time to Detection, by incident type." +} \ No newline at end of file diff --git a/Widgets/widget-MttrByType.json b/Widgets/widget-MttrByType.json index ad70a935429c..ed43e41a60fd 100644 --- a/Widgets/widget-MttrByType.json +++ b/Widgets/widget-MttrByType.json 
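Review bot: `"fromVersion": "4.1"` differs from the `"4.1.0"` form used by the sibling widget-DetectionSLABySLAStatus.json, the SLA dashboard and both new scripts in this change; unless the server is known to normalise the two forms, mixed formats make version gating inconsistent, so use `"fromVersion": "4.1.0"` here as well.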
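Review bot: The key `avg|detectionsla.totalDuration / 3600` presumably converts a seconds duration into hours, but the description `A widget that shows the Mean Time to Detection, by incident type.` does not state the unit, and the sibling Mean Time to Detection widget renders the same field as a `duration`, so a reader of the line chart cannot tell what the axis means. Suggest `"description": "Mean Time to Detection in hours, per day, by incident type (last 7 days by default)."`. `"fromVersion": "4.1"` also differs from the `"4.1.0"` form used by the other new content in this change.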
@@ -19,8 +19,9 @@ } }, "params":{ - "keys":["avg|openDuration / (3600*24)"], + "keys":["avg|openDuration / 3600"], "groupBy" : ["occurred(d)", "type"] }, - "description": "" -} + "description": "Shows changes in Mean Time to Resolution, over time, while differentiating between incident types.", + "releaseNotes": "MTTR now also in timeline widget" +} \ No newline at end of file diff --git a/Widgets/widget-RemediationSLABySlaStatus.json b/Widgets/widget-RemediationSLABySlaStatus.json new file mode 100644 index 000000000000..e8e270976d39 --- /dev/null +++ b/Widgets/widget-RemediationSLABySlaStatus.json @@ -0,0 +1,27 @@ +{ + "id": "remediation-sla-by-status", + "version": -1, + "fromVersion": "4.1", + "name": "Remediation SLA by Status", + "dataType": "incidents", + "widgetType": "pie", + "query": "-category:job and -remediationsla.runStatus:idle", + "isPredefined": true, + "dateRange": { + "fromDate": "0001-01-01T00:00:00Z", + "toDate": "0001-01-01T00:00:00Z", + "period": { + "byTo": "", + "byFrom": "days", + "toValue": null, + "fromValue": 30, + "field": "" + } + }, + "params":{ + "groupBy":[ + "remediationsla.slaStatus" + ] + }, + "description": "The remediation SLA status of all incidents that started a remediation process. The widget takes into account incidents from the last 30 days by default, and inherits new time range when the dashboard time changes." +} \ No newline at end of file diff --git a/release_notes.py b/release_notes.py index b6fc8a1a3a88..40553a716608 100644 --- a/release_notes.py +++ b/release_notes.py @@ -17,6 +17,7 @@ "details": "Summary", "edit": "New/Edit", "close": "Close", + "quickView": "Quick View", } INTEGRATIONS_DIR = "Integrations"
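Review bot: Changing `keys` from `avg|openDuration / (3600*24)` to `avg|openDuration / 3600` switches the plotted unit from days to hours, but the added `"releaseNotes": "MTTR now also in timeline widget"` does not mention it, so anyone comparing with the previous widget will see values 24x larger with no explanation. State the change, e.g. `"releaseNotes": "MTTR by Type now plots hours instead of days."`, and put the unit in the new description as well (`... Mean Time to Resolution (in hours), over time ...`).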
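Review bot: `"fromVersion": "4.1"` differs from the `"4.1.0"` form used by widget-DetectionSLABySLAStatus.json, the SLA dashboard and the new scripts; unless the server is known to treat the two as equal, use `"fromVersion": "4.1.0"` so all SLA content is gated the same way.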