Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

T1059 command and scripting xsiam fix #34049

Merged
merged 12 commits into from
Apr 24, 2024
Merged

T1059 command and scripting xsiam fix #34049

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
c7d6694
added a new conditional task
OmriItzhak Apr 18, 2024
a09c168
RN and task description
OmriItzhak Apr 18, 2024
08938f1
Merged master into current branch.
Apr 18, 2024
9b70897
Bump pack from version Core to 3.0.26.
Apr 18, 2024
5690d0d
change the task location
OmriItzhak Apr 18, 2024
9ca6968
Merge branch 'T1059-command-and-scripting-XSIAM---Fix' of github.com:…
OmriItzhak Apr 18, 2024
ba4723f
added task description
OmriItzhak Apr 21, 2024
52142b0
Merge branch 'master' into T1059-command-and-scripting-XSIAM---Fix
OmriItzhak Apr 21, 2024
f3f9428
validation error fix
OmriItzhak Apr 21, 2024
3f4fa4f
Merge branch 'T1059-command-and-scripting-XSIAM---Fix' of github.com:…
OmriItzhak Apr 21, 2024
8f7bcb1
Merged master into current branch.
Apr 24, 2024
a0af878
Bump pack from version Core to 3.0.27.
Apr 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 102 additions & 12 deletions Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ tasks:
{
"position": {
"x": 1140,
"y": -90
"y": -240
}
}
note: false
Expand Down Expand Up @@ -54,7 +54,7 @@ tasks:
{
"position": {
"x": 1140,
"y": 95
"y": -85
}
}
note: false
Expand Down Expand Up @@ -116,7 +116,7 @@ tasks:
{
"position": {
"x": 1140,
"y": 600
"y": 590
}
}
note: false
Expand Down Expand Up @@ -415,7 +415,7 @@ tasks:
{
"position": {
"x": 1140,
"y": 740
"y": 730
}
}
note: false
Expand Down Expand Up @@ -647,7 +647,7 @@ tasks:
{
"position": {
"x": 1140,
"y": 420
"y": 410
}
}
note: false
Expand Down Expand Up @@ -1146,7 +1146,7 @@ tasks:
brand: ""
nexttasks:
'#none#':
- "47"
- "61"
scriptarguments:
alert_ids:
complex:
Expand All @@ -1157,7 +1157,7 @@ tasks:
{
"position": {
"x": 1140,
"y": 230
"y": 50
}
}
note: false
Expand Down Expand Up @@ -1425,6 +1425,93 @@ tasks:
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"61":
id: "61"
taskid: 6c95fc1f-ffd0-4de4-818f-41e07987c215
type: condition
task:
id: 6c95fc1f-ffd0-4de4-818f-41e07987c215
version: -1
name: Is the CMD defined?
description: Checks the existence of the command line parameters.
type: condition
iscommand: false
brand: ""
nexttasks:
'#default#':
- "62"
"yes":
- "47"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: Core.DynamicAnalysis.internals.attributes.content
iscontext: true
- operator: isNotEmpty
left:
value:
simple: Core.DynamicAnalysis.internals.attributes.scriptblock_text
iscontext: true
- operator: isNotEmpty
left:
value:
simple: Core.DynamicAnalysis.internals.attributes.original_command_line
iscontext: true
- operator: isNotEmpty
left:
value:
simple: alert.targetprocesscmd
iscontext: true
continueonerrortype: ""
view: |-
{
"position": {
"x": 1140,
"y": 220
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
"62":
id: "62"
taskid: 77940295-f899-43d3-8b41-40fef01d6993
type: title
task:
id: 77940295-f899-43d3-8b41-40fef01d6993
version: -1
name: No CMD Parameters found
type: title
iscommand: false
brand: ""
description: ''
nexttasks:
'#none#':
- "29"
separatecontext: false
continueonerrortype: ""
view: |-
{
"position": {
"x": 170,
"y": 440
}
}
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
quietmode: 0
isoversize: false
isautoswitchedtoquietmode: false
view: |-
{
"linkLabelsPosition": {
Expand All @@ -1433,14 +1520,17 @@ view: |-
"28_43_yes": 0.43,
"34_29_#default#": 0.25,
"48_27_yes": 0.62,
"48_49_#default#": 0.47
"48_49_#default#": 0.47,
"56_16_#default#": 0.46,
"61_47_yes": 0.5,
"61_62_#default#": 0.52
},
"paper": {
"dimensions": {
"height": 4235,
"width": 1510,
"x": 450,
"y": -90
"height": 4385,
"width": 1790,
"x": 170,
"y": -240
}
}
}
Expand Down
6 changes: 6 additions & 0 deletions Packs/Core/ReleaseNotes/3_0_27.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@

#### Playbooks

##### T1059 - Command and Scripting Interpreter

Added a new conditional task to verify the existence of a command line parameter.
2 changes: 1 addition & 1 deletion Packs/Core/pack_metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
"name": "Core - Investigation and Response",
"description": "Automates incident response",
"support": "xsoar",
"currentVersion": "3.0.26",
"currentVersion": "3.0.27",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand Down
Loading