From 54092d53bce956546bcdc41bf875754b470d426a Mon Sep 17 00:00:00 2001 
From: xsoar-bot Date: Mon, 3 Mar 2025 15:23:11 +0000 Subject: [PATCH] "pack contribution initial commit" --- Packs/MISP-IndicatorSharing/.pack-ignore | 0 Packs/MISP-IndicatorSharing/.secrets-ignore | 0 .../incidentfield-CNCS_Classification.json | 43 + .../incidentfield-CNCS_Type.json | 73 + .../incidentfield-enisacode.json | 72 + ...-CNCS_-_Create_Incident_Classification.yml | 487 +++++ ...-_Create_Incident_Classification_README.md | 42 + ...laybook-CNCS_-_Incident_Classification.yml | 102 ++ ...k-CNCS_-_Incident_Classification_README.md | 37 + ...ENISA_-_Create_Incident_Classification.yml | 482 +++++ ...-_Create_Incident_Classification_README.md | 42 + ...aybook-ENISA_-_Incident_Classification.yml | 103 ++ ...-ENISA_-_Incident_Classification_README.md | 37 + ...-MISP_-_Add_Several_Tags_to_MISP_Event.yml | 214 +++ ...-_Add_Several_Tags_to_MISP_Event_README.md | 41 + ...aybook-MISP_-_Set_Attributes_to_Update.yml | 691 ++++++++ ...-MISP_-_Set_Attributes_to_Update_README.md | 46 + ...ok-Playbook_-_MISP_-_Indicator_Sharing.yml | 1577 +++++++++++++++++ ...ybook_-_MISP_-_Indicator_Sharing_README.md | 51 + Packs/MISP-IndicatorSharing/README.md | 0 .../MispSetClassification.py | 332 ++++ .../MispSetClassification.yml | 30 + .../Scripts/MispSetClassification/README.md | 25 + .../MispSetfileAtributes.py | 43 + .../MispSetfileAtributes.yml | 23 + .../Scripts/MispSetfileAtributes/README.md | 22 + .../MispSetmailAttributes.py | 53 + .../MispSetmailAttributes.yml | 31 + .../Scripts/MispSetmailAttributes/README.md | 31 + .../SetIncidentClassification/README.md | 26 + .../SetIncidentClassification.py | 345 ++++ .../SetIncidentClassification.yml | 33 + .../MISP-IndicatorSharing/pack_metadata.json | 21 + 33 files changed, 5155 insertions(+) create mode 100644 Packs/MISP-IndicatorSharing/.pack-ignore create mode 100644 Packs/MISP-IndicatorSharing/.secrets-ignore create mode 100644 Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Classification.json create mode 100644 
Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Type.json create mode 100644 Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-enisacode.json create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification_README.md create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification_README.md create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification_README.md create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification_README.md create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event_README.md create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update_README.md create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing.yml create mode 100644 Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing_README.md create mode 100644 Packs/MISP-IndicatorSharing/README.md create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.py create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.yml create mode 100644 
Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/README.md create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.py create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.yml create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/README.md create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.py create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.yml create mode 100644 Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/README.md create mode 100644 Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/README.md create mode 100644 Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.py create mode 100644 Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.yml create mode 100644 Packs/MISP-IndicatorSharing/pack_metadata.json diff --git a/Packs/MISP-IndicatorSharing/.pack-ignore b/Packs/MISP-IndicatorSharing/.pack-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/MISP-IndicatorSharing/.secrets-ignore b/Packs/MISP-IndicatorSharing/.secrets-ignore new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Classification.json b/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Classification.json new file mode 100644 index 000000000000..b08190859801 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Classification.json 
@@ -0,0 +1,43 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "cncsclassification",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_cncsclassification",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "CNCS_Classification",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "selectValues": [
+ "",
+ "Código Malicioso",
+ "Disponibilidade",
+ "Recolha de Informação",
+ "Intrusão",
+ "Tentativa de Intrusão",
+ "Segurança da Informação",
+ "Fraude",
+ "Conteúdo Abusivo",
+ "Vulnerabilidade",
+ "Outro"
+ ],
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "singleSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.0.0"
+}
\ No newline at end of file
diff --git a/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Type.json b/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Type.json
new file mode 100644
index 000000000000..cdf4a6ad3b46
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-CNCS_Type.json
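Review bot: The file ends without a trailing newline (`\ No newline at end of file` at the close of the hunk), and the same applies to incidentfield-CNCS_Type.json and incidentfield-enisacode.json in the next two hunks; adding a final newline keeps the three files POSIX-clean and stops every later edit from churning the closing `}` line. `"associatedToAll": true` together with `"propagationLabels": ["all"]` attaches this field to every incident type on the tenant once the pack is installed; if the CNCS taxonomy is only meaningful for the incident types that the MISP sharing playbooks in this pack handle, `"associatedToAll": false` with an explicit `"associatedTypes"` list would keep it off unrelated layouts. The leading `""` in `selectValues` is a blank option; if it is only there as the export default, a one-line note in the pack README saying so would save the next maintainer from treating it as a taxonomy value.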
@@ -0,0 +1,73 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "cncstype",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_cncstype",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "CNCS_Type",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "selectValues": [
+ "",
+ "Sistema Infetado",
+ "Distribuição de Malware",
+ "Servidor C2",
+ "Configuração de Malware",
+ "Negação de Serviço",
+ "Negação de Serviço Distribuída",
+ "Configuração incorreta",
+ "Sabotagem",
+ "Interrupção",
+ "Scanning",
+ "Sniffing",
+ "Engenharia Social",
+ "Comprometimento de Conta Privilegiada",
+ "Comprometimento de Conta Não Privilegiada",
+ "Comprometimento de Aplicação",
+ "Comprometimento de Sistema",
+ "Arrombamento",
+ "Exploração de Vulnerabilidade",
+ "Tentativa de Login",
+ "Nova assinatura de ataque",
+ "Acesso não autorizado",
+ "Modificação não autorizada",
+ "Perda de dados",
+ "Exfiltração de Informação",
+ "Utilização indevida ou não autorizada de recursos",
+ "Direitos de autor",
+ "Utilização ilegítima de nome de terceiros",
+ "Phishing",
+ "Spam",
+ "Discurso Nocivo",
+ "Exploração sexual de menores",
+ "racismo e apologia da violência",
+ "Criptografia fraca",
+ "Amplificador DDoS",
+ "Serviços acessíveis potencialmente indesejados",
+ "Revelação de informação",
+ "Sistema vulnerável",
+ "Sem tipo",
+ "Indeterminado",
+ "Teste"
+ ],
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "singleSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.0.0"
+}
\ No newline at end of file
diff --git a/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-enisacode.json b/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-enisacode.json
new file mode 100644
index 000000000000..979c5cd2284a
--- /dev/null
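Review bot: `selectValues` here lists 40 CNCS types while the `enisacode` field in the next hunk lists 39 `Category:Subcategory` values; the extra entry is `"racismo e apologia da violência"`, which splits ENISA's single `Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content` into two Portuguese types and is also the only value in the list not written in Title Case. If the MispSetClassification or SetIncidentClassification scripts in this commit translate between the two lists (their code is not in this view), a one-to-one assumption breaks at that entry. Either merge the two Portuguese entries into one, or document the intended many-to-one mapping next to whichever script performs it, and capitalize the value as `"Racismo e apologia da violência"` so it matches its neighbours.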
+++ b/Packs/MISP-IndicatorSharing/IncidentFields/incidentfield-enisacode.json 
@@ -0,0 +1,72 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "enisacode",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_enisacode",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "enisacode",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "selectValues": [
+ "",
+ "Malicious Code:Infected System",
+ "Malicious Code:Malware Distribution",
+ "Malicious Code:C2 Server",
+ "Malicious Code:Malware Configuration",
+ "Availability:Denial of Service",
+ "Availability:Distributed Denial of Service",
+ "Availability:Misconfiguration",
+ "Availability:Sabotage",
+ "Availability:Outage",
+ "Information Gathering:Scanning",
+ "Information Gathering:Sniffing",
+ "Information Gathering:Social Engineering",
+ "Intrusions:Privileged Account Compromise",
+ "Intrusions:Unprivileged Account Compromise",
+ "Intrusions:Application Compromise",
+ "Intrusions:System Compromise",
+ "Intrusions:Burglary",
+ "Intrusion Attempts:Exploitation of known Vulnerabilities",
+ "Intrusion Attempts:Login attempts",
+ "Intrusion Attempts:New attack signature",
+ "Information Content Security:Unauthorised access to information",
+ "Information Content Security:Unauthorised modification of information",
+ "Information Content Security:Data Loss",
+ "Information Content Security:Leak of confidential information",
+ "Fraud:Unauthorised use of resources",
+ "Fraud:Copyright",
+ "Fraud:Masquerade",
+ "Fraud:Phishing",
+ "Abusive Content:Spam",
+ "Abusive Content:Harmful Speech",
+ "Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content",
+ "Vulnerable:Weak crypto",
+ "Vulnerable:DDoS amplifier",
+ "Vulnerable:Potentially unwanted accessible services",
+ "Vulnerable:Information disclosure",
+ "Vulnerable:Vulnerable system",
+ "Other:Uncategorised",
+ "Other:Undetermined",
+ "Test:Test"
+ ],
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "singleSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.0.0"
+}
\ No newline at end of file
diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification.yml
new file mode 100644
index 000000000000..a66c01824c1d
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification.yml
@@ -0,0 +1,487 @@ +contentitemexportablefields: + contentitemfields: + propagationLabels: + - all +id: CNCS - Create Incident Classification +inputs: [] +name: CNCS - Create Incident Classification +outputs: +- contextPath: Exit + type: unknown +quiet: true +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ef5e563c-2071-4908-8186-47792118f6fe + iscommand: false + name: "" + version: -1 + description: '' + taskid: ef5e563c-2071-4908-8186-47792118f6fe + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + all: + simple: "yes" + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + id: b749ebfc-1b9e-40f6-8b7e-f5f53ecd0f1c + iscommand: false + name: Reset Previous Form + scriptName: DeleteContext + type: regular + version: -1 + taskid: b749ebfc-1b9e-40f6-8b7e-f5f53ecd0f1c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + org_type: + simple: pt_org + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 3d864e01-d4ee-40f9-87aa-fcb4de88e951 + iscommand: false + name: Fetch CNCS Classification Values + scriptName: set_incident_classification + type: regular + version: -1 + taskid: 3d864e01-d4ee-40f9-87aa-fcb4de88e951 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + "3": + continueonerrortype: "" + form: + description: "" + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Choose CNCS Classification + options: [] + optionsarg: + - {} + - complex: + root: IncidentClassification + placeholder: "" + readonly: false + required: true + tooltip: "" + type: singleSelect + sender: "" + title: Choose CNCS Classification + totalanswers: 0 + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 
716a2d63-5dc5-4fd0-8b08-25fb79a9bc65 + iscommand: false + name: Choose CNCS Classification + type: collection + version: -1 + taskid: 716a2d63-5dc5-4fd0-8b08-25fb79a9bc65 + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + classification: + simple: ${Choose CNCS Classification.Answers.0} + org_type: + simple: pt_org + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 72db8636-6a7b-431c-879c-dbd9a4341563 + iscommand: false + name: Fetch CNCS Classification Values + scriptName: set_incident_classification + type: regular + version: -1 + taskid: 72db8636-6a7b-431c-879c-dbd9a4341563 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 895 + } + } + "5": + continueonerrortype: "" + form: + description: "" + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Choose CNCS Type + options: [] + optionsarg: + - {} + - complex: + root: IncidentClassification + placeholder: "" + readonly: false + required: true + tooltip: "" + type: singleSelect + sender: "" + title: Choose CNCS Type + totalanswers: 0 + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6e9661bb-a48e-4dd3-8ed6-b588aa3b4625 + iscommand: false + name: Choose CNCS Type + type: collection + version: -1 + taskid: 6e9661bb-a48e-4dd3-8ed6-b588aa3b4625 + timertriggers: 
[] + type: collection + view: |- + { + "position": { + "x": 50, + "y": 1070 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "10" + "Yes": + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 085c8c52-cd37-4371-8b2e-7d24061c3591 + iscommand: false + name: Confirm The Chosen Values? + type: condition + version: -1 + taskid: 085c8c52-cd37-4371-8b2e-7d24061c3591 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 1245 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + cncsclassification: + simple: ${Choose CNCS Classification.Answers.0} + cncstype: + simple: ${Choose CNCS Type.Answers.0} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.set.incident + id: 5efe6d50-7079-4bbc-870f-f34a2e1753bc + iscommand: true + name: Set Incident Classification Fields + script: Builtin|||setIncident + type: regular + version: -1 + taskid: 5efe6d50-7079-4bbc-870f-f34a2e1753bc + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 162.5, + "y": 1420 + } + } + "9": + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + scriptarguments: + all: + simple: "no" + key: + simple: IncidentClassification + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + id: 471dd70f-73f5-42dd-8d58-b9f2a62d9e2c + iscommand: false + name: Delete Previous Automation Run + scriptName: DeleteContext + type: regular + version: -1 + taskid: 471dd70f-73f5-42dd-8d58-b9f2a62d9e2c + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 47f0cfc9-8fc1-4164-8b1d-d7f09addb8ab + iscommand: false + name: End + type: title + version: -1 + description: '' + taskid: 47f0cfc9-8fc1-4164-8b1d-d7f09addb8ab + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 1770 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: Exit + value: + simple: "True" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. + id: cedb9e88-6b1a-412d-8845-2433efb44bda + iscommand: false + name: Set Exit Value + scriptName: Set + type: regular + version: -1 + taskid: cedb9e88-6b1a-412d-8845-2433efb44bda + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 162.5, + "y": 1595 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1785, + "width": 492.5, + "x": 50, + "y": 50 + } + } + } +tests: +- No tests (auto formatted) +fromversion: 6.0.0 
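Review bot: Task `"1"` runs DeleteContext with `all: "yes"` as the first step, which erases the entire context of whatever playbook it executes in; that is contained here only because `CNCS - Incident Classification` invokes this sub-playbook with `separatecontext: true`, so running it standalone or from a non-separated caller would wipe incident context written by other playbooks. Resetting the previous form answers is the intent, so deleting only the keys this playbook owns, as task `"9"` already does with `all: "no"` and `key: IncidentClassification`, or stating the `separatecontext` requirement in the playbook `description`, would make that safe. Tasks `"2"` and `"4"` also share the name `Fetch CNCS Classification Values` although `"4"` passes `classification` and fetches the type list, so `name: Fetch CNCS Type Values` on task `"4"` would make the work-plan readable. The ENISA - Create Incident Classification hunk has the same two points (its tasks `"1"`, and `"2"`/`"6"` both named `Fetch Macro Enisa Classification`).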
diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification_README.md new file mode 100644 index 000000000000..9fb3e1ac0579 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Create_Incident_Classification_README.md @@ -0,0 +1,42 @@ + + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +This playbook does not use any integrations. + +### Scripts + +* set_incident_classification +* Set +* DeleteContext + +### Commands + +* setIncident + +## Playbook Inputs + +--- +There are no inputs for this playbook. + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| Exit | | unknown | + +## Playbook Image + +--- + +![CNCS - Create Incident Classification](../doc_files/CNCS_-_Create_Incident_Classification.png) diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification.yml new file mode 100644 index 000000000000..3a19cc13b2bd --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification.yml 
@@ -0,0 +1,102 @@ +contentitemexportablefields: + contentitemfields: + definitionid: '' + fromServerVersion: '' + itemVersion: '' + packID: 697f8e56-e615-42f7-8e9a-e8811531eba4 + packName: MISP - Indicator Sharing + prevname: '' + propagationLabels: + - all + toServerVersion: '' +description: 'This playbook helps organizations categorize the incidents according to the CNCS Incident Classification Taxonomy, enabling standardized communication and sharing of threat intelligence on a Local scale. ' +id: CNCS - Incident Classification +inputs: [] +name: CNCS - Incident Classification +outputs: [] +starttaskid: '0' +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 46143058-254c-4d56-883d-65e118ca0b45 + iscommand: false + name: '' + version: -1 + taskid: 46143058-254c-4d56-883d-65e118ca0b45 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: c48cabcd-11fb-4ac0-8a7b-91660389ece8 + iscommand: false + name: End + type: title + version: -1 + taskid: c48cabcd-11fb-4ac0-8a7b-91660389ece8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 370\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + builtincondition: + - - left: + iscontext: true + value: + simple: Exit + operator: isTrue + right: + value: {} + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: true + skipunavailable: false + task: + 
brand: '' + id: b5375b05-efa7-44db-869b-1cd075d3895e + iscommand: false + name: CNCS - Create Incident Classification + playbookId: CNCS - Create Incident Classification + type: playbook + version: -1 + taskid: b5375b05-efa7-44db-869b-1cd075d3895e + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 195\n }\n}" +version: -1 +view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 385,\n \"width\": 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}" diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification_README.md new file mode 100644 index 000000000000..79a944bfd844 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-CNCS_-_Incident_Classification_README.md @@ -0,0 +1,37 @@ +This playbook helps organizations categorize the incidents according to the CNCS Incident Classification Taxonomy, enabling standardized communication and sharing of threat intelligence on a Local scale. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +* CNCS - Create Incident Classification + +### Integrations + +This playbook does not use any integrations. + +### Scripts + +This playbook does not use any scripts. + +### Commands + +This playbook does not use any commands. + +## Playbook Inputs + +--- +There are no inputs for this playbook. + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![CNCS - Incident Classification](../doc_files/CNCS_-_Incident_Classification.png) diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification.yml new file mode 100644 index 000000000000..a9b847a791ba --- /dev/null 
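Review bot: The `contentitemfields` header of this playbook carries server-export metadata (`definitionid`, `fromServerVersion`, `itemVersion`, `packID`, `packName`, `prevname`, `toServerVersion`) that the other playbooks in this commit trim down to `propagationLabels`, and the file also lacks the `tests:` and `fromversion:` keys those siblings end with; reducing the header to `propagationLabels: [all]` and appending `fromversion: 6.0.0` (the value the siblings use) keeps the pack consistent and avoids shipping a tenant-specific pack id. The loop on task `'11'` re-runs the sub-playbook until `Exit` isTrue with `max: 100`, and from the sub-playbook hunk above `Exit` is only set on the Yes branch, so an analyst who answers No is re-prompted up to 100 times with no other way out of the loop; a smaller `max` or an explicit exit after a No answer would bound that, and the chosen bound deserves a comment in the playbook `description`.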
+++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification.yml 
@@ -0,0 +1,482 @@ +contentitemexportablefields: + contentitemfields: + propagationLabels: + - all +id: ENISA - Create Incident Classification +inputs: [] +name: ENISA - Create Incident Classification +outputs: +- contextPath: Exit + type: unknown +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 77d31f19-baea-40e0-8772-6f9031c22bd3 + iscommand: false + name: "" + version: -1 + description: '' + taskid: 77d31f19-baea-40e0-8772-6f9031c22bd3 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + all: + simple: "yes" + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + id: f548d469-d4d1-4e7c-8a8c-3110bec21e0e + iscommand: false + name: Delete Previous Form + scriptName: DeleteContext + type: regular + version: -1 + taskid: f548d469-d4d1-4e7c-8a8c-3110bec21e0e + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + "2": + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "3" + note: false + quietmode: 0 + scriptarguments: + org_type: + simple: non_pt_org + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 8604ccaa-74d2-4559-8679-0e4a164412f7 + iscommand: false + name: Fetch Macro Enisa Classification + scriptName: set_incident_classification + type: regular + version: -1 + taskid: 8604ccaa-74d2-4559-8679-0e4a164412f7 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + "3": + continueonerrortype: "" + form: + description: "" + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Please Choose the Macro Classification According to the ENISA Taxonomy + options: [] + optionsarg: + - {} + - simple: ${IncidentClassification} + placeholder: "" + readonly: false + required: true + tooltip: "" + type: singleSelect + sender: "" + title: Please Choose the Macro Classification According to the ENISA Taxonomy + totalanswers: 0 + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "4" + note: false + quietmode: 0 + separatecontext: 
false + skipunavailable: false + task: + brand: "" + id: 2db2933e-39e5-455a-8c31-1b719de2695e + iscommand: false + name: Please Choose the Macro Classification According to the ENISA Taxonomy + type: collection + version: -1 + taskid: 2db2933e-39e5-455a-8c31-1b719de2695e + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "6" + note: false + quietmode: 0 + scriptarguments: + all: + simple: "no" + key: + simple: IncidentClassification + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + id: b279edd1-4f09-4c86-891c-2ee27600d3ec + iscommand: false + name: Delete Previous Automation Run + scriptName: DeleteContext + type: regular + version: -1 + taskid: b279edd1-4f09-4c86-891c-2ee27600d3ec + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 720 + } + } + "5": + continueonerrortype: "" + form: + description: "" + expired: false + questions: + - defaultrows: [] + fieldassociated: "" + gridcolumns: [] + id: "0" + label: "" + labelarg: + simple: Please Choose the Specific Classification According to the ENISA Taxonomy + options: [] + optionsarg: + - {} + - simple: ${IncidentClassification} + placeholder: "" + readonly: false + required: true + tooltip: "" + type: singleSelect + sender: "" + title: Please Choose the Specific Classification According to the ENISA Taxonomy + totalanswers: 0 + id: "5" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + 
message: + bcc: + body: + cc: + format: "" + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: ef3fc2d1-2ea3-4be8-8a21-d535937f0851 + iscommand: false + name: Please Choose the Specific Classification According to the ENISA Taxonomy + type: collection + version: -1 + taskid: ef3fc2d1-2ea3-4be8-8a21-d535937f0851 + timertriggers: [] + type: collection + view: |- + { + "position": { + "x": 50, + "y": 1070 + } + } + "6": + continueonerrortype: "" + id: "6" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "5" + note: false + quietmode: 0 + scriptarguments: + classification: + simple: ${Please Choose the Macro Classification According to the ENISA Taxonomy.Answers.0} + org_type: + simple: non_pt_org + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 91b3ee79-9d49-4147-8838-6de9d730c708 + iscommand: false + name: Fetch Macro Enisa Classification + scriptName: set_incident_classification + type: regular + version: -1 + taskid: 91b3ee79-9d49-4147-8838-6de9d730c708 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 895 + } + } + "7": + continueonerrortype: "" + id: "7" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + "No": + - "10" + "Yes": + - "8" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 93d950a6-e9fe-46c1-8c05-fde64bb27d67 + iscommand: false + name: Do you confirm the chosen classification? 
+ type: condition + version: -1 + taskid: 93d950a6-e9fe-46c1-8c05-fde64bb27d67 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 50, + "y": 1245 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "11" + note: false + quietmode: 0 + scriptarguments: + enisacode: + simple: ${Please Choose the Macro Classification According to the ENISA Taxonomy.Answers.0}:${Please Choose the Specific Classification According to the ENISA Taxonomy.Answers.0} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.set.incident + id: ce5a7412-df19-48df-8118-49a6db977fa6 + iscommand: true + name: Set Enisa Classification + script: Builtin|||setIncident + type: regular + version: -1 + taskid: ce5a7412-df19-48df-8118-49a6db977fa6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 162.5, + "y": 1420 + } + } + "10": + continueonerrortype: "" + id: "10" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6e112468-214e-4445-82c8-fd5e69c03d6b + iscommand: false + name: End + type: title + version: -1 + description: '' + taskid: 6e112468-214e-4445-82c8-fd5e69c03d6b + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 50, + "y": 1770 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "10" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: Exit + value: + simple: "True" + separatecontext: false + skipunavailable: false + task: + brand: "" + description: Set a value in context under the key you entered. 
+ id: 30974c2e-c5aa-4ae9-8516-1adc6482f9d4 + iscommand: false + name: Set Exit Value + scriptName: Set + type: regular + version: -1 + taskid: 30974c2e-c5aa-4ae9-8516-1adc6482f9d4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 162.5, + "y": 1595 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1785, + "width": 492.5, + "x": 50, + "y": 50 + } + } + } +tests: +- No tests (auto formatted) +fromversion: 6.0.0 diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification_README.md new file mode 100644 index 000000000000..50210d0186c0 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Create_Incident_Classification_README.md @@ -0,0 +1,42 @@ + + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +This playbook does not use any integrations. + +### Scripts + +* set_incident_classification +* Set +* DeleteContext + +### Commands + +* setIncident + +## Playbook Inputs + +--- +There are no inputs for this playbook. + +## Playbook Outputs + +--- + +| **Path** | **Description** | **Type** | +| --- | --- | --- | +| Exit | | unknown | + +## Playbook Image + +--- + +![ENISA - Create Incident Classification](../doc_files/ENISA_-_Create_Incident_Classification.png) diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification.yml new file mode 100644 index 000000000000..a6296724d950 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification.yml 
@@ -0,0 +1,103 @@
+contentitemexportablefields:
+ contentitemfields:
+ definitionid: ''
+ fromServerVersion: ''
+ itemVersion: ''
+ packID: 697f8e56-e615-42f7-8e9a-e8811531eba4
+ packName: MISP - Indicator Sharing
+ prevname: ''
+ propagationLabels:
+ - all
+ toServerVersion: ''
+description: 'This playbook helps organizations categorize the incidents according to the ENISA Incident Classification Taxonomy, enabling standardized communication and sharing of threat intelligence on a global scale. '
+id: ENISA - Incident Classification
+inputs: []
+name: ENISA - Incident Classification
+outputs: []
+quiet: true
+starttaskid: '0'
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '3'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ id: 170ead0c-2d11-4f73-89ca-5d7133840dad
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: 170ead0c-2d11-4f73-89ca-5d7133840dad
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 50\n }\n}"
+ '2':
+ continueonerrortype: ''
+ id: '2'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ id: f652a23a-ebab-493d-8f3f-672359ac8441
+ iscommand: false
+ name: End
+ type: title
+ version: -1
+ taskid: f652a23a-ebab-493d-8f3f-672359ac8441
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 370\n }\n}"
+ '3':
+ continueonerrortype: ''
+ id: '3'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ builtincondition:
+ - - left:
+ iscontext: true
+ value:
+ simple: Exit
+ operator: isTrue
+ right:
+ value: {}
+ exitCondition: ''
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '2'
+ note: false
+ quietmode: 0
+ separatecontext: true
+ skipunavailable: 
false
+ task:
+ brand: ''
+ id: f08b0427-bc03-4102-8e95-7a2f304d4e1c
+ iscommand: false
+ name: ENISA - Create Incident Classification
+ playbookId: ENISA - Create Incident Classification
+ type: playbook
+ version: -1
+ taskid: f08b0427-bc03-4102-8e95-7a2f304d4e1c
+ timertriggers: []
+ type: playbook
+ view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 195\n }\n}"
+version: -1
+view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 385,\n \"width\": 380,\n \"x\": 50,\n \"y\": 50\n }\n }\n}"
diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification_README.md
new file mode 100644
index 000000000000..074c9bda0a7d
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-ENISA_-_Incident_Classification_README.md
@@ -0,0 +1,37 @@
+This playbook helps organizations categorize the incidents according to the ENISA Incident Classification Taxonomy, enabling standardized communication and sharing of threat intelligence on a global scale.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* ENISA - Create Incident Classification
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+This playbook does not use any scripts.
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+There are no inputs for this playbook.
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![ENISA - Incident Classification](../doc_files/ENISA_-_Incident_Classification.png)
diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event.yml
new file mode 100644
index 000000000000..576c817bf749
--- /dev/null
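Review bot: The loop at task '3' only ends when `Exit` is true, but with `max: 100` and `wait: 1` an analyst who answers "No" to the confirmation in the sub-playbook is re-prompted up to 100 times, and when the bound is hit the flow reaches `End` with no classification set and no error raised. A small bound such as `max: 3`, plus a condition task between '3' and '2' that checks `Exit` (or the `enisacode` incident field) and fails or notifies when it is still unset, would make the silent give-up visible. `Exit` is also never cleared before the loop starts, so a value left in context by an earlier run could satisfy the condition before the form is answered; worth confirming how the sub-playbook's output is scoped given `separatecontext: true`. `inputs: []` means the caller cannot supply the organisation type that the sibling "Create" playbook in this patch hard-codes as `non_pt_org`; if that is intended, say so in `description`.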
+++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event.yml 
@@ -0,0 +1,214 @@
+contentitemexportablefields:
+ contentitemfields:
+ propagationLabels:
+ - all
+id: MISP - Add Several Tags to MISP Event
+inputs:
+- description: ""
+ key: misp_event_id
+ playbookInputQuery:
+ required: false
+ value: {}
+- description: ""
+ key: tag
+ playbookInputQuery:
+ required: false
+ value: {}
+name: MISP - Add Several Tags to MISP Event
+outputs: []
+quiet: true
+starttaskid: "0"
+tasks:
+ "0":
+ continueonerrortype: ""
+ id: "0"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - "1"
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ""
+ id: 7e4f28a4-e60f-4ba4-8546-5ca71973e058
+ iscommand: false
+ name: ""
+ version: -1
+ description: ''
+ taskid: 7e4f28a4-e60f-4ba4-8546-5ca71973e058
+ timertriggers: []
+ type: start
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 50
+ }
+ }
+ "1":
+ continueonerrortype: ""
+ id: "1"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - "2"
+ note: false
+ quietmode: 0
+ scriptarguments:
+ all:
+ simple: "yes"
+ subplaybook:
+ simple: auto
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ""
+ description: |-
+ Delete field from context.
+
+ This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here:
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
+ id: 47fef697-ee2b-49b1-8183-92814a25a77f
+ iscommand: false
+ name: Delete Previous Context
+ scriptName: DeleteContext
+ type: regular
+ version: -1
+ taskid: 47fef697-ee2b-49b1-8183-92814a25a77f
+ timertriggers: []
+ type: regular
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 195
+ }
+ }
+ "2":
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ simple: inputs.tag
+ operator: isNotEmpty
+ label: "yes"
+ continueonerrortype: ""
+ id: "2"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - "3"
+ "yes":
+ - "4"
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ""
+ id: 36bffe41-51e8-4ab7-8d7b-e282cc826e66
+ iscommand: false
+ name: Check if Input is filled
+ type: condition
+ version: -1
+ taskid: 36bffe41-51e8-4ab7-8d7b-e282cc826e66
+ timertriggers: []
+ type: condition
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 370
+ }
+ }
+ "3":
+ continueonerrortype: ""
+ id: "3"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ""
+ id: 8e65ec6e-ddbf-4bad-85bc-bde96d4b168b
+ iscommand: false
+ name: End
+ type: title
+ version: -1
+ description: ''
+ taskid: 8e65ec6e-ddbf-4bad-85bc-bde96d4b168b
+ timertriggers: []
+ type: title
+ view: |-
+ {
+ "position": {
+ "x": 50,
+ "y": 720
+ }
+ }
+ "4":
+ continueonerrortype: ""
+ id: "4"
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - "3"
+ note: false
+ quietmode: 0
+ scriptarguments:
+ tag:
+ simple: ${inputs.tag}
+ uuid:
+ simple: ${inputs.misp_event_id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: MISP V3
+ description: Adds a tag to 
the given UUID event .
+ id: 2fa4312b-6651-4987-8f78-932125cb4459
+ iscommand: true
+ name: Set Tag
+ script: MISP V3|||misp-add-tag-to-event
+ type: regular
+ version: -1
+ taskid: 2fa4312b-6651-4987-8f78-932125cb4459
+ timertriggers: []
+ type: regular
+ view: |-
+ {
+ "position": {
+ "x": 162.5,
+ "y": 545
+ }
+ }
+version: -1
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 735,
+ "width": 492.5,
+ "x": 50,
+ "y": 50
+ }
+ }
+ }
+tests:
+- No tests (auto formatted)
+fromversion: 6.0.0
diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event_README.md
new file mode 100644
index 000000000000..82e661aa13b0
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Add_Several_Tags_to_MISP_Event_README.md
@@ -0,0 +1,41 @@
+
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+* MISP V3
+
+### Scripts
+
+* DeleteContext
+
+### Commands
+
+* misp-add-tag-to-event
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| misp_event_id | | | Optional |
+| tag | | | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![MISP - Add Several Tags to MISP Event](../doc_files/MISP_-_Add_Several_Tags_to_MISP_Event.png)
diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update.yml
new file mode 100644
index 000000000000..80586d790a03
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update.yml 
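Review bot: Task '2' gates only on `inputs.tag`, so when `misp_event_id` is empty task '4' still invokes `misp-add-tag-to-event` with an empty `uuid` and will most likely fail rather than end cleanly. Either set `required: true` on that input or add a second clause to the condition, `simple: inputs.misp_event_id` with `operator: isNotEmpty`, next to the existing one. Both inputs carry `description: ""`; since the value is bound to the command's `uuid` argument, the description should state that the event UUID is expected rather than the numeric event id (confirm whether the integration accepts both). The playbook is named "Add Several Tags" but runs a single command task on `${inputs.tag}`; if callers are meant to pass a list, document that the command handles one, otherwise wrap the task in a loop.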
@@ -0,0 +1,691 @@ +contentitemexportablefields: + contentitemfields: + propagationLabels: + - all +id: MISP - Set Attributes to Update +inputs: +- description: "" + key: misp_event_id + playbookInputQuery: + required: false + value: {} +- description: "" + key: indicator + playbookInputQuery: + required: false + value: {} +name: MISP - Set Attributes to Update +outputs: [] +starttaskid: "0" +tasks: + "0": + continueonerrortype: "" + id: "0" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: e9116fda-1569-41cd-8840-67e12c1a0bdf + iscommand: false + name: "" + version: -1 + description: '' + taskid: e9116fda-1569-41cd-8840-67e12c1a0bdf + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 357.5, + "y": 50 + } + } + "1": + continueonerrortype: "" + id: "1" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "9" + note: false + quietmode: 0 + scriptarguments: + all: + simple: "yes" + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. 
+ For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + id: d04fcf03-f235-443e-8fdc-d7212ce464b4 + iscommand: false + name: Delete Context + scriptName: DeleteContext + type: regular + version: -1 + taskid: d04fcf03-f235-443e-8fdc-d7212ce464b4 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 357.5, + "y": 195 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.indicator.indicator_type + operator: isEqualString + right: + value: + simple: IP + label: IP + - condition: + - - left: + iscontext: true + value: + simple: inputs.indicator.indicator_type + operator: isEqualString + right: + value: + simple: Domain + label: Domain + - condition: + - - left: + iscontext: true + value: + simple: inputs.indicator.indicator_type + operator: isEqualString + right: + value: + simple: URL + label: URL + - condition: + - - left: + iscontext: true + value: + simple: inputs.indicator.indicator_type + operator: isEqualString + right: + value: + simple: File + label: File, SHA256 Hash + - condition: + - - left: + iscontext: true + value: + simple: inputs.indicator.indicator_type + operator: isEqualString + right: + value: + simple: Email + - - left: + iscontext: true + value: + simple: inputs.indicator.value + operator: isEqualString + right: + value: + simple: "Yes" + label: Email Information + continueonerrortype: "" + id: "2" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + Domain: + - "14" + Email Information: + - "24" + File, SHA256 Hash: + - "3" + IP: + - "4" + URL: + - "15" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 6a726930-d193-4041-8bac-8fb9a80a8a27 + iscommand: false + name: Check Indicator Type + type: condition + version: -1 + taskid: 
6a726930-d193-4041-8bac-8fb9a80a8a27 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 695, + "y": 720 + } + } + "3": + continueonerrortype: "" + id: "3" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "18" + note: false + quietmode: 0 + scriptarguments: + file_indicator: + simple: ${inputs.indicator} + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + id: 0ca16440-d299-4458-8b35-96aacf4ff024 + iscommand: false + name: MISP - Add File SHA256 to Event + scriptName: misp_setfile_atributes + type: regular + version: -1 + taskid: 0ca16440-d299-4458-8b35-96aacf4ff024 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 910, + "y": 895 + } + } + "4": + continueonerrortype: "" + id: "4" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + event_id: + simple: ${inputs.misp_event_id} + ip: + simple: ${inputs.indicator.value} + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: 'Adds an IP object to the MISP event. The following arguments are optional, but at least one must be supplied for the command to run successfully: "ip", "dst_port", "src_port", "domain", "hostname", "ip_src", and "ip_dst".' 
+ id: 70f45d87-9ce2-45fa-8c06-a775885339b6 + iscommand: true + name: MISP - Add IP Info to Event + script: MISP V3|||misp-add-ip-object + type: regular + version: -1 + taskid: 70f45d87-9ce2-45fa-8c06-a775885339b6 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1340, + "y": 1070 + } + } + "8": + continueonerrortype: "" + id: "8" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: b2ad7263-de43-4d39-8ae4-ecd3f27c5e0c + iscommand: false + name: End + type: title + version: -1 + description: '' + taskid: b2ad7263-de43-4d39-8ae4-ecd3f27c5e0c + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 582.5, + "y": 1245 + } + } + "9": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.indicator + operator: isNotEmpty + label: "yes" + continueonerrortype: "" + id: "9" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - "8" + "yes": + - "11" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 93c3f3e1-c00c-45b5-80ac-e23c1f14fd24 + iscommand: false + name: Check if Input is filled + type: condition + version: -1 + taskid: 93c3f3e1-c00c-45b5-80ac-e23c1f14fd24 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 357.5, + "y": 370 + } + } + "11": + continueonerrortype: "" + id: "11" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "2" + note: false + quietmode: 0 + scriptarguments: + append: + simple: "false" + key: + simple: IndicatorComment + value: + simple: ${inputs.indicator_comment} + separatecontext: false + skipunavailable: false + task: + brand: "" + description: |- + Set a value in context under the key you entered. If no value is entered, the script doesn't do anything. 
+ + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + id: cae33d92-7482-42fd-8dcf-0826d96551c2 + iscommand: false + name: Set comment to add to Indicator + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: cae33d92-7482-42fd-8dcf-0826d96551c2 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 695, + "y": 545 + } + } + "14": + continueonerrortype: "" + id: "14" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + attributes: + simple: '{"domain":"${inputs.indicator.value}"}' + event_id: + simple: ${inputs.misp_event_id} + template: + simple: domain + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Adds any other object to MISP. + id: 1794a42f-193d-4866-8c64-cd622bd4b810 + iscommand: true + name: MISP - Add Domain Info to Event + script: MISP V3|||misp-add-object + type: regular + version: -1 + taskid: 1794a42f-193d-4866-8c64-cd622bd4b810 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 50, + "y": 1070 + } + } + "15": + continueonerrortype: "" + id: "15" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + event_id: + simple: ${inputs.misp_event_id} + url: + simple: ${inputs.indicator.value} + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Adds a URL object to an MISP event. 
+ id: 34ea39df-5bf8-4ee8-89b6-2c369b656b37 + iscommand: true + name: MISP - Add URL Info to Event + script: MISP V3|||misp-add-url-object + type: regular + version: -1 + taskid: 34ea39df-5bf8-4ee8-89b6-2c369b656b37 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 1770, + "y": 1070 + } + } + "17": + continueonerrortype: "" + id: "17" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + attributes: + simple: ${MispEmailAttribute} + event_id: + simple: ${inputs.misp_event_id} + template: + simple: email + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Adds any other object to MISP. + id: 9784c5d2-c202-4ee7-846d-776f5ebd1028 + iscommand: true + name: MISP - Add Email Sender Info to Event + script: MISP V3|||misp-add-object + type: regular + version: -1 + taskid: 9784c5d2-c202-4ee7-846d-776f5ebd1028 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 480, + "y": 1070 + } + } + "18": + continueonerrortype: "" + id: "18" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "8" + note: false + quietmode: 0 + scriptarguments: + attributes: + complex: + root: fileindicator + transformers: + - operator: Stringify + event_id: + simple: ${inputs.misp_event_id} + template: + simple: file + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Adds any other object to MISP. 
+ id: 23c8330e-c7ac-4657-8e42-9a94633a03cd + iscommand: true + name: MISP - Add File SHA256 to Event + script: MISP V3|||misp-add-object + type: regular + version: -1 + taskid: 23c8330e-c7ac-4657-8e42-9a94633a03cd + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 910, + "y": 1070 + } + } + "24": + continueonerrortype: "" + id: "24" + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - "17" + note: false + quietmode: 0 + scriptarguments: + from: + simple: ${incident.reportedemailfrom} + from_display_name: + complex: + accessor: headervalue + filters: + - - left: + iscontext: true + value: + simple: incident.emailheaders.headername + operator: endWith + right: + value: + simple: From + root: incident.emailheaders + transformers: + - operator: FirstArrayElement + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (.+?) < + unpack_matches: {} + operator: RegexExtractAll + from_domain: + complex: + accessor: headervalue + filters: + - - left: + iscontext: true + value: + simple: incident.emailheaders.headername + operator: endWith + right: + value: + simple: Authentication-Results + root: incident.emailheaders + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: header.from=(.+?); + unpack_matches: {} + operator: RegexExtractAll + ip_src: + complex: + accessor: headervalue + filters: + - - left: + iscontext: true + value: + simple: incident.emailheaders.headername + operator: isEqualString + right: + value: + simple: Authentication-Results + root: incident.emailheaders + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: '\(sender IP is (.*?)\) ' + unpack_matches: {} + operator: RegexExtractAll + return_path: + simple: ${incident.emailreturnpath} + 
send_date: + complex: + accessor: headervalue + filters: + - - left: + iscontext: true + value: + simple: incident.emailheaders.headername + operator: isEqualString + right: + value: + simple: X-MS-Exchange-Organization-OriginalArrivalTime + - left: + iscontext: true + value: + simple: incident.emailheaders.headername + operator: isEqualString + right: + value: + simple: X-MS-Exchange-CrossTenant-OriginalArrivalTime + root: incident.emailheaders + subject: + complex: + accessor: reportedemailsubject + root: incident + transformers: + - args: + limit: {} + replaceWith: + value: + simple: \" + toReplace: + value: + simple: '"' + operator: replace + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 313b2987-db7f-408f-8914-4923bc3f39ac + iscommand: false + name: Get Email Info + scriptName: misp_setmail_attributes + type: regular + version: -1 + taskid: 313b2987-db7f-408f-8914-4923bc3f39ac + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 480, + "y": 895 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1260, + "width": 2100, + "x": 50, + "y": 50 + } + } + } +tests: +- No tests (auto formatted) +fromversion: 6.0.0 diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update_README.md new file mode 100644 index 000000000000..af3afff96e33 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-MISP_-_Set_Attributes_to_Update_README.md 
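Review bot: Task '14' builds the `attributes` argument by interpolating the indicator into a JSON string, `'{"domain":"${inputs.indicator.value}"}'`; a value containing `"` or `\` breaks the document or lets the value inject extra keys, and the `subject` transformer in task '24' already works around the same problem with a `replace` of `"` by `\"`. Build the object with a transformer instead of string templating, as task '18' does with `Stringify` on `fileindicator`. Task '11' reads `${inputs.indicator_comment}`, which is not a declared input (only `misp_event_id` and `indicator` are), so `IndicatorComment` is never set and nothing in this hunk consumes it. In task '24' the `from_domain` filter matches the header name with `endWith` while `ip_src` uses `isEqualString`; `endWith` also matches `ARC-Authentication-Results`, which any earlier hop can insert, so the sender domain may come from a header the local gateway did not write—use `isEqualString` for both. The "Email Information" branch in task '2' additionally requires `inputs.indicator.value` to equal `Yes`, which reads like a form answer rather than an indicator value; if that is intentional, document it on the `indicator` input.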
@@ -0,0 +1,46 @@ + + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +This playbook does not use any sub-playbooks. + +### Integrations + +* MISP V3 + +### Scripts + +* misp_setfile_atributes +* misp_setmail_attributes +* SetAndHandleEmpty +* DeleteContext + +### Commands + +* misp-add-url-object +* misp-add-ip-object +* misp-add-object + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| misp_event_id | | | Optional | +| indicator | | | Optional | + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![MISP - Set Attributes to Update](../doc_files/MISP_-_Set_Attributes_to_Update.png) diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing.yml b/Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing.yml new file mode 100644 index 000000000000..5b49e8fe44be --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing.yml 
@@ -0,0 +1,1577 @@ +contentitemexportablefields: + contentitemfields: + definitionid: '' + fromServerVersion: '' + itemVersion: '' + packID: 697f8e56-e615-42f7-8e9a-e8811531eba4 + packName: MISP - Indicator Sharing + prevname: '' + propagationLabels: + - all + toServerVersion: '' +description: This playbook addresses the challenge of efficiently sharing critical threat data with external partners, speeding up threat response and enhancing collective defense against cyberattacks. +id: Playbook - MISP - Indicator Sharing +inputs: +- description: Please choose between "pt_org" (Portuguese Organization) and "non_pt_org" (Non Portuguese Organization) + key: org_type + playbookInputQuery: + required: false + value: {} +name: Playbook - MISP - Indicator Sharing +outputs: [] +starttaskid: '0' +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 013b82ab-71ab-495c-8d71-9063f39ea827 + iscommand: false + name: '' + version: -1 + taskid: 013b82ab-71ab-495c-8d71-9063f39ea827 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -360\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + add_fields_to_context: + simple: id,associatedfilenames,fileextension,filetype,path,md5,sha1,sha256,ssdeep,size + query: + simple: (incident.id:"${incident.id}") and (type:IP or type:Email or type:URL or type:File) + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: "Searches Cortex XSOAR Indicators.\n\nSearch for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict.\n\nYou can add additional fields from the indicators using the 
add_field_to_context argument." + id: ab55927f-4b0a-4cc3-8851-218dfe425b85 + iscommand: false + name: Search For Indicators Associated With Current Incident + scriptName: SearchIndicator + type: regular + version: -1 + taskid: ab55927f-4b0a-4cc3-8851-218dfe425b85 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 895\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 693b1ab9-5e79-4aa1-8364-3d4a963ea265 + iscommand: false + name: End + type: title + version: -1 + taskid: 693b1ab9-5e79-4aa1-8364-3d4a963ea265 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 807.5,\n \"y\": 5095\n }\n}" + '3': + continueonerrortype: '' + form: + description: '' + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Please select the URLs that should be shared via MISP + options: [] + optionsarg: + - complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: foundIndicators.indicator_type + operator: isEqualString + right: + value: + simple: URL + root: foundIndicators + placeholder: '' + readonly: false + required: false + tooltip: '' + type: multiSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '1' + label: '' + labelarg: + simple: Insert Additional URLs To Submit To MISP (using csv format) + options: [] + optionsarg: + - complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: foundIndicators.indicator_type + operator: isEqualString + right: + value: + simple: URL + root: foundIndicators + placeholder: '' + readonly: false + required: false + tooltip: '' + type: shortText + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '2' + label: '' + labelarg: + simple: Please 
select the Domains that should be shared via MISP + options: [] + optionsarg: + - complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: foundIndicators.indicator_type + operator: isEqualString + right: + value: + simple: Domain + root: foundIndicators + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '3' + label: '' + labelarg: + simple: Please select the File Hashes that should be shared via MISP + options: [] + optionsarg: + - complex: + accessor: associatedfilenames + filters: + - - left: + iscontext: true + value: + simple: foundIndicators.indicator_type + operator: isEqualString + right: + value: + simple: File + root: foundIndicators + placeholder: '' + readonly: false + required: false + tooltip: '' + type: multiSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '4' + label: '' + labelarg: + simple: Do you want to share the email information? 
+ options: [] + optionsarg: + - {} + - simple: Yes + - simple: No + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '5' + label: '' + labelarg: + simple: Set a default info comment to MISP + options: [] + optionsarg: + - simple: Yes + - simple: No, create a custom info comment to MISP + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Please select the indicators to submit via MISP + totalanswers: 0 + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: '' + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 81c08660-5683-425f-87d5-bbad4e71908c + iscommand: false + name: Please select the indicators to submit via MISP + type: collection + version: -1 + taskid: 81c08660-5683-425f-87d5-bbad4e71908c + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 1070\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + all: + simple: yes + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Delete field from context.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations" + id: 0a9d11e5-7c04-4898-85ad-0eef2d5f8ca5 + iscommand: 
false + name: Delete Previous Context + scriptName: DeleteContext + type: regular + version: -1 + taskid: 0a9d11e5-7c04-4898-85ad-0eef2d5f8ca5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -145\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'false' + key: + simple: IndicatorsToShare + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: foundIndicators.value + operator: inList + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.0 + - left: + iscontext: true + value: + simple: foundIndicators.value + operator: inList + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.2 + - left: + iscontext: true + value: + simple: foundIndicators.associatedfilenames + operator: containsGeneral + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.3 + - left: + iscontext: true + value: + simple: foundIndicators.value + operator: inList + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.4 + root: foundIndicators + transformers: + - args: + item: + iscontext: true + value: + simple: ${EmailVar} + operator: append + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations" + id: 84a94daa-e61d-4ac1-81ae-4b4f5013b85c + iscommand: false + name: Set Indicators to Share + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 84a94daa-e61d-4ac1-81ae-4b4f5013b85c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": 3170\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns the current datetime as an epoch value for use in timestamp comparisons. + id: be445ab6-5c42-46ab-818e-617e32da9cf9 + iscommand: false + name: Get Current Date + scriptName: DateTimeNowToEpoch + type: regular + version: -1 + taskid: be445ab6-5c42-46ab-818e-617e32da9cf9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 3345\n }\n}" + '9': + continueonerrortype: '' + form: + description: '' + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Please add notes to Contextualize Event + options: [] + optionsarg: [] + placeholder: '' + readonly: false + required: true + tooltip: '' + type: shortText + sender: '' + title: Please add notes to Contextualize Event + totalanswers: 0 + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: + body: + cc: + format: '' + methods: [] + subject: + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 
360 + to: + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 86d6de2b-b539-47f0-86cc-4045f5a2ec47 + iscommand: false + name: Please add notes to Contextualize Event + type: collection + version: -1 + taskid: 86d6de2b-b539-47f0-86cc-4045f5a2ec47 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 1595\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + scriptarguments: + arrayData: + simple: tlp:amber + contextKey: + simple: TagsMisp + separator: + simple: ',' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Will create an array object in context from given string input ' + id: 9909f441-59e0-4256-8a1f-363b66b1e1c2 + iscommand: false + name: Create Array Predefined of Tags + scriptName: CreateArray + type: regular + version: -1 + taskid: 9909f441-59e0-4256-8a1f-363b66b1e1c2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 4045\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + alert: + simple: 'false' + event_id: + simple: ${MISP.Event.ID} + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Publish an event. 
+ id: 542138e0-d7eb-4bf4-8085-8c3a328b99f8 + iscommand: true + name: misp-publish-event + script: MISP V3|||misp-publish-event + type: regular + version: -1 + taskid: 542138e0-d7eb-4bf4-8085-8c3a328b99f8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 4920\n }\n}" + '15': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.5 + operator: isEqualString + right: + value: + simple: Yes + label: yes + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + yes: + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 0a141ecf-eeb4-4968-8588-1286f91baf7b + iscommand: false + name: Check If Info Comment should be custom + type: condition + version: -1 + taskid: 0a141ecf-eeb4-4968-8588-1286f91baf7b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 1420\n }\n}" + '16': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.1 + operator: isNotEmpty + right: + value: {} + label: yes + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + yes: + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 14b296c7-6f01-43a9-81a0-13710a622790 + iscommand: false + name: Check If Additional URLs were Submitted + type: condition + version: -1 + taskid: 14b296c7-6f01-43a9-81a0-13710a622790 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 1945\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + 
note: false + quietmode: 0 + scriptarguments: + arrayData: + simple: ${Please select the indicators to submit via MISP.Answers.1} + contextKey: + simple: AdditionalUrlsMisp + separator: + simple: ',' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Will create an array object in context from given string input ' + id: 2c6f06fc-b748-47b3-8025-e8aa92cca83d + iscommand: false + name: Create Array with Additional URLs + scriptName: CreateArray + type: regular + version: -1 + taskid: 2c6f06fc-b748-47b3-8025-e8aa92cca83d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 2120\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'false' + key: + simple: MispInfoField + value: + simple: ${incident.name} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. + id: 32b64255-9674-4e3e-8dd7-16c57e146f82 + iscommand: false + name: Set Context Info Based Incident Name + scriptName: Set + type: regular + version: -1 + taskid: 32b64255-9674-4e3e-8dd7-16c57e146f82 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": 1770\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'false' + key: + simple: MispInfoField + value: + simple: ${Please add notes to Contextualize Event.Answers.0} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
+ id: 650f536c-7665-4b2a-8923-e7aeaaed2e5d + iscommand: false + name: Set Context Info with Notes + scriptName: Set + type: regular + version: -1 + taskid: 650f536c-7665-4b2a-8923-e7aeaaed2e5d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 1770\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: '1' + root: Please select the indicators to submit via MISP.Answers + transformers: + - args: + limit: {} + replaceWith: + value: + simple: ' or ' + toReplace: + value: + simple: ',' + operator: replace + - args: + prefix: + value: + simple: value:( + suffix: + value: + simple: ) and type:URL + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Searches Cortex XSOAR Indicators.\n\nSearch for XSOAR Indicators and returns the id, indicator_type, value, and score/verdict.\n\nYou can add additional fields from the indicators using the add_field_to_context argument." 
+ id: 257b7f3a-2157-4cbe-8c05-159dba9acb98 + iscommand: false + name: Search For Newly Created URL Indicators + scriptName: SearchIndicator + type: regular + version: -1 + taskid: 257b7f3a-2157-4cbe-8c05-159dba9acb98 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 2995\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + all: + simple: no + key: + simple: foundIndicators + subplaybook: + simple: auto + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Delete field from context.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations" + id: e2e2e018-0793-4399-86b6-a9eb578c9ea0 + iscommand: false + name: Remove Found Indicators Key + scriptName: DeleteContext + type: regular + version: -1 + taskid: e2e2e018-0793-4399-86b6-a9eb578c9ea0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 2820\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'false' + key: + simple: IndicatorsToShare + value: + complex: + root: IndicatorsToShare + transformers: + - args: + item: + iscontext: true + value: + simple: foundIndicators + operator: append + - args: + item: + iscontext: true + value: + simple: ${EmailVar} + operator: append + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations" + id: 60cf148f-4d2f-4df0-8844-2bf21a7abe6f + iscommand: false + name: Set Indicators to Share + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 60cf148f-4d2f-4df0-8844-2bf21a7abe6f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 3170\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'false' + key: + simple: IndicatorsToShare + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: foundIndicators.value + operator: inList + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.0 + - left: + iscontext: true + value: + simple: foundIndicators.value + operator: inList + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.2 + - left: + iscontext: true + value: + simple: foundIndicators.associatedfilenames + operator: containsGeneral + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.3 + - left: + iscontext: true + value: + simple: foundIndicators.value + operator: inList + right: + iscontext: true + value: + simple: Please select the indicators to submit via MISP.Answers.4 + root: foundIndicators + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations" + id: 8f069044-659c-40eb-8c58-c1647d5943cc + iscommand: false + name: Set Indicators to Share + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 8f069044-659c-40eb-8c58-c1647d5943cc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 2645\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + forEach: true + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + indicator: + simple: ${IndicatorsToShare} + misp_event_id: + simple: ${MISP.Event.ID} + separatecontext: true + skipunavailable: false + task: + brand: '' + id: 9b34680d-9550-4005-8b0a-fc571f7638be + iscommand: false + name: MISP - Set Attributes to Update + playbookId: MISP - Set Attributes to Update + type: playbook + version: -1 + taskid: 9b34680d-9550-4005-8b0a-fc571f7638be + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 4570\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'false' + key: + simple: EmailVar + stringify: + simple: 'false' + value: + simple: '{"value":"${Please select the indicators to submit via MISP.Answers.4}","indicator_type":"Email"}' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value is entered, the script doesn't do anything.\n\nThis automation runs using the default Limited User role, unless you explicitly change the permissions.\nFor more information, see the section about permissions here:\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations" + id: af118bae-7aa4-4dbf-8153-9cdd00901d18 + iscommand: false + name: Set Email Var to Use in Subplaybook + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: af118bae-7aa4-4dbf-8153-9cdd00901d18 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 1245\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + incidentId: + complex: + accessor: id + root: incident + indicatorsIDs: + complex: + accessor: ID + root: CreateNewIndicatorsOnly + transformers: + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.associate.indicators + id: 161645c7-8cb8-4c19-8c23-91dd3872ef53 + iscommand: true + name: Associate Created Indicators to Incident + script: Builtin|||associateIndicatorsToIncident + type: regular + version: -1 + taskid: 161645c7-8cb8-4c19-8c23-91dd3872ef53 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 2470\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + indicator_values: + simple: ${AdditionalUrlsMisp} + type: + simple: URL + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Create indicators to the Threat Intel database only if they are not registered. 
All submitted indicators will be associated with the parent incident. When using the script with many indicators, or when the Threat Intel Management database is highly populated, this script may have low performance issue. + id: 6f4f9ebc-61dd-4f1f-8056-52f3ae626b4a + iscommand: false + name: Create Url Indicators Based On Form + scriptName: CreateNewIndicatorsOnly + type: regular + version: -1 + taskid: 6f4f9ebc-61dd-4f1f-8056-52f3ae626b4a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 2295\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + forEach: true + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + misp_event_id: + simple: ${MISP.Event.UUID} + tag: + complex: + root: MispRSIT + transformers: + - args: + item: + iscontext: true + value: + simple: TagsMisp + operator: append + separatecontext: true + skipunavailable: false + task: + brand: '' + id: d7418f72-b56e-421f-820c-d1ffb8311ca3 + iscommand: false + name: MISP - Add Several Tags to MISP Event + playbookId: MISP - Add Several Tags to MISP Event + type: playbook + version: -1 + taskid: d7418f72-b56e-421f-820c-d1ffb8311ca3 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 4395\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + org_type: + simple: ${inputs.org_type} + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 6ae9acfb-d0e4-41c7-8404-6e52acdfca67 + iscommand: false + name: Create RSIT Entry Based on Classification + scriptName: misp_set_classification + type: regular + version: -1 + taskid: 6ae9acfb-d0e4-41c7-8404-6e52acdfca67 + timertriggers: [] + type: regular 
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 4220\n }\n}" + '34': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.org_type + operator: isNotEmpty + label: yes + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '35' + yes: + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 867e64a5-1996-4f18-8ba3-27ec65d1c0a7 + iscommand: false + name: Check if Org Type Input is filled + type: condition + version: -1 + taskid: 867e64a5-1996-4f18-8ba3-27ec65d1c0a7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 70\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + message: + simple: 'ERROR: Input org_type is empty, please fill the input before running the playbook.' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints an error entry with a given message. 
+ id: ea15c388-9959-4381-8672-670ceeb5d871 + iscommand: false + name: Please select an org type before running the playbook + scriptName: PrintErrorEntry + type: regular + version: -1 + taskid: ea15c388-9959-4381-8672-670ceeb5d871 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 642.5,\n \"y\": 260\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + No: + - '37' + Yes: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 2b80466f-0a36-4e16-88e1-d3ade6f68243 + iscommand: false + name: Publish Event + type: condition + version: -1 + taskid: 2b80466f-0a36-4e16-88e1-d3ade6f68243 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 4745\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: fa16c0a1-8e6e-4a6b-87fd-7e5e54bd569e + iscommand: false + name: Event Not Published To Misp + type: regular + version: -1 + taskid: fa16c0a1-8e6e-4a6b-87fd-7e5e54bd569e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 592.5,\n \"y\": 4920\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + No: + - '39' + Yes: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 1394a18b-ec7c-46d3-85d9-da6b72e0d92b + iscommand: false + name: Create MISP Event? 
+ type: condition + version: -1 + taskid: 1394a18b-ec7c-46d3-85d9-da6b72e0d92b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 3520\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 041fca67-af9d-46a9-8b51-8bb643b05027 + iscommand: false + name: Event Not Created + type: regular + version: -1 + taskid: 041fca67-af9d-46a9-8b51-8bb643b05027 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 4920\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + analysis: + simple: completed + distribution: + simple: Sharing_group + info: + simple: ${MispInfoField} + sharing_group_id: + simple: '1' + threat_level_id: + simple: Low + to_ids: + simple: 'false' + value: + simple: Incident - ${incident.cncsclassification} - ${incident.cncstype} + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Creates a new MISP event. 
+ id: b8cb7ef2-9cfd-4414-8a97-297c9fed4687 + iscommand: true + name: Create MISP Event + script: MISP V3|||misp-create-event + type: regular + version: -1 + taskid: b8cb7ef2-9cfd-4414-8a97-297c9fed4687 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 3870\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.org_type + operator: isEqualString + right: + value: + simple: pt_org + label: pt_org + - condition: + - - left: + iscontext: true + value: + simple: inputs.org_type + operator: isEqualString + right: + value: + simple: non_pt_org + label: non_pt_org + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '43' + non_pt_org: + - '42' + pt_org: + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 06755865-dfcb-4d3f-8728-ad56f4e1760b + iscommand: false + name: Check Org Type Before Creating MISP Event + type: condition + version: -1 + taskid: 06755865-dfcb-4d3f-8728-ad56f4e1760b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 695,\n \"y\": 3695\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + analysis: + simple: completed + distribution: + simple: Sharing_group + info: + simple: ${MispInfoField} + sharing_group_id: + simple: '1' + threat_level_id: + simple: Low + to_ids: + simple: 'false' + value: + simple: Incident - ${incident.enisacode} + separatecontext: false + skipunavailable: false + task: + brand: MISP V3 + description: Creates a new MISP event. 
+ id: 5d663235-ee2b-4e18-847f-cfc3016c8fdc + iscommand: true + name: Create MISP Event + script: MISP V3|||misp-create-event + type: regular + version: -1 + taskid: 5d663235-ee2b-4e18-847f-cfc3016c8fdc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 3870\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + message: + simple: No org_type value + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints an error entry with a given message. + id: 4a902470-2e3e-40ae-83be-059bea7cb780 + iscommand: false + name: Return Error + scriptName: PrintErrorEntry + type: regular + version: -1 + taskid: 4a902470-2e3e-40ae-83be-059bea7cb780 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 3870\n }\n}" + '44': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: incident.enisacode + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: inputs.org_type + operator: isEqualString + right: + value: + simple: non_pt_org + label: yes, according to enisa + - condition: + - - left: + iscontext: true + value: + simple: incident.cncstype + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: inputs.org_type + operator: isEqualString + right: + value: + simple: pt_org + label: yes, according to cncs + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '45' + yes, according to cncs: + - '46' + yes, according to enisa: + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 05e66ee3-0905-47c6-8b12-bf564d27bc76 + iscommand: false + name: Check if Incident Classification is Filled + type: condition + version: -1 + taskid: 05e66ee3-0905-47c6-8b12-bf564d27bc76 
+ timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1022.5,\n \"y\": 390\n }\n}" + '45': + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + message: + simple: 'ERROR: Required Incident Field is empty. Please fill the enisacode field or in case of Portuguese Organization fill the cncs related fields.' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints an error entry with a given message. + id: 72eb0aff-dc3c-43ab-86dd-27fc6f55d424 + iscommand: false + name: Please fill the related incident classification field according to your organization type + scriptName: PrintErrorEntry + type: regular + version: -1 + taskid: 72eb0aff-dc3c-43ab-86dd-27fc6f55d424 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 570,\n \"y\": 560\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: de505abc-2861-4a1b-85cf-ad6712943672 + iscommand: false + name: CNCS Fields OK + type: title + version: -1 + taskid: de505abc-2861-4a1b-85cf-ad6712943672 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": 735\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + id: 0d3d2a0c-6c43-4fcb-84c2-aa56b6279ff7 + iscommand: false + name: ENISA Fields OK + type: title + version: -1 + taskid: 0d3d2a0c-6c43-4fcb-84c2-aa56b6279ff7 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1135,\n \"y\": 735\n }\n}" +version: -1 +view: "{\n 
\"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 5520,\n \"width\": 1465,\n \"x\": 50,\n \"y\": -360\n }\n }\n}" diff --git a/Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing_README.md b/Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing_README.md new file mode 100644 index 000000000000..5e2a3799bae9 --- /dev/null +++ b/Packs/MISP-IndicatorSharing/Playbooks/playbook-Playbook_-_MISP_-_Indicator_Sharing_README.md @@ -0,0 +1,51 @@ +This playbook addresses the challenge of efficiently sharing critical threat data with external partners, speeding up threat response and enhancing collective defense against cyberattacks. + +## Dependencies + +This playbook uses the following sub-playbooks, integrations, and scripts. + +### Sub-playbooks + +* MISP - Set Attributes to Update +* MISP - Add Several Tags to MISP Event + +### Integrations + +* MISP V3 + +### Scripts + +* CreateArray +* SearchIndicator +* misp_set_classification +* CreateNewIndicatorsOnly +* DateTimeNowToEpoch +* Set +* PrintErrorEntry +* DeleteContext +* SetAndHandleEmpty + +### Commands + +* misp-publish-event +* associateIndicatorsToIncident +* misp-create-event + +## Playbook Inputs + +--- + +| **Name** | **Description** | **Default Value** | **Required** | +| --- | --- | --- | --- | +| org_type | Please choose between "pt_org" \(Portuguese Organization\) and "non_pt_org" \(Non Portuguese Organization\) | | Optional | + +## Playbook Outputs + +--- +There are no outputs for this playbook. + +## Playbook Image + +--- + +![Playbook - MISP - Indicator Sharing](../doc_files/Playbook_-_MISP_-_Indicator_Sharing.png) diff --git a/Packs/MISP-IndicatorSharing/README.md b/Packs/MISP-IndicatorSharing/README.md new file mode 100644 index 000000000000..e69de29bb2d1 
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.py b/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.py
new file mode 100644
index 000000000000..720eb5cc5bd3
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.py
@@ -0,0 +1,332 @@ +import demistomock as demisto # noqa: F401 +from CommonServerPython import * # noqa: F401 +"""Base Script for Cortex XSOAR (aka Demisto) +This is an empty script with some basic structure according +to the code conventions. +MAKE SURE YOU REVIEW/REPLACE ALL THE COMMENTS MARKED AS "TODO" +Developer Documentation: https://xsoar.pan.dev/docs/welcome +Code Conventions: https://xsoar.pan.dev/docs/integrations/code-conventions +Linting: https://xsoar.pan.dev/docs/integrations/linting +""" + +from typing import Dict, Any +import traceback + +pt_enisa = [ + { + "Classification": "Código Malicioso", + "Type": "Sistema Infetado", + "EnisaDescription": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server", + "ENISA": "Malicious Code:Infected System", + "RSIT": "malicious-code=infected-system" + + }, + { + "Classification": "Código Malicioso", + "Type": "Distribuição de Malware", + "EnisaDescription": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).", + "ENISA": "Malicious Code:Malware Distribution", + "RSIT": "malicious-code=malware-distribution" + }, + { + "Classification": "Código Malicioso", + "Type": "Servidor C2", + "EnisaDescription": "Command-and-control server contacted by malware on infected systems.", + "ENISA": "Malicious Code:C2 Server", + "RSIT": "malicious-code=c2-server" + }, + { + "Classification": "Código Malicioso", + "Type": "Configuração de Malware", + "EnisaDescription": "URI hosting a malware configuration file, e.g. web-injects for a banking trojan.", + "ENISA": "Malicious Code:Malware Configuration", + "RSIT": "malicious-code=malware-configuration" + }, + { + "Classification": "Disponibilidade", + "Type": "Negação de Serviço", + "EnisaDescription": "Denial of Service attack, e.g. 
sending specially crafted requests to a web application which causes the application to crash or slow down.", + "ENISA": "Availability:Denial of Service", + "RSIT": "availability=dos" + + }, + { + "Classification": "Disponibilidade", + "Type": "Negação de Serviço Distribuída", + "EnisaDescription": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.", + "ENISA": "Availability:Distributed Denial of Service", + "RSIT": "availability=ddos" + + + }, + { + "Classification": "Disponibilidade", + "Type": "Configuração incorreta", + "EnisaDescription": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.", + "ENISA": "Availability:Misconfiguration", + "RSIT": "availability=misconfiguration" + }, + { + "Classification": "Disponibilidade", + "Type": "Sabotagem", + "EnisaDescription": "Physical sabotage, e.g cutting wires or malicious arson.", + "ENISA": "Availability:Sabotage", + "RSIT": "availability=sabotage" + }, + { + "Classification": "Disponibilidade", + "Type": "Interrupção", + "EnisaDescription": "An outage caused, for example, by air conditioning failure or natural disaster.", + "ENISA": "Availability:Outage", + "RSIT": "availability=outage" + }, + { + "Classification": "Recolha de Informação", + "Type": "Scanning", + "EnisaDescription": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. 
Examples:fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", + "ENISA": "Information Gathering:Scanning", + "RSIT": "information-gathering=scanner" + }, + { + "Classification": "Recolha de Informação", + "Type": "Sniffing", + "EnisaDescription": "Observing and recording of network traffic (wiretapping).", + "ENISA": "Information Gathering:Sniffing", + "RSIT": "information-gathering=sniffing" + }, + { + "Classification": "Recolha de Informação", + "Type": "Engenharia Social", + "EnisaDescription": "Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).", + "ENISA": "Information Gathering:Social Engineering", + "RSIT": "information-gathering=social-engineering" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Conta Privilegiada", + "EnisaDescription": "Compromise of a system where the attacker gained administrative privileges.", + "ENISA": "Intrusions:Privileged Account Compromise", + "RSIT": "intrusions=privileged-account-compromise" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Conta Não Privilegiada", + "EnisaDescription": "Compromise of a system using an unprivileged (user/service) account.", + "ENISA": "Intrusions:Unprivileged Account Compromise", + "RSIT": "intrusions=unprivileged-account-compromise" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Aplicação", + "EnisaDescription": "Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.", + "ENISA": "Intrusions:Application Compromise", + "RSIT": "intrusions=application-compromise" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Sistema", + "EnisaDescription": "Compromise of a system, e.g. unauthorised logins or commands. 
This includes compromising attempts on honeypot systems.", + "ENISA": "Intrusions:System Compromise", + "RSIT": "intrusions=system" + }, + { + "Classification": "Intrusão", + "Type": "Arrombamento", + "EnisaDescription": "Physical intrusion, e.g. into corporate building or data-centre.", + "ENISA": "Intrusions:Burglary", + "RSIT": "intrusions=burglary" + }, + { + "Classification": "Tentativa de Intrusão", + "Type": "Exploração de Vulnerabilidade", + "EnisaDescription": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", + "ENISA": "Intrusion Attempts:Exploitation of known Vulnerabilities", + "RSIT": "intrusion-attempts=ids-alert" + }, + { + "Classification": "Tentativa de Intrusão", + "Type": "Tentativa de Login", + "EnisaDescription": "Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.", + "ENISA": "Intrusion Attempts:Login attempts", + "RSIT": "intrusion-attempts=brute-force" + }, + { + "Classification": "Tentativa de Intrusão", + "Type": "Nova assinatura de ataque", + "EnisaDescription": "An attack using an unknown exploit.", + "ENISA": "Intrusion Attempts:New attack signature", + "RSIT": "intrusion-attempts=exploit" + }, + { + "Classification": "Segurança da Informação", + "Type": "Acesso não autorizado", + "EnisaDescription": "Unauthorised access to information, e.g. 
by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.", + "ENISA": "Information Content Security:Unauthorised access to information", + "RSIT": "information-content-security=unauthorised-information-access" + }, + { + "Classification": "Segurança da Informação", + "Type": "Modificação não autorizada", + "EnisaDescription": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.", + "ENISA": "Information Content Security:Unauthorised modification of information", + "RSIT": "information-content-security=unauthorised-information-modification" + }, + { + "Classification": "Segurança da Informação", + "Type": "Perda de dados", + "EnisaDescription": "Loss of data, e.g. caused by harddisk failure or physical theft.", + "ENISA": "Information Content Security:Data Loss", + "RSIT": "information-content-security=data-loss" + }, + { + "Classification": "Segurança da Informação", + "Type": "Exfiltração de Informação", + "EnisaDescription": "Leaked confidential information like credentials or personal data.", + "ENISA": "Information Content Security:Leak of confidential information", + "RSIT": "information-content-security=data-leak" + }, + { + "Classification": "Fraude", + "Type": "Utilização indevida ou não autorizada de recursos", + "EnisaDescription": "Using resources for unauthorised purposes including profit-making ventures, e.g. 
the use of e-mail to participate in illegal profit chain letters or pyramid schemes.", + "ENISA": "Fraud:Unauthorised use of resources", + "RSIT": "fraud=unauthorised-use-of-resources" + }, + { + "Classification": "Fraude", + "Type": "Direitos de autor", + "EnisaDescription": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).", + "ENISA": "Fraud:Copyright", + "RSIT": "fraud=copyright" + }, + { + "Classification": "Fraude", + "Type": "Utilização ilegítima de nome de terceiros", + "EnisaDescription": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.", + "ENISA": "Fraud:Masquerade", + "RSIT": "fraud=masquerade" + }, + { + "Classification": "Fraude", + "Type": "Phishing", + "EnisaDescription": "Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.", + "ENISA": "Fraud:Phishing", + "RSIT": "misp-galaxy:rsit=\"Fraud:Phishing\"" + }, + { + "Classification": "Conteúdo Abusivo", + "Type": "Spam", + "EnisaDescription": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.", + "ENISA": "Abusive Content:Spam", + "RSIT": "abusive-content=spam" + }, + { + "Classification": "Conteúdo Abusivo", + "Type": "Discurso Nocivo", + "EnisaDescription": "Discretization or discrimination of somebody, e.g. 
cyber stalking, racism or threats against one or more individuals.", + "ENISA": "Abusive Content:Harmful Speech", + "RSIT": "abusive-content=harmful-speech" + }, + { + "Classification": "Conteúdo Abusivo", + "Type": "Exploração sexual de menores, racismo e apologia da violência", + "EnisaDescription": "Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.", + "ENISA": "Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content", + "RSIT": "abusive-content=(child)-sexual-exploitation/sexual/violent-content" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Criptografia fraca", + "EnisaDescription": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.", + "ENISA": "Vulnerable:Weak crypto", + "RSIT": "vulnerable=weak-crypto" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Amplificador DDoS", + "EnisaDescription": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.", + "ENISA": "Vulnerable:DDoS amplifier", + "RSIT": "vulnerable=ddos-amplifier" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Serviços acessíveis potencialmente indesejados", + "EnisaDescription": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.", + "ENISA": "Vulnerable:Potentially unwanted accessible services", + "RSIT": "vulnerable=potentially-unwanted-accessible" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Revelação de informação", + "EnisaDescription": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.", + "ENISA": "Vulnerable:Information disclosure", + "RSIT": "vulnerable=information-disclosure" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Sistema vulnerável", + "EnisaDescription": "A system which is vulnerable to certain attacks. 
Example:misconfigured client proxy settings (example:WPAD), outdated operating system version, XSS vulnerabilities, etc.", + "ENISA": "Vulnerable:Vulnerable system", + "RSIT": "vulnerable=vulnerable-system" + }, + { + "Classification": "Outro", + "Type": "Sem tipo", + "EnisaDescription": "All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised.", + "ENISA": "Other:Uncategorised", + "RSIT": "other=other" + }, + { + "Classification": "Outro", + "Type": "Indeterminado", + "EnisaDescription": "The categorisation of the incident is unknown/undetermined.", + "ENISA": "Other:Undetermined", + "RSIT": "other=undetermined" + }, + { + "Classification": "Teste", + "Type": "Teste", + "EnisaDescription": "Meant for testing.", + "ENISA": "Test:Test", + "RSIT": "test=test" + } +] + + +def get_value_from_list(org_type): + if org_type == 'pt_org': + ref_val = demisto.incident()['CustomFields'].get('cncstype') + ref_entry = {'Key': 'Type', 'Value': ref_val} + elif org_type == 'non_pt_org': + ref_val = demisto.incident()['CustomFields'].get('enisacode') + ref_entry = {'Key': 'ENISA', 'Value': ref_val} + + for enisa_value in pt_enisa: + if enisa_value[ref_entry['Key']] == ref_entry['Value']: + rsit_entry = enisa_value['RSIT'] + return rsit_entry + + +''' MAIN FUNCTION ''' + + +def main(): + + try: + org_type = demisto.args().get('org_type') + rsit = get_value_from_list(org_type) + command_result = CommandResults( + outputs_prefix='MispRSIT', + outputs=rsit + ) + return_results(command_result) + except Exception as ex: + demisto.error(traceback.format_exc()) # print the traceback + return_error(f'Failed to execute BaseScript. Error: {str(ex)}') + + +''' ENTRY POINT ''' + + +if __name__ in ('__main__', '__builtin__', 'builtins'): + main() 
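Review bot: In `get_value_from_list`, `ref_entry` is assigned only in the `if`/`elif` branches, so any other `org_type` (including a missing argument) reaches the `for` loop and raises `UnboundLocalError`, which `main` then reports as the generic "Failed to execute BaseScript" message; when no table row matches, the function falls off the end and `MispRSIT` is set to `None` with no indication. Add `else: raise ValueError(f'Unsupported org_type: {org_type}')` before the loop and `raise ValueError(f'No RSIT mapping for {ref_entry}')` after it, so the calling playbook can branch on the failure instead of sending an empty tag to MISP. The `Fraud:Phishing` row's `RSIT` value (`misp-galaxy:rsit="Fraud:Phishing"`) has a different shape from every other row's `category=value` form; if that is not intentional, phishing incidents will get a differently formed tag. The `pt_enisa` table is also duplicated verbatim in `SetIncidentClassification.py` in this same commit, so the two copies can drift; a single shared definition would avoid that. The template docstring ("MAKE SURE YOU REVIEW/REPLACE ALL THE COMMENTS MARKED AS TODO") and the unused `from typing import Dict, Any` should be replaced with a one-paragraph module docstring describing the cncstype/enisacode → RSIT lookup.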
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.yml b/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.yml
new file mode 100644
index 000000000000..96e5c1c85895
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/MispSetClassification.yml
@@ -0,0 +1,30 @@
+args:
+- auto: PREDEFINED
+ name: org_type
+ predefined:
+ - non_pt_org
+ - pt_org
+ required: true
+comment: The purpose of this automation is to classify the incident according to the ENISA Taxonomy and return a RSIT code that can be ingested by MISP.
+commonfields:
+ id: misp_set_classification
+ version: -1
+contentitemexportablefields:
+ contentitemfields:
+ fromServerVersion: ''
+dockerimage: demisto/python3:3.12.8.1983910
+enabled: true
+engineinfo: {}
+name: misp_set_classification
+outputs:
+- contextPath: MispRSIT
+runas: DBotWeakRole
+runonce: false
+script: ''
+scripttarget: 0
+subtype: python3
+tags: []
+type: python
+fromversion: 6.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/README.md b/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/README.md
new file mode 100644
index 000000000000..41f2c4ff1f45
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetClassification/README.md
@@ -0,0 +1,25 @@
+The purpose of this automation is to classify the incident according to the ENISA Taxonomy and return a RSIT code that can be ingested by MISP.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| org_type | |
+
+## Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| MispRSIT | | Unknown |
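Review bot: The `outputs` entry `- contextPath: MispRSIT` carries no `description` or `type`, and the `org_type` argument has no `description`, which is why the generated README renders empty table cells for both; `MispSetmailAttributes.yml` later in this commit has the same gap for `MispEmailAttribute` and its seven arguments. Suggest adding `description: RSIT tag (category=value form) resolved from the incident's cncstype or enisacode field, for tagging the MISP event.` and `type: String` under the output, and `description: Organisation type; selects whether cncstype (pt_org) or enisacode (non_pt_org) is mapped.` under the argument.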
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.py b/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.py
new file mode 100644
index 000000000000..091acbb255b6
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.py
@@ -0,0 +1,43 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+file_indicator_dict = demisto.args()['file_indicator']
+
+
+misp_atribute = {}
+
+for key in file_indicator_dict.keys():
+ if key == 'associatedfilenames':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["filename"] = ','.join(file_indicator_dict[key])
+ if key == 'md5':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["md5"] = file_indicator_dict[key]
+ if key == 'path':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["path"] = file_indicator_dict[key]
+ if key == 'sha1':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["sha1"] = file_indicator_dict[key]
+ if key == 'sha256':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["sha256"] = file_indicator_dict[key]
+ if key == 'size-in-bytes':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["size-in-bytes"] = file_indicator_dict[key]
+ if key == 'ssdeep':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["ssdeep"] = file_indicator_dict[key]
+ if key == 'mimetype':
+ if file_indicator_dict[key] != 'n/a':
+ misp_atribute["mimetype"] = file_indicator_dict[key]
+
+
+if len(misp_atribute.keys()) > 0:
+ results = CommandResults(
+ outputs_prefix='fileindicator',
+ outputs=misp_atribute,
+ readable_output=tableToMarkdown('', misp_atribute, headers=misp_atribute.keys())
+ )
+
+
+return_results(results)
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.yml b/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.yml
new file mode 100644
index 000000000000..2c1f2b8d554d
--- /dev/null
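Review bot: `results` is bound only inside `if len(misp_atribute.keys()) > 0:`, so an indicator whose mapped fields are all absent or `'n/a'` raises `NameError` at `return_results(results)` instead of reporting an empty result. The eight identical `if key == ...` / `!= 'n/a'` blocks also make it easy to drop a field silently; one field-name mapping iterated once covers all of them and lets the empty case return an explicit message. `','.join(file_indicator_dict[key])` assumes `associatedfilenames` is a list — if the field arrives as a single string it would be split per character, which the rewrite below guards against (confirm the field's shape). Note too that `demisto.args()['file_indicator']` raises `KeyError` when the argument is omitted, and the accompanying yml does not mark it `required`.
```python
# … unchanged: imports and file_indicator_dict …

# XSOAR file-indicator field -> MISP file attribute name; 'n/a' marks an unset field.
FIELD_MAP = {
    'associatedfilenames': 'filename',
    'md5': 'md5',
    'path': 'path',
    'sha1': 'sha1',
    'sha256': 'sha256',
    'size-in-bytes': 'size-in-bytes',
    'ssdeep': 'ssdeep',
    'mimetype': 'mimetype',
}

misp_atribute = {}
for src_key, misp_key in FIELD_MAP.items():
    value = file_indicator_dict.get(src_key)
    if value is None or value == 'n/a':
        continue
    if src_key == 'associatedfilenames':
        # the original joined the value; joining a bare string splits it per character, so keep strings intact
        value = value if isinstance(value, str) else ','.join(value)
    misp_atribute[misp_key] = value

if misp_atribute:
    return_results(CommandResults(
        outputs_prefix='fileindicator',
        outputs=misp_atribute,
        readable_output=tableToMarkdown('', misp_atribute, headers=list(misp_atribute)),
    ))
else:
    return_results('No MISP file attributes could be derived from the indicator.')
```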
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/MispSetfileAtributes.yml
@@ -0,0 +1,23 @@
+args:
+- name: file_indicator
+comment: This script takes as input an indicator of Type File and returns a dict type value that can be ingested by MISP API.
+commonfields:
+ id: misp_setfile_atributes
+ version: -1
+contentitemexportablefields:
+ contentitemfields:
+ fromServerVersion: ''
+dockerimage: demisto/python3:3.12.8.1983910
+enabled: true
+engineinfo: {}
+name: misp_setfile_atributes
+runas: DBotWeakRole
+runonce: false
+script: ''
+scripttarget: 0
+subtype: python3
+tags: []
+type: python
+fromversion: 6.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/README.md b/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/README.md
new file mode 100644
index 000000000000..2e4130255a1d
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetfileAtributes/README.md
@@ -0,0 +1,22 @@
+This script takes as input an indicator of Type File and returns a dict type value that can be ingested by MISP API.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| file_indicator | |
+
+## Outputs
+
+---
+There are no outputs for this script.
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.py b/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.py
new file mode 100644
index 000000000000..c3cd45bf2ccb
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.py
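Review bot: The script definition declares no `outputs` even though `MispSetfileAtributes.py` writes its result under `outputs_prefix='fileindicator'`, and the generated README consequently states "There are no outputs for this script", which will mislead anyone wiring the playbook. Add `outputs:` / `- contextPath: fileindicator` / `  description: MISP file attributes (filename, md5, sha1, sha256, ssdeep, size-in-bytes, mimetype, path) derived from the file indicator.` after `name:`. The single argument `- name: file_indicator` should also carry `required: true` and a `description`, since the script indexes `demisto.args()['file_indicator']` unconditionally.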
@@ -0,0 +1,53 @@
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401
+"""Base Script for Cortex XSOAR (aka Demisto)
+This is an empty script with some basic structure according
+to the code conventions.
+MAKE SURE YOU REVIEW/REPLACE ALL THE COMMENTS MARKED AS "TODO"
+Developer Documentation: https://xsoar.pan.dev/docs/welcome
+Code Conventions: https://xsoar.pan.dev/docs/integrations/code-conventions
+Linting: https://xsoar.pan.dev/docs/integrations/linting
+"""
+
+from typing import Dict, Any
+import traceback
+
+
+''' STANDALONE FUNCTION '''
+
+
+''' COMMAND FUNCTION '''
+
+
+''' MAIN FUNCTION '''
+
+
+def main():
+
+ misp_fields = {'from': 'from', 'from-display-name': 'from_display_name', 'from-domain': 'from_domain',
+ 'ip-src': 'ip_src', 'subject': 'subject', 'send-date': 'send_date', 'return-path': 'return_path'}
+
+ try:
+ args = dict(demisto.args())
+ misp_value = {}
+
+ for k, v in misp_fields.items():
+ if v in args.keys():
+ misp_value[k] = args[v]
+
+ command_result = CommandResults(
+ outputs_prefix='MispEmailAttribute',
+ outputs=misp_value
+ )
+
+ return_results(command_result)
+ except Exception as ex:
+ demisto.error(traceback.format_exc()) # print the traceback
+ return_error(f'Failed to execute BaseScript. Error: {str(ex)}')
+
+
+''' ENTRY POINT '''
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+ main()
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.yml b/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.yml
new file mode 100644
index 000000000000..5388a66670c5
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/MispSetmailAttributes.yml
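Review bot: The file still carries the unedited XSOAR template — the module docstring telling the author to replace TODO comments, the empty `''' STANDALONE FUNCTION '''` / `''' COMMAND FUNCTION '''` section markers, the unused `from typing import Dict, Any`, and an error message naming `BaseScript` rather than this script. Replace the docstring with a sentence such as "Map the script's e-mail arguments onto MISP email-object attribute names and return them under MispEmailAttribute.", drop the empty section markers and the unused import, and change the message to `return_error(f'Failed to execute misp_setmail_attributes. Error: {ex}')`. In `main`, `if v in args.keys():` is the idiomatic `if v in args:`; since `misp_fields` is only read, defining it at module level as a named constant would also make the argument→attribute mapping visible next to the yml that declares those arguments. Values are copied into context verbatim, which appears to be intended, but a one-line comment saying so would stop a later reader from expecting normalisation here.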
@@ -0,0 +1,31 @@
+args:
+- name: from
+ required: true
+- name: from_display_name
+- name: from_domain
+- name: ip_src
+- name: subject
+- name: send_date
+- name: return_path
+commonfields:
+ id: misp_setmail_attributes
+ version: -1
+contentitemexportablefields:
+ contentitemfields:
+ fromServerVersion: ''
+dockerimage: demisto/python3:3.12.8.1983910
+enabled: true
+engineinfo: {}
+name: misp_setmail_attributes
+outputs:
+- contextPath: MispEmailAttribute
+runas: DBotWeakRole
+runonce: false
+script: ''
+scripttarget: 0
+subtype: python3
+tags: []
+type: python
+fromversion: 6.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/README.md b/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/README.md
new file mode 100644
index 000000000000..db2ccd5eb1d9
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/MispSetmailAttributes/README.md
@@ -0,0 +1,31 @@
+
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| from | |
+| from_display_name | |
+| from_domain | |
+| ip_src | |
+| subject | |
+| send_date | |
+| return_path | |
+
+## Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| MispEmailAttribute | | Unknown |
diff --git a/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/README.md b/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/README.md
new file mode 100644
index 000000000000..c6cd90a4abdf
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/README.md
@@ -0,0 +1,26 @@
+This automation allows the definition of CNCS values (for portuguese organizations) or ENISA (for non portuguese organizations). It is used to populate the main options for a data collection task. If a main option is already present is used in classification arg and this automation will return all the specific values for that specific main option.
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| classification | Value to filter from either CNCS or ENISA codes |
+| org_type | Type of organization \(non_pt or pt_org\) |
+
+## Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| IncidentClassification | | Unknown |
diff --git a/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.py b/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.py
new file mode 100644
index 000000000000..4c739b882883
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.py
@@ -0,0 +1,345 @@ +import demistomock as demisto # noqa: F401 +from CommonServerPython import * # noqa: F401 +"""Base Script for Cortex XSOAR (aka Demisto) +This is an empty script with some basic structure according +to the code conventions. +MAKE SURE YOU REVIEW/REPLACE ALL THE COMMENTS MARKED AS "TODO" +Developer Documentation: https://xsoar.pan.dev/docs/welcome +Code Conventions: https://xsoar.pan.dev/docs/integrations/code-conventions +Linting: https://xsoar.pan.dev/docs/integrations/linting +""" + +from typing import Dict, Any +import traceback + +pt_enisa = [ + { + "Classification": "Código Malicioso", + "Type": "Sistema Infetado", + "EnisaDescription": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server", + "ENISA": "Malicious Code:Infected System", + "RSIT": "malicious-code=infected-system" + + }, + { + "Classification": "Código Malicioso", + "Type": "Distribuição de Malware", + "EnisaDescription": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).", + "ENISA": "Malicious Code:Malware Distribution", + "RSIT": "malicious-code=malware-distribution" + }, + { + "Classification": "Código Malicioso", + "Type": "Servidor C2", + "EnisaDescription": "Command-and-control server contacted by malware on infected systems.", + "ENISA": "Malicious Code:C2 Server", + "RSIT": "malicious-code=c2-server" + }, + { + "Classification": "Código Malicioso", + "Type": "Configuração de Malware", + "EnisaDescription": "URI hosting a malware configuration file, e.g. web-injects for a banking trojan.", + "ENISA": "Malicious Code:Malware Configuration", + "RSIT": "malicious-code=malware-configuration" + }, + { + "Classification": "Disponibilidade", + "Type": "Negação de Serviço", + "EnisaDescription": "Denial of Service attack, e.g. 
sending specially crafted requests to a web application which causes the application to crash or slow down.", + "ENISA": "Availability:Denial of Service", + "RSIT": "availability=dos" + + }, + { + "Classification": "Disponibilidade", + "Type": "Negação de Serviço Distribuída", + "EnisaDescription": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.", + "ENISA": "Availability:Distributed Denial of Service", + "RSIT": "availability=ddos" + + + }, + { + "Classification": "Disponibilidade", + "Type": "Configuração incorreta", + "EnisaDescription": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.", + "ENISA": "Availability:Misconfiguration", + "RSIT": "availability=misconfiguration" + }, + { + "Classification": "Disponibilidade", + "Type": "Sabotagem", + "EnisaDescription": "Physical sabotage, e.g cutting wires or malicious arson.", + "ENISA": "Availability:Sabotage", + "RSIT": "availability=sabotage" + }, + { + "Classification": "Disponibilidade", + "Type": "Interrupção", + "EnisaDescription": "An outage caused, for example, by air conditioning failure or natural disaster.", + "ENISA": "Availability:Outage", + "RSIT": "availability=outage" + }, + { + "Classification": "Recolha de Informação", + "Type": "Scanning", + "EnisaDescription": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. 
Examples:fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", + "ENISA": "Information Gathering:Scanning", + "RSIT": "information-gathering=scanner" + }, + { + "Classification": "Recolha de Informação", + "Type": "Sniffing", + "EnisaDescription": "Observing and recording of network traffic (wiretapping).", + "ENISA": "Information Gathering:Sniffing", + "RSIT": "information-gathering=sniffing" + }, + { + "Classification": "Recolha de Informação", + "Type": "Engenharia Social", + "EnisaDescription": "Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).", + "ENISA": "Information Gathering:Social Engineering", + "RSIT": "information-gathering=social-engineering" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Conta Privilegiada", + "EnisaDescription": "Compromise of a system where the attacker gained administrative privileges.", + "ENISA": "Intrusions:Privileged Account Compromise", + "RSIT": "intrusions=privileged-account-compromise" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Conta Não Privilegiada", + "EnisaDescription": "Compromise of a system using an unprivileged (user/service) account.", + "ENISA": "Intrusions:Unprivileged Account Compromise", + "RSIT": "intrusions=unprivileged-account-compromise" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Aplicação", + "EnisaDescription": "Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.", + "ENISA": "Intrusions:Application Compromise", + "RSIT": "intrusions=application-compromise" + }, + { + "Classification": "Intrusão", + "Type": "Comprometimento de Sistema", + "EnisaDescription": "Compromise of a system, e.g. unauthorised logins or commands. 
This includes compromising attempts on honeypot systems.", + "ENISA": "Intrusions:System Compromise", + "RSIT": "intrusions=system" + }, + { + "Classification": "Intrusão", + "Type": "Arrombamento", + "EnisaDescription": "Physical intrusion, e.g. into corporate building or data-centre.", + "ENISA": "Intrusions:Burglary", + "RSIT": "intrusions=burglary" + }, + { + "Classification": "Tentativa de Intrusão", + "Type": "Exploração de Vulnerabilidade", + "EnisaDescription": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", + "ENISA": "Intrusion Attempts:Exploitation of known Vulnerabilities", + "RSIT": "intrusion-attempts=ids-alert" + }, + { + "Classification": "Tentativa de Intrusão", + "Type": "Tentativa de Login", + "EnisaDescription": "Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.", + "ENISA": "Intrusion Attempts:Login attempts", + "RSIT": "intrusion-attempts=brute-force" + }, + { + "Classification": "Tentativa de Intrusão", + "Type": "Nova assinatura de ataque", + "EnisaDescription": "An attack using an unknown exploit.", + "ENISA": "Intrusion Attempts:New attack signature", + "RSIT": "intrusion-attempts=exploit" + }, + { + "Classification": "Segurança da Informação", + "Type": "Acesso não autorizado", + "EnisaDescription": "Unauthorised access to information, e.g. 
by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.", + "ENISA": "Information Content Security:Unauthorised access to information", + "RSIT": "information-content-security=unauthorised-information-access" + }, + { + "Classification": "Segurança da Informação", + "Type": "Modificação não autorizada", + "EnisaDescription": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.", + "ENISA": "Information Content Security:Unauthorised modification of information", + "RSIT": "information-content-security=unauthorised-information-modification" + }, + { + "Classification": "Segurança da Informação", + "Type": "Perda de dados", + "EnisaDescription": "Loss of data, e.g. caused by harddisk failure or physical theft.", + "ENISA": "Information Content Security:Data Loss", + "RSIT": "information-content-security=data-loss" + }, + { + "Classification": "Segurança da Informação", + "Type": "Exfiltração de Informação", + "EnisaDescription": "Leaked confidential information like credentials or personal data.", + "ENISA": "Information Content Security:Leak of confidential information", + "RSIT": "information-content-security=data-leak" + }, + { + "Classification": "Fraude", + "Type": "Utilização indevida ou não autorizada de recursos", + "EnisaDescription": "Using resources for unauthorised purposes including profit-making ventures, e.g. 
the use of e-mail to participate in illegal profit chain letters or pyramid schemes.", + "ENISA": "Fraud:Unauthorised use of resources", + "RSIT": "fraud=unauthorised-use-of-resources" + }, + { + "Classification": "Fraude", + "Type": "Direitos de autor", + "EnisaDescription": "Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).", + "ENISA": "Fraud:Copyright", + "RSIT": "fraud=copyright" + }, + { + "Classification": "Fraude", + "Type": "Utilização ilegítima de nome de terceiros", + "EnisaDescription": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.", + "ENISA": "Fraud:Masquerade", + "RSIT": "fraud=masquerade" + }, + { + "Classification": "Fraude", + "Type": "Phishing", + "EnisaDescription": "Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.", + "ENISA": "Fraud:Phishing", + "RSIT": "misp-galaxy:rsit=\"Fraud:Phishing\"" + }, + { + "Classification": "Conteúdo Abusivo", + "Type": "Spam", + "EnisaDescription": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.", + "ENISA": "Abusive Content:Spam", + "RSIT": "abusive-content=spam" + }, + { + "Classification": "Conteúdo Abusivo", + "Type": "Discurso Nocivo", + "EnisaDescription": "Discretization or discrimination of somebody, e.g. 
cyber stalking, racism or threats against one or more individuals.", + "ENISA": "Abusive Content:Harmful Speech", + "RSIT": "abusive-content=harmful-speech" + }, + { + "Classification": "Conteúdo Abusivo", + "Type": "Exploração sexual de menores, racismo e apologia da violência", + "EnisaDescription": "Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.", + "ENISA": "Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content", + "RSIT": "abusive-content=(child)-sexual-exploitation/sexual/violent-content" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Criptografia fraca", + "EnisaDescription": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.", + "ENISA": "Vulnerable:Weak crypto", + "RSIT": "vulnerable=weak-crypto" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Amplificador DDoS", + "EnisaDescription": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.", + "ENISA": "Vulnerable:DDoS amplifier", + "RSIT": "vulnerable=ddos-amplifier" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Serviços acessíveis potencialmente indesejados", + "EnisaDescription": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.", + "ENISA": "Vulnerable:Potentially unwanted accessible services", + "RSIT": "vulnerable=potentially-unwanted-accessible" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Revelação de informação", + "EnisaDescription": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.", + "ENISA": "Vulnerable:Information disclosure", + "RSIT": "vulnerable=information-disclosure" + }, + { + "Classification": "Vulnerabilidade", + "Type": "Sistema vulnerável", + "EnisaDescription": "A system which is vulnerable to certain attacks. 
Example:misconfigured client proxy settings (example:WPAD), outdated operating system version, XSS vulnerabilities, etc.", + "ENISA": "Vulnerable:Vulnerable system", + "RSIT": "vulnerable=vulnerable-system" + }, + { + "Classification": "Outro", + "Type": "Sem tipo", + "EnisaDescription": "All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised.", + "ENISA": "Other:Uncategorised", + "RSIT": "other=other" + }, + { + "Classification": "Outro", + "Type": "Indeterminado", + "EnisaDescription": "The categorisation of the incident is unknown/undetermined.", + "ENISA": "Other:Undetermined", + "RSIT": "other=undetermined" + }, + { + "Classification": "Teste", + "Type": "Teste", + "EnisaDescription": "Meant for testing.", + "ENISA": "Test:Test", + "RSIT": "test=test" + } +] + + +def get_value_from_list(org_type, classification): + if org_type == 'pt_org': + if classification: + result = [enisa_value['Type'] for enisa_value in pt_enisa if enisa_value['Classification'] == classification] + + else: + result = [enisa_value['Classification'] for enisa_value in pt_enisa] + result = list(set(result)) + + elif org_type == 'non_pt_org': + if classification: + result = [enisa_value['ENISA'].split(":")[1] for enisa_value in pt_enisa if classification in enisa_value['ENISA']] + else: + result = [enisa_value['ENISA'].split(":")[0] for enisa_value in pt_enisa] + result = list(set(result)) + + return result + + +''' MAIN FUNCTION ''' + + +def main(): + + try: + org_type = demisto.args().get('org_type') + + # Check which action should be the fetch: First Part of Classification vs Second Part Based On Input + + classification = demisto.args().get('classification', None) + result = get_value_from_list(org_type=org_type, classification=classification) + + markdown = tableToMarkdown('Incident Classification', result, headers=['Classification']) + + command_result = CommandResults( + outputs_prefix='IncidentClassification', + 
readable_output=markdown,
+ outputs=result
+ )
+ return_results(command_result)
+ except Exception as ex:
+ demisto.error(traceback.format_exc()) # print the traceback
+ return_error(f'Failed to execute BaseScript. Error: {str(ex)}')
+
+
+''' ENTRY POINT '''
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'):
+ main()
diff --git a/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.yml b/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.yml
new file mode 100644
index 000000000000..500f9e9d54b9
--- /dev/null
+++ b/Packs/MISP-IndicatorSharing/Scripts/SetIncidentClassification/SetIncidentClassification.yml
@@ -0,0 +1,33 @@
+args:
+- description: Value to filter from either CNCS or ENISA codes.
+ name: classification
+- auto: PREDEFINED
+ description: Type of organization (non_pt or pt_org).
+ name: org_type
+ predefined:
+ - non_pt_org
+ - pt_org
+ required: true
+comment: This automation allows the definition of CNCS values (for portuguese organizations) or ENISA (for non portuguese organizations). It is used to populate the main options for a data collection task. If a main option is already present is used in classification arg and this automation will return all the specific values for that specific main option.
+commonfields:
+ id: set_incident_classification
+ version: -1
+contentitemexportablefields:
+ contentitemfields:
+ fromServerVersion: ''
+dockerimage: demisto/python3:3.12.8.1983910
+enabled: true
+engineinfo: {}
+name: set_incident_classification
+outputs:
+- contextPath: IncidentClassification
+runas: DBotWeakRole
+runonce: false
+script: ''
+scripttarget: 0
+subtype: python3
+tags: []
+type: python
+fromversion: 6.0.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/MISP-IndicatorSharing/pack_metadata.json b/Packs/MISP-IndicatorSharing/pack_metadata.json
new file mode 100644
index 000000000000..3ea968ae8a5f
--- /dev/null
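Review bot: In `get_value_from_list`, the `non_pt_org` branch filters with `classification in enisa_value['ENISA']`, a substring test over the whole `Category:Type` string, while the `pt_org` branch compares `Classification` with `==`; a value such as `Intrusion` matches both `Intrusions:*` and `Intrusion Attempts:*`, and `System` matches on the type part of several entries, so the condition should be `if enisa_value['ENISA'].split(":")[0] == classification`. `result` is never assigned when `org_type` is neither `pt_org` nor `non_pt_org` (possible when the script is called from a playbook or the CLI with a value outside the yml's predefined list), so `return result` raises `UnboundLocalError` and surfaces only as the generic `Failed to execute BaseScript` message; an explicit `else: raise ValueError(f'Unsupported org_type: {org_type}')` before the return would name the real cause. `list(set(result))` produces a different order on every run because of string hash randomization, so the main options offered in the data-collection task shuffle between executions; `sorted(set(result))`, or `list(dict.fromkeys(result))` to keep table order, fixes that. The `Phishing` entry's `RSIT` value `misp-galaxy:rsit="Fraud:Phishing"` does not follow the `category=type` form used by every other entry, so whatever maps RSIT to MISP tags will treat it differently — presumably it should follow the sibling pattern as `fraud=phishing`, to be confirmed against the consuming playbook. The unedited template docstring (`MAKE SURE YOU REVIEW/REPLACE ALL THE COMMENTS MARKED AS "TODO"`, placed after the imports so it is not even a module docstring), the `BaseScript` name in the error message and the unused `from typing import Dict, Any` should be cleaned up as well.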
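Review bot: The `comment` field in SetIncidentClassification.yml contains a broken sentence, `If a main option is already present is used in classification arg and this automation will return all the specific values for that specific main option`, which the README in the earlier hunk repeats verbatim; I would rewrite it as `If a main option has already been chosen, pass it in the classification argument and this automation returns the specific values belonging to that main option.` The `classification` argument description should also say what kind of value is expected, since the script compares it against the `Classification` field for `pt_org` and against the ENISA category for `non_pt_org`, i.e. one of the main options returned by a previous run without `classification`.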
+++ b/Packs/MISP-IndicatorSharing/pack_metadata.json 
@@ -0,0 +1,21 @@
+{
+ "name": "MISP - Indicator Sharing",
+ "description": "MISP Indicator Sharing - Boosting Portuguese Cybersecurity - Together, we can build a Safer Digital Future\n \nIn our ongoing efforts to enhance cybersecurity across Portugal, we are excited to share our comprehensive playbook designed to enable the sharing cybersecurity indicators via MISP. This playbook is a valuable resource for organizations of all sizes, providing standardized practices and actionable insights to improve incident response and overall cybersecurity posture.\n- This content pack incluides:\n\t\n\t- Introduction to Cybersecurity Indicator Sharing\n\tUnderstanding the importance of cybersecurity indicators and how they can help in identifying, managing, and mitigating cyber threats.\n\tThe concept of Predefinied Tags enables the default propagation of several tags that are consumed by MISP like Country, Company Sector, CSIRT-Aliance, this can be definied on the task.\n\t\n\t- Portuguese National Taxonomy: A playbook to classifiy the incident according to CNCS taxonomy\n\t\n\t- ENISA Taxonomy: A playbook to classify the incident according to the ENISA taxonomy\n\n\tThe previous playbooks ensure the incident classification to a format that enables a direct mapping to MISP tags via RSIT aligning with international standards to ensure consistency and interoperability.\n\nEven though the main focus is the indicator sharing for Portuguese Companies the use of ENISA standards allows the use of this playbook for non portuguese companies.\nThis playbook builds from the \"Phishing\" content pack since it uses some of its incident fields allowing for an easier use in cases of phishing email information sharing. 
\nWe encourage all organizations to review and integrate these guidelines to strengthen our collective cybersecurity efforts.",
+ "support": "community",
+ "currentVersion": "1.0.0",
+ "author": "GALP-CSIRT",
+ "url": "",
+ "email": "",
+ "created": "2025-03-03T15:20:19Z",
+ "categories": [],
+ "tags": [],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "xsoar",
+ "marketplacev2"
+ ],
+ "githubUser": [
+ "Galp-Csirt-Team"
+ ]
+}
\ No newline at end of file
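Review bot: The `description` string in pack_metadata.json is shown to marketplace users as-is and contains several spelling errors — `incluides`, `Predefinied`, `definied`, `classifiy`, and probably `CSIRT-Aliance` — that should be corrected before publication. `categories`, `tags`, `useCases` and `keywords` are all empty arrays and `url`/`email` are empty strings, which leaves the pack hard to find in the marketplace and gives users of a `community` pack no support contact; at least one category and a support URL are presumably expected by the contribution guidelines. The file also ends without a trailing newline.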