From b9866102fdda204ce585b1b16c0072531fa3c058 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 30 Jun 2020 18:03:06 +0000 Subject: [PATCH 01/38] Save --- Packs/Code42/Integrations/Code42/Code42.yml | 13 ++++++++++++- Packs/Code42/Integrations/Code42/Code42_test.py | 1 + 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index c8536bdbe8d1..84cf20ecff97 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -586,7 +586,7 @@ script: description: The username of the user to reactivate. isArray: false name: username - required: false + required: true secret: false deprecated: false description: Reactivates the user with the given username. @@ -596,6 +596,17 @@ script: - contextPath: Code42.User.UserID description: The ID of a Code42 User. type: String + - arguments: + - default: false + description: Either the SHA256 or MD5 hash of the file. + isArray: false + name: hash + required: true + secret: false + deprecated: false + description: Downloads a file from Code42 servers. + execution: false + name: code42-download-file dockerimage: demisto/py42:1.0.0.9323 feed: false isfetch: true diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py index a3698087000d..ffe087482299 100644 --- a/Packs/Code42/Integrations/Code42/Code42_test.py +++ b/Packs/Code42/Integrations/Code42/Code42_test.py @@ -5,6 +5,7 @@ from py42.response import Py42Response from Code42 import ( Code42Client, + Code42UserIDNotFoundError, build_query_payload, map_observation_to_security_query, map_to_code42_event_context, From 78023a7349435b4af0db95377643acf907b46700 Mon Sep 17 00:00:00 2001 
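Review bot: The new `code42-download-file` command declares no `outputs:` block, while the sibling reactivate entry just above documents `Code42.User.UserID`; the later commits in this series implement the command with `fileResult`, which populates the standard `File` context, so at least `File.Name`, `File.MD5` and `File.SHA256` should be listed here for playbooks to reference. The description should also tell the analyst what they are getting — this appears to fetch the content of a file observed in Code42 security events — so something like `Downloads the file with the given MD5 or SHA256 hash from Code42. The content is the end user's own file and must be treated as untrusted.` is more useful than `Downloads a file from Code42 servers.`. The `hash` argument description could state the accepted form (32 or 64 hex characters), since the accompanying Python change only recognises those two lengths.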
From: Juliya Smith Date: Tue, 30 Jun 2020 18:21:21 +0000 Subject: [PATCH 02/38] Save --- Packs/Code42/Integrations/Code42/Code42.py | 32 +++++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 88daae23c71a..7ce029f12bf9 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -306,6 +306,16 @@ def search_file_events(self, payload): res = self._get_sdk().securitydata.search_file_events(payload) return res["fileEvents"] + def download_file_by_hash(self, hash_arg): + security_module = self._get_sdk().securitydata + if _hash_is_md5(hash_arg): + return security_module.stream_file_by_md5(hash_arg) + elif _hash_is_sha256(hash_arg): + return security_module.stream_file_by_sha256(hash_arg) + else: + raise Exception("Unsupported hash. Must be SHA256 or MD5.") + + def _get_user_id(self, username): user_id = self.get_user(username).get("userUid") if user_id: @@ -405,12 +415,18 @@ def build_query_payload(args): return query +def _hash_is_sha256(hash_arg): + return hash_arg and len(hash_arg) == 64 + + +def _hash_is_md5(hash_arg): + return hash_arg and len(hash_arg) == 32 + + def _create_hash_filter(hash_arg): - if not hash_arg: - return None - elif len(hash_arg) == 32: + if _hash_is_md5(hash_arg): return MD5.eq(hash_arg) - elif len(hash_arg) == 64: + elif _hash_is_sha256(hash_arg): return SHA256.eq(hash_arg) @@ -936,6 +952,13 @@ def user_reactivate_command(client, args): return_error(create_command_error_message(demisto.command(), e)) +def download_file_command(client, args): + hash = args.get("hash") + + + + + """Fetching""" @@ -1096,6 +1119,7 @@ def get_command_map(): "code42-user-unblock": user_unblock_command, "code42-user-deactivate": user_deactivate_command, "code42_user-reactivate": user_reactivate_command, + "code42-download-file": download_file_command, } 
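Review bot: `raise Exception("Unsupported hash. Must be SHA256 or MD5.")` in the new `download_file_by_hash` raises the base class, so a caller cannot distinguish an invalid argument from an SDK or network failure without string matching; `raise ValueError("Unsupported hash. Must be SHA256 or MD5.")` (or a project error class, as `Code42UserIDNotFoundError` is used elsewhere in this module) is preferable. The check also admits any 32- or 64-character string, because `_hash_is_md5` and `_hash_is_sha256` look only at length, so a malformed value is sent straight to `stream_file_by_md5`/`stream_file_by_sha256`. A one-line docstring noting that the method returns the SDK's streaming response rather than file bytes would help too, since the name suggests the latter and the command stub below does not yet consume it.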
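Review bot: `_hash_is_sha256` and `_hash_is_md5` return the argument itself (`None` or `""`) rather than a boolean when it is falsy, and classify purely by length, so `"x" * 32` is treated as an MD5 and forwarded to the Code42 query and stream APIs as if it were one. Tighten them to `return bool(hash_arg) and len(hash_arg) == 64 and all(c in "0123456789abcdefABCDEF" for c in hash_arg)` (and the 32-length equivalent for MD5) so an invalid value falls through to the error path instead of becoming an API request. `_create_hash_filter` now relies on falling off the end of the `if`/`elif` to yield `None`; an explicit `return None` after the `elif` keeps that intent visible to the next reader.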
From 4ca73ecbb90a303ffcb4ccd5968e4e419f1dd508 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Tue, 30 Jun 2020 19:55:50 +0000 Subject: [PATCH 03/38] Test dwnld file --- Packs/Code42/Integrations/Code42/Code42.py | 9 ++-- .../Code42/Integrations/Code42/Code42_test.py | 21 +++++++++- .../Code42/integration-Code42.yml | 42 +++++++++++++++++-- 3 files changed, 62 insertions(+), 10 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index a6e8ff8095d5..445fc82d36d9 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -306,7 +306,7 @@ def search_file_events(self, payload): res = self._get_sdk().securitydata.search_file_events(payload) return res["fileEvents"] - def download_file_by_hash(self, hash_arg): + def download_file(self, hash_arg): security_module = self._get_sdk().securitydata if _hash_is_md5(hash_arg): return security_module.stream_file_by_md5(hash_arg) @@ -938,10 +938,9 @@ def user_reactivate_command(client, args): def download_file_command(client, args): - hash = args.get("hash") - - - + file_hash = args.get("hash") + file_bytes = client.download_file(file_hash) + return fileResult(file_hash, data=file_bytes) """Fetching""" diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py index ffe087482299..04f1f9a3e1d0 100644 --- a/Packs/Code42/Integrations/Code42/Code42_test.py +++ b/Packs/Code42/Integrations/Code42/Code42_test.py @@ -5,7 +5,6 @@ from py42.response import Py42Response from Code42 import ( Code42Client, - Code42UserIDNotFoundError, build_query_payload, map_observation_to_security_query, map_to_code42_event_context, @@ -27,6 +26,7 @@ user_unblock_command, user_deactivate_command, user_reactivate_command, + download_file_command, fetch_incidents, ) import time 
@@ -1636,6 +1636,25 @@ def test_security_data_search_command(code42_file_events_mock): assert output_item == mapped_event +def test_download_file_command_when_given_md5(code42_sdk_mock, mocker): + fr = mocker.patch("Code42.fileResult") + client = create_client(code42_sdk_mock) + _ = download_file_command(client, {"hash": "b6312dbe4aa4212da94523ccb28c5c16"}) + code42_sdk_mock.securitydata.stream_file_by_md5.assert_called_once_with( + "b6312dbe4aa4212da94523ccb28c5c16" + ) + assert fr.call_count == 1 + + +def test_download_file_command_when_given_sha256(code42_sdk_mock, mocker): + fr = mocker.patch("Code42.fileResult") + _hash = "41966f10cc59ab466444add08974fde4cd37f88d79321d42da8e4c79b51c2149" + client = create_client(code42_sdk_mock) + _ = download_file_command(client, {"hash": _hash}) + code42_sdk_mock.securitydata.stream_file_by_sha256.assert_called_once_with(_hash) + assert fr.call_count == 1 + + def test_fetch_when_no_significant_file_categories_ignores_filter( code42_fetch_incidents_mock, mocker ): diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index 8354226e02df..268927164141 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml @@ -580,6 +580,17 @@ script: - contextPath: Code42.User.UserID description: The ID of a Code42 User. type: String + - arguments: + - default: false + description: Either the SHA256 or MD5 hash of the file. + isArray: false + name: hash + required: true + secret: false + deprecated: false + description: Downloads a file from Code42 servers. + execution: false + name: code42-download-file dockerimage: demisto/py42:1.0.0.9323 feed: false isfetch: true 
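Review bot: Neither new test checks what reaches `fileResult` — `fr.call_count == 1` passes even if the `data` argument is the raw response object or empty — and there is no case for the rejection path of an unsupported hash. Set the mock's return value, e.g. `code42_sdk_mock.securitydata.stream_file_by_md5.return_value = b"abc"`, and assert `fr.assert_called_once_with("b6312dbe4aa4212da94523ccb28c5c16", data=b"abc")`; add a third test passing `{"hash": "not-a-hash"}` (and ideally a 40-character SHA1-length value) and assert that the command raises. Without these the tests would not catch the intermediate state seen later in this series where `data` is `None`.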
@@ -914,6 +925,16 @@ script: res = self._get_sdk().securitydata.search_file_events(payload) return res["fileEvents"] + def download_file(self, hash_arg): + security_module = self._get_sdk().securitydata + if _hash_is_md5(hash_arg): + return security_module.stream_file_by_md5(hash_arg) + elif _hash_is_sha256(hash_arg): + return security_module.stream_file_by_sha256(hash_arg) + else: + raise Exception("Unsupported hash. Must be SHA256 or MD5.") + + def _get_user_id(self, username): user_id = self.get_user(username).get("userUid") if user_id: @@ -1014,12 +1035,18 @@ script: return query + def _hash_is_sha256(hash_arg): + return hash_arg and len(hash_arg) == 64 + + + def _hash_is_md5(hash_arg): + return hash_arg and len(hash_arg) == 32 + + def _create_hash_filter(hash_arg): - if not hash_arg: - return None - elif len(hash_arg) == 32: + if _hash_is_md5(hash_arg): return MD5.eq(hash_arg) - elif len(hash_arg) == 64: + elif _hash_is_sha256(hash_arg): return SHA256.eq(hash_arg) @@ -1546,6 +1573,12 @@ script: ) + def download_file_command(client, args): + file_hash = args.get("hash") + file_bytes = client.download_file(file_hash) + return fileResult(file_hash, data=file_bytes) + + """Fetching""" @@ -1708,6 +1741,7 @@ script: "code42-user-unblock": user_unblock_command, "code42-user-deactivate": user_deactivate_command, "code42_user-reactivate": user_reactivate_command, + "code42-download-file": download_file_command, } From 77deb16e7ee29c9331885f76af10ec9f7e07d23b Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 12:28:23 +0000 Subject: [PATCH 04/38] save --- Packs/Code42/Integrations/Code42/Code42.py | 4 +++- Packs/Code42/Integrations/Code42/Code42.yml | 2 +- Packs/Code42/Integrations/Code42/integration-Code42.yml | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 947ec04f77ac..5a20785da19c 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py 
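Review bot: The `download_file` method and the hash helpers added here are a second, hand-maintained copy of the code introduced in `Code42.py`, and the two copies must be kept byte-identical by hand — easy to get wrong for a function that decides which API a user-supplied hash is sent to (the later lint and chunking commits in this series already have to patch both files in lockstep). If `integration-Code42.yml` is a unified artifact generated from `Code42.py` and `Code42.yml`, as the embedded script suggests, it should be regenerated from those sources rather than edited directly; otherwise a comment at the top of the embedded script such as `# Copied from Code42.py - keep in sync, do not edit here` would at least flag the duplication.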
+++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -953,7 +953,9 @@ def user_reactivate_command(client, args): def download_file_command(client, args): file_hash = args.get("hash") - file_bytes = client.download_file(file_hash) + response = client.download_file(file_hash) + file_bytes = None + return fileResult(file_hash, data=file_bytes) diff --git a/Packs/Code42/Integrations/Code42/Code42.yml b/Packs/Code42/Integrations/Code42/Code42.yml index 6c062f25284a..296b07d61dd9 100644 --- a/Packs/Code42/Integrations/Code42/Code42.yml +++ b/Packs/Code42/Integrations/Code42/Code42.yml @@ -607,7 +607,7 @@ script: description: Downloads a file from Code42 servers. execution: false name: code42-download-file - dockerimage: demisto/py42:1.0.0.9323 + dockerimage: demisto/py42:1.0.0.9653 feed: false isfetch: true longRunning: false diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index a1fed1e4148a..06baba1e1f61 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml @@ -591,7 +591,7 @@ script: description: Downloads a file from Code42 servers. execution: false name: code42-download-file - dockerimage: demisto/py42:1.0.0.9323 + dockerimage: demisto/py42:1.0.0.9653 feed: false isfetch: true longRunning: false From 6a7240e1752e17f1c27b16e4725da4abebd6f272 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 12:46:49 +0000 Subject: [PATCH 05/38] Chunks --- Packs/Code42/Integrations/Code42/Code42.py | 7 +++++-- Packs/Code42/Integrations/Code42/integration-Code42.yml | 9 +++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 5a20785da19c..cbb24ad8bd9d 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py 
@@ -953,10 +953,13 @@ def user_reactivate_command(client, args): def download_file_command(client, args): file_hash = args.get("hash") + file_chunks = [] response = client.download_file(file_hash) - file_bytes = None + for chunk in response.iter_content(chunk_size=128): + if chunk: + file_chunks.append(chunk) - return fileResult(file_hash, data=file_bytes) + return fileResult(file_hash, data=b"".join(file_chunks)) """Fetching""" diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index 06baba1e1f61..cc81db94ccb7 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml @@ -1589,8 +1589,13 @@ script: def download_file_command(client, args): file_hash = args.get("hash") - file_bytes = client.download_file(file_hash) - return fileResult(file_hash, data=file_bytes) + file_chunks = [] + response = client.download_file(file_hash) + for chunk in response.iter_content(chunk_size=128): + if chunk: + file_chunks.append(chunk) + + return fileResult(file_hash, data=b"".join(file_chunks)) """Fetching""" From 19e321a163e6af2f090a319b183fcfe28e81e5a6 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 12:51:28 +0000 Subject: [PATCH 06/38] Lint --- Packs/Code42/Integrations/Code42/Code42.py | 2 -- Packs/Code42/Integrations/Code42/integration-Code42.yml | 1 - 2 files changed, 3 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index cbb24ad8bd9d..3d232f691802 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -315,7 +315,6 @@ def download_file(self, hash_arg): else: raise Exception("Unsupported hash. Must be SHA256 or MD5.") - def _get_user_id(self, username): user_id = self.get_user(username).get("userUid") if user_id: 
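Review bot: `download_file_command` never verifies that the bytes it returns actually have the hash the analyst asked for — the file is looked up by hash, handed to `fileResult` under that hash as its name, and downstream playbooks will treat it as that file, so a server-side mismatch or a truncated stream goes unnoticed. Recompute the digest with `hashlib` (MD5 for a 32-character argument, SHA256 for 64) while consuming the stream and refuse to return non-matching data; close the response when done, since `iter_content` suggests a streaming HTTP response that holds the connection open, and raise `chunk_size` from 128 to something like 64 KiB so large files are not read in thousands of tiny iterations. The whole file is still buffered in memory before `fileResult`, which is inherent to that API, but the content is a user's own (possibly exfiltrated, possibly malicious) file and a comment on the return line should say it must be treated as untrusted. `hashlib` is stdlib; add it to the module imports if not already present.
```python
def download_file_command(client, args):
    file_hash = args.get("hash")
    response = client.download_file(file_hash)  # raises on unsupported hash
    hasher = hashlib.md5() if len(file_hash) == 32 else hashlib.sha256()
    file_chunks = []
    try:
        for chunk in response.iter_content(chunk_size=64 * 1024):
            if chunk:
                hasher.update(chunk)
                file_chunks.append(chunk)
    finally:
        response.close()
    # Refuse to hand back content that is not the file the caller asked for.
    if hasher.hexdigest() != file_hash.lower():
        raise Exception("Downloaded content does not match the requested hash.")
    # Content is the end user's own file: treat as untrusted data, never execute.
    return fileResult(file_hash, data=b"".join(file_chunks))
```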
@@ -958,7 +957,6 @@ def download_file_command(client, args): for chunk in response.iter_content(chunk_size=128): if chunk: file_chunks.append(chunk) - return fileResult(file_hash, data=b"".join(file_chunks)) diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index cc81db94ccb7..b478fa2320b4 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml @@ -1594,7 +1594,6 @@ script: for chunk in response.iter_content(chunk_size=128): if chunk: file_chunks.append(chunk) - return fileResult(file_hash, data=b"".join(file_chunks)) From fc12be76150ed6c020bfd6507014c1ec20c4af55 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 12:52:14 +0000 Subject: [PATCH 07/38] lint --- Packs/Code42/Integrations/Code42/Code42.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Code42/Integrations/Code42/Code42.py b/Packs/Code42/Integrations/Code42/Code42.py index 3d232f691802..a057ff1df246 100644 --- a/Packs/Code42/Integrations/Code42/Code42.py +++ b/Packs/Code42/Integrations/Code42/Code42.py @@ -1021,7 +1021,7 @@ def _fetch_remaining_incidents_from_last_run(self): if remaining_incidents: return ( self._last_run, - remaining_incidents[: self._fetch_limit], + remaining_incidents[:self._fetch_limit], remaining_incidents[self._fetch_limit:], ) From 1dec53be367ea46b5344c4dbd896605c31e6c9dd Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 12:52:19 +0000 Subject: [PATCH 08/38] lint --- Packs/Code42/Integrations/Code42/integration-Code42.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml index b478fa2320b4..3ffd160eeb35 100644 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ b/Packs/Code42/Integrations/Code42/integration-Code42.yml 
@@ -934,7 +934,6 @@ script: else: raise Exception("Unsupported hash. Must be SHA256 or MD5.") - def _get_user_id(self, username): user_id = self.get_user(username).get("userUid") if user_id: @@ -1659,7 +1658,7 @@ script: if remaining_incidents: return ( self._last_run, - remaining_incidents[: self._fetch_limit], + remaining_incidents[:self._fetch_limit], remaining_incidents[self._fetch_limit:], ) From aaad70472ca851932da3ca0b59101248a0256178 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 13:31:54 +0000 Subject: [PATCH 09/38] Download file pb --- .../playbook-Code42_File_Download.yml | 380 ++++++++++++++++++ 1 file changed, 380 insertions(+) create mode 100644 Packs/Code42/Playbooks/playbook-Code42_File_Download.yml diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml new file mode 100644 index 000000000000..82e3cf0b91d5 --- /dev/null +++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml 
@@ -0,0 +1,380 @@ +description: This playbook searches for files via Code42 security events by either + MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use. +id: f10f23fd-7db9-4544-8929-e2f76abafa46 +inputs: +- description: MD5 hash to search for + key: MD5 + playbookInputQuery: null + required: false + value: + complex: + accessor: MD5 + root: File + transformers: + - operator: uniq +- description: SHA256 hash to search for + key: SHA256 + playbookInputQuery: null + required: false + value: + complex: + accessor: SHA256 + root: File + transformers: + - operator: uniq +name: Code42 File Download +outputs: +- contextPath: Code42.SecurityData + description: Returned File Results + type: unknown +- contextPath: Code42.SecurityData.EventTimestamp + description: Timestamp for event +- contextPath: Code42.SecurityData.FileCreated + description: File creation date +- contextPath: Code42.SecurityData.EndpointID + description: Code42 device ID +- contextPath: Code42.SecurityData.DeviceUsername + description: Username that device is associated with in Code42 +- contextPath: Code42.SecurityData.EmailFrom + description: Sender email address for email exfiltration events +- contextPath: Code42.SecurityData.EmailTo + description: Recipient emial address for email exfiltration events +- contextPath: Code42.SecurityData.EmailSubject + description: Email subject line for email exfiltration events +- contextPath: Code42.SecurityData.EventID + description: Security Data event ID +- contextPath: Code42.SecurityData.EventType + description: Type of Security Data event +- contextPath: Code42.SecurityData.FileCategory + description: Type of file as determined by Code42 engine +- contextPath: Code42.SecurityData.FileOwner + description: Owner of file +- contextPath: Code42.SecurityData.FileName + description: File name +- contextPath: Code42.SecurityData.FilePath + description: Path to file +- contextPath: Code42.SecurityData.FileSize + description: Size of 
file in bytes +- contextPath: Code42.SecurityData.FileModified + description: File modification date +- contextPath: Code42.SecurityData.FileMD5 + description: MD5 hash of file +- contextPath: Code42.SecurityData.FileHostname + description: Hostname where file event was captured +- contextPath: Code42.SecurityData.DevicePrivateIPAddress + description: Private IP addresses of device where event was captured +- contextPath: Code42.SecurityData.DevicePublicIPAddress + description: Public IP address of device where event was captured +- contextPath: Code42.SecurityData.RemovableMediaType + description: Type of removate media +- contextPath: Code42.SecurityData.RemovableMediaCapacity + description: Total capacity of removable media in bytes +- contextPath: Code42.SecurityData.RemovableMediaMediaName + description: Full name of removable media +- contextPath: Code42.SecurityData.RemovableMediaName + description: Name of removable media +- contextPath: Code42.SecurityData.RemovableMediaSerialNumber + description: Serial number for removable medial device +- contextPath: Code42.SecurityData.RemovableMediaVendor + description: Vendor name for removable device +- contextPath: Code42.SecurityData.FileSHA256 + description: SHA256 hash of file +- contextPath: Code42.SecurityData.FileShared + description: Whether file is shared using cloud file service +- contextPath: Code42.SecurityData.FileSharedWith + description: Accounts that file is shared with on cloud file service +- contextPath: Code42.SecurityData.Source + description: Source of file event, Cloud or Endpoint +- contextPath: Code42.SecurityData.ApplicationTabURL + description: URL associated with application read event +- contextPath: Code42.SecurityData.ProcessName + description: Process name for application read event +- contextPath: Code42.SecurityData.ProcessOwner + description: Process owner for application read event +- contextPath: Code42.SecurityData.WindowTitle + description: Process name for application read 
event +- contextPath: Code42.SecurityData.FileURL + description: URL of file on cloud file service +- contextPath: Code42.SecurityData.Exposure + description: Exposure type for event +- contextPath: Code42.SecurityData.SharingTypeAdded + description: Type of sharing added to file +- contextPath: File + description: The file object. + type: unknown +- contextPath: File.Name + description: File name +- contextPath: File.Path + description: File path +- contextPath: File.Size + description: File size in bytes +- contextPath: File.MD5 + description: MD5 hash of file +- contextPath: File.SHA256 + description: FSHA256 hash of file +- contextPath: File.Hostname + description: Hostname where file event was captured +sourceplaybookid: Code42 File Search +starttaskid: "0" +tasks: + "0": + id: "0" + ignoreworker: false + nexttasks: + '#none#': + - "1" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: d045a003-2e7f-4f47-80c7-3882baf399b6 + iscommand: false + name: "" + version: -1 + taskid: d045a003-2e7f-4f47-80c7-3882baf399b6 + timertriggers: [] + type: start + view: |- + { + "position": { + "x": 280, + "y": -140 + } + } + "1": + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: brand + operator: isEqualString + right: + value: + simple: Code42 + - - left: + iscontext: true + value: + simple: state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: "yes" + id: "1" + ignoreworker: false + nexttasks: + '#default#': + - "7" + "yes": + - "2" + - "3" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 746c1a4e-7084-45f1-86e6-e9764ffbbf5c + iscommand: false + name: Is Code42 Integration Active? 
+ type: condition + version: -1 + taskid: 746c1a4e-7084-45f1-86e6-e9764ffbbf5c + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 280, + "y": 160 + } + } + "2": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.SHA256 + operator: isNotEmpty + label: "yes" + id: "2" + ignoreworker: false + nexttasks: + '#default#': + - "7" + "yes": + - "5" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 935cb1d6-e328-4a8e-888f-347c3b33ce11 + iscommand: false + name: Does SHA256 Exist? + type: condition + version: -1 + taskid: 935cb1d6-e328-4a8e-888f-347c3b33ce11 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 20, + "y": 370 + } + } + "3": + conditions: + - condition: + - - left: + iscontext: true + value: + simple: inputs.MD5 + operator: isNotEmpty + label: "yes" + id: "3" + ignoreworker: false + nexttasks: + '#default#': + - "7" + "yes": + - "6" + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 1d0dfb1f-6874-41e9-8593-fca2a96c58c4 + iscommand: false + name: Does MD5 Exist? + type: condition + version: -1 + taskid: 1d0dfb1f-6874-41e9-8593-fca2a96c58c4 + timertriggers: [] + type: condition + view: |- + { + "position": { + "x": 532.5, + "y": 370 + } + } + "5": + id: "5" + ignoreworker: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + hash: + simple: ${inputs.SHA256} + separatecontext: false + skipunavailable: false + task: + brand: Code42 + description: Downloads a file from Code42 servers. 
+ id: 4e1746f8-d275-4799-8af2-6ef87500a69b + iscommand: true + name: Code42 Download by SHA256 + script: Code42|||code42-download-file + type: regular + version: -1 + taskid: 4e1746f8-d275-4799-8af2-6ef87500a69b + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 20, + "y": 630 + } + } + "6": + id: "6" + ignoreworker: false + nexttasks: + '#none#': + - "7" + note: false + quietmode: 0 + scriptarguments: + exposure: {} + hash: + simple: ${inputs.MD5} + hostname: {} + json: {} + results: {} + username: {} + separatecontext: false + skipunavailable: false + task: + brand: "" + id: cea50fb7-6903-4650-8172-5d6a324da237 + iscommand: true + name: Code42 Download by MD5 + script: '|||code42-securitydata-search' + type: regular + version: -1 + taskid: cea50fb7-6903-4650-8172-5d6a324da237 + timertriggers: [] + type: regular + view: |- + { + "position": { + "x": 532.5, + "y": 630 + } + } + "7": + id: "7" + ignoreworker: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: "" + id: 7f03d6ab-3bb8-4bd5-867b-fe853fa38684 + iscommand: false + name: Complete + type: title + version: -1 + taskid: 7f03d6ab-3bb8-4bd5-867b-fe853fa38684 + timertriggers: [] + type: title + view: |- + { + "position": { + "x": 280, + "y": 1040 + } + } +version: -1 +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1245, + "width": 892.5, + "x": 20, + "y": -140 + } + } + } From 50874550cff2c5394ff4f682885c2be1778bdd23 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 13:35:18 +0000 Subject: [PATCH 10/38] Remove params from a test that arent used --- Packs/Code42/Integrations/Code42/Code42_test.py | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/Packs/Code42/Integrations/Code42/Code42_test.py b/Packs/Code42/Integrations/Code42/Code42_test.py index 04f1f9a3e1d0..29a8107236f5 100644 --- a/Packs/Code42/Integrations/Code42/Code42_test.py 
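Review bot: Task `"6"` (`Code42 Download by MD5`) does not download anything — its `script` is `'|||code42-securitydata-search'` with `brand: ""` and it carries the search command's `exposure`/`hostname`/`json`/`results`/`username` arguments, so the MD5 branch silently runs a search while the SHA256 branch (task `"5"`) runs `Code42|||code42-download-file`. Change task 6 to `brand: Code42` and `script: Code42|||code42-download-file` and drop the five stray scriptarguments, leaving only `hash`. The `description`, the `Code42.SecurityData.*` outputs and `sourceplaybookid: Code42 File Search` look copied from the search playbook — the download command produces a file, not security-event context — so the outputs should be reduced to the `File` entries and the description should say the playbook downloads the file by MD5 or SHA256 hash. Minor typos inherited with the copy: `emial`, `removate`, `medial`, `FSHA256`.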
+++ b/Packs/Code42/Integrations/Code42/Code42_test.py @@ -1380,16 +1380,7 @@ def test_departingemployee_get_all_command_when_no_employees( no_employees_response ) client = create_client(code42_departing_employee_mock) - cmd_res = departingemployee_get_all_command( - client, - { - "risktags": [ - "PERFORMANCE_CONCERNS", - "SUSPICIOUS_SYSTEM_ACTIVITY", - "POOR_SECURITY_PRACTICES", - ] - }, - ) + cmd_res = departingemployee_get_all_command(client,{}) assert cmd_res.outputs_prefix == "Code42.DepartingEmployee" assert cmd_res.outputs_key_field == "UserID" assert cmd_res.raw_response == {} From ca149e40da5ef4837ea9cf7275f70c6735b98447 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 13:40:06 +0000 Subject: [PATCH 11/38] Update exil pb --- .../playbook-Code42_Exfiltration_Playbook.yml | 423 ++++++++++-------- 1 file changed, 230 insertions(+), 193 deletions(-) diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml index bfdc6561a1a0..10509940a930 100644 --- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml +++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml 
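Review bot: `departingemployee_get_all_command(client,{})` is missing the space after the comma used everywhere else in this test file and will be flagged by flake8 (E231), which the later lint commits in this series otherwise keep clean; write `cmd_res = departingemployee_get_all_command(client, {})`. Dropping the `risktags` argument also means this test no longer touches the filter path at all, which is fine for the no-employees case but worth confirming a separate risk-tag test still exists.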
@@ -1,38 +1,39 @@ id: Code42 Exfiltration Playbook -version: -1 +version: 12 name: Code42 Exfiltration Playbook description: The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events by revoking access rights to cloud files or containing endpoints. -starttaskid: '0' +starttaskid: "0" tasks: - '0': - id: '0' + "0": + id: "0" taskid: ab4c0d6a-996e-415c-8f44-8a76d279ca15 type: start task: id: ab4c0d6a-996e-415c-8f44-8a76d279ca15 version: -1 - name: '' + name: "" iscommand: false - brand: '' - description: '' + brand: "" nexttasks: '#none#': - - '1' + - "1" separatecontext: false view: |- { "position": { "x": 520, - "y": -90 + "y": 50 } } note: false timertriggers: [] ignoreworker: false - '1': - id: '1' + skipunavailable: false + quietmode: 0 + "1": + id: "1" taskid: e588a1bf-ad9e-4755-8e55-efba11ad1aff type: title task: @@ -41,18 +42,17 @@ tasks: name: Start Remediation Timer type: title iscommand: false - brand: '' - description: '' + brand: "" nexttasks: '#none#': - - '24' - - '25' + - "25" + - "34" separatecontext: false view: |- { "position": { "x": 520, - "y": 75 + "y": 195 } } note: false @@ -60,36 +60,39 @@ tasks: - fieldname: remediationsla action: start ignoreworker: false - '5': - id: '5' + skipunavailable: false + quietmode: 0 + "5": + id: "5" taskid: e0da957a-46bb-44b9-8ea6-408e043cae88 type: condition task: id: e0da957a-46bb-44b9-8ea6-408e043cae88 version: -1 name: Review Evidence for Malicious Behavior - description: '' type: condition iscommand: false - brand: '' + brand: "" nexttasks: '#default#': - - '7' + - "7" Malicious: - - '6' + - "6" separatecontext: false view: |- { "position": { "x": 520, - "y": 465 + "y": 515 } } note: false timertriggers: [] ignoreworker: false - '6': - id: '6' + skipunavailable: false + quietmode: 0 + "6": + id: "6" taskid: b6a7b214-a52b-48cc-8c0b-bc966c11ff90 type: title task: 
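Review bot: `version: -1` becomes `version: 12` at the top of the playbook, which looks like a server-exported revision counter rather than an intentional change — the new `playbook-Code42_File_Download.yml` added earlier in this series keeps `version: -1`, and a hard-coded content version can collide with the server's own numbering on import. Restore `version: -1` unless the pack tooling requires otherwise. The quoting changes (`'0'` to `"0"`) and the dropped empty `description: ''` keys are cosmetic and fine.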
@@ -98,26 +101,27 @@ tasks: name: Malicious Behavior Determined type: title iscommand: false - brand: '' - description: '' + brand: "" nexttasks: '#none#': - - '19' - - '22' - - '23' + - "19" + - "22" + - "23" separatecontext: false view: |- { "position": { - "x": 1000, - "y": 670 + "x": 960, + "y": 690 } } note: false timertriggers: [] ignoreworker: false - '7': - id: '7' + skipunavailable: false + quietmode: 0 + "7": + id: "7" taskid: 2c7eb57c-ee9b-4059-8b73-34bdb9963ca0 type: title task: @@ -126,38 +130,38 @@ tasks: name: Benign Behavior Determined type: title iscommand: false - brand: '' - description: '' + brand: "" nexttasks: '#none#': - - '9' + - "9" separatecontext: false view: |- { "position": { "x": 50, - "y": 1900 + "y": 1725 } } note: false timertriggers: [] ignoreworker: false - '8': - id: '8' + skipunavailable: false + quietmode: 0 + "8": + id: "8" taskid: b8a80acb-a2f7-4899-88e7-16382828b9b4 type: regular task: id: b8a80acb-a2f7-4899-88e7-16382828b9b4 version: -1 name: Resolve Code42 Alert - description: '' script: '|||code42-alert-resolve' type: regular iscommand: true - brand: '' + brand: "" nexttasks: '#none#': - - '26' + - "26" scriptarguments: id: simple: ${incident.labels.id} @@ -165,15 +169,17 @@ tasks: view: |- { "position": { - "x": 480, - "y": 2455 + "x": 407.5, + "y": 2030 } } note: false timertriggers: [] ignoreworker: false - '9': - id: '9' + skipunavailable: false + quietmode: 0 + "9": + id: "9" taskid: 1905e906-499f-4c14-8ec1-9c02eb6ef22a type: title task: @@ -182,17 +188,16 @@ tasks: name: Stop Remediation Timer type: title iscommand: false - brand: '' - description: '' + brand: "" nexttasks: '#none#': - - '8' + - "8" separatecontext: false view: |- { "position": { - "x": 480, - "y": 2260 + "x": 407.5, + "y": 1885 } } note: false 
@@ -200,8 +205,10 @@ tasks: - fieldname: remediationsla action: stop ignoreworker: false - '10': - id: '10' + skipunavailable: false + quietmode: 0 + "10": + id: "10" taskid: 2b0168b7-3d35-470d-8902-5517dc8e9164 type: title task: @@ -210,35 +217,35 @@ tasks: name: Done type: title iscommand: false - brand: '' - description: '' + brand: "" separatecontext: false view: |- { "position": { - "x": 480, - "y": 2905 + "x": 407.5, + "y": 2380 } } note: false timertriggers: [] ignoreworker: false - '11': - id: '11' + skipunavailable: false + quietmode: 0 + "11": + id: "11" taskid: 99490d9a-6acf-41de-8d77-1266f5d63d7f type: regular task: id: 99490d9a-6acf-41de-8d77-1266f5d63d7f version: -1 name: Locate CrowdStrike Host - description: '' script: CrowdstrikeFalcon|||cs-falcon-search-device type: regular iscommand: true brand: CrowdstrikeFalcon nexttasks: '#none#': - - '31' + - "31" scriptarguments: filter: {} hostname: @@ -257,32 +264,33 @@ tasks: { "position": { "x": 990, - "y": 1195 + "y": 1010 } } note: false timertriggers: [] ignoreworker: false - '19': - id: '19' + skipunavailable: false + quietmode: 0 + "19": + id: "19" taskid: 9bfcad2c-62a7-4c59-8140-1e5ba45199bd type: condition task: id: 9bfcad2c-62a7-4c59-8140-1e5ba45199bd version: -1 name: Is Jira Enabled? - description: '' type: condition iscommand: false - brand: '' + brand: "" nexttasks: '#default#': - - '30' - 'yes': - - '21' + - "30" + "yes": + - "21" separatecontext: false conditions: - - label: 'yes' + - label: "yes" condition: - - operator: isExists left: 
@@ -312,28 +320,29 @@ tasks:
 {
 "position": {
 "x": 295,
- "y": 1535
+ "y": 1360
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '21':
- id: '21'
+ skipunavailable: false
+ quietmode: 0
+ "21":
+ id: "21"
 taskid: 47b1400e-6d83-483c-875f-7cac4b335481
 type: regular
 task:
 id: 47b1400e-6d83-483c-875f-7cac4b335481
 version: -1
 name: Create Jira Incident Ticket
- description: ''
 script: jira-v2|||jira-create-issue
 type: regular
 iscommand: true
 brand: jira-v2
 nexttasks:
 '#none#':
- - '30'
+ - "30"
 scriptarguments:
 assignee: {}
 description: {}
@@ -356,33 +365,34 @@ tasks:
 view: |-
 {
 "position": {
- "x": 295,
- "y": 1780
+ "x": 397.5,
+ "y": 1535
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '22':
- id: '22'
+ skipunavailable: false
+ quietmode: 0
+ "22":
+ id: "22"
 taskid: 86aaec3f-7f38-4d4d-800b-406ca59605bd
 type: condition
 task:
 id: 86aaec3f-7f38-4d4d-800b-406ca59605bd
 version: -1
 name: Can host be contained?
- description: ''
 type: condition
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#default#':
- - '30'
- 'yes':
- - '11'
+ - "30"
+ "yes":
+ - "11"
 separatecontext: false
 conditions:
- - label: 'yes'
+ - label: "yes"
 condition:
 - - operator: isExists
 left:
@@ -415,33 +425,34 @@ tasks:
 view: |-
 {
 "position": {
- "x": 990,
- "y": 810
+ "x": 960,
+ "y": 835
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '23':
- id: '23'
+ skipunavailable: false
+ quietmode: 0
+ "23":
+ id: "23"
 taskid: ce5fa797-bd44-48ba-8ebe-62cbe6f986e5
 type: condition
 task:
 id: ce5fa797-bd44-48ba-8ebe-62cbe6f986e5
 version: -1
 name: Does Manager Email Exist?
- description: ''
 type: condition
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#default#':
- - '30'
- 'yes':
- - '33'
+ - "30"
+ "yes":
+ - "33"
 separatecontext: false
 conditions:
- - label: 'yes'
+ - label: "yes"
 condition:
 - - operator: isExists
 left:
@@ -451,55 +462,30 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1570,
- "y": 1195
- }
- }
- note: false
- timertriggers: []
- ignoreworker: false
- '24':
- id: '24'
- taskid: 50db689b-2583-4a22-844c-868914c79e80
- type: regular
- task:
- id: 50db689b-2583-4a22-844c-868914c79e80
- version: -1
- name: Retrieve File Contents
- description: ''
- type: regular
- iscommand: false
- brand: ''
- nexttasks:
- '#none#':
- - '5'
- separatecontext: false
- view: |-
- {
- "position": {
- "x": 310,
- "y": 260
+ "x": 1420,
+ "y": 1185
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '25':
- id: '25'
+ skipunavailable: false
+ quietmode: 0
+ "25":
+ id: "25"
 taskid: 9bccb9d7-118b-4a63-8e1d-288a4fe993a2
 type: playbook
 task:
 id: 9bccb9d7-118b-4a63-8e1d-288a4fe993a2
 version: -1
 name: Active Directory - Get User Manager Details
- description: ''
 playbookName: Active Directory - Get User Manager Details
 type: playbook
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#none#':
- - '5'
+ - "5"
 scriptarguments:
 UserEmail:
 simple: ${incident.employeeemail}
@@ -507,34 +493,36 @@ tasks:
 separatecontext: true
 loop:
 iscommand: false
- exitCondition: ''
+ exitCondition: ""
 wait: 1
+ max: 0
 view: |-
 {
 "position": {
- "x": 735,
- "y": 260
+ "x": 305,
+ "y": 340
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '26':
- id: '26'
+ skipunavailable: false
+ quietmode: 0
+ "26":
+ id: "26"
 taskid: 335b248d-7a04-4514-8890-57e3913dcdfa
 type: regular
 task:
 id: 335b248d-7a04-4514-8890-57e3913dcdfa
 version: -1
 name: Close Incident
- description: ''
 script: Builtin|||closeInvestigation
 type: regular
 iscommand: true
 brand: Builtin
 nexttasks:
 '#none#':
- - '10'
+ - "10"
 scriptarguments:
 assetid: {}
 closeNotes: {}
@@ -547,57 +535,59 @@ tasks:
 view: |-
 {
 "position": {
- "x": 480,
- "y": 2680
+ "x": 407.5,
+ "y": 2205
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '27':
- id: '27'
+ skipunavailable: false
+ quietmode: 0
+ "27":
+ id: "27"
 taskid: 10331857-eb12-46fa-8f1d-6f6239d4ac61
 type: condition
 task:
 id: 10331857-eb12-46fa-8f1d-6f6239d4ac61
 version: -1
 name: Confirm Network Contain
- description: ''
 type: condition
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#default#':
- - '30'
- 'Yes':
- - '32'
+ - "30"
+ "Yes":
+ - "32"
 separatecontext: false
 view: |-
 {
 "position": {
- "x": 1115,
- "y": 1580
+ "x": 857.5,
+ "y": 1360
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '29':
- id: '29'
+ skipunavailable: false
+ quietmode: 0
+ "29":
+ id: "29"
 taskid: 7387a45c-92d3-44ca-8f63-f66ec2b6ebaa
 type: regular
 task:
 id: 7387a45c-92d3-44ca-8f63-f66ec2b6ebaa
 version: -1
 name: Send email to manager
- description: ''
 script: '|||send-mail'
 type: regular
 iscommand: true
- brand: ''
+ brand: ""
 nexttasks:
 '#none#':
- - '30'
+ - "30"
 scriptarguments:
 additionalHeader: {}
 attachCIDs: {}
@@ -635,59 +625,61 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1570,
- "y": 1805
+ "x": 1645,
+ "y": 1535
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '30':
- id: '30'
+ skipunavailable: false
+ quietmode: 0
+ "30":
+ id: "30"
 taskid: ea60127b-366c-4a94-85db-339b32ca66c5
 type: regular
 task:
 id: ea60127b-366c-4a94-85db-339b32ca66c5
 version: -1
 name: Confirm Remediation Is Complete
- description: ''
 type: regular
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#none#':
- - '9'
+ - "9"
 separatecontext: false
 view: |-
 {
 "position": {
- "x": 710,
- "y": 2080
+ "x": 970,
+ "y": 1710
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '31':
- id: '31'
+ skipunavailable: false
+ quietmode: 0
+ "31":
+ id: "31"
 taskid: a7815436-cc18-4236-8833-318204036b2a
 type: condition
 task:
 id: a7815436-cc18-4236-8833-318204036b2a
 version: -1
 name: Determine if network contain should be bypassed based on host count
- description: ''
 type: condition
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#default#':
- - '27'
- 'yes':
- - '30'
+ - "27"
+ "yes":
+ - "30"
 separatecontext: false
 conditions:
- - label: 'yes'
+ - label: "yes"
 condition:
 - - operator: greaterThan
 left:
@@ -711,28 +703,29 @@ tasks:
 {
 "position": {
 "x": 990,
- "y": 1360
+ "y": 1185
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '32':
- id: '32'
+ skipunavailable: false
+ quietmode: 0
+ "32":
+ id: "32"
 taskid: 9e908ce6-7623-4a06-865b-3725d5bab3e1
 type: regular
 task:
 id: 9e908ce6-7623-4a06-865b-3725d5bab3e1
 version: -1
 name: CrowdStrike Network Contain
- description: ''
 script: '|||cs-falcon-contain-host'
 type: regular
 iscommand: true
- brand: ''
+ brand: ""
 nexttasks:
 '#none#':
- - '30'
+ - "30"
 scriptarguments:
 ids:
 simple: ${CrowdStrike.Device.ID}
@@ -741,33 +734,34 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1115,
- "y": 1805
+ "x": 970,
+ "y": 1535
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
- '33':
- id: '33'
+ skipunavailable: false
+ quietmode: 0
+ "33":
+ id: "33"
 taskid: df73e338-6ae3-4d35-8d01-76e97fc62866
 type: condition
 task:
 id: df73e338-6ae3-4d35-8d01-76e97fc62866
 version: -1
 name: Is email integration enabled?
- description: ''
 type: condition
 iscommand: false
- brand: ''
+ brand: ""
 nexttasks:
 '#default#':
- - '30'
- 'yes':
- - '29'
+ - "30"
+ "yes":
+ - "29"
 separatecontext: false
 conditions:
- - label: 'yes'
+ - label: "yes"
 condition:
 - - operator: isExists
 left:
@@ -841,22 +835,63 @@ tasks:
 view: |-
 {
 "position": {
- "x": 1570,
+ "x": 1532.5,
 "y": 1360
 }
 }
 note: false
 timertriggers: []
 ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ "34":
+ id: "34"
+ taskid: eec18ff1-2c09-4be0-87b2-34cc85619d39
+ type: playbook
+ task:
+ id: eec18ff1-2c09-4be0-87b2-34cc85619d39
+ version: -1
+ name: Code42 File Download
+ playbookName: Code42 File Download
+ type: playbook
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "5"
+ scriptarguments:
+ MD5:
+ simple: ${File.MD5}
+ SHA256:
+ simple: ${File.SHA256}
+ separatecontext: true
+ loop:
+ iscommand: false
+ exitCondition: ""
+ wait: 1
+ max: 100
+ view: |-
+ {
+ "position": {
+ "x": 735,
+ "y": 340
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+system: true
 view: |-
 {
 "linkLabelsPosition": {},
 "paper": {
 "dimensions": {
- "height": 3060,
- "width": 1900,
+ "height": 2395,
+ "width": 1975,
 "x": 50,
- "y": -90
+ "y": 50
 }
 }
 }
@@ -866,27 +901,29 @@ inputs:
 simple: Security
 required: false
 description: Jira Project for created incident ticket
+ playbookInputQuery: null
 - key: JiraType
 value:
 simple: Investigation
 required: false
 description: Type of Jira ticket to create
+ playbookInputQuery: null
 - key: JiraSummary
 value:
 simple: Code42 Security Alert for Demisto Incident ${incident.id}
 required: false
 description: Summary to use with Jira ticket creation
+ playbookInputQuery: null
 - key: ContainHostsMax
 value:
- simple: '2'
+ simple: "2"
 required: false
 description: Maximum number of network hosts to contain.
+ playbookInputQuery: null
 - key: DemistoInstanceURL
 value:
 simple: https://example.com/
 required: false
 description: URL of Demisto instance for emails.
+ playbookInputQuery: null
 outputs: []
-fromversion: 5.0.0
-tests:
-- No Test
From ce545580206f12b0d151496ad258248b5e93a3d2 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 13:46:32 +0000
Subject: [PATCH 12/38] Playbooks
---
 ...-Code42_Exfiltration_Playbook_CHANGELOG.md | 1 +
 .../playbook-Code42_File_Download.yml | 2 +-
 .../playbook-Code42_File_Download_README.md | 79 +++++++++++++++++++
 .../Playbooks/playbook-Code42_File_Search.yml | 2 +-
 .../playbook-Code42_File_Search_README.md | 2 +-
 5 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md
index a6efe385e6d7..82508df7afe5 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook_CHANGELOG.md
@@ -1,4 +1,5 @@
 ## [Unreleased]
+Automated the manual step of retrieving file contents using the Code42 File Download playbook.
 ## [20.3.3] - 2020-03-18
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index 82e3cf0b91d5..1be1e4d044e3 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -111,7 +111,7 @@ outputs:
 - contextPath: File.MD5
 description: MD5 hash of file
 - contextPath: File.SHA256
- description: FSHA256 hash of file
+ description: SHA256 hash of file
 - contextPath: File.Hostname
 description: Hostname where file event was captured
 sourceplaybookid: Code42 File Search
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md b/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md
new file mode 100644
index 000000000000..2e6b6513046b
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download_README.md
@@ -0,0 +1,79 @@
+This playbook searches for files via Code42 security events by either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* Code42
+
+### Scripts
+This playbook does not use any scripts.
+
+### Commands
+* code42-securitydata-search
+* code42-download-file
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| MD5 | MD5 hash to search for | File.MD5 | Optional |
+| SHA256 | SHA256 hash to search for | File.SHA256 | Optional |
+
+## Playbook Outputs
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| Code42.SecurityData | Returned File Results | unknown |
+| Code42.SecurityData.EventTimestamp | Timestamp for event | unknown |
+| Code42.SecurityData.FileCreated | File creation date | unknown |
+| Code42.SecurityData.EndpointID | Code42 device ID | unknown |
+| Code42.SecurityData.DeviceUsername | Username that device is associated with in Code42 | unknown |
+| Code42.SecurityData.EmailFrom | Sender email address for email exfiltration events | unknown |
+| Code42.SecurityData.EmailTo | Recipient emial address for email exfiltration events | unknown |
+| Code42.SecurityData.EmailSubject | Email subject line for email exfiltration events | unknown |
+| Code42.SecurityData.EventID | Security Data event ID | unknown |
+| Code42.SecurityData.EventType | Type of Security Data event | unknown |
+| Code42.SecurityData.FileCategory | Type of file as determined by Code42 engine | unknown |
+| Code42.SecurityData.FileOwner | Owner of file | unknown |
+| Code42.SecurityData.FileName | File name | unknown |
+| Code42.SecurityData.FilePath | Path to file | unknown |
+| Code42.SecurityData.FileSize | Size of file in bytes | unknown |
+| Code42.SecurityData.FileModified | File modification date | unknown |
+| Code42.SecurityData.FileMD5 | MD5 hash of file | unknown |
+| Code42.SecurityData.FileHostname | Hostname where file event was captured | unknown |
+| Code42.SecurityData.DevicePrivateIPAddress | Private IP addresses of device where event was captured | unknown |
+| Code42.SecurityData.DevicePublicIPAddress | Public IP address of device where event was captured | unknown |
+| Code42.SecurityData.RemovableMediaType | Type of removate media | unknown |
+| Code42.SecurityData.RemovableMediaCapacity | Total capacity of removable media in bytes | unknown |
+| Code42.SecurityData.RemovableMediaMediaName | Full name of removable media | unknown |
+| Code42.SecurityData.RemovableMediaName | Name of removable media | unknown |
+| Code42.SecurityData.RemovableMediaSerialNumber | Serial number for removable medial device | unknown |
+| Code42.SecurityData.RemovableMediaVendor | Vendor name for removable device | unknown |
+| Code42.SecurityData.FileSHA256 | SHA256 hash of file | unknown |
+| Code42.SecurityData.FileShared | Whether file is shared using cloud file service | unknown |
+| Code42.SecurityData.FileSharedWith | Accounts that file is shared with on cloud file service | unknown |
+| Code42.SecurityData.Source | Source of file event, Cloud or Endpoint | unknown |
+| Code42.SecurityData.ApplicationTabURL | URL associated with application read event | unknown |
+| Code42.SecurityData.ProcessName | Process name for application read event | unknown |
+| Code42.SecurityData.ProcessOwner | Process owner for application read event | unknown |
+| Code42.SecurityData.WindowTitle | Process name for application read event | unknown |
+| Code42.SecurityData.FileURL | URL of file on cloud file service | unknown |
+| Code42.SecurityData.Exposure | Exposure type for event | unknown |
+| Code42.SecurityData.SharingTypeAdded | Type of sharing added to file | unknown |
+| File | The file object. | unknown |
+| File.Name | File name | unknown |
+| File.Path | File path | unknown |
+| File.Size | File size in bytes | unknown |
+| File.MD5 | MD5 hash of file | unknown |
+| File.SHA256 | SHA256 hash of file | unknown |
+| File.Hostname | Hostname where file event was captured | unknown |
+
+## Playbook Image
+---
+![Code42 Exfiltration Playbook](../Integrations/Code42/Code42_image.png)
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml
index 50f5c72dfe40..e6a8b3bb6aa8 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Search.yml
@@ -369,7 +369,7 @@ outputs:
 - contextPath: File.MD5
 description: MD5 hash of file
 - contextPath: File.SHA256
- description: FSHA256 hash of file
+ description: SHA256 hash of file
 - contextPath: File.Hostname
 description: Hostname where file event was captured
 sourceplaybookid: Code42 File Search
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md b/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
index 4c7201673fe5..ea136d3de4cd 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Search_README.md
@@ -70,7 +70,7 @@ This playbook does not use any scripts.
 | File.Path | File path | unknown |
 | File.Size | File size in bytes | unknown |
 | File.MD5 | MD5 hash of file | unknown |
-| File.SHA256 | FSHA256 hash of file | unknown |
+| File.SHA256 | SHA256 hash of file | unknown |
 | File.Hostname | Hostname where file event was captured | unknown |
 ## Playbook Image
From c4dc843b9ae552c1c322d7368994662dbe060b21 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 13:47:27 +0000
Subject: [PATCH 13/38] Add missing cl
---
 .../Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md b/Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md
new file mode 100644
index 000000000000..044101fc496a
--- /dev/null
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download_CHANGELOG.md
@@ -0,0 +1,2 @@
+## [Unreleased]
+New playbook for downloading files by MD5 or SHA256 hash.
From 09b4cba0af9ce37aaf27220e1b8e6477a3f7d636 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 14:15:19 +0000
Subject: [PATCH 14/38] Use correct checksum from incident
---
 .../playbook-Code42_Exfiltration_Playbook.yml | 29 +++++++++---
 .../playbook-Code42_File_Download.yml | 45 +++++++++----------
 2 files changed, 45 insertions(+), 29 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
index 10509940a930..e3c5a1da823c 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
@@ -1,5 +1,5 @@
 id: Code42 Exfiltration Playbook
-version: 12
+version: 14
 name: Code42 Exfiltration Playbook
 description: The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events
@@ -846,12 +846,15 @@ tasks:
 quietmode: 0
 "34":
 id: "34"
- taskid: eec18ff1-2c09-4be0-87b2-34cc85619d39
+ taskid: e079cdf0-deb2-41a6-8b02-9e670600835b
 type: playbook
 task:
- id: eec18ff1-2c09-4be0-87b2-34cc85619d39
+ id: e079cdf0-deb2-41a6-8b02-9e670600835b
 version: -1
 name: Code42 File Download
+ description: This playbook searches for files via Code42 security events by
+ either MD5 or SHA256 hash. The data is output to the Code42.SecurityData context
+ for use.
 playbookName: Code42 File Download
 type: playbook
 iscommand: false
@@ -861,9 +864,25 @@ tasks:
 - "5"
 scriptarguments:
 MD5:
- simple: ${File.MD5}
+ complex:
+ root: incident
+ accessor: code42eventid
+ transformers:
+ - operator: getField
+ args:
+ field:
+ value:
+ simple: md5checksum
 SHA256:
- simple: ${File.SHA256}
+ complex:
+ root: incident
+ accessor: code42fileevents
+ transformers:
+ - operator: getField
+ args:
+ field:
+ value:
+ simple: sha256checksum
 separatecontext: true
 loop:
 iscommand: false
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index 1be1e4d044e3..ab1436607cf1 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -4,7 +4,7 @@ id: f10f23fd-7db9-4544-8929-e2f76abafa46
 inputs:
 - description: MD5 hash to search for
 key: MD5
- playbookInputQuery: null
+ playbookInputQuery:
 required: false
 value:
 complex:
@@ -14,7 +14,7 @@ inputs:
 - operator: uniq
 - description: SHA256 hash to search for
 key: SHA256
- playbookInputQuery: null
+ playbookInputQuery:
 required: false
 value:
 complex:
@@ -111,7 +111,7 @@ outputs:
 - contextPath: File.MD5
 description: MD5 hash of file
 - contextPath: File.SHA256
- description: SHA256 hash of file
+ description: FSHA256 hash of file
 - contextPath: File.Hostname
 description: Hostname where file event was captured
 sourceplaybookid: Code42 File Search
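Review bot: The two new complex inputs read from different incident fields: the MD5 input uses `accessor: code42eventid` while the SHA256 input uses `accessor: code42fileevents`, yet both then apply `getField` for a checksum. Unless the event-ID field also carries an `md5checksum` member, the MD5 input resolves to nothing and the File Download sub-playbook runs without an MD5 even when the incident has one. If the SHA256 branch is the intended shape, the MD5 entry should also read `accessor: code42fileevents`. The scriptarguments block is fully inside the hunk; the enclosing task "34" definition starts in the previous hunk.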
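Review bot: The File Download `outputs:` hunk changes `description: SHA256 hash of file` back to `description: FSHA256 hash of file`, reintroducing the typo that the previous commit in this series removed from the same line; this reads as an accidental revert rather than part of the checksum fix. The line should stay `description: SHA256 hash of file`.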
@@ -139,8 +139,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 280,
- "y": -140
+ "x": 377.5,
+ "y": 50
 }
 }
 "1":
@@ -173,10 +173,7 @@ tasks:
 id: "1"
 ignoreworker: false
 nexttasks:
- '#default#':
- - "7"
 "yes":
- - "2"
 - "3"
 note: false
 quietmode: 0
@@ -195,8 +192,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 280,
- "y": 160
+ "x": 377.5,
+ "y": 195
 }
 }
 "2":
@@ -232,8 +229,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 20,
- "y": 370
+ "x": 592.5,
+ "y": 545
 }
 }
 "3":
@@ -249,7 +246,7 @@ tasks:
 ignoreworker: false
 nexttasks:
 '#default#':
- - "7"
+ - "2"
 "yes":
 - "6"
 note: false
@@ -269,7 +266,7 @@ tasks:
 view: |-
 {
 "position": {
- "x": 532.5,
+ "x": 377.5,
 "y": 370
 }
 }
@@ -301,8 +298,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 20,
- "y": 630
+ "x": 480,
+ "y": 720
 }
 }
 "6":
@@ -337,8 +334,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 532.5,
- "y": 630
+ "x": 50,
+ "y": 720
 }
 }
 "7":
@@ -361,8 +358,8 @@ tasks:
 view: |-
 {
 "position": {
- "x": 280,
- "y": 1040
+ "x": 480,
+ "y": 895
 }
 }
 version: -1
@@ -371,10 +368,10 @@ view: |-
 "linkLabelsPosition": {},
 "paper": {
 "dimensions": {
- "height": 1245,
- "width": 892.5,
- "x": 20,
- "y": -140
+ "height": 910,
+ "width": 922.5,
+ "x": 50,
+ "y": 50
 }
 }
 }
From 6a0479fda957b76211816fd593a34280948a702e Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 14:48:40 +0000
Subject: [PATCH 15/38] Add evidence and ignore errors for file download
---
 .../playbook-Code42_File_Download.yml | 28 +++++++++++--------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index ab1436607cf1..cbdd7dd92f6d 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
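Review bot: Task "1" (apparently the integration-active condition) loses its `'#default#'` branch when `- "7"` is removed, so when the condition is not met the flow has no edge to the terminal task "7" and simply stops there, while every other condition in this file keeps a default path. If ending silently when no Code42 instance is enabled is intended, keeping `'#default#':` followed by `- "7"` still makes that outcome visible in the work plan; otherwise the missing branch hides a configuration problem. The task "1" definition starts before this hunk.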
@@ -271,6 +271,11 @@ tasks:
 }
 }
 "5":
+ continueonerror: true
+ evidencedata:
+ customfields: {}
+ description:
+ simple: The file that caused the alert.
 id: "5"
 ignoreworker: false
 nexttasks:
@@ -286,13 +291,13 @@ tasks:
 task:
 brand: Code42
 description: Downloads a file from Code42 servers.
- id: 4e1746f8-d275-4799-8af2-6ef87500a69b
+ id: c83baa5d-207c-44de-868c-8b131dc0357b
 iscommand: true
 name: Code42 Download by SHA256
 script: Code42|||code42-download-file
 type: regular
 version: -1
- taskid: 4e1746f8-d275-4799-8af2-6ef87500a69b
+ taskid: c83baa5d-207c-44de-868c-8b131dc0357b
 timertriggers: []
 type: regular
 view: |-
@@ -303,6 +308,11 @@ tasks:
 }
 }
 "6":
+ continueonerror: true
+ evidencedata:
+ customfields: {}
+ description:
+ simple: The file that caused the alert.
 id: "6"
 ignoreworker: false
 nexttasks:
@@ -311,24 +321,20 @@ tasks:
 note: false
 quietmode: 0
 scriptarguments:
- exposure: {}
 hash:
 simple: ${inputs.MD5}
- hostname: {}
- json: {}
- results: {}
- username: {}
 separatecontext: false
 skipunavailable: false
 task:
- brand: ""
- id: cea50fb7-6903-4650-8172-5d6a324da237
+ brand: Code42
+ description: Downloads a file from Code42 servers.
+ id: 687edce2-d09d-4ad1-845e-a3ed7b7b7d4a
 iscommand: true
 name: Code42 Download by MD5
- script: '|||code42-securitydata-search'
+ script: Code42|||code42-download-file
 type: regular
 version: -1
- taskid: cea50fb7-6903-4650-8172-5d6a324da237
+ taskid: 687edce2-d09d-4ad1-845e-a3ed7b7b7d4a
 timertriggers: []
 type: regular
 view: |-
From b4d95db4095108cbc0bb409644a45edae469f5fe Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 14:52:13 +0000
Subject: [PATCH 16/38] Remove outputs
---
 .../playbook-Code42_File_Download.yml | 92 +------------------
 1 file changed, 1 insertion(+), 91 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index cbdd7dd92f6d..e905ffb98256 100644
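Review bot: Both download tasks ("5" and "6") now set `continueonerror: true`, so a failed `code42-download-file` call (for instance a hash Code42 holds no file for) is suppressed and the flow moves on as if a file had been retrieved, while the `evidencedata` entry described as "The file that caused the alert." may then point at nothing. A follow-up condition on the command result or on the File context before the Complete task, or at least a task description that states the best-effort behaviour, e.g. `description: Downloads a file from Code42 servers; a failed download is ignored and the playbook continues.`, would make that outcome visible to the analyst. Each task's `view` block continues past its hunk.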
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -23,97 +23,7 @@ inputs:
 transformers:
 - operator: uniq
 name: Code42 File Download
-outputs:
-- contextPath: Code42.SecurityData
- description: Returned File Results
- type: unknown
-- contextPath: Code42.SecurityData.EventTimestamp
- description: Timestamp for event
-- contextPath: Code42.SecurityData.FileCreated
- description: File creation date
-- contextPath: Code42.SecurityData.EndpointID
- description: Code42 device ID
-- contextPath: Code42.SecurityData.DeviceUsername
- description: Username that device is associated with in Code42
-- contextPath: Code42.SecurityData.EmailFrom
- description: Sender email address for email exfiltration events
-- contextPath: Code42.SecurityData.EmailTo
- description: Recipient emial address for email exfiltration events
-- contextPath: Code42.SecurityData.EmailSubject
- description: Email subject line for email exfiltration events
-- contextPath: Code42.SecurityData.EventID
- description: Security Data event ID
-- contextPath: Code42.SecurityData.EventType
- description: Type of Security Data event
-- contextPath: Code42.SecurityData.FileCategory
- description: Type of file as determined by Code42 engine
-- contextPath: Code42.SecurityData.FileOwner
- description: Owner of file
-- contextPath: Code42.SecurityData.FileName
- description: File name
-- contextPath: Code42.SecurityData.FilePath
- description: Path to file
-- contextPath: Code42.SecurityData.FileSize
- description: Size of file in bytes
-- contextPath: Code42.SecurityData.FileModified
- description: File modification date
-- contextPath: Code42.SecurityData.FileMD5
- description: MD5 hash of file
-- contextPath: Code42.SecurityData.FileHostname
- description: Hostname where file event was captured
-- contextPath: Code42.SecurityData.DevicePrivateIPAddress
- description: Private IP addresses of device where event was captured
-- contextPath: Code42.SecurityData.DevicePublicIPAddress
- description: Public IP address of device where event was captured
-- contextPath: Code42.SecurityData.RemovableMediaType
- description: Type of removate media
-- contextPath: Code42.SecurityData.RemovableMediaCapacity
- description: Total capacity of removable media in bytes
-- contextPath: Code42.SecurityData.RemovableMediaMediaName
- description: Full name of removable media
-- contextPath: Code42.SecurityData.RemovableMediaName
- description: Name of removable media
-- contextPath: Code42.SecurityData.RemovableMediaSerialNumber
- description: Serial number for removable medial device
-- contextPath: Code42.SecurityData.RemovableMediaVendor
- description: Vendor name for removable device
-- contextPath: Code42.SecurityData.FileSHA256
- description: SHA256 hash of file
-- contextPath: Code42.SecurityData.FileShared
- description: Whether file is shared using cloud file service
-- contextPath: Code42.SecurityData.FileSharedWith
- description: Accounts that file is shared with on cloud file service
-- contextPath: Code42.SecurityData.Source
- description: Source of file event, Cloud or Endpoint
-- contextPath: Code42.SecurityData.ApplicationTabURL
- description: URL associated with application read event
-- contextPath: Code42.SecurityData.ProcessName
- description: Process name for application read event
-- contextPath: Code42.SecurityData.ProcessOwner
- description: Process owner for application read event
-- contextPath: Code42.SecurityData.WindowTitle
- description: Process name for application read event
-- contextPath: Code42.SecurityData.FileURL
- description: URL of file on cloud file service
-- contextPath: Code42.SecurityData.Exposure
- description: Exposure type for event
-- contextPath: Code42.SecurityData.SharingTypeAdded
- description: Type of sharing added to file
-- contextPath: File
- description: The file object.
- type: unknown
-- contextPath: File.Name
- description: File name
-- contextPath: File.Path
- description: File path
-- contextPath: File.Size
- description: File size in bytes
-- contextPath: File.MD5
- description: MD5 hash of file
-- contextPath: File.SHA256
- description: FSHA256 hash of file
-- contextPath: File.Hostname
- description: Hostname where file event was captured
+outputs: []
 sourceplaybookid: Code42 File Search
 starttaskid: "0"
 tasks:
From 650c7d227790eafcc5015b68913596d2c53f298e Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 15:31:23 +0000
Subject: [PATCH 17/38] Fix description
---
 Packs/Code42/Playbooks/playbook-Code42_File_Download.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index e905ffb98256..43b7e46220f8 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -1,5 +1,4 @@
-description: This playbook searches for files via Code42 security events by either
- MD5 or SHA256 hash. The data is output to the Code42.SecurityData context for use.
+description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash.
 id: f10f23fd-7db9-4544-8929-e2f76abafa46
 inputs:
 - description: MD5 hash to search for
From da40cdc94531a7bc80109c552fda380523b7fd85 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 15:32:39 +0000
Subject: [PATCH 18/38] Fix ID
---
 Packs/Code42/Playbooks/playbook-Code42_File_Download.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index 43b7e46220f8..1c67f94d861f 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -1,5 +1,5 @@
 description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash.
-id: f10f23fd-7db9-4544-8929-e2f76abafa46
+id: Code42 Exfiltration Playbook
 inputs:
 - description: MD5 hash to search for
 key: MD5
From 6b85c58c0e6a10e6c8317f4ae52232b9bd38ccde Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 15:47:47 +0000
Subject: [PATCH 19/38] Fix validation errorS
---
 .../Layouts/layout-details-Code42_Security_Alert-V2.json | 8 ++++----
 .../Playbooks/playbook-Code42_Exfiltration_Playbook.yml | 1 +
 Packs/Code42/Playbooks/playbook-Code42_File_Download.yml | 8 ++++++++
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
index d33aea2ec4e3..af1f72ba6584 100644
--- a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
+++ b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json
@@ -5,6 +5,9 @@
 "name": "",
 "sortValues": null,
 "system": false,
+ "typeId": "Code42 Security Alert",
+ "version": -1,
+ "fromVersion": "5.0.0",
 "tabs": [
 {
 "id": "summary",
@@ -466,8 +469,5 @@
 "name": "Canvas",
 "type": "canvas"
 }
- ],
- "typeId": "Code42 Security Alert",
- "fromVersion": "5.0.0",
- "version": -1
+ ]
 }
\ No newline at end of file
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
index e3c5a1da823c..aa90e8c7c100 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
@@ -945,4 +945,5 @@ inputs:
 required: false
 description: URL of Demisto instance for emails.
 playbookInputQuery: null
+fromversion: "5.0.0"
 outputs: []
diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
index 1c67f94d861f..e88146c90d03 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml
@@ -41,6 +41,7 @@ tasks:
 id: d045a003-2e7f-4f47-80c7-3882baf399b6
 iscommand: false
 name: ""
+ description: ""
 version: -1
 taskid: d045a003-2e7f-4f47-80c7-3882baf399b6
 timertriggers: []
@@ -93,6 +94,7 @@ tasks:
 id: 746c1a4e-7084-45f1-86e6-e9764ffbbf5c
 iscommand: false
 name: Is Code42 Integration Active?
+ description: "Checks to see if a Code42 Integration is active."
 type: condition
 version: -1
 taskid: 746c1a4e-7084-45f1-86e6-e9764ffbbf5c
@@ -130,6 +132,7 @@ tasks:
 id: 935cb1d6-e328-4a8e-888f-347c3b33ce11
 iscommand: false
 name: Does SHA256 Exist?
+ description: "Checks to see if a SHA256 hash exists in the inputs."
 type: condition
 version: -1
 taskid: 935cb1d6-e328-4a8e-888f-347c3b33ce11
@@ -167,6 +170,7 @@ tasks:
 id: 1d0dfb1f-6874-41e9-8593-fca2a96c58c4
 iscommand: false
 name: Does MD5 Exist?
+ description: "Checks to see if a MD5 hash exists in the inputs."
 type: condition
 version: -1
 taskid: 1d0dfb1f-6874-41e9-8593-fca2a96c58c4
@@ -265,6 +269,7 @@ tasks:
 id: 7f03d6ab-3bb8-4bd5-867b-fe853fa38684
 iscommand: false
 name: Complete
+ description: ""
 type: title
 version: -1
 taskid: 7f03d6ab-3bb8-4bd5-867b-fe853fa38684
@@ -278,6 +283,9 @@ tasks:
 }
 }
 version: -1
+fromversion: 5.0.0
+tests:
+- No Test
 view: |-
 {
 "linkLabelsPosition": {},
From 86dd4f063632a82c69b39d363d3aa5445a5d1437 Mon Sep 17 00:00:00 2001
From: Juliya Smith
Date: Wed, 1 Jul 2020 15:55:49 +0000
Subject: [PATCH 20/38] Fix validation errors
---
 .../playbook-Code42_Exfiltration_Playbook.yml | 25 +++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
index aa90e8c7c100..ce47b5418e46 100644
--- a/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
+++ b/Packs/Code42/Playbooks/playbook-Code42_Exfiltration_Playbook.yml
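Review bot: The new File Download playbook is registered with `tests:` followed by `- No Test` in the last hunk, which appears to declare that no test playbook exists for it, at the same time as it becomes a step of the Exfiltration playbook whose download tasks are set to continue on error. A minimal test playbook that drives the SHA256 and MD5 branches with a known hash, or a short note in the top-level `description` saying which playbook's tests cover the download path, would give that error-tolerant path some coverage. The `view` block at the end of the file continues past the hunk.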
@@ -1,5 +1,5 @@ id: Code42 Exfiltration Playbook -version: 14 +version: -1 name: Code42 Exfiltration Playbook description: The Code42 Exfiltration playbook acts on Code42 Security Alerts, retrieves file event data, and allows security teams to remediate file exfiltration events @@ -16,6 +16,7 @@ tasks: name: "" iscommand: false brand: "" + description: "" nexttasks: '#none#': - "1" @@ -43,6 +44,7 @@ tasks: type: title iscommand: false brand: "" + description: "Starts a timer to track how long it takes to resolve the alert." nexttasks: '#none#': - "25" @@ -73,6 +75,7 @@ tasks: type: condition iscommand: false brand: "" + description: "Searches the related files for malicious behavior." nexttasks: '#default#': - "7" @@ -102,6 +105,7 @@ tasks: type: title iscommand: false brand: "" + description: "" nexttasks: '#none#': - "19" @@ -131,6 +135,7 @@ tasks: type: title iscommand: false brand: "" + description: "" nexttasks: '#none#': - "9" @@ -155,10 +160,11 @@ tasks: id: b8a80acb-a2f7-4899-88e7-16382828b9b4 version: -1 name: Resolve Code42 Alert - script: '|||code42-alert-resolve' + script: Code42|||code42-alert-resolve type: regular iscommand: true brand: "" + description: "" nexttasks: '#none#': - "26" @@ -189,6 +195,7 @@ tasks: type: title iscommand: false brand: "" + description: "" nexttasks: '#none#': - "8" @@ -218,6 +225,7 @@ tasks: type: title iscommand: false brand: "" + description: "" separatecontext: false view: |- { @@ -243,6 +251,7 @@ tasks: type: regular iscommand: true brand: CrowdstrikeFalcon + description: "" nexttasks: '#none#': - "31" @@ -283,6 +292,7 @@ tasks: type: condition iscommand: false brand: "" + description: "" nexttasks: '#default#': - "30" @@ -340,6 +350,7 @@ tasks: type: regular iscommand: true brand: jira-v2 + description: "" nexttasks: '#none#': - "30" @@ -385,6 +396,7 @@ tasks: type: condition iscommand: false brand: "" + description: "" nexttasks: '#default#': - "30" 
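Review bot: In the `Resolve Code42 Alert` task the script is now pinned as `script: Code42|||code42-alert-resolve`, but the task keeps `brand: ""`; the other command tasks in this file that target a specific integration set the brand field as well (`brand: CrowdstrikeFalcon`, `brand: jira-v2`), so `brand: Code42` would keep the task consistent if the prefix is meant to route the command to the Code42 instance. Most of the added `description: ""` values silence the validator without saying what the task does; the condition tasks (`Is email integration enabled?` and those in the later hunks of this file) would read better with the same one-line descriptions the File Download playbook received in the previous patch. The last two hunks of this file also insert `description` before `brand` while every other hunk places it after, which is worth aligning.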
@@ -445,6 +457,7 @@ tasks: type: condition iscommand: false brand: "" + description: "" nexttasks: '#default#': - "30" @@ -483,6 +496,7 @@ tasks: type: playbook iscommand: false brand: "" + description: "" nexttasks: '#none#': - "5" @@ -520,6 +534,7 @@ tasks: type: regular iscommand: true brand: Builtin + description: "" nexttasks: '#none#': - "10" @@ -555,6 +570,7 @@ tasks: type: condition iscommand: false brand: "" + description: "" nexttasks: '#default#': - "30" @@ -585,6 +601,7 @@ tasks: type: regular iscommand: true brand: "" + description: "" nexttasks: '#none#': - "30" @@ -645,6 +662,7 @@ tasks: type: regular iscommand: false brand: "" + description: "" nexttasks: '#none#': - "9" @@ -672,6 +690,7 @@ tasks: type: condition iscommand: false brand: "" + description: "" nexttasks: '#default#': - "27" @@ -722,6 +741,7 @@ tasks: script: '|||cs-falcon-contain-host' type: regular iscommand: true + description: "" brand: "" nexttasks: '#none#': @@ -753,6 +773,7 @@ tasks: name: Is email integration enabled? type: condition iscommand: false + description: "" brand: "" nexttasks: '#default#': From cdb1cd3d9dc30bd078df98a29ea02fa0b487cd2e Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 15:56:50 +0000 Subject: [PATCH 21/38] Fix validation error --- Packs/Code42/Playbooks/playbook-Code42_File_Download.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml index e88146c90d03..e93c2e3fd235 100644 --- a/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml +++ b/Packs/Code42/Playbooks/playbook-Code42_File_Download.yml @@ -1,5 +1,5 @@ description: This playbook downloads a file via Code42 by either MD5 or SHA256 hash. -id: Code42 Exfiltration Playbook +id: Code42 File Download inputs: - description: MD5 hash to search for key: MD5 From 2159d9d420c435f374041bff8fa8a8c5d3d51f42 Mon Sep 17 00:00:00 2001 
From: Juliya Smith Date: Wed, 1 Jul 2020 16:07:52 +0000 Subject: [PATCH 22/38] Fix validation error --- ...yout-details-Code42_Security_Alert-V2.json | 903 +++++++++--------- 1 file changed, 454 insertions(+), 449 deletions(-) diff --git a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json index af1f72ba6584..a9fb242081d2 100644 --- a/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json +++ b/Packs/Code42/Layouts/layout-details-Code42_Security_Alert-V2.json 
@@ -1,473 +1,478 @@ { - "TypeName": "", - "id": "Code42 Security Alert", - "kind": "details", - "name": "", - "sortValues": null, - "system": false, - "typeId": "Code42 Security Alert", - "version": -1, - "fromVersion": "5.0.0", - "tabs": [ - { - "id": "summary", - "name": "Legacy Summary", - "type": "summary" - }, - { - "id": "caseinfoid", - "name": "Incident Info", - "sections": [ + "typeId": "Code42 Security Alert", + "version": -1, + "TypeName": "Code42 Security Alert", + "kind": "details", + "fromVersion": "5.0.0", + "layout": { + "TypeName": "", + "id": "Code42 Security Alert", + "kind": "details", + "name": "", + "system": false, + "typeId": "Code42 Security Alert", + "version": -1, + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "type", - "height": 22, - "id": "incident-type-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "severity", - "height": 22, - "id": "incident-severity-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "owner", - "height": 22, - "id": "incident-owner-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotsource", - "height": 22, - "id": "incident-source-field", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourcebrand", - "height": 22, - "id": "incident-sourceBrand-field", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourceinstance", - "height": 22, - "id": 
"incident-sourceInstance-field", - "index": 6, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "playbookid", - "height": 22, - "id": "incident-playbookId-field", - "index": 7, - "sectionItemType": "field", - "startCol": 0 - } - ], - "moved": false, - "name": "Case Details", - "static": false, - "w": 1, - "x": 0, - "y": 0 + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 }, { - "h": 2, - "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", - "moved": false, - "name": "Notes", - "static": false, - "type": "notes", - "w": 1, - "x": 2, - "y": 5 + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", - "moved": false, - "name": "Work Plan", - "static": false, - "type": "workplan", - "w": 1, - "x": 2, - "y": 0 + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "moved": false, - "name": "Linked Incidents", - "static": false, - "type": "linkedIncidents", - "w": 1, - "x": 0, - "y": 9 + "endCol": 2, + "fieldId": "dbotsource", + "height": 22, + "id": "incident-source-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", - "moved": false, - "name": "Child Incidents", - "static": false, - "type": "childInv", - "w": 1, - "x": 1, - "y": 9 + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 2, - "hideName": 
false, - "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", - "moved": false, - "name": "Team Members", - "static": false, - "type": "team", - "w": 1, - "x": 2, - "y": 9 + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "CARD", - "h": 4, - "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", - "items": [ - { - "endCol": 1, - "fieldId": "occurred", - "height": 55, - "id": "incident-occurred-field", - "index": 1, - "startCol": 0 - }, - { - "endCol": 1, - "fieldId": "dbotmodified", - "height": 55, - "id": "incident-modified-field", - "index": 2, - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotduedate", - "height": 55, - "id": "incident-dueDate-field", - "index": 3, - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotcreated", - "height": 55, - "id": "incident-created-field", - "index": 1, - "startCol": 1 - }, - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 55, - "id": "incident-closed-field", - "index": 2, - "startCol": 1 - } - ], - "moved": false, - "name": "Timeline Information", - "static": false, - "w": 1, - "x": 0, - "y": 5 + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + } + ], + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 5 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "moved": false, 
+ "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 9 + }, + { + "displayType": "CARD", + "h": 4, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 55, + "id": "incident-occurred-field", + "index": 1, + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 55, + "id": "incident-modified-field", + "index": 2, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 55, + "id": "incident-dueDate-field", + "index": 3, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 55, + "id": "incident-created-field", + "index": 1, + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 55, + "id": "incident-closed-field", + "index": 2, + "startCol": 1 + } + ], + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 5 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 24, + "id": "incident-dbotClosed-field", + "index": 0, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 24, + "id": "incident-closeReason-field", + "index": 1, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 48, + "id": "incident-closeNotes-field", + "index": 2, + "startCol": 0 + } + ], + "moved": false, + 
"name": "Closing Information", + "static": false, + "w": 1, + "x": 2, + "y": 7 + }, + { + "displayType": "CARD", + "h": 4, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "name", + "height": 55, + "id": "f4316c20-598a-11ea-b904-997d555669cb", + "index": 0, + "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "details", + "height": 110, + "id": "incident-details-field", + "index": 1, + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "code42alerttype", + "height": 55, + "id": "66a7ca60-598b-11ea-b904-997d555669cb", + "index": 2, + "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "employeedisplayname", + "height": 55, + "id": "9e36d450-5984-11ea-b904-997d555669cb", + "index": 3, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "employeeemail", + "height": 55, + "id": "a3608bb0-5984-11ea-b904-997d555669cb", + "index": 4, + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "employeemanageremail", + "height": 55, + "id": "a4bc7230-5984-11ea-b904-997d555669cb", + "index": 5, + "startCol": 0 + } + ], + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 5 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb", + "items": [ + { + "endCol": 6, + "fieldId": "code42fileevents", + "height": 106, + "id": "484a0170-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "exfiltratedfilelist", + "height": 22, + "id": "d857da20-5985-11ea-b904-997d555669cb", + "index": 1, + "listId": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "minW": 1, + 
"moved": false, + "name": "File Events", + "static": false, + "w": 3, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a", + "items": [ + { + "endCol": 2, + "fieldId": "code42alertname", + "height": 22, + "id": "d3760eb0-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "code42username", + "height": 22, + "id": "e7d311f0-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "code42alerttype", + "height": 22, + "id": "dcb30460-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 2, + "listId": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "code42alertdescription", + "height": 22, + "id": "d4ac1db0-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 3, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 24, - "id": "incident-dbotClosed-field", - "index": 0, - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closereason", - "height": 24, - "id": "incident-closeReason-field", - "index": 1, - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closenotes", - "height": 48, - "id": "incident-closeNotes-field", - "index": 2, - "startCol": 0 - } - ], - "moved": false, - "name": "Closing Information", - "static": false, - "w": 1, - "x": 2, - "y": 7 + "endCol": 2, + "fieldId": "code42alertstate", + "height": 22, + "id": "d8f1b6a0-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 4, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "CARD", - "h": 4, - "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "dropEffect": 
"move", - "endCol": 2, - "fieldId": "name", - "height": 55, - "id": "f4316c20-598a-11ea-b904-997d555669cb", - "index": 0, - "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "details", - "height": 110, - "id": "incident-details-field", - "index": 1, - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "code42alerttype", - "height": 55, - "id": "66a7ca60-598b-11ea-b904-997d555669cb", - "index": 2, - "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "employeedisplayname", - "height": 55, - "id": "9e36d450-5984-11ea-b904-997d555669cb", - "index": 3, - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "employeeemail", - "height": 55, - "id": "a3608bb0-5984-11ea-b904-997d555669cb", - "index": 4, - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "employeemanageremail", - "height": 55, - "id": "a4bc7230-5984-11ea-b904-997d555669cb", - "index": 5, - "startCol": 0 - } - ], - "moved": false, - "name": "Investigation Data", - "static": false, - "w": 1, - "x": 1, - "y": 5 + "endCol": 2, + "fieldId": "code42alertid", + "height": 22, + "id": "d6de3ff0-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 5, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 3, - "hideName": false, - "i": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb", - "items": [ - { - "endCol": 6, - "fieldId": "code42fileevents", - "height": 106, - "id": "484a0170-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 6, - "fieldId": "exfiltratedfilelist", - "height": 22, - "id": "d857da20-5985-11ea-b904-997d555669cb", - "index": 1, - "listId": "caseinfoid-d0b3fb00-5985-11ea-b904-997d555669cb", - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "File Events", - "static": false, - "w": 3, 
- "x": 0, - "y": 2 + "endCol": 2, + "fieldId": "code42alerttimestamp", + "height": 22, + "id": "dabdeb20-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 6, + "sectionItemType": "field", + "startCol": 0 }, { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a", - "items": [ - { - "endCol": 2, - "fieldId": "code42alertname", - "height": 22, - "id": "d3760eb0-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "code42username", - "height": 22, - "id": "e7d311f0-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "code42alerttype", - "height": 22, - "id": "dcb30460-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 2, - "listId": "caseinfoid-bcc9c440-b6ef-11ea-8e1b-f35e38fc5b4a", - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "code42alertdescription", - "height": 22, - "id": "d4ac1db0-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "code42alertstate", - "height": 22, - "id": "d8f1b6a0-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 4, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "code42alertid", - "height": 22, - "id": "d6de3ff0-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "code42alerttimestamp", - "height": 22, - "id": "dabdeb20-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 6, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "code42severity", - "height": 22, - "id": "e5bab940-b6ef-11ea-8e1b-f35e38fc5b4a", - "index": 7, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "Code42 Alert Details", - "static": false, - "w": 1, - "x": 1, - 
"y": 0 + "endCol": 2, + "fieldId": "code42severity", + "height": 22, + "id": "e5bab940-b6ef-11ea-8e1b-f35e38fc5b4a", + "index": 7, + "sectionItemType": "field", + "startCol": 0 } - ], - "type": "custom" - }, - { - "id": "warRoom", - "name": "War Room", - "type": "warRoom" - }, - { - "id": "workPlan", - "name": "Work Plan", - "type": "workPlan" - }, - { - "id": "evidenceBoard", - "name": "Evidence Board", - "type": "evidenceBoard" - }, - { - "id": "relatedIncidents", - "name": "Related Incidents", - "type": "relatedIncidents" - }, - { - "id": "canvas", - "name": "Canvas", - "type": "canvas" - } - ] + ], + "maxW": 3, + "minH": 1, + "minW": 1, + "moved": false, + "name": "Code42 Alert Details", + "static": false, + "w": 1, + "x": 1, + "y": 0 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + } } \ No newline at end of file From 3de85689dba654b55fd71c3a0b89b62a11154096 Mon Sep 17 00:00:00 2001 From: Juliya Smith Date: Wed, 1 Jul 2020 17:02:48 +0000 Subject: [PATCH 23/38] Removed integration file - not supposed to be there i guess --- .../Code42/integration-Code42.yml | 1859 ----------------- 1 file changed, 1859 deletions(-) delete mode 100644 Packs/Code42/Integrations/Code42/integration-Code42.yml diff --git a/Packs/Code42/Integrations/Code42/integration-Code42.yml b/Packs/Code42/Integrations/Code42/integration-Code42.yml deleted file mode 100644 index 3ffd160eeb35..000000000000 --- a/Packs/Code42/Integrations/Code42/integration-Code42.yml +++ /dev/null 
@@ -1,1859 +0,0 @@ -category: Endpoint -commonfields: - id: Code42 - version: -1 -configuration: -- defaultvalue: console.us.code42.com - display: Code42 Console URL for the pod your Code42 instance is running in - name: console_url - required: true - type: 0 -- display: Username - name: credentials - required: true - type: 9 -- display: Fetch incidents - name: isFetch - required: false - type: 8 -- display: Incident type - name: incidentType - required: false - type: 13 -- display: Alert severities to fetch when fetching incidents - name: alert_severity - options: - - High - - Medium - - Low - required: false - type: 16 -- defaultvalue: 24 hours - display: First fetch time range (