[ASM] Expander 5777 (#29647)

content-bot · johnnywilkes · Content Bot · ostolero · commit 484ee5ab9862 · 2023-09-18T14:35:09.000+03:00
* [ASM] Expander 5777 (#29619) * first * RN * Bump pack from version CortexAttackSurfaceManagement to 1.6.36. --------- Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: Content Bot <bot@demisto.com>
diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml
@@ -6,10 +6,10 @@ starttaskid: "0"
 tasks:
   "0":
     id: "0"
-    taskid: d1735507-de4e-495b-8480-d5706b9c0bbd
+    taskid: 59fd772a-8663-4f65-894b-ce0d9d594d3a
     type: start
     task:
-      id: d1735507-de4e-495b-8480-d5706b9c0bbd
+      id: 59fd772a-8663-4f65-894b-ce0d9d594d3a
       version: -1
       name: ""
       iscommand: false
@@ -36,10 +36,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "3":
     id: "3"
-    taskid: 1e668467-bde2-483b-8523-b8409d9eaff8
+    taskid: abeca2ef-0997-4c7d-8f50-fe1ed91d0446
     type: condition
     task:
-      id: 1e668467-bde2-483b-8523-b8409d9eaff8
+      id: abeca2ef-0997-4c7d-8f50-fe1ed91d0446
       version: -1
       name: What provider is this service?
       description: Determines which cloud provider the service is in order to direct to the correct enrichment.
@@ -50,7 +50,7 @@ tasks:
       '#default#':
       - "4"
       AWS:
-      - "8"
+      - "10"
       GCP:
       - "9"
       Azure:
@@ -130,10 +130,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "4":
     id: "4"
-    taskid: ed351bc8-42f2-4168-8623-e0573f6911e5
+    taskid: 2130db27-44cb-4de8-8b9e-45ca3c14c404
     type: title
     task:
-      id: ed351bc8-42f2-4168-8623-e0573f6911e5
+      id: 2130db27-44cb-4de8-8b9e-45ca3c14c404
       version: -1
       name: Completed
       type: title
@@ -146,7 +146,7 @@ tasks:
       {
         "position": {
           "x": 450,
-          "y": 790
+          "y": 860
         }
       }
     note: false
@@ -158,10 +158,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "6":
     id: "6"
-    taskid: f0cba2e4-b4de-450d-806a-3145e1ce4999
+    taskid: 0280f013-e0ff-41b4-8fed-68d95b3ee6dd
     type: playbook
     task:
-      id: f0cba2e4-b4de-450d-806a-3145e1ce4999
+      id: 0280f013-e0ff-41b4-8fed-68d95b3ee6dd
       version: -1
       name: Azure - Network Security Group Remediation
       description: |-
@@ -242,10 +242,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "7":
     id: "7"
-    taskid: 67959d21-de62-43ad-814b-a2bf61b5a280
+    taskid: 072e7951-1e71-4d9e-8972-9bf7324f1d6d
     type: playbook
     task:
-      id: 67959d21-de62-43ad-814b-a2bf61b5a280
+      id: 072e7951-1e71-4d9e-8972-9bf7324f1d6d
       version: -1
       name: AWS - Unclaimed S3 Bucket Remediation
       description: The playbook will create the unclaimed S3 bucket.
@@ -280,8 +280,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": -200,
-          "y": 460
+          "x": 220,
+          "y": 470
         }
       }
     note: false
@@ -293,10 +293,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "8":
     id: "8"
-    taskid: 409f127a-6417-41a9-8c53-e35dbfc32f53
+    taskid: 7138c0ac-6cc2-4494-817f-1a5130a79c2a
     type: playbook
     task:
-      id: 409f127a-6417-41a9-8c53-e35dbfc32f53
+      id: 7138c0ac-6cc2-4494-817f-1a5130a79c2a
       version: -1
       name: AWS - Security Group Remediation v2
       description: This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.
@@ -345,8 +345,8 @@ tasks:
     view: |-
       {
         "position": {
-          "x": 230,
-          "y": 470
+          "x": -120,
+          "y": 670
         }
       }
     note: false
@@ -358,10 +358,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "9":
     id: "9"
-    taskid: d7ea937a-8db4-4b32-87d9-7f02b626c16d
+    taskid: 1100e81a-1ff6-49f4-8f7e-aaf059697952
     type: playbook
     task:
-      id: d7ea937a-8db4-4b32-87d9-7f02b626c16d
+      id: 1100e81a-1ff6-49f4-8f7e-aaf059697952
       version: -1
       name: GCP - Firewall Remediation
       playbookName: GCP - Firewall Remediation
@@ -447,22 +447,153 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "10":
+    id: "10"
+    taskid: 6334ec1b-b8f4-4498-84b2-80049ebcc585
+    type: condition
+    task:
+      id: 6334ec1b-b8f4-4498-84b2-80049ebcc585
+      version: -1
+      name: Is AWSAssumeRoleName Input defined?
+      description: Determines which cloud provider the service is in order to direct to the correct enrichment.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "8"
+      "yes":
+      - "11"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: inputs.AWSAssumeRoleName
+            iscontext: true
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": -300,
+          "y": 440
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "11":
+    id: "11"
+    taskid: ad50baec-b4d2-4969-8933-d60086859a91
+    type: playbook
+    task:
+      id: ad50baec-b4d2-4969-8933-d60086859a91
+      version: -1
+      name: AWS - Security Group Remediation v2
+      description: This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive.  It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed.  Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4.
+      playbookName: AWS - Security Group Remediation v2
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "4"
+    scriptarguments:
+      AWSAssumeArn:
+        complex:
+          root: alert.asmcloud
+          accessor: project
+          transformers:
+          - operator: FirstArrayElement
+          - operator: concat
+            args:
+              prefix:
+                value:
+                  simple: 'arn:aws:iam::'
+              suffix:
+                value:
+                  simple: :role/
+          - operator: concat
+            args:
+              prefix: {}
+              suffix:
+                value:
+                  simple: inputs.AWSAssumeRoleName
+                iscontext: true
+      InstanceID:
+        complex:
+          root: alert.asmsystemids
+          filters:
+          - - operator: isEqualString
+              left:
+                value:
+                  simple: alert.asmsystemids.type
+                iscontext: true
+              right:
+                value:
+                  simple: ASSET-ID
+          accessor: id
+      Port:
+        complex:
+          root: alert
+          accessor: remoteport
+      Protocol:
+        complex:
+          root: alert
+          accessor: protocol
+          transformers:
+          - operator: toLowerCase
+      PublicIP:
+        complex:
+          root: alert
+          accessor: remoteip
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": -550,
+          "y": 670
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {},
     "paper": {
       "dimensions": {
-        "height": 805,
-        "width": 1680,
-        "x": -200,
+        "height": 875,
+        "width": 2030,
+        "x": -550,
         "y": 50
       }
     }
   }
-inputs: []
+inputs:
+- key: AWSAssumeRoleName
+  value: {}
+  required: false
+  description: If assuming roles for AWS, this is the name of the role to assume (should be the same for all organizations)
+  playbookInputQuery:
 outputs: []
 tests:
 - No tests (auto formatted)
 fromversion: 6.5.0
-contentitemexportablefields:
-  contentitemfields: {}
diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation_README.md b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation_README.md
@@ -6,9 +6,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 
 ### Sub-playbooks
 
-* AWS - Unclaimed S3 Bucket Remediation
 * GCP - Firewall Remediation
 * AWS - Security Group Remediation v2
+* AWS - Unclaimed S3 Bucket Remediation
 * Azure - Network Security Group Remediation
 
 ### Integrations
@@ -26,7 +26,10 @@ This playbook does not use any commands.
 ## Playbook Inputs
 
 ---
-There are no inputs for this playbook.
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| AWSAssumeRoleName | If assuming roles for AWS, this is the name of the role to assume \(should be the same for all organizations\) |  | Optional |
 
 ## Playbook Outputs
 
@@ -37,4 +40,4 @@ There are no outputs for this playbook.
 
 ---
 
-![Cortex ASM - Remediation](../doc_files/Cortex_ASM_-_Remediation.png)
+![Cortex ASM - Remediation](../doc_files/Cortex_ASM_-_Remediation.png)
diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_6_36.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_6_36.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex ASM - Remediation
+
+- Added the **AWSAssumeRoleName** optional input in case a roleArn needs to be passed in.
diff --git a/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Remediation.png b/Packs/CortexAttackSurfaceManagement/doc_files/Cortex_ASM_-_Remediation.png
diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Cortex Attack Surface Management",
     "description": "Content for working with Attack Surface Management (ASM).",
     "support": "xsoar",
-    "currentVersion": "1.6.35",
+    "currentVersion": "1.6.36",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
