diff --git a/Integrations/integration-CrowdStrikeIntel.yml b/Integrations/integration-CrowdStrikeIntel.yml index 9fc64029654b..47dd065ad88c 100644 --- a/Integrations/integration-CrowdStrikeIntel.yml +++ b/Integrations/integration-CrowdStrikeIntel.yml @@ -5,10 +5,11 @@ name: FalconIntel display: CrowdStrike Falcon Intel category: Data Enrichment & Threat Intelligence image:  -description: Actors, indicators and reports intelligence +description: Actors, indicators and reports intelligence with indicator V2 api support detaileddescription: |- Please provide the API id and key for the CrowsStrike Falcon Intelligence. API Key Pairs can be generated by accessing the CrowdStrike API tab located in the user settings on the Intelligence Portal. + Indicator API v2 is supported. configuration: - display: Server URL (e.g. https://192.168.0.1) name: url @@ -35,8 +36,16 @@ configuration: defaultvalue: "false" type: 8 required: false +- display: Support indicator API V2 + name: version + defaultvalue: "true" + type: 8 + required: false script: script: | + // determine api version for api calls + var version = (params.version ? "v2" : "v1"); + var serverUrl = params.url; if (serverUrl[serverUrl.length - 1] !== '/') { serverUrl += '/'; @@ -50,7 +59,8 @@ script: 'X-CSIX-CUSTID': [params.id], 'X-CSIX-CUSTKEY': [params.key], 'Content-Type': ['application/json'], - 'Accept': ['application/json'] + 'Accept': ['application/json'], + 'X-INTEGRATION' : ['Demisto_demisto_3.6'] }, Method: method, Body: body ? JSON.stringify(body) : '' @@ -237,7 +247,7 @@ script: a.order = parts[1]; } } - var res = doReq('GET', 'indicator/v1/search/' + args.parameter, a); + var res = doReq('GET', 'indicator/'+ version +'/search/' + args.parameter, a); var md = '## Falcon Intel Indicator Search for: ' + args.value + '\n'; var found = false; var ec = {}; 
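Review bot: `var version = (params.version ? "v2" : "v1");` picks the API version by truthiness, so an instance with no stored value for the new `version` parameter is routed to v1 even though the parameter's `defaultvalue` is "true"; if instances saved before this commit do not pick up new defaults (not visible here), old and new instances silently talk to different APIs. A comment stating the intent would make that explicit, e.g. `// params.version is the type-8 (boolean) "Support indicator API V2" instance parameter: true -> v2, false/absent -> v1`, and `params.version !== false` is the alternative if an unset value should mean v2. The script block continues outside the hunk.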
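Review bot: The added header `'X-INTEGRATION' : ['Demisto_demisto_3.6']` hard-codes a version token with nothing saying what the API does with it, and a later hunk of this commit removes `fromversion: 3.5.0`, so a reader cannot tell whether the two are related or which one to update. A one-line comment naming its purpose resolves that, e.g. `// client identifier sent to the Falcon Intel API; bump when the integration version changes` — assuming it is a client identifier rather than a server-version claim. The request-building function starts and ends outside the hunk.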
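Review bot: The rewritten `var res = doReq('GET', 'indicator/'+ version +'/search/' + args.parameter, a);` still splices the caller-supplied `args.parameter` into the request path unencoded, so a value containing `/` or `?` changes which endpoint is hit instead of failing. Since `parameter` is documented as one of a fixed set of field names, either encode it, `'indicator/' + version + '/search/' + encodeURIComponent(args.parameter)`, or validate it against that list before building the path. The same `version` interpolation in the `doIndicator` hunk takes no user input into the path and needs no change. The enclosing function starts and ends outside this hunk.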
@@ -289,7 +299,7 @@ script: var doIndicator = function(ind, type, title, appendContextFunc) { var a = {equal: ind}; - var res = doReq('GET', 'indicator/v1/search/indicator', a); + var res = doReq('GET', 'indicator/'+ version +'/search/indicator', a); var md = '## ' + title + ': ' + ind + '\n'; var ec = {}; var found = false; @@ -431,8 +441,13 @@ script: switch (command) { case 'test-module': - doReq('GET', 'actors/queries/actors/v1', {q: 'panda'}); - return true; + if(version === 'v2') { + doReq('GET', 'indicator/'+ version +'/search/indicator', {equal: '4.4.4.4'}); + return true; + } else { + doReq('GET', 'actors/queries/actors/v1', {q: 'panda'}); + return true; + } case 'file': return doFile(args.file); case 'ip': @@ -455,11 +470,9 @@ script: type: javascript commands: - name: file - deprecated: false arguments: - name: file required: true - deprecated: false default: true description: The file hash md5/sha1/sha256 to check outputs: @@ -483,11 +496,9 @@ script: description: The actual score description: Check file reputation - name: url - deprecated: false arguments: - name: url required: true - deprecated: false default: true description: URL to be checked outputs: @@ -507,11 +518,9 @@ script: description: The actual score description: Check the given URL reputation - name: domain - deprecated: false arguments: - name: domain required: true - deprecated: false default: true description: Domain to be checked outputs: @@ -531,11 +540,9 @@ script: description: The actual score description: Check the given URL reputation - name: ip - deprecated: false arguments: - name: ip required: true - deprecated: false default: true description: IP to check outputs: 
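Review bot: The new `test-module` branches both end in `return true`, and the v2 branch hard-codes `{equal: '4.4.4.4'}` with no comment on why that indicator was chosen; only the request differs, so select it once and return once: `var testPath = version === 'v2' ? 'indicator/v2/search/indicator' : 'actors/queries/actors/v1';` `doReq('GET', testPath, version === 'v2' ? {equal: '4.4.4.4'} : {q: 'panda'});` `return true;`. Whether `doReq` throws on a non-2xx response is not visible in this hunk; if it does not, the test returns true for a bad key and an explicit status check is needed. The enclosing `switch` and its function continue outside the hunk.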
@@ -555,54 +562,38 @@ script: description: The actual score description: Check IP reputation - name: cs-actors - deprecated: false arguments: - name: q - deprecated: false default: true description: Search all fields for the given data - name: name - deprecated: false description: Search based on actor name - name: desc - deprecated: false description: Search based on description - name: minLastModifiedDate - deprecated: false description: Search range from modified date. Dates are formatted as YYYY-MM-DD. - name: maxLastModifiedDate - deprecated: false description: Search range to modified date. Dates are formatted as YYYY-MM-DD. - name: minLastActivityDate - deprecated: false description: Search range from activity date. Dates are formatted as YYYY-MM-DD. - name: maxLastActivityDate - deprecated: false description: Search range to activity date. Dates are formatted as YYYY-MM-DD. - name: origins - deprecated: false description: Search by origins separated by "," - name: targetCountries - deprecated: false description: Search by target countries separated by "," - name: targetIndustries - deprecated: false description: Search by target industries separated by "," - name: motivations - deprecated: false description: Search by motivations separated by "," - name: offset - deprecated: false description: Which page of the results to retrieve. It is 0 based. - name: limit - deprecated: false description: Number of results for the page - name: sort - deprecated: false description: Sort is field_name.order, field_name.order where order is either asc or desc - name: slug - deprecated: false description: 'Search by ''slug'' or short descriptive name. Ex: "anchor-panda"' description: Search known actors based on the given parameters. Dates are formatted as YYYY-MM-DD. Max date is taken automatically looking at end-of-day time. Origins, 
@@ -610,11 +601,9 @@ script: separated by ",". Offset is 0 based. Sort is field_name.order, field_name.order where order is either asc or desc. - name: cs-indicators - deprecated: false arguments: - name: parameter required: true - deprecated: false description: Based on what parameter to search. See CrowdStrike documentation for details. Can be one of indicator, type, report, actor, malicious_confidence, published_date, last_updated, malware_family, kill_chain, labels, DomainType, @@ -622,7 +611,6 @@ script: Vulnerability - name: filter required: true - deprecated: false auto: PREDEFINED predefined: - match @@ -634,18 +622,14 @@ script: description: Can be either match, equal, gt(e), lt(e) - name: value required: true - deprecated: false description: The value for the given parameter - name: sort - deprecated: false description: Sort by a field. Should be field_name.order where order is either asc or desc. Fields are indicator, type, report, actor, malicious_confidence, published_date, last_updated. - name: page - deprecated: false description: The page to retrieve - 1 based - name: pageSize - deprecated: false description: The size of the page to retrieve outputs: - contextPath: File.MD5 
@@ -718,35 +702,25 @@ script: description: The actual score description: Search known indicators based on the given parameters - name: cs-reports - deprecated: false arguments: - name: q - deprecated: false description: Perform a generic substring search across all fields in a report - name: name - deprecated: false description: Search for keywords across report names (i.e. the report’s title) - name: actor - deprecated: false description: Search for a report related to a particular actor. For a list of actors, refer to the Intel Actors API - name: targetCountries - deprecated: false description: Search reports by targeted country/countries - name: targetIndustries - deprecated: false description: Search reports by targeted industry/industries - name: motivations - deprecated: false description: Search by motivation - name: slug - deprecated: false description: Search by report 'slug' or short descriptive name - name: description - deprecated: false description: Search the body of the report - name: type - deprecated: false auto: PREDEFINED predefined: - intelligence report @@ -755,7 +729,6 @@ script: - tipper description: The type of object to search for. - name: subType - deprecated: false auto: PREDEFINED predefined: - weekly 
@@ -764,38 +737,30 @@ script: - annual description: The sub-type to search for. - name: tags - deprecated: false description: Tags associated with a report (managed internally by CS) - name: minLastModifiedDate - deprecated: false description: Constrain results to those modified on or after a certain date - format YYYY-MM-DD - name: maxLastModifiedDate - deprecated: false description: Constrain results to those modified on or before a certain date - format YYYY-MM-DD - name: offset - deprecated: false description: Used to paginate the response. You can then use limit to set the number of results for the next page. - name: limit - deprecated: false description: Limits the number of results to return - name: sort - deprecated: false description: 'The field and direction to sort results on in the format of: . or .. Valid values include: name, target_countries, target_industries, type, created_date, last_modified_date' description: The Falcon Intel Reports API allows to query CrowdStrike intelligence publications. - name: cs-report-pdf - deprecated: false arguments: - name: id required: true - deprecated: false default: true description: The ID of the report to retrieve description: Retrieve the Falcon Intel Report PDF -hidden: false -fromversion: 3.5.0 + runonce: false +releaseNotes: "Added support for v2 indicator API" \ No newline at end of file diff --git a/TestPlaybooks/playbook-CrowdStrike_Intel_Test.yml b/TestPlaybooks/playbook-CrowdStrike_Intel_Test.yml new file mode 100644 index 000000000000..8e1ad3d0f9f5 --- /dev/null +++ b/TestPlaybooks/playbook-CrowdStrike_Intel_Test.yml 
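Review bot: `fromversion: 3.5.0` is removed rather than raised, while the request header added earlier in this commit hard-codes `Demisto_demisto_3.6`; if the v2 path or that header relies on a server-side feature, keep the key and set it to the minimum version actually required (`fromversion: <MIN_SERVER_VERSION>`, value to be confirmed). `releaseNotes: "Added support for v2 indicator API"` would also be more useful to operators if it named the new instance parameter, e.g. `releaseNotes: "Added support for v2 indicator API (new instance parameter 'Support indicator API V2', enabled by default)"`.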
@@ -0,0 +1,523 @@ +id: CrowdStrike Falcon Intel v2 +version: 17 +name: CrowdStrike Falcon Intel v2 +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 8fc39449-a01e-4f31-8397-79e8f3b48660 + type: start + task: + id: 8fc39449-a01e-4f31-8397-79e8f3b48660 + version: -1 + name: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 50 + } + } + "1": + id: "1" + taskid: 5e52d6ee-db15-490e-8fbe-677f7786f616 + type: regular + task: + id: 5e52d6ee-db15-490e-8fbe-677f7786f616 + version: -1 + name: Check IP Address + script: FalconIntel|||ip + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "3" + scriptarguments: + ip: + simple: 4.4.4.4 + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 391 + } + } + "2": + id: "2" + taskid: 351f2b7b-a641-43a4-8154-c55745f22901 + type: regular + task: + id: 351f2b7b-a641-43a4-8154-c55745f22901 + version: -1 + name: Delete Context + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + scriptarguments: + all: + simple: "yes" + key: {} + separatecontext: false + view: |- + { + "position": { + "x": 451, + "y": 225 + } + } + "3": + id: "3" + taskid: 6beb9982-5245-47a1-8ce5-38a8ceeb4c9e + type: regular + task: + id: 6beb9982-5245-47a1-8ce5-38a8ceeb4c9e + version: -1 + name: Check File + script: FalconIntel|||file + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "4" + scriptarguments: + file: + simple: 369c8fc6532ba547d7ef5985bb5e880a + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 556 + } + } + "4": + id: "4" + taskid: 3802bfdb-a38c-42ee-86c5-bf53e4280d88 + type: regular + task: + id: 3802bfdb-a38c-42ee-86c5-bf53e4280d88 + version: -1 + name: Check URL + script: FalconIntel|||url + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "5" + scriptarguments: + 
url: + simple: http://8.8.8.8/google.doc + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 709 + } + } + "5": + id: "5" + taskid: 0dcd8f93-d91e-46d6-8940-636b19911017 + type: regular + task: + id: 0dcd8f93-d91e-46d6-8940-636b19911017 + version: -1 + name: Check Domain + script: FalconIntel|||domain + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "6" + scriptarguments: + domain: + simple: dns02.hpupdat.net + separatecontext: false + view: |- + { + "position": { + "x": 450, + "y": 878 + } + } + "6": + id: "6" + taskid: d2138ff6-3e9f-4a8b-80e0-cd6c0f1703c9 + type: condition + task: + id: d2138ff6-3e9f-4a8b-80e0-cd6c0f1703c9 + version: -1 + name: Test if values exist from API calls + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "13" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + - - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: hash + - - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: url + - - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: domain + view: |- + { + "position": { + "x": 450, + "y": 1040 + } + } + "7": + id: "7" + taskid: aba71f51-9b4f-42a4-8898-160942e1214f + type: title + task: + id: aba71f51-9b4f-42a4-8898-160942e1214f + version: -1 + name: Test playbook finished successfully. 
+ type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 101, + "y": 1983 + } + } + "8": + id: "8" + taskid: 4efee843-f1c8-4829-8940-81c213af0021 + type: regular + task: + id: 4efee843-f1c8-4829-8940-81c213af0021 + version: -1 + name: Some value was not found + scriptName: ThrowException + type: regular + iscommand: false + brand: "" + scriptarguments: + error: + simple: Some value was not found + separatecontext: false + view: |- + { + "position": { + "x": 926, + "y": 1205 + } + } + "9": + id: "9" + taskid: 7a53ba7d-66a5-42e2-8a3f-1da21dcdcf19 + type: regular + task: + id: 7a53ba7d-66a5-42e2-8a3f-1da21dcdcf19 + version: -1 + name: Search known actors + script: FalconIntel|||cs-actors + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "10" + scriptarguments: + desc: {} + limit: + simple: "1" + maxLastActivityDate: {} + maxLastModifiedDate: {} + minLastActivityDate: {} + minLastModifiedDate: {} + motivations: {} + name: {} + offset: {} + origins: {} + q: + simple: google + slug: {} + sort: {} + targetCountries: {} + targetIndustries: {} + separatecontext: false + view: |- + { + "position": { + "x": 101, + "y": 1320 + } + } + "10": + id: "10" + taskid: 98954f21-86ac-4d87-8222-061fe28a971a + type: regular + task: + id: 98954f21-86ac-4d87-8222-061fe28a971a + version: -1 + name: Search known indicators + script: FalconIntel|||cs-indicators + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "14" + scriptarguments: + filter: + simple: match + page: {} + pageSize: {} + parameter: + simple: indicator + sort: {} + value: + simple: panda + separatecontext: false + view: |- + { + "position": { + "x": 531, + "y": 1320 + } + } + "11": + id: "11" + taskid: db262e1a-d58c-494c-8c39-9c4d0da8efb2 + type: regular + task: + id: db262e1a-d58c-494c-8c39-9c4d0da8efb2 + version: -1 + name: Query CrowdStrike intelligence publications + script: FalconIntel|||cs-reports + type: 
regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "12" + scriptarguments: + actor: + simple: panda + description: {} + limit: + simple: "2" + maxLastModifiedDate: {} + minLastModifiedDate: {} + motivations: {} + name: {} + offset: {} + q: {} + slug: {} + sort: {} + subType: {} + tags: {} + targetCountries: {} + targetIndustries: {} + type: {} + separatecontext: false + view: |- + { + "position": { + "x": 101, + "y": 1650 + } + } + "12": + id: "12" + taskid: 219c9ba6-2112-4d69-85b2-65dbbb3f9adf + type: regular + task: + id: 219c9ba6-2112-4d69-85b2-65dbbb3f9adf + version: -1 + name: Retrieve Falcon Intel Report PDF + script: FalconIntel|||cs-report-pdf + type: regular + iscommand: true + brand: FalconIntel + nexttasks: + '#none#': + - "7" + scriptarguments: + id: + simple: "588" + separatecontext: false + view: |- + { + "position": { + "x": 101, + "y": 1814 + } + } + "13": + id: "13" + taskid: 6a3831eb-7baf-4326-84f9-1423a5ab3d83 + type: regular + task: + id: 6a3831eb-7baf-4326-84f9-1423a5ab3d83 + version: -1 + name: Delete Context + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + all: + simple: "yes" + key: {} + separatecontext: false + view: |- + { + "position": { + "x": 151, + "y": 1175 + } + } + "14": + id: "14" + taskid: f313db80-996c-40c0-8946-e198de408141 + type: condition + task: + id: f313db80-996c-40c0-8946-e198de408141 + version: -1 + name: Test if values exist from API calls + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "15" + "yes": + - "11" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: ip + - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: hash + - operator: string.isEqual + left: + value: + simple: 
DBotScore.Type + iscontext: true + right: + value: + simple: url + - operator: string.isEqual + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: domain + view: |- + { + "position": { + "x": 531, + "y": 1495 + } + } + "15": + id: "15" + taskid: b3d63c21-fc03-490c-830b-231f91e1c1d7 + type: regular + task: + id: b3d63c21-fc03-490c-830b-231f91e1c1d7 + version: -1 + name: Some value was not found + scriptName: ThrowException + type: regular + iscommand: false + brand: "" + scriptarguments: + error: + simple: Some value was not found + separatecontext: false + view: |- + { + "position": { + "x": 926, + "y": 1677 + } + } +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1998, + "width": 1205, + "x": 101, + "y": 50 + } + } + } +inputs: [] +outputs: [] \ No newline at end of file diff --git a/Tests/conf.json b/Tests/conf.json index b0714177a806..dba315c45006 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -2,6 +2,10 @@ "testTimeout": 160, "testInterval": 20, "tests": [ + { + "integrations": "FalconIntel", + "playbookID": "CrowdStrike Falcon Intel v2" + }, { "integrations": [{ "name": "Mail Sender (New)"
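Review bot: Task 14 puts the four `DBotScore.Type` checks into one group (`- - operator …` followed by three `- operator …`) while task 6 gives each its own `- -` group; under a list-of-lists condition format where the outer list is AND and the inner list is OR, task 6 reads as "all four types present" and task 14 as "any one of them", so the two tasks named `Test if values exist from API calls` do not check the same thing — either align them or say in each task's name which is intended. The playbook also pins live data (`4.4.4.4`, hash `369c8fc6532ba547d7ef5985bb5e880a`, `dns02.hpupdat.net`, report id `588`), so it will fail when any of those is retired upstream; a top-level comment noting they are live fixtures would help the next person who sees a red test. Nothing in the playbook selects the new `version` parameter, so which API version it exercises is presumably whatever the FalconIntel instance in the test environment is configured with.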
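Review bot: The new entry sets `"integrations": "FalconIntel"` as a bare string while the neighbouring entry uses a list of objects (`"integrations": [{ "name": "Mail Sender (New)" …`); unless the test runner accepts both shapes (not visible here), this entry is either skipped or breaks parsing. Writing it in the same shape, `"integrations": [{ "name": "FalconIntel" }],`, removes the question.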