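# Playbook definition in the Cortex XSOAR export format: tasks keyed by id,
# `nexttasks` edges between them, and `inputs`/`outputs` context paths.
# Flow as wired below (both branches leave the start task, so they run
# independently of each other):
#   0 (start) -> 25 -> 27 -> 28 -> 7 (Done)   Cylance Protect v2 threat lookup
#   0 (start) -> 29 -> 7 (Done)               Virus Total Private API sub-playbook
# Every branch ends at task 7, including the "no SHA256" and "no Cylance
# instance" cases, so reaching Done does not by itself mean any data was added.
id: File Enrichment - Generic v2
version: 1
contentitemexportablefields:
  contentitemfields:
    packID: CommonPlaybooks
    packName: Common Playbooks
    itemVersion: 2.2.1
    fromServerVersion: 5.0.0
    toServerVersion: ""
    definitionid: ""
vcShouldKeepItemLegacyProdMachine: false
name: File Enrichment - Generic v2
description: |-
  Enrich a file using one or more integrations.
  - Provide threat information
starttaskid: "0"
tasks:
  # Start task: fans out to the Cylance branch (25) and the VT branch (29).
  "0":
    id: "0"
    taskid: 00109219-5fc8-4bbb-881e-e597ec3b7439
    type: start
    task:
      id: 00109219-5fc8-4bbb-881e-e597ec3b7439
      version: -1
      name: ""
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "25"
      - "29"
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 735,
          "y": -90
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Terminal title task; has no `nexttasks`, so the playbook ends here.
  "7":
    id: "7"
    taskid: 89ce26db-58e9-4a6d-88f2-d6810e458ee2
    type: title
    task:
      id: 89ce26db-58e9-4a6d-88f2-d6810e458ee2
      version: -1
      name: Done
      type: title
      iscommand: false
      brand: ""
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 735,
          "y": 620
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Condition: continue to the Cylance branch only when inputs.SHA256 exists
  # ("yes" -> 27); otherwise go straight to Done ("#default#" -> 7).
  # NOTE(review): the `scriptarguments.value` entry (${File.SHA256}) is not
  # referenced by the condition, which reads inputs.SHA256 — it looks like a
  # leftover from an earlier version; confirm before removing it.
  "25":
    id: "25"
    taskid: 339fc232-e5d0-468b-87ea-cf8d41ea0ca6
    type: condition
    task:
      id: 339fc232-e5d0-468b-87ea-cf8d41ea0ca6
      version: -1
      name: Is there a SHA256 hash?
      description: Check if there is a SHA256 hash in context.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "7"
      "yes":
      - "27"
    scriptarguments:
      value:
        simple: ${File.SHA256}
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isExists
          left:
            value:
              complex:
                root: inputs.SHA256
            iscontext: true
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 470,
          "y": 50
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Condition: look in the `modules` context for an instance whose brand is
  # "Cylance Protect v2" and whose state is "active" (both compared
  # case-insensitively). Found -> 28; none -> Done ("#default#" -> 7).
  "27":
    id: "27"
    taskid: 0783a3a6-5d8b-48f1-8dee-f3f0ef62defc
    type: condition
    task:
      id: 0783a3a6-5d8b-48f1-8dee-f3f0ef62defc
      version: -1
      name: Is Cylance Protect v2 enabled?
      description: Checks if there is an active instance of the Cylance Protect v2 integration enabled.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "7"
      "yes":
      - "28"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isExists
          left:
            value:
              complex:
                root: modules
                filters:
                - - operator: isEqualString
                    left:
                      value:
                        simple: modules.brand
                      iscontext: true
                    right:
                      value:
                        simple: Cylance Protect v2
                    ignorecase: true
                - - operator: isEqualString
                    left:
                      value:
                        simple: modules.state
                      iscontext: true
                    right:
                      value:
                        simple: active
                    ignorecase: true
                accessor: brand
            iscontext: true
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 470,
          "y": 250
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Command task: runs cylance-protect-get-threat against the Cylance Protect
  # v2 brand with the de-duplicated inputs.SHA256 values, then goes to Done.
  # `continueonerror: true` means a failed lookup does not stop the playbook;
  # the run then ends without Cylance threat data, and downstream consumers
  # cannot tell that outcome apart from "hash not known" — do not treat an
  # absent verdict as benign.
  "28":
    id: "28"
    taskid: ff014724-3ad2-4ce2-8578-5106c126e76b
    type: regular
    task:
      id: ff014724-3ad2-4ce2-8578-5106c126e76b
      version: -1
      name: Get threat information from Cylance Protect v2
      description: Gets threat information from the Cylance Protect v2 integration.
      script: Cylance Protect v2|||cylance-protect-get-threat
      type: regular
      iscommand: true
      brand: Cylance Protect v2
    nexttasks:
      '#none#':
      - "7"
    scriptarguments:
      sha256:
        complex:
          root: inputs.SHA256
          transformers:
          - operator: uniq
    reputationcalc: 1
    separatecontext: false
    continueonerror: true
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 470,
          "y": 450
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Sub-playbook task: runs "File Enrichment - Virus Total Private API" with
  # `separatecontext: true`. No `scriptarguments` are passed, so the
  # sub-playbook presumably resolves its own input definitions — confirm
  # against that playbook's inputs. `skipunavailable: true` (per the key
  # name) lets the task be skipped rather than failed when no instance can
  # serve it. The `loop` block has max 0 and an empty exitCondition, i.e.
  # no repetition appears to be configured.
  "29":
    id: "29"
    taskid: e5eae00a-9da2-4d93-8ed2-693e0c6c2c89
    type: playbook
    task:
      id: e5eae00a-9da2-4d93-8ed2-693e0c6c2c89
      version: -1
      name: File Enrichment - Virus Total Private API
      description: Get file information using the Virus Total Private API integration.
      playbookName: File Enrichment - Virus Total Private API
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "7"
    separatecontext: true
    continueonerrortype: ""
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 0
    view: |-
      {
        "position": {
          "x": 990,
          "y": 50
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: true
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
system: true
# Editor layout only (edge label positions and canvas size); no runtime effect.
view: |-
  {
    "linkLabelsPosition": {
      "25_27_yes": 0.59,
      "25_7_#default#": 0.44,
      "27_28_yes": 0.57,
      "27_7_#default#": 0.63
    },
    "paper": {
      "dimensions": {
        "height": 775,
        "width": 900,
        "x": 470,
        "y": -90
      }
    }
  }
# Inputs default to the hashes on the File context object, de-duplicated
# with `uniq`. Within this file only SHA256 is referenced (tasks 25 and 28);
# MD5 and SHA1 are declared for callers and, presumably, the VT sub-playbook
# branch — verify against that playbook before relying on them.
inputs:
- key: MD5
  value:
    complex:
      root: File
      accessor: MD5
      transformers:
      - operator: uniq
  required: false
  description: File MD5 hash to enrich.
  playbookInputQuery: null
- key: SHA256
  value:
    complex:
      root: File
      accessor: SHA256
      transformers:
      - operator: uniq
  required: false
  description: The file SHA256 hash to enrich.
  playbookInputQuery: null
- key: SHA1
  value:
    complex:
      root: File
      accessor: SHA1
      transformers:
      - operator: uniq
  required: false
  description: The file SHA1 hash to enrich.
  playbookInputQuery: null
# Context paths this playbook advertises. Every entry carries a `type`; the
# three File.VirusTotal.Scans.* leaf fields are typed from their descriptions
# (Source/Result are text, Detected is True/False).
outputs:
- contextPath: DBotScore.Indicator
  description: The indicator that was tested.
  type: string
- contextPath: DBotScore.Type
  description: The indicator type.
  type: string
- contextPath: File.SHA1
  description: SHA1 hash of the file.
  type: string
- contextPath: File.SHA256
  description: SHA256 hash of the file.
  type: string
- contextPath: File.Malicious.Vendor
  description: For malicious files, the vendor that made the decision.
  type: string
- contextPath: File.MD5
  description: MD5 hash of the file.
  type: string
- contextPath: DBotScore
  description: The DBotScore object.
  type: unknown
- contextPath: File
  description: The file object
  type: unknown
- contextPath: DBotScore.Vendor
  description: Vendor used to calculate the score.
  type: string
- contextPath: DBotScore.Score
  description: The actual score.
  type: number
- contextPath: File.VirusTotal.Scans
  description: The scan object.
  type: unknown
- contextPath: File.VirusTotal.Scans.Source
  description: Vendor that scanned this hash.
  type: string
- contextPath: File.VirusTotal.Scans.Detected
  description: Whether a scan was detected for this hash (True/False).
  type: boolean
- contextPath: File.VirusTotal.Scans.Result
  description: Scan result for this hash - signature, etc.
  type: string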