# Cortex XSOAR playbook definition. Retrieves a file from a path on an endpoint
# into the War Room by delegating to one of two sub-playbooks, chosen in task 1
# from the UseD2 input: the D2 agent (task 10) or VMware Carbon Black EDR Live
# Response (task 12). Both branches end at the "Done" title node (task 8).
id: Get File Sample From Path - Generic V2
version: 1
contentitemexportablefields:
  contentitemfields:
    packID: CommonPlaybooks
    packName: Common Playbooks
    itemVersion: 2.2.1
    fromServerVersion: 5.0.0
    toServerVersion: ""
    definitionid: ""
vcShouldKeepItemLegacyProdMachine: false
name: Get File Sample From Path - Generic V2
# User-facing description. The "inputs:" line is part of this literal block
# (indented under the key), not a YAML key; the real inputs section is further
# down in the file.
description: |
  This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks:
  inputs:
  1) Get File Sample From Path - D2.
  2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).
starttaskid: "0"
tasks:
  # Task 0: start node; flows straight into the UseD2 decision (task 1).
  "0":
    id: "0"
    taskid: 5d887731-fb71-4226-872c-a9e8dbddac42
    type: start
    task:
      id: 5d887731-fb71-4226-872c-a9e8dbddac42
      version: -1
      name: ""
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "1"
    separatecontext: false
    continueonerrortype: ""
    # Editor layout only (JSON kept as a literal block); no runtime effect.
    view: |-
      {
        "position": {
          "x": 265,
          "y": 50
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Task 1: branch on inputs.UseD2. The "yes" label routes to task 10 (D2
  # agent); any other value, including an empty input, takes '#default#' to
  # task 11 (Carbon Black EDR branch).
  "1":
    id: "1"
    taskid: 8adb1ff3-5400-4f88-8a2b-4511ae8303f5
    type: condition
    task:
      id: 8adb1ff3-5400-4f88-8a2b-4511ae8303f5
      version: -1
      name: Use D2 agent?
      description: Yes, if we want to use the D2 agent to get the file.
      type: condition
      iscommand: false
      brand: ""
    nexttasks:
      '#default#':
      - "11"
      "yes":
      - "10"
    # NOTE(review): these scriptarguments compare ${inputs.UseD2} with "True",
    # while the conditions block below compares inputs.UseD2 with "yes". This
    # looks like a stale leftover -- confirm which comparison the engine
    # evaluates, and whether isEqualString treats "Yes"/"YES" as a match.
    scriptarguments:
      left:
        simple: ${inputs.UseD2}
      right:
        simple: "True"
    separatecontext: false
    conditions:
    - label: "yes"
      condition:
      - - operator: isEqualString
          left:
            value:
              simple: inputs.UseD2
            iscontext: true
          right:
            value:
              simple: "yes"
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 265,
          "y": 195
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Task 8: terminal "Done" title node; both sub-playbook tasks (10 and 12)
  # point here.
  "8":
    id: "8"
    taskid: f81d6908-8ce9-452b-8dde-689f44256933
    type: title
    task:
      id: f81d6908-8ce9-452b-8dde-689f44256933
      version: -1
      name: Done
      type: title
      iscommand: false
      brand: ""
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 265,
          "y": 690
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Task 10: D2 sub-playbook. Hostname and Path come from the playbook inputs;
  # "Admin" is passed as the Credentials argument (presumably the name of a
  # credentials-store entry, matching the "default: Admin" in the sub-playbook
  # description -- confirm it exists in the target deployment).
  "10":
    id: "10"
    taskid: acf75e5f-0da0-483e-82e2-2dbf09a0362c
    type: playbook
    task:
      id: acf75e5f-0da0-483e-82e2-2dbf09a0362c
      version: -1
      name: Get File Sample From Path - D2
      description: |-
        Returns a file sample to the War Room from a path on an endpoint using Demisto Dissolvable Agent (D2).
        Input:
        * Credentials - credentials to use when trying to deploy Demisto Dissolvable Agent (D2) (default: Admin)
        * ${Endpoint.Hostname} - deploy agent on target endpoint
        * ${File.Path} - file's path to collect
      playbookName: Get File Sample From Path - D2
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "8"
    scriptarguments:
      Credentials:
        simple: Admin
      Hostname:
        simple: ${inputs.Hostname}
      Path:
        simple: ${inputs.Path}
    separatecontext: false
    continueonerrortype: ""
    # NOTE(review): loop settings differ between this task (max: 0) and task 12
    # (max: 100); with iscommand: false and an empty exitCondition the block is
    # presumably inert -- confirm before relying on either value.
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 0
    view: |-
      {
        "position": {
          "x": -9,
          "y": 370
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    # Presumably lets the run continue when the D2 integration is unavailable;
    # in that case no file is collected on this branch.
    skipunavailable: true
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Task 11: title node marking the Carbon Black EDR branch; leads to task 12.
  "11":
    id: "11"
    taskid: 906138a1-e3ee-4711-889a-4ebcc8c2a1c6
    type: title
    task:
      id: 906138a1-e3ee-4711-889a-4ebcc8c2a1c6
      version: -1
      name: Use VMware Carbon Black EDR (Live Response API)
      type: title
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "12"
    separatecontext: false
    continueonerrortype: ""
    view: |-
      {
        "position": {
          "x": 480,
          "y": 370
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: false
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
  # Task 12: Carbon Black EDR Live Response sub-playbook. Path maps to
  # inputs.Path and Sensor_ID to inputs.Agent_ID (the Carbon Black sensor ID
  # per the description). Unlike task 10 it runs with separatecontext: true --
  # verify its results still surface as the File.* outputs declared below.
  "12":
    id: "12"
    taskid: 03fe6fe7-8aa7-4329-8c0b-6cf3847128d7
    type: playbook
    task:
      id: 03fe6fe7-8aa7-4329-8c0b-6cf3847128d7
      version: -1
      name: Get File Sample From Path - VMware Carbon Black EDR - Live Response API
      description: |-
        This playbook retrieves a file from a path on an endpoint using VMware Carbon Black EDR (Live Response API).
        Make sure to provide the Carbon Black sensor ID of the endpoint from which you want to retrieve the file.
      # Plain scalar continued on the next line (folded into one value by YAML).
      playbookName: Get File Sample From Path - VMware Carbon Black EDR - Live Response
        API
      type: playbook
      iscommand: false
      brand: ""
    nexttasks:
      '#none#':
      - "8"
    scriptarguments:
      Path:
        complex:
          root: inputs.Path
      Sensor_ID:
        complex:
          root: inputs.Agent_ID
    separatecontext: true
    continueonerrortype: ""
    loop:
      iscommand: false
      exitCondition: ""
      wait: 1
      max: 100
    view: |-
      {
        "position": {
          "x": 480,
          "y": 510
        }
      }
    note: false
    timertriggers: []
    ignoreworker: false
    skipunavailable: true
    quietmode: 0
    isoversize: false
    isautoswitchedtoquietmode: false
system: true
# Canvas layout for the whole playbook; no runtime effect.
view: |-
  {
    "linkLabelsPosition": {},
    "paper": {
      "dimensions": {
        "height": 705,
        "width": 869,
        "x": -9,
        "y": 50
      }
    }
  }
# Playbook inputs. None is required and every value defaults to {} (empty), so
# a run with no inputs takes task 1's '#default#' branch (Carbon Black EDR).
inputs:
- key: UseD2
  value: {}
  required: false
  # The text says "no (default)", but the effective default is the empty
  # value above; task 1 only checks for "yes".
  description: |-
    Determines whether a D2 agent will be used to retrieve the file.
    Options:
    no (default)
    yes
  playbookInputQuery: null
# Used by the D2 branch (task 10) only.
- key: Hostname
  value: {}
  required: false
  description: Hostname of the machine on which the file is located.
  playbookInputQuery: null
# Used by both branches (task 10 and task 12).
- key: Path
  value: {}
  required: false
  description: |
    The path of the file to retrieve.
    For example:
    C:\users\folder\file.txt
  playbookInputQuery: null
# Used by the Carbon Black branch (task 12) as Sensor_ID.
- key: Agent_ID
  value: {}
  required: false
  description: The ID of the agent, or of the endpoint, in the relevant integration
    (such as EDR).
  playbookInputQuery: null
# Outputs exposed to the parent context, presumably populated by whichever
# sub-playbook ran. The retrieved file is arbitrary endpoint content (possibly a
# malware sample); downstream tasks should treat File.* data as untrusted.
outputs:
- contextPath: File.Size
  description: The size of the file.
  type: number
- contextPath: File.Type
  description: The type of the file.
  type: string
- contextPath: File.Info
  description: General information of the file.
  type: string
- contextPath: File.MD5
  description: The MD5 hash of the file.
  type: string
- contextPath: File.SHA1
  description: The SHA1 hash of the file.
  type: string
- contextPath: File.SHA256
  description: The SHA256 hash of the file.
  type: string
- contextPath: File.SHA512
  description: The SHA512 hash of the file.
  type: string
- contextPath: File.EntryID
  description: The file entry ID.
  type: string
- contextPath: File.Extension
  description: The file extension.
  type: string
- contextPath: File.Name
  description: The file name.
  type: string
- contextPath: File.SSDeep
  description: File SSDeep.
  type: string