Acti indicator query playbook #18733
Conversation
…ense/content into ACTIIndicatorQuery_playbook
…IndicatorQuery_playbook
@kgal-pan I think this should work
@satyakidroid - Looks good. Please merge from /Utils/git_pull_master_into_fork.sh
@kgal-pan , I think the current state is good.
@yaakovi - This PR was already reviewed by @tomer-pan and approved in #18401 regarding Playbooks. The only difference between the closed internal PR and this one is that this one includes some fixes for UTs that were sending out HTTP requests to Accenture APIs instead of mocking them, see discussion here. Therefore, not sure that we need @idovandijk to review this PR.
* Layout identification bug fixed
* Modified layout for alerts and reports
* Added playbooks
* Updated README
* added user agent
* minor changes
* minor changes
* minor changes
* Added playbooks and modified README
* Added description to Indicator Fields and updated ACTI IntelGraph version
* Update reputation-ACTI_Intelligence_Alert.json
* Update reputation-ACTI_Intelligence_Alert.json
* Adding description to the indicator type.
* missing comma
* Update reputation-ACTI_Intelligence_Report.json
* Added description to playbooks
* description added in playbooks
* removed unused tasks from playbook
* Modified the way threat types were printed in report
* Minor changes
* Added README to playbooks
* Added description for layouts
* Changes made to incident enrichment playbook
* Update README.md
* Update README.md
* Update README.md
* Update playbook-ACTI_Block_Indicators_from_Incident_README.md
* Update playbook-ACTI_Block_Indicators_severity_greater_or_equal_5_README.md
* Update playbook-ACTI_Create_Relationships_README.md
* Update playbook-ACTI_IA_IR_Enrichment_README.md
* Update playbook-ACTI_Incident_Enrichment_README.md
* Update playbook-ACTI_Indicator_Enrichment_README.md
* Update playbook-ACTI_Vulnerability_Enrichment_README.md
* Update Playbook Name
* Update Playbook title
* Update playbook-ACTI_Create_Relationships.yml
* Update Playbook Name
* Description Updated
* Updating Playbook Description
* Update Playbook Description
* Updated Playbook Description.
* Updated playbook config files
* Minor Changes
* Adding markdown postprocessing logic to download inline image links and include them as encoded images
* Fixing errors
* Errors Fixed : Try 2
* Fixing ACTI Feed coverage issue
* Fixing UT coverage for ACTIIndicatorQuery
* Fixing UTs and flake8 errors
* Added UT for addBaseUrlToPartialPaths func
* UT added for domain and IP not found
* UT for markdown postprocessing
* minor changes
* resolving flake8 errors
* threatintelreport command & some minor bugs fixed
* Error fix : Try 1
* Minor changes
* Fixing NoneType object issue
* Fixed bug which was not creating relationship
* Removed Report Enrichment step in Incident Enrichment playbook
* Added user choice to block or not block indicators
* Have added DeleteContext for user choice key and added ACTI Indicator Enrichment as sub-playbook
* Added case when IA IR is not present, also have tweaked the playbook to work with 1 or more reports
* Fixing Errors
* Update playbook-ACTI_Block_High_Severity_Indicators_README.md
* Update playbook-ACTI_Block_Indicators_from_an_Incident_README.md
* Update playbook-ACTI_Create_Report-Indicator_Associations_README.md
* Update playbook-ACTI_Incident_Enrichment_README.md
* Fixed bug which wasn't able to create relationship when there is 1 indicator and 1 report
* Update playbook-ACTI_Incident_Enrichment_README.md
* Update playbook-ACTI_Block_Indicators_from_an_Incident.yml
* Update playbook-ACTI_Block_High_Severity_Indicators.yml
* Update playbook-ACTI_Vulnerability_Enrichment.yml
* Update playbook-ACTI_Vulnerability_Enrichment_README.md
* Update playbook-ACTI_Block_Indicators_from_an_Incident_README.md
* Update playbook-ACTI_Block_High_Severity_Indicators_README.md
* Update playbook-ACTI_Create_Report-Indicator_Associations.yml
* Update playbook-ACTI_Create_Report-Indicator_Associations_README.md
* Update playbook-ACTI_Create_Report-Indicator_Associations_README.md
* Update playbook-ACTI_Report_Enrichment.yml
* Update playbook-ACTI_Report_Enrichment_README.md
* Update playbook-ACTI_Indicator_Enrichment.yml
* Update playbook-ACTI_Indicator_Enrichment_README.md
* Minor changes
* Update README.md
* Fixing UT
* Added UT for enocded_images
* Resolved flake8 errors
* Made a few changes to add test.com instead of intelgraph.idefense.com to mocker

Co-authored-by: Ankit Mordhwaj <[email protected]>
Co-authored-by: nirmalneupane <[email protected]>
Co-authored-by: Nirmal Neupane <[email protected]>
Co-authored-by: Satyaki Chakraborti <[email protected]>
Co-authored-by: Ankit Mordhwaj <[email protected]>
Co-authored-by: nirmalneupane <[email protected]>
Co-authored-by: Nirmal Neupane <[email protected]>
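The review comment about UTs that were sending real HTTP requests to Accenture APIs, and the last commit in the list (pointing the mocker at test.com instead of intelgraph.idefense.com), come down to one rule: a unit test must never reach the live API, and the test suite should fail loudly if one does. The block below is an added example, not code from this PR or from the XSOAR content repository. `acti_lookup_indicator`, `FakeResponse`, `no_network`, `RealNetworkAttempted`, the `test.com` base URL, the URL path and the canned JSON are all assumptions standing in for the integration's real client; it uses only the standard library (urllib plus unittest.mock) rather than the repo's requests-based BaseClient and pytest `mocker`, so it runs offline.

```python
"""Added example, not code from this PR or the XSOAR content repo.

Shows the two pieces the PR discussion calls for: mocking the HTTP transport
in a unit test, and a guard that fails the test if anything still tries to
reach a real host. acti_lookup_indicator, FakeResponse, no_network, the
test.com base URL and the canned JSON are assumptions, not the real client.
"""
import json
import socket
import urllib.parse
import urllib.request
from contextlib import contextmanager
from unittest import mock

# Placeholder host, mirroring the PR's switch from the real API host to
# test.com in the mocker. Nothing below ever connects to it.
BASE_URL = "https://test.com"


def acti_lookup_indicator(indicator: str) -> dict:
    """Hypothetical client: fetch one indicator's record and normalise it."""
    url = f"{BASE_URL}/rest/indicator?key={urllib.parse.quote(indicator)}"
    req = urllib.request.Request(url, headers={"User-Agent": "acti-example/0.1"})
    with urllib.request.urlopen(req) as resp:
        body = json.loads(resp.read().decode("utf-8"))
    results = body.get("results") or []
    if not results:
        # the "domain and IP not found" case: API answers with an empty list
        return {"indicator": indicator, "found": False}
    first = results[0]
    return {
        "indicator": indicator,
        "found": True,
        "severity": int(first.get("severity", 0)),
        "threat_types": sorted(first.get("threat_types", [])),
    }


class FakeResponse:
    """Stand-in for what urlopen returns: read() plus the context-manager protocol."""

    def __init__(self, payload: dict, status: int = 200):
        self._body = json.dumps(payload).encode("utf-8")
        self.status = status

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class RealNetworkAttempted(AssertionError):
    """Raised when code under test tries to open a real socket."""


@contextmanager
def no_network():
    """Make any real connection attempt fail fast.

    getaddrinfo is stubbed so the outcome does not depend on DNS, and
    socket.connect is replaced so the first real connect raises. This is the
    check that would have caught the unmocked tests the PR fixes.
    """
    fake_addr = [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.1", 443))]

    def refuse(self, address):
        raise RealNetworkAttempted(f"test attempted a real connection to {address}")

    with mock.patch.object(socket, "getaddrinfo", return_value=fake_addr), \
            mock.patch.object(socket.socket, "connect", refuse):
        yield


def run_mocked_lookup() -> dict:
    """Unit test as it should be: transport mocked, real network refused."""
    canned = {"results": [{"key": "198.51.100.7", "severity": 5,
                           "threat_types": ["Phishing", "Malware"]}]}  # constructed sample
    with no_network(), mock.patch("urllib.request.urlopen",
                                  return_value=FakeResponse(canned)) as fake_open:
        record = acti_lookup_indicator("198.51.100.7")
    sent = fake_open.call_args[0][0]  # the Request object the client built
    assert sent.full_url.startswith(BASE_URL + "/")
    assert sent.get_header("User-agent") == "acti-example/0.1"
    return record


def run_not_found_lookup() -> dict:
    """Same setup for the empty-result path."""
    with no_network(), mock.patch("urllib.request.urlopen",
                                  return_value=FakeResponse({"results": []})):
        return acti_lookup_indicator("example.invalid")


def unmocked_lookup_is_refused() -> bool:
    """The bug the PR fixed, reproduced: no mock, so the client would go live.
    With the guard active the test fails instead of phoning home."""
    with no_network():
        try:
            acti_lookup_indicator("198.51.100.7")
        except RealNetworkAttempted:
            return True
    return False


if __name__ == "__main__":
    print(run_mocked_lookup())
    print(run_not_found_lookup())
    print("unmocked call refused:", unmocked_lookup_is_refused())
```

Wrapping every test in the `no_network()` guard (a pytest autouse fixture does the same job) is what turns "forgot to mock" from a silent outbound request into an immediate test failure, and asserting on the captured `Request` keeps the mock from hiding a wrong URL or a missing user agent.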
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
fixes: link to the issue
Description
This PR is created to continue working on (#18725)
Screenshots
Paste here any images that will help the reviewer
Minimum version of Cortex XSOAR
Does it break backward compatibility?
Must have