[ASM] - Rapid7 & Splunk Cortex ASM Enrichment - Expander 1613 & 90 #24837
ASM Splunk Playbook - Update search query to handle null represented as strings - Add Grid setup for asmowner Remove temporary values from ASM Enrichment playbook
Add Rapid7 and Splunk playbook information. Update ToC for Playbooks to be Alphanum order. Update "Automated Remediation requirements" to follow Alphanum order.
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @daryakoval will know he can start reviewing the proposed changes.
CC: @johnnywilkes @capanw for review
@daryakoval Thank you for approving. I have one question about a new validation check that I haven't seen before:
The
@BigEasyJ This is a new validation check. I will check why it is not recognizing
- Add tasks to check asset ID and set it as an ASM system ID.
johnnywilkes left a comment
@BigEasyJ, please see my comments
##### Cortex ASM - ASM Alert
- Updated the from version to 6.8.0
Suggested change: - Updated the from version to 6.8.0.
##### Cortex ASM - Enrichment
- Updated the from version to 6.8.0
Suggested change: - Updated the from version to 6.8.0.
##### InferWhetherServiceIsDev
- Updated the Docker image to: *demisto/python3:3.10.10.4839*.
Suggested change: - Updated the Docker image to: *demisto/python3:3.10.10.48392*.
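Review bot: the image tag in the original release-note line, `3.10.10.4839`, is truncated; the PR description states the image as `demisto/python3:3.10.10.48392`, so the suggested line with `*demisto/python3:3.10.10.48392*` is the one to apply so that the release note matches the image the PR actually sets.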
Playbook that given the IP address enriches Tenable.io information relevant to ASM alerts.
You can change this later (separate PR right away or when the playbook is edited in the future).
Playbook that given the IP address enriches Splunk information relevant to ASM alerts.
note: false
timertriggers: []
ignoreworker: false
skipunavailable: false
Suggested change: skipunavailable: true
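Review bot: the suggestion flips `skipunavailable` from `false` to `true` on this task; assuming this is the task that invokes the Splunk enrichment sub-playbook, that is the safer setting, because the parent enrichment playbook then continues when the Splunk integration is not configured or reachable instead of failing the whole run, which is the behaviour an optional enrichment step should have.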
| **Path** | **Description** | **Type** |
| --- | --- | --- |
| asmserviceowner | This is the potential service owners from splunk results. | unknown |
I don't think this is necessary because the GridFieldSetup automation in the playbook is exporting the value to the field, therefore it doesn't need to be returned as raw context. What do you think?
Agreed, that was leftover from a previous change. I'll remove it.
iscontext: true
right:
value:
simple: owner
Nitty question: Is it possible that only the owner AssetTag.Type could be found and therefore this would fail? The previous conditional seems to only check for Nexpose.AssetTag and not Nexpose.AssetTag where type != owner, so I think there might be a potential failure scenario, though I don't know how rare it is. Will leave it up to you to change if you please.
- Removed output.
- Update conditional task for non-owner tags
johnnywilkes left a comment
@BigEasyJ , thanks for making these changes, this is now approved!
@BigEasyJ Hi, the GR103 validation error is a bug in our validation. We will force merge your PR and fix the validation.
3bdd91d into demisto:contrib/BigEasyJ_rapid7-splunk-cortex-asm-enrichment
…24837) (#24868)
* Add rapid7 ASM enrichment playbook and docs
* Add Splunk ASM enrichment playbook and docs
* Update Cortex ASM enrichment playbook and docs
* Update ASM Splunk Playbook and ASM enrichment ASM Splunk Playbook - Update search query to handle null represented as strings - Add Grid setup for asmowner Remove temporary values from ASM Enrichment playbook
* Update docker images in other scripts and integrations
* Sort pack metadata dependencies, add Splunk/R7
* Update pack README Add Rapid7 and Splunk playbook information. Update ToC for Playbooks to be Alphanum order. Update "Automated Remediation requirements" to follow Alphanum order.
* Add 1.5.3 release notes
* Update Remediation Path Rules docker image
* Update ReadMe format and alphanum order
* Update release notes
* Update Splunk README and pic
* Update Rapid7 yml and README
* Update pack ignore
* Update format for Rapid7 playbook
* Update from version of ASM enrichment playbook
* Update from version of ASM alert playbook to 6.8
* Update release notes
* Update ASM Rapid7 Enrichment playbook - Add tasks to check asset ID and set it as an ASM system ID.
* Update ASM Splunk enrichment playbook. - Removed output.
* Update ASM Rapid7 enrichment playbook - Update conditional task for non-owner tags
* Update README and release notes
* Update ASM Splunk playbook README
Co-authored-by: John <[email protected]>

Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
EXPANDR-90
EXPANDR-1613
Description
Added new playbooks Cortex ASM - Splunk Enrichment and Cortex ASM - Rapid7 Enrichment to the Cortex ASM - Enrichment playbook.
Updated the Docker image to: *demisto/python3:3.10.10.48392* for:
Minimum version of Cortex XSOAR
Does it break backward compatibility?
Must have