
Xpanse Incident Handling - Generic

This Playbook is part of the Cortex Xpanse by Palo Alto Networks (Deprecated) Pack.

Deprecated

Use Xpanse - Alert Handler playbook instead.

A generic playbook for handling Xpanse issues. The logic behind this playbook is to work with an internal exclusions list that helps the analyst reach a decision or, if configured, closes incidents automatically. The phases of this playbook are:

  1. Check whether the assets (IP, Domain or Certificate) associated with the issue are present in the exclusions list and, optionally, close the incident automatically.
  2. Optionally, enrich indicators and calculate the severity of the issue using sub-playbooks.
  3. Optionally, allow the analyst to add the associated assets (IP, Domain or Certificate) to the exclusions list.
  4. Tag the associated assets.
  5. Update the status of the issue.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Extract and Enrich Expanse Indicators
  • Calculate Severity - Standard
  • Expanse Load-Create List

Integrations

ExpanseV2

Scripts

  • AddKeyToList
  • Set
  • ExpanseRefreshIssueAssets

Commands

  • expanse-update-issue
  • expanse-create-tag
  • expanse-get-certificate
  • expanse-assign-tags-to-asset
  • closeInvestigation
  • expanse-get-issue-comments

Playbook Inputs

Each input is listed with its name, default value, whether it is required, and a description.

ExclusionsList
  Default Value: XpanseExclusionsList
  Required: Required
  Description: The name of an internal XSOAR list which includes all IP values or domain values in the allowed list. If no list currently exists, the playbook will create it for you with the given name.
  The structure of this list should be:

  {
    "Addresses": [
      {
        "ip": "x.x.x.x",
        "issueTypeID": "issueTypeIDHere",
        "port": 123,
        "protocol": "UDP"
      },
      {
        "ip": "x.x.x.x",
        "issueTypeID": "issueTypeIDHere",
        "port": 456,
        "protocol": "TCP"
      },
      ...
    ],
    "Domains": [
      {
        "domain": "some.domain.com",
        "issueTypeID": "issueTypeIDHere",
        "port": 80,
        "protocol": "TCP"
      },
      ...
    ],
    "Certificates": [
      {
        "sha256fingerprint": "value of sha256 fingerprint",
        "issueTypeID": "issueTypeIDHere",
        "subject": "certificate subject"
      },
      ...
    ]
  }

  For example:

  {
    "Addresses": [
      {
        "ip": "10.0.0.1",
        "issueTypeID": "MissingXFrameOptionsHeader",
        "port": 443,
        "protocol": "TCP"
      },
      {
        "ip": "10.0.0.2",
        "issueTypeID": "WildcardCertificate",
        "port": 443,
        "protocol": "TCP"
      }
    ],
    "Domains": [
      {
        "domain": "my.domain.com",
        "issueTypeID": "ApacheWebServer",
        "port": 443,
        "protocol": "TCP"
      }
    ],
    "Certificates": [
      {
        "sha256fingerprint": "f2ca1bb.....6fd2",
        "issueTypeID": "ShortKeyCertificate",
        "subject": "C=US,ST=WASHINGTON,L=.....E=John@test.com"
      }
    ]
  }

  In the above example, the allow list covers the "MissingXFrameOptionsHeader" issue type ID on 10.0.0.1:443, the "WildcardCertificate" issue type ID on 10.0.0.2:443, the "ApacheWebServer" issue type ID on my.domain.com:443, and "ShortKeyCertificate" on a certificate with a specific sha256 fingerprint and subject.

EnrichIndicators
  Default Value: True
  Required: Optional
  Description: Whether to extract and enrich indicators automatically using the "Entity Enrichment - Generic V3" playbook.

CalculateSeverity
  Default Value: True
  Required: Optional
  Description: Whether to calculate the severity of the incident automatically using the "Calculate Severity - Standard" playbook.

CommonTags
  Default Value: (none)
  Required: Optional
  Description: A comma-separated list of common tags (lower case letters) which your organization uses.
  For example:
  tag1, tag2, tag3 ...

CloseWhenExcluded
  Default Value: (none)
  Required: Optional
  Description:
  True - Close the incident automatically if the current issue's certificate or domain are excluded. If an IP is excluded, close automatically only if there is no domain for the incident.
  False - Let the analyst go over the incident manually even if the assets are excluded.

AutomaticTagValue
  Default Value: excluded-in-xsoar
  Required: Optional
  Description: If the value of "CloseWhenExcluded" is "True", tag associated assets with this value in Xpanse.
  For example, if the value of "AutomaticTagValue" is "excluded-in-xsoar", the tag "excluded-in-xsoar" will be assigned to the assets.
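To make the exclusion check and the CloseWhenExcluded rule concrete, here is an added Python example that is not part of the playbook or the pack's own code. It parses a list in the documented ExclusionsList layout, decides which of an issue's assets (IP, domain, certificate) are excluded, applies the close rule exactly as the input description states it, and implements the analyst's "add to exclusions" step with duplicate protection. The exact matching rule the playbook uses is not spelled out on this page; the example assumes an entry excludes an asset only when every documented key of that entry (for Addresses: ip, issueTypeID, port, protocol; for Domains: domain, issueTypeID, port, protocol; for Certificates: sha256fingerprint, issueTypeID, subject) matches the issue, with strings compared case-insensitively. The sample list and issue records are constructed; the fingerprint is a placeholder. Function names such as `check_exclusions`, `should_auto_close`, `add_exclusion` and `triage` are the example's own.

```python
import json

# Constructed sample exclusions list in the layout the ExclusionsList input
# documents. Every value is illustrative; the fingerprint is a placeholder.
SAMPLE_EXCLUSIONS = """
{
  "Addresses": [
    {"ip": "10.0.0.1", "issueTypeID": "MissingXFrameOptionsHeader", "port": 443, "protocol": "TCP"},
    {"ip": "10.0.0.2", "issueTypeID": "WildcardCertificate", "port": 443, "protocol": "TCP"}
  ],
  "Domains": [
    {"domain": "my.domain.com", "issueTypeID": "ApacheWebServer", "port": 443, "protocol": "TCP"}
  ],
  "Certificates": [
    {"sha256fingerprint": "SHA256_PLACEHOLDER", "issueTypeID": "ShortKeyCertificate",
     "subject": "C=US,ST=WASHINGTON,L=Seattle,O=Example,CN=example.com"}
  ]
}
"""

# Keys each section is matched on, taken from the documented list layout.
MATCH_KEYS = {
    "Addresses": ("ip", "issueTypeID", "port", "protocol"),
    "Domains": ("domain", "issueTypeID", "port", "protocol"),
    "Certificates": ("sha256fingerprint", "issueTypeID", "subject"),
}


def _norm(value):
    """Normalise a field for comparison: strings are trimmed and case-folded."""
    if isinstance(value, str):
        return value.strip().casefold()
    return value


def load_exclusions(raw):
    """Parse the list content; a missing section is treated as empty."""
    data = json.loads(raw) if raw.strip() else {}
    return {section: data.get(section, []) for section in MATCH_KEYS}


def _matches(entry, issue, keys):
    # Assumption: an entry applies only if every documented key agrees.
    return all(_norm(entry.get(k)) == _norm(issue.get(k)) for k in keys)


def check_exclusions(exclusions, issue):
    """Return which of the issue's assets (ip, domain, certificate) are excluded."""
    return {
        "ip": issue.get("ip") is not None and any(
            _matches(e, issue, MATCH_KEYS["Addresses"]) for e in exclusions["Addresses"]),
        "domain": issue.get("domain") is not None and any(
            _matches(e, issue, MATCH_KEYS["Domains"]) for e in exclusions["Domains"]),
        "certificate": issue.get("sha256fingerprint") is not None and any(
            _matches(e, issue, MATCH_KEYS["Certificates"]) for e in exclusions["Certificates"]),
    }


def should_auto_close(excluded, issue, close_when_excluded):
    """CloseWhenExcluded rule: an excluded certificate or domain closes the
    incident; an excluded IP closes it only when the issue carries no domain."""
    if not close_when_excluded:
        return False
    if excluded["certificate"] or excluded["domain"]:
        return True
    return bool(excluded["ip"] and not issue.get("domain"))


def add_exclusion(exclusions, section, entry):
    """Analyst step: add an asset to a section, rejecting malformed or duplicate entries."""
    keys = MATCH_KEYS[section]
    if set(entry) != set(keys):
        raise ValueError(f"{section} entry must have exactly the keys {keys}")
    if any(_matches(e, entry, keys) for e in exclusions[section]):
        return False  # already excluded, nothing to add
    exclusions[section].append(dict(entry))
    return True


def triage(raw_list, issue, close_when_excluded=True):
    """Convenience wrapper: (excluded flags, auto-close decision) for one issue."""
    excluded = check_exclusions(load_exclusions(raw_list), issue)
    return excluded, should_auto_close(excluded, issue, close_when_excluded)


if __name__ == "__main__":
    # Constructed issue: excluded IP, no domain, so the rule allows auto-close.
    issue = {"issueTypeID": "MissingXFrameOptionsHeader", "ip": "10.0.0.1",
             "port": 443, "protocol": "tcp"}
    print(triage(SAMPLE_EXCLUSIONS, issue))
```

The `triage` call returns the per-asset flags alongside the decision, so an analyst reviewing an auto-closed incident can see which entry triggered it; keeping `add_exclusion` strict about keys prevents a malformed entry from silently never matching.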

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Image: Xpanse Incident Handling - Generic]