
iot-security-get-raci

This script is part of the Palo Alto Networks IoT Pack.

IoT RACI model script

Script Data

| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | iot |
| Cortex XSOAR Version | 5.5.0 |

This script uses the device and incident attributes to determine the Responsible (R) and Informed (I) parties in the RACI model.

A list variable needs to be created with a fixed format JSON. You can create a new XSOAR list variable under Settings > Advanced > Lists.

By default, the name of the list variable is IOT_CONFIG.

There are three main sections in the JSON: devices, alerts, and groups.

"devices" is a list of devices mapping to the owners based on the device_id, which is a concatenation of the device's category, profile, vendor and model delimited by "|".

  • device_id: a regular expression to match
  • owner: a group name, which is also defined in the "groups" section

"alerts" is a list of conditions to map a combination of IoT incident type and incident names to the RACI model.

  • iot_raw_type: either "IoT Alert" or "IoT Vulnerability"
  • name_regex: a list of regular expressions that are matched against the alert/vulnerability names
  • raci: a section to define the RACI model for the match. If the value is "IOT_OWNER", we look up the underlying group using the mapping in "devices" section.

"groups" defines all the groups referenced in the "devices" and "alerts" sections.

  • email: the email address of the group. It is used when setting the incident owner in XSOAR or when sending an email through the email integration.
  • snow: has three fields, table, fields and custom_fields. These are the values passed to the official ServiceNow integration when a ServiceNow ticket is created.

Here is the template of the JSON:

```json
{
  "devices": [
    {
      "device_id": "Audio Streaming|Profusion.*",
      "owner": "IT_AUDIO_VIDEO"
    },
    {
      "device_id": "Camera|Avigilon Camera.*",
      "owner": "PHYSICAL_SECURITY"
    }
  ],
  "alerts": [
    {
      "iot_raw_type": "IoT Alert",
      "name_regex": [
        "DOUBLEPULSAR.+",
        "ECLIPSEDWING.+",
        "ETERNALBLUE.+"
      ],
      "raci": {
        "r": "SOC",
        "i": ["IOT_OWNER"]
      }
    },
    {
      "iot_raw_type": "IoT Vulnerability",
      "raci": {
        "r": "IOT_OWNER",
        "i": ["INFOSEC", "SOC"]
      }
    }
  ],
  "groups": {
    "DEFAULT": {
      "email": "default@example.com"
    },
    "SOC": {
      "email": "soc@example.com"
    },
    "INFOSEC": {
      "email": "infosec@example.com"
    },
    "IT_AUDIO_VIDEO": {
      "email": "av@example.com",
      "snow": {
        "table": "incident",
        "fields": {
          "assignment_group": "98dae8874fd67348bf547fe24210c7a0"
        },
        "custom_fields": {
          "u_custom_field1": "IT",
          "u_category": "05b9e5371b3b08905f28fc43cd4bcbe2"
        }
      }
    },
    "PHYSICAL_SECURITY": {
      "email": "security@example.com"
    }
  }
}
```
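The evaluation the sections above describe, written out as an added Python example (this is not the script's own code from the IoT Pack): the device is mapped to its owner through the "devices" regexes, the incident is matched to an "alerts" rule by type and name, "IOT_OWNER" is resolved to that owner, and the result is shaped like the PaloAltoNetworksIoT.RACI output. The function names `resolve_owner`, `find_alert_rule`, `evaluate_raci` and `validate_config` are hypothetical, and the example assumes that the first matching device rule wins, that a rule without name_regex (like the vulnerability rule in the template) applies to every name of its type, and that a device matching no rule is owned by the DEFAULT group. `validate_config` is the pre-flight check a practitioner would want before saving the list in XSOAR, since a bad regex or a reference to an undefined group otherwise only shows up while an incident is being handled.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the IOT_CONFIG template from this page as a Python dict.
IOT_CONFIG_SAMPLE: Dict[str, Any] = {
    "devices": [
        {"device_id": "Audio Streaming|Profusion.*", "owner": "IT_AUDIO_VIDEO"},
        {"device_id": "Camera|Avigilon Camera.*", "owner": "PHYSICAL_SECURITY"},
    ],
    "alerts": [
        {"iot_raw_type": "IoT Alert",
         "name_regex": ["DOUBLEPULSAR.+", "ECLIPSEDWING.+", "ETERNALBLUE.+"],
         "raci": {"r": "SOC", "i": ["IOT_OWNER"]}},
        {"iot_raw_type": "IoT Vulnerability",
         "raci": {"r": "IOT_OWNER", "i": ["INFOSEC", "SOC"]}},
    ],
    "groups": {
        "DEFAULT": {"email": "default@example.com"},
        "SOC": {"email": "soc@example.com"},
        "INFOSEC": {"email": "infosec@example.com"},
        "IT_AUDIO_VIDEO": {
            "email": "av@example.com",
            "snow": {"table": "incident",
                     "fields": {"assignment_group": "98dae8874fd67348bf547fe24210c7a0"},
                     "custom_fields": {"u_custom_field1": "IT",
                                       "u_category": "05b9e5371b3b08905f28fc43cd4bcbe2"}},
        },
        "PHYSICAL_SECURITY": {"email": "security@example.com"},
    },
}


def resolve_owner(config, category, profile, vendor, model) -> str:
    """Map a device to its owner group through the 'devices' section.
    device_id is category|profile|vendor|model, tested with re.match against
    each rule in order; first hit wins. Assumption: no hit means DEFAULT."""
    device_id = "|".join([category, profile, vendor, model])
    for entry in config.get("devices", []):
        if re.match(entry["device_id"], device_id):
            return entry["owner"]
    return "DEFAULT"


def find_alert_rule(config, raw_type, alert_name) -> Optional[Dict[str, Any]]:
    """First 'alerts' rule whose iot_raw_type matches and whose name_regex
    (if present) matches the alert name. Assumption: no name_regex = any name."""
    for rule in config.get("alerts", []):
        if rule.get("iot_raw_type") != raw_type:
            continue
        patterns = rule.get("name_regex")
        if not patterns or any(re.match(p, alert_name or "") for p in patterns):
            return rule
    return None


def evaluate_raci(config, alert_name, raw_type, category, profile, vendor, model):
    """Build a dict shaped like the PaloAltoNetworksIoT.RACI output on this page."""
    groups = config.get("groups", {})
    owner = resolve_owner(config, category, profile, vendor, model)
    rule = find_alert_rule(config, raw_type, alert_name)
    if rule is None:
        return None  # no RACI defined for this incident type / name

    def concrete(group: str) -> str:  # IOT_OWNER resolves via the device mapping
        return owner if group == "IOT_OWNER" else group

    r = concrete(rule["raci"]["r"])
    informed = [concrete(g) for g in rule["raci"].get("i", [])]
    result = {
        "owner": owner,
        "r": r,
        "r_email": groups.get(r, {}).get("email", ""),
        "i": ",".join(informed),
        "i_email": ",".join(groups.get(g, {}).get("email", "") for g in informed),
    }
    if "snow" in groups.get(r, {}):  # only the responsible party's ticket settings
        result["r_snow"] = groups[r]["snow"]
    return result


def validate_config(config) -> List[str]:
    """Lint an IOT_CONFIG before it is saved as an XSOAR list."""
    problems: List[str] = []
    groups = config.get("groups", {})

    def check_regex(pattern, where):
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"{where}: invalid regex {pattern!r} ({exc})")

    def check_group(name, where):
        if name != "IOT_OWNER" and name not in groups:
            problems.append(f"{where}: group {name!r} is not defined in 'groups'")

    for n, dev in enumerate(config.get("devices", [])):
        check_regex(dev.get("device_id", ""), f"devices[{n}].device_id")
        check_group(dev.get("owner", ""), f"devices[{n}].owner")
    for n, rule in enumerate(config.get("alerts", [])):
        for p in rule.get("name_regex", []):
            check_regex(p, f"alerts[{n}].name_regex")
        raci = rule.get("raci", {})
        check_group(raci.get("r", ""), f"alerts[{n}].raci.r")
        for g in raci.get("i", []):
            check_group(g, f"alerts[{n}].raci.i")
    if "DEFAULT" not in groups:
        problems.append("groups: no DEFAULT group for devices that match no rule")
    return problems
```

One thing worth knowing when writing device_id patterns: "|" is the delimiter of the device_id string but also the regex alternation operator, so under Python's `re` module (as used in this example) the template pattern "Audio Streaming|Profusion.*" matches any device_id that starts with "Audio Streaming" or that starts with "Profusion", not only Profusion devices in the Audio Streaming category. Escape the delimiter (`\|`) in a pattern when the whole category|profile prefix is intended, and review the owner mapping for a few representative devices before relying on it to route incidents.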

Used In


This script is used in the following playbooks and scripts.

  • PANW IoT Incident Handling with ServiceNow

Inputs

| Argument Name | Description |
|---|---|
| alert_name | The name of the IoT alert. |
| raw_type | The raw type of the incident. |
| category | The device category. |
| profile | The device profile. |
| vendor | The device vendor. |
| model | The device model. |
| iot_config_list_name | The variable name for IOT_CONFIG. |

Outputs

| Path | Description | Type |
|---|---|---|
| PaloAltoNetworksIoT.RACI | The RACI model of the IoT incident | unknown |
| PaloAltoNetworksIoT.RACI.r | The responsible party in the RACI model | string |
| PaloAltoNetworksIoT.RACI.r_email | The email of the responsible party in the RACI model | string |
| PaloAltoNetworksIoT.RACI.i | The informed parties in the RACI model | string |
| PaloAltoNetworksIoT.RACI.i_email | The emails of the informed parties in the RACI model, comma-delimited | string |
| PaloAltoNetworksIoT.RACI.owner | The IoT owner of the device | string |
| PaloAltoNetworksIoT.RACI.r_snow | The ServiceNow information of the incident's responsible party | string |
| PaloAltoNetworksIoT.RACI.r_snow.fields | The fields of the ServiceNow ticket | string |
| PaloAltoNetworksIoT.RACI.r_snow.custom_fields | The custom fields of the ServiceNow ticket | string |
| PaloAltoNetworksIoT.RACI.r_snow.table | The table of the ServiceNow ticket | string |