feat(playbook): Clean up existing

TracecatHQ · Jun 22, 2024 · 848aeb3 · 848aeb3
1 parent 6d85c3a
commit 848aeb3
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 27 deletions.
diff --git a/playbooks/alert_management/aws-guardduty-to-slack.yml b/playbooks/alert_management/aws-guardduty-to-slack.yml
@@ -66,7 +66,7 @@ actions:
     for_each: ${{ for var.smac in ACTIONS.reshape_findings_into_smac.result }}
     args:
       channel: ${{ SECRETS.slack_channel.SLACK_CHANNEL }}
-      text: GuardDuty findings for past 24h
+      text: GuardDuty findings
       blocks:
         - type: header
           text:
@@ -87,19 +87,3 @@ actions:
               text: "*Action:* ${{ var.smac.action }}"
             - type: mrkdwn
               text: "*Context:* ${{ var.smac.context }}"
-        - type: actions
-          elements:
-            - type: button
-              text:
-                type: plain_text
-                emoji: true
-                text: "Suppress"
-              style: primary
-              value: "click_me_123"
-            - type: button
-              text:
-                type: plain_text
-                emoji: true
-                text: "Escalate"
-              style: danger
-              value: "click_me_123"
diff --git a/playbooks/alert_management/crowdstrike-to-cases.yml b/playbooks/alert_management/crowdstrike-to-cases.yml
@@ -40,16 +40,44 @@ actions:
           updated_at: ${{ var.alert.updated_timestamp -> str }} # Timestamp indicating when the alert was last updated
           created_at: ${{ var.alert.created_timestamp -> str }} # Timestamp indicating when the alert was created
 
+  - ref: send_slack_notification
+    action: integrations.chat.slack.post_slack_message
+    depends_on: reshape_alerts_into_smac
+    for_each: ${{ for var.smac in ACTIONS.reshape_alerts_into_smac.result }}
+    args:
+      channel: ${{ SECRETS.slack.SLACK_CHANNEL }}
+      text: Crowdstrike alerts
+      blocks:
+        - type: header
+          text:
+            type: plain_text
+            text: ${{ var.smac.title }}
+            emoji: true
+        - type: section
+          text:
+            type: mrkdwn
+            text: ${{ var.smac.description }}
+        - type: section
+          fields:
+            - type: mrkdwn
+              text: "*Status:* ${{ var.smac.status }}"
+            - type: mrkdwn
+              text: "*Malice:* ${{ var.smac.malice }}"
+            - type: mrkdwn
+              text: "*Action:* ${{ var.smac.action }}"
+            - type: mrkdwn
+              text: "*Context:* ${{ var.smac.context }}"
+
   - ref: open_cases
     action: core.open_case
     depends_on:
-      - suggest_osquery_queries
-    for_each: ${{ for var.alert in ACTIONS.reshape_alerts_into_smac.result }}
+      - reshape_alerts_into_smac
+    for_each: ${{ for var.smac in ACTIONS.reshape_alerts_into_smac.result }}
     args:
-      case_title: ${{ var.alert.title }}
-      status: ${{ var.alert.status }}
-      malice: ${{ var.alert.malice }}
-      action: ${{ var.alert.action }}
-      context: ${{ var.alert.context }}
-      payload: ${{ var.alert.payload }}
-      priority: ${{ var.alert.severity }}
+      case_title: ${{ var.smac.title }}
+      status: ${{ var.smac.status }}
+      malice: ${{ var.smac.malice }}
+      action: ${{ var.smac.action }}
+      context: ${{ var.smac.context }}
+      payload: ${{ var.smac.payload }}
+      priority: ${{ var.smac.severity }}
diff --git a/playbooks/alert_management/datadog-siem-to-slack.yml b/playbooks/alert_management/datadog-siem-to-slack.yml
@@ -75,7 +75,7 @@ actions:
       - ${{ for var.user_ids in ACTIONS.extract_slack_user_ids.result }}
     args:
       channel: ${{ SECRETS.slack.SLACK_CHANNEL }}
-      text: Datadog alerts (last )
+      text: Datadog alerts
       blocks:
         - type: header
           text: