From 848aeb326a566300e62fd6693cc933053426bb87 Mon Sep 17 00:00:00 2001 From: Chris Lo <46541035+topher-lo@users.noreply.github.com> Date: Sat, 22 Jun 2024 10:29:17 -0700 Subject: [PATCH] feat(playbook): Clean up existing --- .../aws-guardduty-to-slack.yml | 18 +------- .../alert_management/crowdstrike-to-cases.yml | 46 +++++++++++++++---- .../datadog-siem-to-slack.yml | 2 +- 3 files changed, 39 insertions(+), 27 deletions(-) diff --git a/playbooks/alert_management/aws-guardduty-to-slack.yml b/playbooks/alert_management/aws-guardduty-to-slack.yml index 96eabde85..d56dfb24d 100644 --- a/playbooks/alert_management/aws-guardduty-to-slack.yml +++ b/playbooks/alert_management/aws-guardduty-to-slack.yml @@ -66,7 +66,7 @@ actions: for_each: ${{ for var.smac in ACTIONS.reshape_findings_into_smac.result }} args: channel: ${{ SECRETS.slack_channel.SLACK_CHANNEL }} - text: GuardDuty findings for past 24h + text: GuardDuty findings blocks: - type: header text: @@ -87,19 +87,3 @@ actions: text: "*Action:* ${{ var.smac.action }}" - type: mrkdwn text: "*Context:* ${{ var.smac.context }}" - - type: actions - elements: - - type: button - text: - type: plain_text - emoji: true - text: "Suppress" - style: primary - value: "click_me_123" - - type: button - text: - type: plain_text - emoji: true - text: "Escalate" - style: danger - value: "click_me_123" diff --git a/playbooks/alert_management/crowdstrike-to-cases.yml b/playbooks/alert_management/crowdstrike-to-cases.yml index 613286e02..bfd5185b1 100644 --- a/playbooks/alert_management/crowdstrike-to-cases.yml +++ b/playbooks/alert_management/crowdstrike-to-cases.yml 
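Review bot: In the first hunk the unchanged `channel:` line still reads the target from `SECRETS.slack_channel.SLACK_CHANNEL`, whereas the crowdstrike and datadog playbooks touched by this same commit read `SECRETS.slack.SLACK_CHANNEL`; for a clean-up commit it is worth confirming whether two differently named secrets are intentional, because a missing `slack_channel` secret would only surface when this playbook actually fires. If the three playbooks are meant to share one secret, change the line to `channel: ${{ SECRETS.slack_channel.SLACK_CHANNEL }}` → `channel: ${{ SECRETS.slack.SLACK_CHANNEL }}`. The action this hunk edits (its `ref:` and `action:` keys) starts above the hunk, so I cannot see whether a comment there already explains the naming.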
@@ -40,16 +40,44 @@ actions: updated_at: ${{ var.alert.updated_timestamp -> str }} # Timestamp indicating when the alert was last updated created_at: ${{ var.alert.created_timestamp -> str }} # Timestamp indicating when the alert was created + - ref: send_slack_notification + action: integrations.chat.slack.post_slack_message + depends_on: reshape_alerts_into_smac + for_each: ${{ for var.smac in ACTIONS.reshape_alerts_into_smac.result }} + args: + channel: ${{ SECRETS.slack.SLACK_CHANNEL }} + text: Crowdstrike alerts + blocks: + - type: header + text: + type: plain_text + text: ${{ var.smac.title }} + emoji: true + - type: section + text: + type: mrkdwn + text: ${{ var.smac.description }} + - type: section + fields: + - type: mrkdwn + text: "*Status:* ${{ var.smac.status }}" + - type: mrkdwn + text: "*Malice:* ${{ var.smac.malice }}" + - type: mrkdwn + text: "*Action:* ${{ var.smac.action }}" + - type: mrkdwn + text: "*Context:* ${{ var.smac.context }}" + - ref: open_cases action: core.open_case depends_on: - - suggest_osquery_queries - for_each: ${{ for var.alert in ACTIONS.reshape_alerts_into_smac.result }} + - reshape_alerts_into_smac + for_each: ${{ for var.smac in ACTIONS.reshape_alerts_into_smac.result }} args: - case_title: ${{ var.alert.title }} - status: ${{ var.alert.status }} - malice: ${{ var.alert.malice }} - action: ${{ var.alert.action }} - context: ${{ var.alert.context }} - payload: ${{ var.alert.payload }} - priority: ${{ var.alert.severity }} + case_title: ${{ var.smac.title }} + status: ${{ var.smac.status }} + malice: ${{ var.smac.malice }} + action: ${{ var.smac.action }} + context: ${{ var.smac.context }} + payload: ${{ var.smac.payload }} + priority: ${{ var.smac.severity }} diff --git a/playbooks/alert_management/datadog-siem-to-slack.yml b/playbooks/alert_management/datadog-siem-to-slack.yml index 83728e6cb..90ecfd38d 100644 --- a/playbooks/alert_management/datadog-siem-to-slack.yml 
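Review bot: The new `send_slack_notification` action interpolates `var.smac.description` and the `*Action:*`/`*Context:*` fields straight into `mrkdwn` blocks; if those values are built from raw CrowdStrike alert fields (process command lines, file names, user-supplied strings), an adversary can plant Slack markup such as `<!channel>` or `<https://attacker.example|legitimate-looking-link>` in an endpoint artifact and have it rendered to the whole channel. Slack treats `&`, `<` and `>` as control characters inside `mrkdwn` text and expects them escaped as `&amp;`, `&lt;`, `&gt;`, so that escaping should happen in `reshape_alerts_into_smac` (defined outside this hunk, so I cannot tell whether it already does) or before the blocks are assembled. Until that is confirmed, add a comment above `blocks:` in the new action: `# NOTE: smac fields are rendered as Slack mrkdwn — alert-derived text must have &, <, > escaped first`. The `text: Crowdstrike alerts` fallback is also identical for every iteration of the `for_each`, so push notifications and search results will not distinguish one alert from another; consider `text: "Crowdstrike alert: ${{ var.smac.title }}"`.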
+++ b/playbooks/alert_management/datadog-siem-to-slack.yml @@ -75,7 +75,7 @@ actions: - ${{ for var.user_ids in ACTIONS.extract_slack_user_ids.result }} args: channel: ${{ SECRETS.slack.SLACK_CHANNEL }} - text: Datadog alerts (last ) + text: Datadog alerts blocks: - type: header text: