Gem Security pack

[liormgem]

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

• In Progress
• Ready
• In Hold - (Reason for hold)

Related Issues

fixes: link to the issue

Description

Pack Gem integrates with the Gem Security platform.
Pack includes:

• 1 Automation
• 3 Classifiers
• 16 Incident Fields
• 1 Incident Type
• 1 Integration
• 1 Layout
• 3 Playbooks
• 1 Pre-process Rule

Must have

• Tests
• Documentation

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[content-bot]

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @merit-maita will know the proposed changes are ready to be reviewed.
For your convenience, here is a link to the contributions SLAs document.

[kgal-pan]

@liormgem - Thanks for the contribution. When filling out the Contribution Form, use gem-security-18933 as your Partner ID.

[merit-maita]

@liormgem - Thanks for the contribution. When filling out the Contribution Form, use gem-security-18933 as your Partner ID.

@liormgem can you please address this comment, so i can go ahead and review the pr

[melamedbn]

Hi @liormgem,

I've reviewed your contribution. Thank you for your effort and dedication. I would appreciate it if you could address the following feedback:

Classification and Mapping

1. Classifier Functionality: It may be beneficial to review the classifier to ensure it correctly classifies alerts. If there are any improvements needed, we can work on them together.
2. Mapping Differences: Could you help me understand if there are any differences between the mapping done in 'Gem Mapper' and 'Gem Mapper Webhook'? This would help us ensure consistency and efficiency in our mapping process.

Playbooks

Gem Handle Alert for Root Usage

1. Task '1' Adjustment: To ensure the playbook closes automatically, let's adjust the else path to lead either to the Done section header or to an error handling path.
2. Inputs and Outputs Clarification: I noticed that the playbook has no inputs and outputs. Is this intended? If so, could you explain the reasoning behind it?
3. Question Marks Addition: Let's add question marks where needed, such as in Task '1', to ensure clarity and understanding for anyone reviewing the playbook.
4. Grid Alignment: Could you please fix the arrow exiting task '4' so that it leads correctly to task '11' on the grid?
5. Task '10' and '11' Clarification: It would be helpful to clarify the need for both tasks '10' and '11'. Additionally, let's enhance the title of Task '10' to provide more context and clarity.
6. Task '2' Adjustment: For Task '2', let's remove the index position ".[1]" and ".[0]" and use the path instead.
7. Task '6' Enhancement: For Task '6', let's first deduplicate and then count the number of unique values. Additionally, add a conditional task that counts the usernames and checks using 'greater or equals to'.
8. Task '7' Adjustment: Similar to Task '1', let's ensure the else path in Task '7' leads either to the Done section header or to an error handling path.

Gem Handle ec2

1. Task '7' Clarification: What happens if it's not an EC2 instance?
2. Task '1' Title Enhancement: Let's put a more descriptive title for Task '1'.
3. Task '1' Slack User Check: We need to make sure the Slack user is provided via the inputs or else the ASK task might not be relevant.

Gem Validate triggering event

1. Grid Alignment: Please fix the arrow exiting the Playbook Triggered header directing to task '10' on the grid.
2. Question Marks Addition: Add question marks where needed for clarity.
3. Task '10' Adjustment: To ensure the playbook closes automatically, let's adjust the else path in Task '10' to lead either to the Done section header or to an error handling path.

Incident Fields

1. New Incident Fields: Why were new incident fields created if most are available in our common types (OOTB)? When using OOTB fields, they will be mapped in a way that fits more OOTB content items.

Layout

1. Section Width Adjustment: Let's adjust the width of the sections so we won't have blank spaces.

Please let me know if there are any more revisions needed or if there's anything else I can assist you with.

Best regards,
Ben

[liormgem]

Hi @melamedbn,
Thank you for the feedback.
The new Incident Fields were changed to the relevant OOTB fields in case we found one.

All your remarks were addressed and fixed, answers to your clarification questions are below:

Classification and Mapping
2. Mapping Differences: Could you help me understand if there are any differences between the mapping done in 'Gem Mapper' and 'Gem Mapper Webhook'? This would help us ensure consistency and efficiency in our mapping process.

There are small differences in the way the webhook sends the Gem alerts and the way the fetching Endpoint serves it.
For example - the Gem Alert ID in the webhook is mapped from event.alert_id and in the regular mapper from metadata.alert_id

Playbooks
Gem Handle Alert for Root Usage
2. Inputs and Outputs Clarification: I noticed that the playbook has no inputs and outputs. Is this intended? If so, could you explain the reasoning behind it?

It is.
It gets all the information it needs from the relevant Gem Alert and is meant to be attached to one.

Gem Handle ec2

1. Task '7' Clarification: What happens if it's not an EC2 instance?

The playbook is not relevant in this case.
Will add a Done section header.

3. Task '1' Slack User Check: We need to make sure the Slack user is provided via the inputs or else the ASK task might not be relevant.

It’s still relevant manually and I think that’s ok

Thanks,
Lior

[liormgem]

Hi @maimorag,
Thank you for the review.
All comments were fixed.

I'm working on uploading the example video to the demisto-assets repo and then I'll submit the Contribution form.

Lior

[ssokolovich]

Hey @liormgem

A couple of notes from my side.

1. Note that I usually suggest not using the exact brand GEM in the commands. In case a customer would like to copy your integration, he will need to change all the OOTB playbooks as well (there is an option to choose the non-brand command from the PB itself). This isn't required, however, a tip from my experience.
   
2. Usually we add a Done task at the end. Just a cosmetic tip.
   
3. Note that you don't have a playbook associated with your incident type. Once the investigation started the user would need to choose how to handle it automatically.
   
4. Extracting all indicators from all fields might impact server performance, hence, suggesting to extract indicators from only necessary fields (basically the ones that you mapped).
   

Let me know if you need me to elaborate more on a point or help with anything else.
Cheers!

[ssokolovich]

Would like to suggest moving some of the fields under the case details to the investigation data (or even expanding the case details section), since if all the fields may be mapped, the user might miss that info.
Not mandatory but nice to have (of course analysts will appreciate it :) ).

[liormgem]

Hi @ssokolovich,
Thank you for the review.

1. I think that would be fine with the amount of content we have.
2. Will be Added
3. Customers we consulted prefer to not have a default playbook
4. There are indicators in other parts of the incident, not just in the mapped fields and we would like it to be processed. The number of incidents is low enough (not less than 10 a day) to not have an impact.
5. We will leave it as it is, for now, it's extra information.

Lior

[ssokolovich]

Cool! so just let me know when you fix # 2 and also please remember to update the playbook images.
Then waiting for your update @liormgem.
Cheers!

[liormgem]

Great, done.
@ssokolovich

[maimorag]

Hey @liormgem, the code looks good!

We're ready for a demo. Please check this page, and let me know when you're available for one over DFIR.
Feel free also to send me a recording of a demo.

I'll be on PTO from May 12th to May 19th. Apologies for any delay in advance.

[content-bot]

For the Reviewer: Trigger build request has been accepted for this contribution PR.

[content-bot]

For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/1005764

[github-actions]

Thank you for your contribution. Your external PR has been merged and the changes are now included in an internal PR for further review. The internal PR will be merged to the master branch within 3 business days.