feat: CS-slack sync working (#211)
* feat(engine): Add callback/child workflows

* feat(engine): Add base64 functions

* feat(engine): Allow runtime action test to take list and dict

* feat(playbook): Update cs to cases and add action tests

* feat(playbook): Update slack to cs update with action test

* test: Make cs alert a list of objects

* feat(playbook): Add comment on input shape

* test: Spaces in alert description
daryllimyt authored Jun 25, 2024
1 parent b89b6b9 commit 7e07219
Showing 8 changed files with 475 additions and 229 deletions.
31 changes: 19 additions & 12 deletions playbooks/alert_management/crowdstrike-to-cases.yml
@@ -1,12 +1,19 @@
title: Fetch Crowdstrike alerts and open cases.
description: Pulls Crowdstrike alerts and opens cases in Tracecat.
config:
enable_runtime_tests: true
entrypoint: pull_crowdstrike_alerts
triggers:
- type: webhook
ref: crowdstrike_alerts_webhook
entrypoint: pull_crowdstrike_alerts
# shape:
# - start_time: ISO8601 string
# - end_time: ISO8601 string
# - update_crowdstrike_alert: Webhook URL

actions:
# Mocked
- ref: pull_crowdstrike_alerts
action: integrations.crowdstrike.list_crowdstrike_alerts
args:
Expand All @@ -25,7 +32,7 @@ actions:
payload:
rule: ${{ var.alert.id }} # Identifier associated with the alert
severity: ${{ var.alert.severity }} # Severity level associated with the detection
status: ${{ 'closed' if var.alert.status == 'resolved' else 'open' }} # Status of the alert
status: ${{ 'closed' if FN.equal(var.alert.status, 'resolved') else 'open' }} # Status of the alert
malice: ${{ 'malicious' if FN.greater_than(var.alert.severity, 0) else 'benign' }} # Determines malice based on severity
action: quarantine
context:
Expand All @@ -39,6 +46,7 @@ actions:
context_timestamp: ${{ var.alert.context_timestamp -> str }}
updated_at: ${{ var.alert.updated_timestamp -> str }} # Timestamp indicating when the alert was last updated
created_at: ${{ var.alert.created_timestamp -> str }} # Timestamp indicating when the alert was created
user_name: ${{ var.alert.user_name }}

- ref: send_slack_notification
action: integrations.chat.slack.post_slack_message
Expand Down Expand Up @@ -74,26 +82,20 @@ actions:
text: "Select an option to update the alert:"
accessory:
type: static_select
action_id: update_crowdstrike_alert
action_id: ${{ TRIGGER.update_crowdstrike_alert }}?action_id=update_crowdstrike_alerts&alert_id=${{ var.smac.context.cid }}&old_status=${{ var.smac.status }}&username=${{ var.smac.context.user_name }}
options:
- text:
type: plain_text
text: Ignore
value:
old_status: ${{ var.smac.status }}
new_status: ignored"
value: new_status=ignored
- text:
type: plain_text
text: True Positive
value:
old_status: ${{ var.smac.status }}
new_status: true_positive
value: new_status=true_positive
- text:
type: plain_text
text: False Positive
value:
old_status: ${{ var.smac.status }}
new_status: false_positive
value: new_status=false_positive

- ref: open_cases
action: core.open_case
Expand All @@ -107,4 +109,9 @@ actions:
action: ${{ var.smac.action }}
context: ${{ var.smac.context }}
payload: ${{ var.smac.payload }}
priority: ${{ var.smac.severity }}
priority: ${{ 'high' if FN.greater_than(var.smac.payload.severity, 50) else 'low' }}

tests:
- ref: pull_crowdstrike_alerts
success:
- https://raw.githubusercontent.com/TracecatHQ/tracecat/main/tests/data/log_samples/crowdstrike/alert.json
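Review bot: The `action_id` built on the `static_select` line concatenates `var.smac.context.user_name`, `var.smac.status` and `var.smac.context.cid` straight into a URL query string with no URL-encoding, so a user name containing a space, `&` or `=` (the commit itself adds a test for spaces in alert text) will split or inject extra query parameters that the receiving workflow then reads as `TRIGGER.old_status` / `TRIGGER.username`. The query string also sets `action_id=update_crowdstrike_alerts` (plural) while the Slack-to-Crowdstrike playbook's guard compares against `'update_crowdstrike_alert'` (singular), so the two names should be unified. Safer is to carry only an opaque `alert_id` in the callback and resolve status and user on the receiving side, or at minimum pass each value through a URL-encoding function if the engine provides one; a short comment such as `# callback URL: values are interpolated raw, keep them free of &, = and whitespace` would document the constraint until then. This hunk is cut at both ends, so the enclosing `send_slack_notification` block continues outside it.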
24 changes: 18 additions & 6 deletions playbooks/alert_management/slack-to-crowdstrike-update.yml
Expand Up @@ -2,23 +2,29 @@ title: Update Crowdstrike alerts via Slack
description: |
Receives a Slack action and updates Crowdstrike alerts based on
`alert_ids` and `status` provided in the Slack action payload.
config:
enable_runtime_tests: true
entrypoint: extract_slack_payload
triggers:
- type: webhook
ref: slack_actions_webhook
entrypoint: receive_slack_action
# shape:
# - action_id: string
# - alert_id: string
# - old_status: string
# - new_status: string
# - username: string

actions:
- ref: extract_slack_payload
action: core.transform.forward
# Check if action received is as expected
run_if: ${{ FN.equal(TRIGGER.action.action_id, 'update_crowdstrike_alert') }}
args:
value:
username: ${{ TRIGGER.user.username }}
alert_id: ${{ TRIGGER.action.value.alert_id }}
old_status: ${{ TRIGGER.action.value.old_status }}
new_status: ${{ TRIGGER.action.value.new_status }}
username: ${{ TRIGGER.username }}
alert_id: ${{ TRIGGER.alert_id }}
old_status: ${{ TRIGGER.old_status }}
new_status: ${{ TRIGGER.new_status }}

- ref: update_crowdstrike_alerts
action: integrations.crowdstrike.update_crowdstrike_alert_status
Expand Down Expand Up @@ -51,3 +57,9 @@ actions:
text: "*Old status:* ${{ ACTIONS.extract_slack_payload.result.old_status }}"
- type: mrkdwn
text: "*New status:* ${{ ACTIONS.extract_slack_payload.result.new_status }}"

tests:
- ref: update_crowdstrike_alerts
success:
status: ok
code: 200
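Review bot: The new `# shape:` comment declares `action_id`, `alert_id`, `old_status`, `new_status` and `username` as top-level trigger fields, but the `run_if` on `extract_slack_payload` still reads `TRIGGER.action.action_id` (if that line survives on the new side) and compares it with the singular `'update_crowdstrike_alert'`, whereas the Crowdstrike playbook sends `update_crowdstrike_alerts`; as written the guard cannot match the new payload. Changing it to `run_if: ${{ FN.equal(TRIGGER.action_id, 'update_crowdstrike_alerts') }}` (and aligning the name on the sending side) fixes both. Separately, the workflow now takes `alert_id`, `old_status` and `new_status` directly from whoever calls the webhook and forwards them into `update_crowdstrike_alerts`; I would document this on the trigger — `# NOTE: fields are caller-supplied; verify the webhook is reached only by the Slack callback and constrain new_status to ignored/true_positive/false_positive` — and add that constraint as a second `run_if` if the engine allows it. The first hunk's `extract_slack_payload` action and the second hunk's Slack-message block are both cut by the hunk boundaries.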
