Enhancements for Log4j | RBR (#16501)

* Added the new vul to the playbook, Added a new threat ID, Added coverage for Xpanse

* updated images and releasenotes

* Fixed issues after the review

Packs/CVE_2021_44228/Playbooks/playbook-CVE-2021-44228_-_Log4j_RCE.yml

@@ -6,16 +6,21 @@ description: "Critical RCE Vulnerability: log4j - CVE-2021-44228\n\nOn Dec. 9, 2
   \ exploited in the wild. Public proof of concept (PoC) code was released and subsequent\
   \ investigation revealed that exploitation was incredibly easy to perform. \n\n\
   On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit\
-  \ known as CVE-2021-45046.\n\n**Affected Version**\n\nApache Log4j 2.x <= 2.15.0-rc1\n\
-  \nThis playbook should be triggered manually or can be configured as a job.\nPlease create a new incident and\
-  \ choose the **CVE-2021-44228 - Log4j RCE** playbook and **Rapid Breach Response**\
+  \ known as CVE-2021-45046.\n\nOn Dec 18 2021, yet another vulnerability was discovered\
+  \ related the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker\
+  \ with control over Thread Context Map data to cause a denial of service when a\
+  \ crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.\n\
+  \n**Affected Version**\n\nApache Log4j 2.x <= 2.15.0-rc1\n\nThis playbook should\
+  \ be triggered manually or can be configured as a job.\nPlease create a new incident\
+  \ and choose the **CVE-2021-44228 - Log4j RCE** playbook and **Rapid Breach Response**\
   \ incident type.\n\n**The playbook includes the following tasks:**\n\n* Collect\
   \ related known indicators from several sources.\n* Indicators and exploitation\
-  \ patterns hunting using PAN-OS, Cortex XDR and SIEM products.\n* Block indicators\
-  \ automatically or manually.\n\n**Mitigations:**\n* Apache official CVE-2021-44228\
-  \ patch.\n* Unit42 recommended mitigations.\n* Detection Rules.\n    * Snort\n \
-  \   * Suricata\n    * Sigma\n    * Yara\n\nMore information:\n[Apache Log4j Vulnerability\
-  \ Is Actively Exploited in the Wild (CVE-2021-44228)](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/)\n\
+  \ patterns hunting using PAN-OS, Cortex XDR and SIEM products.\n*Search for possible\
+  \ vulnerable servers using Xpanse.\n* Block indicators automatically or manually.\n\
+  \n**Mitigations:**\n* Apache official CVE-2021-44228 patch.\n* Unit42 recommended\
+  \ mitigations.\n* Detection Rules.\n    * Snort\n    * Suricata\n    * Sigma\n \
+  \   * Yara\n\nMore information:\n[Apache Log4j Vulnerability Is Actively Exploited\
+  \ in the Wild (CVE-2021-44228)](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/)\n\
   \nNote: This is a beta playbook, which lets you implement and test pre-release software.\
   \ Since the playbook is beta, it might contain bugs. Updates to the pack during\
   \ the beta phase might include non-backward compatible features. We appreciate your\
@@ -420,6 +425,7 @@ tasks:
       '#none#':
       - "27"
       - "28"
+      - "88"
     separatecontext: false
     view: |-
       {
@@ -1006,10 +1012,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "28":
     id: "28"
-    taskid: f728cbb9-dfcb-4c9a-852d-5cb5345c8573
+    taskid: 90ce26de-18c4-41fe-8b04-1c9881abb2b4
     type: playbook
     task:
-      id: f728cbb9-dfcb-4c9a-852d-5cb5345c8573
+      id: 90ce26de-18c4-41fe-8b04-1c9881abb2b4
       version: -1
       name: Panorama Query Logs for Related Session
       description: 'Query Panorama Logs of types: traffic, threat, url, data-filtering
@@ -1026,7 +1032,7 @@ tasks:
         simple: threat
       query:
         simple: (threatid eq 91991) or (threatid eq 91994) or (threatid eq 91995)
-          or (threatid eq 92001)
+          or (threatid eq 92001) or (threatid eq 92012)
     separatecontext: true
     loop:
       iscommand: false
@@ -1702,17 +1708,20 @@ tasks:
     isautoswitchedtoquietmode: false
   "43":
     id: "43"
-    taskid: 815415a3-cc02-48fa-8af5-2d06638a0e0d
+    taskid: 56024ef2-f2ad-4836-8a38-7524f01c8d3a
     type: regular
     task:
-      id: 815415a3-cc02-48fa-8af5-2d06638a0e0d
+      id: 56024ef2-f2ad-4836-8a38-7524f01c8d3a
       version: -1
       name: Install log4j patched versions
       description: |-
-        Please patch with one of the following versions:
+        For CVE-2021-45046 and CVE-2021-44228, please patch with one of the following versions:
         **log4j-2.15.0-rc2**
         **log4j-2.16.0**
 
+        For CVE-2021-45105, please patch with the following version:
+        **Log4j 2.17.0 (Java 8)**
+
         The files are available via the following link:
         [Download Apache Log4j 2](https://logging.apache.org/log4j/2.x/download.html)
       type: regular
@@ -1738,17 +1747,15 @@ tasks:
     isautoswitchedtoquietmode: false
   "44":
     id: "44"
-    taskid: 29afbda7-a121-4af9-8c88-0d38ee6dc7b1
+    taskid: 23d81bed-59af-4214-81e3-c98780d8bc87
     type: regular
     task:
-      id: 29afbda7-a121-4af9-8c88-0d38ee6dc7b1
+      id: 23d81bed-59af-4214-81e3-c98780d8bc87
       version: -1
-      name: Disable JNDI lookup
-      description: |-
-        Disable JNDI lookup on vulnerable servers:
-
-        * Remove the JndiLookup file in the log4j-core and restart the service
-        * Setup spring.jndi.ignore=true
+      name: Disable JNDI and JNDI lookup
+      description: "To disable JNDI lookup on vulnerable servers - \n* Remove the\
+        \ JndiLookup file in the log4j-core and restart the service\n  * Setup log4j2.formatMsgNoLookups=true\n\
+        \nTo disable JNDI on vulnerable servers -\n* Set up spring.jndi.ignore=true"
       type: regular
       iscommand: false
       brand: ""
@@ -2185,10 +2192,10 @@ tasks:
     isautoswitchedtoquietmode: false
   "58":
     id: "58"
-    taskid: 252a983c-8832-4c22-808f-7ce5ede54369
+    taskid: 7eafd9fc-83f6-4fbb-85b4-83a0b1245092
     type: regular
     task:
-      id: 252a983c-8832-4c22-808f-7ce5ede54369
+      id: 7eafd9fc-83f6-4fbb-85b4-83a0b1245092
       version: -1
       name: Tag CVE indicators
       description: commands.local.cmd.new.indicator
@@ -2205,11 +2212,18 @@ tasks:
       retry-interval:
         simple: "2"
       tags:
-        simple: CVE-2021-44228
+        simple: Log4j
       type:
         simple: CVE
       value:
-        simple: CVE-2021-44228
+        complex:
+          root: inputs.RelatedCVEs
+          transformers:
+          - operator: split
+            args:
+              delimiter:
+                value:
+                  simple: ', '
     continueonerror: true
     separatecontext: false
     view: |-
@@ -3361,6 +3375,163 @@ tasks:
     quietmode: 0
     isoversize: false
     isautoswitchedtoquietmode: false
+  "88":
+    id: "88"
+    taskid: 35fccb6a-d214-44c8-885a-878c10970b8c
+    type: title
+    task:
+      id: 35fccb6a-d214-44c8-885a-878c10970b8c
+      version: -1
+      name: Xpanse
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "89"
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 2420,
+          "y": 720
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "89":
+    id: "89"
+    taskid: 67e1ae1e-04ee-4a67-85f8-d3e2d62cc279
+    type: condition
+    task:
+      id: 67e1ae1e-04ee-4a67-85f8-d3e2d62cc279
+      version: -1
+      name: Is Xpanse enabled?
+      description: Checks if Splunk instance is enabled.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "37"
+      "yes":
+      - "90"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isEqualString
+          left:
+            value:
+              complex:
+                root: modules
+                filters:
+                - - operator: containsString
+                    left:
+                      value:
+                        simple: modules.brand
+                      iscontext: true
+                    right:
+                      value:
+                        simple: Xpanse
+                    ignorecase: true
+                accessor: state
+            iscontext: true
+          right:
+            value:
+              simple: active
+          ignorecase: true
+    view: |-
+      {
+        "position": {
+          "x": 2420,
+          "y": 850
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "90":
+    id: "90"
+    taskid: 14ed68b7-f8e6-4309-80ae-a2c851bc56ba
+    type: regular
+    task:
+      id: 14ed68b7-f8e6-4309-80ae-a2c851bc56ba
+      version: -1
+      name: Search for possible vulnerable servers
+      description: Retrieve issues
+      script: '|||expanse-get-issues'
+      type: regular
+      iscommand: true
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "91"
+    scriptarguments:
+      issue_type:
+        simple: |-
+          Adobe ColdFusion, Apache Solr, Cisco Identity Services Engine (ISE), Cisco Integrated Management Controller (IMC), Cisco Unified Communications Manager, Cisco Unified Computing System, Cisco Webex Meetings Server, Co-Located Elasticsearch Server, Dell Wyse Management Suite, Elasticsearch Server
+          , Fortinet Device, IBM WebSphere Application Server, Java Application, Oracle E-Business Suite, Oracle Fusion Middleware, Palo Alto Networks Panorama Admin Login Page, SonicWall Email Security, VMware Carbon Black EDR, VMware vCenter, VMware vRealize Automation , , Appliance, VMware vRealize Suite Lifecycle Manager, VMware Workspace ONE Access Server
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 2670,
+          "y": 1020
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "91":
+    id: "91"
+    taskid: c42c8d3e-917d-41de-87ef-7fcc7a50945e
+    type: regular
+    task:
+      id: c42c8d3e-917d-41de-87ef-7fcc7a50945e
+      version: -1
+      name: 'Review possible vulnerable servers '
+      description: "Expander shows systems that are exposed to the public internet,\
+        \ without the need to install agents or sensors of any kind. Some of the systems\
+        \ below do not advertise version information, or are otherwise restricted\
+        \ from doing so depending on the configuration of our customers’ networks.\
+        \ Expander attempts to retrieve or derive version information, but this is\
+        \ not possible in all cases. \n\nXpanse issue IDs:\n${Expanse.Issue.id}"
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "37"
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 2670,
+          "y": 1210
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
 view: |-
   {
     "linkLabelsPosition": {
@@ -3377,12 +3548,14 @@ view: |-
       "75_29_#default#": 0.2,
       "80_29_no": 0.12,
       "80_81_yes": 0.29,
-      "80_82_yes": 0.43
+      "80_82_yes": 0.43,
+      "89_37_#default#": 0.17,
+      "89_90_yes": 0.59
     },
     "paper": {
       "dimensions": {
         "height": 5725,
-        "width": 4500,
+        "width": 4720,
         "x": -1670,
         "y": -1290
       }
@@ -3476,6 +3649,12 @@ inputs:
   required: false
   description: Whether to perform XQL hunting queries. Default is "False".
   playbookInputQuery:
+- key: RelatedCVEs
+  value:
+    simple: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
+  required: false
+  description: The log4j related CVEs.
+  playbookInputQuery:
 outputs: []
 tests:
 - No tests (auto formatted)

Packs/CVE_2021_44228/Playbooks/playbook-CVE-2021-44228_-_Log4j_RCE_README.md

@@ -4,6 +4,8 @@ On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 w
 
 On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046.
 
+On Dec 18 2021, yet another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
+
 **Affected Version**
 
 Apache Log4j 2.x <= 2.15.0-rc1
@@ -12,6 +14,7 @@ Apache Log4j 2.x <= 2.15.0-rc1
 
 * Collecting Indicators - related known indicators from several sources.
 * Investigation and Hunting - indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
+* Search for potentially vulnerable servers using Xpanse.
 * Remediation - Blocking indicators automatically or manually based on **playbook inputs**.
 * Mitigations:
     * Apache official CVE-2021-44228, CVE-2021-45046 patch.
@@ -29,10 +32,6 @@ Apache Log4j 2.x <= 2.15.0-rc1
     1. To run the shell scripts on XDR endpoints - you will need to change "XDRScriptExecution" and the "XDREndpointIDs" playbook inputs. Note that running the scripts on **all** XDR connected linux endpoints might impact performance on the XDR (depending on number of endpoints).
     2. Change the SIEM search time frame as requested (default is 1 day). If you are using Splunk , you can change the index by changing the "SplunkSourcetype" playbook input.
     3. To block indicators automatically - change the playbook input "BlockIndicatorsAutomatically" to "True".
-3. (Optional) Edit the playbook, if needed:
-    1. If multiple panorama instances enabled, you will need to make sure you edit the playbook to select the instance that is the PanOS instance and not FW. 
-    2. Edit the SIEM queries for your needs, fields and the organization best practices. 
-
 
 Read more about the vulnerability on our Unit 42 blog:
 [Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/)
@@ -96,4 +95,4 @@ There are no outputs for this playbook.
 
 ## Playbook Image
 ---
-![CVE-2021-44228 - Log4j RCE1](https://raw.githubusercontent.com/demisto/content/c95b0ec363641c13015525506dea8b78bbe7fcd7/Packs/CVE_2021_44228/doc_files/CVE-2021-44228_-_Log4j_RCE.png)
+![CVE-2021-44228 - Log4j RCE1](https://raw.githubusercontent.com/demisto/content/0f7c54d47da9839926275b15bc3d950db35bd3e6/Packs/CVE_2021_44228/doc_files/CVE-2021-44228_-_Log4j_RCE.png)

Packs/CVE_2021_44228/README.md

@@ -6,6 +6,8 @@ On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 w
 
 On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046.
 
+On Dec 18 2021, yet another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105. The vulnerability allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
+
 This pack will provide you with a first response kit which includes:
 * Hunting
 * Remediation
@@ -18,4 +20,4 @@ More information about the vulnerability:
 
 Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
 
-![CVE-2021-44228 - Log4j RCE](https://raw.githubusercontent.com/demisto/content/c95b0ec363641c13015525506dea8b78bbe7fcd7/Packs/CVE_2021_44228/doc_files/CVE-2021-44228_-_Log4j_RCE.png)
+![CVE-2021-44228 - Log4j RCE](https://raw.githubusercontent.com/demisto/content/0f7c54d47da9839926275b15bc3d950db35bd3e6/Packs/CVE_2021_44228/doc_files/CVE-2021-44228_-_Log4j_RCE.png)

Packs/CVE_2021_44228/ReleaseNotes/1_0_6.md

@@ -0,0 +1,8 @@
+
+#### Playbooks
+##### CVE-2021-44228 - Log4j RCE
+* On Dec 18 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105.
+* Added a new threat ID.
+* Added the new patch for mitigation.
+* Playbook will also search for potentially vulnerable servers using Xpanse.
+