From 2644665ce8d1cc577e32a4a69d9d06580b34a32e Mon Sep 17 00:00:00 2001 From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Thu, 16 May 2024 16:29:18 +0300 Subject: [PATCH] [ASM] - EXPANDR-7800 - Small Azure Remediation Fix (#34389) * play and RN (#34312) * Bump pack from version CortexAttackSurfaceManagement to 1.7.38. --------- Co-authored-by: johnnywilkes <32227961+johnnywilkes@users.noreply.github.com> Co-authored-by: anas-yousef <44998563+anas-yousef@users.noreply.github.com> Co-authored-by: Content Bot --- .../Playbooks/Cortex_ASM_-_Remediation.yml | 76 ++++++++++--------- .../ReleaseNotes/1_7_38.md | 6 ++ .../pack_metadata.json | 2 +- 3 files changed, 47 insertions(+), 37 deletions(-) create mode 100644 Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_38.md diff --git a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml index ce9d38331120..f5f91eb25de0 100644 --- a/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml +++ b/Packs/CortexAttackSurfaceManagement/Playbooks/Cortex_ASM_-_Remediation.yml @@ -6,10 +6,10 @@ starttaskid: '0' tasks: '0': id: '0' - taskid: 51f75382-1305-4354-8979-49a204553bbd + taskid: e8d9de22-8cb1-45cb-8336-7a3634a2eaef type: start task: - id: 51f75382-1305-4354-8979-49a204553bbd + id: e8d9de22-8cb1-45cb-8336-7a3634a2eaef version: -1 name: '' iscommand: false @@ -36,10 +36,10 @@ tasks: isautoswitchedtoquietmode: false '3': id: '3' - taskid: d2a675b7-aab6-4178-827f-689b608a0cd0 + taskid: 4d5d4d16-ec25-4600-8aa3-9db0085d2be4 type: condition task: - id: d2a675b7-aab6-4178-827f-689b608a0cd0 + id: 4d5d4d16-ec25-4600-8aa3-9db0085d2be4 version: -1 name: What provider is this service? description: Determines which cloud provider the service is in order to direct to the correct enrichment. 
@@ -163,10 +163,10 @@ tasks: isautoswitchedtoquietmode: false '4': id: '4' - taskid: ae695e07-cbca-4f09-8b68-cffb4378a93d + taskid: 025137d8-71d5-4a03-87fc-593dc78f0167 type: title task: - id: ae695e07-cbca-4f09-8b68-cffb4378a93d + id: 025137d8-71d5-4a03-87fc-593dc78f0167 version: -1 name: Completed type: title 
@@ -191,17 +191,24 @@ tasks: isautoswitchedtoquietmode: false '6': id: '6' - taskid: c510a13b-9767-4f1f-807a-3ab0e5651644 + taskid: 8755ee7e-a021-424c-8a4c-0159367c490a type: playbook task: - id: c510a13b-9767-4f1f-807a-3ab0e5651644 + id: 8755ee7e-a021-424c-8a4c-0159367c490a version: -1 name: Azure - Network Security Group Remediation - description: "This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet ([using the private IP of the VM as stated in Azure documentation](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allows traffic from private IP address and blocks the rest of the RDP traffic.\n\nConditions and limitations:\n- Limited to one resource group.\n- 200 Azure rules viewed at once to find the offending rule.\n- 2 priorities lower than the offending rule priority must be available.\n- Adds rules to NSGs associated to NICs." - playbookName: Azure - Network Security Group Remediation + description: |- + This playbook adds new Azure Network Security Groups (NSG) rules to NSGs attached to a NIC. The new rules will give access only to a private IP address range and block traffic that's exposed to the public internet ([using the private IP of the VM as stated in Azure documentation](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)). For example, if RDP is exposed to the public internet, this playbook adds new firewall rules that only allow traffic from private IP addresses and blocks the rest of the RDP traffic. + + Conditions and limitations: + - Limited to one resource group. + - 200 Azure rules viewed at once to find offending rule. + - 2 priorities lower than the offending rule priority must be available. 
+ - Adds rules to NSGs associated to NICs. type: playbook iscommand: false brand: '' + playbookId: Azure - Network Security Group Remediation nexttasks: '#none#': - '4' @@ -231,12 +238,7 @@ tasks: right: value: simple: Azure - transformers: - - operator: getField - args: - field: - value: - simple: IP + accessor: ip RemotePort: complex: root: alert @@ -245,6 +247,8 @@ tasks: complex: root: alert accessor: protocol + RemediationAllowRanges: + simple: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16 separatecontext: true continueonerrortype: '' loop: @@ -268,17 +272,17 @@ tasks: isautoswitchedtoquietmode: false '7': id: '7' - taskid: bf0705bb-bdd5-4ba7-808a-e735b2396319 + taskid: 4a5a1b3f-8f19-486d-8778-6bdadca1adc9 type: playbook task: - id: bf0705bb-bdd5-4ba7-808a-e735b2396319 + id: 4a5a1b3f-8f19-486d-8778-6bdadca1adc9 version: -1 name: AWS - Unclaimed S3 Bucket Remediation description: The playbook will create the unclaimed S3 bucket. - playbookName: AWS - Unclaimed S3 Bucket Remediation type: playbook iscommand: false brand: '' + playbookId: AWS - Unclaimed S3 Bucket Remediation nexttasks: '#none#': - '4' 
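Review bot: The reflowed `description` of task '6' drops a word from the limitations list: the removed string read `to find the offending rule` but the new block-scalar line is `- 200 Azure rules viewed at once to find offending rule.`; restore the article so the only wording change in this hunk is the intended `only allow traffic from private IP addresses` fix. The switch from a double-quoted string with embedded `\n` to a `|-` block scalar is the right form for this multi-line text. The surrounding `task:` mapping of task '6' continues past the end of the hunk.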
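Review bot: The `RemediationAllowRanges` value added to task '6', `simple: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16`, hard-codes the allowed source ranges inside the task rather than exposing them as a playbook input, so an operator whose VNets use other address space, or who wants a narrower allowlist than all three RFC 1918 blocks, has to edit the playbook to change them. Consider promoting this to an input of the Cortex ASM - Remediation playbook with this string as its default and referencing it here as `complex:` with `root: inputs.RemediationAllowRanges`; the playbook's `inputs:` section is outside this hunk, so I could not confirm whether such an input already exists. Since the sub-playbook is described in the same task as giving access only to a private IP address range, the task description should also state that every network reachable through these three blocks (peered VNets, VPN- or ExpressRoute-connected sites) keeps access after remediation, so the residual exposure is visible to whoever tunes the value.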
@@ -319,17 +323,17 @@ tasks: isautoswitchedtoquietmode: false '8': id: '8' - taskid: 00322392-5990-499f-8924-dca8422cb81e + taskid: ac918c29-4d5f-48b5-8060-94a4c15cc060 type: playbook task: - id: 00322392-5990-499f-8924-dca8422cb81e + id: ac918c29-4d5f-48b5-8060-94a4c15cc060 version: -1 name: AWS - Security Group Remediation v2 description: This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4. - playbookName: AWS - Security Group Remediation v2 type: playbook iscommand: false brand: '' + playbookId: AWS - Security Group Remediation v2 nexttasks: '#none#': - '4' @@ -390,16 +394,16 @@ tasks: isautoswitchedtoquietmode: false '9': id: '9' - taskid: c99909d1-19d5-4bdd-8e05-b65991ee850c + taskid: 3bfc76d9-be4e-4402-84eb-1b09f3af599f type: playbook task: - id: c99909d1-19d5-4bdd-8e05-b65991ee850c + id: 3bfc76d9-be4e-4402-84eb-1b09f3af599f version: -1 name: GCP - Firewall Remediation - playbookName: GCP - Firewall Remediation type: playbook iscommand: false brand: '' + playbookId: GCP - Firewall Remediation description: '' nexttasks: '#none#': 
@@ -481,10 +485,10 @@ tasks: isautoswitchedtoquietmode: false '10': id: '10' - taskid: 244da719-dd83-4ef4-801a-5e009d79259a + taskid: 7c022be5-c22d-4413-854c-d2a87249e532 type: condition task: - id: 244da719-dd83-4ef4-801a-5e009d79259a + id: 7c022be5-c22d-4413-854c-d2a87249e532 version: -1 name: Is AWSAssumeRoleName Input defined? description: Determines which cloud provider the service is in order to direct to the correct enrichment. @@ -523,17 +527,17 @@ tasks: isautoswitchedtoquietmode: false '11': id: '11' - taskid: 0efa486c-40f7-440f-8ff2-fd9202e5f5a7 + taskid: 85ddd43d-66b3-48f5-8861-a1c60e51024e type: playbook task: - id: 0efa486c-40f7-440f-8ff2-fd9202e5f5a7 + id: 85ddd43d-66b3-48f5-8861-a1c60e51024e version: -1 name: AWS - Security Group Remediation v2 description: This playbook takes in some information about an EC2 instance (ID and public_ip) and with provided port and protocol, determines what security groups on the primary interface of an EC2 instance are over-permissive. It uses an automation to determine what interface on an EC2 instance has an over-permissive security group on, determine which security groups have over-permissive rules and to replace them with a copy of the security group that has only the over-permissive portion removed. Over-permissive is defined as sensitive ports (SSH, RDP, etc) being exposed to the internet via IPv4. - playbookName: AWS - Security Group Remediation v2 type: playbook iscommand: false brand: '' + playbookId: AWS - Security Group Remediation v2 nexttasks: '#none#': - '4' 
@@ -615,17 +619,17 @@ tasks: isautoswitchedtoquietmode: false '12': id: '12' - taskid: 1787656d-ba63-465a-8f31-b8dfa60fe177 + taskid: 0300188b-1a4f-4da1-8d6f-559597a8873c type: playbook task: - id: 1787656d-ba63-465a-8f31-b8dfa60fe177 + id: 0300188b-1a4f-4da1-8d6f-559597a8873c version: -1 name: Cortex ASM - On Prem Remediation description: "This playbook adds new block rule(s) to on-prem firewall vendors in order to block internet access for internet exposures.\n\nConditions:\nThis is currently limited to stand-alone firewalls for PAN-OS." - playbookName: Cortex ASM - On Prem Remediation type: playbook iscommand: false brand: '' + playbookId: Cortex ASM - On Prem Remediation nexttasks: '#none#': - '4' @@ -706,16 +710,16 @@ tasks: isautoswitchedtoquietmode: false '13': id: '13' - taskid: 09e585e1-b45b-4168-840a-a8c437cdaabd + taskid: 56f329df-f61c-49b0-8b5d-048a4330f190 type: playbook task: - id: 09e585e1-b45b-4168-840a-a8c437cdaabd + id: 56f329df-f61c-49b0-8b5d-048a4330f190 version: -1 name: Cortex ASM - Cortex Endpoint Remediation - playbookName: Cortex ASM - Cortex Endpoint Remediation type: playbook iscommand: false brand: '' + playbookId: Cortex ASM - Cortex Endpoint Remediation description: '' nexttasks: '#none#': diff --git a/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_38.md b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_38.md new file mode 100644 index 000000000000..6838862b61e6 --- /dev/null +++ b/Packs/CortexAttackSurfaceManagement/ReleaseNotes/1_7_38.md @@ -0,0 +1,6 @@ + +#### Playbooks + +##### Cortex ASM - Remediation + +Fixed an issue where an incorrect key was referenced. diff --git a/Packs/CortexAttackSurfaceManagement/pack_metadata.json b/Packs/CortexAttackSurfaceManagement/pack_metadata.json index f72a9b204c73..551ada0fea18 100644 --- a/Packs/CortexAttackSurfaceManagement/pack_metadata.json +++ b/Packs/CortexAttackSurfaceManagement/pack_metadata.json 
@@ -2,7 +2,7 @@ "name": "Cortex Attack Surface Management", "description": "Content for working with Attack Surface Management (ASM).", "support": "xsoar", - "currentVersion": "1.7.37", + "currentVersion": "1.7.38", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",