[Pack: Recorded Future Intelligence][v1.4.0] Recorded Future playbook alerts v1 0

[recordedfuture-simonhornestedt]

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

• In Progress
• Ready
• In Hold - (Reason for hold)

Related Issues

fixes: N/A

Description

Introduce new Recorded Future feature Playbook alerts as a separate integration into the Recorded Future content pack, some minor settings update to the Recorded Future v2 Integration.

Screenshots

Paste here any images that will help the reviewer

Minimum version of Cortex XSOAR

• 6.0.0
• 6.1.0
• 6.2.0
• 6.5.0

Does it break backward compatibility?

• Yes
  • Further details:
• No

Must have

• Tests
• Documentation

[CLAassistant]

All committers have signed the CLA.

[content-bot]

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @yucohen will know he can start review the proposed changes.

[edik24]

Hi @recordedfuture-simonhornestedt can you please fill out the contribution Registration form and sign the CLA?

[efelmandar]

Hi @recordedfuture-simonhornestedt and thank you for your contribution, I reviewed your changes and found some points I want to discuss please see them below:

1. The new incident types you added do not use auto-extract, which is not recommended in most use cases. I suggest configuring auto-extract to all or a list to some incident fields to leverage auto-extract and auto-enrichment in playbooks.

2. In the Recorded Future Domain Abuse playbook - before the Create issue in JIRA (task no. 1) there is no check that JIRA integration is configured and available.

3. In the Recorded Future Playbook Alert Details playbook - Why not use the Mapping tab in the task to map all the output fields to the corresponding incident fields to show it better in the layout?

4. In the Recorded Future Vulnerability playbook, as before tasks Create issue in JIRA and Enrich CVE as Note (tasks no. 1 & no. 16) there is no check that the integration is enabled and configured.

5. The two playbooks, Recorded Future Vulnerability and Recorded Future Domain Abuse are very similar and only differ by a couple of tasks which creates a little bit of duplication and probably can be merged into one playbook.
   As this might not fit every use case please consider this change or let me know if you think otherwise.

Overall the changes look good, and once these points are addressed we can move forward

[recordedfuture-simonhornestedt]

Hi @efelmandar thanks for your feedback, I reached out to the person who created our playbooks/incident types from our Professional services team for some thoughts on your bullet points, this is his thoughts and reasoning to the choices:

1. we never use auto extract for our incident types because we always have a playbook for it (auto extract and enrichment doesn’t make sense for our alerts)
2. we don’t necessarily need to check for the Jira integration as this is a playbook template. we could remove it and just have a manual step to create an incident in an incident management platform or keep as 1 example and just mark it skip on error
3. our outputs don’t easily map to fields and with our output being dynamic with no standard it’s virtually imposing
4. Jira issue is already started in 2., we don’t need to check for enrichment because the customer will have our integration configured (once again we could make this a skip if error task)
5. we can’t merge them, doesn’t make sense … they are similar but once again the customer is supposed to copy and add steps to them as they are template playbooks

Any additional thoughts or suggestions with having this information?

[efelmandar]

@recordedfuture-simonhornestedt I appreciate your response regarding my points and can understand why it is reasonable to not make the changes in this case. Thanks again your contributions are valued and appreciated.

[yucohen]

@recordedfuture-simonhornestedt Thanks for the contribution! Great work!
Please see my comments :)
Also, we can delete the pipfile and pipfile.lock files

[yucohen]

Suggested change

	file_name = f'{screenshot_data.get("image_id").replace("img:","")}.png'
	file_name = f'{screenshot_data.get("image_id", "").replace("img:","")}.png'

In the case where no screenshots, the replace method won't fail

[recordedfuture-simonhornestedt]

done

[yucohen]

Suggested change

	file_data = screenshot_data.get("base64")
	file_data = screenshot_data.get("base64", "")

[recordedfuture-simonhornestedt]

done

[yucohen]

lets change it to type 9. see this article

[recordedfuture-simonhornestedt]

done

[recordedfuture-simonhornestedt]

Removed pipfile and updated the dockerimage tag so that should be the last of the changes requested