diff --git a/Packs/SupernaZeroTrust/.pack-ignore b/Packs/SupernaZeroTrust/.pack-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SupernaZeroTrust/.secrets-ignore b/Packs/SupernaZeroTrust/.secrets-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/SupernaZeroTrust/Author_image.png b/Packs/SupernaZeroTrust/Author_image.png
new file mode 100644
index 000000000000..7e852156343d
Binary files /dev/null and b/Packs/SupernaZeroTrust/Author_image.png differ
diff --git a/Packs/SupernaZeroTrust/CONTRIBUTORS.json b/Packs/SupernaZeroTrust/CONTRIBUTORS.json
new file mode 100644
index 000000000000..678f195fbc18
--- /dev/null
+++ b/Packs/SupernaZeroTrust/CONTRIBUTORS.json
@@ -0,0 +1,3 @@
+[
+ "Superna"
+]
diff --git a/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/README.md b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/README.md
new file mode 100644
index 000000000000..fd40526000ae
--- /dev/null
+++ b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/README.md
@@ -0,0 +1,36 @@
+## Superna Zero Trust Integration
+
+Integrates Cortex XSOAR with **Superna Zero Trust** to automate ransomware containment and recovery actions.
+
+### Configure Superna Zero Trust on Cortex XSOAR
+
+1. Go to **Settings → Integrations → Servers & Services**
+2. Search for **Superna Zero Trust**
+3. Click **Add instance**
+4. Configure the following parameters:
+ - **API URL**: Base URL of your Superna Zero Trust / SERA server (e.g. `https://172.31.1.102`)
+ - **API Key**: API key stored securely using Cortex XSOAR credentials
+ - **Trust any certificate**: Enable only if using self-signed certificates
+ - **Use system proxy**: Optional
+
+5. Click **Test** to validate connectivity
+
+### Commands
+
+| Command | Description |
+|--------|-------------|
+| `superna-zt-snapshot-critical-paths` | Snapshot Superna critical paths for ransomware recovery |
+| `superna-zt-lockout-user` | Lock out a user from NAS storage access |
+| `superna-zt-unlock-user` | Unlock a user from NAS storage access |
+
+### Use Cases
+
+- Ransomware containment
+- Insider threat response
+- Zero Trust enforcement
+- NAS data protection
+
+### Security Notes
+
+- API keys are stored using Cortex XSOAR’s secure credentials store
+- No secrets or IP addresses are embedded in playbooks
diff --git a/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust.py b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust.py
new file mode 100644
index 000000000000..75458d87315c
--- /dev/null
+++ b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust.py
@@ -0,0 +1,136 @@
+\
+from typing import Any, Dict
+
+import demistomock as demisto # noqa: F401
+from CommonServerPython import * # noqa: F401,F403
+
+
+class Client(BaseClient):
+ def __init__(self, base_url: str, api_key: str, verify: bool, proxy: bool):
+ headers = {
+ "Accept": "application/json",
+ "Content-Type": "application/json",
+ "api_key": api_key,
+ }
+ super().__init__(base_url=base_url, verify=verify, proxy=proxy, headers=headers)
+
+ def snapshot_critical_paths(self) -> Dict[str, Any]:
+ return self._http_request(
+ method="POST",
+ url_suffix="/sera/v2/ransomware/criticalpaths",
+ json_data={},
+ )
+
+ def lockout_user(self, username: str) -> Dict[str, Any]:
+ return self._http_request(
+ method="POST",
+ url_suffix=f"/sera/v2/ransomware/lockout/{username}",
+ json_data={},
+ )
+
+ def unlock_user(self, username: str) -> Dict[str, Any]:
+ return self._http_request(
+ method="POST",
+ url_suffix=f"/sera/v2/ransomware/unlock/{username}",
+ json_data={},
+ )
+
+ def healthcheck(self) -> Dict[str, Any]:
+ return self._http_request(
+ method="GET",
+ url_suffix="/sera/v1/healthcheck",
+ )
+
+
+def test_module(client: Client) -> str:
+ client.healthcheck()
+ return "ok"
+
+
+def snapshot_cmd(client: Client) -> CommandResults:
+ try:
+ res = client.snapshot_critical_paths()
+ return CommandResults(
+ outputs_prefix="SupernaZeroTrust.Snapshot",
+ outputs={
+ "Status": "Success",
+ "Message": "Snapshot created successfully",
+ "Result": res
+ },
+ readable_output="✅ Snapshot created successfully",
+ raw_response=res,
+ )
+ except DemistoException as e:
+ # Check if it's a 429 error (rate limit / recent snapshot exists)
+ if "429" in str(e) or "Too Many Requests" in str(e):
+ return CommandResults(
+ outputs_prefix="SupernaZeroTrust.Snapshot",
+ outputs={
+ "Status": "AlreadyExists",
+ "Message": "Snapshot already created within the last hour. Please wait before creating another snapshot."
+ },
+ readable_output="⚠️ Snapshot already created within the last hour. Please wait before creating another snapshot.",
+ raw_response={"error": str(e)},
+ )
+ else:
+ # Re-raise other errors
+ raise
+
+
+def lockout_cmd(client: Client, args: Dict[str, Any]) -> CommandResults:
+ username = args.get("username")
+ if not username:
+ raise DemistoException("Missing required argument: username")
+ res = client.lockout_user(username)
+ return CommandResults(
+ outputs_prefix="SupernaZeroTrust.Lockout",
+ outputs={"Username": username, "Result": res},
+ raw_response=res,
+ )
+
+
+def unlock_cmd(client: Client, args: Dict[str, Any]) -> CommandResults:
+ username = args.get("username")
+ if not username:
+ raise DemistoException("Missing required argument: username")
+ res = client.unlock_user(username)
+ return CommandResults(
+ outputs_prefix="SupernaZeroTrust.Unlock",
+ outputs={"Username": username, "Result": res},
+ raw_response=res,
+ )
+
+
+def main(): # pragma: no cover
+ params = demisto.params()
+ base_url = (params.get("base_url") or "").rstrip("/")
+ creds = params.get("credentials") or {}
+ api_key = creds.get("password") # Authentication param: password holds the secret
+ insecure = bool(params.get("insecure"))
+ proxy = bool(params.get("proxy"))
+
+ if not base_url:
+ return_error("Missing required integration parameter: base_url")
+ if not api_key:
+ return_error("Missing required integration parameter: credentials (API key)")
+
+ client = Client(base_url=base_url, api_key=api_key, verify=not insecure, proxy=proxy)
+
+ try:
+ cmd = demisto.command()
+ if cmd == "test-module":
+ return_results(test_module(client))
+ elif cmd == "superna-zt-snapshot-critical-paths":
+ return_results(snapshot_cmd(client))
+ elif cmd == "superna-zt-lockout-user":
+ return_results(lockout_cmd(client, demisto.args()))
+ elif cmd == "superna-zt-unlock-user":
+ return_results(unlock_cmd(client, demisto.args()))
+ else:
+ raise NotImplementedError(f"Command not implemented: 
{cmd}")
+ except Exception as e:
+ return_error(str(e), error=e)
+
+
+if __name__ in ("__main__", "__builtin__", "builtins"):
+ main()
diff --git a/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust.yml b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust.yml
new file mode 100644
index 000000000000..db3a33696e30
--- /dev/null
+++ b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust.yml
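Review bot: `lockout_user` and `unlock_user` interpolate the caller-supplied `username` straight into the request path (`url_suffix=f"/sera/v2/ransomware/lockout/{username}"`), so a value containing `/`, `?`, `#`, `..` or the backslash of the `domain\userID` format this pack's playbooks collect rewrites the request target instead of travelling as a single path segment; encode it in both methods with `url_suffix=f"/sera/v2/ransomware/lockout/{quote(username, safe='')}"` after adding `from urllib.parse import quote`. The 429 detection in `snapshot_cmd` matches the digits `429` anywhere in the exception text, which also fires on an unrelated error message that happens to contain them; if `_http_request` populates `DemistoException.res` here, `getattr(getattr(e, "res", None), "status_code", None) == 429` is the precise check. The first added line of this hunk appears to be a lone `\`; if that is not a rendering artifact it is a syntax error at import time and should be removed.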
@@ -0,0 +1,62 @@
+commonfields:
+ id: SupernaZeroTrust
+ version: -1
+name: SupernaZeroTrust
+display: Superna Zero Trust
+category: Utilities
+description: Run Superna Zero Trust ransomware containment actions (critical path snapshot, user lockout/unlock) via the Superna API.
+configuration:
+- display: API URL (e.g. https://sera.example.local)
+ name: base_url
+ type: 0
+ required: true
+- displaypassword: API Key
+ name: credentials
+ type: 9
+ required: true
+ hiddenusername: true
+- display: Trust any certificate (not secure)
+ name: insecure
+ type: 8
+ required: false
+ defaultvalue: "false"
+- display: Use system proxy settings
+ name: proxy
+ type: 8
+ required: false
+ defaultvalue: "false"
+script:
+ script: "-"
+ type: python
+ subtype: python3
+ dockerimage: demisto/python3:3.10.13.86272
+ commands:
+ - name: superna-zt-snapshot-critical-paths
+ description: Create a snapshot of Superna critical paths for ransomware rapid recovery.
+ outputs:
+ - contextPath: SupernaZeroTrust.Snapshot.Result
+ description: API response from snapshot operation.
+ type: Unknown
+ - name: superna-zt-lockout-user
+ description: Lock out a user from NAS storage access.
+ arguments:
+ - name: username
+ required: true
+ description: Username to lock out.
+ outputs:
+ - contextPath: SupernaZeroTrust.Lockout.Result
+ description: API response from lockout operation.
+ type: Unknown
+ - name: superna-zt-unlock-user
+ description: Unlock a user from NAS storage access.
+ arguments:
+ - name: username
+ required: true
+ description: Username to unlock.
+ outputs:
+ - contextPath: SupernaZeroTrust.Unlock.Result
+ description: API response from unlock operation.
+ type: Unknown
+fromversion: 6.10.0
+tests:
+- No tests
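Review bot: The snapshot command populates `SupernaZeroTrust.Snapshot.Status` and `SupernaZeroTrust.Snapshot.Message` (and the lockout/unlock commands `…Lockout.Username` / `…Unlock.Username`), but the `outputs:` lists under `commands:` declare only the `.Result` paths, so the very context keys this pack's own Snapshot playbook prints are undocumented and invisible to playbook authors; declare them as below. The `username` argument descriptions could also state the format the pack's playbooks collect, e.g. `description: Username to lock out (domain\userID as entered in the lockout form).` — whether the API accepts other forms is not visible here, so keep that wording tentative.
```yaml
  - name: superna-zt-snapshot-critical-paths
    description: Create a snapshot of Superna critical paths for ransomware rapid recovery.
    outputs:
    - contextPath: SupernaZeroTrust.Snapshot.Status
      description: Success, or AlreadyExists when the API answered 429 because a snapshot was taken within the last hour.
      type: String
    - contextPath: SupernaZeroTrust.Snapshot.Message
      description: Human-readable outcome of the snapshot request.
      type: String
    - contextPath: SupernaZeroTrust.Snapshot.Result
      description: API response from snapshot operation.
      type: Unknown
  # … unchanged: lockout/unlock commands; add a SupernaZeroTrust.Lockout.Username / SupernaZeroTrust.Unlock.Username entry the same way …
```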
diff --git a/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust_image.png b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust_image.png
new file mode 100644
index 000000000000..bd262dd31759
Binary files /dev/null and b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust_image.png differ
diff --git a/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust_test.py b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust_test.py
new file mode 100644
index 000000000000..129736c13308
--- /dev/null
+++ b/Packs/SupernaZeroTrust/Integrations/SupernaZeroTrust/SupernaZeroTrust_test.py
@@ -0,0 +1,54 @@
+"""Unit tests for SupernaZeroTrust integration"""
+
+import pytest
+from SupernaZeroTrust import Client
+
+
+def test_client_initialization():
+ """Test that client initializes correctly"""
+ client = Client(
+ base_url='https://test.example.com',
+ verify=False,
+ proxy=False,
+ headers={'api_key': 'test-key'}
+ )
+ assert client._base_url == 'https://test.example.com/'
+
+
+def test_snapshot_command(mocker):
+ """Test snapshot-critical-paths command"""
+ from SupernaZeroTrust import snapshot_critical_paths_command
+
+ mock_client = mocker.Mock()
+ mock_client.snapshot_critical_paths.return_value = {'status': 'success'}
+
+ result = snapshot_critical_paths_command(mock_client)
+
+ assert result.outputs == {'status': 'success'}
+ assert 'SupernaZeroTrust.Snapshot.Result' in result.outputs_prefix
+
+
+def test_lockout_command(mocker):
+ """Test lockout-user command"""
+ from SupernaZeroTrust import lockout_user_command
+
+ mock_client = mocker.Mock()
+ mock_client.lockout_user.return_value = {'status': 'success'}
+
+ result = lockout_user_command(mock_client, {'username': 'testuser'})
+
+ assert result.outputs == {'status': 'success'}
+ assert 'SupernaZeroTrust.Lockout.Result' in result.outputs_prefix
+
+
+def test_unlock_command(mocker):
+ """Test unlock-user command"""
+ from SupernaZeroTrust import unlock_user_command
+
+ mock_client = mocker.Mock()
+ mock_client.unlock_user.return_value = {'status': 'success'}
+
+ result = unlock_user_command(mock_client, {'username': 'testuser'})
+
+ assert result.outputs == {'status': 'success'}
+ assert 'SupernaZeroTrust.Unlock.Result' in result.outputs_prefix
diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_Lockout.yml b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_Lockout.yml
new file mode 100644
index 000000000000..aeaa749d5b60
--- /dev/null
+++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_Lockout.yml
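Review bot: This test module cannot pass against the integration added in the same PR: it imports `snapshot_critical_paths_command`, `lockout_user_command` and `unlock_user_command`, while the module defines `snapshot_cmd`, `lockout_cmd` and `unlock_cmd`; `test_client_initialization` calls `Client(..., headers=...)` although `Client.__init__` takes `api_key` and no `headers` parameter; and the assertions expect `result.outputs == {'status': 'success'}` and a `.Result` suffix in `outputs_prefix`, whereas the commands return `{"Username": ..., "Result": ...}` under the prefix `SupernaZeroTrust.Lockout`. Align the tests with the real names and shapes as below, and consider asserting that the mock was called with the exact `username` so a future encoding change in the client is covered; `import pytest` is unused and can go.
```python
from SupernaZeroTrust import Client, snapshot_cmd, lockout_cmd, unlock_cmd


def test_client_initialization():
    client = Client(base_url='https://test.example.com', api_key='test-key', verify=False, proxy=False)
    assert client._base_url == 'https://test.example.com/'


def test_lockout_command(mocker):
    mock_client = mocker.Mock()
    mock_client.lockout_user.return_value = {'status': 'success'}
    result = lockout_cmd(mock_client, {'username': 'testuser'})
    mock_client.lockout_user.assert_called_once_with('testuser')
    assert result.outputs_prefix == 'SupernaZeroTrust.Lockout'
    assert result.outputs == {'Username': 'testuser', 'Result': {'status': 'success'}}
# … unchanged structure for test_snapshot_command / test_unlock_command, using snapshot_cmd / unlock_cmd and the Status/Message/Result and Username/Result shapes …
```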
@@ -0,0 +1,255 @@ +id: Superna Zero Trust Request User Storage Lockout +version: -1 +name: Superna Zero Trust Request User Storage Lockout +fromversion: 8.9.0 +description: Offers an input question to accept the userID that should be locked out of storage. This playbook can be run by any Secops workflow where the threat to data is increased and a proactive step to ensure no data can be destroyed or it can be used as step in a workflow when employees are leaving the company or have been terminated. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 8282f383-8434-46f4-8fdc-91b711d30d61 + type: start + task: + id: 8282f383-8434-46f4-8fdc-91b711d30d61 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": -170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: f1e2d3c4-b5a6-4978-8e9f-0a1b2c3d4e5f + type: condition + task: + id: f1e2d3c4-b5a6-4978-8e9f-0a1b2c3d4e5f + version: -1 + name: Is Superna Zero Trust integration enabled? 
+ description: Verify that the Superna Zero Trust integration is available before executing playbook + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "6" + scriptarguments: + brandname: + simple: SupernaZeroTrust + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": -50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 9aa29e1f-1021-47f3-8e86-6b9f12c99735 + type: title + task: + id: 9aa29e1f-1021-47f3-8e86-6b9f12c99735 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 2dc05c22-94ce-4f5d-80a7-76976eab1a80 + type: collection + task: + id: 2dc05c22-94ce-4f5d-80a7-76976eab1a80 + version: -1 + name: Prompt for userid + description: "" + type: collection + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 70 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + subject: + body: + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: 'Enter user ID in AD format domain\userID ' + required: true + gridcolumns: [] + defaultrows: [] + type: shortText + options: [] + optionsarg: [] + fieldassociated: "" + placeholder: example corp\username + tooltip: "" + readonly: false + 
title: User NAS lock out request + description: This workflow allows secOPS to request a user is locked out of NAS storage as a precaution and support SMB share auto permission detection to deny the specific user access to storage until the security threat can be resolve. + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: c8ff4cc9-8cdd-4759-8d9d-e267f8554456 + type: regular + task: + id: c8ff4cc9-8cdd-4759-8d9d-e267f8554456 + version: -1 + name: url encode userid + description: 'Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.' + scriptName: URLEncode + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + value: + simple: ${User NAS lock out request.Answers.0} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 250 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 3e4d9d94-3b66-4288-8210-8446ba586009 + type: regular + task: + id: 3e4d9d94-3b66-4288-8210-8446ba586009 + version: -1 + name: Superna Zero Trust Lockout User + description: Lock out a user from NAS storage access + script: SupernaZeroTrust|||superna-zt-lockout-user + type: regular + iscommand: true + brand: SupernaZeroTrust + nexttasks: + '#none#': + - "3" + scriptarguments: + username: + simple: ${User NAS lock out request.Answers.0} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + 
"dimensions": { + "height": 955, + "width": 380, + "x": 470, + "y": -170 + } + } + } +inputs: [] +outputs: [] +quiet: false +tests: +- No tests (auto formatted) diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_Lockout_README.md b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_Lockout_README.md new file mode 100644 index 000000000000..992e75166492 --- /dev/null +++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_Lockout_README.md 
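Review bot: Task 8 passes the raw form answer `${User NAS lock out request.Answers.0}` as `username`, so the URL encoding performed by task 7 is discarded and a `domain\userID` answer (the exact format the form requests) reaches the integration, which places it unencoded in the API path; either point task 8 at the URLEncode task's context output instead of the raw answer, or perform the encoding inside the integration and delete task 7. A storage lockout is a destructive containment action, and here it is gated only by whoever answers the data-collection form (`completeafterreplies: 1`) with no approval or ownership check before the command runs; if that is not the intended trust model, an explicit approval task between 6 and 8 would be the place for it. The form's `retriescount: 2` / `retriesinterval: 360` re-sends an unanswered request twice at that interval, which is worth confirming against the urgency expected of a lockout request.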
@@ -0,0 +1,44 @@ +# Superna Zero Trust Request User Storage Lockout + +## Overview + +Offers an input question to accept the userID that should be locked out of storage. This playbook can be run by any SecOps workflow where the threat to data is increased and a proactive step to ensure no data can be destroyed, or it can be used as a step in a workflow when employees are leaving the company or have been terminated. + +## Playbook Tasks + +1. **Start** - Initiates the playbook +2. **Prompt for userid** - Displays a form to collect the user ID in AD format (domain\userID) +3. **URL encode userid** - Encodes the user ID for API transmission +4. **Superna Zero Trust Lockout User** - Locks out the specified user from NAS storage access using the SupernaZeroTrust integration +5. **Done** - Completes the playbook + +## Inputs + +This playbook does not require predefined inputs. The user ID is collected interactively through a form prompt. + +## Interactive Form + +The playbook presents a collection task asking: + +- **Title**: User NAS lock out request +- **Question**: Enter user ID in AD format domain\userID +- **Placeholder**: example corp\username + +## Outputs + +The playbook stores the lockout operation result in the context path: + +- SupernaZeroTrust.Lockout.Result + +## Use Cases + +- Employee termination workflows +- Proactive data protection during elevated threat conditions +- Manual user access revocation by SecOps +- Compliance-driven access control +- Insider threat mitigation + +## Dependencies + +- SupernaZeroTrust integration must be configured +- User must have permissions to approve data protection actions diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_UnLockout.yml b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_UnLockout.yml new file mode 100644 index 000000000000..605e90f8a9ad --- /dev/null +++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_UnLockout.yml 
@@ -0,0 +1,255 @@ +id: Superna Zero Trust Request User Storage UnLockout +version: -1 +name: Superna Zero Trust Request User Storage UnLockout +fromversion: 8.9.0 +description: Offers an input question to accept the userID that should be unlocked out of storage. This playbook can be run by any Secops workflow to unlock a user that was previous locked out. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 8282f383-8434-46f4-8fdc-91b711d30d61 + type: start + task: + id: 8282f383-8434-46f4-8fdc-91b711d30d61 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": -170 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: a9b8c7d6-e5f4-4321-9876-fedcba098765 + type: condition + task: + id: a9b8c7d6-e5f4-4321-9876-fedcba098765 + version: -1 + name: Is Superna Zero Trust integration enabled? 
+ description: Verify that the Superna Zero Trust integration is available before executing playbook + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "6" + scriptarguments: + brandname: + simple: SupernaZeroTrust + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": -50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 9aa29e1f-1021-47f3-8e86-6b9f12c99735 + type: title + task: + id: 9aa29e1f-1021-47f3-8e86-6b9f12c99735 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 720 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: b4823fb0-a7a9-4c4d-8d87-6a694fc5f043 + type: collection + task: + id: b4823fb0-a7a9-4c4d-8d87-6a694fc5f043 + version: -1 + name: Prompt for userid + description: "" + type: collection + iscommand: false + brand: "" + nexttasks: + '#none#': + - "7" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 70 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + subject: + body: + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: 'Enter user ID in AD format domain\userID ' + required: true + gridcolumns: [] + defaultrows: [] + type: shortText + options: [] + optionsarg: [] + fieldassociated: "" + placeholder: example corp\username + tooltip: "" + readonly: false + 
title: User NAS unlock request + description: This workflow allows secOPS to request a user is locked out of NAS storage as a precaution and support SMB share auto permission detection to deny the specific user access to storage until the security threat can be resolve. + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 607201e1-b227-4e95-85e0-95456b744356 + type: regular + task: + id: 607201e1-b227-4e95-85e0-95456b744356 + version: -1 + name: url encode userid + description: 'Encodes a URL string by replacing special characters in the string using the %xx escape. For example: https://example.com converts to https:%2F%2Fexample.com.' + scriptName: URLEncode + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + value: + simple: ${User NAS unlock request.Answers.0} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 250 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 61def79d-4ad1-4a75-8b20-7bf5ca05d9a9 + type: regular + task: + id: 61def79d-4ad1-4a75-8b20-7bf5ca05d9a9 + version: -1 + name: Superna Zero Trust Unlock User + description: Unlock a user from NAS storage access + script: SupernaZeroTrust|||superna-zt-unlock-user + type: regular + iscommand: true + brand: SupernaZeroTrust + nexttasks: + '#none#': + - "3" + scriptarguments: + username: + simple: ${User NAS unlock request.Answers.0} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 470, + "y": 470 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": 
{ + "height": 955, + "width": 380, + "x": 470, + "y": -170 + } + } + } +inputs: [] +outputs: [] +quiet: false +tests: +- No tests (auto formatted) diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_UnLockout_README.md b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_UnLockout_README.md new file mode 100644 index 000000000000..cf788a0458f5 --- /dev/null +++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Request_User_Storage_UnLockout_README.md 
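Review bot: The data-collection form in task 6 carries a `description` copied from the lockout playbook ("request a user is locked out of NAS storage … deny the specific user access"), so the person answering an unlock request is told the opposite of what will happen; replace it with `description: This workflow allows SecOps to request that a previously locked-out user has NAS storage access restored once the security threat has been resolved.` As in the lockout playbook, task 8 passes the raw `${User NAS unlock request.Answers.0}` rather than the value URL-encoded by task 7, so the encoding step has no effect on the request and the backslash of a `domain\userID` answer reaches the API path as typed. Restoring access is itself a security decision; consider an approval step or at least recording who answered the form alongside the result.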
@@ -0,0 +1,45 @@ +# Superna Zero Trust Request User Storage UnLockout + +## Overview + +Offers an input question to accept the userID that should be unlocked from the storage. This playbook can be run by any SecOps workflow to allow a user that was previously locked out to have the lockout removed. + +## Playbook Tasks + +1. **Start** - Initiates the playbook +2. **Prompt for userid** - Displays a form to collect the user ID in AD format (domain\userID) +3. **URL encode userid** - Encodes the user ID for API transmission +4. **Superna Zero Trust Unlock User** - Unlocks the specified user to restore NAS storage access using the SupernaZeroTrust integration +5. **Done** - Completes the playbook + +## Inputs + +This playbook does not require predefined inputs. The user ID is collected interactively through a form prompt. + +## Interactive Form + +The playbook presents a collection task asking: + +- **Title**: User NAS unlock request +- **Question**: Enter user ID in AD format domain\userID +- **Placeholder**: example corp\username + +## Outputs + +The playbook stores the unlock operation result in the context path: + +- SupernaZeroTrust.Unlock.Result + +## Use Cases + +- Restoring access after security incident resolution +- Removing false positive lockouts +- Post-investigation access restoration +- Scheduled access reinstatement workflows +- Emergency access recovery + +## Dependencies + +- SupernaZeroTrust integration must be configured +- User must have permissions to approve data access restoration +- Previous lockout action must have been performed diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Snapshot.yml b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Snapshot.yml new file mode 100644 index 000000000000..34a1e491fe69 --- /dev/null +++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Snapshot.yml 
@@ -0,0 +1,189 @@ +id: Superna Zero Trust Snapshot +version: -1 +name: Superna Zero Trust Snapshot +description: |- + Creates a snapshot of Superna critical paths for ransomware rapid recovery. + This playbook should be triggered immediately upon detection of potential ransomware activity to preserve data state for recovery purposes. +fromversion: 8.9.0 +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 05b0f317-59b9-4035-8748-d77009b8018d + type: start + task: + id: 05b0f317-59b9-4035-8748-d77009b8018d + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 50 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d + type: condition + task: + id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d + version: -1 + name: Is Superna Zero Trust integration enabled? 
+ description: Verify that the Superna Zero Trust integration is available before executing playbook + scriptName: IsIntegrationAvailable + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "1" + scriptarguments: + brandname: + simple: SupernaZeroTrust + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 180 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: b704f7dd-6819-4110-8c9e-bfc553da9914 + type: regular + task: + id: b704f7dd-6819-4110-8c9e-bfc553da9914 + version: -1 + name: Superna Zero Trust Snapshot Critical Paths + description: Create a snapshot of Superna critical paths for ransomware rapid recovery + script: SupernaZeroTrust|||superna-zt-snapshot-critical-paths + type: regular + iscommand: true + brand: SupernaZeroTrust + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerror: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 350 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 8f2d4c3a-1b5e-4f9c-8d7e-2a3b4c5d6e7f + type: regular + task: + id: 8f2d4c3a-1b5e-4f9c-8d7e-2a3b4c5d6e7f + version: -1 + name: Display Snapshot Result + description: Display the result of the snapshot operation to the user + scriptName: Print + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + value: + simple: Status=${SupernaZeroTrust.Snapshot.Status}, Message=${SupernaZeroTrust.Snapshot.Message} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 520 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + 
isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 71ec020f-5769-4a95-8032-2e8a372bd92a + type: title + task: + id: 71ec020f-5769-4a95-8032-2e8a372bd92a + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 700 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 715, + "width": 380, + "x": 450, + "y": 50 + } + } + } +inputs: [] +outputs: [] +quiet: false +tests: +- No tests (auto formatted) diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Snapshot_README.md b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Snapshot_README.md new file mode 100644 index 000000000000..5452f28532db --- /dev/null +++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_Snapshot_README.md 
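Review bot: Task 1 sets `continueonerror: true`, so when `superna-zt-snapshot-critical-paths` raises for anything other than the 429 case the integration handles itself (authentication failure, unreachable SERA host, 5xx), the playbook still runs the Print task with an empty `${SupernaZeroTrust.Snapshot.Status}` and finishes at `Done` as if the snapshot existed — for a step meant to run on suspected ransomware, a silent failure is the worst outcome. Either drop `continueonerror: true` so the error stops the playbook, or add a condition task between 1 and 3 that branches to an error/notification path when `SupernaZeroTrust.Snapshot.Status` is absent. The Print task also reads `SupernaZeroTrust.Snapshot.Status` and `.Message`, which the integration YAML does not declare as command outputs; declaring them there makes the dependency visible to anyone editing the integration.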
@@ -0,0 +1,34 @@ +# Superna Zero Trust Snapshot + +## Overview + +You can run this playbook for any incident where data security is at risk and an immutable snapshot is needed to protect critical data. The snapshot can be used to recover data and Cyber Storage analytics from Security Edition can detect malicious data activity and log file access. This is necessary to root cause what data was affected by a security incident. + +## Playbook Tasks + +1. **Start** - Initiates the playbook +2. **Superna Zero Trust Snapshot Critical Paths** - Creates a snapshot of Superna critical paths for ransomware rapid recovery using the SupernaZeroTrust integration +3. **Done** - Completes the playbook + +## Inputs + +| **Name** | **Description** | **Required** | +| --- | --- | --- | +| username | Username from incident context | No | + +## Outputs + +The playbook stores the snapshot operation result in the context path: + +- SupernaZeroTrust.Snapshot.Result + +## Use Cases + +- Ransomware incident response +- Data breach investigation +- Critical data protection during security incidents +- Cyber storage analytics and forensics + +## Dependencies + +This playbook requires the SupernaZeroTrust integration to be configured with valid API credentials and base URL. diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_User_Lockout.yml b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_User_Lockout.yml new file mode 100644 index 000000000000..55233a11cfba --- /dev/null +++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_User_Lockout.yml 
@@ -0,0 +1,197 @@
+id: Superna Zero Trust User Lockout
+version: -1
+name: Superna Zero Trust User Lockout
+fromversion: 8.9.0
+description: 'Locks out a user from NAS storage access in response to Zero Trust incidents. Extracts the source username from the incident and executes lockout via Superna Zero Trust integration.'
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 8282f383-8434-46f4-8fdc-91b711d30d61
+ type: start
+ task:
+ id: 8282f383-8434-46f4-8fdc-91b711d30d61
+ version: -1
+ name: ""
+ description: ""
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "6"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 470,
+ "y": -170
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "6":
+ id: "6"
+ taskid: c9d8e7f6-a5b4-4c3d-9e8f-7a6b5c4d3e2f
+ type: condition
+ task:
+ id: c9d8e7f6-a5b4-4c3d-9e8f-7a6b5c4d3e2f
+ version: -1
+ name: Is Superna Zero Trust integration enabled?
+ description: Verify that the Superna Zero Trust integration is available before executing playbook
+ scriptName: IsIntegrationAvailable
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "3"
+ "yes":
+ - "5"
+ scriptarguments:
+ brandname:
+ simple: SupernaZeroTrust
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 470,
+ "y": -50
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "1":
+ id: "1"
+ taskid: 1522802c-11ea-4a49-8de3-22e0b71bba99
+ type: regular
+ task:
+ id: 1522802c-11ea-4a49-8de3-22e0b71bba99
+ version: -1
+ name: Superna Zero Trust Lockout User
+ description: Lock out a user from NAS storage access
+ script: SupernaZeroTrust|||superna-zt-lockout-user
+ type: regular
+ iscommand: true
+ brand: SupernaZeroTrust
+ nexttasks:
+ '#none#':
+ - "3"
+ scriptarguments:
+ username:
+ simple: ${inputs.username}
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 460,
+ "y": 250
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "3":
+ id: "3"
+ taskid: 9aa29e1f-1021-47f3-8e86-6b9f12c99735
+ type: title
+ task:
+ id: 9aa29e1f-1021-47f3-8e86-6b9f12c99735
+ version: -1
+ name: Done
+ type: title
+ description: ""
+ iscommand: false
+ brand: ""
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 460,
+ "y": 500
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "5":
+ id: "5"
+ taskid: 8e672319-aa07-41c9-8c54-273050485749
+ type: regular
+ task:
+ id: 8e672319-aa07-41c9-8c54-273050485749
+ version: -1
+ name: print inputs to API task
+ description: Prints text to war room (Markdown supported)
+ scriptName: Print
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "1"
+ scriptarguments:
+ value:
+ simple: Locking out user ${inputs.username}
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 470,
+ "y": 80
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 2
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 735,
+ "width": 390,
+ "x": 460,
+ "y": -170
+ }
+ }
+ }
+inputs:
+- key: username
+ value:
+ complex:
+ root: incident
+ accessor: sourceusername
+ required: false
+ description: The source user name is populated by Superna Zero trust webhook integration
+ playbookInputQuery:
+outputs: []
+quiet: false
+tests:
+- No tests (auto formatted)
diff --git a/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_User_Lockout_README.md b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_User_Lockout_README.md
new file mode 100644
index 000000000000..6098cc82ad74
--- /dev/null
+++ b/Packs/SupernaZeroTrust/Playbooks/Superna_Zero_Trust_User_Lockout_README.md
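Review bot: Task `"1"` hands `${inputs.username}` to `superna-zt-lockout-user` without any check that the value is populated: the `username` input is declared `required: false` and is filled from `incident.sourceusername`, so an incident that lacks that field still passes task `"6"`, reaches task `"5"` and then issues the lockout call with an empty username. The smallest fix is `required: true` on the input; if it must stay optional, a condition task between `"6"` and `"5"` that routes an empty `${inputs.username}` to `"3"` would stop the empty request before it leaves the playbook. The `#default#` branch of task `"6"` also goes straight to Done with no war-room message, so a missing or disabled integration ends the playbook silently; a Print task on that branch would make the outcome visible to the analyst. The README hunk that follows describes task `"5"` as displaying the API URL as well as the username, while its `value` prints only `Locking out user ${inputs.username}`; one of the two should be aligned with the other.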
@@ -0,0 +1,36 @@
+# Superna Zero Trust User Lockout
+
+## Overview
+
+You can run this playbook for any Superna Zero Trust created alerts, as this playbook depends on the customer userID field to exist in the incident. If lockout mode in Superna Security Edition is not enabled, this allows SecOps to decide when a user lockout should occur. This moves the responsibility of data protection decisions to the SecOps team versus the storage team.
+
+## Playbook Tasks
+
+1. **Start** - Initiates the playbook
+2. **Print inputs to API task** - Displays the API URL and username for verification
+3. **Superna Zero Trust Lockout User** - Locks out the specified user from NAS storage access using the SupernaZeroTrust integration
+4. **Done** - Completes the playbook
+
+## Inputs
+
+| **Name** | **Description** | **Required** |
+| --- | --- | --- |
+| username | Source username from the incident (incident.sourceusername). This field is populated by Superna Zero Trust webhook integration. | No |
+
+## Outputs
+
+The playbook stores the lockout operation result in the context path:
+
+- SupernaZeroTrust.Lockout.Result
+
+## Use Cases
+
+- Automated response to Superna Zero Trust alerts
+- User access revocation during active security incidents
+- Immediate containment of compromised user accounts
+- Zero Trust enforcement for NAS storage
+
+## Dependencies
+
+- SupernaZeroTrust integration must be configured
+- The incident must contain a sourceusername field populated by Superna Zero Trust webhook
diff --git a/Packs/SupernaZeroTrust/README.md b/Packs/SupernaZeroTrust/README.md
new file mode 100644
index 000000000000..d2c201af410c
--- /dev/null
+++ b/Packs/SupernaZeroTrust/README.md
@@ -0,0 +1,47 @@
+# Superna Zero Trust
+
+This content pack provides a **Superna Zero Trust** integration and supporting playbooks for ransomware containment workflows.
+
+## Integration Instance Configuration
+
+Create an instance of **Superna Zero Trust** and set:
+
+- **API URL**: Base URL of your Superna SERA/Zero Trust server (for example `https://sera.example.local`)
+- **API Key**: Stored securely using the **Authentication** parameter type (credentials store)
+
+## Commands
+
+- `!superna-zt-snapshot-critical-paths`
+- `!superna-zt-lockout-user username=`
+- `!superna-zt-unlock-user username=`
+
+## Playbooks included
+
+- Superna Zero Trust Snapshot
+- Superna Zero Trust Request User Storage Lockout
+- Superna Zero Trust Request User Storage UnLockout
+- Superna Zero Trust User Lockout
+
+### Pack Contributors:
+
+---
+
+- Superna
+
+Contributions are welcome and appreciated. For more info, visit our [Contribution Guide](https://xsoar.pan.dev/docs/contributing/contributing).
+
+### Pack Contributors:
+
+---
+
+- Superna
+
+Contributions are welcome and appreciated. For more info, visit our [Contribution Guide](https://xsoar.pan.dev/docs/contributing/contributing).
+
+### Pack Contributors:
+
+---
+
+- Superna
+
+Contributions are welcome and appreciated. For more info, visit our [Contribution Guide](https://xsoar.pan.dev/docs/contributing/contributing).
\ No newline at end of file
diff --git a/Packs/SupernaZeroTrust/SupernaZeroTrust_image.png b/Packs/SupernaZeroTrust/SupernaZeroTrust_image.png
new file mode 100644
index 000000000000..bd262dd31759
Binary files /dev/null and b/Packs/SupernaZeroTrust/SupernaZeroTrust_image.png differ
diff --git a/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Request_User_Storage_Lockout.png b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Request_User_Storage_Lockout.png
new file mode 100644
index 000000000000..d865de98242d
Binary files /dev/null and b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Request_User_Storage_Lockout.png differ
diff --git a/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Request_User_Storage_UnLockout.png b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Request_User_Storage_UnLockout.png
new file mode 100644
index 000000000000..149dfd0d232f
Binary files /dev/null and b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Request_User_Storage_UnLockout.png differ
diff --git a/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Snapshot.png b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Snapshot.png
new file mode 100644
index 000000000000..1a8051da8c06
Binary files /dev/null and b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_Snapshot.png differ
diff --git a/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_User_Lockout.png b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_User_Lockout.png
new file mode 100644
index 000000000000..ac18453612c5
Binary files /dev/null and b/Packs/SupernaZeroTrust/doc_files/Superna_Zero_Trust_User_Lockout.png differ
diff --git a/Packs/SupernaZeroTrust/pack_metadata.json b/Packs/SupernaZeroTrust/pack_metadata.json
new file mode 100644
index 000000000000..f9f4d4dc8c77
--- /dev/null
+++ b/Packs/SupernaZeroTrust/pack_metadata.json
@@ -0,0 +1,31 @@
+{
+ "name": "Superna Zero Trust",
+ "description": "Automate ransomware response: critical path snapshots and user NAS lockout/unlock via secure API integration.",
+ "support": "partner",
+ "currentVersion": "1.0.0",
+ "author": "Superna",
+ "url": "https://www.superna.io",
+ "email": "support@superna.io",
+ "partnerId": "2989092",
+ "categories": [
+ "Incident Response",
+ "Network Security"
+ ],
+ "tags": [],
+ "useCases": [
+ "Ransomware",
+ "Incident Response"
+ ],
+ "keywords": [
+ "superna",
+ "zero trust",
+ "nas",
+ "lockout",
+ "unlock",
+ "critical paths"
+ ],
+ "marketplaces": [
+ "xsoar",
+ "xsoar_saas"
+ ]
+}
\ No newline at end of file