diff --git a/playbooks/detect/webhook_alerts/elastic.yml b/playbooks/detect/webhook_alerts/elastic.yml
deleted file mode 100644
index 5ab003c8e..000000000
--- a/playbooks/detect/webhook_alerts/elastic.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-definition:
- title: Receive Elastic Security alerts
- description: |
- Receives alerts from Elastic Security custom webhook connector.
- Requires the body of the Connector Action to be defined as:
- {
- "ndjson": "{{#context.alerts}}{{{.}}}{{/context.alerts}}"
- }
- Triggers a child workflow for each alert in the ndjson payload.
- entrypoint:
- ref: deserialize_elastic_alerts
- expects:
- ndjson:
- type: str
- description: A newline-delimited JSON string containing alerts
- triggers:
- - type: webhook
- ref: receive_elastic_alerts
- entrypoint: deserialize_elastic_alerts
- inputs:
- child_workflow_id: REPLACE_WITH_CHILD_WORKFLOW_ID
- limit: 10
- batch_size: 10
-
- actions:
- - ref: deserialize_elastic_alerts
- action: core.transform.reshape
- args:
- value:
- alerts: ${{ FN.deserialize_ndjson(TRIGGER.ndjson) }}
- - ref: redirect_elastic_alerts
- action: core.workflow.execute
- depends_on:
- - deserialize_elastic_alerts
- for_each: ${{ for var.alert in ACTIONS.deserialize_elastic_alerts.result }}
- args:
- workflow_id: ${{ INPUTS.child_workflow_id }}
- loop_strategy: parallel
- fail_strategy: isolated
- batch_size: ${{ INPUTS.batch_size }}
- trigger_inputs:
- title: ${{ var.alert.message }}
- integration: Elastic Security
- alert: ${{ var.alert }}
- severity: ${{ var.alert.event.severity }}
diff --git a/playbooks/detect/webhook_alerts/panther.yml b/playbooks/detect/webhook_alerts/panther.yml
deleted file mode 100644
index 99e192098..000000000
--- a/playbooks/detect/webhook_alerts/panther.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-definition:
- title: Receive Panther alert
- description: |
- Receive a Panther alert, convert `createdAt` string to datetime, and deserialize `alertContext` JSON object.
- entrypoint:
- ref: deserialize_alert
- expects:
- id:
- type: str
- description: Unique identifier for the alert
- createdAt:
- type: str
- description: Timestamp when the alert was created
- severity:
- type: str
- description: Severity level of the alert
- type:
- type: str
- description: Type of the alert
- link:
- type: str
- description: Link to the alert details
- title:
- type: str
- description: Title of the alert
- name:
- type: str
- description: Name associated with the alert
- alertId:
- type: str
- description: Alert identifier
- description:
- type: str
- description: Description of the alert
- runbook:
- type: str
- description: Runbook associated with the alert
- tags:
- type: list[str]
- description: Tags associated with the alert
- version:
- type: str
- description: Version of the alert
- alertContext:
- type: str
- description: Serialized JSON object containing additional context for the alert
- triggers:
- - type: webhook
- ref: receive_panther_alert
- entrypoint: deserialize_alert
-
- actions:
- - ref: deserialize_alert
- action: core.transform.reshape
- args:
- value:
- id: ${{ TRIGGER.id}}
- createdAt: ${{ FN.to_datetime(TRIGGER.createdAt)}}
- severity: ${{ TRIGGER.severity}}
- type: ${{ TRIGGER.type}}
- link: ${{ TRIGGER.link}}
- title: ${{ TRIGGER.title}}
- name: ${{ TRIGGER.name}}
- alertId: ${{ TRIGGER.alertId}}
- description: ${{ TRIGGER.description}}
- runbook: ${{ TRIGGER.runbook}}
- tags: ${{ TRIGGER.tags}}
- version: ${{ TRIGGER.version}}
- alertContext: ${{ FN.deserialize_json(TRIGGER.alertContext)}}
diff --git a/playbooks/respond/notify_users/slack.yml b/playbooks/respond/notify_users/slack.yml
deleted file mode 100644
index 3e2a42e0f..000000000
--- a/playbooks/respond/notify_users/slack.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-definition:
- title: Send alert to Slack
- description: |
- Receives a object with `alert` (Elastic Common Schema formatted)
- and `severity` fields and sends it to Slack. The Slack notification
- includes a dropdown of options for the user to take action on the alert.
- entrypoint:
- ref: send_to_slack
- expects:
- title:
- type: str
- description: The title of the alert
- integration:
- type: str
- description: The integration that triggered the alert
- alert:
- type: any
- description: The alert object in Elastic Common Schema format
- severity:
- type: str
- description: The severity level of the alert
- triggers:
- - type: webhook
- ref: receive_alert
- entrypoint: send_to_slack
- inputs:
- # ID to uniquely identify the actions in this playbook
- slack_actions_id: alert-from-tracecat
-
- actions:
- - ref: send_to_slack
- action: integrations.slack.post_message
- args:
- channel: ${{ SECRETS.slack.SLACK_CHANNEL }}
- text: 🚨 *An alert has been raised in ${{ TRIGGER.integration }}*
- blocks:
- - type: header
- text:
- type: plain_text
- text: ${{ TRIGGER.title }}
- emoji: true
- - type: divider
- - type: context
- elements:
- - type: plain_text
- text: ${{ TRIGGER.alert.message }}
- emoji: true
- - type: divider
- - type: section
- fields:
- - type: mrkdwn
- text: "*Severity:*\n${{ TRIGGER.severity }}"
- - type: mrkdwn
- text: "*When:*\n${{ TRIGGER.alert.['@timestamp'] }}"
- - type: mrkdwn
- text: "*Source:*\n${{ FN.prettify_json(TRIGGER.alert.source) }}"
- - type: mrkdwn
- text: "*User:*\n${{ FN.prettify_json(TRIGGER.alert.user) }}"
- - type: divider
- - type: context
- elements:
- - type: plain_text
- text: "Respond to alert?"
- emoji: true
- - type: actions
- block_id: ${{ INPUTS.slack_actions_id }}
- elements:
- - type: button
- text:
- type: plain_text
- emoji: true
- text: Accept
- style: primary
- value: accept
- - type: button
- text:
- type: plain_text
- emoji: true
- text: Reject
- style: danger
- value: reject