diff --git a/Packs/CortexResponseAndRemediation/.pack-ignore b/Packs/CortexResponseAndRemediation/.pack-ignore
index a762b2e2f08..2a3a553f998 100644
--- a/Packs/CortexResponseAndRemediation/.pack-ignore
+++ b/Packs/CortexResponseAndRemediation/.pack-ignore
@@ -1,12 +1,19 @@
 [file:playbook-Azure_AD_account_unlock_or_password_reset.yml]
 ignore=GR103
+[file:silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml]
+ignore=GR103
+
 [file:silent-playbook-Authentication_method_added_to_an_Azure_account.yml]
 ignore=GR103
 [file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml]
 ignore=PB106
+[file:silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml]
+ignore=PB106
+
+
 [file:README.md]
 ignore=RM104,RM106
@@ -14,10 +21,18 @@ ignore=RM104,RM106
 [file:playbook-Suspicious_Hidden_User_Created.yml]
 ignore=GR103
+# See CIAC-7711, CIAC-11954
+[file:silent-playbook-Suspicious_Hidden_User_Created_Test.yml]
+ignore=GR103
+
 # See CIAC-7711, CIAC-11954
 [file:playbook-Suspicious_Local_Administrator_Login.yml]
 ignore=GR103
+# See CIAC-7711, CIAC-11954
+[file:silent-playbook-Suspicious_Local_Administrator_Login_Test.yml]
+ignore=GR103
+
 # See CIAC-7711, CIAC-11954
 [file:silent-playbook-MFA_was_disabled_for_an_Azure_identity.yml]
 ignore=GR103
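Review bot: The Google Workspace block in the first hunk ends with two added blank lines (`+ignore=PB106` followed by two empty `+` lines), while every other entry in the file is separated by a single blank line; drop one of them. The new GR103 entry for the Azure AD test playbook in the same hunk could also carry the `# See CIAC-7711, CIAC-11954` comment that the second hunk adds above its GR103 entries, and the PB106 entry a one-line reason of its own, so that each suppression stays traceable to why it was added. The second hunk itself is consistent with the surrounding entries.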
@@ -26,18 +41,34 @@ ignore=GR103
 [file:playbook-Excessive_User_Account_Lockouts.yml]
 ignore=GR103
+# See CIAC-7711, CIAC-11954
+[file:silent-playbook-Excessive_User_Account_Lockouts_Test.yml]
+ignore=GR103
+
 # GR103 is temporary, see CIAC-11954
 [file:playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml]
 ignore=GR103
+# GR103 is temporary, see CIAC-11954
+[file:silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml]
+ignore=GR103
+
 # GR103 fails on SearchAlertsv2
 [file:playbook-A_user_executed_multiple_LDAP_enumeration_queries.yml]
 ignore=GR103
+# GR103 fails on SearchAlertsv2
+[file:silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml]
+ignore=GR103
+
 # GR103 fails on SearchAlertsv2
 [file:playbook-SSO_Authentication_With_Suspicious_Characteristics.yml]
 ignore=GR103
+# GR103 fails on SearchAlertsv2
+[file:silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml]
+ignore=GR103
+
 # GR103 fails on SearchAlertsv2
 [file:silent-SPNs_cleared_from_a_machine_account.yml]
 ignore=GR103
diff --git a/Packs/CortexResponseAndRemediation/.secrets-ignore b/Packs/CortexResponseAndRemediation/.secrets-ignore
index dd51812b365..a18adeab1d7 100644
--- a/Packs/CortexResponseAndRemediation/.secrets-ignore
+++ b/Packs/CortexResponseAndRemediation/.secrets-ignore
@@ -1,6 +1,7 @@
 1.1.1.1
 2.2.2.2
 8.8.8.8
+440
 3.3.3.3
 5.5.5.5
 0.0.0.0
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
new file mode 100644
index 00000000000..af0245035b7
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
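Review bot: The new `.secrets-ignore` entry `440` is a bare number with nothing recording which finding it silences; the only `440` visible in this diff is the `"x": 440` layout coordinate inside the `view` strings of the Google Workspace playbook, so it presumably suppresses a false positive from there. A pack-wide allow-list entry this short is broad, since any future file in the pack containing that token will be skipped by the secrets check as well, and nobody reading the file later can tell whether it is safe to remove. If the format allows it, scope the ignore to the playbook file, or at least state the reason in the PR description so the entry stays traceable.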
@@ -0,0 +1,702 @@ +description: "This playbook is designed to handle the following alert:\n\n- A successful\ + \ login from TOR\n\nThe playbook executes the following stages:\n\nTriage:\n\n-\ + \ The playbook will fetch the user identity details.\n\nRemediation & Eradication:\n\ + \n- The playbooks will suggest several actions for the analyst to take: disabling\ + \ the user account using Active Directory or Azure Active Directory, expiring the\ + \ user password using Active Directory, or blocking traffic from TOR exit nodes\ + \ using PAN-OS and Palo Alto Networks' predefined EDL.\n\nThe analyst can select\ + \ multiple actions, which will then be executed by the playbook based on the analyst's\ + \ choices.\n\nRequirements: \nFor any response action, you will need one of the\ + \ following integrations: Azure Active Directory Users / Active Directory Users." +fromversion: 8.9.0 +id: silent-A Successful login from TOR Test +inputs: [] +issilent: true +name: silent-A Successful login from TOR Test +outputs: [] +starttaskid: '0' +tags: +- TA0001 - Initial Access +- T1090 - Proxy +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 31ec7e08-1f47-4c7c-8152-2892e9e547a9 + iscommand: false + name: '' + version: -1 + taskid: 31ec7e08-1f47-4c7c-8152-2892e9e547a9 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -70\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d792840b-3502-4cc8-87c4-2f02e5661e06 + iscommand: false + name: Containment & Eradication + type: title + version: 
-1 + taskid: d792840b-3502-4cc8-87c4-2f02e5661e06 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 360\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '4' + note: true + quietmode: 0 + scriptarguments: + sAMAccountName: + simple: ${Core.OriginalAlert.event.login_data_dst_normalized_user.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieves detailed information about a user account. The user can + be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filter is specified, all users are returned. + id: b5b43e75-8fc6-4216-8302-8bfffe18b6b7 + iscommand: true + name: Active Directory - Search User + script: '|||ad-get-user' + type: regular + version: -1 + taskid: b5b43e75-8fc6-4216-8302-8bfffe18b6b7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 660\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${ActiveDirectory.Users.sAMAccountName} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disables an Active Directory user account. 
+ id: 8729df19-7078-4516-826d-0566d3be66d8 + iscommand: true + name: Active Directory - Disable User Account + script: '|||ad-disable-account' + type: regular + version: -1 + taskid: 8729df19-7078-4516-826d-0566d3be66d8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 990\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: a402f3c4-396d-4962-8210-267d645ad480 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: a402f3c4-396d-4962-8210-267d645ad480 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1640\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a5cfd092-601a-4ff2-8f25-7cabd460ec84 + iscommand: false + name: Done + type: title + version: -1 + taskid: a5cfd092-601a-4ff2-8f25-7cabd460ec84 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1800\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${Core.OriginalAlert.event.login_data_dst_normalized_user.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Expires the password of an Active Directory user. 
+ id: a6e46587-a13a-4ca9-8276-199a1743d113 + iscommand: true + name: Active Directory - Expire User Password + script: '|||ad-expire-password' + type: regular + version: -1 + taskid: a6e46587-a13a-4ca9-8276-199a1743d113 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -460,\n \"y\": 990\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. + id: 82ced8bc-aea8-486b-8f86-374b6254bc37 + iscommand: true + name: Get User Identity Details + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 82ced8bc-aea8-486b-8f86-374b6254bc37 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 200\n }\n}" + '19': + continueonerror: true + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: true + quietmode: 0 + scriptarguments: + filter: + simple: startswith(userPrincipalName,'${Core.OriginalAlert.event.login_data_dst_normalized_user.username}@') + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Retrieves a list of user objects. + + Permissions: - User.ReadBasic.All (Delegated) - User.Read.All (Application).' 
+ id: f0c501d7-19d6-4ef6-8864-980df56d8132 + iscommand: true + name: Azure AD - Search User + script: '|||msgraph-user-list' + type: regular + version: -1 + taskid: f0c501d7-19d6-4ef6-8864-980df56d8132 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 660\n }\n}" + '2': + continueonerrortype: '' + form: + description: '' + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Select containment plan for the user ${alert.username.[0]} + options: [] + optionsarg: + - {} + - simple: Disable the user account + - simple: Expire the user password (Active Directory Only) + placeholder: '' + readonly: false + required: false + tooltip: '' + type: multiSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '1' + label: '' + labelarg: + simple: "Would you like to block traffic from TOR exit nodes using PAN-OS\ + \ and Palo Alto Networks predefined EDL. \nNOTICE: By selecting \"Yes,\ + \ commit automatically\" you are allowing to automatically commit the\ + \ rule to your firewalls." 
+ options: [] + optionsarg: + - simple: 'No' + - simple: Yes, commit manually + - simple: Yes, commit automatically + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Select containment & Eradication plans + totalanswers: 0 + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '8' + - '19' + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 331cade7-b3e9-4a82-8cf8-1ee613a71d7c + iscommand: false + name: Select containment & Eradication plans + type: collection + version: -1 + taskid: 331cade7-b3e9-4a82-8cf8-1ee613a71d7c + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 490\n }\n}" + '20': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.0 + operator: containsGeneral + right: + value: + simple: Disable the user account + - - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + 'yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f5edf591-d22f-4306-8852-4f8d17ffee3f + iscommand: false + name: Disable User Account? 
+ type: condition + version: -1 + taskid: f5edf591-d22f-4306-8852-4f8d17ffee3f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 820\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: 1adf22f2-87e0-415b-8aad-495172d41031 + iscommand: true + name: Azure AD - Disable User Account + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 1adf22f2-87e0-415b-8aad-495172d41031 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 990\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 964e5b3e-f677-43bd-87f8-84e400da8a36 + iscommand: false + name: Triage + type: title + version: -1 + taskid: 964e5b3e-f677-43bd-87f8-84e400da8a36 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 60\n }\n}" + '3': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.0 + operator: containsGeneral + right: + value: + simple: Disable the user account + - - left: + iscontext: true + value: + simple: ActiveDirectory.Users.sAMAccountName + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '3' + 
ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + 'yes': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9e1167c7-f6f3-4230-8db0-ef2f65c915b7 + iscommand: false + name: Disable User Account? + type: condition + version: -1 + taskid: 9e1167c7-f6f3-4230-8db0-ef2f65c915b7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 830\n }\n}" + '4': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.0 + operator: containsGeneral + right: + value: + simple: Expire the user password (Active Directory Only) + - - left: + iscontext: true + value: + simple: ActiveDirectory.Users.sAMAccountName + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + 'yes': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 08e40ba9-ff3b-4bdf-809c-914a919a54fa + iscommand: false + name: Expire User Password? 
+ type: condition + version: -1 + taskid: 08e40ba9-ff3b-4bdf-809c-914a919a54fa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -460,\n \"y\": 830\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.1 + operator: containsGeneral + right: + value: + simple: Yes, commit automatically + - ignorecase: true + left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.1 + operator: containsGeneral + right: + value: + simple: Yes, commit manually + label: 'yes' + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b31d6055-ca01-444c-8587-c9b76b4fed78 + iscommand: false + name: Block Traffic From TOR Exit Nodes? 
+ type: condition + version: -1 + taskid: b31d6055-ca01-444c-8587-c9b76b4fed78 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1300\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: 'No' + equals: {} + lhs: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.1 + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: Yes, commit automatically + rhsB: {} + then: + value: + simple: 'Yes' + operator: If-Then-Else + EDLName: + simple: panw-torexit-ip-list + RuleName: + simple: TOR Exit nodes from predefined EDLs was Blocked by Cortex XSIAM + separatecontext: true + skipunavailable: true + task: + brand: '' + description: This playbook blocks IP addresses from External Dynamic List using + Custom Block Rules in Palo Alto Networks Panorama or Firewall. The playbook + receives an EDL name as input, creates a custom "from" directional rule to + block, and commits the configuration. 
+ id: 4e9d89fa-2d50-46c7-8e68-b33cda0f4dbe + iscommand: false + name: PAN-OS - Block IPs From EDL - Custom Block Rule + playbookId: PAN-OS - Block IPs From EDL - Custom Block Rule + type: playbook + version: -1 + taskid: 4e9d89fa-2d50-46c7-8e68-b33cda0f4dbe + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 880,\n \"y\": 1470\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 16e0ff95-8ea1-4a5c-84a5-45b385dd19ff + iscommand: false + name: Eradication + type: title + version: -1 + taskid: 16e0ff95-8ea1-4a5c-84a5-45b385dd19ff + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1160\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"20_8_#default#\": 0.23,\n \"3_12_yes\"\ + : 0.7,\n \"3_8_#default#\": 0.43,\n \"4_8_#default#\": 0.23,\n \"5_7_yes\"\ + : 0.51\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 1935,\n \ + \ \"width\": 1720,\n \"x\": -460,\n \"y\": -70\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml new file mode 100644 index 00000000000..edd1d8cde74 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml 
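Review bot: Task '15' (Active Directory - Expire User Password) passes `${Core.OriginalAlert.event.login_data_dst_normalized_user.username}` as `username`, while the sibling task '12' (Disable User Account) and the gating condition in task '4' both rely on the resolved `ActiveDirectory.Users.sAMAccountName`; expiring the password by the raw alert value bypasses the lookup the condition just required. Unless the difference is intentional, use `simple: ${ActiveDirectory.Users.sAMAccountName}` in task '15' so both AD actions operate on the account that was actually found. Separately, the 'Eradication' title task '8' carries `brand: Builtin` and `description: commands.local.cmd.close.inv`, which look copied from the Close Alert task '13'; the other title tasks ('1', '14', '23') use `brand: ''` and `description: ''`, and task '8' should match since it is not a command.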
@@ -0,0 +1,1601 @@ +description: "This playbook addresses the following alerts:\n\n- A mail forwarding\ + \ rule was configured in Google Workspace.\n- A mail forwarding rule was configured\ + \ in Google Workspace to an uncommon domain.\n\nPlaybook Stages:\n \nTriage: \n\n\ + - The playbook retrieves the caller's IP, the forwarding email address, and associated\ + \ filters.\n\nEarly Containment:\n\n- The playbook checks if the IP or domain of\ + \ the forwarding email address is malicious. If so, it suggests blocking the IP\ + \ using PAN-OS while continuing the investigation in parallel.\n\nInvestigation:\n\ + \n- The playbook verifies if the rule was created outside of working hours or from\ + \ an unusual geolocation and extracts suspicious keywords from the forwarding rules.\ + \ It then aggregates all evidence collected during the investigation.\n\nContainment:\n\ + \n- If only one suspicious evidence is found, the playbook executes soft response\ + \ actions, including signing the user out and deleting the forwarding email address\ + \ from the user account mailbox. The user will be notified of these actions via\ + \ email.\n- If multiple suspicious evidences are found, the playbook executes both\ + \ soft and hard response actions, recommending the analyst suspend the user account.\n\ + \nRequirements: \n\nFor any response action, you need one of the following integrations:\n\ + - Gmail integration to fetch filters and remove the forwarding email address.\n\ + - Google Workspace Admin access to sign out and suspend the user account.\n" +fromversion: 8.9.0 +id: silent-A mail forwarding rule was configured in Google Workspace Test +inputSections: +- description: Generic group for inputs + inputs: + - SendNotification + name: General (Inputs group) +inputs: +- description: If set to "true," the playbook will send an email notification to the + user informing them that the forwarding address was deleted. If "false," no notification + will be sent. 
+ key: SendNotification + playbookInputQuery: null + required: false + value: + simple: 'true' +issilent: true +marketplaces: +- marketplacev2 +name: silent-A mail forwarding rule was configured in Google Workspace Test +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0009 - Collection +- T1114 - Email Collection +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f54996ae-66c2-4d51-8fe3-a1ad489e4afb + iscommand: false + name: '' + version: -1 + taskid: f54996ae-66c2-4d51-8fe3-a1ad489e4afb + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -20\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '2' + - '12' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 586f11c0-89b5-4c58-86df-36aa1af4305d + iscommand: true + name: Get caller IP and forwarding mail address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 586f11c0-89b5-4c58-86df-36aa1af4305d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 110\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + scriptarguments: + forwarding_email: + simple: ${Core.OriginalAlert.event.raw_log.events.parameters.value} + user_id: + simple: ${Core.OriginalAlert.event.raw_log.actor.profileId} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Gets the specified forwarding address or a list of the forwarding + addresses for the specified account. + id: f636844f-1e17-47eb-8b12-e862f2863b85 + iscommand: true + name: Gmail - Get forwarding email address + script: '|||gmail-forwarding-address-get' + type: regular + version: -1 + taskid: f636844f-1e17-47eb-8b12-e862f2863b85 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1530\n }\n}" + '12': + continueonerror: true + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: caller_ip + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 4a1a1abf-ed23-4539-892a-03f8111fb08c + iscommand: true + name: Get caller IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 4a1a1abf-ed23-4539-892a-03f8111fb08c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 280\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 23be2a95-6283-4e18-865a-9ce05445701f + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 23be2a95-6283-4e18-865a-9ce05445701f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 810\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + complex: + accessor: caller_ip + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. 
If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' + id: f0dd7de0-9eac-4e6f-86a1-dd9ff4dc93f6 + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: f0dd7de0-9eac-4e6f-86a1-dd9ff4dc93f6 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 945\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + closeReason: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs != rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: Resolved as FALSE_POSITIVE - Handled by the playbook "A + mail forwarding rule was configured in Google Workspace" + equals: {} + lhs: + iscontext: true + value: + simple: Evidences + lhsB: {} + options: {} + optionsB: {} + rhs: {} + rhsB: {} + then: + value: + simple: Resolved as TRUE_POSITIVE - Handled by the playbook "A mail + forwarding rule was configured in Google Workspace" + operator: If-Then-Else + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 3028fe8a-9e44-4203-8458-c6be36fc42a7 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 3028fe8a-9e44-4203-8458-c6be36fc42a7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2410\n }\n}" + '18': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Gmail.ForwardingAddress.forwardingEmail + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '18' + ignoreworker: false + 
isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: de8e5625-536a-4bb9-8bdc-70ee14eb72ff + iscommand: false + name: Check if the forwarding mail address still exists + type: condition + version: -1 + taskid: de8e5625-536a-4bb9-8bdc-70ee14eb72ff + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1690\n }\n}" + '2': + continueonerror: true + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: value + root: Core.OriginalAlert.event.raw_log.events.parameters + transformers: + - args: + delimiter: + value: + simple: '@' + fields: + value: + simple: '2' + operator: Cut + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the reputation of a domain. 
+ id: bfb51251-f775-4f54-8ad2-20a46e1f1ac0 + iscommand: true + name: Get forwarding email domain reputation + script: '|||domain' + type: regular + version: -1 + taskid: bfb51251-f775-4f54-8ad2-20a46e1f1ac0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 280\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fe775a32-55a3-45a0-8502-c6e319e7ae91 + iscommand: false + name: Done + type: title + version: -1 + taskid: fe775a32-55a3-45a0-8502-c6e319e7ae91 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2570\n }\n}" + '21': + continueonerror: true + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + scriptarguments: + begin_time: + simple: '22:00:00' + end_time: + simple: 06:00:00 + extend-context: + simple: IsOutOfWorkingHours= + value: + complex: + accessor: event_timestamp + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: TimeStampToDate + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the given value is within the specified time (hour) + range. 
+ id: 252d8473-0602-420c-8fef-df880efcc695 + iscommand: false + name: Check if the rule was created outside of working hours + scriptName: BetweenHours + type: regular + version: -1 + taskid: 252d8473-0602-420c-8fef-df880efcc695 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 765\n }\n}" + '22': + continueonerror: true + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: IsAbnormalGeolocation= + left: + simple: ${Core.OriginalAlert.raw_abioc.event.saas_caller_ip_geolocation_days_seen_count},${Core.OriginalAlert.raw_abioc.event.service_caller_ip_asn_days_seen_count} + right: + simple: '0' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Returns all elements from the left side that have a substring + that is equal to an element from the right side. Note: This filter is case-insensitive. + + E.g -AnyMatch left=baby right=A will return baby. For more examples see the + filter''s Readme.' + id: a1b2240d-c96c-46a2-8749-c94f8a214538 + iscommand: false + name: Check for unusual geolocation connections + scriptName: AnyMatch + type: regular + version: -1 + taskid: a1b2240d-c96c-46a2-8749-c94f8a214538 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 765\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + scriptarguments: + forwarding_email: + simple: ${Gmail.ForwardingAddress.forwardingEmail} + user_id: + simple: ${Gmail.ForwardingAddress.userId} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Deletes the specified forwarding address and revokes any verification + that may have been required. 
This method is only available to service account
+ clients that have been delegated domain-wide authority.
+ id: 3023b302-dc80-4e51-8b44-4489de9d410c
+ iscommand: true
+ name: Gmail - Remove forwarding mail address
+ script: '|||gmail-forwarding-address-remove'
+ type: regular
+ version: -1
+ taskid: 3023b302-dc80-4e51-8b44-4489de9d410c
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1880\n }\n}"
+ '26':
+ continueonerrortype: ''
+ id: '26'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '10'
+ - '49'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: f069e81d-7b35-45fc-864e-25e9051482ab
+ iscommand: false
+ name: Soft Response
+ type: title
+ version: -1
+ taskid: f069e81d-7b35-45fc-864e-25e9051482ab
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1400\n }\n}"
+ '27':
+ continueonerrortype: ''
+ id: '27'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '29'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 68992710-f44d-47dc-8ddb-82e8cea3339c
+ iscommand: false
+ name: Hard Response
+ type: title
+ version: -1
+ taskid: 68992710-f44d-47dc-8ddb-82e8cea3339c
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1400\n }\n}"
+ '29':
+ continueonerrortype: ''
+ form:
+ description: The investigation identified several suspicious indicators, suggesting
+ that the user who created the forwarding rule may have been compromised. The
+ forwarding email and associated filters have been automatically removed. Please
+ review and decide if any additional actions should be taken.
+ expired: false
+ questions:
+ - defaultrows: []
+ fieldassociated: ''
+ gridcolumns: []
+ id: '0'
+ label: ''
+ labelarg:
+ simple: "The following evidence was found: \n\n${Evidences}\n\nWould you\
+ \ like to suspend the account ${Core.OriginalAlert.raw_abioc.event.identity_name}\
+ \ using Google Workspace Admin?"
+ options: []
+ optionsarg:
+ - {}
+ - simple: 'Yes'
+ - simple: 'No '
+ placeholder: ''
+ readonly: false
+ required: false
+ tooltip: ''
+ type: singleSelect
+ sender: ''
+ title: Select user account containment steps
+ totalanswers: 0
+ id: '29'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ message:
+ bcc: null
+ body: null
+ cc: null
+ format: ''
+ methods: []
+ subject: null
+ timings:
+ completeafterreplies: 1
+ completeaftersla: false
+ completeafterv2: true
+ retriescount: 2
+ retriesinterval: 360
+ to: null
+ nexttasks:
+ '#none#':
+ - '33'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 10a29f38-0fc1-4df2-82bc-e7afb761788b
+ iscommand: false
+ name: Decide Whether to Suspend User Account
+ type: collection
+ version: -1
+ taskid: 10a29f38-0fc1-4df2-82bc-e7afb761788b
+ timertriggers: []
+ type: collection
+ view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1530\n }\n}"
+ '3':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualString
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ operator: isNotEmpty
+ right:
+ value: {}
+ - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: domain
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualString
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ operator: isNotEmpty
+ label: 'yes'
+ continueonerrortype: ''
+ id: '3'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '5'
+ 'yes':
+ - '48'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 4f9ab5b8-efb8-4999-873c-8390d318895c
+ iscommand: false
+ name: Check if forwarding email domain or IP is malicious
+ type: condition
+ version: -1
+ taskid: 4f9ab5b8-efb8-4999-873c-8390d318895c
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 450\n }\n}"
+ '30':
+ continueonerrortype: ''
+ id: '30'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '17'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ user_key:
+ simple: ${Core.OriginalAlert.raw_abioc.event.identity_name}
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Signs a user out of all web and device sessions and reset their
+ sign-in cookies.
+ id: 172b1869-9064-4a18-869e-a522b8602b9a
+ iscommand: true
+ name: Sign-Out user account from Google Workspace
+ script: '|||gsuite-user-signout'
+ type: regular
+ version: -1
+ taskid: 172b1869-9064-4a18-869e-a522b8602b9a
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 2240\n }\n}"
+ '31':
+ continueonerrortype: ''
+ id: '31'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '17'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ suspended:
+ simple: 'true'
+ user_key:
+ simple: ${Core.OriginalAlert.raw_abioc.event.identity_name}
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Updates a user.
+ id: 1b880cd2-e9af-4734-8364-ead4ccdb0a7b
+ iscommand: true
+ name: Suspend user in google workspace
+ script: '|||gsuite-user-update'
+ type: regular
+ version: -1
+ taskid: 1b880cd2-e9af-4734-8364-ead4ccdb0a7b
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1880\n }\n}"
+ '33':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Select user account containment steps.Answers.0
+ operator: containsGeneral
+ right:
+ value:
+ simple: 'yes'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '33'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '17'
+ 'yes':
+ - '31'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 2e040f98-61ea-4032-826c-66b48eece3d7
+ iscommand: false
+ name: Check analyst decision
+ type: condition
+ version: -1
+ taskid: 2e040f98-61ea-4032-826c-66b48eece3d7
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1690\n }\n}"
+ '34':
+ continueonerrortype: ''
+ id: '34'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '17'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 52b78c1f-6c70-4221-8440-d99cd5fa754c
+ iscommand: false
+ name: Early Containment Complete
+ type: title
+ version: -1
+ taskid: 52b78c1f-6c70-4221-8440-d99cd5fa754c
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 2270\n }\n}"
+ '37':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ root: Evidences
+ transformers:
+ - operator: count
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '1'
+ - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext:
true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: domain
+ - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualString
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ operator: isNotEmpty
+ label: 'yes'
+ continueonerrortype: ''
+ id: '37'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '17'
+ 'yes':
+ - '26'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: fdc9701c-599a-4494-8a76-9b500a2bf90e
+ iscommand: false
+ name: Check if suspicious evidence detected
+ type: condition
+ version: -1
+ taskid: fdc9701c-599a-4494-8a76-9b500a2bf90e
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1240\n }\n}"
+ '4':
+ continueonerrortype: ''
+ id: '4'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '37'
+ - '17'
+ - '46'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 65753a7c-d6c1-4592-8094-7a9efe197055
+ iscommand: false
+ name: Verdict
+ type: title
+ version: -1
+ taskid: 65753a7c-d6c1-4592-8094-7a9efe197055
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1100\n }\n}"
+ '40':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '40'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '44'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ append:
+ simple: 'true'
+ key:
+ simple: SuspiciousKeyWords
+ stringify:
+ simple: 'true'
+ value:
+ complex:
+ accessor: Criteria.query
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple:
Gmail.Filter.Action.forward
+ operator: containsGeneral
+ right:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.event.raw_log.events.parameters.value
+ root: Gmail.Filter
+ transformers:
+ - operator: StringifyArray
+ - args:
+ error_if_no_match: {}
+ ignore_case:
+ value:
+ simple: 'true'
+ multi_line: {}
+ period_matches_newline: {}
+ regex:
+ value:
+ simple: \b(accounting|agreement|bank|bic|capital call|cash|confidential|contribution|credentials|credit|deposit|dividend|docusign|finance|fund|iban|invoice|password|payment|payroll|purchase|sensitive|shares|ssn|statement|swift|tax|transfer|w2|wire|wiring
+ info|withdrawal)\b
+ unpack_matches: {}
+ operator: RegexExtractAll
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: cc0a92a6-27ec-43ee-852a-d6368282a74d
+ iscommand: false
+ name: Extract suspicious keywords from the forwarding rules
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: cc0a92a6-27ec-43ee-852a-d6368282a74d
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 765\n }\n}"
+ '43':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '43'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+
'#none#':
+ - '4'
+ note: true
+ quietmode: 0
+ scriptarguments:
+ append:
+ simple: 'true'
+ key:
+ simple: Evidences
+ stringify:
+ simple: 'true'
+ value:
+ complex:
+ accessor: '}'
+ root: ${
+ transformers:
+ - args:
+ condition:
+ value:
+ simple: lhs==rhs
+ conditionB: {}
+ conditionInBetween: {}
+ else: {}
+ equals: {}
+ lhs:
+ iscontext: true
+ value:
+ simple: IsAbnormalGeolocation.[0]
+ lhsB: {}
+ options: {}
+ optionsB: {}
+ rhs:
+ value:
+ simple: 'True'
+ rhsB: {}
+ then:
+ value:
+ simple: The user connected from an unusual geolocation.
+ operator: If-Then-Else
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: 9b154689-28ab-4f05-8ba4-e3cc23859851
+ iscommand: false
+ name: Set abnormal geolocation to evidence
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: 9b154689-28ab-4f05-8ba4-e3cc23859851
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 930\n }\n}"
+ '44':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '44'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '4'
+ note: true
+ quietmode: 0
+ scriptarguments:
+ append:
+ simple: 'true'
+ key:
+ simple: Evidences
+ value:
+ complex:
+ accessor: '}'
+ root: ${
+ transformers:
+ - args:
+ condition:
+ value:
+ simple: lhs!=rhs
+ conditionB: {}
+ conditionInBetween: {}
+ else: {}
+ equals: {}
+ lhs:
+ iscontext: true
+ value:
+ simple: SuspiciousKeyWords
+ lhsB: {}
+ options: {}
+ optionsB: {}
+ rhs: {}
+ rhsB: {}
+ then:
+ value:
+ simple: User has defined forwarding rule with querying for suspicious
+ words
+ operator: If-Then-Else
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: 47ef82fb-1c7d-4c4b-8f3b-40c46d3c5bac
+ iscommand: false
+ name: Set suspicious keywords to evidence
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: 47ef82fb-1c7d-4c4b-8f3b-40c46d3c5bac
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 930\n }\n}"
+ '45':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '45'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '4'
+ note: true
+ quietmode: 0
+ scriptarguments:
+ append:
+ simple: 'true'
+ key:
+ simple: Evidences
+ stringify:
+ simple: 'true'
+ value:
+ complex:
+ accessor: '}'
+ root: ${
+ transformers:
+ - args:
+ condition:
+ value:
+ simple: lhs==rhs
+ conditionB:
+ value:
+ simple:
lhsB==rhsB
+ conditionInBetween:
+ value:
+ simple: and
+ else: {}
+ equals: {}
+ lhs:
+ iscontext: true
+ value:
+ simple: IsOutOfWorkingHours
+ lhsB:
+ iscontext: true
+ value:
+ simple: alert.severity
+ options: {}
+ optionsB: {}
+ rhs:
+ value:
+ simple: 'true'
+ rhsB:
+ value:
+ simple: '3'
+ then:
+ value:
+ simple: User took action outside of working hours
+ operator: If-Then-Else
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: 80b45a10-5b09-4f0f-89af-c4aced6131cd
+ iscommand: false
+ name: Set abnormal working hours to evidence
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: 80b45a10-5b09-4f0f-89af-c4aced6131cd
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 930\n }\n}"
+ '46':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ root: Evidences
+ transformers:
+ - operator: count
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '2'
+ - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: domain
+ - ignorecase: true
+ left:
+
iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualString
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ operator: isNotEmpty
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: brand
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: modules.brand
+ operator: isEqualString
+ right:
+ value:
+ simple: GSuiteAdmin
+ - - left:
+ iscontext: true
+ value:
+ simple: modules.state
+ operator: isEqualString
+ right:
+ value:
+ simple: active
+ root: modules
+ operator: isNotEmpty
+ label: 'yes'
+ continueonerrortype: ''
+ id: '46'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '17'
+ 'yes':
+ - '27'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 652eb822-a99d-4d31-8777-3d912ffd8e29
+ iscommand: false
+ name: Check if multiple suspicious evidence detected
+ type: condition
+ version: -1
+ taskid: 652eb822-a99d-4d31-8777-3d912ffd8e29
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1240\n }\n}"
+ '47':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '47'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '17'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ htmlBody:
+ simple: "\n\n\n \n\n\n\
+ \n
\n

Dear <${Core.OriginalAlert.raw_abioc.event.identity_name}>,

\n\ + \ \n

As part of our ongoing security measures, we detected unusual\ + \ activity associated with your mailbox. A forwarding address and associated\ + \ rule were automatically removed from your account to protect your data\ + \ and ensure the security of our systems.

\n\n

If you did not set\ + \ up these rules, we recommend reviewing your recent activity and updating\ + \ your account password immediately. If you require assistance or further\ + \ information, please contact our security team.

\n\n

Thank you for\ + \ your understanding and cooperation.

\n
\n\n\n\n" + subject: + simple: Forwarding Rule and Address Removed from Your Mailbox + to: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + using: + simple: Built-in Mail Sender + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Sends an email. + id: 8f88c80e-c7e1-41f0-8f57-2e0b353172ca + iscommand: true + name: Send user notification via Email + script: '|||send-mail' + type: regular + version: -1 + taskid: 8f88c80e-c7e1-41f0-8f57-2e0b353172ca + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2240\n }\n}" + '48': + continueonerror: true + continueonerrortype: '' + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: true + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + stringify: + simple: 'true' + value: + simple: Known malicious indicators detected + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: f747c163-e58c-4da6-883b-a245234aed44
+ iscommand: false
+ name: Save known malicious indicators detected to evidences
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: f747c163-e58c-4da6-883b-a245234aed44
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 620\n }\n}"
+ '49':
+ continueonerrortype: ''
+ id: '49'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '50'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ user:
+ simple: ${Core.OriginalAlert.raw_abioc.event.identity_name}
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Retrieve a user's details given a user key.
+ id: 89920c84-f44d-45ce-8bc5-0577831df61f
+ iscommand: true
+ name: Get Google Workspace user account
+ script: '|||gsuite-user-get'
+ type: regular
+ version: -1
+ taskid: 89920c84-f44d-45ce-8bc5-0577831df61f
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 1880\n }\n}"
+ '5':
+ continueonerrortype: ''
+ id: '5'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '22'
+ - '40'
+ - '21'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 971290fa-daf4-4510-81d2-610dd2cb9751
+ iscommand: false
+ name: Investigation
+ type: title
+ version: -1
+ taskid: 971290fa-daf4-4510-81d2-610dd2cb9751
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 620\n }\n}"
+ '50':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ simple: GSuite.User.id
+ operator: isNotEmpty
+ right:
+ value: {}
+ label: 'yes'
+ continueonerrortype: ''
+ id: '50'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '17'
+ 'yes':
+ - '30'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 212fa2bf-f6ce-458e-846d-0536d50ed840
+ iscommand: false
+ name: Check if Google Workspace user account found
+ type: condition
+ version: -1
+ taskid: 212fa2bf-f6ce-458e-846d-0536d50ed840
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 2040\n }\n}"
+ '52':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: inputs.SendNotification
+ operator: isEqualString
+ right:
+ value:
+ simple: 'true'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '52'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '17'
+ 'yes':
+ - '47'
+ note: false
+
quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: d87cf812-ca8d-4017-85a4-aedb561018e7
+ iscommand: false
+ name: Check user notification requirement
+ type: condition
+ version: -1
+ taskid: d87cf812-ca8d-4017-85a4-aedb561018e7
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2040\n }\n}"
+ '6':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '6'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '5'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ user-id:
+ simple: ${Core.OriginalAlert.event.raw_log.actor.profileId}
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Lists all filters in a user's mailbox.
+ id: 59e8a285-2f0f-49c3-83c8-f7126a101b53
+ iscommand: true
+ name: Get filters for the specific forwarding address
+ script: '|||gmail-list-filters'
+ type: regular
+ version: -1
+ taskid: 59e8a285-2f0f-49c3-83c8-f7126a101b53
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 830,\n \"y\": 280\n }\n}"
+tests:
+- No tests (auto formatted)
+version: -1
+view: "{\n \"linkLabelsPosition\": {\n \"18_17_#default#\": 0.31,\n \"18_25_yes\"\
+ : 0.55,\n \"33_17_#default#\": 0.32,\n \"37_17_#default#\": 0.19,\n \"\
+ 3_5_#default#\": 0.37,\n \"46_17_#default#\": 0.19,\n \"50_17_#default#\"\
+ : 0.19,\n \"50_30_yes\": 0.76,\n \"52_17_#default#\": 0.5,\n \"52_47_yes\"\
+ : 0.81\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 2655,\n \
+ \ \"width\": 2090,\n \"x\": -580,\n \"y\": -20\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml
new file mode 100644
index 00000000000..b5c6d25c2c8
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml 
@@ -0,0 +1,616 @@
+description: "This playbook is designed to handle the following alerts:\n- A successful\
+ \ SSO sign-in from TOR\n- A successful SSO sign-in from TOR via a mobile device\n\
+ \nThe playbook executes the following stages:\n\nEarly Containment:\n- The playbooks\
+ \ will perform early containment actions by clearing\\revoking user sessions and\
+ \ enforcing re-authentication to terminate the connection from the Tor exit node\
+ \ and verify the user's identity. \nDepending on the alert source, the playbook\
+ \ will use either\nAzure Active Directory Users or Okta v2 integrations to clear\
+ \ the user sessions.\n\nInvestigation:\nDuring the alert investigation, the playbook\
+ \ will perform the following:\n- Checks the user's risk score.\n- Search for suspicious\
+ \ user agent usage within the alert.\n- Search for related XDR alerts using the\
+ \ following MITRE techniques to identify any malicious activity:\nT1566 - Phishing\
+ \ \nT1621 - Multi-Factor Authentication Request Generation\n T1110 - Brute Force\n\
+ \ T1556 - Modify Authentication Process\n\nRemediation:\n- Remediation actions will\
+ \ be taken if the user\u2019s risk score is high, a suspicious user agent is detected,\
+ \ or a related alert is found. In such cases, the playbook will disable the account.\n\
+ By default, account disabling requires analyst approval.\n\nRequires: \nFor any\
+ \ response action, you will need one of the following integrations: Azure Active\
+ \ Directory Users / Okta v2."
+fromversion: 8.9.0
+id: silent-A successful SSO sign-in from TOR Test
+inputSections:
+- description: Generic group for inputs
+ inputs: []
+ name: General (Inputs group)
+inputs: []
+issilent: true
+marketplaces:
+- marketplacev2
+name: silent-A successful SSO sign-in from TOR Test
+outputSections:
+- description: Generic group for outputs.
+ name: General (Outputs group)
+ outputs: []
+outputs: []
+starttaskid: '0'
+tags:
+- TA0011 - Command and Control
+- T1090 - Proxy
+- TA0001 - Initial Access
+- T1078 - Valid Accounts
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '29'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 48d3588d-43e5-4b43-8b35-48ca384bcb15
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: 48d3588d-43e5-4b43-8b35-48ca384bcb15
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -750\n }\n}"
+ '11':
+ continueonerrortype: ''
+ id: '11'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '38'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: ff3d375d-21d5-461d-89f1-3afa5ba7f00b
+ iscommand: false
+ name: Remediation
+ type: title
+ version: -1
+ taskid: ff3d375d-21d5-461d-89f1-3afa5ba7f00b
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 820\n }\n}"
+ '16':
+ continueonerrortype: ''
+ id: '16'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '27'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 8656afbe-1707-475f-8519-54e06e80f10a
+ iscommand: false
+ name: Early Containment
+ type: title
+ version: -1
+ taskid: 8656afbe-1707-475f-8519-54e06e80f10a
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -450\n }\n}"
+ '18':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '18'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '39'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ user_id:
+ complex:
+ accessor: username
+ root: alert
+ transformers:
+ - operator: uniq
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Retrieve the risk score of a specific user or list of users with
+ the highest risk score in the environment along with the reason affecting
+ each score.
+ id: 413c6747-9233-45db-864c-24c7e8cb1442
+ iscommand: true
+ name: Get User Risk Level
+ script: '|||core-list-risky-users'
+ type: regular
+ version: -1
+ taskid: 413c6747-9233-45db-864c-24c7e8cb1442
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -20\n }\n}"
+ '20':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ simple: foundIncidents.name
+ operator: isNotEmpty
+ right:
+ value: {}
+ label: 'yes'
+ continueonerrortype: ''
+ id: '20'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '22'
+ 'yes':
+ - '11'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Checks whether the number of related alerts found during the investigation
+ phase is greater than the 'RelatedAlertsThreshold' to determine if the activity
+ is malicious.
+ id: 87e8d6fa-ce8d-4b8b-80ae-5ab71367c73f
+ iscommand: false
+ name: Found related alerts requiring user disabling?
+ type: condition
+ version: -1
+ taskid: 87e8d6fa-ce8d-4b8b-80ae-5ab71367c73f
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 650\n }\n}"
+ '22':
+ continueonerrortype: ''
+ id: '22'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '34'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ closeReason:
+ simple: Resolved - Handled by the playbook "A successful SSO sign-in from
+ TOR"
+ id:
+ complex:
+ accessor: id
+ root: alert
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: Builtin
+ description: commands.local.cmd.close.inv
+ id: b3fc0a7d-b1ae-43a6-8867-87863d43a19d
+ iscommand: true
+ name: Close Alert
+ script: Builtin|||closeInvestigation
+ type: regular
+ version: -1
+ taskid: b3fc0a7d-b1ae-43a6-8867-87863d43a19d
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1120\n }\n}"
+ '24':
+ continueonerrortype: ''
+ id: '24'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '18'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: c787ef1f-6b33-43ec-8f2b-ef107513f04a
+ iscommand: false
+ name: Investigation
+ type: title
+ version: -1
+ taskid: c787ef1f-6b33-43ec-8f2b-ef107513f04a
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -155\n }\n}"
+ '27':
+ continueonerrortype: ''
+ id: '27'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ''
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '24'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ ClearUserSessions:
+ simple: 'True'
+ IAMUserDomain:
+ complex:
+ accessor: username
+ root: alert
+ transformers:
+ - args:
+ delimiter:
+ value:
+ simple: \
+ fields:
+ value:
+ simple: '1'
+ operator: Cut
+ Username:
+ complex:
+ accessor:
username + root: alert + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + iscontext: true + value: + simple: alert.username + equals: {} + lhs: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.auth_server + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: Azure + rhsB: {} + then: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.auth_identity + operator: If-Then-Else + - args: + delimiter: + value: + simple: \ + operator: split + - operator: LastArrayElement + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook clears the users'' sessions using the Okta integration. (Currently, + the playbook supports only Okta.)' + id: 4e0e3028-bb27-43bd-84b8-37ea809825b6 + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 4e0e3028-bb27-43bd-84b8-37ea809825b6 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -320\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + complex: + accessor: id + root: alert + transformers: + - operator: uniq + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 39e14077-fc34-4106-81a1-035728cbfcfc + iscommand: true + name: Get alert's extra data + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 39e14077-fc34-4106-81a1-035728cbfcfc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -615\n }\n}" + '31': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + - left: + iscontext: true + value: + simple: SuspiciousUserAgent + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '37' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate remediation actions based on the following: + + - User Risk Level + + - Suspicious User Agent ' + id: e5fd0cf2-e42d-4b66-8786-f2c339b80886 + iscommand: false + name: Is the user high-risk or is the user agent suspicious? 
+ type: condition + version: -1 + taskid: e5fd0cf2-e42d-4b66-8786-f2c339b80886 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3200a260-eb1d-4089-8bf7-6895ea662306 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3200a260-eb1d-4089-8bf7-6895ea662306 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1290\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1566* or mitreattcktechnique:*T1110* + or mitreattcktechnique:*T1621* or mitreattcktechnique:*T1556* + or name:"SSO with an offensive user agent") and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for suspicious alerts related to incident by\ + \ MITRE techniques that may indicate a compromised user.\nFocus on identifying\ + \ alerts associated with the following MITRE techniques:\n- T1566 - Phishing\ + \ \n- T1621 - Multi-Factor Authentication Request Generation\n- T1110 - Brute\ + \ Force\n- T1556 - Modify Authentication Process\n\nAnd the following alert:\n\ + - \"SSO with an offensive user agent\"\n\n\n\n\n\n" + id: 721a81cb-bb5a-4a3d-8775-c5a03b5e52b3 + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: 
regular + version: -1 + taskid: 721a81cb-bb5a-4a3d-8775-c5a03b5e52b3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 490\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + Tag: + simple: Bad Account + UserVerification: + simple: 'True' + Username: + simple: ${alert.username} + separatecontext: true + skipunavailable: false + task: + brand: '' + description: 'This playbook blocks malicious usernames using all integrations + that you have enabled. + + + Supported integrations for this playbook: + + * Active Directory + + * PAN-OS - This requires PAN-OS 9.1 or higher. + + * SailPoint + + * PingOne + + * AWS IAM + + * Clarizen IAM + + * Envoy IAM + + * ExceedLMS IAM + + * Okta + + * Microsoft Graph User (Azure Active Directory Users) + + * Google Workspace Admin + + * Slack IAM + + * ServiceNow IAM + + * Prisma Cloud IAM + + * Zoom IAM + + * Atlassian IAM + + * GitHub IAM.' 
+ id: 140c4681-a58a-421d-8d18-faf0e81b1313 + iscommand: false + name: Block Account - Generic v2 + playbookName: Block Account - Generic v2 + type: playbook + version: -1 + taskid: 140c4681-a58a-421d-8d18-faf0e81b1313 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 950\n }\n}" + '39': + continueonerror: true + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousUserAgent + data: + simple: ${Core.OriginalAlert.event.action_user_agent} + regex: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|REST)\b + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extracts regex data from the provided text. The script supports + groups and looping. + id: eb1d3c97-e1f0-409b-8c2e-fc00c0254b81 + iscommand: false + name: Extract suspicious user agent + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: eb1d3c97-e1f0-409b-8c2e-fc00c0254b81 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 150\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"20_11_yes\": 0.36,\n \"20_22_#default#\"\ + : 0.23,\n \"31_11_yes\": 0.3,\n \"31_37_#default#\": 0.62\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 2105,\n \"width\": 610,\n \ + \ \"x\": 450,\n \"y\": -750\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml new file mode 100644 index 00000000000..c0aa77c9fba --- /dev/null 
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml 
@@ -0,0 +1,1895 @@ +description: 'This playbook addresses the following alerts: + + + - A user executed suspicious LDAP enumeration queries + + + Playbook Stages: + + + Triage: + + + - Get additional event information about the LDAP searches executed by the user + + - Ensure that a single client IP exists in the alert + + - Get endpoint information for the client IP + + - Check preconditions for continuing investigation based on the number of suspicious + attributes, attack tool queries, and vulnerable certificate templates + + + + Investigation: + + + - Enrich the user that executed the queries + + - Check if the user was created recently + + - Search for additional discovery alerts in the incident + + - Check user groups and roles to determine if the user is unprivileged + + - Check user querying frequency to detect anomalies + + - Get host risk level + + - Search for recent malware alerts on client IP + + + Remediation: + + + - With analyst approval, disable the user in Active Directory if user-related anomalies + are found and the alert is a True Positive. + + - With analyst approval, isolate the endpoint if host-related anomalies are found + and the alert is a True Positive. + + - Logoff user from client host if an active session is detected and the alert is + a True Positive. + + + Requirements: + + + For any response action, you need the following integrations: + + + - Core - IR + + - Active Directory Query v2.' 
+fromversion: 8.9.0 +id: silent-A user executed multiple LDAP enumeration queries Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-A user executed multiple LDAP enumeration queries Test +outputs: [] +starttaskid: '0' +tags: +- T1087 - Account Discovery +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b3cdd99f-2cb2-48cf-82a2-83496b582087 + iscommand: false + name: '' + version: -1 + taskid: b3cdd99f-2cb2-48cf-82a2-83496b582087 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 30\n }\n}" + '10': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.agentid + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.client + operator: isNotEqualString + right: + value: + simple: 127.0.0.1 + label: Non-Server + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Non-Server: + - '11' + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Ensures that the client that executed the LDAP queries is not a + server or the domain controller. 
+ id: f1020a0f-6601-47cd-8617-10fb41f95280 + iscommand: false + name: Check client is not a server + type: condition + version: -1 + taskid: f1020a0f-6601-47cd-8617-10fb41f95280 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1330\n }\n}" + '11': + continueonerror: true + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + host_id: + complex: + accessor: endpoint_name + root: Core.Endpoint + transformers: + - operator: uniq + limit: + simple: '1' + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieves risk information for the client host. + id: d0f20db7-f43f-4f64-8517-f117cc5ce025 + iscommand: true + name: Get host risk level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: d0f20db7-f43f-4f64-8517-f117cc5ce025 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1500\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + - '22' + - '29' + - '3' + note: false + quietmode: 0 + scriptarguments: + attributes: + simple: whenCreated + user_name: + simple: ${UsernameWithoutPrefix} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This script gathers user data from multiple integrations and returns + an Account entity with consolidated information to the context. 
+ id: f26cce9f-ec35-472f-8ddc-820ac6c5ceae + iscommand: false + name: Enrich user + scriptName: get-user-data + type: regular + version: -1 + taskid: f26cce9f-ec35-472f-8ddc-820ac6c5ceae + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1320\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '49' + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: bf1f8757-6ccd-48fb-8deb-1949e097e4ac + iscommand: false + name: Remediation + type: title + version: -1 + taskid: bf1f8757-6ccd-48fb-8deb-1949e097e4ac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2240\n }\n}" + '14': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_search_filter_suspicious_attributes + operator: greaterThan + right: + value: + simple: '15' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_search_filter_attack_tool_queries_reliable_signature + operator: greaterThan + right: + value: + simple: '0' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_search_filter_vulnerable_certificate_template + operator: greaterThan + right: + value: + simple: '0' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.visited_to_returned_ratio + operator: lessThan + right: + value: + simple: '0.1' + label: 'yes' + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '50' + 'yes': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if investigation and remediation can be done based on 
pre-conditions + signifying high probability of a true positive alert and inherently malicious + behavior. + id: 0caeb27b-423f-45e3-8971-fa08e763f2d5 + iscommand: false + name: Check preconditions for continuing investigation + type: condition + version: -1 + taskid: 0caeb27b-423f-45e3-8971-fa08e763f2d5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 870\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b9b43bcd-a930-4a38-8459-1c1e985bd858 + iscommand: false + name: Skip / False Positive + type: title + version: -1 + taskid: b9b43bcd-a930-4a38-8459-1c1e985bd858 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 3090\n }\n}" + '17': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: MalwareAlertsOnHost + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: HostIsRisky + operator: isTrue + label: Remediate + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '42' + Remediate: + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether any host-related anomalies were found in the investigation + (the host is risky or malware alerts occurred on the host in the past 1 day). 
+ id: 8f70c85b-5ef3-4fee-8d9a-7ca33697047a + iscommand: false + name: Check host analysis results + type: condition + version: -1 + taskid: 8f70c85b-5ef3-4fee-8d9a-7ca33697047a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2560\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cbef50e1-da3d-48ca-8e11-ea9882cd7780 + iscommand: false + name: User Investigation + type: title + version: -1 + taskid: cbef50e1-da3d-48ca-8e11-ea9882cd7780 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1190\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5630dcc4-a789-44fd-8886-1c893f868719 + iscommand: false + name: Host Investigation + type: title + version: -1 + taskid: 5630dcc4-a789-44fd-8886-1c893f868719 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1190\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + - '57' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3b45073c-b0d9-4d5a-852c-df4e74dc0779 + iscommand: false + name: Triage + type: title + version: -1 + taskid: 3b45073c-b0d9-4d5a-852c-df4e74dc0779 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 180\n }\n}" + '20': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: 
Core.OriginalAlert.stateful_raw_data.actor_user_over_actor_user_ldap_query_count_distinct_search_filter_multiple_days_seen_count + operator: lessThan + right: + value: + simple: '20' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.actor_user_over_actor_user_ldap_query_count_distinct_search_filter_multiple_clients_multiple_days + operator: lessThan + right: + value: + simple: '5' + label: Anomaly + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user executes LDAP queries on a regular basis from + one or from multiple hosts, daily. + id: 778e431e-ce22-471f-87b3-94c1097cc9df + iscommand: false + name: Check user LDAP querying frequency + type: condition + version: -1 + taskid: 778e431e-ce22-471f-87b3-94c1097cc9df + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 1490\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserDoesNotRegularlyQuery + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating the user doesn't regularly execute + LDAP queries (from one or more hosts). 
+ id: 75c00eb7-57a6-479b-8116-e1b3036785ab + iscommand: false + name: Save result - User does not perform LDAP queries regularly + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 75c00eb7-57a6-479b-8116-e1b3036785ab + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 1690\n }\n}" + '22': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Account.whenCreated.Value + operator: isNotEmpty + right: + value: {} + label: Exists + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Exists: + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the date and time of when the user was created is available. + id: f147ff27-f084-40cc-82ee-7187f4b11f11 + iscommand: false + name: Check if user creation date exists + type: condition + version: -1 + taskid: f147ff27-f084-40cc-82ee-7187f4b11f11 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1490\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserCreationDateInEpoch + value: + complex: + accessor: Value + root: Account.whenCreated + transformers: + - operator: toUnix + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Converts the user creation date to epoch to find relative time + of creation. 
+ id: d2b6725d-73e9-468b-84d6-c59a4fd309af + iscommand: false + name: Convert user creation date to epoch + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d2b6725d-73e9-468b-84d6-c59a4fd309af + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1690\n }\n}" + '27': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: alert_generated_time + root: Core.OriginalAlert + transformers: + - args: + by: + iscontext: true + value: + simple: UserCreationDateInEpoch + operator: subtraction + operator: lessThanOrEqual + right: + value: + simple: '86400' + label: Anomaly + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user's creation date in AD happened 24 hours or less + since the time that this alert occurred. + id: 8082772d-1556-493e-89ce-9ced56fa975e + iscommand: false + name: Check if user was created recently + type: condition + version: -1 + taskid: 8082772d-1556-493e-89ce-9ced56fa975e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1850\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserCreatedLast24Hours + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating the user was created recently. 
+ id: 0c17e758-0700-4d96-8fb9-e9e4a4f32253 + iscommand: false + name: Save result - User does not perform LDAP queries regularly + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0c17e758-0700-4d96-8fb9-e9e4a4f32253 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 2040\n }\n}" + '29': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Domain Admins, + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Enterprise Admins + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Schema Admins + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Administrators + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Account Operators + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Backup Operators + root: Account.Groups.Value + operator: isEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.is_ldap_actor_user_service_account + operator: isFalse + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.is_ldap_actor_user_it_user + operator: isFalse + label: Anomaly + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '31' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: Checks if the user is part of built-in privileged Active Directory + groups. + id: 3b855ee6-8e16-4a2c-8567-185090bcd3ff + iscommand: false + name: Check user groups and roles + type: condition + version: -1 + taskid: 3b855ee6-8e16-4a2c-8567-185090bcd3ff + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 1490\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: DiscoveryAlertsInIncident= + fromdate: + simple: 1 days ago + ignore-outputs: + simple: 'true' + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and (mitreattcktechnique:*T1083* or mitreattcktechnique:*T1087* + or mitreattcktechnique:*T1615* or mitreattcktechnique:*T1016*) + and -id:' + operator: concat + - args: + prefix: {} + suffix: + iscontext: true + value: + simple: alert.id + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for additional alerts in the incident that may further + indicate user attempts to enumerate Active Directory. 
+ id: 2b12deed-65f6-4e1d-8b5e-175f07cb4c84 + iscommand: false + name: Search for additional discovery alerts in the incident + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 2b12deed-65f6-4e1d-8b5e-175f07cb4c84 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1040,\n \"y\": 1490\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserIsUnprivileged + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating the user does not belong to default + privileged AD groups. + id: 4132aec2-37d9-44ce-84b0-7ca2ceb5e7d7 + iscommand: false + name: Save result - user is unprivileged + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 4132aec2-37d9-44ce-84b0-7ca2ceb5e7d7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 1690\n }\n}" + '35': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost.risk_level + operator: isNotEmpty + right: + value: {} + label: Anomaly + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '37' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the client host's risk level is high. 
+ id: 8549af3b-58bb-4216-86b8-545001f9562b + iscommand: false + name: Check host risk level + type: condition + version: -1 + taskid: 8549af3b-58bb-4216-86b8-545001f9562b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1670\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: HostIsRisky + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating that the client host's risk level + is high. + id: 69f4f4c5-9123-4058-8230-f35cc881ca48 + iscommand: false + name: Save risk result + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 69f4f4c5-9123-4058-8230-f35cc881ca48 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1870\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + command_type: + simple: powershell + commands: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: UsernameWithoutPrefix + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + value: + simple: Active + root: Core.ScriptResult.results.command_output + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?<=\bconsole\s+)\d+ + unpack_matches: {} + operator: RegexExtractAll + - args: + prefix: + value: + simple: 'logoff ' + suffix: {} + operator: concat + endpoint_ids: + simple: 
${Core.Endpoint.endpoint_id} + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Logs off the user by using the logoff command for the active user + session''s ID. + + Note: the regex relies on the fact that interactively logged in users will + have an active "console" session in Windows machines.' + id: 164debc9-a89b-403d-8566-3fd31c1185ba + iscommand: true + name: Logoff user from client host + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 164debc9-a89b-403d-8566-3fd31c1185ba + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1260,\n \"y\": 3075\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.agentid + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.os_type + operator: isEqualString + right: + value: + simple: AGENT_OS_WINDOWS + root: Core.Endpoint + transformers: + - operator: uniq + suppress_disconnected_endpoint_error: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the client host machine where the LDAP queries were executed. 
+ id: c2828931-1af9-4e07-8701-bf60232a986a + iscommand: true + name: Isolate the endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: c2828931-1af9-4e07-8701-bf60232a986a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2890\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns detailed information about the LDAP searches executed by + the user. + id: 397aa0fb-bbfe-403b-807b-e1815c8e2bea + iscommand: true + name: Get additional event information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 397aa0fb-bbfe-403b-807b-e1815c8e2bea + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - Isolate + - Do not isolate + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + Do not isolate: + - '42' + Isolate: + - '39' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Review the following findings and decide whether the host should + be isolated: + + + ${Core.Endpoint.endpoint_name} + + + Below are the findings of the investigation: + + + --- + + + #### Malware Alerts on Host: + + `${.=val.MalwareAlertsOnHost && val.MalwareAlertsOnHost.length > 0 ? 
"True" + : "False"}` + + + --- + + + #### Host is Risky: + + `${.=val.HostIsRisky ? "True" : "False"}` + + ' + id: 66791eda-dabf-4492-88bd-6841c95509eb + iscommand: false + name: Manual - decide whether to isolate the endpoint + type: condition + version: -1 + taskid: 66791eda-dabf-4492-88bd-6841c95509eb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2725\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - Disable + - Do not disable + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + Disable: + - '43' + Do not disable: + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Review the following findings and decide whether you want to disable + the user. + + + Username: ${UsernameWithoutPrefix} + + + + Below are the findings of the investigation: + + + --- + + + #### User Created Recently: + + `${.=val.UserCreatedLast24Hours ? "True" : "False"}` + + + --- + + + #### Related Discovery Alerts: + + `${.=val.DiscoveryAlertsInIncident && Object.keys(val.DiscoveryAlertsInIncident).length + > 0 ? "True" : "False"}` + + + --- + + + #### User is Unprivileged: + + `${.=val.UserIsUnprivileged ? "True" : "False"}` + + + --- + + + #### User Rarely Executes Queries: + + `${.=val.UserDoesNotRegularlyQuery ? 
"True" : "False"}` + + ' + id: e95328f6-94c8-443b-84a0-0118c0aa0a6a + iscommand: false + name: Manual - decide whether to disable the user + type: condition + version: -1 + taskid: e95328f6-94c8-443b-84a0-0118c0aa0a6a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2725\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Closes the current alert. + id: 5c2a3c2d-4e31-497b-8511-e0a84c97a96a + iscommand: true + name: Close the alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 5c2a3c2d-4e31-497b-8511-e0a84c97a96a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 470,\n \"y\": 3250\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${UsernameWithoutPrefix} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disables the user that executed the LDAP enumeration queries in + Active Directory. 
+ id: 8f55e219-35b2-459e-854f-cacc017c3c06 + iscommand: true + name: Disable user in AD + script: '|||ad-disable-account' + type: regular + version: -1 + taskid: 8f55e219-35b2-459e-854f-cacc017c3c06 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2890\n }\n}" + '44': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.agentid + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.os_type + operator: isEqualString + right: + value: + simple: AGENT_OS_WINDOWS + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: Non-Server + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '51' + Non-Server: + - '17' + - '53' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Ensures that the client is not a server, not the domain controller, + and runs the Windows operating system (required for automatic remediation). 
+ id: e64d505f-b741-489d-8513-9b68a04129f1 + iscommand: false + name: Check that client OS is Windows and client role is not Server + type: condition + version: -1 + taskid: e64d505f-b741-489d-8513-9b68a04129f1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2390\n }\n}" + '49': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: UserCreatedLast24Hours + operator: isTrue + right: + value: {} + - left: + iscontext: true + value: + simple: UserDoesNotRegularlyQuery + operator: isTrue + - left: + iscontext: true + value: + simple: UserIsUnprivileged + operator: isTrue + - left: + iscontext: true + value: + simple: DiscoveryAlertsInIncident + operator: isNotEmpty + label: Remediate + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '42' + Remediate: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether any user-related anomalies were found in the investigation. 
+ id: 904e0927-8a4d-4289-8031-e7efbb6c5c30 + iscommand: false + name: Check user analysis results + type: condition + version: -1 + taskid: 904e0927-8a4d-4289-8031-e7efbb6c5c30 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2390\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: MalwareAlertsOnHost= + fromdate: + simple: 1 days ago + ignore-outputs: + simple: 'true' + query: + complex: + accessor: client + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: 'hostip:' + suffix: + value: + simple: ' and categoryname:Malware' + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for alerts that happened in the past day with Malware + category where the host IP is the client IP of the current alert. 
+ id: 2967545d-ba7a-4934-89fc-84f4a41ff124 + iscommand: false + name: Search for recent malware alerts on client IP + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 2967545d-ba7a-4934-89fc-84f4a41ff124 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1870\n }\n}" + '50': + continueonerrortype: '' + id: '50' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fb134545-e8fb-432f-8194-8a901d99a119 + iscommand: false + name: Insufficient evidence for remediation + type: title + version: -1 + taskid: fb134545-e8fb-432f-8194-8a901d99a119 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1900\n }\n}" + '51': + continueonerrortype: '' + id: '51' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "The following host is a domain controller, a server, or not a\ + \ Windows machine. This means automatic remediation cannot be executed. \n\ + \nPlease review the information below and manually remediate the alert.\n\ + Endpoint name: ${Core.Endpoint.endpoint_name}\n\nFindings of the investigation:\n\ + \n---\n\n#### Malware Alerts on Host:\n`${.=val.MalwareAlertsOnHost && val.MalwareAlertsOnHost.length\ + \ > 0 ? \"True\" : \"False\"}`\n\n---\n\n#### Host is Risky:\n`${.=val.HostIsRisky\ + \ ? 
\"True\" : \"False\"}`\n" + id: 12287b3f-c14f-46d2-8873-42a4283f7c3d + iscommand: false + name: Manually remediate server / DC / non-Windows machine + type: regular + version: -1 + taskid: 12287b3f-c14f-46d2-8873-42a4283f7c3d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 470,\n \"y\": 2560\n }\n}" + '53': + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '54' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: quser ${UsernameWithoutPrefix} + endpoint_ids: + simple: ${Core.Endpoint.endpoint_id} + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiates code execution on the client host to check if the user + is currently logged in to the host. + id: 2ad19e3a-59ad-43a6-8e87-3221a3e9fcc7 + iscommand: true + name: Check if user is logged in + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 2ad19e3a-59ad-43a6-8e87-3221a3e9fcc7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 2560\n }\n}" + '54': + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '55' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves results from the "quser" command for the user - which + can be used to tell if the user is currently logged in. 
+ id: f369276b-2db7-4648-8fed-32516d14d725 + iscommand: true + name: Get log in check result + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: f369276b-2db7-4648-8fed-32516d14d725 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 2725\n }\n}" + '55': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: UsernameWithoutPrefix + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + value: + simple: Active + root: Core.ScriptResult.results.command_output + operator: isNotEmpty + right: + value: {} + label: Active + continueonerrortype: '' + id: '55' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + Active: + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the execution results show that there is currently an + active session for the user - which means the user is currently logged in. 
+ id: e53a7044-64ba-47db-8470-d9d23b475850 + iscommand: false + name: Check for active session of the user + type: condition + version: -1 + taskid: e53a7044-64ba-47db-8470-d9d23b475850 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 2890\n }\n}" + '57': + continueonerrortype: '' + id: '57' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsernameWithoutPrefix + value: + complex: + accessor: username + root: alert + transformers: + - operator: LastArrayElement + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?<=\\)[^\\]+$ + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the username without the domain prefix. + id: 699a3c31-10f1-431d-8287-6e5d296cd319 + iscommand: false + name: Save username without domain prefix + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 699a3c31-10f1-431d-8287-6e5d296cd319 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 880,\n \"y\": 320\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6effa91d-38e0-4dfb-8a92-df531a3d6b4e + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6effa91d-38e0-4dfb-8a92-df531a3d6b4e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1050\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: client + root: Core.OriginalAlert.event + transformers: + - args: + error_if_no_match: {} + 
ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: \. + unpack_matches: {} + operator: RegexExtractAll + - operator: count + operator: isEqualString + right: + value: + simple: '3' + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.client + operator: isNotEqualString + right: + value: + simple: 127.0.0.1 + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Ensures that the alert contains only 1 client IP. LDAP enumeration + query alerts containing multiple IPs are not supported by the playbook. + id: a685af16-c239-4712-81ff-00dbcca78bca + iscommand: false + name: Ensure that a single client IP exists + type: condition + version: -1 + taskid: a685af16-c239-4712-81ff-00dbcca78bca + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 485\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + ip_list: + complex: + accessor: client + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the endpoint name, agent ID and more information about + the IP used by the client in which the LDAP queries were executed. 
+ id: 1095fda1-e8e9-4711-8634-165e8ba8345d + iscommand: true + name: Get endpoint information for the client IP + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 1095fda1-e8e9-4711-8634-165e8ba8345d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 680\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_13_#default#\": 0.2,\n \"10_5_Non-Server\"\ + : 0.36,\n \"14_50_#default#\": 0.15,\n \"14_6_yes\": 0.49,\n \"17_40_Remediate\"\ + : 0.56,\n \"17_42_#default#\": 0.14,\n \"20_13_#default#\": 0.2,\n \"20_21_Anomaly\"\ + : 0.67,\n \"22_13_#default#\": 0.26,\n \"22_24_Exists\": 0.45,\n \"27_13_#default#\"\ + : 0.4,\n \"27_28_Anomaly\": 0.52,\n \"29_13_#default#\": 0.1,\n \"29_31_Anomaly\"\ + : 0.68,\n \"35_13_#default#\": 0.32,\n \"40_39_Isolate\": 0.53,\n \"40_42_Do\ + \ not isolate\": 0.27,\n \"41_42_Do not disable\": 0.36,\n \"41_43_Disable\"\ + : 0.59,\n \"49_41_Remediate\": 0.55,\n \"49_42_#default#\": 0.15,\n \"\ + 55_16_#default#\": 0.19,\n \"8_9_yes\": 0.41\n },\n \"paper\": {\n \"dimensions\"\ + : {\n \"height\": 3315,\n \"width\": 3090,\n \"x\": -1040,\n \ + \ \"y\": 30\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml new file mode 100644 index 00000000000..3a77652b119 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml 
@@ -0,0 +1,1407 @@ +description: 'This playbook handles "AppleScript Process Executed With Rare Command + Line" alerts. + + + Playbook Stages: + + + Investigation: + + During the alert investigation, the playbook will perform the following: + + + - Searches for XSIAM prevention alerts with the same causality process ID. + + - Checks if the causality|actor image has bad reputation or is not signed. + + - Checks if malicious|suspicious patterns found in the command line. + + - Searches for XSIAM insights alerts indicating a suspicious activity. + + + + Remediation: + + + - Automatically terminate the causality process. + + - Quarantine the causality|actor image (requires analyst approval). + + - Automatically Close the alert.' +fromversion: 8.9.0 +id: silent-AppleScript Process Executed With Rare Command Line Test +inputs: [] +issilent: true +name: silent-AppleScript Process Executed With Rare Command Line Test +outputs: [] +starttaskid: '0' +tags: +- T1059 - Command and Scripting Interpreter +- TA0002 - Execution +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + - '2' + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 96b3467b-22f7-49f9-854b-4db18875a216 + iscommand: false + name: '' + version: -1 + taskid: 96b3467b-22f7-49f9-854b-4db18875a216 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 40\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Approved: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '**Approval Required: Suspicious Activity Detection** + + + The investigation does not meet the thresholds for a definitive malicious + verdict. 
It falls into a suspicious category based on the following conditions: + + + **Matched Verdicts:** + + * Insights alerts indicating a suspicious activity found for the same agent + ID. + + * Medium-confidence patterns indicating a suspicious activity found in the + command line. + + + **Unmatched Verdicts:** + + * No prevention rule found for the same process ID. + + * No High-confidence patterns matches. + + * Causality and actor process images signature and reputation. + + + Analyst approval is required to proceed with further remediation.' + id: 6e8e4f36-db87-4688-8b5a-5d4f54a8c809 + iscommand: false + name: 'Approval Required: Suspicious Activity Detected' + type: condition + version: -1 + taskid: 6e8e4f36-db87-4688-8b5a-5d4f54a8c809 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 1580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1b0568f2-929c-4dd5-807c-cd47f4352ecb + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 1b0568f2-929c-4dd5-807c-cd47f4352ecb + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1780\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved, confirmed as a False Positive + closeReason: + simple: Resolved - Handled by the playbook "AppleScript Process Executed With + Rare Command Line" as False Positive + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 0994341d-bfbd-40ac-81d3-39bc702d5050 + iscommand: true + name: Close the 
Alert as False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 0994341d-bfbd-40ac-81d3-39bc702d5050 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1765\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: aa718280-de78-4665-850d-baa2cf62a48b + iscommand: false + name: Terminate Process + type: title + version: -1 + taskid: aa718280-de78-4665-850d-baa2cf62a48b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1920\n }\n}" + '14': + continueonerror: true + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available from Cortex + XSIAM 2.4. + id: 793cc8a3-8328-4262-89cd-079e187751cb + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 793cc8a3-8328-4262-89cd-079e187751cb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2060\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: A malicious activity of an AppleScript Process Executed With a Rare + Command Line was identified and remediated. 
+ closeReason: + simple: Resolved - Handled by the playbook "AppleScript Process Executed With + Rare Command Line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: 4318ccac-8f25-4e2f-89fd-db65f27eed83 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4318ccac-8f25-4e2f-89fd-db65f27eed83 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3950\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ae1771df-b9da-49ce-83ee-fd1e479f4e2d + iscommand: false + name: Quarantine file + type: title + version: -1 + taskid: ae1771df-b9da-49ce-83ee-fd1e479f4e2d + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2800\n }\n}" + '18': + continueonerror: true + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + file_hash: + simple: ${fileToQuarantine.sha256} + file_path: + simple: ${fileToQuarantine.path} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. 
+ id: c17a5312-b5cf-4b26-84eb-8c1a721c8f9d + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: c17a5312-b5cf-4b26-84eb-8c1a721c8f9d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2930\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Dear Analyst, + + Should perform quarantine on the suspected file? + + ${fileToQuarantine.path}' + cc: null + format: '' + methods: [] + replyOptions: + - Quarantine + - Don't Quarantine + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + Don't Quarantine: + - '22' + Quarantine: + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval for quarantine the initiator file. + id: 197835c5-10a3-4a1c-876f-753da8e45112 + iscommand: false + name: Analyst approval for quarantine the file + type: condition + version: -1 + taskid: 197835c5-10a3-4a1c-876f-753da8e45112 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 3270\n }\n}" + '2': + continueonerror: true + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 24 hours ago + query: + simple: agentid:${alert.agentid} + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex XSIAM alerts. A summarized version of this scrips + is available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + + For Cortex XSOAR Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 54fc54f0-02d2-489a-87e2-b8eb888d1d45 + iscommand: false + name: Retrieve all alerts for the agent ID + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 54fc54f0-02d2-489a-87e2-b8eb888d1d45 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 870,\n \"y\": 180\n }\n}" + '20': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.quarantineFiles.status.status + operator: isEqualString + right: + value: + simple: 'true' + label: 'Yes' + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '19' + 'Yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + status. + id: 8d5f2618-1b50-453e-86bc-a685df65cad6 + iscommand: false + name: Was the file already quarantined? 
+ type: condition + version: -1 + taskid: 8d5f2618-1b50-453e-86bc-a685df65cad6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 3095\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook was unable to quarantine the suspected file due to the following + possible reasons: + + + - The file was not found or no longer exists on the local host. + + - The endpoint is currently disconnected. + + + Please take manual action to terminate the causality process if needed and + quarantine the file. + + ${fileToQuarantine.path}' + id: 8bc6262d-0b2e-4efe-843e-a3fa0219ac88 + iscommand: false + name: "Manual action needed \u2013 The file couldn't be quarantined" + type: regular + version: -1 + taskid: 8bc6262d-0b2e-4efe-843e-a3fa0219ac88 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -420,\n \"y\": 3640\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8b6abfb1-5cdb-4610-8984-2096d60c453c + iscommand: false + name: Quarantine file - Done + type: title + version: -1 + taskid: 8b6abfb1-5cdb-4610-8984-2096d60c453c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 3810\n }\n}" + '23': + continueonerror: true + continueonerrortype: errorPath + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '21' + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: 
${fileToQuarantine.sha256} + file_path: + simple: ${fileToQuarantine.path} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Quarantines a file on selected endpoints. + id: 8bfa2daf-8f92-4b36-86ab-d5aca7289056 + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: 8bfa2daf-8f92-4b36-86ab-d5aca7289056 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 3460\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ccc94600-7dae-4b57-810a-78235a30902b + iscommand: false + name: Done + type: title + version: -1 + taskid: ccc94600-7dae-4b57-810a-78235a30902b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1935\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e5bba677-0576-4269-8aa2-4261f39f1f07 + iscommand: false + name: Done + type: title + version: -1 + taskid: e5bba677-0576-4269-8aa2-4261f39f1f07 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 4120\n }\n}" + '26': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + 
simple: alert.initiatorsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cgosha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: containsGeneral + right: + value: + simple: 'false' + label: 'Yes' + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + 'Yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the verdict is malicious/unsigned+not prevalent was matched; + if so, a quarantine approval will be prompt. + id: e30c2f55-4e28-41bd-8d51-55979a512d75 + iscommand: false + name: Should quarantine the malicious/unsigned file? 
+ type: condition + version: -1 + taskid: e30c2f55-4e28-41bd-8d51-55979a512d75 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2230\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cgosha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + label: CGO + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + CGO: + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Clearly identify the exact file causing concern. + id: 9d42c881-fdc3-401c-8e1f-b102a17de188 + iscommand: false + name: check which file is malicious/unsigned + type: condition + version: -1 + taskid: 9d42c881-fdc3-401c-8e1f-b102a17de188 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2410\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + keys: + simple: sha256, path + parent: + simple: fileToQuarantine + values: + simple: ${alert.initiatorsha256}, ${alert.initiatorpath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set multiple keys/values to the context. 
+ id: dc5b6061-54c0-438e-8abe-92693f2a1cdc + iscommand: false + name: Set actor image for quarantine + scriptName: SetMultipleValues + type: regular + version: -1 + taskid: dc5b6061-54c0-438e-8abe-92693f2a1cdc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 2630\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 914ee865-e0e8-49e2-8aa8-2fdde662ded1 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 914ee865-e0e8-49e2-8aa8-2fdde662ded1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 360\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + keys: + simple: sha256, path + parent: + simple: fileToQuarantine + values: + simple: ${alert.cgosha256}, ${alert.cgopath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set multiple keys/values to the context. 
+ id: 20a50139-428e-4edf-8391-8509df0e7e11 + iscommand: false + name: Set causality image for quarantine + scriptName: SetMultipleValues + type: regular + version: -1 + taskid: 20a50139-428e-4edf-8391-8509df0e7e11 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2630\n }\n}" + '31': + continueonerror: true + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + sha256: + complex: + accessor: cgosha256 + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.initiatorsha256 + operator: append + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a file, identified by SHA256. + id: 4bf441b3-1834-4a7f-82dd-280b369469f8 + iscommand: true + name: Get the prevalence of the causality and actor processes + script: '|||core-get-hash-analytics-prevalence' + type: regular + version: -1 + taskid: 4bf441b3-1834-4a7f-82dd-280b369469f8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 180\n }\n}" + '32': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + label: Malicious + continueonerrortype: '' + id: '32' + 
ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality or actor process is malicious. + id: 3dcdc9d4-b47d-45d7-8861-d85f24643a4e + iscommand: false + name: Is the causality or actor process malicious? + type: condition + version: -1 + taskid: 3dcdc9d4-b47d-45d7-8861-d85f24643a4e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 830\n }\n}" + '4': + continueonerror: true + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + file: + complex: + accessor: cgosha256 + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.initiatorsha256 + operator: append + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the file reputation of the specified hash. 
+ id: d66bb77c-00b8-4780-82d0-1dd3b0ac5991 + iscommand: true + name: Get the reputation of the causality and actor processes + script: '|||file' + type: regular + version: -1 + taskid: d66bb77c-00b8-4780-82d0-1dd3b0ac5991 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 30,\n \"y\": 180\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: cid + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: isEqualString + right: + value: + simple: BLOCKED + root: foundIncidents.CustomFields + transformers: + - operator: FirstArrayElement + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: cid + root: alert + transformers: + - operator: FirstArrayElement + label: Malicious + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determine if a prevention rule is triggered for the same causality + ID (an identifier linking a chain of events or processes). + id: 4fac2339-3584-4626-8ec6-9171c7e72097 + iscommand: false + name: Prevention rule with the same causality ID? 
+ type: condition + version: -1 + taskid: 4fac2339-3584-4626-8ec6-9171c7e72097 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 490\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatorsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.process_name + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cgoname + root: Core.AnalyticsPrevalence.Process + operator: containsGeneral + right: + value: + simple: 'false' + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.process_name + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.osparentname + root: Core.AnalyticsPrevalence.Process + operator: containsGeneral + right: + value: + simple: 'false' + label: Malicious + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '32' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality or actor process is unsigned and not prevalent. + id: 2cd75c00-6cae-42f3-82c3-9c2d50fc2a67 + iscommand: false + name: Is the causality or actor process unsigned and not prevalent? 
+ type: condition + version: -1 + taskid: 2cd75c00-6cae-42f3-82c3-9c2d50fc2a67 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 660\n }\n}" + '7': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Insights.Contents.data.name + operator: isNotEmpty + label: Suspicious + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Suspicious: + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Checks if any of the following Insight alerts are present for + agentid:${alert.agentid}: + + + - Rare process accessed a Keychain file + + - A process connected to a rare external host + + - AppleScript executed a shell script + + - Netcat shell via named pipe + + - Sudoers discovery + + - Shell History Access + + - Unusual process accessed web browser cookies + + - Unusual process accessed a web browser history file + + + If one or more of these alerts are detected, proceed with the required remediation.' + id: 0c2c3e68-9530-4ade-8748-4be6db12df2e + iscommand: false + name: Insight alerts indicating a malicious usage? 
+ type: condition + version: -1 + taskid: 0c2c3e68-9530-4ade-8748-4be6db12df2e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1340\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: Insights= + fromdate: + simple: 3 hours ago + ignore-outputs: + simple: 'true' + includeinformational: + simple: 'true' + query: + simple: "agentid:${alert.agentid} AND (name:\"Rare process accessed a Keychain\ + \ file\" OR \nname:\"A process connected to a rare external host\" OR \n\ + name:\"AppleScript executed a shell script\" OR \nname:\"Netcat shell via\ + \ named pipe\" OR \nname:\"Sudoers discovery\" OR \nname:\"Shell History\ + \ Access\" OR \nname:\"Unusual process accessed web browser cookies\" OR\ + \ \nname:\"Unusual process accessed a web browser history file\")" + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex XSIAM alerts. A summarized version of this script + is available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + + For Cortex XSOAR Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 579c3360-a41e-4206-870e-45bc391a2cc4 + iscommand: false + name: Retrieve insights alerts for the agent ID + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 579c3360-a41e-4206-870e-45bc391a2cc4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1180\n }\n}" + '9': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": \"'telegram' in #{alert.targetprocesscmd.[0]}\ + \ and 'walletDesk' in #{alert.targetprocesscmd.[0]}\",\n\ + \ \"return\": \"Malicious\"\n },\n {\n \"condition\"\ + : \"'to set visible' in #{alert.targetprocesscmd.[0]} and\ + \ 'false' in #{alert.targetprocesscmd.[0]}\",\n \"return\"\ + : \"Malicious\"\n },\n {\n \"condition\": \"'display\ + \ dialog' in #{alert.targetprocesscmd.[0]} or 'curl -' in\ + \ #{alert.targetprocesscmd.[0]}\",\n \"return\": \"Malicious\"\ + \n },\n {\n \"default\": \"None\"\n }\n]" + flags: + value: + simple: case_insensitive + operator: If-Elif + operator: isEqualString + right: + value: + simple: Malicious + label: Malicious + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": 
\"'hidden answer' in #{alert.targetprocesscmd.[0]}\"\ + ,\n \"return\": \"Suspicious\"\n },\n {\n \"condition\"\ + : \"'chflags hidden' in #{alert.targetprocesscmd.[0]}\"\ + ,\n \"return\": \"Suspicious\"\n },\n {\n \"condition\"\ + : \"'curl -' in #{alert.targetprocesscmd.[0]}\",\n \"\ + return\": \"Suspicious\"\n },\n {\n \"default\": \"\ + None\"\n }\n]" + flags: + value: + simple: case_insensitive + operator: If-Elif + operator: isEqualString + right: + value: + simple: Suspicious + label: Suspicious + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + Malicious: + - '11' + Suspicious: + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Identify if there are any known IOCs (Indicators of Compromise) + or suspicious behaviors. + id: de15924d-c9ea-437a-8ae6-fefcaa0e3eed + iscommand: false + name: Malicious or Suspicious patterns detected? + type: condition + version: -1 + taskid: de15924d-c9ea-437a-8ae6-fefcaa0e3eed + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 1000\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_Approved\": 0.21,\n \"10_12_#default#\"\ + : 0.39,\n \"19_22_Don't Quarantine\": 0.35,\n \"19_23_Quarantine\": 0.61,\n\ + \ \"26_16_#default#\": 0.1,\n \"27_29_#default#\": 0.8,\n \"27_30_CGO\"\ + : 0.63,\n \"32_11_Malicious\": 0.4,\n \"32_9_#default#\": 0.65,\n \"5_11_Malicious\"\ + : 0.1,\n \"5_6_#default#\": 0.64,\n \"6_11_Malicious\": 0.18,\n \"6_32_#default#\"\ + : 0.65,\n \"7_10_Suspicious\": 0.55,\n \"7_12_#default#\": 0.37,\n \"9_10_Suspicious\"\ + : 0.49,\n \"9_11_Malicious\": 0.6,\n \"9_8_#default#\": 0.65\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 4145,\n \"width\": 2270,\n \ + \ \"x\": -420,\n \"y\": 40\n }\n }\n}" 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
new file mode 100644
index 00000000000..3f2cbb7d8b7
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
@@ -0,0 +1,1423 @@
+description: "**This playbook addresses the following alert**:\n- Azure AD account\
+ \ unlock/successful password reset\n\n**Playbook Stages**:\n\n**Triage**:\n- Gather\
+ \ initial information about the user.\n\n**Investigation**:\n- **Check IP Reputation**:\n\
+ \ - Analyze the reputation of the IP address related to the alert.\n- **Check for\
+ \ Azure Alerts**:\n - Extract recent Azure security alerts for the user.\n- **Check\
+ \ if User is Risky**:\n - Assess the risk score of the user based on Core and Azure\
+ \ risk indicators.\n - Investigate reasons behind any identified risks, including\
+ \ recent detections.\n\n**Containment**:\n- Check if feature sum is greater than\
+ \ 2 (Possible features:new user agent/new asn/new country). If yes, continue to\
+ \ revoke user's active sessions to ensure immediate containment.\nIf no, continue\
+ \ to check investigation findings.\n- Provide a manual task for an analyst to review\
+ \ the findings and decide the next steps.\n- Possible actions:\n - Disable the\
+ \ target user.\n - Disable the resource user.\n - Disable both users.\n - Take\
+ \ no action.\n\n**Requirements**:\nFor the best results, it's recommended to ensure\
+ \ these integrations are configured and working:\n- `Cortex Core - Investigation\
+ \ and Response` for Core user risk evaluation.\n- `Azure Risky Users` for retrieving\
+ \ user risk scores.\n- `Microsoft 365 Defender` for advanced hunting queries and\
+ \ Azure security alerts.\n- `Microsoft Graph User` for disabling accounts and revoking\
+ \ sessions."
+fromversion: 8.9.0 +id: silent-Azure AD account unlock or password reset Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Azure AD account unlock or password reset Test +outputs: [] +starttaskid: '0' +tags: +- T1078 - Valid Accounts +- TA0003 - Persistence +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5e4b610f-ffdb-423f-8fe1-c54b8ada2e68 + iscommand: false + name: '' + version: -1 + taskid: 5e4b610f-ffdb-423f-8fe1-c54b8ada2e68 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 190\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ce1b1b8f-0d0f-4983-84d4-c071ecfc0ee5 + iscommand: false + name: Enrich IP + type: title + version: -1 + taskid: ce1b1b8f-0d0f-4983-84d4-c071ecfc0ee5 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 480\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a7b912f5-66c7-4190-8639-55d1d2860720 + iscommand: false + name: Done + type: title + version: -1 + taskid: a7b912f5-66c7-4190-8639-55d1d2860720 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 3400\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + - '20' + - '37' + note: 
false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c870efe1-6e26-4239-8283-bd8907b6edd3 + iscommand: false + name: Investigtion + type: title + version: -1 + taskid: c870efe1-6e26-4239-8283-bd8907b6edd3 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 970\n }\n}" + '13': + continueonerror: true + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + updated_after: + simple: 1 day + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: bff3bca0-fccb-41e1-8947-57c8dc132d8f + iscommand: true + name: Get Azure user risk score + script: '|||azure-risky-users-list' + type: regular + version: -1 + taskid: bff3bca0-fccb-41e1-8947-57c8dc132d8f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1260\n }\n}" + '14': + continueonerror: true + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + query: + simple: let _start = now(-1d); AlertEvidence | where Timestamp >= _start | + where AccountUpn == "${Core.OriginalAlert.raw_abioc.event.identity_invoked_by_name}" + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Advanced hunting is a threat-hunting tool that uses specially + constructed queries to examine the past 30 days of event data in Microsoft + 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.' 
+ id: 9031985a-2a22-409b-8121-ad55fcb546c5 + iscommand: true + name: 'Get Azure user alerts ' + script: '|||microsoft-365-defender-advanced-hunting' + type: regular + version: -1 + taskid: 9031985a-2a22-409b-8121-ad55fcb546c5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1260\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: "(name:\"Suspicious authentication method addition to Azure account\"\ + \ or name:\"Suspicious Azure AD Administrator Role assignment\u05F4 or name:\u05F4\ + Abnormal sign-in followed by suspicious activity in Azure AD\") and caller_ip=${alert.hostip}" + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Demisto alerts. A summarized version of this script is + available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Permission-Management' + id: 4a1449ce-823c-4225-8208-8002607aadf5 + iscommand: false + name: Get source IP related alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 4a1449ce-823c-4225-8208-8002607aadf5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 1260\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '39' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + id: 7f0ec57c-0d61-4b37-8086-2f71a31beb9a + iscommand: true + name: Get core risky user + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 7f0ec57c-0d61-4b37-8086-2f71a31beb9a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2160,\n \"y\": 1590\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: RiskyUserReason + value: + complex: + accessor: description + root: Core.RiskyUser.reasons + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 10eb3e27-4068-4ee5-8d18-08db15710e1d + iscommand: false + name: Extract user risk reasons + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 10eb3e27-4068-4ee5-8d18-08db15710e1d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2160,\n \"y\": 1910\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d12fe789-b844-48ed-8097-78aa7af90a55 + iscommand: false + name: Check if user is risky + type: title + version: -1 + taskid: d12fe789-b844-48ed-8097-78aa7af90a55 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1120\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 3bc71303-5ccd-4f2f-8761-aeeb4671c954 + iscommand: true + name: Get event information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 3bc71303-5ccd-4f2f-8761-aeeb4671c954 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 320\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d8ce9808-3363-48c1-86b5-7b5ca9c883fe + iscommand: false + name: Check for related alerts + type: title + version: -1 + taskid: d8ce9808-3363-48c1-86b5-7b5ca9c883fe + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 1120\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3e571631-0c12-4a50-87a0-4edb5a5988e1 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 3e571631-0c12-4a50-87a0-4edb5a5988e1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2080\n }\n}" + '22': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + root: AzureRiskyUsers.RiskyUser.userPrincipalName + transformers: + - operator: uniq + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.event.identity_orig.user + transformers: + - operator: 
uniq + label: 'yes' + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + 'yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5704aa11-540c-495a-8af9-108025d7a5fe + iscommand: false + name: Check user azure risk score + type: condition + version: -1 + taskid: 5704aa11-540c-495a-8af9-108025d7a5fe + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1420\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: AzureSecurityAlerts + value: + complex: + accessor: Title + root: Microsoft365Defender.Hunt.results + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6.x see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: ed4dabc2-05b3-4032-8034-bd5376d17f9f + iscommand: false + name: Extract Azure user alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: ed4dabc2-05b3-4032-8034-bd5376d17f9f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1420\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + detected_date_time_after: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a comma-separated list of the Risk Detection objects and + their properties. 
+ id: 56edf542-2170-4215-8659-844df93992e1 + iscommand: true + name: Get user risky detection list + script: '|||azure-risky-users-risk-detections-list' + type: regular + version: -1 + taskid: 56edf542-2170-4215-8659-844df93992e1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1750,\n \"y\": 1750\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyAzureDetections + value: + complex: + accessor: riskEventType + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + - - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: atRisk + - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskDetection + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6.x see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: fa26a407-b086-48c3-8eb5-7d306d91c7fe + iscommand: false + name: Extract Azure user detections + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: fa26a407-b086-48c3-8eb5-7d306d91c7fe + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1750,\n \"y\": 1910\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: c1105dd3-87ba-458e-8d93-d1a8e60f2c6d + iscommand: false + name: Get timestamp for Azure detections + scriptName: GetTime + type: regular + version: -1 + taskid: c1105dd3-87ba-458e-8d93-d1a8e60f2c6d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1750,\n \"y\": 1590\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: '[0]' + root: alert.hostip + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. + id: 969fb1db-b3df-4a51-8489-b1060bebf3fe + iscommand: true + name: Check source IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 969fb1db-b3df-4a51-8489-b1060bebf3fe + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 620\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.event.raw_log.properties.targetResources + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: a6ee8fab-96cd-402e-8270-a64f974ab311 + iscommand: true + name: Disable target user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: a6ee8fab-96cd-402e-8270-a64f974ab311 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 3065\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: CallerIpAlerts + value: + complex: + accessor: name + root: foundIncidents + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 88ee5b7e-f3e5-4ed3-84ee-46196dbc2c14 + iscommand: false + name: Extract source ip related alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 88ee5b7e-f3e5-4ed3-84ee-46196dbc2c14 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 1420\n }\n}" + '33': + continueonerrortype: '' + form: + description: Analyst review. 
+ expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### Resource User: + + `${Core.OriginalAlert.raw_abioc.event.identity_orig.user.userPrincipalName}` + + + #### Target User: + + `${Core.OriginalAlert.event.raw_log.properties.targetResources.userPrincipalName}` + + + --- + + + ### Malicious Indicators Found: + + - **Malicious IP**: `${.=val.MaliciousIP || "None"}` + + - **Malicious User Agent**: `${.=val.SuspiciousUserAgent || "None"}` + + + --- + + + ### User Risk Analysis: + + - **User is risky (Core)**: `${.=val.UserRiskyCoreReason ? "Yes, Reason: + " + val.UserRiskyCoreReason : "N/A"}` + + - **User is risky (Azure)**: `${.=val.UserRiskyAzureDetections ? "Yes, + Risk Types: " + val.UserRiskyAzureDetections : "N/A"}` + + + --- + + + ### User Azure Security Alerts: + + - **Alerts from last day**: `${.=val.AzureSecurityAlerts || "N/A"}` + + + --- + + + ### Caller IP Related Alerts + + - `${.=val.CallerIpAlerts || "N/A"}` + + + --- + + + ### Action Required: + + Please choose the action you want to perform.' 
+ options: [] + optionsarg: + - simple: No Action + - simple: Disable resource user + - simple: Disable target user + - simple: Disable both + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Analyst Action + totalanswers: 0 + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 824395c1-ba17-412d-862a-2e55fdea816a + iscommand: false + name: Manual Task - Disable user account decision + type: collection + version: -1 + taskid: 824395c1-ba17-412d-862a-2e55fdea816a + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1060,\n \"y\": 2730\n }\n}" + '34': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CoreRiskyUser + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: UserRiskyAzureDetections + operator: isNotEmpty + - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + - left: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.features_sum + operator: greaterThanOrEqual + right: + value: + simple: '2' + - left: + iscontext: true + value: + simple: MaliciousIP + operator: isNotEmpty + - left: + iscontext: true + value: + simple: SuspiciousUserAgent + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '41' + 'yes': + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + 
description: '' + id: 9507bf6e-0bea-4883-80e1-695e5b21b167 + iscommand: false + name: Evaluate conditions for soft remediation + type: condition + version: -1 + taskid: 9507bf6e-0bea-4883-80e1-695e5b21b167 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2210\n }\n}" + '35': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable resource user + label: Disable resource user + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable target user + label: Disable target user + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable both + label: Disable both + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable both: + - '36' + Disable resource user: + - '8' + Disable target user: + - '31' + No Action: + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8716fa1c-18b7-4d93-8e5f-16ab80309eb4 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 8716fa1c-18b7-4d93-8e5f-16ab80309eb4 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1060,\n \"y\": 2890\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + 
user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.raw_abioc.event.identity_orig.user + transformers: + - args: + item: + iscontext: true + value: + simple: ${Core.OriginalAlert.event.raw_log.properties.targetResources.userPrincipalName} + operator: append + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: 1af19eea-5223-4d7f-8852-d18e51a9c561 + iscommand: true + name: Disable both users + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 1af19eea-5223-4d7f-8852-d18e51a9c561 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2060,\n \"y\": 3065\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 47d4e985-1c95-4977-8508-87920395aa14 + iscommand: false + name: Check User Agent + type: title + version: -1 + taskid: 47d4e985-1c95-4977-8508-87920395aa14 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1120\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIP + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - ignorecase: true + left: + iscontext: true + value: + simple: 
DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 3bcedb8d-530d-48fd-87dc-bda42c0f67c8 + iscommand: false + name: Get source IP reputation results + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 3bcedb8d-530d-48fd-87dc-bda42c0f67c8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 785\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + scriptarguments: + key: + simple: CoreRiskyUser + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyUser + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: e6c72ffe-f542-4967-8e36-0a601dae93fc + iscommand: false + name: Extract user risk score + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: e6c72ffe-f542-4967-8e36-0a601dae93fc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2160,\n \"y\": 1750\n }\n}" + '4': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.user_agent_data + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + 'yes': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9a066c5-a971-4c93-8339-89f10881daf2 + iscommand: false + name: Check user agent + type: condition + version: -1 + taskid: e9a066c5-a971-4c93-8339-89f10881daf2 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1260\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.raw_abioc.event.identity_orig.user + transformers: + - 
operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session- Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: f0ec862f-1615-4c5a-80c2-c5b55cc983a0 + iscommand: true + name: Revoke user session + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: f0ec862f-1615-4c5a-80c2-c5b55cc983a0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1060,\n \"y\": 2390\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CoreRiskyUser + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: UserRiskyAzureDetections + operator: isNotEmpty + - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e61bd954-7afa-4a37-8b15-ef9959339128 + iscommand: false + name: Evaluate conditions for hard remediation + type: condition + version: -1 + taskid: e61bd954-7afa-4a37-8b15-ef9959339128 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2560\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousUserAgent + data: + simple: ${Core.OriginalAlert.event.user_agent_data} + regex: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|REST)\b + separatecontext: 
false + skipunavailable: false + task: + brand: '' + description: Extracts regex data from the provided text. The script support + groups and looping. + id: 8b56f37b-d3ad-46fd-8a71-21e6dfc498ec + iscommand: false + name: Extract suspicious user agent + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: 8b56f37b-d3ad-46fd-8a71-21e6dfc498ec + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1450\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.raw_abioc.event.identity_orig.user + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: c752a467-d872-4669-87e9-689bbef4e94f + iscommand: true + name: Disable source user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: c752a467-d872-4669-87e9-689bbef4e94f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1660,\n \"y\": 3065\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: ac620832-65be-484c-822b-56339cdfbddb + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: ac620832-65be-484c-822b-56339cdfbddb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 3235\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"22_21_#default#\": 0.1,\n \"22_27_yes\"\ + : 0.5,\n \"34_40_yes\": 0.54,\n \"34_41_#default#\": 0.49,\n \"35_31_Disable\ + \ target user\": 0.62,\n \"35_8_Disable resource user\": 0.67,\n \"35_9_No\ + \ Action\": 0.45,\n \"41_33_yes\": 0.56,\n \"4_21_#default#\": 0.13,\n \ + \ \"4_5_yes\": 0.44\n },\n \"paper\": {\n \"dimensions\": {\n \"height\"\ + : 3275,\n \"width\": 2500,\n \"x\": 40,\n \"y\": 190\n }\n }\n\ + }" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml new file mode 100644 index 00000000000..85ebddb73aa --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml 
@@ -0,0 +1,1468 @@ +description: "This playbook addresses the following alerts:\n\n- User rejected numerous\ + \ SSO MFA attempts\n- Multiple SSO MFA attempts were rejected by a user with suspicious\ + \ characteristics\n\nPlaybook Stages:\n\nTriage:\n- The playbook checks the IP address\ + \ reputation associated with the MFA attempts and gathers related login events.\n\ + \nEarly Containment:\n- If the IP address is identified as malicious, the playbook\ + \ blocks the IP. The investigation continues in parallel to this phase.\n\nInvestigation:\n\ + - The playbook performs an in-depth analysis, including:\n - Assessing the user's\ + \ risk score to identify potentially compromised accounts.\n - Checking for an\ + \ unusually high number of invalid credential attempts, which may indicate brute-force\ + \ or credential-stuffing activity.\n - Verifying whether Okta logs indicate a malicious\ + \ source IP based on Okta's threat intelligence.\n - Reviewing whether there have\ + \ been an excessive number of MFA rejections from the user, suggesting potentially\ + \ compromised behavior.\n - Looking for abnormal user agent patterns that may indicate\ + \ suspicious or compromised access methods.\n - Investigating previous failed Okta\ + \ login attempts within a specified timeframe to identify patterns.\n\nContainment:\n\ + - If suspicious activity is confirmed, the playbook initiates the following containment\ + \ actions:\n - Clears the user's active sessions and expires their password to\ + \ prevent further unauthorized access.\n - If a successful login attempt was also\ + \ detected, the playbook prompts a manual task for an analyst to review and decide\ + \ on further action.\n\nRequirements:\nFor any response actions, the following integration\ + \ is required:\n- Okta v2\n\nFor early containment actions, the following integration\ + \ is required:\n- Palo Alto Networks PAN-OS." 
+fromversion: 8.9.0 +id: silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test +outputs: [] +starttaskid: '0' +tags: +- T1586 - Compromise Accounts +- T1621 - Multi-Factor Authentication Request Generation +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d10d3ef6-73ad-4cde-89a4-c883b892ca51 + iscommand: false + name: '' + version: -1 + taskid: d10d3ef6-73ad-4cde-89a4-c883b892ca51 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 70\n }\n}" + '1': + continueonerror: true + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + ip: + simple: ${alert.localip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Enriches the external source IP of the attack to check if it's + known as malicious. Skips on errors for cases where the IP address or the + !ip command is empty. 
+ id: ebae547a-1c7b-4418-870a-cd2eb588d8dd + iscommand: true + name: Check source IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: ebae547a-1c7b-4418-870a-cd2eb588d8dd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 205\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 4c4ce503-367d-4e7c-8811-8eca2f8ab7d2 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4c4ce503-367d-4e7c-8811-8eca2f8ab7d2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${UserEmail} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Expires a password for an existing Okta user. + id: c16c6ff7-ff53-48f4-8386-cba54af59585 + iscommand: true + name: Expire Okta User's Password + script: '|||okta-expire-password' + type: regular + version: -1 + taskid: c16c6ff7-ff53-48f4-8386-cba54af59585 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2350\n }\n}" + '12': + continueonerrortype: '' + form: + description: Please choose whether to suspend the user in Okta. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Do you want to suspend the user ${Core.OriginalAlert.raw_abioc.event.auth_normalized_user.upn} + in Okta? 
+ options: [] + optionsarg: + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Okta - Suspend User + totalanswers: 0 + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a0f06b2f-1df9-4279-88c7-5673237c230c + iscommand: false + name: Manual task - Suspend user in Okta + type: collection + version: -1 + taskid: a0f06b2f-1df9-4279-88c7-5673237c230c + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2860\n }\n}" + '13': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Okta - suspend user.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: 'yes' + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 69610310-90da-47b4-8cd3-8953b92c587c + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 69610310-90da-47b4-8cd3-8953b92c587c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3030\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${UserEmail} + 
separatecontext: false + skipunavailable: true + task: + brand: '' + description: Suspends a single user. This operation can only be performed on + users with an ACTIVE status. After the porcess is completed, the user's status + is SUSPENDED. + id: 3c2da8e6-9226-445a-8514-1fe75124f8b5 + iscommand: true + name: Suspend user in Okta + script: '|||okta-suspend-user' + type: regular + version: -1 + taskid: 3c2da8e6-9226-445a-8514-1fe75124f8b5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3235\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserEmail + value: + complex: + accessor: upn + root: Core.OriginalAlert.raw_abioc.event.auth_normalized_user + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Save the user email from the alert data to a dedicated context + field. 
+ id: 61d2d4db-f2aa-480a-8523-37fb0f3ddc42
+ iscommand: false
+ name: Get user email
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: 61d2d4db-f2aa-480a-8523-37fb0f3ddc42
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1010\n }\n}"
+ '16':
+ continueonerrortype: ''
+ id: '16'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '5'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 124fea52-e5cd-428a-8655-73b748af6b5f
+ iscommand: false
+ name: Remediation
+ type: title
+ version: -1
+ taskid: 124fea52-e5cd-428a-8655-73b748af6b5f
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2040\n }\n}"
+ '17':
+ continueonerrortype: ''
+ id: '17'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '12'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: af1e2643-4eb2-4bbe-8e2c-01f9e146a5fc
+ iscommand: false
+ name: Successful Login Remediation
+ type: title
+ version: -1
+ taskid: af1e2643-4eb2-4bbe-8e2c-01f9e146a5fc
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2720\n }\n}"
+ '18':
+ continueonerrortype: ''
+ id: '18'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: c63271a9-b73b-4266-8f6b-f02fc553887f
+ iscommand: false
+ name: Done
+ type: title
+ version: -1
+ taskid: c63271a9-b73b-4266-8f6b-f02fc553887f
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3740\n }\n}"
+ '19':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: OktaSSODebugLogs.risk
+ operator: containsString
+ right:
+ value:
+ simple: reasons=Anomalous
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: OktaSSODebugLogs.risk
+ operator: containsString
+ right:
+ value:
+ simple: ', Anomalous'
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: OktaSSODebugLogs.risk
+ operator: containsString
+ right:
+ value:
+ simple: level=HIGH
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: OktaSSODebugLogs.behaviors
+ operator: containsString
+ right:
+ value:
+ simple: New Geo-Location=POSITIVE, New Device=POSITIVE, New
+ IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE,
+ New City=POSITIVE
+ root: OktaSSODebugLogs
+ operator: isNotEmpty
+ right:
+ value: {}
+ - - left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.stateful_raw_data.count_distinct_action_country
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '3'
+ - left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.stateful_raw_data.count_distinct_action_country_is_rare_for_tenant
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '1'
+ - left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.stateful_raw_data.count_distinct_action_country_first_seen
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '1'
+ label: REMEDIATION
+ continueonerrortype: ''
+ id: '19'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '28'
+ REMEDIATION:
+ - '16'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: This task analyzes Okta SSO debug logs for suspicious activity.
+ It checks for anomalous behavior, high-risk levels, and unusual geographic
+ patterns in user actions. The task evaluates various risk indicators including
+ new locations, devices, IPs, and velocity anomalies. It also considers the
+ diversity and rarity of countries involved in user actions. Based on these
+ checks, the playbook determines whether to proceed with remediation or continue
+ to the Close Alert section.
+ id: 3e76261c-0241-4a6c-8547-012e233cb46f
+ iscommand: false
+ name: Check Okta logs for suspicious activity
+ type: condition
+ version: -1
+ taskid: 3e76261c-0241-4a6c-8547-012e233cb46f
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": -550,\n \"y\": 1530\n }\n}"
+ '2':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: greaterThan
+ right:
+ value:
+ simple: '2'
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Indicator
+ operator: inList
+ right:
+ iscontext: true
+ value:
+ simple: alert.localip
+ - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Indicator
+ operator: isEqualString
+ right:
+ value:
+ simple: alert.localip
+ root: DBotScore
+ operator: isNotEmpty
+ right:
+ value: {}
+ label: 'Yes'
+ continueonerrortype: ''
+ id: '2'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '24'
+ 'Yes':
+ - '3'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Checks if the external Source IP is malicious (DBotScore above
+ 2).
+ id: 3aaad26e-4ec4-414c-8235-0b497e728fe1
+ iscommand: false
+ name: Is the IP malicious?
+ type: condition
+ version: -1
+ taskid: 3aaad26e-4ec4-414c-8235-0b497e728fe1
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 365\n }\n}"
+ '20':
+ continueonerrortype: ''
+ id: '20'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '19'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: b36615c3-c917-44e9-8a7c-2685027ae22e
+ iscommand: false
+ name: Check Okta Debug Logs
+ type: title
+ version: -1
+ taskid: b36615c3-c917-44e9-8a7c-2685027ae22e
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": -550,\n \"y\": 1380\n }\n}"
+ '21':
+ continueonerrortype: ''
+ id: '21'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '22'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: d2fb6b1c-8f4a-4b8d-8c52-c3a3ad837882
+ iscommand: false
+ name: Check Alert Data
+ type: title
+ version: -1
+ taskid: d2fb6b1c-8f4a-4b8d-8c52-c3a3ad837882
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": -50,\n \"y\": 1380\n }\n}"
+ '22':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert._all_events.auth_outcome_reason
+ operator: isEqualString
+ right:
+ value:
+ simple: INVALID_CREDENTIALS
+ root: Core.OriginalAlert._all_events.auth_outcome_reason
+ transformers:
+ - operator: count
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '6'
+ - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: OktaSSODebugLogs.threatSuspected
+ operator: isEqualString
+ right:
+ value:
+ simple: 'true'
+ root: OktaSSODebugLogs.threatSuspected
+ transformers:
+ - operator: uniq
+ operator: isNotEmpty
+ - left:
+ iscontext: true
+ value:
+ simple: OktaSSODebugLogs.count_distinct_story_id_okta_push_denied
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '5'
+ label: REMEDIATION
+ continueonerrortype: ''
+ id: '22'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '28'
+ REMEDIATION:
+ - '16'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: This task evaluates potential security threats by examining multiple
+ factors. It checks for at least 6 instances of invalid credentials, verifies
+ if Okta's threat intelligence has flagged a potentially malicious IP involved
+ in the authentication attempt, and confirms if there have been 5 or more distinct
+ Okta push denials. If these conditions are met, the task initiates remediation
+ steps; if not, it proceeds to the Close Alert section.
+ id: 58388125-14c9-46c6-8197-72d32fd0c7e8
+ iscommand: false
+ name: Verify High-Risk Alert with Rare Country Indicators
+ type: condition
+ version: -1
+ taskid: 58388125-14c9-46c6-8197-72d32fd0c7e8
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": -50,\n \"y\": 1530\n }\n}"
+ '23':
+ continueonerrortype: ''
+ id: '23'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '25'
+ - '20'
+ - '21'
+ - '29'
+ - '31'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ key:
+ simple: OktaSSODebugLogs
+ value:
+ complex:
+ accessor: sso_debug_data
+ root: Core.OriginalAlert._all_events
+ transformers:
+ - operator: ParseJSON
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Set a value in context under the key you entered. If no value
+ is entered, the script doesn''t do anything.
+
+
+ This automation runs using the default Limited User role, unless you explicitly
+ change the permissions.
+
+ For more information, see the section about permissions here:
+
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script'
+ id: bad58157-c03d-446f-88fb-cfcc80a77ce1
+ iscommand: false
+ name: Parse Okta SSO logs
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: bad58157-c03d-446f-88fb-cfcc80a77ce1
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1180\n }\n}"
+ '24':
+ continueonerrortype: ''
+ id: '24'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '6'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 687e79e6-ced4-4d10-853e-eda14fe423e3
+ iscommand: false
+ name: Get Additional Data
+ type: title
+ version: -1
+ taskid: 687e79e6-ced4-4d10-853e-eda14fe423e3
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 550\n }\n}"
+ '25':
+ continueonerrortype: ''
+ id: '25'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '26'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: d3b97b69-ddaa-4b3e-82b2-4a209166a1a9
+ iscommand: false
+ name: Check If User Is Risky
+ type: title
+ version: -1
+ taskid: d3b97b69-ddaa-4b3e-82b2-4a209166a1a9
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1380\n }\n}"
+ '26':
+ continueonerrortype: ''
+ id: '26'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '27'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ user_id:
+ complex:
+ accessor: username
+ root: alert
+ transformers:
+ - operator: uniq
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Retrieve the risk score of a specific user or list of users with
+ the highest risk score in the environment along with the reason affecting
+ each score.
+ id: 93676905-092b-4cf1-8567-9054e8d61ae6
+ iscommand: true
+ name: Get user risk score
+ script: '|||core-list-risky-users'
+ type: regular
+ version: -1
+ taskid: 93676905-092b-4cf1-8567-9054e8d61ae6
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1530\n }\n}"
+ '27':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Core.RiskyUser.risk_level
+ operator: isEqualString
+ right:
+ value:
+ simple: HIGH
+ label: REMEDIATION
+ continueonerrortype: ''
+ id: '27'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '28'
+ REMEDIATION:
+ - '16'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: This task evaluates if the user's risk level is HIGH. If so, it
+ initiates remediation steps; otherwise, it moves to the Close Alert section.
+ id: 070055d5-534b-4a27-817e-d752df2c4b8f
+ iscommand: false
+ name: Check risk score
+ type: condition
+ version: -1
+ taskid: 070055d5-534b-4a27-817e-d752df2c4b8f
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1690\n }\n}"
+ '28':
+ continueonerrortype: ''
+ id: '28'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '9'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: b5496eec-b661-4293-8e28-7164fd57e403
+ iscommand: false
+ name: Close Alert
+ type: title
+ version: -1
+ taskid: b5496eec-b661-4293-8e28-7164fd57e403
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 2040\n }\n}"
+ '29':
+ continueonerrortype: ''
+ id: '29'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '33'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 2410733b-4efd-46fd-858a-b3e7ed9d1445
+ iscommand: false
+ name: Check Previous Okta Failed Logins
+ type: title
+ version: -1
+ taskid: 2410733b-4efd-46fd-858a-b3e7ed9d1445
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1380\n }\n}"
+ '3':
+ continueonerrortype: ''
+ id: '3'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '37'
+ - '6'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 06e82d3f-2b4a-4f6d-84d1-12fc60d876bf
+ iscommand: false
+ name: Early Containment
+ type: title
+ version: -1
+ taskid: 06e82d3f-2b4a-4f6d-84d1-12fc60d876bf
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 550\n }\n}"
+ '31':
+ continueonerrortype: ''
+ id: '31'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '32'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 06fb7cdb-405c-4516-8b2d-dd4458431aa2
+ iscommand: false
+ name: Check for Suspicious User-Agent
+ type: title
+ version: -1
+ taskid: 06fb7cdb-405c-4516-8b2d-dd4458431aa2
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1380\n }\n}"
+ '32':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert._all_events.action_user_agent
+ operator: match
+ right:
+ value:
+ simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|python-requests|node-fetch|PostmanRuntime|GuzzleHttp)\b
+ root: Core.OriginalAlert._all_events.action_user_agent
+ operator: isNotEmpty
+ right:
+ value: {}
+ - - left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.stateful_raw_data.count_distinct_user_agent_first_seen_for_user
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '1'
+ label: REMEDIATION
+ continueonerrortype: ''
+ id: '32'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '28'
+ REMEDIATION:
+ - '16'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: This task examines the user agent strings in the alert for known
+ suspicious patterns. It checks for specific tools often used in automated
+ attacks or scraping. Additionally, it verifies if there's at least one new
+ user agent for this user. If both conditions are met, it triggers remediation;
+ otherwise, it proceeds to close the alert.
+ id: c107279a-f23a-45dc-82ce-e016897d6700
+ iscommand: false
+ name: Check for a suspicious user agent
+ type: condition
+ version: -1
+ taskid: c107279a-f23a-45dc-82ce-e016897d6700
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1510\n }\n}"
+ '33':
+ continueonerrortype: ''
+ id: '33'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '34'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ hoursAgo:
+ simple: '12'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Retrieves the current date and time.
+
+ '
+ id: 2a72a190-9db8-4eac-8e77-8b1fd7cdf58d
+ iscommand: false
+ name: Retrieve timestamp for 12 hours window
+ scriptName: GetTime
+ type: regular
+ version: -1
+ taskid: 2a72a190-9db8-4eac-8e77-8b1fd7cdf58d
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1510\n }\n}"
+ '34':
+ continueonerrortype: ''
+ id: '34'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '35'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ since:
+ complex:
+ root: TimeNow
+ transformers:
+ - args:
+ variation:
+ value:
+ simple: in 0 hours
+ operator: ModifyDateTime
+ until:
+ complex:
+ root: TimeNow
+ transformers:
+ - args:
+ variation:
+ value:
+ simple: in 12 hours
+ operator: ModifyDateTime
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Returns failed login events.
+ id: a6a9262d-e3d6-4b7c-8290-97576811107b
+ iscommand: true
+ name: Get Okta failed logins
+ script: '|||okta-get-failed-logins'
+ type: regular
+ version: -1
+ taskid: a6a9262d-e3d6-4b7c-8290-97576811107b
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1670\n }\n}"
+ '35':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: Okta.Logs.Events.actor.alternateId
+ operator: isEqualString
+ right:
+ iscontext: true
+ value:
+ simple: UserEmail
+ root: Okta.Logs.Events.actor.alternateId
+ transformers:
+ - operator: count
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '5'
+ label: REMEDIATION
+ continueonerrortype: ''
+ id: '35'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '28'
+ REMEDIATION:
+ - '16'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: This task checks Okta logs for 5 or more failed login attempts
+ by the user within the past 12 hours. If threshold is met, it triggers remediation;
+ otherwise, it closes the alert.
+ id: 7d8c70a2-fbc0-4339-8477-de6d9aaed8b6
+ iscommand: false
+ name: Check for 5 failed logins
+ type: condition
+ version: -1
+ taskid: 7d8c70a2-fbc0-4339-8477-de6d9aaed8b6
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1830\n }\n}"
+ '37':
+ continueonerrortype: ''
+ id: '37'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '4'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ key:
+ simple: MaliciousIPs
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualString
+ right:
+ value:
+ simple: '3'
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Indicator
+ operator: inList
+ right:
+ iscontext: true
+ value:
+ simple: alert.localip
+ - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Indicator
+ operator: isEqualString
+ right:
+ value:
+ simple: alert.localip
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ root: DBotScore
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Set a value in context under the key you entered. If no value
+ is entered, the script doesn''t do anything.
+
+
+ This automation runs using the default Limited User role, unless you explicitly
+ change the permissions.
+
+ For more information, see the section about permissions here:
+
+ https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script'
+ id: 3ee60af9-d489-41ae-8c0a-bbbd3654982a
+ iscommand: false
+ name: Save malicious IPs to be blocked
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: 3ee60af9-d489-41ae-8c0a-bbbd3654982a
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 690\n }\n}"
+ '4':
+ continueonerrortype: ''
+ id: '4'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ''
+ forEach: true
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '28'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ MaliciousIPs:
+ simple: ${MaliciousIPs}
+ separatecontext: true
+ skipunavailable: true
+ task:
+ brand: ''
+ description: 'This playbook blocks IP addresses with 2 optional actions:
+
+
+ - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama
+ or Firewall. The playbook receives malicious IP addresses and an address group
+ name as inputs, verifies that the addresses are not already a part of the
+ address group, adds them and commits the configuration.
+
+
+
+ - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables
+ analysts to create a rule one time, where the group is the source/destination,
+ and adds IP addresses dynamically without the need to commit the configuration
+ every time.
+
+ The playbook checks if the given tag already exists. If the tag exists, then
+ the IP address is added to the tag.
+
+ If the tag does not exist, a new address group is created with the given tag
+ and a matching rule, and the configuration is committed.'
+ id: bf27b93c-08c7-4a4a-84b8-067d4957ad79
+ iscommand: false
+ name: PAN-OS - Block IP
+ playbookName: PAN-OS - Block IP
+ type: playbook
+ version: -1
+ taskid: bf27b93c-08c7-4a4a-84b8-067d4957ad79
+ timertriggers: []
+ type: playbook
+ view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 855\n }\n}"
+ '5':
+ continueonerrortype: ''
+ id: '5'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ''
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '11'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ ClearUserSessions:
+ simple: 'True'
+ Username:
+ simple: ${UserEmail}
+ separatecontext: true
+ skipunavailable: true
+ task:
+ brand: ''
+ description: '## Containment Plan - Clear User Sessions
+
+
+ This playbook is a sub-playbook within the containment plan playbook.
+
+ The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear
+ user sessions.'
+ id: 7b8e233a-e891-496a-8fae-dce79475f0b5
+ iscommand: false
+ name: Containment Plan - Clear User Sessions
+ playbookName: Containment Plan - Clear User Sessions
+ type: playbook
+ version: -1
+ taskid: 7b8e233a-e891-496a-8fae-dce79475f0b5
+ timertriggers: []
+ type: playbook
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2180\n }\n}"
+ '6':
+ continueonerrortype: ''
+ id: '6'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '7'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ alert_ids:
+ simple: ${alert.id}
+ filter_alert_fields:
+ simple: 'false'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Returns information about each alert ID.
+ id: 38d4401c-a37d-4601-822d-552ddd7deecf
+ iscommand: true
+ name: Collect login information
+ script: '|||core-get-cloud-original-alerts'
+ type: regular
+ version: -1
+ taskid: 38d4401c-a37d-4601-822d-552ddd7deecf
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 690\n }\n}"
+ '7':
+ continueonerrortype: ''
+ id: '7'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '15'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 6ce6c84b-26c8-48ce-8c4e-fdb9bfe99865
+ iscommand: false
+ name: Analyze Alert Data
+ type: title
+ version: -1
+ taskid: 6ce6c84b-26c8-48ce-8c4e-fdb9bfe99865
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 870\n }\n}"
+ '8':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ simple: alert.details
+ operator: notContainsGeneral
+ right:
+ value:
+ simple: . 0 successful
+ label: 'yes'
+ continueonerrortype: ''
+ id: '8'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '9'
+ 'yes':
+ - '17'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Checks whether the alert indicates that there was a successful
+ login or not.
+ id: 2242a45c-8715-41ab-8e7e-9b060920e9ad
+ iscommand: false
+ name: Check for successful login
+ type: condition
+ version: -1
+ taskid: 2242a45c-8715-41ab-8e7e-9b060920e9ad
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2515\n }\n}"
+ '9':
+ continueonerrortype: ''
+ id: '9'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '10'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 780502a5-9cfe-4d0e-8367-03f2d79595ce
+ iscommand: false
+ name: Close Alert
+ type: title
+ version: -1
+ taskid: 780502a5-9cfe-4d0e-8367-03f2d79595ce
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3440\n }\n}"
+tests:
+- No tests (auto formatted)
+version: -1
+view: "{\n \"linkLabelsPosition\": {\n \"13_14_yes\": 0.55,\n \"13_9_#default#\"\
+ : 0.14,\n \"19_16_REMEDIATION\": 0.1,\n \"19_28_#default#\": 0.15,\n \"\
+ 22_16_REMEDIATION\": 0.17,\n \"22_28_#default#\": 0.22,\n \"27_16_REMEDIATION\"\
+ : 0.35,\n \"27_28_#default#\": 0.1,\n \"32_16_REMEDIATION\": 0.13,\n \"\
+ 32_28_#default#\": 0.34,\n \"35_16_REMEDIATION\": 0.19,\n \"35_28_#default#\"\
+ : 0.26,\n \"8_17_yes\": 0.59,\n \"8_9_#default#\": 0.16\n },\n \"paper\"\
+ : {\n \"dimensions\": {\n \"height\": 3735,\n \"width\": 2400,\n \
+ \ \"x\": -550,\n \"y\": 70\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml
new file mode 100644
index 00000000000..9da266a4875
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml
@@ -0,0 +1,562 @@
+description: 'This playbook is designed to handle the following alerts:
+
+ - Command-line arguments match Mimikatz execution
+
+ - Mimikatz command-line arguments
+
+ - Credential dumping via wce.exe
+
+ - Credential dumping via gsecdump.exe
+
+ - PowerShell runs with known Mimikatz arguments
+
+ - Hash cracking using Hashcat tool
+
+ - Credential dumping via fgdump.exe
+
+ - Credential dumping via LaZagne
+
+ - Credential dumping via pwdumpx.exe
+
+ - Dumping lsass.exe memory for credential extraction
+
+ - Memory dumping with comsvcs.dll
+
+
+ The playbook executes the following stages:
+
+
+ Early Containment:
+
+ - Handles malicious alerts by terminating the causality process.
+
+
+ Remediation:
+
+ - Handles malicious alerts by suggesting the analyst to isolate the endpoint.'
+fromversion: 8.9.0
+id: silent-Credential Dumping using a known tool Test
+inputs: []
+issilent: true
+name: silent-Credential Dumping using a known tool Test
+outputs: []
+starttaskid: '0'
+tags:
+- TA0006 - Credential Access
+- T1003 - OS Credential Dumping
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '37'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: c5104fac-8485-4a26-8ac1-9eee0ae0ea5e
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: c5104fac-8485-4a26-8ac1-9eee0ae0ea5e
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -1280\n }\n}"
+ '12':
+ continueonerrortype: ''
+ id: '12'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '32'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 06f5d734-c40b-4d0a-8c63-066e73bd9acb
+ iscommand: false
+ name: Early Containment
+ type: title
+ version: -1
+ taskid: 06f5d734-c40b-4d0a-8c63-066e73bd9acb
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": -240,\n \"y\": -780\n }\n}"
+ '24':
+ continueonerrortype: ''
+ id: '24'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '25'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ closeNotes:
+ simple: Malicious activity detected
+ closeReason:
+ simple: Resolved - Handled by the playbook "Credential Dumping using a known
+ tool"
+ id:
+ simple: ${alert.id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: Builtin
+ description: commands.local.cmd.close.inv
+ id: 11a229b7-5716-4011-800a-b4d215a25717
+ iscommand: true
+ name: Close Alert
+ script: Builtin|||closeInvestigation
+ type: regular
+ version: -1
+ taskid: 11a229b7-5716-4011-800a-b4d215a25717
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 10,\n \"y\": 570\n }\n}"
+ '25':
+ continueonerrortype: ''
+ id: '25'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 7aa614c4-5aad-4465-803d-71563fec2665
+ iscommand: false
+ name: Done
+ type: title
+ version: -1
+ taskid: 7aa614c4-5aad-4465-803d-71563fec2665
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 10,\n \"y\": 730\n }\n}"
+ '27':
+ continueonerrortype: ''
+ id: '27'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '24'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ endpoint_id:
+ simple: ${alert.agentid}
+ timeout_in_seconds:
+ simple: '180'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Isolates the specified endpoint.
+ id: 18d7aacc-c482-48a2-8f0b-9cc7251379db
+ iscommand: true
+ name: 'Isolate Endpoint '
+ script: '|||core-isolate-endpoint'
+ type: regular
+ version: -1
+ taskid: 18d7aacc-c482-48a2-8f0b-9cc7251379db
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": -280,\n \"y\": 400\n }\n}"
+ '28':
+ continueonerrortype: ''
+ id: '28'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '30'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: bc3d1488-e2cc-425a-8fb3-87110d8ce804
+ iscommand: false
+ name: Remediation
+ type: title
+ version: -1
+ taskid: bc3d1488-e2cc-425a-8fb3-87110d8ce804
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -290\n }\n}"
+ '29':
+ continueonerrortype: ''
+ id: '29'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ message:
+ bcc: null
+ body:
+ simple: Should perform isolation on the endpoint ${alert.hostname} ?
+ cc: null
+ format: ''
+ methods: []
+ replyOptions:
+ - 'Yes'
+ - 'No'
+ subject: null
+ timings:
+ completeafterreplies: 1
+ completeaftersla: false
+ completeafterv2: true
+ retriescount: 2
+ retriesinterval: 360
+ to: null
+ nexttasks:
+ '#default#':
+ - '24'
+ 'Yes':
+ - '27'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Analyst approval is required to isolate the endpoint.
+ id: e175d505-aad6-4f06-8898-4b6f2e68782f
+ iscommand: false
+ name: Analyst approval for isolation
+ type: condition
+ version: -1
+ taskid: e175d505-aad6-4f06-8898-4b6f2e68782f
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": -280,\n \"y\": 200\n }\n}"
+ '30':
+ continueonerrortype: ''
+ id: '30'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '31'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ endpoint_id_list:
+ simple: ${alert.agentid}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Gets a list of endpoints, according to the passed filters. If there
+ are no filters, all endpoints are returned. Filtering by multiple fields is
+ concatenated using the AND condition (OR is not supported). Maximum result
+ set size is 100. Offset is the zero-based number of endpoints from the start
+ of the result set (start by counting from 0).
+ id: 02d8f791-2c65-4dab-870c-cd53cf133be9
+ iscommand: true
+ name: Get endpoint info by endpoint ID
+ script: '|||core-get-endpoints'
+ type: regular
+ version: -1
+ taskid: 02d8f791-2c65-4dab-870c-cd53cf133be9
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -155\n }\n}"
+ '31':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ accessor: endpoint_type
+ root: Core.Endpoint
+ operator: containsString
+ right:
+ value:
+ simple: WORKSTATION
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ accessor: endpoint_status
+ root: Core.Endpoint
+ operator: isEqualString
+ right:
+ value:
+ simple: CONNECTED
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Core.Endpoint.is_isolated
+ operator: isEqualString
+ right:
+ value:
+ simple: AGENT_UNISOLATED
+ label: Isolate
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Core.Endpoint.is_isolated
+ operator: isEqualString
+ right:
+ value:
+ simple: AGENT_ISOLATED
+ label: Already isolated
+ continueonerrortype: ''
+ id: '31'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '36'
+ Already isolated:
+ - '24'
+ Isolate:
+ - '29'
+ note: false
+ quietmode: 2
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Determine whether to isolate the endpoint based on its status,
+ isolation state, and OS type.
+ id: c887cbd2-5a09-4d82-83da-f2df7a9c068f
+ iscommand: false
+ name: Verify endpoint isn't isolated, disconnected, or a server
+ type: condition
+ version: -1
+ taskid: c887cbd2-5a09-4d82-83da-f2df7a9c068f
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 10,\n \"y\": 10\n }\n}"
+ '32':
+ continueonerror: true
+ continueonerrortype: errorPath
+ id: '32'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#error#':
+ - '33'
+ '#none#':
+ - '28'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ agent_id:
+ simple: ${alert.agentid}
+ causality_id:
+ simple: ${alert.cid}
+ timeout_in_seconds:
+ simple: '180'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Terminate a process by it's causality ID.
+ id: e779dfc7-1f39-4ea1-8395-693901916095
+ iscommand: true
+ name: Terminate Causality (CGO)
+ script: '|||core-terminate-causality'
+ type: regular
+ version: -1
+ taskid: e779dfc7-1f39-4ea1-8395-693901916095
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": -240,\n \"y\": -650\n }\n}"
+ '33':
+ continueonerrortype: ''
+ id: '33'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '28'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Dear Analyst,\n\nDuring the remediation process, the playbook\
+ \ couldn't terminate the process ${alert.cgoname} \n\nPlease terminate the\
+ \ process manually if possible. \nNote that the next remediation step, if\
+ \ possible, will be endpoint isolation."
+ id: f82b7572-1a45-4d6a-84b5-b6802dcc44af
+ iscommand: false
+ name: Terminate Process Manually
+ type: regular
+ version: -1
+ taskid: f82b7572-1a45-4d6a-84b5-b6802dcc44af
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": -430,\n \"y\": -460\n }\n}"
+ '36':
+ continueonerrortype: ''
+ id: '36'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '24'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Dear Analyst,\n\nPlease note that during the remediation process,\
+ \ the playbook didn't isolate the following host: ${alert.hostname} \n\nThis\
+ \ is due to one of the following reasons:\n- The device disconnected.\n- The\
+ \ device has been identified as a server.\n\nPlease take manual action to\
+ \ contain the attack and prevent the attacker from executing lateral movement\
+ \ before closing this alert."
+ id: ca7ef243-bf2e-4de4-8e0c-d44f7703cd0f + iscommand: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: ca7ef243-bf2e-4de4-8e0c-d44f7703cd0f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 300,\n \"y\": 200\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for Cortex XSIAM related alerts to the current + incident. + id: cc0cf3c7-a04b-4a53-8132-52ea0b88609b + iscommand: false + name: Get Incident related alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: cc0cf3c7-a04b-4a53-8132-52ea0b88609b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -1145\n }\n}" + '41': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isEqualString + right: + value: + simple: alert.cid + root: foundIncidents.CustomFields + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Blocked: + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the incident's alerts for an alert that blocked 
the causality + using the agent. + id: 4d7bcdc0-6b74-421e-875a-d3c6a29cc564 + iscommand: false + name: Check if the causality was blocked by the agent + type: condition + version: -1 + taskid: 4d7bcdc0-6b74-421e-875a-d3c6a29cc564 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -980\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"29_24_#default#\": 0.4,\n \"29_27_Yes\"\ + : 0.55,\n \"31_24_Already isolated\": 0.16,\n \"31_29_Isolate\": 0.57,\n \ + \ \"32_33_#error#\": 0.53,\n \"41_28_Blocked\": 0.18\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 2075,\n \"width\": 1110,\n \"\ + x\": -430,\n \"y\": -1280\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml new file mode 100644 index 00000000000..79b3b4e7a58 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml 
@@ -0,0 +1,1204 @@ +contentitemexportablefields: + contentitemfields: {} +description: 'This playbook handles "Uncommon remote scheduled task creation" alert, + which is generated on the source host that created the remote scheduled task. + + + Playbook Stages: + + + Analysis: + + + - The playbook verifies whether the causality process is signed and prevalent. If + the process is not signed and not prevalent, it proceeds with remediation actions; + otherwise, it continues investigating the alert. + + + Investigation: + + + During the alert investigation, the playbook will perform the following: + + + - Searches for related Cortex XSIAM alerts on the endpoint that use the following + MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, + T1021 - Remote Services. + + - Searches for related Cortex XSIAM agent alerts on the remote endpoint, to determine + if the creation of the scheduled task is part of an attack pattern. + + - Searches for suspicious command-line parameters indicating a malicious scheduled + task. + + + Remediation: + + + - Automatically disable the malicious scheduled task on the remote host. + + - Automatically terminate the causality process. + + - Automatically close the alert.' 
+fromversion: 8.9.0 +id: silent-Endpoint initiated uncommon remote scheduled task creation Test +inputs: [] +issilent: true +name: silent-Endpoint initiated uncommon remote scheduled task creation Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -240\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 540\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Endpoint initiated uncommon remote + scheduled task creation" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: da448fc0-16d7-49b4-892f-493b725ca59a + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: da448fc0-16d7-49b4-892f-493b725ca59a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3960\n }\n}" + '14': + continueonerror: true + continueonerrortype: errorPath + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '22' + '#none#': + - '69' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe schtasks /change /tn "${ExtractedTaskName}" /disable + endpoint_ids: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + root: Core.Endpoint + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Disable the malicious scheduled task by executing shell commands. 
+ id: 9de4fea1-2efe-427d-83e7-5ca0c0ffaff1 + iscommand: true + name: Disable the scheduled task on the remote host + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 9de4fea1-2efe-427d-83e7-5ca0c0ffaff1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2780\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: 'Yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '1' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the signature and prevalence + of the causality process. + id: 3ddedabb-1395-4234-81f5-a3b098a10721 + iscommand: false + name: Is the causality process unsigned and not prevalent? + type: condition + version: -1 + taskid: 3ddedabb-1395-4234-81f5-a3b098a10721 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 370\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '81' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process the playbook failed to disable the scheduled + task: ${Core.OriginalAlert.event.scheduled_task_path} + + on the remote host: ${Core.OriginalAlert.raw_abioc.event.schtasks_remote_host} + + + Please manually disable this scheduled task.' 
+ id: 93c5df93-c13b-4e70-8ba4-8d0d405c5e56 + iscommand: false + name: Disable the scheduled task manually + type: regular + version: -1 + taskid: 93c5df93-c13b-4e70-8ba4-8d0d405c5e56 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 3310\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 4120\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '74' + - '77' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + iscommand: true + name: Get scheduled task details + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 25\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + forEach: true + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + scriptarguments: + Commandline: + complex: + accessor: osparentcmd + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.targetprocesscmd + operator: append + - operator: uniq + StringSimilarityThreshold: + simple: '0.5' + separatecontext: true + skipunavailable: false + task: + brand: '' + description: "This playbook takes a command line from the alert and performs\ + \ the following actions:\n- Checks for base64 string and decodes if exists\n\ + - Extracts and enriches indicators from the command line\n- Checks specific\ + \ arguments for malicious usage \n\nAt the end of the playbook, it sets a\ + \ possible verdict for the command line, based on the finding:\n1. Indicators\ + \ found in the command line\n2. Found AMSI techniques\n3. Found suspicious\ + \ parameters\n4. Usage of malicious tools\n5. Indication of network activity\n\ + 6. Indication of suspicious LOLBIN execution\n7. Suspicious path and arguments\ + \ in the command line\n\nNote: To run this playbook with a list of command\ + \ lines, set this playbook to run in a loop. To do so, navigate to 'Loop'\ + \ and check \"For Each Input\"." 
+ id: 5aad16e6-ce1d-45b5-8104-fd02073c0d4b + iscommand: false + name: Command-Line Analysis + playbookName: Command-Line Analysis + type: playbook + version: -1 + taskid: 5aad16e6-ce1d-45b5-8104-fd02073c0d4b + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 1140\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6d11f6e-a28a-459a-8004-bec570e4b02a + iscommand: false + name: Analysis + type: title + version: -1 + taskid: b6d11f6e-a28a-459a-8004-bec570e4b02a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -110\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '80' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2160\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '75' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + iscommand: false + name: Investigation on remote host + type: title + version: -1 + taskid: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1480\n }\n}" + '32': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + 
value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines if there are agent alerts on the remote host indicating + that the alert was part of an attack pattern. + id: c9cda634-644d-4c93-8cc6-e1fa36a29e2f + iscommand: false + name: Found any alerts of malicious activity on the remote host? + type: condition + version: -1 + taskid: c9cda634-644d-4c93-8cc6-e1fa36a29e2f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1970\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + iscommand: false + name: Done + type: title + version: -1 + taskid: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 2450\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 5 hours ago + query: + simple: (mitreattcktechnique:*T1018* or name:"WildFire Malware" or name:"Local + Analysis Malware" or name:"Behavioral Threat") and agentid:${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for related suspicious alerts by MITRE technique\ + \ and specific alert names to determine if this alert is part of an attack\ + \ pattern. 
\nFocus on identifying alerts from the past 5 hours on the endpoint\ + \ associated with:\n\nMITRE Technique: \n- T1018 - Remote System Discovery\n\ + \nAlerts:\n- \"WildFire Malware\"\n- \"Local Analysis Malware\"\n- \"Behavioral\ + \ Threat\"\n\nThe findings may indicate whether this alert is part of an attack\ + \ pattern." + id: a62156c1-5f66-4cc7-8cf5-53be739b6549 + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: a62156c1-5f66-4cc7-8cf5-53be739b6549 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 670\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: No evidence of malicious activity + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 2160\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + iscommand: false + name: Command-line Investigation + type: title + version: -1 + taskid: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 1010\n }\n}" + '66': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandlineVerdict.AMSI + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: CommandlineVerdict.maliciousTools + 
operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.networkActivity + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousLolbinExecution + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousCmdPathAndArguments + operator: isNotEmpty + label: 'Yes' + continueonerrortype: '' + id: '66' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '30' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the results of the + command-line analysis. + id: be97ffb8-982a-489c-8d0a-c45eb6618a1f + iscommand: false + name: Found any malicious Command-line parameters? + type: condition + version: -1 + taskid: be97ffb8-982a-489c-8d0a-c45eb6618a1f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 1300\n }\n}" + '67': + continueonerrortype: '' + id: '67' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '81' + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Dear Analyst,\n\nDuring the remediation process the playbook executed\ + \ a shell command to disable the following scheduled task: \n${ExtractedTaskName}\n\ + \nThe task was disabled on the following remote endpoint: \n${Core.OriginalAlert.raw_abioc.event.schtasks_remote_host}" + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to War Room (Markdown supported). 
+ id: e2846c17-8044-43e0-881e-17219cfa784c + iscommand: false + name: Notify to War Room - Scheduled Task Disabled + scriptName: Print + type: regular + version: -1 + taskid: e2846c17-8044-43e0-881e-17219cfa784c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3310\n }\n}" + '69': + continueonerrortype: '' + id: '69' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2950\n }\n}" + '70': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: SUCCESS + label: 'yes' + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '67' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 1666967d-c2af-4352-82f0-0d17d99b391f + iscommand: false + name: Has the script disabled the task successfully? 
+ type: condition + version: -1 + taskid: 1666967d-c2af-4352-82f0-0d17d99b391f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3110\n }\n}" + '72': + continueonerror: true + continueonerrortype: '' + id: '72' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + key: + simple: ExtractedTaskName + value: + complex: + accessor: targetprocesscmd + root: alert + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?i).*tn\s(.*?)\s\/ + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extract the name and path of the malicious scheduled task and sets + the value in context key 'ExtractedTaskName'. + id: dfc8da1d-2f1d-4c5a-8de9-d2381c34b396 + iscommand: false + name: Extract the name and path of the scheduled task + scriptName: Set + type: regular + version: -1 + taskid: dfc8da1d-2f1d-4c5a-8de9-d2381c34b396 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2620\n }\n}" + '73': + continueonerrortype: '' + id: '73' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: (mitreattcktechnique:*T1202* or mitreattcktechnique:*T1021*) and -name:"Uncommon + remote scheduled task created" and agentid:${Core.Endpoint.endpoint_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for suspicious related alerts on the remote + endpoint using MITRE techniques. 
It focuses on identifying alerts from the + past 3 hours associated with the following techniques: + + - T1202 - Indirect Command Execution + + - T1021 - Remote Services + + ' + id: 8ef473cd-2dc1-46a1-805e-fa179910603d + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 8ef473cd-2dc1-46a1-805e-fa179910603d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1805\n }\n}" + '74': + continueonerrortype: '' + id: '74' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + hostname: + simple: ${Core.OriginalAlert.raw_abioc.event.schtasks_remote_host} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of the endpoint from the + start of the result set (start by counting from 0). 
+ id: 4be27c4b-ad83-46b4-868b-795a35647cd0 + iscommand: true + name: Get remote endpoint details + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 4be27c4b-ad83-46b4-868b-795a35647cd0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 630,\n \"y\": 195\n }\n}" + '75': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '75' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '73' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the Cortex XDR agent is installed on the remote + endpoint. + id: a2bad801-d912-45ec-8ac6-5ece49400caa + iscommand: false + name: Is the XDR agent installed on the remote endpoint? + type: condition + version: -1 + taskid: a2bad801-d912-45ec-8ac6-5ece49400caa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1610\n }\n}" + '76': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '72' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the Cortex XDR agent is installed and connected + on the remote endpoint. + id: 36164015-8f07-4e5b-873d-024f66adb228 + iscommand: false + name: Is the XDR agent install and connected on the remote endpoint? 
+ type: condition + version: -1 + taskid: 36164015-8f07-4e5b-873d-024f66adb228 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2420\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + process_name: + simple: ${alert.cgoname} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. + id: f54e9a6f-1a23-438f-8fbb-69aa1bab715e + iscommand: true + name: Get Causality process prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: f54e9a6f-1a23-438f-8fbb-69aa1bab715e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 190,\n \"y\": 195\n }\n}" + '78': + continueonerror: true + continueonerrortype: errorPath + id: '78' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '79' + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. 
+ id: 5ec26302-ebf5-44f0-820f-608303db5477 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 5ec26302-ebf5-44f0-820f-608303db5477 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3610\n }\n}" + '79': + continueonerrortype: '' + id: '79' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to terminate the causality + process: ${alert.cgoname} + + Please investigate this before closing this alert. + + ' + id: 008355c5-1a8d-4320-89be-537f43d295e8 + iscommand: false + name: Terminate Causality Process Manually + type: regular + version: -1 + taskid: 008355c5-1a8d-4320-89be-537f43d295e8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 190,\n \"y\": 3790\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '56' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the alert contains agent alerts indicating that + the alert was part of an attack pattern. + id: 287b6585-4340-4fd2-8134-6ee815f90846 + iscommand: false + name: Found any alerts indicating this is a malicious scheduled task? 
+ type: condition + version: -1 + taskid: 287b6585-4340-4fd2-8134-6ee815f90846 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 830\n }\n}" + '80': + continueonerrortype: '' + id: '80' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 15daefa9-4061-4aed-845a-473010c4b749 + iscommand: false + name: Remediation on the Remote Host + type: title + version: -1 + taskid: 15daefa9-4061-4aed-845a-473010c4b749 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2290\n }\n}" + '81': + continueonerrortype: '' + id: '81' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '78' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 74d0a222-b7d3-487e-8904-027e7a972231 + iscommand: false + name: Remediation on the Source Host + type: title + version: -1 + taskid: 74d0a222-b7d3-487e-8904-027e7a972231 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3480\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: 'No Evidence of Malicious Activity: + + - The causality process is signed and prevalent. + + - No related alerts indicating malicious activity were found on the source + host. + + - No malicious parameters were identified in the command line. + + - No related alerts indicating malicious activity were found on the remote + host.' 
+ closeReason:
+ simple: Resolved - Handled by the playbook "Endpoint initiated uncommon remote
+ scheduled task creation"
+ id:
+ simple: ${alert.id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: Builtin
+ description: commands.local.cmd.close.inv
+ id: a376a415-7a05-4085-85ff-e80b02660456
+ iscommand: true
+ name: Close Alert - No evidence of malicious activity
+ script: Builtin|||closeInvestigation
+ type: regular
+ version: -1
+ taskid: a376a415-7a05-4085-85ff-e80b02660456
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 2290\n }\n}"
+tests:
+- No tests (auto formatted)
+version: -1
+view: "{\n \"linkLabelsPosition\": {\n \"14_22_#error#\": 0.37,\n \"2_3_Yes\"\
+ : 0.12,\n \"32_3_yes\": 0.29,\n \"66_3_Yes\": 0.19,\n \"70_22_#default#\"\
+ : 0.66,\n \"70_67_yes\": 0.52,\n \"75_5_#default#\": 0.6,\n \"75_73_yes\"\
+ : 0.41,\n \"76_22_#default#\": 0.27,\n \"76_72_yes\": 0.47,\n \"78_79_#error#\"\
+ : 0.51,\n \"8_3_yes\": 0.13\n },\n \"paper\": {\n \"dimensions\": {\n \
+ \ \"height\": 4425,\n \"width\": 1780,\n \"x\": 0,\n \"y\": -240\n\
+ \ }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml
new file mode 100644
index 00000000000..6d211dd5111
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml
@@ -0,0 +1,503 @@
+description: "This playbook is designed to handle the following alerts: \n- Windows\
+ \ Event Log was cleared using wevtutil.exe\n- Security Event Log was cleared using\
+ \ wevtutil.exe\n- A Sensitive Windows Event Log was cleared using wevtutil.exe\n\
+ - Windows event logs were cleared with PowerShell\n- Suspicious clear or delete\
+ \ security provider event logs with PowerShell\n- Suspicious clear or delete default\
+ \ providers event logs with PowerShell\n- Windows event logs cleared using wmic.exe\n\
+ \nThe playbook executes the following stages:\n\nInvestigation:\nCheck the following\
+ \ parameters to determine if remediation actions are needed:\n- Cortex XSIAM alerts\
+ \ related to the hostname by MITRE tactics indicating malicious activity.\n- Whether\
+ \ the CGO or the OSParent process is unsigned.\n- The prevalence of the OSParent\
+ \ process.\n\nRemediation:\n- Handles malicious alerts by terminating the relevant\
+ \ processes.\n- Handles non-malicious alerts identified during the investigation."
+fromversion: 8.9.0
+id: silent-Event Log Was Cleared Test
+inputSections:
+- description: Generic group for inputs.
+ inputs: []
+ name: General (Inputs group)
+inputs: []
+issilent: true
+name: silent-Event Log Was Cleared Test
+outputSections:
+- description: Generic group for outputs.
+ name: General (Outputs group)
+ outputs: []
+outputs: []
+starttaskid: '0'
+tags:
+- T1070 - Indicator Removal
+- T1490 - Inhibit System Recovery
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '1'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: acc9b1ca-5e6b-485d-8152-4171df653733
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: acc9b1ca-5e6b-485d-8152-4171df653733
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 40\n }\n}"
+ '1':
+ continueonerrortype: ''
+ id: '1'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '73'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 3bcade69-bdb3-46e0-880b-c9f741342853
+ iscommand: false
+ name: Investigation
+ type: title
+ version: -1
+ taskid: 3bcade69-bdb3-46e0-880b-c9f741342853
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 170\n }\n}"
+ '21':
+ continueonerrortype: ''
+ id: '21'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '22'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ closeNotes:
+ simple: Suspicious activity detected
+ closeReason:
+ simple: Resolved - Handled by the playbook "Event Log was cleared".
+ id:
+ simple: ${alert.id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: Builtin
+ description: commands.local.cmd.close.inv
+ id: 7f649638-3182-4d2c-8369-d0a14ec35642
+ iscommand: true
+ name: Close Alert
+ script: Builtin|||closeInvestigation
+ type: regular
+ version: -1
+ taskid: 7f649638-3182-4d2c-8369-d0a14ec35642
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1475\n }\n}"
+ '22':
+ continueonerrortype: ''
+ id: '22'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 331ffb07-1760-4644-837c-68732ecf9bee
+ iscommand: false
+ name: Done
+ type: title
+ version: -1
+ taskid: 331ffb07-1760-4644-837c-68732ecf9bee
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1655\n }\n}"
+ '24':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ simple: foundIncidents.name
+ operator: isNotEmpty
+ right:
+ value: {}
+ label: 'yes'
+ continueonerrortype: ''
+ id: '24'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '26'
+ 'yes':
+ - '7'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Determines whether the incident contains related alerts by MITRE
+ Techniques, indicating that the alert was part of an attack pattern.
+ id: 5b4b20fd-e0f6-43d0-843d-7d3c52c89fb7
+ iscommand: false
+ name: Found any alerts indicating this is malicious activity?
+ type: condition
+ version: -1
+ taskid: 5b4b20fd-e0f6-43d0-843d-7d3c52c89fb7
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 790\n }\n}"
+ '26':
+ continueonerrortype: ''
+ id: '26'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '70'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 273d63e4-d318-4050-8e20-fa8b42b3b527
+ iscommand: false
+ name: No Results Found
+ type: title
+ version: -1
+ taskid: 273d63e4-d318-4050-8e20-fa8b42b3b527
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 1040,\n \"y\": 980\n }\n}"
+ '6':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: alert.osparentsignature
+ operator: isNotEmpty
+ root: alert.osparentsignature
+ operator: isNotEqualString
+ right:
+ value:
+ simple: SIGNATURE_SIGNED
+ - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: alert.cgosignature
+ operator: isNotEmpty
+ root: alert.cgosignature
+ operator: isNotEqualString
+ right:
+ value:
+ simple: SIGNATURE_SIGNED
+ - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Core.AnalyticsPrevalence.Process.value
+ operator: isEqualString
+ right:
+ value:
+ simple: 'False'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '6'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '77'
+ 'yes':
+ - '7'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Determines the appropriate verdict based on:
+
+ - Process Signature
+
+ - CMD line/Process name prevalence'
+ id: d5887430-f83b-453c-87b3-649e9fac2eb7
+ iscommand: false
+ name: Check for process signatures and prevalence
+ type: condition
+ version: -1
+ taskid: d5887430-f83b-453c-87b3-649e9fac2eb7
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 460\n }\n}"
+ '7':
+ continueonerrortype: ''
+ id: '7'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '76'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 1473ad2f-f097-4673-8227-54c63e7bb296
+ iscommand: false
+ name: Remediation
+ type: title
+ version: -1
+ taskid: 1473ad2f-f097-4673-8227-54c63e7bb296
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 980\n }\n}"
+ '70':
+ continueonerrortype: ''
+ id: '70'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '22'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ closeNotes:
+ simple: No Results Found
+ closeReason:
+ simple: Resolved - Handled by the playbook "Event Log was cleared"
+ id:
+ simple: ${alert.id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: Builtin
+ description: commands.local.cmd.close.inv
+ id: 53074f01-741a-4f1e-8f5f-4e19539684f3
+ iscommand: true
+ name: Close Alert - No results returned
+ script: Builtin|||closeInvestigation
+ type: regular
+ version: -1
+ taskid: 53074f01-741a-4f1e-8f5f-4e19539684f3
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1040,\n \"y\": 1110\n }\n}"
+ '73':
+ continueonerrortype: ''
+ id: '73'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '6'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ process_name:
+ complex:
+ accessor: osparentname
+ root: alert
+ transformers:
+ - args:
+ item:
+ iscontext: true
+ value:
+ simple: alert.cgoname
+ operator: append
+ - args:
+ empty_values: {}
+ remove_keys:
+ value:
+ simple: 'false'
+ operator: RemoveEmpty
+ - operator: uniq
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Get the prevalence of a process, identified by process name.
+ id: 11e37dbd-4664-442a-8b48-737b5e95ad75
+ iscommand: true
+ name: Get prevalence for the processes in the causality
+ script: '|||core-get-process-analytics-prevalence'
+ type: regular
+ version: -1
+ taskid: 11e37dbd-4664-442a-8b48-737b5e95ad75
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 300\n }\n}"
+ '76':
+ continueonerror: true
+ continueonerrortype: errorPath
+ id: '76'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#error#':
+ - '78'
+ '#none#':
+ - '21'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ agent_id:
+ simple: ${alert.agentid}
+ causality_id:
+ simple: ${alert.cid}
+ timeout_in_seconds:
+ simple: '180'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Terminate a process tree by its causality ID. Available only for
+ Cortex XSIAM 2.4.
+ id: 7c9f23f6-7986-4c42-835f-f31c037a9fde
+ iscommand: true
+ name: Terminate Causality (CGO)
+ script: '|||core-terminate-causality'
+ type: regular
+ version: -1
+ taskid: 7c9f23f6-7986-4c42-835f-f31c037a9fde
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1110\n }\n}"
+ '77':
+ continueonerrortype: ''
+ id: '77'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '24'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ query:
+ complex:
+ accessor: parentXDRIncident
+ root: alert
+ transformers:
+ - args:
+ delimiter:
+ value:
+ simple: '-'
+ fields:
+ value:
+ simple: '2'
+ operator: Cut
+ - args:
+ prefix:
+ value:
+ simple: '(mitreattcktechnique:*T1055* or mitreattcktechnique:*T1059*)
+ and caseid:'
+ suffix: {}
+ operator: concat
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "This task searches for Cortex XSIAM suspicious alerts related\
+ \ to the current incident by Mitre Technique, indicating that the alert is\
+ \ part of an attack pattern.\n\nFocus on identifying alerts associated with\
+ \ the following MITRE techniques:\n- T1055 - Process Injection \n- T1059 -\
+ \ Command and Scripting Interpreter"
+ id: 7270541a-9892-47dc-8e5f-2b8c5c9c4583
+ iscommand: false
+ name: Search for suspicious-related alerts by MITRE Technique
+ scriptName: SearchIncidentsV2
+ type: regular
+ version: -1
+ taskid: 7270541a-9892-47dc-8e5f-2b8c5c9c4583
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 630\n }\n}"
+ '78':
+ continueonerrortype: ''
+ id: '78'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '21'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Dear Analyst,
+
+
+ During the remediation process, the playbook failed to terminate the causality
+ process: ${alert.cgoname}
+
+ Please investigate this before closing this alert.
+
+ '
+ id: 891baf84-9fd1-4e29-800c-35768048337b
+ iscommand: false
+ name: Terminate Causality Process Manually
+ type: regular
+ version: -1
+ taskid: 891baf84-9fd1-4e29-800c-35768048337b
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1290\n }\n}"
+tests:
+- No tests (auto formatted)
+version: -1
+view: "{\n \"linkLabelsPosition\": {\n \"24_7_yes\": 0.23,\n \"76_78_#error#\"\
+ : 0.56\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 1680,\n \
+ \ \"width\": 1220,\n \"x\": 200,\n \"y\": 40\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml
new file mode 100644
index 00000000000..7e696572e06
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml
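Review bot: Task '78', the `#error#` branch of the `core-terminate-causality` call in task '76', wires `nexttasks: '#none#': - '21'`, so a failed termination lands in the same close task as a successful one and the alert is closed as `Resolved - Handled by the playbook "Event Log was cleared".` with notes `Suspicious activity detected` while the causality process is still running; because the playbook is `issilent: true`, the "Dear Analyst" text in task '78' is the only trace of the failure and no one is prompted to act on it before closure. Consider routing task '78' to '22' (Done) without closing, or to a dedicated close task whose notes record the failure, e.g. `closeNotes: simple: Failed to terminate the causality process - manual follow-up required`. The first hunk in this chunk wires its task '79' to '13' the same way, though what task '13' does is outside this view. Two smaller points: the description says related alerts are searched "related to the hostname by MITRE tactics", whereas task '77' filters on `caseid:` cut from `alert.parentXDRIncident` plus techniques T1055/T1059, and the closeReason in task '21' carries a trailing period that task '70' lacks, which will split closure statistics across two distinct strings.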
@@ -0,0 +1,1142 @@ +description: 'This playbook addresses the following alerts: + + + - Excessive user account lockouts + + - Excessive account lockouts on suspicious users + + - Excessive user account lockouts from a suspicious source + + + The playbook investigates and responds to excessive user account lockout alerts. + It gathers information about the alert, enriches relevant host data, and analyzes + event patterns. This analysis helps distinguish between benign lockouts and lockouts + caused by brute-force or password spray attacks. + + + Playbook Stages: + + + Triage: + + + - The playbook enriches the alert with details about the lockout events. + + + Investigation: + + + - Analyzes the lockout event timestamps to detect patterns. + + - Checks for related medium severity brute-force alerts in the incident. + + - Retrieves the Risk Score for the Caller Computer that caused the lockouts. + + + Containment: + + + - With analyst approval, the playbook can isolate the endpoint (either the Caller + Computer or the target host) if it''s determined to be a true positive and not a + server. + + + Requirements: + + + - For response actions, the following integration is required: Core - IR.' 
+fromversion: 8.9.0 +id: silent-Excessive User Account Lockouts Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Excessive User Account Lockouts Test +outputs: [] +starttaskid: '0' +tags: +- T1110 - Brute Force +- TA0006 - Credential Access +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a6f8c311-b856-4f69-898f-31f3a2fa1068 + iscommand: false + name: '' + version: -1 + taskid: a6f8c311-b856-4f69-898f-31f3a2fa1068 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about the lockout events, including timestamps + and the Caller Computer name. 
+ id: 34a5e2bb-48fc-49e6-8942-973578d1a7a6 + iscommand: true + name: Get more information about the lockout events + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 34a5e2bb-48fc-49e6-8942-973578d1a7a6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f6c847f4-93f0-4cce-89f1-79fd4f983858 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: f6c847f4-93f0-4cce-89f1-79fd4f983858 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 1680\n }\n}" + '12': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.severity + operator: isEqualString + right: + value: + simple: '1' + label: Low + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '15' + Low: + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the severity of the current alert. Different severity variations + have different conditions for verdict decision. 
+ id: 8f3e49e5-3f1e-41bf-87ce-085572fb5519 + iscommand: false + name: Check alert severity + type: condition + version: -1 + taskid: 8f3e49e5-3f1e-41bf-87ce-085572fb5519 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 1810\n }\n}" + '13': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.id + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: IntervalAnalysis.IsPatternLikelyAutomated + operator: isTrue + label: True Positive + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '46' + True Positive: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if there are medium severity brute-force alerts in the incident, + and if the lockouts seem to be the result of an automated process. + id: 8bd9e5e8-d9a9-4d99-8f3d-8a4e8661dd1e + iscommand: false + name: Check verdict - low severity alert + type: condition + version: -1 + taskid: 8bd9e5e8-d9a9-4d99-8f3d-8a4e8661dd1e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 260,\n \"y\": 1980\n }\n}" + '15': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: foundIncidents.id + operator: isNotEmpty + - left: + iscontext: true + value: + simple: IntervalAnalysis.IsPatternLikelyAutomated + operator: isTrue + label: True Positive + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '38' + True Positive: + 
- '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the Caller Computer is risky, there are medium severity + brute-force alerts in the incident, or if the lockouts seem to be the result + of an automated process. + id: 94de6f92-b24f-47ce-8c6a-2b2bc2b3ddc5 + iscommand: false + name: Check verdict - medium/high severity alert + type: condition + version: -1 + taskid: 94de6f92-b24f-47ce-8c6a-2b2bc2b3ddc5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1980\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0052b546-df3b-4fbd-8c65-9c7cceba5164 + iscommand: false + name: Containment + type: title + version: -1 + taskid: 0052b546-df3b-4fbd-8c65-9c7cceba5164 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2320\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b130c4f8-988f-41f5-83b2-c0d560e1749a + iscommand: false + name: Triage + type: title + version: -1 + taskid: b130c4f8-988f-41f5-83b2-c0d560e1749a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 180\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: 
IsolationCandidate.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + - - left: + iscontext: true + value: + simple: IsolationCandidate.endpoint_name + operator: isNotEmpty + root: IsolationCandidate + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. + id: 036c042d-4edd-4a67-81e7-4130eb342a38 + iscommand: true + name: Isolate the endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 036c042d-4edd-4a67-81e7-4130eb342a38 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2800\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + hostname: + complex: + accessor: norm_evtlog_target_domain_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + ignore-outputs: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves agent information for the Caller Computer that caused + the lockouts (if managed). 
+ id: e80f56bc-9b7f-4194-8a3b-b7da358e127a + iscommand: true + name: Enrich Caller Computer + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: e80f56bc-9b7f-4194-8a3b-b7da358e127a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 830\n }\n}" + '31': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.norm_evtlog_target_domain_name + operator: isNotEmpty + right: + value: {} + label: Available + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '4' + Available: + - '3' + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the name of the Caller Computer is available in the event, + in order to avoid cases where all computers are queried due to an empty filter + in the core-get-endpoints command. + id: b114af3d-b553-4a33-8652-3b88a888c6f1 + iscommand: false + name: Check availability of Caller Computer Name + type: condition + version: -1 + taskid: b114af3d-b553-4a33-8652-3b88a888c6f1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 640\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f824171c-912c-4559-83e3-9c6c3908db98 + iscommand: false + name: False Positive + type: title + version: -1 + taskid: f824171c-912c-4559-83e3-9c6c3908db98 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2320\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + 
separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c21218a5-d5ff-4fb6-84bb-cf1a0beb53cf + iscommand: false + name: False Positive + type: title + version: -1 + taskid: c21218a5-d5ff-4fb6-84bb-cf1a0beb53cf + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 2815\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '40' + note: false + quietmode: 0 + scriptarguments: + hostname: + complex: + accessor: hostname + root: alert + transformers: + - operator: uniq + ignore-outputs: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). 
+ id: 83ff4126-8b59-42d1-80e7-492fa269b5d7 + iscommand: true + name: Get endpoint details for the target host + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 83ff4126-8b59-42d1-80e7-492fa269b5d7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": 1180\n }\n}" + '40': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: Non-server + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '11' + Non-server: + - '43' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves agent information for the host where the lockouts were + logged. 
+ id: cec099da-466d-4705-825f-5228bc8d77e0 + iscommand: false + name: Ensure target host is not a server + type: condition + version: -1 + taskid: cec099da-466d-4705-825f-5228bc8d77e0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": 1340\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + key: + simple: IsolationCandidate + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_name + operator: isEqualString + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.norm_evtlog_target_domain_name + root: Core.Endpoint + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the Caller Computer that caused the user lockouts as the + remediation target. 
+ id: 054b82f0-47a5-4a50-82d3-42a7df367ebd + iscommand: false + name: Save Caller Computer as target for remediation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 054b82f0-47a5-4a50-82d3-42a7df367ebd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 250,\n \"y\": 1180\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + key: + simple: IsolationCandidate + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_name + operator: isEqualString + right: + iscontext: true + value: + simple: alert.hostname + root: Core.Endpoint + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the host on which the lockouts occurred as the remediation + target. 
+ id: 62222607-7815-4c38-8775-1cfe01426421 + iscommand: false + name: Save Target Host as target for remediation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 62222607-7815-4c38-8775-1cfe01426421 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 1510\n }\n}" + '46': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost + operator: isNotEmpty + right: + value: {} + label: Risky + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '39' + Risky: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the Caller Computer that caused the lockouts is risky + (if managed). 
+ id: 0c636d74-3530-4485-8aab-eeb6b0a459e1 + iscommand: false + name: Check Caller Computer risk level + type: condition + version: -1 + taskid: 0c636d74-3530-4485-8aab-eeb6b0a459e1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 70,\n \"y\": 2150\n }\n}" + '48': + continueonerrortype: '' + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 648a9503-9122-44fe-8bea-2e326ca79107 + iscommand: true + name: Close the alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 648a9503-9122-44fe-8bea-2e326ca79107 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2980\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Automatic remediation was skipped due to one of the following + reasons: + + - The Caller Computer is not managed, and the target host is a server. + + - The Caller Computer and the Target Host are the same, and they are both + servers. + + + The analyst should take manual remediation steps such as fixing misconfigurations, + investigating lockout causes, etc.' 
+ id: 7f81c1a1-0cf6-40e1-8d0a-66e9a2378131 + iscommand: false + name: Manual - host server or unavailable + type: regular + version: -1 + taskid: 7f81c1a1-0cf6-40e1-8d0a-66e9a2378131 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 2630\n }\n}" + '5': + continueonerror: true + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + host_id: + complex: + accessor: norm_evtlog_target_domain_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets the risk level for the Caller Computer that caused the lockouts. + id: bba0b309-a23d-411c-8d5a-ac7bff8b971b + iscommand: true + name: Get Caller Computer risk level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: bba0b309-a23d-411c-8d5a-ac7bff8b971b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 830\n }\n}" + '52': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: IsolationCandidate.endpoint_name + operator: isEmpty + right: + value: {} + label: Host unavailable/server + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '54' + Host unavailable/server: + - '49' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Checks if the Caller Computer or host where the lockouts occurred + can be remediated. + + + The IsolationCandidate key will hold the Caller Computer if it''s managed. + If not managed or a server, the key will hold the target hostname instead. 
+ If the target host is a server, or is the same host as the Caller Computer + which happens to be a server, the IsolationCandidate key will be empty, requiring + analyst intervention.' + id: 8a3da735-27c1-40a2-814b-d8381a298c30 + iscommand: false + name: Check remediation preconditions + type: condition + version: -1 + taskid: 8a3da735-27c1-40a2-814b-d8381a298c30 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2455\n }\n}" + '53': + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and mitreattcktechnique:*T1110* and -severity:LOW and + -id:' + operator: concat + - args: + prefix: {} + suffix: + iscontext: true + value: + simple: alert.id + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for non-low severity alerts with the Brute Force MITRE + technique (T1110) in the same incident, which may be related to the excessive + lockouts. 
+ id: 3979d50a-f78e-4979-8103-27797180092d + iscommand: false + name: Search for suspicious brute force alerts in the incident + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 3979d50a-f78e-4979-8103-27797180092d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 630\n }\n}" + '54': + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + 'No': + - '48' + 'Yes': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Review the following findings and decide whether the host should + be isolated: + + ${IsolationCandidate.endpoint_name} + + + Below are the findings of the investigation: + + + + #### Current Alert Severity: + + `${.=val.alert.severity > 1 ? "Medium or higher" : "Low"}` + + + --- + + + #### Pattern Likely Automated: + + `${.=val.IntervalAnalysis.IsPatternLikelyAutomated ? "True" : "False"}` + + + --- + + + #### Related Brute-Force Alerts: + + `${.=val.foundIncidents.id ? "True" : "False"}` + + + --- + + + #### Risky Caller Computer: + + `${.=val.Core.RiskyHost && val.Core.RiskyHost.risk_level === "HIGH" ? 
"True" + : "False or unavailable"}` + + + ' + id: 18e9d259-d6ef-4e2a-875b-a849d57f6d42 + iscommand: false + name: Manual - decide whether to isolate the endpoint + type: condition + version: -1 + taskid: 18e9d259-d6ef-4e2a-875b-a849d57f6d42 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2630\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + - '53' + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 35501fc7-5bf8-4a0e-873b-5beec9d343ea + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 35501fc7-5bf8-4a0e-873b-5beec9d343ea + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 480\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + timestamps: + simple: ${Core.OriginalAlert._all_events.event_timestamp} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyze a list of Unix timestamps in milliseconds, to detect simple + patterns of consistency or high frequency. The script can aid in the investigation + of multi-event alerts that contain a list of timestamps. 
+ id: bb054ce8-8cc5-4060-817d-dba6db2ffee1 + iscommand: false + name: Analyze lockout timestamps + scriptName: AnalyzeTimestampIntervals + type: regular + version: -1 + taskid: bb054ce8-8cc5-4060-817d-dba6db2ffee1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 630\n }\n}" + '9': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: Non-server + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '4' + Non-server: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the Caller Computer is managed and identified is + a server. + id: 984a779e-940a-429c-8846-b1f832ce1f17 + iscommand: false + name: Ensure Caller Computer is not a server + type: condition + version: -1 + taskid: 984a779e-940a-429c-8846-b1f832ce1f17 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 990\n }\n}" +tests: +- no tests +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"13_16_True Positive\": 0.46,\n \"\ + 13_46_#default#\": 0.6,\n \"15_16_True Positive\": 0.45,\n \"15_38_#default#\"\ + : 0.23,\n \"31_3_Available\": 0.55,\n \"31_4_#default#\": 0.16,\n \"40_11_#default#\"\ + : 0.2,\n \"46_16_Risky\": 0.49,\n \"46_39_#default#\": 0.49,\n \"52_49_Host\ + \ unavailable/server\": 0.68,\n \"54_48_No\": 0.54,\n \"9_41_Non-server\"\ + : 0.58,\n \"9_4_#default#\": 0.4\n },\n \"paper\": {\n \"dimensions\": {\n\ + \ \"height\": 3025,\n \"width\": 1620,\n \"x\": -170,\n \"y\"\ + : 50\n }\n }\n}" 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml new file mode 100644 index 00000000000..346292ec121 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml 
@@ -0,0 +1,1576 @@ +description: "**This playbook addresses the following alerts**:\n- Exchange user mailbox\ + \ forwarding.\n- Suspicious Exchange user mailbox forwarding.\n\n**Playbook Stages**:\n\ + \n**Triage**:\n- Collect initial information about the internal user and the associated\ + \ external forwarding address.\n\n**Investigation**:\n- **Check IOCs Reputation**:\n\ + \ - Analyze the reputation of IP addresses, email addresses, and domains associated\ + \ with the alert.\n- **Get External Email Statistics**:\n - Retrieve statistics\ + \ of email interactions between the internal user and the external forwarding address\ + \ over the last 2 days, including:\n - Number of emails sent to and received\ + \ from the external address.\n - Number of users interacting with the external\ + \ address.\n- **Check if User is Risky**:\n - Assess the internal user's risk score\ + \ using:\n - **Core Risk Evaluation**: Identify high-risk users and extract reasons\ + \ behind elevated risk levels.\n - **Azure Risk Indicators**: Retrieve Azure\ + \ risk scores, detections, and recent security alerts for the internal user.\n-\ + \ **Check for Azure Alerts**:\n - Perform an advanced hunting query in Microsoft\ + \ 365 Defender to extract recent Azure alerts associated with the internal user.\n\ + \n**Containment**:\n- Provide a manual task for an analyst to review the findings\ + \ and determine the appropriate response.\n- Possible actions:\n - Disable the\ + \ user in Azure AD to prevent further unauthorized actions.\n - Disable mailbox\ + \ forwarding for the user in Exchange Online.\n - Disable both user and forwarding.\n\ + \ - Take no action.\n- If the user is disabled, revoke active sessions to ensure\ + \ immediate containment.\n\n**Requirements**:\nFor the best results, it's recommended\ + \ to ensure these integrations are configured and working:\n- `Cortex Core - Investigation\ + \ and Response` for Core user risk evaluation.\n- `Azure Risky Users` for 
retrieving\ + \ Azure-based user risk scores and detections.\n- `Microsoft 365 Defender` for advanced\ + \ hunting queries and extracting Azure alerts.\n- `Microsoft Graph User` for disabling\ + \ user accounts and revoking active sessions.\n- `Exchange Online EWS` for disabling\ + \ mailbox forwarding.\n- `Security And Compliance V2` for fetching email interaction\ + \ statistics." +fromversion: 8.9.0 +id: silent-Exchange User Mailbox Forwarding Test +inputs: [] +issilent: true +name: silent-Exchange User Mailbox Forwarding Test +outputs: [] +starttaskid: '0' +tags: +- TA0009 - Collection +- TA0010 - Exfiltration +- T1114 - Email Collection +- T1020 - Automated Exfiltration +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1ac1b290-5044-4124-8c24-2b9b64b96c75 + iscommand: false + name: '' + version: -1 + taskid: 1ac1b290-5044-4124-8c24-2b9b64b96c75 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -440\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: 7ce27bae-e219-4888-8d78-5afe5d9c48b8 + iscommand: false + name: Get timestamp for Azure detections + scriptName: GetTime + type: regular + version: -1 + taskid: 7ce27bae-e219-4888-8d78-5afe5d9c48b8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. + id: c0ff360a-1f8d-4af8-8635-9c29f2c06cf9 + iscommand: true + name: Collect user information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: c0ff360a-1f8d-4af8-8635-9c29f2c06cf9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -180\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: caller_ip + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 8aee3a72-4abc-41e8-8d9a-4c3b79b1b016 + iscommand: true + name: Get IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 8aee3a72-4abc-41e8-8d9a-4c3b79b1b016 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1050,\n \"y\": 260\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + email: + complex: + accessor: mailbox_forwarding_address + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Return email information and reputation. + id: 8b31ebe4-f831-4d96-8be9-68cc325b9bf1 + iscommand: true + name: Get Email reputation + script: '|||email' + type: regular + version: -1 + taskid: 8b31ebe4-f831-4d96-8be9-68cc325b9bf1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -630,\n \"y\": 260\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: mailbox_forwarding_address + root: Core.OriginalAlert.event + transformers: + - operator: uniq + - args: + delimiter: + value: + simple: '@' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns domain information and reputation. 
+ id: b5f28af3-c85f-4e9a-8432-98de0d324f2d + iscommand: true + name: Get Domain reputation + script: '|||domain' + type: regular + version: -1 + taskid: b5f28af3-c85f-4e9a-8432-98de0d324f2d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 260\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + - '13' + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5563326e-2e66-48cd-83e6-804156328fed + iscommand: false + name: Check IOCs Reputation + type: title + version: -1 + taskid: 5563326e-2e66-48cd-83e6-804156328fed + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -630,\n \"y\": 120\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousEmail + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: email + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 64be2b3d-af92-455f-818a-e2e4e75a9ee3 + iscommand: false + name: Check Email reputation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 64be2b3d-af92-455f-818a-e2e4e75a9ee3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -630,\n \"y\": 420\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousDomain + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 35e0f51d-e1c2-4737-8f2a-d0b578241e90 + iscommand: false + name: Check Domain reputation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 35e0f51d-e1c2-4737-8f2a-d0b578241e90 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 420\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 02cbe31c-9cfd-4cb0-833a-85358b09721c + iscommand: false + name: 'Triage ' + type: title + version: -1 + taskid: 02cbe31c-9cfd-4cb0-833a-85358b09721c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -310\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + - '21' + - '2' + - '35' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d0de6bf8-23c5-45ee-8c4f-5007e86cd02c + iscommand: false + name: Investigation + type: title + version: -1 + taskid: d0de6bf8-23c5-45ee-8c4f-5007e86cd02c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -20\n 
}\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: af350203-fe3e-4456-8cfe-13aa951ad866 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: af350203-fe3e-4456-8cfe-13aa951ad866 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 120\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIP + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: a4f41b44-31cb-4ffa-8b04-13c043ef3e6e + iscommand: false + name: Check IP reputation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: a4f41b44-31cb-4ffa-8b04-13c043ef3e6e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1050,\n \"y\": 420\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d359526d-881e-4905-8933-9c999bd8862e + iscommand: false + name: Get External Email Statistics + type: title + version: -1 + taskid: d359526d-881e-4905-8933-9c999bd8862e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 120\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + allow_not_found_exchange_locations: + simple: 'true' + exchange_location: + simple: All + force: + simple: 'false' + kql: + simple: (from:${Core.OriginalAlert.event.mailbox_forwarding_address} OR to:${Core.OriginalAlert.event.mailbox_forwarding_address}) + 
AND (Received>=${ComplianceTime} OR Sent>=${ComplianceTime}) + polling_interval: + simple: '1' + polling_timeout: + simple: '45' + preview: + simple: 'true' + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook performs the following steps: + + 1. Creates a compliance search. + + 2. Starts a compliance search. + + 3. Waits for the compliance search to complete. + + 4. Gets the results of the compliance search as an output. + + 5. Gets the preview results, if specified.' + id: 2a178317-b1f5-418d-8716-9a2f93d42a8d + iscommand: false + name: O365 - Security And Compliance - Search + playbookName: O365 - Security And Compliance - Search + type: playbook + version: -1 + taskid: 2a178317-b1f5-418d-8716-9a2f93d42a8d + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 420\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '2' + extend-context: + simple: ComplianceTime=. + ignore-outputs: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: d6c7a3ca-8885-4e9e-8377-03cfe327e1f1 + iscommand: false + name: Get timestamp for compliance search + scriptName: GetTime + type: regular + version: -1 + taskid: d6c7a3ca-8885-4e9e-8377-03cfe327e1f1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 260\n }\n}" + '25': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "#### Internal User:\n`${Core.OriginalAlert.event.identity_name}`\n\ + \n#### External User (forwarded address):\n`${Core.OriginalAlert.event.mailbox_forwarding_address}`\n\ + \n---\n\n### Malicious Indicators Found:\n- **Malicious IP**: `${.=val.MaliciousIP\ + \ || \"None\"}`\n- **Malicious Domain**: `${.=val.MaliciousDomain || \"\ + None\"}`\n- **Malicious Email**: `${.=val.MaliciousEmail || \"None\"}`\n\ + \n---\n\n### Internal User Risk Analysis:\n- **User is risky (Core)**:\ + \ `${.=val.UserRiskyCoreReason ? \"Yes, Reason: \" + val.UserRiskyCoreReason\ + \ : \"N/A\"}`\n- **User is risky (Azure)**: `${.=val.UserRiskyAzureDetections\ + \ ? \"Yes, Risk Types: \" + val.UserRiskyAzureDetections : \"N/A\"}`\n\ + \n---\n\n### User Azure Security Alerts:\n- **Alerts titles from last\ + \ day**: `${.=val.AzureSecurityAlerts || \"N/A\"}`\n\n---\n\n### Email\ + \ Interaction Statistics of last 2 days:\n- **Number of users interacted\ + \ with ${Core.OriginalAlert.event.mailbox_forwarding_address}**: `${.=val.O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation\ + \ ? Object.keys(val.O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation).length\ + \ : \"No results\"}`\n\n- **Number of emails received from ${Core.OriginalAlert.event.mailbox_forwarding_address}**:\ + \ `${.=val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results\ + \ ? 
val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.filter(r\ + \ => r.Sender.toLowerCase() === val.Core.OriginalAlert.event.mailbox_forwarding_address.toLowerCase()).length\ + \ : \"No results\"}`\n\n- **Number of emails sent to ${Core.OriginalAlert.event.mailbox_forwarding_address}**:\ + \ `${.=val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results\ + \ ? val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.filter(r\ + \ => r.ReceivedTime && r.Sender.toLowerCase() !== val.Core.OriginalAlert.event.mailbox_forwarding_address.toLowerCase()).length\ + \ : \"No results\"}`\n\n---\n\n### Action Required:\nPlease choose the\ + \ action you want to perform:\n\n- **No Action**\n- **Disable User**:\ + \ Disable the user which configured the forwarding action on Azure.\n\ + \ - **Disable Forwarding**: Disable the forwarding action performed by\ + \ the user.\n- **Disable Both**: Disable the user in Azure and also disable\ + \ the forwarding action.\n\n**Note**: Disabling the auto-forwarding feature\ + \ organization-wide can prevent potential data leakage and improve email\ + \ security." 
+ options: [] + optionsarg: + - simple: No Action + - simple: Disable User + - simple: Disable Forwarding + - simple: Disable Both + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: Your SOC team + title: Analyst Action + totalanswers: 0 + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + key: + simple: Message + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9a18dcd2-4dd3-4aa0-8697-02fa65b8089d + iscommand: false + name: Manual Task - User Action Decision + type: collection + version: -1 + taskid: 9a18dcd2-4dd3-4aa0-8697-02fa65b8089d + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1220\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9fceaec3-3ffe-45aa-8501-3eafac491d2c + iscommand: false + name: Containment + type: title + version: -1 + taskid: 9fceaec3-3ffe-45aa-8501-3eafac491d2c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1090\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable 
User + label: Disable User + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Forwarding + label: Disable Forwarding + - condition: + - - left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Both Users + label: Disable Both + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable Both: + - '39' + Disable Forwarding: + - '30' + Disable User: + - '31' + No Action: + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6947fa8d-dd5e-494a-8f94-03c19036be26 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 6947fa8d-dd5e-494a-8f94-03c19036be26 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1390\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0c2e3c83-aebd-47bf-84ce-2f3dd284005d + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 0c2e3c83-aebd-47bf-84ce-2f3dd284005d + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2090\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 555473c9-54f1-485f-87c7-77d049ff0ad1 + iscommand: true + name: Close Alert + script: 
Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 555473c9-54f1-485f-87c7-77d049ff0ad1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2230\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + id: 6ec94329-01df-47f3-8591-913966bc4fa4 + iscommand: true + name: Get core user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 6ec94329-01df-47f3-8591-913966bc4fa4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 260\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + identity: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disable mail forwarding for a given user. 
+ id: d8140792-902e-43dc-8735-ba8ea75032a8 + iscommand: true + name: Disable forwarding action + script: '|||ews-mail-forwarding-disable' + type: regular + version: -1 + taskid: d8140792-902e-43dc-8735-ba8ea75032a8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 750,\n \"y\": 1760\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: f1db6f8a-0f7f-44f4-8e03-97775d8bafe9 + iscommand: true + name: Disable user in Azure + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: f1db6f8a-0f7f-44f4-8e03-97775d8bafe9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 120,\n \"y\": 1760\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 37a8e3aa-8d05-49d5-8839-ea94acc26f3a + iscommand: false + name: Done + type: title + version: -1 + taskid: 37a8e3aa-8d05-49d5-8839-ea94acc26f3a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2400\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + user: + 
complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session- Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: a5a85fc9-5d43-4dcf-8b3a-3303a8ed321b + iscommand: true + name: Revoke user session + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: a5a85fc9-5d43-4dcf-8b3a-3303a8ed321b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 120,\n \"y\": 1920\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: 6f4cd3b5-60d1-4cb6-8582-4321319b7aa8 + iscommand: false + name: Check For Azure Alerts + type: title + version: -1 + taskid: 6f4cd3b5-60d1-4cb6-8582-4321319b7aa8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 120\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + note: false + quietmode: 0 + scriptarguments: + query: + simple: let _start = now(-1d); AlertEvidence | where Timestamp >= _start | + where AccountUpn == "${UserUPN}" + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Advanced hunting is a threat-hunting tool that uses specially + constructed queries to examine the past 30 days of event data in Microsoft + 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.' 
+ id: e302b09c-496a-4e41-8a76-3eb89b8c8266 + iscommand: true + name: Get Azure alerts + script: '|||microsoft-365-defender-advanced-hunting' + type: regular + version: -1 + taskid: e302b09c-496a-4e41-8a76-3eb89b8c8266 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 420\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: AzureSecurityAlerts + value: + complex: + accessor: Title + root: Microsoft365Defender.Hunt.results + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: 8f66eab4-f9a6-49c3-8202-1e26c1993cd9 + iscommand: false + name: Extract Azure user alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 8f66eab4-f9a6-49c3-8202-1e26c1993cd9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 580\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + 
isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserUPN + value: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: FirstArrayElement + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: a8d35ffd-1cb6-4037-83b4-9d2a9b823606 + iscommand: false + name: Get user UPN + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: a8d35ffd-1cb6-4037-83b4-9d2a9b823606 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 260\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b3384680-5740-433d-8dbf-b3a1103b4580 + iscommand: false + name: Disable User & Forwarding Settings + type: title + version: -1 + taskid: b3384680-5740-433d-8dbf-b3a1103b4580 + timertriggers: [] + 
type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1620\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + updated_after: + simple: 1 days + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: 81e20815-1f8f-4844-895e-68f66ea6db1f + iscommand: true + name: Get Azure user risk score + script: '|||azure-risky-users-list' + type: regular + version: -1 + taskid: 81e20815-1f8f-4844-895e-68f66ea6db1f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 260\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: HIGH + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + HIGH: + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: 9e18431c-9d6c-4d10-8bf9-a79e259b5472 + iscommand: false + name: Check user risk score + type: condition + version: -1 + taskid: 9e18431c-9d6c-4d10-8bf9-a79e259b5472 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 420\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + detected_date_time_after: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a comma-separated list of the Risk Detection objects and + their properties. 
+ id: 58e997bd-fa51-41b9-8e94-3473c3881e59 + iscommand: true + name: Get Azure risky user detections + script: '|||azure-risky-users-risk-detections-list' + type: regular + version: -1 + taskid: 58e997bd-fa51-41b9-8e94-3473c3881e59 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 745\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyCoreReason + value: + complex: + accessor: description + root: Core.RiskyUser.reasons + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: 9bca58e7-7159-4149-824f-169580c9eb81 + iscommand: false + name: Get risky user activity + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9bca58e7-7159-4149-824f-169580c9eb81 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 630\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: 
true + value: + complex: + accessor: userPrincipalName + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.userPrincipalName + operator: isEqualString + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_name + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.riskState + operator: isEqualString + right: + value: + simple: atRisk + - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskyUser + transformers: + - operator: uniq + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + 'yes': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 59da37a5-c608-4f67-84fe-087321520256 + iscommand: false + name: Check user risk score + type: condition + version: -1 + taskid: 59da37a5-c608-4f67-84fe-087321520256 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 420\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyAzureDetections + value: + complex: + accessor: riskEventType + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_name + - - ignorecase: true + left: + iscontext: true + value: + simple: 
AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: atRisk + - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskDetection + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 19e009b2-b4a9-4b69-8a41-18c78f22e4ac + iscommand: false + name: Extract Azure user detections + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 19e009b2-b4a9-4b69-8a41-18c78f22e4ac + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 910\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"27_28_No Action\": 0.74,\n \"27_30_Disable\ + \ Forwarding\": 0.86,\n \"27_31_Disable User\": 0.85,\n \"27_39_Disable Both\"\ + : 0.52,\n \"5_26_#default#\": 0.14,\n \"5_7_HIGH\": 0.6,\n \"8_26_#default#\"\ + : 0.19\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 2905,\n \ + \ \"width\": 2930,\n \"x\": 
-1050,\n \"y\": -440\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
new file mode 100644
index 00000000000..fb43ee75bc9
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
@@ -0,0 +1,1605 @@
+description: "This playbook addresses the following alerts:\n\n- External Exchange\
+ \ inbox forwarding rule configured.\n- Suspicious Exchange inbox forwarding rule\
+ \ configured.\n- Suspicious Exchange email-hiding inbox rule.\n- Possible BEC Exchange\
+ \ email-hiding inbox rule.\n- Exchange email-hiding transport rule based on message\
+ \ keywords.\n- Suspicious Exchange email-hiding transport rule.\n- Exchange transport\
+ \ forwarding rule configured.\n- Suspicious Exchange transport forwarding rule configured.\n\
+ \nPlaybook Stages:\n \nTriage: \n\n- The playbook retrieves the caller's IP, the\
+ \ forwarding email address, and the domain.\n\nEarly Containment:\n\n- The playbook\
+ \ checks if the IP or domain of the forwarding email address is malicious. If so,\
+ \ it suggests blocking the IP using PAN-OS while continuing the investigation in\
+ \ parallel.\n\nInvestigation:\n\n- The playbook checks for suspicious behaviors,\
+ \ including whether an Exchange admin created the rule outside of working hours,\
+ \ from unusual geolocation, or if the user who created the rule has a high-risk\
+ \ score. It then aggregates all evidence collected during the investigation.\n\n\
+ Containment:\n\n- Soft Response Actions: If at least two suspicious pieces of evidence\
+ \ are identified, the playbook will execute soft response actions. These actions\
+ \ include signing the user out and disabling the forwarding rule configured in the\
+ \ user's account mailbox.\n- Hard Response Actions: If more than two suspicious\
+ \ pieces of evidence are identified, the playbook escalates to hard response actions.\
+ \ These actions include disabling the user account upon analyst decision and removing\
+ \ the forwarding rule from the user's account mailbox.\n\nRequirements: \n\nFor\
+ \ any response action, you need the following integrations:\n- EWS Extension Online\
+ \ Powershell v3 integration.\n- Azure Active Directory Users."
+fromversion: 8.9.0
+id: silent-Exchange forwarding rule configured Test
+inputSections:
+- description: Generic group for inputs.
+ inputs: []
+ name: General (Inputs group)
+inputs: []
+issilent: true
+marketplaces:
+- marketplacev2
+name: silent-Exchange forwarding rule configured Test
+outputSections:
+- description: Generic group for outputs.
+ name: General (Outputs group)
+ outputs: []
+outputs: []
+starttaskid: '0'
+tags:
+- TA0009 - Collection
+- TA0010 - Exfiltration
+- T1114 - Email Collection
+- T1020 - Automated Exfiltration
+- TA0005 - Defense Evasion
+- T1564.008 - Hide Artifacts
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '1'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: d8b9f650-e109-4dd6-886d-da90aef71bff
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: d8b9f650-e109-4dd6-886d-da90aef71bff
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -310\n }\n}"
+ '1':
+ continueonerrortype: ''
+ id: '1'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '2'
+ - '28'
+ - '6'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ alert_ids:
+ simple: ${alert.id}
+ filter_alert_fields:
+ simple: 'false'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Returns information about each alert ID.
+ id: 3fa5a92e-3b86-4a05-8b86-53cd466bb1cb + iscommand: true + name: Get caller IP and forwarding mail address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 3fa5a92e-3b86-4a05-8b86-53cd466bb1cb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -180\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: IsAbnormalGeolocation= + left: + simple: ${Core.OriginalAlert.event.saas_caller_ip_geolocation_days_seen_count},${Core.OriginalAlert.event.service_caller_ip_asn_days_seen_count} + right: + simple: '0' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Returns all elements from the left side that have a substring + that is equal to an element from the right side. Note: This filter is case-insensitive.' 
+ id: cdba5566-f4de-4815-85ba-46d04083adf2 + iscommand: false + name: Analyze geolocation anomalies + scriptName: AnyMatch + type: regular + version: -1 + taskid: cdba5566-f4de-4815-85ba-46d04083adf2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 660\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Exchange forwarding rule configured" + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 2a5b29fd-1460-4830-819f-be57d5c524df + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 2a5b29fd-1460-4830-819f-be57d5c524df + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2170\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + identity: + simple: ${Core.OriginalAlert.raw_abioc.event.exchange_rule_name} + mailbox: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disable an existing inbox rule in a given mailbox. 
+ id: 08bbda77-f3ca-482f-83bb-6590a059f649 + iscommand: true + name: Disable the Exchange forwarding inbox rule + script: '|||ews-rule-disable' + type: regular + version: -1 + taskid: 08bbda77-f3ca-482f-83bb-6590a059f649 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2000\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 58ed5fd7-71b7-4865-8de2-a4b02de08967 + iscommand: false + name: Done + type: title + version: -1 + taskid: 58ed5fd7-71b7-4865-8de2-a4b02de08967 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2330\n }\n}" + '2': + continueonerror: true + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: caller_ip + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: be117be2-af06-4d9e-8b01-19cc4b115d02 + iscommand: true + name: 'Check caller IP reputation ' + script: '|||ip' + type: regular + version: -1 + taskid: be117be2-af06-4d9e-8b01-19cc4b115d02 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": -10\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + Username: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear + user sessions.' + id: 34930460-5127-496b-8e0c-3edcd48e29af + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 34930460-5127-496b-8e0c-3edcd48e29af + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1490\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: HIGH + rhsB: {} + then: + value: + simple: The user risk level is high. 
+ operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 88f80ddf-8d28-480d-8c67-9bb233890c41 + iscommand: false + name: Set risky user to aggregated evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 88f80ddf-8d28-480d-8c67-9bb233890c41 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 820\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: IsAbnormalGeolocation.[0] + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: 'True' + rhsB: {} + then: + value: + simple: The user connected from an unusual geolocation. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 44ae1921-e62d-4ace-8ad6-604f750b32e0 + iscommand: false + name: Set abnormal geolocation to aggregated evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 44ae1921-e62d-4ace-8ad6-604f750b32e0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 820\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: IsOutOfWorkingHours + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: 'true' + rhsB: {} + then: + value: + simple: User created forwarding rule outside of business hours. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 347eeeb4-facc-4e53-8832-013274dac80f + iscommand: false + name: Set abnormal working hours to aggregated evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 347eeeb4-facc-4e53-8832-013274dac80f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 820\n }\n}" + '25': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '2' + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + label: 'Yes' + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'Yes': + - '20' + - '43' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 627d5819-cb1e-4b21-8e88-8b6d82ae21ac + iscommand: false + name: Checking soft remediation conditions + type: condition + version: -1 + taskid: 627d5819-cb1e-4b21-8e88-8b6d82ae21ac + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1270\n }\n}" + '28': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.forwarding_domain_with_tld + 
operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b09a9327-e34b-4f81-8782-e54ae932ca27 + iscommand: false + name: Check if a forwarding address domain exists + type: condition + version: -1 + taskid: b09a9327-e34b-4f81-8782-e54ae932ca27 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": -10\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + - '37' + - '36' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 73936401-a8d4-4374-8d30-4c9bc55f590e + iscommand: false + name: Evaluate investigation results + type: title + version: -1 + taskid: 73936401-a8d4-4374-8d30-4c9bc55f590e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 990\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: forwarding_domain_with_tld + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of a domain. 
+ id: b504ebe2-56d0-400e-8222-a7d57b546615 + iscommand: true + name: Check forwarding email Domain reputation + script: '|||domain' + type: regular + version: -1 + taskid: b504ebe2-56d0-400e-8222-a7d57b546615 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 180\n }\n}" + '30': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.severity + operator: isEqualString + right: + value: + simple: SEV_030_MEDIUM + - - left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '2' + label: 'yes' + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7a967a10-abda-42b5-8535-2b3502c52c05 + iscommand: false + name: Checking medium severity conditions + type: condition + version: -1 + taskid: 7a967a10-abda-42b5-8535-2b3502c52c05 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 1270\n }\n}" + '32': + continueonerrortype: '' + form: + description: The investigation revealed several suspicious indicators suggesting + the user who created the forwarding rule may be compromised. The associated + forwarding email and filters have been automatically removed. Please decide + whether to take any additional recommended actions. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "The following evidence was found: \n\n${Evidences}\n\nWould you\ + \ like to disable the account ${Core.OriginalAlert.raw_abioc.event.identity_name}?" 
+ options: [] + optionsarg: + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Select user account containment steps + totalanswers: 0 + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6cc4ec9a-a36d-48e5-852b-a5c1bc1b782f + iscommand: false + name: Decide whether to disable the user account + type: collection + version: -1 + taskid: 6cc4ec9a-a36d-48e5-852b-a5c1bc1b782f + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1470\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: 008f1f26-4377-498c-8921-ddb3736ef0fa + iscommand: true + name: Disable user account via MS-Graph + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 008f1f26-4377-498c-8921-ddb3736ef0fa + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1830\n }\n}" + '34': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select user account containment steps.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: 'yes' + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 65ab206a-9e3f-4b64-8efe-0ec2ba0d3e54 + iscommand: false + name: Check analyst decision + type: condition + version: -1 + taskid: 65ab206a-9e3f-4b64-8efe-0ec2ba0d3e54 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1660\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ed34eb8f-329b-49f1-8f12-d0e979055d77 + iscommand: false + name: Early Containment Complete + type: title + version: -1 + taskid: ed34eb8f-329b-49f1-8f12-d0e979055d77 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -450,\n \"y\": 2015\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ec931801-d2f1-4042-84b4-0a7adf76ed05 + iscommand: 
false + name: Hard Remediation + type: title + version: -1 + taskid: ec931801-d2f1-4042-84b4-0a7adf76ed05 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 1130\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f6057cef-9260-4970-8b1d-88edb25b4059 + iscommand: false + name: Soft Remediation + type: title + version: -1 + taskid: f6057cef-9260-4970-8b1d-88edb25b4059 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1130\n }\n}" + '4': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0b23837d-9e34-4468-8c26-2d54a9705b83 + iscommand: false + name: Evaluate domain and IP address risk level + type: condition + version: -1 + taskid: 0b23837d-9e34-4468-8c26-2d54a9705b83 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": 350\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + 
isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: Core.OriginalAlert.event.service_sub_type + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: ExchangeAdmin + rhsB: {} + then: + value: + simple: The user has admin privileges. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 0ad3c032-8b63-40e8-8c30-edab2a540918 + iscommand: false + name: Verify if user is an Exchange admin + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0ad3c032-8b63-40e8-8c30-edab2a540918 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1230,\n \"y\": 660\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain 
+ - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d4c540d3-adaf-4f1b-869f-32ddd550508f + iscommand: false + name: Checking hard remediation conditions + type: condition + version: -1 + taskid: d4c540d3-adaf-4f1b-869f-32ddd550508f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 1275\n }\n}" + '43': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: EWS Extension Online Powershell v3 + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 70e37f74-2f2f-41bf-88fc-463eaba78af7 + iscommand: false + name: Check EWS Extension Online Powershell availability + type: condition + version: -1 + taskid: 70e37f74-2f2f-41bf-88fc-463eaba78af7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1490\n }\n}" + '44': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + 
simple: External Exchange inbox forwarding rule configured + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange inbox forwarding rule configured + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Possible BEC Exchange email-hiding inbox rule + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange email-hiding inbox rule + label: Inbox Rule + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Exchange email-hiding transport rule based on message keywords + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange email-hiding transport rule + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Exchange transport forwarding rule configured + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange transport forwarding rule configured + label: Transport Rule + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Inbox Rule: + - '46' + Transport Rule: + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f89e9955-3dd9-4670-8a5e-08f041d3414b + iscommand: false + name: Check Alert type + type: condition + version: -1 + taskid: f89e9955-3dd9-4670-8a5e-08f041d3414b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1660\n }\n}" + '45': + continueonerrortype: '' + id: 
'45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + identity: + simple: ${Core.OriginalAlert.event.exchange_transport_rule_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disable a mail flow rule (transport rule) in the organization. + id: cce63e53-a02d-4d25-89ec-3684f0de635e + iscommand: true + name: Disable the Exchange forwarding transport rule + script: '|||ews-mail-flow-rule-disable' + type: regular + version: -1 + taskid: cce63e53-a02d-4d25-89ec-3684f0de635e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 2000\n }\n}" + '46': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: ${Core.OriginalAlert.raw_abioc.event.exchange_rule_name} + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 040c3bcd-4166-4768-847f-e4d09303d1f5 + iscommand: false + name: Check if inbox rule name is not empty + type: condition + version: -1 + taskid: 040c3bcd-4166-4768-847f-e4d09303d1f5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 1830\n }\n}" + '47': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.exchange_transport_rule_name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '45' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 
a5bf70e3-c221-4511-8166-f205c7ee13b6 + iscommand: false + name: Check if transport rule name is not empty + type: condition + version: -1 + taskid: a5bf70e3-c221-4511-8166-f205c7ee13b6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 1830\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4592715d-e397-4035-8f6a-aa8adebe4d8b + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 4592715d-e397-4035-8f6a-aa8adebe4d8b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -450,\n \"y\": 520\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + - '9' + - '8' + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3147a19e-41fd-493f-823d-87582c61e37b + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 3147a19e-41fd-493f-823d-87582c61e37b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 520\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + simple: ${Core.OriginalAlert.event.caller_ip} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. 
The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' + id: aa988d9d-9321-4428-8426-cdd5d7c15e5d + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: aa988d9d-9321-4428-8426-cdd5d7c15e5d + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": -450,\n \"y\": 660\n }\n}" + '8': + continueonerror: true + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_normalized.identity} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 150bae48-03a8-495a-87b5-11b63bd85444 + iscommand: true + name: Get user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 150bae48-03a8-495a-87b5-11b63bd85444 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 660\n }\n}" + '9': + continueonerror: true + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + begin_time: + simple: '22:00:00' + end_time: + simple: 06:00:00 + extend-context: + simple: IsOutOfWorkingHours= + value: + complex: + accessor: event_timestamp + root: Core.OriginalAlert.event + transformers: + - operator: TimeStampToDate + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the given value is within the specified time (hour) + range. + id: 146faa60-9405-4cf2-8f7c-7ce02160a0c4 + iscommand: false + name: Check if rule creation occurred outside business hours + scriptName: BetweenHours + type: regular + version: -1 + taskid: 146faa60-9405-4cf2-8f7c-7ce02160a0c4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 660\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"25_14_#default#\": 0.17,\n \"25_20_Yes\"\ + : 0.52,\n \"25_43_Yes\": 0.51,\n \"28_3_yes\": 0.43,\n \"28_6_#default#\"\ + : 0.25,\n \"30_14_#default#\": 0.1,\n \"30_32_yes\": 0.43,\n \"34_14_#default#\"\ + : 0.32,\n \"34_33_yes\": 0.55,\n \"41_14_#default#\": 0.16,\n \"41_32_yes\"\ + : 0.4,\n \"43_14_#default#\": 0.24,\n \"43_44_yes\": 0.47,\n \"44_46_Inbox\ + \ Rule\": 0.45,\n \"44_47_Transport Rule\": 0.53,\n \"46_14_#default#\": 0.45,\n\ + \ \"47_14_#default#\": 0.22,\n \"4_5_yes\": 0.38,\n \"4_6_#default#\":\ + \ 0.19\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 2705,\n \ + \ \"width\": 2110,\n \"x\": -450,\n \"y\": -310\n }\n 
}\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml
new file mode 100644
index 00000000000..5f46c68f30e
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml
@@ -0,0 +1,1176 @@
+description: "This playbook addresses the following alerts:\n \n- Msiexec execution\
+ \ of an executable from an uncommon remote location with a specific port\n- Msiexec\
+ \ execution of an executable from an uncommon remote location without properties\n\
+ \ \nPlaybook Stages:\n \nAnalysis: \n \n- Check extracted URL reputation:\n -\
+ \ Determine if the MSI package was installed from a malicious source\n - If the\
+ \ URL is found to be malicious, the playbook will proceed directly to remediation\
+ \ steps\n \nInvestigation:\n\n- Check extracted domain's prevalence and causality\
+ \ process signature status:\n - Evaluate the prevalence of the domain from which\
+ \ the MSI package was downloaded\n - Verify if the causality process (CGO) is signed\
+ \ or unsigned\n - If the domain is found malicious and the causality process is\
+ \ unsigned, the playbook will proceed directly to remediation steps\n\n- Check for\
+ \ the following related alerts: \n - Local Analysis Malware\n - Mitre Techniques:\n\
+ \ - T1140 - Deobfuscate/Decode Files or Information\n - T1059 - Command and\
+ \ Scripting Interpreter \n\n- Analyze CGO command line for defense evasion techniques:\n\
+ \ - Evaluate the command line for suspicious patterns which indicates attempts\
+ \ to bypass security controls\n\n- If the command line contains suspicious patterns\
+ \ or related alerts are found, the playbook will proceed directly to remediation\
+ \ steps\n\nContainment:\n \n- Terminate causality process\n- Block maliciou URL\
+ \ (Manual approval)\n - Implement URL blocking using PAN-OS through Custom URL\
+ \ Categories\n- Isolate endpoint (Manual approval)\n \nRequirements: \n \nFor any\
+ \ response action, you need the following integration:\n \n- PAN-OS."
+fromversion: 8.9.0 +id: silent-Msiexec execution of an executable from an uncommon remote location Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Msiexec execution of an executable from an uncommon remote location Test +outputs: [] +starttaskid: '0' +tags: +- TA0005 - Defense Evasion +- T1218 - System Binary Proxy Execution +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4ac8c300-a0ba-4b0f-8816-e8f4a9e451df + iscommand: false + name: '' + version: -1 + taskid: 4ac8c300-a0ba-4b0f-8816-e8f4a9e451df + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": -1110\n }\n}" + '1': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + label: Malicious + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '43' + Malicious: + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check reputation of the remote URL from which the MSI was downloaded + and installed. 
+ id: 95e1f313-a103-47b7-8d45-7c458de2dc48 + iscommand: false + name: Check extracted remote URL's reputation + type: condition + version: -1 + taskid: 95e1f313-a103-47b7-8d45-7c458de2dc48 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 750,\n \"y\": -280\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + domain_name: + simple: ${Domain.Name} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a domain, identified by domain_name. + id: fd751959-f8ae-4ef0-8735-aaca8b0ee92b + iscommand: true + name: Check domain prevalence + script: '|||core-get-domain-analytics-prevalence' + type: regular + version: -1 + taskid: fd751959-f8ae-4ef0-8735-aaca8b0ee92b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 100\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c6614547-d98f-4f0c-84ec-7466f1b8ac41 + iscommand: false + name: Done + type: title + version: -1 + taskid: c6614547-d98f-4f0c-84ec-7466f1b8ac41 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1300,\n \"y\": 2550\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '((mitreattcktechnique:*T1059* or mitreattcktechnique:*1140* + or name:*Local Analysis 
Malware*) and caseid:' + suffix: + value: + simple: ) + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for Cortex XSIAM suspicious alerts related + to the current alert by Mitre Technique, indicating that the alert is part + of an attack pattern. + + + Focus on identifying alerts associated with the following MITRE techniques: + + - Any Agent Alerts within this alert. + + - T1059 - Command and Scripting Interpreter.' + id: 62f69c52-5b95-41c1-83e5-a7b0822cc82d + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 62f69c52-5b95-41c1-83e5-a7b0822cc82d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 660\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious attempt to install .msi package from remote URL + closeReason: + simple: Resolved - Handled by the playbook "Suspicious msiexec execution" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: ee22533d-2819-4162-88a0-15379051d139 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: ee22533d-2819-4162-88a0-15379051d139 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 2380\n }\n}" + '21': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + root: Core.AnalyticsPrevalence.Domain + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: 'False' + - left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Ip.value + operator: isEqualString + right: + value: + simple: 'False' + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: Malicious + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Malicious: + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This condition checks if the domain prevalence is not False (i.e., + the domain is prevalent) and if the causality process is signed. If both conditions + are met, the task is considered malicious. 
+ id: b4037b3b-bc13-46d6-8bbf-3883cac5b0e5 + iscommand: false + name: Check if domain is not prevalent AND CGO process is unsigned + type: condition + version: -1 + taskid: b4037b3b-bc13-46d6-8bbf-3883cac5b0e5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 430\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4366472d-cc91-4059-894c-59066b6611a1 + iscommand: false + name: Inconclusive + type: title + version: -1 + taskid: 4366472d-cc91-4059-894c-59066b6611a1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1300,\n \"y\": 1390\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + url: + simple: ${URL.Data} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns a verdict for a hash. 
+ id: f999a637-3507-4144-8eb8-3f0d871d4fb1 + iscommand: true + name: Get Wildfire Verdict for URL + script: '|||wildfire-get-verdict' + type: regular + version: -1 + taskid: f999a637-3507-4144-8eb8-3f0d871d4fb1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 750,\n \"y\": -440\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 036d604c-7aac-4e5a-8d47-399ea4ca6934 + iscommand: false + name: Analyze CGO Commandline + type: title + version: -1 + taskid: 036d604c-7aac-4e5a-8d47-399ea4ca6934 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 840\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 08dd5d27-1e08-4e7e-8661-8b8801ab0883 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 08dd5d27-1e08-4e7e-8661-8b8801ab0883 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 270\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: 0f6a3195-3710-4629-86cd-b810f988f805 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 0f6a3195-3710-4629-86cd-b810f988f805 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2210\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + command_line: + complex: + accessor: cgocmd + root: alert + transformers: + - args: + delimiter: + value: + simple: ' + + ' + operator: splitAndTrim + - args: + empty_values: {} + remove_keys: + value: + simple: 'true' + operator: RemoveEmpty + - args: + separator: {} + operator: join + custom_patterns: + simple: ((cmd|type)= 30, indicating high confidence\ + \ probability for malicious behavior.\n\n* Score >= 10 with a prevention rule\ + \ detected in the same incident, correlating to malicious activity.\n\n**Action\ + \ Required:**\n\n* Isolate the remote host: ${Endpoint.Hostname}" + id: c2b18800-ab04-4323-8962-209698d7d91e + iscommand: false + name: "Approval Required \u2013 Malicious Activity Detected" + type: condition + version: -1 + taskid: c2b18800-ab04-4323-8962-209698d7d91e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2560\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${Endpoint.ID} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: 7df12c62-a960-428c-8e0f-dccf404b63e0 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 7df12c62-a960-428c-8e0f-dccf404b63e0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2755\n }\n}" + '19': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: CommandLineAnalysis.findings + operator: AnyMatch + right: + value: + simple: mixed case powershell, reversed command, powershell suspicious + patterns, credential dumping, double encoding, amsi techniques, malicious + commands + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: IP + root: DBotScore + operator: greaterThanOrEqual + right: + value: + simple: '3' + - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '30' + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_UNISOLATED + label: 'Yes' + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'Yes': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: If the condition "Check for high-confidence evidence or malicious + IP address" was matched and the remote endpoint ID is available, an endpoint + isolation is suggested. + id: f4474c65-78f5-4acd-8954-1ed6559bc89e + iscommand: false + name: Should proceed to isolate the remote endpoint? 
+ type: condition + version: -1 + taskid: f4474c65-78f5-4acd-8954-1ed6559bc89e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2200\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + ip_list: + simple: ${Core.OriginalAlert.event.actor_remote_ip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of the endpoint from the + start of the result set (start by counting from 0). + id: b93c8d2f-f8f3-41a0-8d5e-3505f27a0ce5 + iscommand: true + name: Search for the attacker's agent ID + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: b93c8d2f-f8f3-41a0-8d5e-3505f27a0ce5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2040\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '1' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 0c30d0e2-4703-413a-8bc0-2e5c223d443d + iscommand: true + name: Get the attacker's remote host IP address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 0c30d0e2-4703-413a-8bc0-2e5c223d443d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 90\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + iscommand: false + name: Enrichment + type: title + version: -1 + taskid: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -40\n }\n}" + '23': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + label: WORKSTATION + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '24' + WORKSTATION: + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the endpoint is a workstation or a server. 
+ id: c5470fce-c24b-4768-844b-ce10abd9c6ba + iscommand: false + name: Check if the endpoint is workstation or a server + type: condition + version: -1 + taskid: c5470fce-c24b-4768-844b-ce10abd9c6ba + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2380\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook didn't isolate the following host: ${Endpoint.Hostname} \n\n\ + This is due to one of the following reasons:\n- The device disconnected.\n\ + - The device has been identified as a server.\n\nPlease take manual action\ + \ to contain the attack and prevent the attacker from executing lateral movement\ + \ before closing this alert." + id: dc9a785d-392b-4233-89ad-b308d3412477 + iscommand: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: dc9a785d-392b-4233-89ad-b308d3412477 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 2560\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + command_line: + simple: ${Core.OriginalAlert.event.action_process_image_command_line} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This script evaluates command-line threats by analyzing both original + and decoded inputs. It assigns weighted scores to detected patterns, such + as AMSI bypass or credential dumping, and applies risk combination bonuses + for multiple detections. 
The total score is normalized to a 0-100 scale, with + risk levels categorized as follows: + + + * 0-25: Low Risk + + * 26-50: Medium Risk + + * 51-90: High Risk + + * 91-100: Critical Risk + + + The scoring mechanism provides a comprehensive risk assessment, considering + both the severity and frequency of malicious behaviors.' + id: b6c5e8f1-54fa-4924-8ad4-a65fdfb76818 + iscommand: false + name: Analyze command line + scriptName: CommandLineAnalysis + type: regular + version: -1 + taskid: b6c5e8f1-54fa-4924-8ad4-a65fdfb76818 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 575\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 440\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: CommandLineAnalysis.findings + operator: AnyMatch + right: + value: + simple: mixed case powershell, reversed command, powershell suspicious + patterns, credential dumping, double encoding, amsi techniques, malicious + commands + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: IP + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '30' + label: Malicious + continueonerrortype: '' + id: '5' + ignoreworker: false 
+ isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task evaluates the command line analysis results and checks + if the profile matches one or more high-risk categories or if the overall + score indicates a critical risk. + + + **Conditions:** + + + - A profile matches one or more of the following categories: **mixed case + PowerShell, reversed command, PowerShell suspicious patterns, credential dumping, + double encoding, AMSI techniques, or malicious commands.** + + - OR the score is **greater than or equal to 30**. + + - OR an **IP address** involved in the incident is flagged as **malicious**. + + + If any condition is met, mark the result as **Malicious**.' + id: d0a04858-443a-4a4c-8ac2-5ddb45a55041 + iscommand: false + name: Check for high-confidence evidence or malicious IP address + type: condition + version: -1 + taskid: d0a04858-443a-4a4c-8ac2-5ddb45a55041 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 740\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex XSIAM alerts. A summarized version of this scrips + is available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + + For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: d8651cb0-32f4-4f7f-8c14-f9404dcf2c52 + iscommand: false + name: Retrieve all incident alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: d8651cb0-32f4-4f7f-8c14-f9404dcf2c52 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 260\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '10' + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: containsGeneral + right: + value: + simple: BLOCKED + label: Malicious + - condition: + - - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: lessThan + right: + value: + simple: '10' + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: containsGeneral + right: + value: + simple: BLOCKED + label: Medium Confidence + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + Malicious: + - '11' + Medium Confidence: + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task identifies the risk level by considering the score and + 
whether a prevention rule is present in the same incident. + + + **Conditions:** + + + - If Score is **greater than or equal to 10** AND a **prevention rule exists** + in the same incident, classify the result as **Malicious**. + + - Else, if Score is **less than 10** AND a **prevention rule exists** in the + same incident, classify the result as **Suspicious**. + + + High-risk behavior with prevention rule: **Malicious**. + + Low-risk behavior with prevention rule: **Suspicious**. + + ' + id: d5387b4c-0757-45ad-8915-0b127bbc64c0 + iscommand: false + name: Check for medium-confidence threshold with a prevention alert + type: condition + version: -1 + taskid: d5387b4c-0757-45ad-8915-0b127bbc64c0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 920\n }\n}" + '9': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: InRange + right: + value: + simple: 10,29 + label: 'yes' + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + 'yes': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task identifies medium-risk cases based on the score received\ + \ from the command line analysis script.\n\n**Conditions:**\n\nIf the score\ + \ is in the range of **10\u201329**, mark the result as **Suspicious**." 
+ id: f75ed630-b4ed-418a-8f72-f92b03afc587 + iscommand: false + name: Check for medium-confidence and request remediation approval + type: condition + version: -1 + taskid: f75ed630-b4ed-418a-8f72-f92b03afc587 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 1100\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_Approved\": 0.38,\n \"10_16_#default#\"\ + : 0.1,\n \"12_13_#error#\": 0.51,\n \"17_14_#default#\": 0.43,\n \"17_18_Isolate\"\ + : 0.4,\n \"19_14_#default#\": 0.21,\n \"19_23_Yes\": 0.37,\n \"23_17_WORKSTATION\"\ + : 0.46,\n \"23_24_#default#\": 0.62,\n \"5_11_Malicious\": 0.46,\n \"5_8_#default#\"\ + : 0.42,\n \"8_11_Malicious\": 0.22,\n \"8_9_#default#\": 0.58,\n \"9_10_yes\"\ + : 0.32,\n \"9_16_#default#\": 0.16\n },\n \"paper\": {\n \"dimensions\"\ + : {\n \"height\": 3335,\n \"width\": 1340,\n \"x\": 180,\n \"\ + y\": -170\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml new file mode 100644 index 00000000000..35988b749da --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml 
@@ -0,0 +1,1140 @@ +description: "**This playbook addresses the following alerts**:\n- SSO authentication\ + \ attempt with suspicious characteristics.\n- Successful SSO authentication with\ + \ suspicious characteristics.\n\n**Playbook Stages**:\n\n**Triage**:\n- Collect\ + \ initial information about the user and the SSO authentication event.\n- Validate\ + \ whether the authentication proxy is linked to iCloud Relay.\n\n**Investigation**:\n\ + - **Check IOCs Reputation**:\n - Analyze the reputation of IP addresses associated\ + \ with the alert.\n- **Search Related Alerts**:\n - Look for alerts related to\ + \ the same user within the system to identify suspicious activity trends.\n- **Check\ + \ If User Is Risky**:\n - Retrieve the user's risk score and evaluate high-risk\ + \ indicators for suspicious activities.\n- **Check User Agent**:\n - Identify suspicious\ + \ user agents used during the authentication attempts.\n- **Check Okta Logs**:\n\ + \ - Retrieve Okta authentication logs for failed login attempts and suspicious\ + \ authentication activities within the last day.\n\n**Containment**:\n- **Automatic\ + \ Actions**:\n - Clear user sessions if any suspicious evidence is found during\ + \ the investigation.\n- **Analyst Review**:\n - Provide an analyst with findings\ + \ for review and determine the appropriate action:\n - No action required.\n\ + \ - Suspend the user in Okta.\n - If the analyst chooses to suspend the user,\ + \ their active sessions are cleared in Okta.\n\n**Requirements**:\nFor the best\ + \ results, it's recommended to ensure these integrations are configured and working:\n\ + - **Core** integration for user risk evaluation and suspicious activity checks.\n\ + - **Okta v2** integration for analyzing authentication logs, clearing sessions,\ + \ and user suspension.\n- Any IP reputation integration that supports the `!ip`\ + \ command for checking IP address reputation." 
+fromversion: 8.9.0 +id: silent-SSO Authentication With Suspicious Characteristics Test +inputs: [] +issilent: true +name: silent-SSO Authentication With Suspicious Characteristics Test +outputs: [] +starttaskid: '0' +tags: +- TA0001 - Initial Access +- T1078 - Valid Accounts +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8bd29f9d-77ae-4ae9-86f7-77b429390af6 + iscommand: false + name: '' + version: -1 + taskid: 8bd29f9d-77ae-4ae9-86f7-77b429390af6 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 20\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 3ace4f94-cff7-49ea-8267-0eff392840ab + iscommand: true + name: Collect authentication information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 3ace4f94-cff7-49ea-8267-0eff392840ab + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 300\n }\n}" + '12': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: tunnels + root: Core.OriginalAlert.raw_abioc.event.sso_debug_data + transformers: + - operator: uniq + operator: containsGeneral + right: + value: + simple: ICLOUD_RELAY_PROXY + label: yes - close alert + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + yes - close alert: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 538168f1-8287-431d-83bd-86eb4ed96eec + iscommand: false + name: Check if auth proxy is iCloud + type: condition + version: -1 + taskid: 538168f1-8287-431d-83bd-86eb4ed96eec + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 470\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: b77a453e-6a23-4585-8044-fc2f8918c4c9 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b77a453e-6a23-4585-8044-fc2f8918c4c9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2525\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: 
false + skipunavailable: false + task: + brand: '' + description: '' + id: ed5c95fb-afe7-4912-8a11-b467acfaddba + iscommand: false + name: Done + type: title + version: -1 + taskid: ed5c95fb-afe7-4912-8a11-b467acfaddba + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2690\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b0feadde-e88c-4393-8c46-569ebc9141ac + iscommand: false + name: Containment + type: title + version: -1 + taskid: b0feadde-e88c-4393-8c46-569ebc9141ac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1465\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + Username: + simple: ${Core.OriginalAlert.event.auth_normalized_user.upn} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear + user sessions.' 
+ id: 615f55bb-76d6-481a-86cd-06196dbf65aa + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 615f55bb-76d6-481a-86cd-06196dbf65aa + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1610\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9e0cca91-c3e9-429c-8036-b7b89c3b5202 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: 9e0cca91-c3e9-429c-8036-b7b89c3b5202 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 810\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c0ea2a44-413f-44ef-85b7-a2664bf9148f + iscommand: false + name: 'Triage ' + type: title + version: -1 + taskid: c0ea2a44-413f-44ef-85b7-a2664bf9148f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 170\n }\n}" + '20': + continueonerror: true + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 4476bd38-fefa-4180-8f32-afc58b6cd7b9 + iscommand: true + name: Get core user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 4476bd38-fefa-4180-8f32-afc58b6cd7b9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 940\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyCoreReason + value: + complex: + accessor: reasons.description + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyUser + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: f8a044d0-204a-4078-8b6a-7af93fda9194 + iscommand: false + name: Get risky user activity + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: f8a044d0-204a-4078-8b6a-7af93fda9194 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1100\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 10882af2-70d1-4918-8486-8add87c9ba58 + iscommand: false + name: Search Related Alerts + type: title + version: -1 + taskid: 10882af2-70d1-4918-8486-8add87c9ba58 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 810\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: action_local_ip + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 10fbb0a2-eed8-485a-8809-8bbee09975b7 + iscommand: true + name: Get IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 10fbb0a2-eed8-485a-8809-8bbee09975b7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -360,\n \"y\": 940\n }\n}" + '30': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Suspend User + label: Suspend User + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + No Action: + - '14' + Suspend User: + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c94c6f69-9012-4ed2-8893-4b7cced387d0 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: c94c6f69-9012-4ed2-8893-4b7cced387d0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1950\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${Core.OriginalAlert.event.auth_normalized_user.upn} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Suspends a single user. This operation can only be performed on + users with an ACTIVE status. After the porcess is completed, the user's status + is SUSPENDED. 
+ id: ebb75b74-3580-4d8f-82af-238299139250
+ iscommand: true
+ name: Suspend user in Okta
+ script: '|||okta-suspend-user'
+ type: regular
+ version: -1
+ taskid: ebb75b74-3580-4d8f-82af-238299139250
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2170\n }\n}"
+ '35':
+ continueonerrortype: ''
+ id: '35'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '40'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: c19cb304-bab7-42d2-8249-03ffb9bccb45
+ iscommand: false
+ name: Check Okta Logs
+ type: title
+ version: -1
+ taskid: c19cb304-bab7-42d2-8249-03ffb9bccb45
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 1320,\n \"y\": 810\n }\n}"
+ '36':
+ continueonerrortype: ''
+ id: '36'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '45'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 1c995d99-d73a-4635-840c-0cae9c8941b6
+ iscommand: false
+ name: Check User Agent
+ type: title
+ version: -1
+ taskid: 1c995d99-d73a-4635-840c-0cae9c8941b6
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 900,\n \"y\": 810\n }\n}"
+ '39':
+ continueonerrortype: ''
+ id: '39'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '43'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ extend-context:
+ simple: OktaLogs=.
+ filter:
+ simple: (outcome.result eq "SUCCESS" AND (eventType eq "app.oauth2.client_id_rate_limit_warning"
+ OR eventType eq "user.mfa.attempt_bypass")) OR (outcome.result eq "FAILURE"
+ AND ( eventType eq "user.authentication.auth_via_mfa" OR eventType eq "user.authentication.auth_via_IDP"
+ OR eventType eq "user.account.lock" OR eventType eq "user.authentication.auth_via_social"
+ OR eventType eq "user.account.unlock" OR eventType eq "user.account.use_token"
+ OR eventType eq "app.oauth2.token.grant" OR eventType eq "app.oauth2.as.evaluate.claim"
+ OR eventType eq "app.oauth2.as.token.revoke")) AND actor.alternateId eq
+ "${Core.OriginalAlert.event.auth_normalized_user.upn}"
+ ignore-outputs:
+ simple: 'true'
+ since:
+ simple: ${TimeNow}
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Gets logs by providing optional filters.
+ id: 452c9c63-44ef-4552-8ea7-55538f5a67a8
+ iscommand: true
+ name: Search for suspicious authentication activity
+ script: '|||okta-get-logs'
+ type: regular
+ version: -1
+ taskid: 452c9c63-44ef-4552-8ea7-55538f5a67a8
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 1110\n }\n}"
+ '40':
+ continueonerrortype: ''
+ id: '40'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '39'
+ - '42'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ dateFormat:
+ simple: ISO
+ daysAgo:
+ simple: '1'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Retrieves the current date and time.
+
+ '
+ id: 6ef61263-52ea-4fd5-8979-c9a56a6f75af
+ iscommand: false
+ name: Get timestamp for Okta logs
+ scriptName: GetTime
+ type: regular
+ version: -1
+ taskid: 6ef61263-52ea-4fd5-8979-c9a56a6f75af
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1320,\n \"y\": 940\n }\n}"
+ '42':
+ continueonerrortype: ''
+ id: '42'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '43'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ extend-context:
+ simple: FailedLogins=.
+ ignore-outputs:
+ simple: 'true'
+ since:
+ simple: ${TimeNow}
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Returns failed login events.
+ id: 8d12f625-ee04-4af9-8495-3bfb4a0c9997
+ iscommand: true
+ name: Get Okta failed logins in last day
+ script: '|||okta-get-failed-logins'
+ type: regular
+ version: -1
+ taskid: 8d12f625-ee04-4af9-8495-3bfb4a0c9997
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1120,\n \"y\": 1110\n }\n}"
+ '43':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: OktaLogs
+ operator: isNotEqualString
+ right:
+ value:
+ simple: No logs found
+ - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: FailedLogins.actor.alternateId
+ operator: isEqualString
+ right:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.event.auth_normalized_user.upn
+ root: FailedLogins
+ transformers:
+ - operator: count
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '5'
+ - left:
+ iscontext: true
+ value:
+ simple: foundIncidents.id
+ operator: isNotEmpty
+ - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: greaterThanOrEqual
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ operator: isNotEmpty
+ - left:
+ iscontext: true
+ value:
+ simple: UserAgent
+ operator: isNotEmpty
+ - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ accessor: tunnels
+ root: Core.OriginalAlert.raw_abioc.event.sso_debug_data
+ transformers:
+ - operator: uniq
+ operator: containsGeneral
+ right:
+ value:
+ simple: '"TOR_PROXY"'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '43'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '14'
+ 'yes':
+ - '17'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 10ecbe66-7ca4-4080-89bb-d5af2ae0c4d0
+ iscommand: false
+ name: Check for suspicious evidence
+ type: condition
+ version: -1
+ taskid: 10ecbe66-7ca4-4080-89bb-d5af2ae0c4d0
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1280\n }\n}"
+ '45':
+ continueonerrortype: ''
+ id: '45'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '43'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ key:
+ simple: UserAgent
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: Core.OriginalAlert.event.normalized_user_agent
+ operator: match
+ right:
+ value:
+ simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|python-requests|node-fetch|PostmanRuntime|GuzzleHttp)\b
+ root: Core.OriginalAlert.event.normalized_user_agent
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: fe290ade-179c-411b-818a-20eb58f6d94f
+ iscommand: false
+ name: Check for a suspicious User Agent
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: fe290ade-179c-411b-818a-20eb58f6d94f
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 900,\n \"y\": 940\n }\n}"
+ '46':
+ continueonerrortype: ''
+ id: '46'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ''
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '14'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ ClearUserSessions:
+ simple: 'True'
+ Username:
+ simple: ${Core.OriginalAlert.event.auth_normalized_user.upn}
+ separatecontext: true
+ skipunavailable: true
+ task:
+ brand: ''
+ description: '## Containment Plan - Clear User Sessions
+
+
+ This playbook is a sub-playbook within the containment plan playbook.
+
+ The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear
+ user sessions.'
+ id: b62483ff-7b2a-40dc-8eed-7cca09b538a2
+ iscommand: false
+ name: Containment Plan - Clear User Sessions
+ playbookName: Containment Plan - Clear User Sessions
+ type: playbook
+ version: -1
+ taskid: b62483ff-7b2a-40dc-8eed-7cca09b538a2
+ timertriggers: []
+ type: playbook
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2350\n }\n}"
+ '47':
+ continueonerrortype: ''
+ id: '47'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '43'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ fromdate:
+ simple: 2 hours ago
+ query:
+ complex:
+ accessor: '[0]'
+ root: alert.username
+ transformers:
+ - args:
+ limit: {}
+ replaceWith:
+ value:
+ simple: \\
+ toReplace:
+ value:
+ simple: \
+ operator: replace
+ - args:
+ prefix:
+ value:
+ simple: username:*
+ suffix:
+ value:
+ simple: '* AND (name:"A successful SSO sign-in from TOR" or name:"A
+ user connected from a new country using an anonymized proxy" or
+ name:"Abnormal first access to a resource by a user via SSO")'
+ operator: concat
+ - operator: uniq
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Searches Cortex alerts. A summarized version of this scrips is
+ avilable with the summarizedversion argument.
+
+
+ This automation runs using the default Limited User role, unless you explicitly
+ change the permissions.
+ + For more information, see the section about permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations' + id: 29b64812-1e6f-4477-84f1-a657139dcf1e + iscommand: false + name: Search for related alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 29b64812-1e6f-4477-84f1-a657139dcf1e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 940\n }\n}" + '48': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### Username: + + `${Core.OriginalAlert.event.auth_normalized_user.upn}` + + + --- + + + #### Malicious IP Found: + + `${.=val.DBotScore && val.DBotScore.filter(d => d.Type === "ip" && d.Score + === 3).length > 0 ? val.DBotScore.filter(d => d.Type === "ip" && d.Score + === 3)[0].Indicator : "None"}` + + + --- + + + #### Core User Risk Analysis: + + - **User is risky**: `${.=val.UserRiskyCoreReason ? "Yes, Reason: " + + val.UserRiskyCoreReason : "N/A"}` + + + --- + + + #### Related Alerts: + + ${.=val.foundIncidents && val.foundIncidents.length > 0 ? Array.from(new + Set(val.foundIncidents.map(incident => " - " + incident.name))).join("\n\n") + : "N/A"} + + + --- + + + #### User Agent Analysis: + + - **Suspicious User Agent**: `${.=val.UserAgent ? val.UserAgent : "N/A"}` + + + --- + + + #### Okta Logs Analysis: + + - **Last Day Failed Login Attempts**: `${.=val.FailedLogins && val.FailedLogins + !== "No logs found" ? val.FailedLogins.filter(f => f.actor.alternateId + === val.Core.OriginalAlert.event.auth_normalized_user.upn).length : "N/A"}` + + - **Number of Suspicious Okta System Logs from Last Day**: + + `${.=val.OktaLogs !== "No logs found" ? 
val.OktaLogs.length : "N/A"}`
+
+
+ #### Action Required:
+
+ Please choose the action you want to perform:
+
+
+ - **No Action**
+
+ - **Suspend User**: Suspend the user in Okta.'
+ options: []
+ optionsarg:
+ - simple: No Action
+ - simple: Suspend User
+ placeholder: ''
+ readonly: false
+ required: false
+ tooltip: ''
+ type: singleSelect
+ sender: Your SOC team
+ title: Analyst Action
+ totalanswers: 0
+ id: '48'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ message:
+ bcc: null
+ body: null
+ cc: null
+ format: ''
+ methods: []
+ subject: null
+ timings:
+ completeafterreplies: 1
+ completeaftersla: false
+ completeafterv2: true
+ retriescount: 2
+ retriesinterval: 360
+ to: null
+ nexttasks:
+ '#none#':
+ - '30'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ key:
+ simple: Message
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 5f4c7dba-a5ad-4f41-8487-1f5d4d981f62
+ iscommand: false
+ name: Manual Task - User Action Decision
+ type: collection
+ version: -1
+ taskid: 5f4c7dba-a5ad-4f41-8487-1f5d4d981f62
+ timertriggers: []
+ type: collection
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1780\n }\n}"
+ '6':
+ continueonerrortype: ''
+ id: '6'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '3'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: b7c04990-1c58-4572-83e5-be31d44fe88a
+ iscommand: false
+ name: Check IOCs Reputation
+ type: title
+ version: -1
+ taskid: b7c04990-1c58-4572-83e5-be31d44fe88a
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": -360,\n \"y\": 810\n }\n}"
+ '9':
+ continueonerrortype: ''
+ id: '9'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '6'
+ - '24'
+ - '19'
+ - '35'
+ - '36'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: eec90eed-fe16-4f75-8f44-60e27270f03e
+ iscommand: false
+ name: Investigation
+ type: title
+ version: -1
+ taskid: eec90eed-fe16-4f75-8f44-60e27270f03e
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 660\n }\n}"
+tests:
+- No tests (auto formatted)
+version: -1
+view: "{\n \"linkLabelsPosition\": {\n \"12_14_yes - close alert\": 0.16,\n \
+ \ \"12_9_#default#\": 0.36,\n \"30_14_No Action\": 0.29,\n \"30_32_Suspend\
+ \ User\": 0.63,\n \"43_14_#default#\": 0.11,\n \"43_17_yes\": 0.57\n },\n\
+ \ \"paper\": {\n \"dimensions\": {\n \"height\": 2735,\n \"width\"\
+ : 2270,\n \"x\": -360,\n \"y\": 20\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml
new file mode 100644
index 00000000000..216c7ac1641
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml
@@ -0,0 +1,1045 @@
+description: 'This playbook is designed to handle the alert "Scheduled task created
+ with HTTP or FTP reference".
+
+
+ The playbook executes the following stages:
+
+
+ Investigation:
+
+ During the alert investigation, the playbook will perform the following:
+
+ - Checks the IP and the URL reputation.
+
+ - Checks the CGO process signature.
+
+ - Searches for related XDR agent alerts to determine if the creation of the scheduled
+ task is part of an attack pattern.
+
+
+ Remediation:
+
+ - Remediation actions will be taken if the CGO process is unsigned, the IP or URL
+ has a malicious reputation, or a related alert is detected. In these cases, the
+ playbook will disable the scheduled task, block the malicious indicators, and close
+ the alert.
+
+
+ Requires: To block the malicious URL and IP, configure ''Palo Alto Networks PAN-OS''
+ integration.
+
+ '
+fromversion: 8.9.0
+id: silent-Scheduled task created with HTTP or FTP reference Test
+inputs: []
+issilent: true
+marketplaces:
+- marketplacev2
+name: silent-Scheduled task created with HTTP or FTP reference Test
+outputs: []
+starttaskid: '0'
+tags:
+- TA0002 - Execution
+- T1053 - Scheduled Task/Job
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '1'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: e27de70b-ada6-422e-81fe-6950a566b050
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: e27de70b-ada6-422e-81fe-6950a566b050
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 80\n }\n}"
+ '1':
+ continueonerrortype: ''
+ id: '1'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '2'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825
+ iscommand: false
+ name: Investigation
+ type: title
+ version: -1
+ taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 210\n }\n}"
+ '10':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '10'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '14'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ key:
+ simple: ExtractedTaskName
+ value:
+ complex:
+ accessor: targetprocesscmd
+ root: alert
+ transformers:
+ - args:
+ error_if_no_match: {}
+ ignore_case: {}
+ multi_line: {}
+ period_matches_newline: {}
+ regex:
+ value:
+ simple: (?i).*tn\s(.*?)\s\/
+ unpack_matches: {}
+ operator: RegexExtractAll
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Extract the name and path of the malicious scheduled task and sets
+ the value in context key 'ExtractedTaskName'.
+ id: f5deb02f-7086-4e3f-8672-40de9759ae36
+ iscommand: false
+ name: Extract the name and path of the malicious scheduled task
+ scriptName: Set
+ type: regular
+ version: -1
+ taskid: f5deb02f-7086-4e3f-8672-40de9759ae36
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 990\n }\n}"
+ '13':
+ continueonerrortype: ''
+ id: '13'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '26'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ closeNotes:
+ simple: Malicious scheduled task detected
+ closeReason:
+ simple: Resolved - Handled by the playbook "Scheduled task created with HTTP
+ or FTP reference"
+ id:
+ simple: ${alert.id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: Builtin
+ description: Close the current alert.
+ id: 4189ee6f-1a2c-4ff7-8c0e-8d096e6ecf0e
+ iscommand: true
+ name: Close Alert - True Positive
+ script: Builtin|||closeInvestigation
+ type: regular
+ version: -1
+ taskid: 4189ee6f-1a2c-4ff7-8c0e-8d096e6ecf0e
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2690\n }\n}"
+ '14':
+ continueonerror: true
+ continueonerrortype: errorPath
+ id: '14'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#error#':
+ - '22'
+ '#none#':
+ - '29'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ commands:
+ simple: powershell.exe schtasks /change /tn "${ExtractedTaskName}" /disable
+ endpoint_ids:
+ simple: ${alert.agentid}
+ timeout:
+ simple: '120'
+ timeout_in_seconds:
+ simple: '120'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Disable the malicious scheduled task by executing shell commands.
+ id: 5fb7fc6e-1bed-4e79-8ba3-b757fd583e94
+ iscommand: true
+ name: Disable the malicious scheduled task
+ script: '|||core-run-script-execute-commands'
+ type: regular
+ version: -1
+ taskid: 5fb7fc6e-1bed-4e79-8ba3-b757fd583e94
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1160\n }\n}"
+ '17':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Score
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ root: DBotScore
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '17'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '13'
+ 'yes':
+ - '20'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Checks whether a malicious IP is detected and requires blocking.
+ id: 47529ac8-a0ed-4d35-8019-a8b679181f22
+ iscommand: false
+ name: Is there a malicious IP to block?
+ type: condition
+ version: -1
+ taskid: 47529ac8-a0ed-4d35-8019-a8b679181f22
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 2000\n }\n}"
+ '18':
+ conditions:
+ - condition:
+ - - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Score
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: url
+ root: DBotScore
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '18'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '13'
+ 'yes':
+ - '25'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Checks whether a malicious URL is detected and requires blocking.
+ id: 9b2696ef-df04-4496-8451-531d164d904c
+ iscommand: false
+ name: Is there a malicious URL to block?
+ type: condition
+ version: -1
+ taskid: 9b2696ef-df04-4496-8451-531d164d904c
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2000\n }\n}"
+ '2':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ complex:
+ filters:
+ - - left:
+ iscontext: true
+ value:
+ simple: alert.cgosignature
+ operator: isNotEmpty
+ root: alert.cgosignature
+ operator: isNotEqualString
+ right:
+ value:
+ simple: SIGNATURE_SIGNED
+ - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Score
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: url
+ root: DBotScore
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ - left:
+ iscontext: true
+ value:
+ complex:
+ accessor: Score
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ root: DBotScore
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ label: 'yes'
+ continueonerrortype: ''
+ id: '2'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '6'
+ 'yes':
+ - '3'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Determines the appropriate verdict based on:
+
+ - Process Signature (CGO Process)
+
+ - IP Reputation
+
+ - URL Reputation'
+ id: 1726e203-af36-4ddf-88ea-b94006caadeb
+ iscommand: false
+ name: Check for unsigned CGO or malicious IP or URL
+ type: condition
+ version: -1
+ taskid: 1726e203-af36-4ddf-88ea-b94006caadeb
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 340\n }\n}"
+ '20':
+ continueonerrortype: ''
+ id: '20'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ''
+ iscommand: false
+ max: 0
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '13'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ MaliciousIPs:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: ip
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ transformers:
+ - operator: uniq
+ separatecontext: true
+ skipunavailable: true
+ task:
+ brand: ''
+ description: 'This playbook blocks IP addresses with 2 optional actions:
+
+
+ - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama
+ or Firewall. The playbook receives malicious IP addresses and an address group
+ name as inputs, verifies that the addresses are not already a part of the
+ address group, adds them and commits the configuration.
+
+
+
+ - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables
+ analysts to create a rule one time, where the group is the source/destination,
+ and adds IP addresses dynamically without the need to commit the configuration
+ every time.
+
+ The playbook checks if the given tag already exists. If the tag exists, then
+ the IP address is added to the tag.
+
+ If the tag does not exist, a new address group is created with the given tag
+ and a matching rule, and the configuration is committed.'
+ id: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00
+ iscommand: false
+ name: PAN-OS - Block IP
+ playbookName: PAN-OS - Block IP
+ type: playbook
+ version: -1
+ taskid: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00
+ timertriggers: []
+ type: playbook
+ view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 2190\n }\n}"
+ '21':
+ continueonerrortype: ''
+ id: '21'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ loop:
+ exitCondition: ''
+ iscommand: false
+ max: 100
+ wait: 1
+ nexttasks:
+ '#none#':
+ - '13'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ AutoCommit:
+ simple: 'Yes'
+ CustomURLCategory:
+ simple: XSIAM - Malicious URLs
+ URL:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: url
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ transformers:
+ - operator: uniq
+ pre-post:
+ simple: pre-rulebase
+ type:
+ simple: URL List
+ separatecontext: true
+ skipunavailable: true
+ task:
+ brand: ''
+ description: 'This playbook blocks URLs using Palo Alto Networks Panorama or
+ Firewall through Custom URL Categories.
+
+ The playbook checks whether the input URL category already exists, and if
+ the URLs are a part of this category. Otherwise, it will create the category,
+ block the URLs, and commit the configuration.'
+ id: a7b4dd30-58d1-4e5a-8fae-e4079d446aae
+ iscommand: false
+ name: PAN-OS - Block URL - Custom URL Category
+ playbookName: PAN-OS - Block URL - Custom URL Category
+ type: playbook
+ version: -1
+ taskid: a7b4dd30-58d1-4e5a-8fae-e4079d446aae
+ timertriggers: []
+ type: playbook
+ view: "{\n \"position\": {\n \"x\": 30,\n \"y\": 2520\n }\n}"
+ '22':
+ continueonerrortype: ''
+ id: '22'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '23'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Dear Analyst,
+
+
+ Please note that during the remediation process, the playbook failed to disable
+ the scheduled task ${ExtractedTaskName}
+
+
+ Please take manual action to disable the scheduled task. '
+ id: e5e0d51f-b834-47d0-81f2-326aaab123dc
+ iscommand: false
+ name: Disable the malicious scheduled task manually
+ type: regular
+ version: -1
+ taskid: e5e0d51f-b834-47d0-81f2-326aaab123dc
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 1690\n }\n}"
+ '23':
+ continueonerrortype: ''
+ id: '23'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '17'
+ - '18'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: c5219f31-047d-4cee-888e-f7c63909a296
+ iscommand: false
+ name: Block Malicious Indicators
+ type: title
+ version: -1
+ taskid: c5219f31-047d-4cee-888e-f7c63909a296
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1860\n }\n}"
+ '24':
+ continueonerrortype: ''
+ id: '24'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ message:
+ bcc: null
+ body:
+ simple: 'Should Block the following malicious URL: ${BadUrl} using PAN-OS?'
+ cc: null
+ format: ''
+ methods: []
+ replyOptions:
+ - 'Yes'
+ - 'No'
+ subject: null
+ timings:
+ completeafterreplies: 1
+ completeaftersla: false
+ completeafterv2: true
+ retriescount: 2
+ retriesinterval: 360
+ to: null
+ nexttasks:
+ 'No':
+ - '13'
+ 'Yes':
+ - '21'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Analyst approval required for URL blocking.
+ id: e16a5d0b-f119-4691-811e-28c3d0221004
+ iscommand: false
+ name: Analyst approval for Block URL
+ type: condition
+ version: -1
+ taskid: e16a5d0b-f119-4691-811e-28c3d0221004
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2350\n }\n}"
+ '25':
+ continueonerrortype: ''
+ id: '25'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '24'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ key:
+ simple: BadUrl
+ value:
+ complex:
+ accessor: Indicator
+ filters:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: DBotScore.Type
+ operator: isEqualString
+ right:
+ value:
+ simple: url
+ - - left:
+ iscontext: true
+ value:
+ simple: DBotScore.Score
+ operator: isEqualNumber
+ right:
+ value:
+ simple: '3'
+ root: DBotScore
+ transformers:
+ - operator: uniq
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: "Set a value in context under the key you entered. If no value\
+ \ is entered, the script doesn't do anything.\n\nThis automation runs using\
+ \ the default Limited User role, unless you explicitly change the permissions.\n\
+ For more information, see the section about permissions here:\n- For Cortex\
+ \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\
+ \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\
+ - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script"
+ id: 635dc7e9-df29-49fe-8218-dbf28d22be32
+ iscommand: false
+ name: Set malicious URL's
+ scriptName: SetAndHandleEmpty
+ type: regular
+ version: -1
+ taskid: 635dc7e9-df29-49fe-8218-dbf28d22be32
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2190\n }\n}"
+ '26':
+ continueonerrortype: ''
+ id: '26'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: ff18f72c-0256-4776-823c-90dd05fdba39
+ iscommand: false
+ name: Done
+ type: title
+ version: -1
+ taskid: ff18f72c-0256-4776-823c-90dd05fdba39
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2850\n }\n}"
+ '28':
+ continueonerrortype: ''
+ id: '28'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '23'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ value:
+ simple: "Dear Analyst,\n\nPlease note that during the remediation process,\
+ \ the playbook executed a shell command to disable the following scheduled\
+ \ task: \n${ExtractedTaskName}"
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Prints text to war room (Markdown supported)
+ id: 4ebfbf7e-b9c0-4ec7-86c5-b741ec7142fa
+ iscommand: false
+ name: Notify to War Room - Scheduled Task Disabled
+ scriptName: Print
+ type: regular
+ version: -1
+ taskid: 4ebfbf7e-b9c0-4ec7-86c5-b741ec7142fa
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1690\n }\n}"
+ '29':
+ continueonerrortype: ''
+ id: '29'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '30'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ action_id:
+ simple: ${Core.ScriptRun.action_id}
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Retrieve the results of a script execution action.
+ id: 917a0b85-38b9-4f5a-86bf-2bc724829f8e
+ iscommand: true
+ name: Get script execution results
+ script: '|||core-get-script-execution-results'
+ type: regular
+ version: -1
+ taskid: 917a0b85-38b9-4f5a-86bf-2bc724829f8e
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1325\n }\n}"
+ '3':
+ continueonerrortype: ''
+ id: '3'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '10'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: ababf146-0f9f-4621-8323-18c3256738ee
+ iscommand: false
+ name: Remediation
+ type: title
+ version: -1
+ taskid: ababf146-0f9f-4621-8323-18c3256738ee
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 860\n }\n}"
+ '30':
+ conditions:
+ - condition:
+ - - ignorecase: true
+ left:
+ iscontext: true
+ value:
+ simple: Core.ScriptResult.results.standard_output
+ operator: AnyMatch
+ right:
+ value:
+ simple: SUCCESS
+ label: 'yes'
+ continueonerrortype: ''
+ id: '30'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#default#':
+ - '22'
+ 'yes':
+ - '28'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Verify if the script successfully disabled the task.
+ id: 9bca942b-9378-49c2-85f9-1b04f168f8a3
+ iscommand: false
+ name: Has the script disabled the task successfully?
+ type: condition
+ version: -1
+ taskid: 9bca942b-9378-49c2-85f9-1b04f168f8a3
+ timertriggers: []
+ type: condition
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1490\n }\n}"
+ '31':
+ continueonerrortype: ''
+ id: '31'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: a3fc63d5-f57f-4e5b-89cb-9fcd435227fc
+ iscommand: false
+ name: Done
+ type: title
+ version: -1
+ taskid: a3fc63d5-f57f-4e5b-89cb-9fcd435227fc
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 1150\n }\n}"
+ '5':
+ continueonerrortype: ''
+ id: '5'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '9'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: d6cce08c-349e-44db-807d-b6348886db73
+ iscommand: false
+ name: No Results Found
+ type: title
+ version: -1
+ taskid: d6cce08c-349e-44db-807d-b6348886db73
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 860\n }\n}"
+ '6':
+ continueonerrortype: ''
+ id: '6'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '8'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ query:
+ complex:
+ accessor: parentXDRIncident
+ root: alert
+ transformers:
+ - args:
+ delimiter:
+ value:
+ simple: '-'
+ fields:
+ value:
+ simple: '2'
+ operator: Cut
+ - args:
+ prefix:
+ value:
+ simple: 'caseid:'
+ suffix: {}
+ operator: concat
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'This task searches for
Cortex XSIAM related alerts to the current + incident. + + + ' + id: a4828e36-f8a7-4072-8c5b-959194e04595 + iscommand: false + name: Get Incident related alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: a4828e36-f8a7-4072-8c5b-959194e04595 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 525\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.sourceBrand + operator: isEqualString + right: + value: + simple: TRAPS + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.categoryname + operator: isEqualString + right: + value: + simple: Malware + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the incident contains agent alerts indicating + that the alert was part of an attack pattern. + id: 7f8c3f22-69fa-442d-854f-b29ccb764512 + iscommand: false + name: Found any alerts indicating this is a malicious scheduled task? 
+ type: condition + version: -1 + taskid: 7f8c3f22-69fa-442d-854f-b29ccb764512 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 690\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "Scheduled task created with HTTP + or FTP reference" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 639bf5a9-68a5-4358-878e-9003fb370d6b + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 639bf5a9-68a5-4358-878e-9003fb370d6b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 990\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"14_22_#error#\": 0.55,\n \"17_13_#default#\"\ + : 0.18,\n \"17_20_yes\": 0.43,\n \"18_13_#default#\": 0.16,\n \"18_25_yes\"\ + : 0.46,\n \"24_13_No\": 0.21,\n \"24_21_Yes\": 0.55,\n \"2_3_yes\": 0.28,\n\ + \ \"2_6_#default#\": 0.42,\n \"30_28_yes\": 0.53,\n \"8_3_yes\": 0.47,\n\ + \ \"8_5_#default#\": 0.48\n },\n \"paper\": {\n \"dimensions\": {\n \ + \ \"height\": 2835,\n \"width\": 1590,\n \"x\": 0,\n \"y\": 80\n\ + \ }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml new file mode 100644 index 00000000000..2a118a60bfd --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml 
@@ -0,0 +1,1511 @@ +description: "**This playbook addresses the following alert**:\n- Rare successful\ + \ guest invitation in the organization\n\n**Playbook Stages**:\n\n**Triage**:\n\ + - Gather initial information about the invited user and associated alerts.\n\n**Investigation**:\n\ + - **Check IOCs Reputation**:\n - Analyze the reputation of IP addresses, email\ + \ addresses, and domains related to the incident.\n- **Check for Azure Alerts**:\n\ + \ - Retrieve user Principal Name (UPN).\n - Extract recent Azure security alerts\ + \ for the inviting user.\n- **Check if User is Risky**:\n - Assess the risk score\ + \ of the inviting user based on Core and Azure risk indicators.\n - Investigate\ + \ reasons behind any identified risks, including recent detections.\n\n**Containment**:\n\ + - Provide a manual task for an analyst to review the findings and decide the next\ + \ steps.\n- Possible actions:\n - Disable the invited user.\n - Disable the inviting\ + \ user.\n - Disable both users.\n - Take no action.\n- If users are disabled,\ + \ revoke their active sessions to ensure immediate containment.\n\n**Requirements**:\n\ + For the best results, it's recommended to ensure these integrations are configured\ + \ and working:\n- `Cortex Core - Investigation and Response` for Core user risk\ + \ evaluation.\n- `Azure Risky Users` for retrieving user risk scores.\n- `Microsoft\ + \ 365 Defender` for advanced hunting queries and Azure security alerts.\n- `Microsoft\ + \ Graph User` for disabling accounts and revoking sessions." 
+fromversion: 8.9.0 +id: silent-Successful guest user invitation Test +inputs: [] +issilent: true +name: silent-Successful guest user invitation Test +outputs: [] +starttaskid: '0' +tags: +- TA0003 - Persistence +- T1078 - Valid Accounts +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d395cb57-8e6e-4be4-8ea4-e35bf7698692 + iscommand: false + name: '' + version: -1 + taskid: d395cb57-8e6e-4be4-8ea4-e35bf7698692 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -70\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: e6c32126-6a42-4792-84f8-33add6e8a05e + iscommand: true + name: Collect invited user information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: e6c32126-6a42-4792-84f8-33add6e8a05e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 190\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + query: + simple: let _start = now(-1d); AlertEvidence | where Timestamp >= _start | + where AccountUpn == "${UserUPN}" + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Advanced hunting is a threat-hunting tool that uses specially + constructed queries to examine the past 30 days of event data in Microsoft + 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.' 
+ id: f04d72e0-226e-4913-849b-440a51cc1933 + iscommand: true + name: Get Azure alerts + script: '|||microsoft-365-defender-advanced-hunting' + type: regular + version: -1 + taskid: f04d72e0-226e-4913-849b-440a51cc1933 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 790\n }\n}" + '11': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### Invited User: + + `${Core.OriginalAlert.event.azure_ad_invited_user_email}` + + + #### Inviting User: + + `${Core.OriginalAlert.event.identity_invoked_by_name}` + + + --- + + + ### Malicious Indicators Found: + + - **Malicious IP**: `${.=val.MaliciousIP || "None"}` + + - **Malicious Domain**: `${.=val.MaliciousDomain || "None"}` + + - **Malicious Email**: `${.=val.MaliciousEmail || "None"}` + + + --- + + + ### Inviting User Risk Analysis: + + - **User is risky (Core)**: `${.=val.UserRiskyCoreReason ? "Yes, Reason: + " + val.UserRiskyCoreReason : "N/A"}` + + - **User is risky (Azure)**: `${.=val.UserRiskyAzureDetections ? "Yes, + Risk Types: " + val.UserRiskyAzureDetections : "N/A"}` + + + --- + + + ### Inviting User Azure Security Alerts: + + - **Alerts titles from last day**: `${.=val.AzureSecurityAlerts || "N/A"}` + + + --- + + + ### Action Required: + + Please choose the action you want to perform. 
+ + ' + options: [] + optionsarg: + - simple: No Action + - simple: Disable Invited User + - simple: Disable Inviting User + - simple: Disable Both Users + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: Your SOC team + title: Analyst Action + totalanswers: 0 + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + key: + simple: Message + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e6461e8b-95a4-4c50-8e7d-691dbd4ff032 + iscommand: false + name: Manual Task - User Account Disablement Decision + type: collection + version: -1 + taskid: e6461e8b-95a4-4c50-8e7d-691dbd4ff032 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1600\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousEmail + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: email + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. 
+ + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d05451a6-6c9e-40a4-8498-3655c8540813 + iscommand: false + name: Get malicious Email value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d05451a6-6c9e-40a4-8498-3655c8540813 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -190,\n \"y\": 960\n }\n}" + '15': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: HIGH + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + HIGH: + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: b6d9862d-d090-4d8b-8e17-55a8ba786a55 + iscommand: false + name: Get risky user value + type: condition + version: -1 + taskid: b6d9862d-d090-4d8b-8e17-55a8ba786a55 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": 790\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + detected_date_time_after: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a comma-separated list of the Risk Detection objects and + their properties. 
+ id: cfddda6b-e851-4f07-8e6f-8e7c45261acf + iscommand: true + name: Get Azure risky user detections + script: '|||azure-risky-users-risk-detections-list' + type: regular + version: -1 + taskid: cfddda6b-e851-4f07-8e6f-8e7c45261acf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 1130\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyCoreReason + value: + complex: + accessor: description + root: Core.RiskyUser.reasons + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: 1e118a21-f5b8-4d92-8c86-06046d48a485 + iscommand: false + name: Get risky user reasons value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 1e118a21-f5b8-4d92-8c86-06046d48a485 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": 970\n }\n}" + '19': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: 
AzureRiskyUsers.RiskyUser.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + root: AzureRiskyUsers.RiskyUser.userPrincipalName + transformers: + - operator: toUpperCase + - operator: uniq + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.event.identity_orig.user + transformers: + - operator: uniq + label: 'yes' + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + 'yes': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9426357e-6d8e-42f5-844b-322c7dc76c22 + iscommand: false + name: Check if inviting user is risky + type: condition + version: -1 + taskid: 9426357e-6d8e-42f5-844b-322c7dc76c22 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 790\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.raw_log.additionalDetails.key + operator: isEqualString + right: + value: + simple: ipaddr + root: Core.OriginalAlert.event.raw_log.additionalDetails + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: a1763bd9-5867-404f-8384-22d54fe63ed4 + iscommand: true + name: Check IP Reputation + script: '|||ip' + type: regular + version: -1 + taskid: a1763bd9-5867-404f-8384-22d54fe63ed4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 800\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyAzureDetections + value: + complex: + accessor: riskEventType + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + - - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: atRisk + - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskDetection + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: 6c02e6b9-cd98-4865-8412-1c1bf2e0b401 + iscommand: false + name: Extract Azure user detections + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 6c02e6b9-cd98-4865-8412-1c1bf2e0b401 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 1290\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: AzureSecurityAlerts + value: + complex: + accessor: Title + root: Microsoft365Defender.Hunt.results + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: a890149a-86f7-4dd2-8c9c-9b8fbb03de03 + iscommand: false + name: Extract Azure user alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: a890149a-86f7-4dd2-8c9c-9b8fbb03de03 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 970\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserUPN + value: + complex: + accessor: identity_invoked_by_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d2afb6c7-6bdb-450c-801f-5c051fd4b93a + iscommand: false + name: Get user UPN + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d2afb6c7-6bdb-450c-801f-5c051fd4b93a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 630\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousDomain + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d29624dd-7417-474c-8a40-d7e5d03463c3 + iscommand: false + name: Get malicious Domain value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d29624dd-7417-474c-8a40-d7e5d03463c3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 960\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: 0aef3402-3ee9-4560-80ad-8b50f6b202ba + iscommand: false + name: Get timestamp for Azure detections + scriptName: GetTime + type: regular + version: -1 + taskid: 0aef3402-3ee9-4560-80ad-8b50f6b202ba + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 970\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a90a63d9-83a0-4798-8214-cba052dc69ac + iscommand: false + name: 'Triage ' + type: title + version: -1 + taskid: a90a63d9-83a0-4798-8214-cba052dc69ac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 60\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '9' + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2d6254cd-07ed-4958-8e96-faf1d7fabf2c + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 2d6254cd-07ed-4958-8e96-faf1d7fabf2c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 350\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIP + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: 
false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d4e029ba-e082-48f7-8ea8-189f02abdbc9 + iscommand: false + name: Get malicious IP value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d4e029ba-e082-48f7-8ea8-189f02abdbc9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 960\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9a373a18-fd7d-4626-8dc9-c783e832f73a + iscommand: false + name: Containment + type: title + version: -1 + taskid: 9a373a18-fd7d-4626-8dc9-c783e832f73a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1460\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + email: + complex: + accessor: azure_ad_invited_user_email + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + 
description: Return email information and reputation. + id: e0039359-d2b9-4ccd-8a4f-6c2042d88fa8 + iscommand: true + name: Check Email Reputation + script: '|||email' + type: regular + version: -1 + taskid: e0039359-d2b9-4ccd-8a4f-6c2042d88fa8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -190,\n \"y\": 800\n }\n}" + '31': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Invited User + label: Disable Invited User + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Inviting User + label: Disable Inviting User + - condition: + - - left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Both Users + label: Disable Both + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable Both: + - '36' + Disable Invited User: + - '34' + Disable Inviting User: + - '35' + No Action: + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c44a7dd2-2ebd-420b-8e41-1a625c1fcdc6 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: c44a7dd2-2ebd-420b-8e41-1a625c1fcdc6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1760\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '33' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 90bcff20-0d45-43cc-8d36-8893827cb927 + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 90bcff20-0d45-43cc-8d36-8893827cb927 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2300\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + complex: + root: . + transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": \"#{Analyst Action.Answers.0}\ + \ in ['Disable Invited User','Disable Inviting User','Disable\ + \ Both Users']\",\n \"return\": \"Action was taken.\"\n \ + \ },\n {\n \"condition\": \"#{MaliciousIP} != null or\ + \ #{MaliciousEmail} != null or #{MaliciousDomain} != null or #{AzureSecurityAlerts}\ + \ != null or #{UserRiskyCoreReason} != null or #{UserRiskyAzureDetections}\ + \ != null\",\n \"return\": \"Evidence found, but no action\ + \ was taken.\"\n },\n {\n \"default\": \"No evidence\ + \ found, and no action was taken.\"\n }\n]" + flags: {} + operator: If-Elif + closeReason: + complex: + root: . 
+ transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": \"#{Analyst Action.Answers.0}\ + \ in ['Disable Invited User','Disable Inviting User','Disable\ + \ Both Users']\",\n \"return\": \"Resolved - True Positive\"\ + \n },\n {\n \"condition\": \"#{MaliciousIP} != null\ + \ or #{MaliciousEmail} != null or #{MaliciousDomain} != null or\ + \ #{AzureSecurityAlerts} != null or #{UserRiskyCoreReason} !=\ + \ null or #{UserRiskyAzureDetections} != null\",\n \"return\"\ + : \"Resolved - Other\"\n },\n {\n \"default\": \"Resolved\ + \ - False Positive\"\n }\n]" + flags: {} + operator: If-Elif + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: a61f329c-9e81-4f34-8e85-4a2c381bdd81 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: a61f329c-9e81-4f34-8e85-4a2c381bdd81 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2430\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: referenced_resource_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: 00f31533-8e09-486f-85ae-627ec0470249 + iscommand: true + name: Disable invited user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 00f31533-8e09-486f-85ae-627ec0470249 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 1960\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: fc9cf6aa-4caf-4808-8384-24cca2e9811f + iscommand: true + name: Disable inviting user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: fc9cf6aa-4caf-4808-8384-24cca2e9811f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1950\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - args: + item: + iscontext: true + value: + simple: Core.OriginalAlert.event.referenced_resource_name + operator: append + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. 
Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: 52dfce7a-8d58-44b6-80ef-795bd0557774 + iscommand: true + name: Disable both users + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 52dfce7a-8d58-44b6-80ef-795bd0557774 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -40,\n \"y\": 1960\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3d6594cb-2ea9-40c1-8bdb-84184f3a5a24 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3d6594cb-2ea9-40c1-8bdb-84184f3a5a24 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2590\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session- Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: f0e00113-ce6d-4349-8f04-ff8c2f7bb692 + iscommand: true + name: Revoke user session + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: f0e00113-ce6d-4349-8f04-ff8c2f7bb692 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2130\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.raw_log.additionalDetails.key + operator: isEqualString + right: + value: + simple: invitedUserEmailAddress + root: Core.OriginalAlert.event.raw_log.additionalDetails + transformers: + - operator: uniq + - args: + delimiter: + value: + simple: '@' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns domain information and reputation. 
+ id: 10c53f6d-7f53-4bf5-8639-0f04d4045bdf + iscommand: true + name: Check Domain Reputation + script: '|||domain' + type: regular + version: -1 + taskid: 10c53f6d-7f53-4bf5-8639-0f04d4045bdf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 800\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + - '3' + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c795477f-1d39-4f2d-86d7-c8f41049c282 + iscommand: false + name: Check IOCs Reputation + type: title + version: -1 + taskid: c795477f-1d39-4f2d-86d7-c8f41049c282 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -190,\n \"y\": 490\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 74b4c90b-dd73-40fe-894a-41fd31a2ea26 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: 74b4c90b-dd73-40fe-894a-41fd31a2ea26 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1320,\n \"y\": 490\n }\n}" + '7': + continueonerror: true + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 9afa3a6b-4c66-4a48-8b54-abd766944c71 + iscommand: true + name: Get core user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 9afa3a6b-4c66-4a48-8b54-abd766944c71 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": 630\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + updated_after: + simple: 1 days + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: 028a7bc3-b0e3-41da-822b-87cc8aaeed88 + iscommand: true + name: Get Azure user risk score + script: '|||azure-risky-users-list' + type: regular + version: -1 + taskid: 028a7bc3-b0e3-41da-822b-87cc8aaeed88 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 630\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: ba77d817-81eb-485c-878b-04d0c5e33572 + iscommand: false + name: Check For Azure Alerts + type: title + version: -1 + taskid: ba77d817-81eb-485c-878b-04d0c5e33572 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 490\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"15_18_HIGH\": 0.43,\n \"15_29_#default#\"\ + : 0.16,\n \"19_24_yes\": 0.45,\n \"19_29_#default#\": 0.11,\n \"31_32_No\ + \ Action\": 0.55\n },\n \"paper\": {\n \"dimensions\": {\n \"height\"\ + : 2725,\n \"width\": 2520,\n \"x\": -610,\n \"y\": -70\n }\n \ + \ }\n}" 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml
new file mode 100644
index 00000000000..5e22d3765bd
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml
@@ -0,0 +1,1115 @@
+description: 'This playbook addresses the following alerts:
+
+
+ - Suspicious Hidden User Created
+
+
+ Playbook Stages:
+
+
+ Triage:
+
+
+ - Retrieve event information about the created user
+
+
+ Investigation:
+
+
+ - Check if the user is local or domain.
+
+ - For domain users: Retrieve AD attributes, including password expiration.
+
+ - For local users: Run a Powershell command to get "Password Expires" attribute
+ of the local user.
+
+ - Get risk level for the affected host.
+
+ - Search for related Script Engine Activity alerts in the incident.
+
+
+ Containment:
+
+
+ - For alerts determined to be true positives, suggest to the analyst to disable
+ the user.
+
+ - Upon analyst approval: Disable the suspicious user account (domain or local).
+
+ - If a related alert about malicious activity exists, kill the Causality Group Owner
+ (CGO) process that created the suspicious user.
+
+
+ Requirements:
+
+
+ For response actions, you need the following integrations:
+
+
+ - Cortex Core - Investigation and Response
+
+ - Active Directory Query v2 (for domain user actions).'
+fromversion: 8.9.0 +id: silent-Suspicious Hidden User Created Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Suspicious Hidden User Created Test +outputs: [] +starttaskid: '0' +tags: +- T1136 - Create Account +- 'T1564.002 - Hide Artifacts: Hidden Users' +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6327954b-08af-4580-86fb-10b6cc36af72 + iscommand: false + name: '' + version: -1 + taskid: 6327954b-08af-4580-86fb-10b6cc36af72 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 60\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets extra information about the alert - such as the information + from the event itself, the name of the user that was created, and additional + computed fields. 
+ id: ff60deb2-4aef-459e-8866-d41eef9ec252 + iscommand: true + name: Get event information for created user + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: ff60deb2-4aef-459e-8866-d41eef9ec252 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + key: + simple: PasswordNeverExpires + value: + complex: + accessor: DONT_EXPIRE_PASSWORD + root: ActiveDirectory.Users.userAccountControlFields + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: 'false' + operator: SetIfEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the value of the AD attribute DONT_EXPIRE_PASSWORD for the + domain user that was created. + id: 6987961f-d243-48be-840a-fb263ed5d37c + iscommand: false + name: Save password expiration status + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 6987961f-d243-48be-840a-fb263ed5d37c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1260\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + commands: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: 'powershell -Command "NET USER ' + suffix: + value: + simple: '"' + operator: concat + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Runs a Powershell code snipper on the endpoint where the user was + created, in 
order to retrieve the PASSWORDEXPIRES attribute of the local user. + id: b4c6cb09-eaf2-4bcb-857d-cef36dc0c35d + iscommand: true + name: Retrieve local user password expiration status + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: b4c6cb09-eaf2-4bcb-857d-cef36dc0c35d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 940\n }\n}" + '12': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CIDToTerminate + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '24' + 'Yes': + - '22' + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether a malicious process was detected in a related alert + in this incident, by checking the previously saved CIDToTerminate key which + holds the Causality IDs used to terminate the main process. 
+ id: 135ba6b9-09ce-4b11-889c-4d48c2beec81 + iscommand: false + name: Evaluate suspicious process involvement + type: condition + version: -1 + taskid: 135ba6b9-09ce-4b11-889c-4d48c2beec81 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1560\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7fd41810-cc95-4bf5-86f0-58891eec8437 + iscommand: false + name: User Checks + type: title + version: -1 + taskid: 7fd41810-cc95-4bf5-86f0-58891eec8437 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 620\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5ffbc163-0d81-493a-89f1-56bfcdfa6019 + iscommand: false + name: Related Alert Checks + type: title + version: -1 + taskid: 5ffbc163-0d81-493a-89f1-56bfcdfa6019 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 620\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: aba719e4-e95f-47fb-812f-c2acee433da6 + iscommand: false + name: Triage + type: title + version: -1 + taskid: aba719e4-e95f-47fb-812f-c2acee433da6 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 190\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + 
nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0c51d3d5-197b-4a55-87da-153544e52ef1 + iscommand: false + name: Remediation - Terminate Process + type: title + version: -1 + taskid: 0c51d3d5-197b-4a55-87da-153544e52ef1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1910\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9457ee55-9539-45df-8ad2-e40a79080e8b + iscommand: false + name: Remediation - Disable User + type: title + version: -1 + taskid: 9457ee55-9539-45df-8ad2-e40a79080e8b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1910\n }\n}" + '24': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost.risk_level + operator: isNotEmpty + right: + value: {} + - - ignorecase: true + left: + iscontext: true + value: + simple: PasswordNeverExpires + operator: isEqualString + right: + value: + simple: 'true' + - ignorecase: true + left: + iscontext: true + value: + simple: LocalUserPasswordStatus + operator: containsString + right: + value: + simple: never + label: 'yes' + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '25' + 'yes': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the local/domain user's password never expires, and if + the risk level of the host where the alert occurred is 
HIGH. + id: 409ddefb-be6c-4bc1-8711-766fd39ebc3f + iscommand: false + name: User's password never expires & host risky? + type: condition + version: -1 + taskid: 409ddefb-be6c-4bc1-8711-766fd39ebc3f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 700,\n \"y\": 1730\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: b74eb7e6-f518-487a-8c6d-2dcc6b212d06 + iscommand: true + name: Close Investigation + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b74eb7e6-f518-487a-8c6d-2dcc6b212d06 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 2560\n }\n}" + '26': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.account_creation_is_local + operator: isFalse + right: + value: {} + label: Domain + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '32' + Domain: + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user is a domain user or a local user. 
+ id: ad963433-40ff-4dc1-8cd9-a8f92923aee1 + iscommand: false + name: Check user type (Domain/Local) + type: condition + version: -1 + taskid: ad963433-40ff-4dc1-8cd9-a8f92923aee1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2220\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets the execution results for the Powershell code that was run. + id: cad56c70-2a13-4d13-8cd8-e7418afafb3a + iscommand: true + name: Get execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: cad56c70-2a13-4d13-8cd8-e7418afafb3a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 1100\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + key: + simple: LocalUserPasswordStatus + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.[0].command_output + operator: containsGeneral + right: + value: + simple: Password expires + root: Core.ScriptResult.results.[0].command_output + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extracts and saves the PASSWORDEXPIRES value of the locally created + user from the results of the Powershell script execution. 
+ id: debbbea1-ba6b-4627-8d3b-a22bcc475682 + iscommand: false + name: Extract password expiration flag + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: debbbea1-ba6b-4627-8d3b-a22bcc475682 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 1260\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + host_id: + simple: ${alert.hostname} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets the risk level of the host on which the user was created. + id: f02f7069-0dcd-4c6d-855f-0131096279de + iscommand: true + name: Get host risk level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: f02f7069-0dcd-4c6d-855f-0131096279de + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 750\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: 'Would you like to disable the following user? + + ' + suffix: {} + operator: concat + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#default#': + - '25' + 'Yes': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Manual - Review the findings and make a decision regarding the + remediation of the suspicious user. + id: 226d8c69-2473-4f57-8e09-bf70c6d95fb3 + iscommand: false + name: Analyst review - disable suspicious user? 
+ type: condition + version: -1 + taskid: 226d8c69-2473-4f57-8e09-bf70c6d95fb3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2045\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${Core.OriginalAlert.event.evtlog_target_username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disables the suspicious user in Active Directory. + id: 3caf56b4-0399-423b-8db3-3bdf0ef48255 + iscommand: true + name: Disable user account in AD + script: '|||ad-disable-account' + type: regular + version: -1 + taskid: 3caf56b4-0399-423b-8db3-3bdf0ef48255 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 270,\n \"y\": 2390\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + commands: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: powershell -Command Disable-LocalUser -Name " + suffix: + value: + simple: '"' + operator: concat + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Runs Powershell code on the affected host to disable the local + user on the machine. 
+ id: 040c833c-b457-462c-817b-66b06e05c1ea + iscommand: true + name: Disable local user + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 040c833c-b457-462c-817b-66b06e05c1ea + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 2390\n }\n}" + '33': + continueonerror: true + continueonerrortype: errorPath + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '36' + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + agent_id: + complex: + accessor: agentid + filters: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: in + right: + iscontext: true + value: + simple: CIDToTerminate + root: foundIncidents + causality_id: + complex: + root: CIDToTerminate + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Kills the Causality Group Owner (CGO) of the process that created + the suspicious user. 
+ id: 30254aac-2691-4f77-812f-f54e6658c365 + iscommand: true + name: Terminate causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 30254aac-2691-4f77-812f-f54e6658c365 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 2045\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + key: + simple: CIDToTerminate + value: + complex: + accessor: cid + filters: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.severity + operator: isNotEqualString + right: + value: + simple: LOW + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: isNotEqualString + right: + value: + simple: BLOCKED + root: foundIncidents.CustomFields + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the ID of the Causality Group Owner (CGO) if it exists in + the related alerts, in order to terminate it at the remediation stage. 
+ id: 1a940847-23dc-4a7c-82b8-248f4594e9f5 + iscommand: false + name: Save causality ID + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 1a940847-23dc-4a7c-82b8-248f4594e9f5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 930\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e8cda6f4-6d4e-46fb-8ada-1b794d7caa27 + iscommand: false + name: Host Checks + type: title + version: -1 + taskid: e8cda6f4-6d4e-46fb-8ada-1b794d7caa27 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 620\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Investigate the alerts related to this incident, and terminate + the CGO (Causality Group Owner) process that caused the suspicious hidden + user to be created. 
+ id: e3eb46f2-a249-479d-87bb-a81b9d74c0a9 + iscommand: false + name: Terminate causality process manually + type: regular + version: -1 + taskid: e3eb46f2-a249-479d-87bb-a81b9d74c0a9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -180,\n \"y\": 2390\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and name:"Script Engine Activity*"' + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for Script Engine Activity alerts in the current incident, + which could indicate malicious script activity related to the creation of + the user. 
+ id: 3e1146e5-c836-447b-8dd6-4a53c1e33a24 + iscommand: false + name: Search related Script Engine Activity alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 3e1146e5-c836-447b-8dd6-4a53c1e33a24 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 750\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + - '9' + - '16' + - '18' + - '35' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 512d76d2-719a-47e0-8387-02697e31076e + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 512d76d2-719a-47e0-8387-02697e31076e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 480\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '7' + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Active Directory Query v2 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the Active Directory Query v2 integration is enabled. 
+ id: f56692b0-6188-4ca4-801e-1af5bbfeacc1 + iscommand: false + name: Check Active Directory availability + scriptName: IsIntegrationAvailable + type: condition + version: -1 + taskid: f56692b0-6188-4ca4-801e-1af5bbfeacc1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 930\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + username: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieves information about the domain user, and specifically the + DONT_EXPIRE_PASSWORD attribute of the user, in order to understand if the + user's password was set to never expire. + id: f4ffe67d-09b9-427e-83e6-3ea30cfda4ed + iscommand: true + name: Get AD user attributes + script: '|||ad-get-user' + type: regular + version: -1 + taskid: f4ffe67d-09b9-427e-83e6-3ea30cfda4ed + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1100\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.account_creation_is_local + operator: isFalse + right: + value: {} + label: Domain + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '11' + Domain: + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user is a domain user or a local user. 
+ id: b0c8fef2-dc3e-4e36-81f1-c0d59a5f9b30 + iscommand: false + name: Check user type (Domain/Local) + type: condition + version: -1 + taskid: b0c8fef2-dc3e-4e36-81f1-c0d59a5f9b30 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 750\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ee07333d-6200-4175-8c32-8a543ed2dab5 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: ee07333d-6200-4175-8c32-8a543ed2dab5 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1430\n }\n}" +tests: +- no tests +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_22_Yes\": 0.3,\n \"12_23_Yes\"\ + : 0.48,\n \"12_24_#default#\": 0.54,\n \"24_23_yes\": 0.54,\n \"24_25_#default#\"\ + : 0.16,\n \"30_25_#default#\": 0.24,\n \"33_36_#error#\": 0.61,\n \"6_7_yes\"\ + : 0.51,\n \"6_9_#default#\": 0.23\n },\n \"paper\": {\n \"dimensions\":\ + \ {\n \"height\": 2595,\n \"width\": 1660,\n \"x\": -180,\n \ + \ \"y\": 60\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml new file mode 100644 index 00000000000..8c480940b7c --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml 
@@ -0,0 +1,673 @@ +description: "This playbook addresses the following alerts:\n \n- Suspicious local\ + \ administrator login\n \nPlaybook Stages:\n \nInvestigation:\n \n- Retrieves the\ + \ name of the process image involved in the alert.\n- Checks for related Powershell/Command\ + \ and Scripting/WMI alerts in the incident.\n- Retrieves the host risk score.\n\ + \ \nContainment:\n \n- Provide a manual task for an analyst to review the findings\ + \ and decide the next steps.\n- Possible actions:\n - Disable User.\n - Take no\ + \ action.\n \nRequirements: \n\n- For response actions, the following integration\ + \ is required: Core - IR." +fromversion: 8.9.0 +id: silent-Suspicious Local Administrator Login Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Suspicious Local Administrator Login Test +outputs: [] +starttaskid: '0' +tags: +- T1078 - Valid Accounts +- TA0001 - Initial Access +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a8c8635f-056c-49cb-8010-5419ed231b19 + iscommand: false + name: '' + version: -1 + taskid: a8c8635f-056c-49cb-8010-5419ed231b19 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and (mitreattcktechnique:*T1086* or mitreattcktechnique:*T1059* + or mitreattcktechnique:* T1047*)' + 
operator: concat + - args: + prefix: {} + suffix: + value: + simple: ' and agentid:' + operator: concat + - args: + prefix: {} + suffix: + iscontext: true + value: + simple: alert.agentid + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches for alerts. A summarized version of this script is available + with the summarized version argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 0e7b306b-245d-43c9-85fe-cfec167d92cd + iscommand: false + name: Search for Related Alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 0e7b306b-245d-43c9-85fe-cfec167d92cd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 330\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + command_type: + simple: native + commands: + simple: powershell -Command Disable-LocalUser -Name "${Core.OriginalAlert.raw_abioc.event.login_data.dst_user}" + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate 
a new endpoint script execution of shell commands. + id: 5bc51849-8fd5-4008-81e5-282079d5ebb9 + iscommand: true + name: Disable User + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 5bc51849-8fd5-4008-81e5-282079d5ebb9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1320\n }\n}" + '11': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable User + label: Disable user + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable user: + - '10' + No Action: + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8705127b-689c-4c77-8af4-828aa12d11da + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 8705127b-689c-4c77-8af4-828aa12d11da + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 1130\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 0206dfb2-4202-44fb-8ea1-020a1df810d1 + iscommand: true + name: Get Related Process Information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 0206dfb2-4202-44fb-8ea1-020a1df810d1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 680\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + action_id: + complex: + accessor: action_id} + root: ${Core.GetActionStatus + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 8ba62210-22a2-4b7a-8da5-c206c96f8fb3 + iscommand: true + name: Get Action Status + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 8ba62210-22a2-4b7a-8da5-c206c96f8fb3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1650\n }\n}" + '14': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: containsString + right: + value: + simple: 'False' + label: 'yes' + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 77fb4b5f-d4a3-4f17-871c-bc11fbe9c3a0 + iscommand: false + name: Was the User Disabled? 
+ type: condition + version: -1 + taskid: 77fb4b5f-d4a3-4f17-871c-bc11fbe9c3a0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1810\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + command_type: + simple: native + commands: + simple: powershell -Command Get-LocalUser -Name "${Core.OriginalAlert.raw_abioc.event.login_data.dst_user}" + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate a new endpoint script execution of shell commands. + id: 4047510e-a9c5-4230-8411-5b1ac7abbe5c + iscommand: true + name: Get User Status + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 4047510e-a9c5-4230-8411-5b1ac7abbe5c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1480\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to disable the following + user: ${Core.OriginalAlert.raw_abioc.event.dst_identity} + + Please investigate this before closing this alert. 
+ + ' + id: 32c07163-7d2f-4049-87f0-e1e930fcbe47 + iscommand: false + name: Disable the User Manually + type: regular + version: -1 + taskid: 32c07163-7d2f-4049-87f0-e1e930fcbe47 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1260,\n \"y\": 1980\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8848143f-f15c-406c-8de1-be0eb454b59f + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 8848143f-f15c-406c-8de1-be0eb454b59f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 190\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + host_id: + complex: + accessor: hostname + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 8c9e5c77-8b33-4aff-8460-b5e17a76333c + iscommand: true + name: Get Host Risk Level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: 8c9e5c77-8b33-4aff-8460-b5e17a76333c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 330\n }\n}" + '4': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cd0f32ec-8fce-4c74-8fd9-273e9f882f52 + iscommand: false + name: Check for Related Alerts or Host Risk Score + type: condition + version: -1 + taskid: cd0f32ec-8fce-4c74-8fd9-273e9f882f52 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 500\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 75c1f47a-5b53-434a-8070-0cf3fe5d203a + iscommand: false + name: 'Remediation ' + type: title + version: -1 + taskid: 75c1f47a-5b53-434a-8070-0cf3fe5d203a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 840\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 
6c607d33-069d-4ca2-82d1-9240c594c203 + iscommand: false + name: Done + type: title + version: -1 + taskid: 6c607d33-069d-4ca2-82d1-9240c594c203 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2320\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Suspicious Local Administrator + Login" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 2db5de07-51bf-49ad-87c8-47ec71234195 + iscommand: true + name: Close alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 2db5de07-51bf-49ad-87c8-47ec71234195 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 2150\n }\n}" + '8': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### User Name that involved in the alert: + + `${Core.OriginalAlert.raw_abioc.event.login_data_dst_normalized_user.identity}` + + + #### Host Name: + + `${alert.hostname}` + + + #### Host Risk Level: + + `${Core.RiskyHost.risk_level}` + + + #### Related Alerts Found in the Incident: + + `${.=val.foundIncidents.name || "None"}` + + + #### Process involved in login event: + + `${Core.OriginalAlert.event.login_data.process_image_name}` + + + #### Action Required: + + Please choose the action you want to perform. 
+ + + ' + options: [] + optionsarg: + - simple: No Action + - simple: Disable user + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Analyst Action + totalanswers: 0 + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ac8e9263-a599-4cd4-8314-63f2af36daa5 + iscommand: false + name: Manual Task - User Action Decision + type: collection + version: -1 + taskid: ac8e9263-a599-4cd4-8314-63f2af36daa5 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 970\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"11_10_Disable user\": 0.9,\n \"11_6_No\ + \ Action\": 0.1,\n \"14_16_#default#\": 0.49,\n \"14_7_yes\": 0.2,\n \"\ + 4_12_yes\": 0.46,\n \"4_6_#default#\": 0.1\n },\n \"paper\": {\n \"dimensions\"\ + : {\n \"height\": 2335,\n \"width\": 1400,\n \"x\": 240,\n \"\ + y\": 50\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml new file mode 100644 index 00000000000..18524de0984 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml 
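Review bot: Tasks '10' and '15' run `powershell -Command Disable-LocalUser -Name "${Core.OriginalAlert.raw_abioc.event.login_data.dst_user}"` (and the matching `Get-LocalUser`) with `is_raw_command: 'true'`, so a field recorded by the monitored host is spliced unescaped into a command executed on that host; the account name should be validated before '10' runs, for example a condition task that rejects the value unless it matches an allow-list pattern such as `^[A-Za-z0-9._-]+$` (constructed example — align it with the naming rules in use) and routes failures to the existing manual task '16'. In task '13' the argument is written as `root: ${Core.GetActionStatus` with `accessor: action_id}`, which looks like a `${...}` expression pasted into a complex field; the stray `${` and `}` will keep the lookup from resolving, so the check in '14' would always fall through to '16' — presumably `root: Core.GetActionStatus` and `accessor: action_id` was intended, but confirm the context key that '15' actually outputs. The query in task '1' contains `mitreattcktechnique:* T1047*` with a space after the first `*`, which probably makes that clause match any technique plus a free-text term, so '4' may report unrelated alerts as related; it should read `mitreattcktechnique:*T1047*`. The user is referenced as `login_data.dst_user` in '10'/'15', `login_data_dst_normalized_user.identity` in the form of '8', and `event.dst_identity` in '16'; if these are not all populated for this alert type, the manual-review message may show an empty name, so consider using one field consistently.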
@@ -0,0 +1,1066 @@ +description: "This playbook is designed to handle the following alerts:\n\n- Suspicious\ + \ SaaS API call from a Tor exit node\n- Suspicious SaaS API call from a Tor exit\ + \ node via a mobile device\n- Suspicious API call from a Tor exit node\n- Suspicious\ + \ Kubernetes API call from a Tor exit node\n\nPlaybook Stages:\n\nEarly Containment:\n\ + - To terminate the connection from the Tor exit node, the playbook will clear/revoke\ + \ the user's sessions and force re-authentication. Depending on the alert source,\ + \ the playbook will use either MS-Graph or G-Suite to clear the user sessions.\n\ + \nInvestigation:\n- The playbook will assess the risk score of the user connected\ + \ from the Tor exit node and examine the legitimacy of the user agent.\n\nContainment:\n\ + - If the user's risk score is high or the user agent is detected as suspicious,\ + \ the playbook will recommend blocking the account connected from the Tor exit node.\ + \ The playbook will use MS-Graph, G-Suite, or AWS-IAM, depending on the alert source.\n\ + \nEradication:\n- For users with PAN-OS enabled, the playbook will recommend blocking\ + \ all IPs from the Palo Alto Intelligence-based external dynamic list that contains\ + \ Tor exit nodes. The goal is to prevent the use of Tor within the organization.\n\ + \nRequirements:\n\nFor any response action, you will need one of the following integrations:\ + \ \n- Microsoft Graph User\n- G-Suite Admin\n- AWS-IAM." 
+fromversion: 8.9.0 +id: silent-Suspicious SaaS Access From a TOR Exit Node Test +inputs: [] +issilent: true +name: silent-Suspicious SaaS Access From a TOR Exit Node Test +outputs: [] +starttaskid: '0' +tags: +- T1090 - Proxy +- TA0011 - Command and Control +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9ce3ec2e-49a5-43c6-8812-1c8724eb4f95 + iscommand: false + name: '' + version: -1 + taskid: 9ce3ec2e-49a5-43c6-8812-1c8724eb4f95 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 240\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + complex: + accessor: id + root: alert + transformers: + - operator: uniq + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 34b46f03-e24e-463b-8df9-2743ae0df003 + iscommand: true + name: Get User Identity + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 34b46f03-e24e-463b-8df9-2743ae0df003 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 370\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 0f076c81-4bbc-4f05-8306-4f8c0ac400b3 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 0f076c81-4bbc-4f05-8306-4f8c0ac400b3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3160\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 102922e3-2b05-4241-825c-8c4e325be898 + iscommand: false + name: Done + type: title + version: -1 + taskid: 102922e3-2b05-4241-825c-8c4e325be898 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3320\n }\n}" + '12': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + - left: + iscontext: true + value: + simple: SuspiciousUserAgent + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: GSuite.User.id + operator: isNotEmpty + - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + filters: + - - left: + 
iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: AWS - IAM + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + 'yes': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f939fd39-89a2-4416-8475-6b8fe49537d8 + iscommand: false + name: Check if risk level is high or user agent is suspicious + type: condition + version: -1 + taskid: f939fd39-89a2-4416-8475-6b8fe49537d8 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1630\n }\n}" + '13': + continueonerrortype: '' + form: + description: You can block the user who created the connection. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Block The Account ${alert.username.[0]} using ${Account.Type}? 
+ options: [] + optionsarg: + - {} + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Decide if you want to block the account + totalanswers: 0 + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f8073e61-3193-43f2-819b-a8f4ea98e87a + iscommand: false + name: Decide if you want to block the account + type: collection + version: -1 + taskid: f8073e61-3193-43f2-819b-a8f4ea98e87a + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1800\n }\n}" + '15': + continueonerror: true + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousUserAgent + data: + simple: ${alert.useragent.[0]} + regex: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|REST)\b + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extracts regex data from the provided text. The script supports + groups and looping. 
+ id: dd1a92cb-c7eb-42c9-8679-429bd572a0b7 + iscommand: false + name: Check if user agent is suspicious + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: dd1a92cb-c7eb-42c9-8679-429bd572a0b7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 1330\n }\n}" + '16': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Decide if you want to block the account.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + label: Block Using MS-Graph + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Decide if you want to block the account.Answers.0 + operator: containsString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + simple: GSuite.User.id + operator: isNotEmpty + label: Block Using G-Suite + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Decide if you want to block the account.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: AWS - IAM + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: Delete Login Profile Using AWS + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + Block Using G-Suite: + - '18' + Block Using MS-Graph: + - '17' + Delete Login Profile Using AWS: + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d70543c6-1970-4c3d-8c98-d02aaad561fb + 
iscommand: false + name: Block the account that used TOR? + type: condition + version: -1 + taskid: d70543c6-1970-4c3d-8c98-d02aaad561fb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1960\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: e7c3404d-5ca2-4ed4-875e-100cb2900acd + iscommand: true + name: Block user with MS-Graph + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: e7c3404d-5ca2-4ed4-875e-100cb2900acd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1080,\n \"y\": 2160\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + suspended: + simple: 'true' + user_key: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Updates a user. 
+ id: 19ca9654-14bf-486d-8832-2a5835b118f2 + iscommand: true + name: Block user with G-Suite + script: '|||gsuite-user-update' + type: regular + version: -1 + taskid: 19ca9654-14bf-486d-8832-2a5835b118f2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 2160\n }\n}" + '19': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Choose whether to block TOR using PAN-OS.Answers.0 + operator: containsString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + label: Block TOR using PAN-OS + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '10' + Block TOR using PAN-OS: + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: be2a62ff-1113-46b6-8817-0811b761b3a5 + iscommand: false + name: Block TOR application with PAN-OS? 
+ type: condition + version: -1 + taskid: be2a62ff-1113-46b6-8817-0811b761b3a5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2805\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f9caeafe-1135-44a4-8288-2f6b3196e20a + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: f9caeafe-1135-44a4-8288-2f6b3196e20a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 530\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9032908c-104c-4178-896d-26343b3a9e4f + iscommand: false + name: Eradication + type: title + version: -1 + taskid: 9032908c-104c-4178-896d-26343b3a9e4f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2330\n }\n}" + '22': + continueonerrortype: '' + form: + description: 'You can block traffic from TOR exit node IPs using Palo Alto''s + built-in External Dynamic List (EDL). For more information on predefined EDLs, + visit: + + + https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls' + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Block TOR exit nodes using PAN-OS? 
+ options: [] + optionsarg: + - {} + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Choose whether to block TOR using PAN-OS + totalanswers: 0 + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fb9aab48-672e-4c9d-8ff4-7b5ab3c9f4d1 + iscommand: false + name: Choose whether to block TOR IPs using PAN-OS + type: collection + version: -1 + taskid: fb9aab48-672e-4c9d-8ff4-7b5ab3c9f4d1 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2640\n }\n}" + '23': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '10' + 'Yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 54c87fa9-5981-42ed-8593-2fe4818214cc + iscommand: false + name: PAN-OS Enabled? 
+ type: condition + version: -1 + taskid: 54c87fa9-5981-42ed-8593-2fe4818214cc + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2460\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: 'No' + EDLName: + simple: panw-torexit-ip-list + RuleName: + simple: TOR Exit nodes from predefined EDLs was Blocked by XSIAM + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '' + id: 34616d1d-37f0-4406-8961-5e59b8de3af9 + iscommand: false + name: PAN-OS - Block IPs From EDL - Custom Block Rule + playbookName: PAN-OS - Block IPs From EDL - Custom Block Rule + type: playbook + version: -1 + taskid: 34616d1d-37f0-4406-8961-5e59b8de3af9 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 2990\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + userName: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Deletes the password for the specified IAM user, which terminates + the user's ability to access AWS services through the AWS Management Console. 
+ id: e19e02a9-b241-4f18-8b4d-8f7754efbc19 + iscommand: true + name: Delete Login Profile Using AWS + script: '|||aws-iam-delete-login-profile' + type: regular + version: -1 + taskid: e19e02a9-b241-4f18-8b4d-8f7754efbc19 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 2160\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session. Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: ef5395e8-62d0-407d-8c63-7b162bb01358 + iscommand: true + name: Clear user sessions using MS-Graph + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: ef5395e8-62d0-407d-8c63-7b162bb01358 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1020\n }\n}" + '4': + continueonerror: true + continueonerrortype: '' + fieldMapping: + - incidentfield: User SID + output: + complex: + accessor: '[0]' + root: alert.username + transformers: + - args: + delimiter: + value: + simple: \ + fields: + value: + simple: '2' + operator: Cut + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + filter: + simple: mail eq '${Core.OriginalAlert.event.identity_name}' + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Retrieves a list of user objects. + + Permissions: User.ReadBasic.All (Delegated), User.Read.All (Application).' 
+ id: 250319b5-dde5-40f9-853f-2b3442d2ed52 + iscommand: true + name: Get User ID from MS-Graph + script: '|||msgraph-user-list' + type: regular + version: -1 + taskid: 250319b5-dde5-40f9-853f-2b3442d2ed52 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 860\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: MSFT + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: AZURE + label: O365 + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: GOOGLE + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: GCP + label: Google Workspaces + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '7' + Google Workspaces: + - '6' + O365: + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 826d5083-fff2-4ee9-846e-ab2cef5765e9 + iscommand: false + name: Which SaaS application? 
+ type: condition + version: -1 + taskid: 826d5083-fff2-4ee9-846e-ab2cef5765e9 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 700,\n \"y\": 670\n }\n}" + '6': + continueonerror: true + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + user_key: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Signs a user out of all web and device sessions and resets their + sign-in cookies. + id: deb95ec9-2850-45c8-8a1c-1d2f2ccf07fe + iscommand: true + name: Sign out User using G-Suite Admin + script: '|||gsuite-user-signout' + type: regular + version: -1 + taskid: deb95ec9-2850-45c8-8a1c-1d2f2ccf07fe + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 700,\n \"y\": 1020\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c8772496-b9c9-442b-88e1-f5500d700142 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: c8772496-b9c9-442b-88e1-f5500d700142 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1190\n }\n}" + '8': + continueonerror: true + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username.[0]} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: d6425055-2cd8-401c-83ac-81aba1c11524 + iscommand: true + name: Get User Risk Level + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: d6425055-2cd8-401c-83ac-81aba1c11524 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 1330\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2ff5c5ea-6357-4ef6-8c43-8c3c52b6fe33 + iscommand: false + name: Containment + type: title + version: -1 + taskid: 2ff5c5ea-6357-4ef6-8c43-8c3c52b6fe33 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1500\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_21_#default#\": 0.2,\n \"16_17_Block\ + \ Using MS-Graph\": 0.7,\n \"16_18_Block Using G-Suite\": 0.62,\n \"16_21_#default#\"\ + : 0.4,\n \"19_10_#default#\": 0.34,\n \"23_10_#default#\": 0.14,\n \"23_22_Yes\"\ + : 0.44,\n \"5_4_O365\": 0.73,\n \"5_6_Google Workspaces\": 0.7,\n \"5_7_#default#\"\ + : 0.14\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 3145,\n \ + \ \"width\": 1620,\n \"x\": 240,\n \"y\": 240\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml new file mode 100644 index 00000000000..2091901f476 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml 
@@ -0,0 +1,2048 @@ +description: 'This playbook handles "Suspicious certutil command line" alerts. + + + Playbook Stages: + + + Analysis: + + + During the alert analysis, the playbook will perform the following actions: + + + - Extracts and enriches the URL from the command line. + + - Checks if the URL reputation is suspicious. + + - Checks if any process in the causality chain is unsigned. + + - Checks if any process in the causality chain is non-prevalent. + + - Searches for Cortex XDR agent alerts related to file drops using certutil. + + - Checks for any suspicious parameters in the command line (if the command line + risk score is medium or higher). + + + If the playbook detects any of these conditions, it will proceed to the early containment + stage; otherwise, it will close the alert. + + + Early Containment: + + + - Identify if an agent prevention rule was triggered. If triggered in **block mode**, + proceed with the URL reputation check; otherwise, terminate the causality process + tree. + + + Verdict: + + + - Based on the URL''s reputation, if found to be malicious, the playbook will perform + remediation actions; otherwise, it will close the alert. + + + Remediation: + + + If the URL is found to have a malicious reputation, the playbook will perform the + following actions: + + + - Block the malicious URL using PAN-OS (requires analyst approval). + + - Isolate the endpoint (requires analyst approval). + + - Execute an XQL query to check for file creation events by the certutil process, + and if a file is found, quarantine it (requires analyst approval). + + - Automatically close the alert. + + + Required Integrations: + + + For response actions, you need the following integrations: + + + - Palo Alto Networks PAN-OS + + - XQL Query Engine.' 
+fromversion: 8.9.0 +id: silent-Suspicious certutil command line Test +inputs: [] +issilent: true +name: silent-Suspicious certutil command line Test +outputs: [] +starttaskid: '0' +tags: +- TA0005 - Defense Evasion +- T1218 - System Binary Proxy Execution +- TA0011 - Command and Control +- T1105 - Ingress Tool Transfer +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 73f05945-ea83-4505-8833-cba0c65b30c4 + iscommand: false + name: '' + version: -1 + taskid: 73f05945-ea83-4505-8833-cba0c65b30c4 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -1180\n }\n}" + '10': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + root: DBotScore + operator: greaterThanOrEqual + right: + value: + simple: '2' + - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isNotEmpty + root: alert.osparentsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '25' + - left: 
+ iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '47' + 'yes': + - '50' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task checks the following to determine if process termination + is needed: + + - If the URL reputation is suspicious. + + - If any process in the causality chain is unsigned. + + - If any process in the causality chain is non-prevalent. + + - If Cortex XDR agent alerts related to file drops using certutil are found. + + - If any suspicious parameters are found in the command line (if the command + line risk score is medium or higher).' + id: 87b36f66-b55b-4fac-8c75-d44ab9816417 + iscommand: false + name: Is the URL, process, or command suspicious? + type: condition + version: -1 + taskid: 87b36f66-b55b-4fac-8c75-d44ab9816417 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -410\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c4f026aa-b77e-4a51-8e9b-b8f01df16eee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: c4f026aa-b77e-4a51-8e9b-b8f01df16eee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 565\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: 'Yes' + CustomURLCategory: + simple: XSIAM - Malicious 
URLs + URL: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + pre-post: + simple: pre-rulebase + type: + simple: URL List + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks URLs using Palo Alto Networks Panorama or + Firewall through Custom URL Categories. + + The playbook checks whether the input URL category already exists, and if + the URLs are a part of this category. Otherwise, it will create the category, + block the URLs, and commit the configuration.' + id: 994cd4ee-eed3-49a2-8632-ccfbe4846a4c + iscommand: false + name: PAN-OS - Block URL - Custom URL Category + playbookName: PAN-OS - Block URL - Custom URL Category + type: playbook + version: -1 + taskid: 994cd4ee-eed3-49a2-8632-ccfbe4846a4c + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1420\n }\n}" + '13': + continueonerrortype: '' + form: + description: Blocking the URL, quarantining the downloaded file, and isolating + the endpoint are recommended due to the URL's malicious reputation. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Should the XQL query be executed and the downloaded file quarantined + if found? + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This action will execute an XQL query to search for file creation + events using certutil and quarantine the file. 
+ type: singleSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '1' + label: '' + labelarg: + simple: "Should Block the following malicious URL using PAN-OS? \n- ${URL.Data}\ + \ " + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This will block URLs using Palo Alto Networks Panorama or Firewall + through Custom URL Categories. The playbook checks whether the input URL + category already exists, and if the URLs are a part of this category. Otherwise, + it will create the category, block the URLs, and commit the configuration. + type: singleSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '2' + label: '' + labelarg: + simple: "Should Isolate the endpoint? \n- ${alert.hostname} " + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This action will isolate the endpoint and is recommended to prevent + the attacker from executing lateral movement. + type: singleSelect + sender: Your SOC team + title: RemediationApproval + totalanswers: 0 + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Analyst approval is required for the following actions: + + - Blocking the malicious URL. + + - Executing an XQL query to identify files downloaded via the malicious URL. + + - Isolating the endpoint.' 
+ id: fbb1b0fb-ab08-4c33-882d-9be592e4bcbc + iscommand: false + name: Approve XQL search & quarantine & Block URL & Isolation + type: collection + version: -1 + taskid: fbb1b0fb-ab08-4c33-882d-9be592e4bcbc + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 890\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + - '18' + - '59' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 55b21f0b-e203-43a0-89f3-5d722343fe9e + iscommand: false + name: Search and quarantine file & Block URL + type: title + version: -1 + taskid: 55b21f0b-e203-43a0-89f3-5d722343fe9e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 1265\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + - '59' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4d8dfda3-60d6-421e-81c6-a63444e687b3 + iscommand: false + name: Search and quarantine file + type: title + version: -1 + taskid: 4d8dfda3-60d6-421e-81c6-a63444e687b3 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1265\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + - '59' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c987695c-86b1-4f23-844f-79c71bc0ed05 + iscommand: false + name: Block URL + type: title + version: -1 + taskid: c987695c-86b1-4f23-844f-79c71bc0ed05 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1265\n }\n}" + '17': + conditions: + - 
condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.1 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Search File and quarantine & block url + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Search File and Quarantine + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.1 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Block URL Only + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '59' + Block URL Only: + - '16' + Search File and Quarantine: + - '15' + Search File and quarantine & block url: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the analyst's answers and execute the appropriate actions + based on the responses. + id: 30a5a879-98ae-46ec-80f8-25c7787ec3a6 + iscommand: false + name: Check analyst answers + type: condition + version: -1 + taskid: 30a5a879-98ae-46ec-80f8-25c7787ec3a6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 1050\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '20' + 'yes': + - '41' + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: XQL Query Engine + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns 'yes' if integration brand 'XQL Query Engine' is available. + Otherwise returns 'no'. 
+ id: 00247eff-9984-4d09-8bd5-e7a1fdce1cad + iscommand: false + name: Is the integration of 'XQL Query Engine' available? + scriptName: IsIntegrationAvailable + type: condition + version: -1 + taskid: 00247eff-9984-4d09-8bd5-e7a1fdce1cad + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1420\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + query: + simple: dataset = xdr_data | filter agent_hostname = "${alert.hostname}" + and actor_process_instance_id ="${alert.actionprocessinstanceid.[0]}" and + event_type = FILE and event_sub_type = FILE_WRITE | fields action_file_name, + action_file_path , action_file_sha256 + query_name: + simple: Search_Downloaded_files_by_certutil + time_frame: + simple: between ${QueryStartTime} and ${QueryEndTime} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Execute an XQL query and retrieve results of an executed XQL query + API. The command will be executed every 10 seconds until results are retrieved + or until a timeout error is raised. + + When more than 1000 results are retrieved, the command will return a compressed + gzipped JSON format file, + + unless the argument ''parse_result_file_to_context'' is set to true and then + the results will be extracted to the context.' 
+ id: 0aa0b526-468f-42de-84fa-29a2f5d54480 + iscommand: true + name: XQL Query - Search file creation event by certutil + script: '|||xdr-xql-generic-query' + type: regular + version: -1 + taskid: 0aa0b526-468f-42de-84fa-29a2f5d54480 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1925\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(name:"File Drop - 1815185192" or name:"File Drop - 4219385159" + or name:"File Drop - 98943342") and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for Cortex XSIAM agent alerts related to file + drops using certutil. + id: 6b287e61-9939-4790-8c8e-18755bf12ec8 + iscommand: false + name: Search for agent file drop alerts that blocked the process + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 6b287e61-9939-4790-8c8e-18755bf12ec8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": -910\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nEnsure that the 'XQL Query Engine' integration\ + \ is active. 
If it's not enabled, activate the integration or manually run\ + \ the following XQL query to determine if a file was successfully downloaded\ + \ from a malicious URL using certutil.\n\nQuery:\n\n dataset = xdr_data |\ + \ filter agent_hostname = \"${alert.hostname}\" and actor_process_instance_id\ + \ =\"${alert.actionprocessinstanceid}\" and event_type = FILE and event_sub_type\ + \ = FILE_WRITE | fields action_file_name, action_file_path , action_file_sha256\n\ + \nIf the query output indicates a file created by a malicious certutil command\ + \ line with a malicious URL, quarantine and remove the file immediately." + id: c88e2910-55e1-4b10-8be6-f22abe3bc3dc + iscommand: false + name: "Manual \u2013 Search file using XQL query and quarantine the file " + type: regular + version: -1 + taskid: c88e2910-55e1-4b10-8be6-f22abe3bc3dc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1600\n }\n}" + '21': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: PaloAltoNetworksXQL.GenericQuery.results.action_file_name + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: PaloAltoNetworksXQL.GenericQuery.results.action_file_path + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: PaloAltoNetworksXQL.GenericQuery.results.action_file_sha256 + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + 'yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the XQL query has returned 'File Creation' events by + certutil. + id: 51da6740-feb1-4cac-81de-1d9481397f0f + iscommand: false + name: Found file created by certutil? 
+ type: condition + version: -1 + taskid: 51da6740-feb1-4cac-81de-1d9481397f0f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2090\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3f1b5543-e742-4133-87c8-5a0d1eb0db76 + iscommand: false + name: Quarantine File + type: title + version: -1 + taskid: 3f1b5543-e742-4133-87c8-5a0d1eb0db76 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2270\n }\n}" + '23': + continueonerror: true + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + file_hash: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_sha256} + file_path: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_path} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. 
+ id: c312d63a-b220-4889-8343-92f330492b9f + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: c312d63a-b220-4889-8343-92f330492b9f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2400\n }\n}" + '25': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.quarantineFiles.status + operator: isEqualString + right: + value: + simple: 'false' + label: 'yes' + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + 'yes': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + status. + id: acf62e77-11e5-4949-8063-586e57a33171 + iscommand: false + name: Should quarantine file? + type: condition + version: -1 + taskid: acf62e77-11e5-4949-8063-586e57a33171 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2570\n }\n}" + '26': + continueonerror: true + continueonerrortype: errorPath + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '27' + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_sha256} + file_path: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_path} + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Quarantines a file on selected endpoints. 
+ id: c0cdf2a4-84df-438b-8bee-9dc890500d75 + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: c0cdf2a4-84df-438b-8bee-9dc890500d75 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -90,\n \"y\": 2750\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'The playbook was unable to quarantine the downloaded file due + to the following possible reasons: + + + - The file does not exist or has been moved to another location on the host. + + - The endpoint is currently disconnected. + + + Please take manual action to quarantine the downloaded file.' + id: 66b2d9ee-311b-4bb3-86fe-929cadc13445 + iscommand: false + name: "Manual action needed \u2013The file couldn't be quarantined" + type: regular + version: -1 + taskid: 66b2d9ee-311b-4bb3-86fe-929cadc13445 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -270,\n \"y\": 2930\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious certutil command line detected with a malicious URL. 
+ closeReason: + simple: True Positive - Resolved - Handled by the playbook "Suspicious certutil + command line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 1b8d7af5-3ecd-47d1-8045-8b73d535a9a9 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 1b8d7af5-3ecd-47d1-8045-8b73d535a9a9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 630,\n \"y\": 3110\n }\n}" + '3': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + root: foundIncidents.CustomFields + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '7' + Blocked: + - '62' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the alert's alerts for an alert that blocked the causality + using the agent. + id: 8fa2386e-0186-4377-860d-cfc35f5ddeed + iscommand: false + name: Was the causality blocked by another alert? 
+ type: condition + version: -1 + taskid: 8fa2386e-0186-4377-860d-cfc35f5ddeed + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -100\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6d6a776e-0551-429d-8feb-dea3d405ef0d + iscommand: false + name: Done + type: title + version: -1 + taskid: 6d6a776e-0551-429d-8feb-dea3d405ef0d + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 1580\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: "Suspicious certutil command line detected \u2013 the process has\ + \ been terminated." + closeReason: + simple: True Positive - Resolved - Handled by the playbook "Suspicious certutil + command line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: b8204b08-44a8-4820-8638-c5173fe4527c + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b8204b08-44a8-4820-8638-c5173fe4527c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 1420\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b164bebc-f532-4a72-8a64-598a6af3d307 + iscommand: false + name: Done + type: title + version: -1 + taskid: b164bebc-f532-4a72-8a64-598a6af3d307 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 630,\n \"y\": 3280\n }\n}" + '36': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + root: foundIncidents.CustomFields + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: BLOCKED + label: Terminated + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Terminated: + - '37' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the alert's alerts for an alert that blocked the causality + using the agent. + id: 14cad4bf-d67a-4da9-8a8d-f808da7c291c + iscommand: false + name: Is the process has been terminate by the agent? + type: condition + version: -1 + taskid: 14cad4bf-d67a-4da9-8a8d-f808da7c291c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 710\n }\n}" + '37': + continueonerrortype: '' + form: + description: Blocking the URL is recommended, as its reputation is malicious. 
+ expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "Should Block the following malicious URL using PAN-OS? \n- ${URL.Data}\ + \ " + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This will block URLs using Palo Alto Networks Panorama or Firewall + through Custom URL Categories. The playbook checks whether the input URL + category already exists, and if the URLs are a part of this category. Otherwise, + it will create the category, block the URLs, and commit the configuration. + type: singleSelect + sender: Your SOC team + title: UrlBlockApproval + totalanswers: 0 + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval is required to block the malicious URL. 
+ id: 4616c7a0-eb85-4ed3-82ec-f4417441326a + iscommand: false + name: Approve the URL block using PAN-OS + type: collection + version: -1 + taskid: 4616c7a0-eb85-4ed3-82ec-f4417441326a + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 890\n }\n}" + '38': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: UrlBlockApproval.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Block URL Only + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '39' + Block URL Only: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the analyst's answers and execute the appropriate actions + based on the responses. + id: 280e1d4c-a22f-4e73-8c3e-c67e56c13f62 + iscommand: false + name: Check analyst answers + type: condition + version: -1 + taskid: 280e1d4c-a22f-4e73-8c3e-c67e56c13f62 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1050\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 717f0868-d441-40d1-846e-21cee80f3f31 + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 717f0868-d441-40d1-846e-21cee80f3f31 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 1265\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + key: + simple: QueryStartTime + value: + complex: + accessor: timestamp + root: alert + transformers: 
+ - args: + variation: + value: + simple: 5 min ago + operator: ModifyDateTime + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. + id: bac2669e-6936-476c-8171-176df095d438 + iscommand: false + name: 'Retrieve the query''s timeframe: start time' + scriptName: Set + type: regular + version: -1 + taskid: bac2669e-6936-476c-8171-176df095d438 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1600\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + key: + simple: QueryEndTime + value: + complex: + accessor: timestamp + root: alert + transformers: + - args: + variation: + value: + simple: 15 min after + operator: ModifyDateTime + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
+ id: fa3d50df-242b-4de5-8dcf-9b877439c9a3 + iscommand: false + name: 'Retrieve the query''s timeframe: end time' + scriptName: Set + type: regular + version: -1 + taskid: fa3d50df-242b-4de5-8dcf-9b877439c9a3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1760\n }\n}" + '45': + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 27452030-2116-4417-8cd8-a5fd4b716fe2 + iscommand: false + name: Done + type: title + version: -1 + taskid: 27452030-2116-4417-8cd8-a5fd4b716fe2 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": 70\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No indication of malicious activity was found + closeReason: + simple: Resolved - Handled by the playbook "Suspicious certutil command line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: cfd56532-54ee-48d3-8dcd-bef9b0ad1eac + iscommand: true + name: Close Alert - No indication of malicious activity was found + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: cfd56532-54ee-48d3-8dcd-bef9b0ad1eac + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": -100\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: adb0f9eb-8a9c-47b0-89ea-52b000b7da5c + iscommand: false + name: No malicious activity was found + type: title + version: -1 + taskid: adb0f9eb-8a9c-47b0-89ea-52b000b7da5c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": -230\n }\n}" + '48': + continueonerrortype: '' + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '49' + - '51' + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cdab80be-bc03-417e-8d31-e9db2a80e52c + iscommand: false + name: Analysis + type: title + version: -1 + taskid: cdab80be-bc03-417e-8d31-e9db2a80e52c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -1050\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + process_name: + complex: + accessor: cgoname + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.osparentname + operator: append + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. 
+ id: 0c93af04-432d-4de1-801c-703a45330dc7 + iscommand: true + name: Check the processes prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: 0c93af04-432d-4de1-801c-703a45330dc7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 290,\n \"y\": -910\n }\n}" + '50': + continueonerrortype: '' + id: '50' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e8663374-f814-4699-863c-ca31c8594c9b + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: e8663374-f814-4699-863c-ca31c8594c9b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -230\n }\n}" + '51': + continueonerrortype: '' + id: '51' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + command_line: + simple: ${alert.targetprocesscmd} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This script evaluates command-line threats by analyzing both original + and decoded inputs. It assigns weighted scores to detected patterns, such + as AMSI bypass or credential dumping, and applies risk combination bonuses + for multiple detections. The total score is normalized to a 0-100 scale, with + risk levels categorized as follows: + + + * 0-25: Low Risk + + * 26-50: Medium Risk + + * 51-90: High Risk + + * 91-100: Critical Risk + + + The scoring mechanism provides a comprehensive risk assessment, considering + both the severity and frequency of malicious behaviors.' 
+ id: 0c3bd267-8cc3-4946-82f2-636bcd174e35 + iscommand: false + name: Command Line Analysis + scriptName: CommandLineAnalysis + type: regular + version: -1 + taskid: 0c3bd267-8cc3-4946-82f2-636bcd174e35 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -910\n }\n}" + '52': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '39' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the URL reputation is malicious + id: 04eb7a8f-2192-48c7-8aa3-10e2aef1894c + iscommand: false + name: Is the URL reputation malicious? + type: condition + version: -1 + taskid: 04eb7a8f-2192-48c7-8aa3-10e2aef1894c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 380\n }\n}" + '54': + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: fb868f96-2f7d-43ab-86ee-b9723830ed39 + iscommand: true + name: 'Isolate Endpoint ' + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: fb868f96-2f7d-43ab-86ee-b9723830ed39 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -800,\n \"y\": 2165\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '57' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + id: 71609f38-f610-4866-80bb-37f4c8f0fc10 + iscommand: true + name: Get endpoint info by endpoint ID + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 71609f38-f610-4866-80bb-37f4c8f0fc10 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1785\n }\n}" + '57': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_type + root: Core.Endpoint + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_status + root: Core.Endpoint + operator: isEqualString + right: + value: + simple: CONNECTED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_UNISOLATED + label: Isolate + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: 
Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_ISOLATED + label: Already isolated + continueonerrortype: '' + id: '57' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '58' + Already isolated: + - '61' + Isolate: + - '54' + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determine whether to isolate the endpoint based on its status, + isolation state, and OS type. + id: 71f66172-4ea1-4a71-8780-bd4076aad0c2 + iscommand: false + name: Verify endpoint isn't isolated, disconnected, or a server + type: condition + version: -1 + taskid: 71f66172-4ea1-4a71-8780-bd4076aad0c2 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1950\n }\n}" + '58': + continueonerrortype: '' + id: '58' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook didn't isolate the following host: ${alert.hostname} \n\nThis\ + \ is due to one of the following reasons:\n- The device disconnected.\n- The\ + \ device has been identified as a server.\n\nPlease take manual action to\ + \ contain the attack and prevent the attacker from executing lateral movement\ + \ before closing this alert." 
+ id: 59b940e1-3fd4-4097-849e-d802fc89905a + iscommand: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: 59b940e1-3fd4-4097-849e-d802fc89905a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1220,\n \"y\": 2165\n }\n}" + '59': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.2 + operator: isEqualString + right: + value: + simple: 'Yes' + label: 'yes' + continueonerrortype: '' + id: '59' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '61' + 'yes': + - '60' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the analyst's answers and execute the endpoint isolation + actions accordingly. + id: 9489508e-a58b-4a84-818c-77a4568bac1e + iscommand: false + name: Check analyst answer - Should isolate the endpoint? + type: condition + version: -1 + taskid: 9489508e-a58b-4a84-818c-77a4568bac1e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1420\n }\n}" + '60': + continueonerrortype: '' + id: '60' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '56' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check whether the values provided in arguments are equal. If either + of the arguments are missing, no is returned. 
+ id: 5c4337e3-822f-42fa-829c-121aec493d72 + iscommand: false + name: Isolate Endpoint + type: title + version: -1 + taskid: 5c4337e3-822f-42fa-829c-121aec493d72 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1645\n }\n}" + '61': + continueonerrortype: '' + id: '61' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a5106cbd-6599-4e8e-86c0-fc3ee770aafa + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: a5106cbd-6599-4e8e-86c0-fc3ee770aafa + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 2405\n }\n}" + '62': + continueonerrortype: '' + id: '62' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d5a64697-1494-4756-8755-76eeacff3e11 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: d5a64697-1494-4756-8755-76eeacff3e11 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 250\n }\n}" + '7': + continueonerror: true + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '62' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available from Cortex + XSIAM 2.4. 
+ id: 0c3f09bd-ab2b-42d5-84f9-06399154c231 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 0c3f09bd-ab2b-42d5-84f9-06399154c231 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 70\n }\n}" + '8': + continueonerror: true + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + url: + simple: ${URL.Data} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Gets a URL category from URL filtering. + id: b23acb51-0803-4d17-848b-959f2109f375 + iscommand: true + name: Url Enrichment + script: '|||url' + type: regular + version: -1 + taskid: b23acb51-0803-4d17-848b-959f2109f375 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -590\n }\n}" + '9': + continueonerror: true + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + url: + simple: ${URL.Data} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a verdict for a hash. 
+ id: da84030a-4f57-4045-8d71-595cd4e82f95 + iscommand: true + name: Get Wildfire Verdict for URL + script: '|||wildfire-get-verdict' + type: regular + version: -1 + taskid: da84030a-4f57-4045-8d71-595cd4e82f95 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -750\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_50_yes\": 0.43,\n \"17_14_Search\ + \ File and quarantine \\u0026 block url\": 0.4,\n \"17_15_Search File and Quarantine\"\ + : 0.71,\n \"17_16_Block URL Only\": 0.6,\n \"18_41_yes\": 0.37,\n \"21_22_yes\"\ + : 0.41,\n \"21_29_#default#\": 0.14,\n \"25_29_#default#\": 0.27,\n \"\ + 26_27_#error#\": 0.46,\n \"36_13_#default#\": 0.71,\n \"36_37_Terminated\"\ + : 0.54,\n \"38_16_Block URL Only\": 0.34,\n \"38_39_#default#\": 0.39,\n \ + \ \"3_62_Blocked\": 0.41,\n \"52_11_yes\": 0.58,\n \"57_54_Isolate\": 0.55,\n\ + \ \"57_58_#default#\": 0.61,\n \"59_60_yes\": 0.35,\n \"59_61_#default#\"\ + : 0.2\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 4525,\n \ + \ \"width\": 3080,\n \"x\": -1220,\n \"y\": -1180\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml new file mode 100644 index 00000000000..d00f2191264 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml 
@@ -0,0 +1,1245 @@ +description: "This playbook addresses the following alerts for linux os:\n\n- Suspicious\ + \ process execution from tmp folder\n- Suspicious interactive execution of a binary\ + \ from the tmp folder\n- Suspicious cron job task execution of a binary from the\ + \ tmp folder\n- A web server process executed an unpopular application from the\ + \ tmp folder\n\nPlaybook Stages:\n\nAnalysis:\n\n- Check target process hash reputation\n\ + - Check commandline extracted indicators reputation\n\nThe playbook will proceed\ + \ directly to remediation if suspicious/Suspicious reputation is found during the\ + \ analysis stage.\n\nInvestigation:\n\n- Search for the following suspicious insights/related\ + \ alerts:\n - Suspicious access to shadow file\n - UNIX LOLBIN process connected\ + \ to a rare external host\n - Persistence through service registration\n - Adding\ + \ execution privileges \n - Modification of systemd service files\n - Adding\ + \ execution privileges\n - Local account discovery\n\nIf no suspicious reputation\ + \ is found in the analysis stage, but suspicious insights/related alerts are discovered\ + \ during investigation, the playbook will then proceed to remediation.\n\nRemediation:\n\ + \n- Terminate causality process\n- Quarantine the Suspicious process image file\ + \ (requires manual approval).\n- Disable the suspicious cron job task (requires\ + \ manual action)." 
+fromversion: 8.9.0 +id: silent-Suspicious execution from tmp folder Test +inputs: [] +issilent: true +name: silent-Suspicious execution from tmp folder Test +outputs: [] +starttaskid: '0' +tags: +- T1564 - Hide Artifacts +- TA0005 - Defense Evasion +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '68' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cea27ec4-42b2-4967-8165-fdd29fb21804 + iscommand: false + name: '' + version: -1 + taskid: cea27ec4-42b2-4967-8165-fdd29fb21804 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": -230\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + file: + simple: ${alert.targetprocesssha256} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve results for a file hash using WildFire. 
+ id: 6806ade8-7ccd-44f7-8073-57a3f7de2e25 + iscommand: true + name: Check Target Process Hash Reputation + script: '|||file' + type: regular + version: -1 + taskid: 6806ade8-7ccd-44f7-8073-57a3f7de2e25 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 240\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '82' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + text: + simple: ${alert.targetprocesscmd} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.extract.indicators + id: 56f2d28b-1c34-400d-8a2e-1e4358ef44fb + iscommand: true + name: Check if commandline includes IOC (IP,URL,Domain) + script: Builtin|||extractIndicators + type: regular + version: -1 + taskid: 56f2d28b-1c34-400d-8a2e-1e4358ef44fb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 607.5,\n \"y\": 240\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2fae8c5a-874b-4817-8ed0-0d899778501f + iscommand: false + name: Analysis + type: title + version: -1 + taskid: 2fae8c5a-874b-4817-8ed0-0d899778501f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 95\n }\n}" + '36': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + root: DBotScore + transformers: + - operator: uniq + operator: greaterThanOrEqual + right: + value: + simple: '2' + label: 'yes' + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '38' + 'yes': + - '42' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if Suspicious reputation of IOC is found + id: fbda5eca-fb73-48e7-8e28-07a0f8b40f20 + iscommand: false + name: Suspicious reputation found? + type: condition + version: -1 + taskid: fbda5eca-fb73-48e7-8e28-07a0f8b40f20 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 730\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '81' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1c41c07d-ca89-4b1b-8500-ade4d697bc95 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 1c41c07d-ca89-4b1b-8500-ade4d697bc95 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 905\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + right: + value: {} + label: Results Found + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '64' + Results Found: + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if related alerts or insights have been found + id: 47253db0-8d02-4ef1-8255-684ab6c93ba3 + iscommand: false + name: Check if related alerts found + type: condition + version: -1 + taskid: 47253db0-8d02-4ef1-8255-684ab6c93ba3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 1225\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '69' + - '70' + - '72' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: '' + id: 0e985a6e-740e-4ed0-8810-8b9d1e76fae9 + iscommand: false + name: Set Context for Remediation + type: title + version: -1 + taskid: 0e985a6e-740e-4ed0-8810-8b9d1e76fae9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1400\n }\n}" + '46': + continueonerror: true + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '51' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.actionprocessinstanceid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. + id: ff8cc7f0-5ce7-4293-8352-2dfc99d17b19 + iscommand: true + name: Terminate Causality - Action Process + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: ff8cc7f0-5ce7-4293-8352-2dfc99d17b19 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1875\n }\n}" + '51': + continueonerrortype: '' + id: '51' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ecc1c6ad-a79a-42e4-8a63-bd2cfea14a6b + iscommand: false + name: Quarantine file + type: title + version: -1 + taskid: ecc1c6ad-a79a-42e4-8a63-bd2cfea14a6b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 2090\n }\n}" + '52': + continueonerror: true + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '54' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} 
+ file_hash: + simple: ${SuspiciousFileHash} + file_path: + simple: ${SuspiciousFilePath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. + id: 4ddee1dc-2c8a-4ab0-8694-b46e6f5dd041 + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: 4ddee1dc-2c8a-4ab0-8694-b46e6f5dd041 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 2230\n }\n}" + '53': + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - Quarantine + - No Quarantine + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + No Quarantine: + - '57' + Quarantine: + - '55' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\nShould we perform quarantine of the Suspicious\ + \ file?\n\nfile name: ${SuspiciousFileName}\n\nfile hash: \n${SuspiciousFileHash}\n" + id: 94f8d78a-43ad-4af0-8d77-fe665c805bf8 + iscommand: false + name: Analyst approval for quarantine the Suspicious file + type: condition + version: -1 + taskid: 94f8d78a-43ad-4af0-8d77-fe665c805bf8 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2560\n }\n}" + '54': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.quarantineFiles.status + operator: isEqualString + right: + value: + simple: 'false' + label: 'yes' + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '57' + 'yes': + - '53' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + status and the successful calculation of the file hash. + id: 61ac8ab9-6cda-4602-8301-9abdda537429 + iscommand: false + name: Check if file already quarantined + type: condition + version: -1 + taskid: 61ac8ab9-6cda-4602-8301-9abdda537429 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 2390\n }\n}" + '55': + continueonerror: true + continueonerrortype: errorPath + id: '55' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '56' + '#none#': + - '57' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: ${SuspiciousFileHash} + file_path: + simple: ${SuspiciousFilePath} + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Quarantines a file on selected endpoints. + id: bcf632e2-5875-405e-8b3d-6e4b2741a9be + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: bcf632e2-5875-405e-8b3d-6e4b2741a9be + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -2.5,\n \"y\": 2745\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '57' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook was unable to quarantine the Suspicious file due to the following + possible reasons: + + + - The file is not located on the local host. + + - The endpoint is currently disconnected. + + - The hash calculation was unsuccessful. 
+ + + Please take manual action to terminate the causality process if needed and + quarantine the file.' + id: b97f5f22-2648-4924-8f0d-69f008fe4016 + iscommand: false + name: "Manual action needed \u2013 Suspicious file couldn't be quarantined" + type: regular + version: -1 + taskid: b97f5f22-2648-4924-8f0d-69f008fe4016 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -250,\n \"y\": 2930\n }\n}" + '57': + continueonerrortype: '' + id: '57' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a1f32319-1571-4677-89c3-a2655fb312e9 + iscommand: false + name: Quarantine file - Done + type: title + version: -1 + taskid: a1f32319-1571-4677-89c3-a2655fb312e9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 3110\n }\n}" + '64': + continueonerrortype: '' + id: '64' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '65' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e465edf9-54cf-4194-802f-2f0e31bf146c + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: e465edf9-54cf-4194-802f-2f0e31bf146c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1290,\n \"y\": 1400\n }\n}" + '65': + continueonerrortype: '' + id: '65' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '67' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: False Positive + closeReason: + simple: Resolved - Handled by the playbook "Suspicious execution from tmp + folder" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 
b516acfc-89ed-44ae-8e33-8ddcac4d7d4c + iscommand: true + name: Close Alert - False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b516acfc-89ed-44ae-8e33-8ddcac4d7d4c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1290,\n \"y\": 3295\n }\n}" + '66': + continueonerrortype: '' + id: '66' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '67' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Suspicious binary execution from /tmp directory detected + closeReason: + simple: Resolved - Handled by the playbook "Suspicious execution from tmp + folder" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: 49799f5d-bcfd-4046-84a4-eace34fdd6dd + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 49799f5d-bcfd-4046-84a4-eace34fdd6dd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 3265\n }\n}" + '67': + continueonerrortype: '' + id: '67' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e469c38e-c8cb-444f-86be-daa3870639e2 + iscommand: false + name: Done + type: title + version: -1 + taskid: e469c38e-c8cb-444f-86be-daa3870639e2 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 3470\n }\n}" + '68': + continueonerrortype: '' + id: '68' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + 
description: Returns information about each alert ID. + id: f0423588-d2cb-4a29-8ec9-2e8db1521c51 + iscommand: true + name: Get action process image file path + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: f0423588-d2cb-4a29-8ec9-2e8db1521c51 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": -100\n }\n}" + '69': + continueonerrortype: '' + id: '69' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '71' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousFileHash + value: + complex: + accessor: targetprocesssha256 + root: alert + transformers: + - operator: JoinIfSingleElementOnly + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 7f5616f0-c5d3-42e3-888d-5abbc771d15f + iscommand: false + name: Set Suspicious File Hash to Context + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 7f5616f0-c5d3-42e3-888d-5abbc771d15f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 810,\n \"y\": 1540\n }\n}" + '70': + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + 
nexttasks: + '#none#': + - '71' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousFilePath + value: + simple: ${Core.OriginalAlert.event.action_process_image_path} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 5c009948-4810-4ae2-8863-6567a72a2141 + iscommand: false + name: Set Suspicious File Path to Context + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 5c009948-4810-4ae2-8863-6567a72a2141 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -60,\n \"y\": 1540\n }\n}" + '71': + continueonerrortype: '' + id: '71' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + - '78' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 50a216fa-340b-4a92-8ddb-b36f2e53110c + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 50a216fa-340b-4a92-8ddb-b36f2e53110c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1710\n }\n}" + '72': + continueonerrortype: '' + id: '72' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + 
'#none#': + - '71' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousFileName + value: + complex: + accessor: targetprocessname + root: alert + transformers: + - operator: JoinIfSingleElementOnly + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 9e2e71c9-af8d-491c-8e0e-d7a12c97332f + iscommand: false + name: Set Suspicious File Name to Context + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9e2e71c9-af8d-491c-8e0e-d7a12c97332f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1540\n }\n}" + '73': + continueonerrortype: '' + id: '73' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the investigation process, the Suspicious process was found to be executed + by a cronjob. + + + To complete all remediation steps, please consider disabling the Suspicious + cronjob manually, in addition to the automatic remediation steps. 
+ + + Suspicious Process: ${SuspiciousFileName} + + + Suspicious Cronjob: ${SuspiciousCronjob}' + id: 6544b144-25f7-454f-80b5-0b93b555971e + iscommand: false + name: Disable Cronjob Manually + type: regular + version: -1 + taskid: 6544b144-25f7-454f-80b5-0b93b555971e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 3080\n }\n}" + '74': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: alert.name + operator: containsString + right: + value: + simple: cron job + label: 'yes' + continueonerrortype: '' + id: '74' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '67' + 'yes': + - '75' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if alert is the cronjob variant. + id: 8dbf40b2-645f-417f-89f3-b31dc85d2279 + iscommand: false + name: Check if cronjob alert + type: condition + version: -1 + taskid: 8dbf40b2-645f-417f-89f3-b31dc85d2279 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2090\n }\n}" + '75': + continueonerrortype: '' + id: '75' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: crontab -u ${alert.username.[0]} -l + endpoint_ids: + simple: ${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate a new endpoint script execution of shell commands. 
+ id: d26c72fe-2f3b-4e52-80b5-85e11df5c807 + iscommand: true + name: Get user's crontab from endpoint + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: d26c72fe-2f3b-4e52-80b5-85e11df5c807 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2435\n }\n}" + '76': + continueonerrortype: '' + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '77' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 86dec972-9b2e-4b9b-8437-eb9de637fff1 + iscommand: true + name: Get action results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 86dec972-9b2e-4b9b-8437-eb9de637fff1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2655\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '73' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousCronjob + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: SuspiciousFileName + - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: SuspiciousFilePath + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + value: + simple: /tmp + root: Core.ScriptResult.results.command_output + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a 
value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: b37c4f99-d410-4337-8155-23cb450132be + iscommand: false + name: Locate the Suspicious cronjob in crontab + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: b37c4f99-d410-4337-8155-23cb450132be + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2855\n }\n}" + '78': + continueonerrortype: '' + id: '78' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '74' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5cb64b48-ebd2-49cf-8bc7-67c4f9d3aa05 + iscommand: false + name: Cronjob Remediation + type: title + version: -1 + taskid: 5cb64b48-ebd2-49cf-8bc7-67c4f9d3aa05 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 1855\n }\n}" + '81': + continueonerrortype: '' + id: '81' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 2 hours ago + includeinformational: + simple: 'true' + query: + simple: 'agentid:${alert.agentid} AND (name: "Suspicious access to shadow + file" or name: "UNIX LOLBIN process connected to a 
rare external host" + or name: "Persistence through service registration" or name: "Adding execution + privileges" or name: "Modification of systemd service files" or name: "Adding + execution privileges" or name: "Local account discovery")' + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for Cortex XSIAM suspicious alerts related + to the current alert by Mitre Technique, indicating that the alert is part + of an attack pattern. + + + Focus on identifying alerts associated with the following MITRE techniques: + + - Any Agent Alerts within this alert. + + - T1059 - Command and Scripting Interpreter.' + id: 649b563c-6f47-4dab-88ff-691f4c9d71a5 + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 649b563c-6f47-4dab-88ff-691f4c9d71a5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 1050\n }\n}" + '82': + continueonerrortype: '' + id: '82' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + CVE: + complex: + accessor: ID + root: CVE + Domain: + complex: + accessor: Name + root: Domain + transformers: + - operator: uniq + Email: + complex: + accessor: Email.Address + root: Account + transformers: + - operator: uniq + Hostname: + complex: + accessor: Hostname + root: Endpoint + transformers: + - operator: uniq + IP: + complex: + accessor: Address + root: IP + transformers: + - operator: uniq + InternalRange: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: 
RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join + MD5: + complex: + accessor: MD5 + root: File + transformers: + - operator: uniq + ResolveIP: + simple: 'False' + SHA1: + complex: + accessor: SHA1 + root: File + transformers: + - operator: uniq + SHA256: + complex: + accessor: SHA256 + root: File + transformers: + - operator: uniq + URL: + complex: + accessor: Data + root: URL + transformers: + - operator: uniq + URLSSLVerification: + simple: 'False' + UseReputationCommand: + simple: 'False' + Username: + complex: + accessor: Username + root: Account + transformers: + - operator: uniq + separatecontext: true + skipunavailable: false + task: + brand: '' + description: '' + id: e5de4f38-3bf6-44f0-8201-33290ea15e58 + iscommand: false + name: Entity Enrichment - Generic v3 + playbookName: Entity Enrichment - Generic v3 + type: playbook + version: -1 + taskid: e5de4f38-3bf6-44f0-8201-33290ea15e58 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 607.5,\n \"y\": 440\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"36_38_#default#\": 0.33,\n \"36_42_yes\"\ + : 0.37,\n \"53_57_No Quarantine\": 0.38,\n \"74_67_#default#\": 0.15\n },\n\ + \ \"paper\": {\n \"dimensions\": {\n \"height\": 3765,\n \"width\"\ + : 1920,\n \"x\": -250,\n \"y\": -230\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml new file mode 100644 index 00000000000..475ce84de30 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml 
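Review bot: Task '75' builds the endpoint shell command `crontab -u ${alert.username.[0]} -l` by interpolating an alert field directly into the command string, so a username value carrying shell metacharacters would run on the host through `core-run-script-execute-commands`. At minimum quote the value, `simple: crontab -u '${alert.username.[0]}' -l`, and preferably add a condition task ahead of '75' that matches the field against a strict username pattern and routes anything else to the manual '73' message instead of the endpoint. Task '46' sets `continueonerror: true` with no `#error#` branch, so a failed terminate-causality is silent and the flow still reaches quarantine and the True Positive close in '66' without recording that the process may still be running. Task '77' only inspects the per-user crontab returned by '75', so a job placed in `/etc/crontab` or `/etc/cron.d` would leave `${SuspiciousCronjob}` empty in the '73' message; the '81' query also lists `"Adding execution privileges"` twice, mirroring the duplicated line in the playbook description.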
@@ -0,0 +1,797 @@ +description: 'This playbook handles "Suspicious process execution by scheduled task + on a sensitive server" alerts. + + + Playbook Stages: + + + Analysis: + + + - Checks the suspicious process reputation. + + + Investigation: + + + - Searches for related XSIAM agent alerts to identify any malicious activity on + the server. + + + Remediation: + + + If the suspicious process reputation is malicious, or if a related alert is found, + the following remediation actions will be taken: + + + - Disable the scheduled task responsible for executing the process. + + - Terminate the malicious process. + + - Automatically Close the alert.' +fromversion: 8.9.0 +id: silent-Suspicious process execution by scheduled task on a sensitive server Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Suspicious process execution by scheduled task on a sensitive server + Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -220\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n 
\"position\": {\n \"x\": 450,\n \"y\": 205\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Suspicious process execution by + scheduled task on a sensitive server" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 408e1d97-c97e-439e-80d9-c4a4e8b20cfa + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 408e1d97-c97e-439e-80d9-c4a4e8b20cfa + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2380\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8d184163-2d17-405f-8c45-17395f67790f + iscommand: false + name: Done + type: title + version: -1 + taskid: 8d184163-2d17-405f-8c45-17395f67790f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2550\n }\n}" + '2': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.targetprocesssha256 + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '3' + note: false + quietmode: 0 + 
separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict based on the process reputation. + + ' + id: 2d5e9ca0-0a58-419b-809f-408f67e88427 + iscommand: false + name: Check if the process has a malicious reputation + type: condition + version: -1 + taskid: 2d5e9ca0-0a58-419b-809f-408f67e88427 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 340\n }\n}" + '21': + continueonerror: true + continueonerrortype: errorPath + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '37' + '#none#': + - '40' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell -Command "$ActionPath = '${alert.targetprocesscmd.[0]}'; + $tasks = Get-ScheduledTask | Where-Object { $_.Actions | Where-Object { + $_.Execute -eq $ActionPath } }; if ($tasks -or $tasks.Count -gt 0) { $tasks + | ForEach-Object { Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName + $_.TaskName; Write-Host 'The task ' + $_.TaskName + ' has been disabled + successfully.' } } else { Write-Host 'No tasks found running the action + at ' + $ActionPath }" + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'The script locates and disables the malicious scheduled task. + + ' + id: 4441878b-6246-43e1-89e9-2d39529ab7d1 + iscommand: true + name: Run script to locate and disable the malicious scheduled task. 
+ script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 4441878b-6246-43e1-89e9-2d39529ab7d1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1200\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.actionprocessinstanceid + root: foundIncidents.CustomFields + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + Blocked: + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the incident's alerts for an alert that blocked the causality + using the agent. + id: c949acc9-c497-4818-8560-69c5c4044f39 + iscommand: false + name: Check if the causality was blocked by the agent + type: condition + version: -1 + taskid: c949acc9-c497-4818-8560-69c5c4044f39 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1870\n }\n}" + '29': + continueonerror: true + continueonerrortype: errorPath + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '38' + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.actionprocessinstanceid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + XSIAM 2.4. 
+ id: a6a1e05b-54c2-4fbd-891c-4089c958040d + iscommand: true + name: Terminate Causality - Action Process + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: a6a1e05b-54c2-4fbd-891c-4089c958040d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 2040\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1070\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook did not successfully disable the scheduled task responsible for + executing the suspicious process. 
+ + + Please manually identify and disable the scheduled task with the following + execution path: ${alert.targetprocesscmd.[0]}' + id: 17d5b08e-68f9-4099-8de8-29df0394f8f9 + iscommand: false + name: Disable the malicious scheduled task manually + type: regular + version: -1 + taskid: 17d5b08e-68f9-4099-8de8-29df0394f8f9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 1700\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook couldn''t terminate the process: ${alert.targetprocessname} + + + Please terminate the process manually if possible. ' + id: 95f5747a-f209-47b2-855c-9035ae5fa433 + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 95f5747a-f209-47b2-855c-9035ae5fa433 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 20,\n \"y\": 2210\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + file: + simple: ${alert.targetprocesssha256} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the file reputation of the specified hash. 
+ id: 1e47b57c-e541-4f30-8de2-d17a7d4d22ed + iscommand: true + name: Check the process reputation + script: '|||file' + type: regular + version: -1 + taskid: 1e47b57c-e541-4f30-8de2-d17a7d4d22ed + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 40\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 684f7170-5892-477b-8eae-47b5d3143493 + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 684f7170-5892-477b-8eae-47b5d3143493 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1370\n }\n}" + '41': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: '--------' + label: 'yes' + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '37' + 'yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 729a62c7-ddec-4f8f-829b-0ea4266ca887 + iscommand: false + name: Has the script disabled the task successfully? 
+ type: condition + version: -1 + taskid: 729a62c7-ddec-4f8f-829b-0ea4266ca887 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1530\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 66bdcd2f-9d8b-435a-8b3a-b2896c694ac1 + iscommand: false + name: Done + type: title + version: -1 + taskid: 66bdcd2f-9d8b-435a-8b3a-b2896c694ac1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 1360\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '39' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: edb87387-6638-4845-84b3-ead6433e8f54 + iscommand: false + name: Analysis + type: title + version: -1 + taskid: edb87387-6638-4845-84b3-ead6433e8f54 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -90\n }\n}" + '44': + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Dear Analyst, + + + The playbook did not identify any related alerts indicating malicious process + execution, and the file reputation is not flagged as malicious. + + + Please review the alert to determine if remediation actions are necessary, + such as disabling the scheduled task and terminating the process, or if + the alert should be closed as a false positive. 
+ + ' + cc: null + format: '' + methods: [] + replyOptions: + - Remediation + - False Positive + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + False Positive: + - '5' + Remediation: + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst review is required to determine whether to take remediation + actions, such as disabling the scheduled task and terminating the process + if malicious, or to close the alert as a false positive. + id: 2d8044c7-5bce-4043-84f2-5044da195500 + iscommand: false + name: Analyst decision to proceed with remediation actions + type: condition + version: -1 + taskid: 2d8044c7-5bce-4043-84f2-5044da195500 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 880,\n \"y\": 880\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: False Positive + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 1070\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + 
description: 'This task searches for Cortex XSIAM related alerts to the current + incident. + + ' + id: 1af6e23e-8c24-4a76-8cc8-7959b9b6fb1f + iscommand: false + name: Get Incident related alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 1af6e23e-8c24-4a76-8cc8-7959b9b6fb1f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 720,\n \"y\": 525\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.sourceBrand + operator: isEqualString + right: + value: + simple: TRAPS + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.categoryname + operator: isEqualString + right: + value: + simple: Malware + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '44' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the alert contains agent alerts indicating that + the alert was part of an attack pattern. + id: 8f551570-3805-49d7-879a-cae5facbe566 + iscommand: false + name: Found any alerts indicating a malicious process execution? 
+ type: condition + version: -1 + taskid: 8f551570-3805-49d7-879a-cae5facbe566 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 720,\n \"y\": 690\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: False Positive + closeReason: + simple: Resolved - Handled by the playbook "Suspicious process execution by + scheduled task on a sensitive server" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 4ddeb53e-ca31-47cf-8a68-30b6fd21e81c + iscommand: true + name: Close Alert - False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4ddeb53e-ca31-47cf-8a68-30b6fd21e81c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 1200\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"21_37_#error#\": 0.53,\n \"27_13_Blocked\"\ + : 0.34,\n \"29_38_#error#\": 0.49,\n \"2_3_yes\": 0.29,\n \"41_27_yes\"\ + : 0.4,\n \"44_3_Remediation\": 0.39,\n \"44_5_False Positive\": 0.4,\n \ + \ \"8_3_yes\": 0.49,\n \"8_44_#default#\": 0.59\n },\n \"paper\": {\n \"\ + dimensions\": {\n \"height\": 2835,\n \"width\": 1560,\n \"x\": 20,\n\ + \ \"y\": -220\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml new file mode 100644 index 00000000000..3895114510c --- /dev/null 
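Review bot: Task '21' builds the remediation PowerShell by interpolating `${alert.targetprocesscmd.[0]}` — the command line of the very process the attacker's scheduled task launched — straight into a single-quoted literal inside `powershell -Command "..."`, so a `'` or `"` in that command line breaks out of the literal and the remainder is executed by the agent (typically as SYSTEM) on the sensitive server. Escape the value before it reaches the script, e.g. a `replace` transformer on the `commands` argument that turns `'` into `''` and drops `"`, or pass it base64-encoded and decode it inside the script. Comparing `$_.Execute` (an executable path) with a full command line is also likely to miss whenever arguments are present, so a path-only alert field, if one is available, would be the better match key. Separately, after the `#error#` branch through task '37' the flow still reaches task '13' and closes the alert as "Resolved" while the persistence is still in place; routing that path to an analyst decision instead of `closeInvestigation` would be safer.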
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml 
@@ -0,0 +1,840 @@ +description: "This playbook addresses the following alerts:\n \n- Uncommon creation\ + \ or access operation of sensitive shadow copy by a high-risk process\n \nPlaybook\ + \ Stages:\n \nTriage: \n \n- Check if the causality process image (CGO) is signed\ + \ or not\n \nInvestigation:\n \n- If CGO is unsigned:\n - Check the CGO process\ + \ prevalence\n - Check if the process image path is common\n- If CGO is signed:\n\ + \ - Check process image name\n - Check initiating process image name\n - Check\ + \ if username is SYSTEM\n - Check if host is a server\n - Check for previous similar\ + \ alert closed as False Positive\n \nContainment:\n \n- Terminate causality process\ + \ (CGO) process - when a signed high-risk process or an unsigned process from an\ + \ uncommon path attempting to create or access sensitive shadow copy data." +fromversion: 8.9.0 +id: silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk + process Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk + process Test +outputs: [] +starttaskid: '0' +tags: +- T1003 - OS Credential Dumping +- TA0006 - Credential Access +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 702ceef5-880a-4344-8843-15c70b9f776f + iscommand: false + name: '' + version: -1 + taskid: 702ceef5-880a-4344-8843-15c70b9f776f + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": -385\n }\n}" + '10': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: VSSVC.exe + - - ignorecase: true + left: + iscontext: 
true + value: + simple: alert.username + operator: containsString + right: + value: + simple: SYSTEM + label: 'yes' + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 94c093a8-954a-4f10-85ef-1d1d6722367c + iscommand: false + name: Check actor_process_image_name VSSVC.exe & username SYSTEM + type: condition + version: -1 + taskid: 94c093a8-954a-4f10-85ef-1d1d6722367c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 555\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d79d5426-6060-414b-8771-82dab80acfb8 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: d79d5426-6060-414b-8771-82dab80acfb8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 1110\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fa876d07-2376-4c1b-8c18-65a7cd3d512e + iscommand: false + name: Inconclusive + type: title + version: -1 + taskid: fa876d07-2376-4c1b-8c18-65a7cd3d512e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 1090\n }\n}" + '13': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: mmc.exe + - - ignorecase: true + left: + iscontext: 
true + value: + simple: alert.agentossubtype + operator: containsString + right: + value: + simple: Server + label: 'yes' + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '15' + 'yes': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6775c20-09f1-42a1-86dd-edcf030bf185 + iscommand: false + name: Check CGO image name is mmc.exe & OS is server + type: condition + version: -1 + taskid: b6775c20-09f1-42a1-86dd-edcf030bf185 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 385\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4e71e24a-0071-4d1c-8b0e-aba35683d33f + iscommand: false + name: Common False Positive behavior + type: title + version: -1 + taskid: 4e71e24a-0071-4d1c-8b0e-aba35683d33f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 1090\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e2cb2f95-a439-4b77-871b-5104add62100 + iscommand: false + name: Inconclusive + type: title + version: -1 + taskid: e2cb2f95-a439-4b77-871b-5104add62100 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 555\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: '' + id: a1588134-cd1e-4479-884a-66526f8f2604 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: a1588134-cd1e-4479-884a-66526f8f2604 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 860\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. + id: 4716fbae-6a4a-44ff-8abd-46cc28455231 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 4716fbae-6a4a-44ff-8abd-46cc28455231 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 70\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Found common false positive behavior or previous similar alerts closed + as False Positive. 
+ closeReason: + simple: Resolved - Handled by the playbook "Uncommon creation or access operation + of sensitive shadow copy by a high-risk process" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 654152a7-b8e4-4d43-8a75-fc1153122d9f + iscommand: true + name: Close Alert - False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 654152a7-b8e4-4d43-8a75-fc1153122d9f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 1230\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 483ab1ce-e4ce-4a97-8952-22d5be91e79e + iscommand: false + name: Done + type: title + version: -1 + taskid: 483ab1ce-e4ce-4a97-8952-22d5be91e79e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 1760\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious Process attempted to create or access ShadowCopy + closeReason: + simple: Resolved - Handled by the playbook "Suspicious access to shadow file" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: 3dc743ae-6b2f-40e2-8186-3cc1c120a50d + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 3dc743ae-6b2f-40e2-8186-3cc1c120a50d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 1590\n }\n}" + '26': + continueonerror: true + continueonerrortype: errorPath + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '27' + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. + id: 17338ce2-c9a1-4e55-89d8-c380573be240 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 17338ce2-c9a1-4e55-89d8-c380573be240 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 107.5,\n \"y\": 1240\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to terminate the causality + process: ${alert.cgoname} + + Please investigate this before closing this alert. 
+ + ' + id: 2ed915fc-31b3-4f83-84d2-e9a0e2f08c83 + iscommand: false + name: Terminate Causality Process Manually + type: regular + version: -1 + taskid: 2ed915fc-31b3-4f83-84d2-e9a0e2f08c83 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -110,\n \"y\": 1420\n }\n}" + '28': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatorpath + operator: notContainsString + right: + value: + simple: C:\Program Files + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatorpath + operator: notContainsString + right: + value: + simple: C:\Windows + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: Uncommon-Path + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '15' + Uncommon-Path: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cf4eaf8d-b284-4184-82b0-c23a4e624c86 + iscommand: false + name: Check if process path is common & causality process is prevalent + type: condition + version: -1 + taskid: cf4eaf8d-b284-4184-82b0-c23a4e624c86 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 385\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 2 + scriptarguments: + fromdate: + simple: 30 days ago + name: + simple: ${alert.name} + query: + simple: name:"Uncommon creation or access operation of sensitive shadow copy + by a high-risk process" and resolution_status:*False*Positive* and cgo_name:${alert.cgoname.[0]} + and initiatedby:${alert.initiatedby.[0]} + separatecontext: false + skipunavailable: 
false + task: + brand: '' + description: 'Finds past similar alerts based on alert fields'' similarity. + + ' + id: 9f7dc92f-e3a0-4293-83e8-9a3c8151ebc9 + iscommand: false + name: Check if Previous Similar Alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 9f7dc92f-e3a0-4293-83e8-9a3c8151ebc9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 685\n }\n}" + '30': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + 'yes': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 21611b1a-4209-446e-83c9-26a2765062b1 + iscommand: false + name: Check if Previous Alerts Closed as False Positive + type: condition + version: -1 + taskid: 21611b1a-4209-446e-83c9-26a2765062b1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 845\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b9a90c8e-ca78-4778-80ff-a9d845994475 + iscommand: false + name: Triage + type: title + version: -1 + taskid: b9a90c8e-ca78-4778-80ff-a9d845994475 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": -240\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + process_name: + simple: ${alert.cgoname} + separatecontext: false + skipunavailable: false + task: + 
brand: '' + description: Get the prevalence of a process, identified by process_name. + id: fca6bd1f-3bac-4832-8590-38184d577db3 + iscommand: true + name: Get Causality process prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: fca6bd1f-3bac-4832-8590-38184d577db3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 210\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b289c1f0-975c-4375-8359-6da2b9599a77 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: b289c1f0-975c-4375-8359-6da2b9599a77 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 70\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: CGO-Signed + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + CGO-Signed: + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8c57cacd-97c2-424a-827d-c38fb9eaf53d + iscommand: false + name: Check if CGO is signed + type: condition + version: -1 + taskid: 8c57cacd-97c2-424a-827d-c38fb9eaf53d + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": -105\n }\n}" + '7': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: powershell.exe + label: powershell.exe + - condition: + - - ignorecase: true + left: + 
iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: cmd.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: rundll32.exe + label: cmd.exe|rundll32.exe + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + cmd.exe|rundll32.exe: + - '10' + powershell.exe: + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a297376c-f25a-4276-8808-f4d82539a7a9 + iscommand: false + name: Check CGO image name + type: condition + version: -1 + taskid: a297376c-f25a-4276-8808-f4d82539a7a9 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 210\n }\n}" + '9': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: powershell.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: cmd.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: esentutl.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: ntdsutil.exe + label: powershell.exe|ntdsutil.exe|esentutl.exe|cmd.exe + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '10' + powershell.exe|ntdsutil.exe|esentutl.exe|cmd.exe: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 972c8b30-67cc-4544-8206-347b4eae0170 + iscommand: false + name: Check 
actor_process_image_name + type: condition + version: -1 + taskid: 972c8b30-67cc-4544-8206-347b4eae0170 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 385\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_yes\": 0.38,\n \"10_12_#default#\"\ + : 0.4,\n \"26_27_#error#\": 0.57,\n \"30_12_#default#\": 0.33,\n \"7_10_cmd.exe|rundll32.exe\"\ + : 0.42,\n \"7_13_#default#\": 0.51,\n \"7_9_powershell.exe\": 0.65,\n \"\ + 9_11_powershell.exe|ntdsutil.exe|esentutl.exe|cmd.exe\": 0.34\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 2210,\n \"width\": 1920,\n \ + \ \"x\": -210,\n \"y\": -385\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml new file mode 100644 index 00000000000..27e6fd24254 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml 
@@ -0,0 +1,634 @@ +contentitemexportablefields: + contentitemfields: {} +description: "This playbook handles \"Uncommon execution of ODBCConf\" alerts.\n\n\ + Playbook Stages:\n\nAnalysis:\nDuring the analysis, the playbook will perform the\ + \ following:\n\n- Checks if the causality process (CGO) is signed and prevalent.\n\ + - Checks for the host's risk score.\n\nIf the CGO process is not signed and not\ + \ prevalent, or if either of these conditions is met in addition to having a high-risk\ + \ score, the playbook proceeds with remediation actions. Otherwise, it will continue\ + \ to the investigation phase.\n\nInvestigation:\nDuring the alert investigation,\ + \ the playbook will perform the following:\n\nSearches for related Cortex XSIAM\ + \ alerts and insights on the same causalities chains by specific alert names : \ + \ \n- Evasion Technique - 3048798454\n- An uncommon LOLBIN added to startup-related\ + \ Registry keys\n- Behavioral Threat\n- An uncommon file was created in the startup\ + \ folder\n- Unsigned process running from a temporary directory\n- Execution From\ + \ a Restricted Location\n- Execution of an uncommon process with a local/domain\ + \ user SID at an early startup stage by Windows system binary - Explorer CGO\n\n\ + The playbook determines the appropriate verdict. If related alerts are found, it\ + \ proceeds to remediation actions. In case of related insights are found ,and one\ + \ of the following is met: the host score is listed as high or the CGO process is\ + \ not prevalent, it will proceed to remediation actions. Otherwise, it closes the\ + \ alert with the following message: \"No indication of malicious activity was found\"\ + .\n\n\nRemediation: \n\n- Automatically terminate the causality process.\n- Automatically\ + \ Close the alert." 
+fromversion: 8.9.0 +id: silent-Uncommon execution of ODBCConf Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Uncommon execution of ODBCConf Test +outputs: [] +starttaskid: '0' +system: true +tags: +- 'T1218.008 - System Binary Proxy Execution: Odbcconf' +- TA0005 - Defense Evasion +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ccc98587-c43d-4666-8b85-c27092f73e1a + iscommand: false + name: '' + version: -1 + taskid: ccc98587-c43d-4666-8b85-c27092f73e1a + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -190\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + process_name: + simple: ${alert.cgoname} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by the process_name. 
+ id: d6d828b0-4213-478a-84e4-56ab20a4ce74 + iscommand: true + name: Check if the causality process is prevalent + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: d6d828b0-4213-478a-84e4-56ab20a4ce74 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": -52\n }\n}" + '10': + continueonerror: true + continueonerrortype: errorPath + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '7' + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available for Cortex + XSIAM 2.4 and above. + id: 2f2ea69d-4ed3-404f-869e-8d0f824d82e6 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 2f2ea69d-4ed3-404f-869e-8d0f824d82e6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1320\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + host_id: + simple: ${alert.hostname} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 94c0909f-061e-47d4-88e4-82fd6440f9cd + iscommand: true + name: Get Host's Risk Score + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: 94c0909f-061e-47d4-88e4-82fd6440f9cd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 671,\n \"y\": -52\n }\n}" + '12': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the host risk score was retrieved. + id: bcca051a-ab0b-4b59-8846-c6b7238fe153 + iscommand: false + name: Is There a Host Risk Score? + type: condition + version: -1 + taskid: bcca051a-ab0b-4b59-8846-c6b7238fe153 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 240\n }\n}" + '13': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: High + label: Malicious + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + Malicious: + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 
Checks if the host risk score is "High" and the CGO isn't prevalent + or unsigned. + id: e200ea58-debd-4d02-ad61-eef4808cce89 + iscommand: false + name: Is the Host Risk Score High and is the CGO not prevalent or unsigned + type: condition + version: -1 + taskid: e200ea58-debd-4d02-ad61-eef4808cce89 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 420\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 5 Hours Ago + includeinformational: + simple: 'true' + query: + simple: "(cid:${alert.cid.[0]} or actorprocessinstanceid:${alert.cid.[0]}\ + \ or actionprocessinstanceid:${alert.cid.[0]} or actorprocessinstanceid:${alert.actorprocessinstanceid.[0]}\ + \ or actionprocessinstanceid:${alert.actorprocessinstanceid.[0]}) AND (name:\"\ + Evasion Technique - 3048798454\" OR \nname:\"An uncommon LOLBIN added to\ + \ startup-related Registry keys\" OR name:\"Behavioral Threat\" OR\nname:\"\ + An uncommon file was created in the startup folder\" OR \nname:\"Unsigned\ + \ process running from a temporary directory\" OR \nname:\"Execution From\ + \ a Restricted Location\" OR name:\"Execution of an uncommon process with\ + \ a local/domain user SID at an early startup stage by Windows system binary\ + \ - Explorer CGO\")" + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches Cortex XSIAM alerts. A summarized version of this scripts + is available with the summarizedversion argument. 
+ id: 7ce3bc2a-81a0-42e7-8d82-c6f35d296cbf + iscommand: false + name: Check For Specific Alerts By CGO + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 7ce3bc2a-81a0-42e7-8d82-c6f35d296cbf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 610\n }\n}" + '15': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + label: Related Alerts + - condition: + - - left: + iscontext: true + value: + simple: Insights.Contents.data.name + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: risk_level + root: Core.RiskyHost + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: 'false' + operator: SetIfEmpty + operator: isEqualString + right: + value: + simple: High + - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: Related Insights + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + Related Alerts: + - '4' + Related Insights: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task checks if any related alerts or Insights were found. + id: 479b74ff-7b0c-4e72-8abb-e037908adbc1 + iscommand: false + name: Found any related alerts or Insights? 
+ type: condition + version: -1 + taskid: 479b74ff-7b0c-4e72-8abb-e037908adbc1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 790\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 07941cf5-7b9b-445c-8034-9f73fed3a7a7 + iscommand: false + name: Related Insights + type: title + version: -1 + taskid: 07941cf5-7b9b-445c-8034-9f73fed3a7a7 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 790,\n \"y\": 1030\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: Malicious + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Malicious: + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the causality process is not prevalent and unsigned. 
+ id: e4ef5f69-4552-4de2-b9fa-3c00f70a2e7f + iscommand: false + name: Check if the causality process is not prevalent and not signed + type: condition + version: -1 + taskid: e4ef5f69-4552-4de2-b9fa-3c00f70a2e7f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 70\n }\n}" + '4': + continueonerror: true + continueonerrortype: errorPath + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available for Cortex + XSIAM 2.4 and above. + id: 765fe8d2-bdd1-4be4-8a98-48c82c984a70 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 765fe8d2-bdd1-4be4-8a98-48c82c984a70 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1170\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious activity detected - Alert was remediated + closeReason: + simple: Resolved - True Positive + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert as a True Positive. 
+ id: bd9cacdf-4ffb-44e7-81b4-7d958cb76986 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: bd9cacdf-4ffb-44e7-81b4-7d958cb76986 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1700\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: deab0d59-be1c-454b-8043-540b7456529e + iscommand: false + name: Done + type: title + version: -1 + taskid: deab0d59-be1c-454b-8043-540b7456529e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1870\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the remediation process, the playbook\ + \ couldn\u2019t terminate the process: ${alert.cgoname}\n\nPlease terminate\ + \ the process manually if possible." + id: 8d7bf580-9887-46c9-85bc-05eab9fad48f + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 8d7bf580-9887-46c9-85bc-05eab9fad48f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 1482\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No indication of malicious activity was found. Closed automatically + without any further action. 
+ closeReason: + simple: Resolved - False Positive + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert as a False Positive. + id: 5b00bf39-f41c-4580-8ee8-a7eb6546221f + iscommand: true + name: Close Alert - No malicious activity was found + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 5b00bf39-f41c-4580-8ee8-a7eb6546221f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1062,\n \"y\": 1700\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6bb015bc-9dc9-4669-8e89-17a7be7c0a70 + iscommand: false + name: No malicious activity was found + type: title + version: -1 + taskid: 6bb015bc-9dc9-4669-8e89-17a7be7c0a70 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1062,\n \"y\": 1170\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_7_#error#\": 0.45,\n \"15_16_Related\ + \ Insights\": 0.42,\n \"15_4_Related Alerts\": 0.65\n },\n \"paper\": {\n \ + \ \"dimensions\": {\n \"height\": 2120,\n \"width\": 1223,\n \"\ + x\": 220,\n \"y\": -190\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml new file mode 100644 index 00000000000..6a0e7f52dd2 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml 
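Review bot: When `core-terminate-causality` in task '10' fails, the `#error#` path goes to task '7' (a plain note asking the analyst to terminate manually) and then straight into task '5', which closes the alert with `closeNotes: Malicious activity detected - Alert was remediated` — so a silent run records the alert as remediated even though nothing was terminated. Either route the error path to its own close task whose notes state the outcome, e.g. `closeNotes: simple: Malicious activity detected - automatic termination failed, manual termination requested` (constructed wording), or keep the `#error#` branch open so the alert is not auto-closed. Relatedly, task '4' is a `title` task but carries `continueonerror: true`, `continueonerrortype: errorPath` and the `core-terminate-causality` description copied from task '10' with no `#error#` successor; dropping those three fields and setting `description: ''` like the other title tasks ('16', '6', '9') avoids a misleading error branch. Task '5' also selects the alert id via `complex: accessor: id root: alert` while task '8' uses `simple: ${alert.id}`; one form for both would be more consistent.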
@@ -0,0 +1,1324 @@ +contentitemexportablefields: + contentitemfields: {} +description: "This playbook handles \"Uncommon remote scheduled task created\" alerts.\n\ + \nPlaybook Stages:\n\nAnalysis:\n\n- The playbook checks if the remote IP is external\ + \ or has a bad reputation.\n\nInvestigation:\nDuring the alert investigation, the\ + \ playbook will perform the following:\n\n- Searches for related XSIAM alerts on\ + \ the endpoint that use the following MITRE techniques to identify malicious activity:\ + \ T1202 - Indirect Command Execution, T1021 - Remote Services.\n- Searches for related\ + \ XSIAM agent alerts on the remote endpoint, to determine if the creation of the\ + \ scheduled task is part of an attack pattern.\n- Searches for suspicious command-line\ + \ parameters indicating a malicious scheduled task.\n\nRemediation:\n\n- Automatically\ + \ disable the malicious scheduled task.\n- Block the malicious IP (requires analyst\ + \ approval).\n- Automatically Close the alert.\n\nRequirements:\n\nFor response\ + \ actions, the following integrations are required: \n\n- PAN-OS." 
+fromversion: 8.9.0 +id: silent-Uncommon remote scheduled task created Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Uncommon remote scheduled task created Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -440\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 520\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Uncommon remote scheduled task + created" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: cbb88a25-3267-48dc-8423-605dbeb295a0 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: cbb88a25-3267-48dc-8423-605dbeb295a0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3840\n }\n}" + '14': + continueonerror: true + continueonerrortype: errorPath + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '22' + '#none#': + - '69' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe schtasks /change /tn "${Core.OriginalAlert.event.scheduled_task_path}" + /disable + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Disable the malicious scheduled task by executing shell commands. + id: bb3ed083-823b-4e17-8494-16ec6bc49b2a + iscommand: true + name: Disable the malicious scheduled task + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: bb3ed083-823b-4e17-8494-16ec6bc49b2a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2650\n }\n}" + '17': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether a malicious IP is detected and requires blocking. 
+ id: 47529ac8-a0ed-4d35-8019-a8b679181f22 + iscommand: false + name: Is there a malicious IP to block? + type: condition + version: -1 + taskid: 47529ac8-a0ed-4d35-8019-a8b679181f22 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3360\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: 'no' + label: 'Yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '1' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict if the task was created from + an external IP address. + + + Remote scheduled tasks created from an external IP address may indicate unauthorized + access or malicious activity. Legitimate remote scheduled tasks should be + created from trusted internal sources. If the task is created from an external + IP, the playbook will proceed with remediation actions; otherwise, it will + continue investigating the alert.' 
+ id: eae7099d-0e36-4442-8d50-a5e79d067791 + iscommand: false + name: Check whether the remote IP is external + type: condition + version: -1 + taskid: eae7099d-0e36-4442-8d50-a5e79d067791 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 350\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' 
+ id: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00 + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 3660\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process the playbook failed to disable the scheduled + task: ${Core.OriginalAlert.event.scheduled_task_path} + + + Please manually disable this scheduled task.' + id: 25929bfd-f6cd-43f9-87cd-8d0c0caf677d + iscommand: false + name: Disable the malicious scheduled task manually + type: regular + version: -1 + taskid: 25929bfd-f6cd-43f9-87cd-8d0c0caf677d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 3180\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c5219f31-047d-4cee-888e-f7c63909a296 + iscommand: false + name: Block Malicious IP + type: title + version: -1 + taskid: c5219f31-047d-4cee-888e-f7c63909a296 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 3530\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + 
timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 4000\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. + id: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + iscommand: true + name: Get scheduled task details + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -305\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + scriptarguments: + Commandline: + simple: ${Core.OriginalAlert.event.scheduled_task_image_command_line} + StringSimilarityThreshold: + simple: '0.5' + separatecontext: true + skipunavailable: false + task: + brand: '' + description: '' + id: fc12c772-ab66-433e-85e8-d1a3d8daadcb + iscommand: false + name: Command-Line Analysis + playbookName: Command-Line Analysis + type: playbook + version: -1 + taskid: fc12c772-ab66-433e-85e8-d1a3d8daadcb + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1640\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '68' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6d11f6e-a28a-459a-8004-bec570e4b02a + iscommand: false + name: Analysis + type: title + 
version: -1 + taskid: b6d11f6e-a28a-459a-8004-bec570e4b02a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -130\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2510\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + iscommand: false + name: Investigation on remote host + type: title + version: -1 + taskid: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1010\n }\n}" + '31': + continueonerror: true + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 1 day ago + ignore-outputs: + simple: 'false' + query: + simple: agent_ip_addresses:${Core.OriginalAlert.event.actor_remote_ip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for XSIAM agent related alerts on the remote + endpoint from the past 24 hours, if an agent is installed. 
+ id: 58967e13-7736-4385-858d-85a8966dacd3 + iscommand: false + name: Search for related alerts on the remote host + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 58967e13-7736-4385-858d-85a8966dacd3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1145\n }\n}" + '32': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.sourceBrand + operator: isEqualString + right: + value: + simple: TRAPS + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.categoryname + operator: isEqualString + right: + value: + simple: Malware + label: 'yes' + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '56' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines if there are agent alerts on the remote host indicating + that the alert was part of an attack pattern. + id: 789cf6e0-eded-4b32-8108-8091409a2537 + iscommand: false + name: Found any alerts of malicious activity on the remote host? 
+ type: condition + version: -1 + taskid: 789cf6e0-eded-4b32-8108-8091409a2537 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1320\n }\n}" + '38': + continueonerror: true + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.OriginalAlert.event.actor_remote_ip + operator: notContainsGeneral + right: + value: + simple: '::' + root: Core.OriginalAlert.event.actor_remote_ip + ipRanges: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns yes if the IP is in one of the ranges provided, returns + no otherwise. 
+ id: 7272972f-d88b-484d-897b-61c0fce7def0 + iscommand: false + name: Determine whether the remote IP address is internal or external + scriptName: IsIPInRanges + type: regular + version: -1 + taskid: 7272972f-d88b-484d-897b-61c0fce7def0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 180\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '71' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5ba5e082-b8f3-413f-89f6-40261ef6a811 + iscommand: false + name: Analyst Decision + type: title + version: -1 + taskid: 5ba5e082-b8f3-413f-89f6-40261ef6a811 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2030\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fb2896f9-3c9e-4e1f-8d40-db749410a130 + iscommand: false + name: False Positive + type: title + version: -1 + taskid: fb2896f9-3c9e-4e1f-8d40-db749410a130 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2550\n }\n}" + '44': + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: False Positive + closeReason: + simple: Resolved - Handled as False Positive by the playbook "Uncommon remote + scheduled task created" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 86404fb8-c406-4ba8-89c3-508c91daaa5b + iscommand: true + name: Close Alert - 
False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 86404fb8-c406-4ba8-89c3-508c91daaa5b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2690\n }\n}" + '45': + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2329c33f-d84f-4b85-8a5a-08264d5756ae + iscommand: false + name: Done + type: title + version: -1 + taskid: 2329c33f-d84f-4b85-8a5a-08264d5756ae + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2850\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + iscommand: false + name: Done + type: title + version: -1 + taskid: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 2400\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: (mitreattcktechnique:*T1202* or mitreattcktechnique:*T1021* or name:"WildFire + Malware") and -name:"Uncommon remote scheduled task created" and agentid:${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches by MITRE technique for suspicious related alerts + that may indicate a compromised endpoint. 
+ + Focus on identifying alerts associated with the following MITRE techniques + from the last 3 hours: + + - T1202 - Indirect Command Execution + + - T1021 - Remote Services + + + And the following alert: + + - "WildFire Malware" + + + ' + id: 4373ba97-486c-4617-8298-86a924dc5ca8 + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 4373ba97-486c-4617-8298-86a924dc5ca8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 650\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 2030\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + iscommand: false + name: Command-line Investigation + type: title + version: -1 + taskid: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1510\n }\n}" + '66': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandlineVerdict.AMSI + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: CommandlineVerdict.maliciousTools + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.networkActivity + 
operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousLolbinExecution + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousCmdPathAndArguments + operator: isNotEmpty + label: Malicious Cmd parameters + - condition: + - - left: + iscontext: true + value: + simple: CommandlineVerdict.base64 + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.suspiciousParameters + operator: isNotEmpty + label: Suspicious Cmd parameters + continueonerrortype: '' + id: '66' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + Malicious Cmd parameters: + - '3' + Suspicious Cmd parameters: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the results of the + command-line analysis. + id: f5c5e77b-66e5-465a-8773-c1d20a200bfa + iscommand: false + name: Found any malicious or suspicious cmd parameters? 
+ type: condition + version: -1 + taskid: f5c5e77b-66e5-465a-8773-c1d20a200bfa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1800\n }\n}" + '67': + continueonerrortype: '' + id: '67' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Dear Analyst,\n\nDuring the remediation process the playbook executed\ + \ a shell command to disable the following scheduled task: \n${Core.OriginalAlert.event.scheduled_task_path}\n\ + \n" + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to war room (Markdown supported) + id: e7cb4db3-f70e-4474-8ae5-1ad159731138 + iscommand: false + name: Notify to War Room - Scheduled Task Disabled + scriptName: Print + type: regular + version: -1 + taskid: e7cb4db3-f70e-4474-8ae5-1ad159731138 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3180\n }\n}" + '68': + continueonerrortype: '' + id: '68' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + ip: + simple: ${Core.OriginalAlert.event.actor_remote_ip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 661be0e9-3bb5-4a3c-8908-4586f05d54e7 + iscommand: true + name: Check remote IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 661be0e9-3bb5-4a3c-8908-4586f05d54e7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 10\n }\n}" + '69': + continueonerrortype: '' + id: '69' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2820\n }\n}" + '70': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: SUCCESS + label: 'yes' + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '67' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 1666967d-c2af-4352-82f0-0d17d99b391f + iscommand: false + name: Has the script disabled the task successfully? 
+ type: condition + version: -1 + taskid: 1666967d-c2af-4352-82f0-0d17d99b391f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2980\n }\n}" + '71': + continueonerrortype: '' + form: + description: "Dear Analyst,\n\nSummary of the investigation of the remote scheduled\ + \ task creation:\n\n- The task was created from an internal IP address.\n\ + - No related alerts were found indicating malicious activity on the endpoint\ + \ or remote endpoint.\n- No malicious command line indicators were detected.\n\ + \ \nHowever, the playbook detected suspicious arguments in the command line.\ + \ \n\nDecision Needed: " + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: 'The following command line contains suspicious parameters: + + + ${Core.OriginalAlert.event.scheduled_task_image_command_line} + + + Would you like to proceed with disabling the scheduled task, or should + this be considered a false positive? ' + options: [] + optionsarg: + - {} + - simple: Disable Schedule Task + - simple: False Positive + placeholder: '' + readonly: false + required: true + tooltip: '' + type: singleSelect + sender: '' + title: Analyst Decision to Disable Scheduled Task + totalanswers: 0 + id: '71' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: "Dear Analyst,\n\nSummary of the investigation of the remote scheduled\ + \ task creation:\n\n- The task was created from an internal IP address:\ + \ ${Core.OriginalAlert.event.actor_remote_ip}.\n- No related alerts were\ + \ found indicating malicious activity on the endpoint or remote endpoint.\n\ + - No malicious command line indicators were detected.\n \nHowever, the playbook\ + \ detected suspicious arguments in the command line. 
\nThe following command\ + \ line contains suspicious parameters:\n\n${Core.OriginalAlert.event.scheduled_task_image_command_line}\n\ + \nDecision Needed: \n\nWould you like to proceed with disabling the scheduled\ + \ task, or should this be considered a false positive?" + cc: null + format: '' + methods: [] + replyOptions: + - Disable Schedule Task + - False Positive + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '72' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst review is required to determine, based on suspicious command-line + parameters, whether to take remediation actions such as disabling the scheduled + task and blocking the IP if malicious or to close the alert as a false positive. + id: 0ae56624-11e4-4420-8245-6b62c02d8a2f + iscommand: false + name: Analyst decision for suspicious cmd parameters + type: collection + version: -1 + taskid: 0ae56624-11e4-4420-8245-6b62c02d8a2f + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2180\n }\n}" + '72': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Decision to Disable Scheduled Task.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Schedule Task + label: Disable Schedule Task + continueonerrortype: '' + id: '72' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '43' + Disable Schedule Task: + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the scheduled task should be disabled based on the analyst's + decision. + id: f12ee6de-ec1a-4c0b-872a-7653ef15891c + iscommand: false + name: Should disable schedule task based on the analyst decision? 
+ type: condition + version: -1 + taskid: f12ee6de-ec1a-4c0b-872a-7653ef15891c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2340\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '30' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the alert contains agent alerts indicating that + the alert was part of an attack pattern. + id: 287b6585-4340-4fd2-8134-6ee815f90846 + iscommand: false + name: Found any alerts indicating this is a malicious scheduled task? + type: condition + version: -1 + taskid: 287b6585-4340-4fd2-8134-6ee815f90846 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 830\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "Uncommon remote scheduled task + created" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 3444c540-601c-4417-8813-0ceacb6ec77e + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 3444c540-601c-4417-8813-0ceacb6ec77e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 2180\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"14_22_#error#\": 0.55,\n 
\"17_13_#default#\"\ + : 0.42,\n \"17_23_yes\": 0.69,\n \"2_3_Yes\": 0.12,\n \"32_3_yes\": 0.29,\n\ + \ \"66_3_Malicious Cmd parameters\": 0.36,\n \"66_41_Suspicious Cmd parameters\"\ + : 0.57,\n \"70_67_yes\": 0.52,\n \"72_3_Disable Schedule Task\": 0.42,\n \ + \ \"72_43_#default#\": 0.53,\n \"8_30_#default#\": 0.55,\n \"8_3_yes\":\ + \ 0.13\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 4505,\n \ + \ \"width\": 2060,\n \"x\": -10,\n \"y\": -440\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml new file mode 100644 index 00000000000..e45c3bc0fdf --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml 
@@ -0,0 +1,560 @@ +description: 'This playbook is designed to handle the ''Unprivileged process opened + a registry hive'' alert. + + + Playbook Stages: + + + Investigation: + + + During the alert investigation, the playbook will perform the following: + + + - Checks the prevalence of the unprivileged process that triggered the alert. + + - Checks the prevalence of the command line used by the unprivileged process. + + - Searches for additional suspicious Cortex XSIAM alerts within the same incident + in order to determine whether a remediation measure is required. + + + Remediation: + + + - To prevent malicious activity from continuing, the playbook terminates the causality + processes that triggered the alert.' +fromversion: 8.9.0 +id: silent-Unprivileged process opened a registry hive Test +inputSections: +- description: Generic group for inputs. + inputs: [] + name: General (Inputs group) +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Unprivileged process opened a registry hive Test +outputSections: +- description: Generic group for outputs. 
+ name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0006 - Credential Access +- T1552 - Unsecured Credentials +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 48d3588d-43e5-4b43-8b35-48ca384bcb15 + iscommand: false + name: '' + version: -1 + taskid: 48d3588d-43e5-4b43-8b35-48ca384bcb15 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff3d375d-21d5-461d-89f1-3afa5ba7f00b + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ff3d375d-21d5-461d-89f1-3afa5ba7f00b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 380\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + assetid: + simple: 'Resolved - False Positive + + ' + closeNotes: + simple: Resolved - Handled by the playbook "Unprivileged process opened a + registry hive" + closeReason: + simple: Resolved - True Positive + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 7842ac2c-e9a5-4b66-8fde-abd99966ae2f + iscommand: true + name: Close Alert as True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 7842ac2c-e9a5-4b66-8fde-abd99966ae2f + timertriggers: 
[] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 850\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '49' + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c787ef1f-6b33-43ec-8f2b-ef107513f04a + iscommand: false + name: Investigation + type: title + version: -1 + taskid: c787ef1f-6b33-43ec-8f2b-ef107513f04a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -445\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3200a260-eb1d-4089-8bf7-6895ea662306 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3200a260-eb1d-4089-8bf7-6895ea662306 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1020\n }\n}" + '44': + continueonerror: true + continueonerrortype: errorPath + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '62' + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + agent_id: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + causality_id: + complex: + accessor: cid + root: alert + transformers: + - operator: uniq + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. 
+ id: 041c6225-6062-47ad-86be-3b7d81f4fb19 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 041c6225-6062-47ad-86be-3b7d81f4fb19 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 510\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '53' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1003* or mitreattcktechnique:*T1036* + or mitreattcktechnique:*T1552* or mitreattcktechnique:*T1059*) + and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for Cortex XSIAM suspicious alerts related\ + \ to the current incident by Mitre Technique, indicating that the alert is\ + \ part of an attack pattern.\n\nFocus on identifying alerts associated with\ + \ the following MITRE techniques:\n- T1003 - OS Credential Dumping \n- T1036\ + \ - Masquerading \n- T1552 - Unsecured Credentials \n- T1059 - Command and\ + \ Scripting Interpreter" + id: 02cefbac-04e3-4606-8570-a778e38fb0c0 + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 02cefbac-04e3-4606-8570-a778e38fb0c0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 45\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + scriptarguments: + process_command_line: + complex: + accessor: cgocmd + root: alert 
+ transformers: + - args: + item: + iscontext: true + value: + simple: alert.osparentcmd + raw: {} + operator: AppendIfNotEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process_command_line, identified by process_command_line. + id: ce97d194-4dca-4f9c-8aaf-7c54ab40e966 + iscommand: true + name: Get Actor CommandLine and CGO CommandLine prevalence + script: '|||core-get-cmd-analytics-prevalence' + type: regular + version: -1 + taskid: ce97d194-4dca-4f9c-8aaf-7c54ab40e966 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 650,\n \"y\": -300\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + scriptarguments: + process_name: + complex: + accessor: osparentname + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.cgoname + raw: {} + operator: AppendIfNotEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. 
+ id: e0e01cdc-0f66-414b-8558-24155f2650e7 + iscommand: true + name: Get Actor Process and CGO Process prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: e0e01cdc-0f66-414b-8558-24155f2650e7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": -300\n }\n}" + '53': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '60' + 'Yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: A verdict is determined based on whether the incident contained + any related alerts. + id: 9f115642-48a0-4395-8608-b29f1d2de9ca + iscommand: false + name: Found related alerts requiring causality termination + type: condition + version: -1 + taskid: 9f115642-48a0-4395-8608-b29f1d2de9ca + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 205\n }\n}" + '60': + continueonerrortype: '' + id: '60' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Resolved - Handled by the playbook "Unprivileged process opened a + registry hive" + closeReason: + simple: Resolved - False Positive + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 0be96afe-dfcb-4780-8822-af5ad5f865df + iscommand: true + name: Close Alert as False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 0be96afe-dfcb-4780-8822-af5ad5f865df + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 
910,\n \"y\": 510\n }\n}" + '61': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isNotEmpty + root: alert.osparentsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + root: Core.AnalyticsPrevalence.Process + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: 'False' + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + root: Core.AnalyticsPrevalence.Cmd + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: 'False' + label: Unsigned and not prevalent + continueonerrortype: '' + id: '61' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '46' + Unsigned and not prevalent: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the Actor & CGO process + signature and the prevalence of the Actor & CGO process and Actor & CGO CommandLine. 
+ id: eca46ccf-77d3-4853-8b71-f516e49814b7 + iscommand: false + name: Check for process signatures and prevalence + type: condition + version: -1 + taskid: eca46ccf-77d3-4853-8b71-f516e49814b7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -130\n }\n}" + '62': + continueonerrortype: '' + id: '62' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the remediation process, the playbook\ + \ couldn't terminate the process ${alert.cgoname} \n\nPlease terminate the\ + \ process manually if possible. \nNote that the next remediation step, if\ + \ possible, will be endpoint isolation." + id: 2647e32a-15b8-4b10-8724-3cdeaf72552f + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 2647e32a-15b8-4b10-8724-3cdeaf72552f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 680\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"44_62_#error#\": 0.55,\n \"53_11_Yes\"\ + : 0.17,\n \"61_11_Unsigned and not prevalent\": 0.27\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 1665,\n \"width\": 1110,\n \"\ + x\": 180,\n \"y\": -580\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml new file mode 100644 index 00000000000..e98fdb15f6e --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml 
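Review bot: In task '22' (Close Alert as True Positive) the `closeInvestigation` call is given `assetid: simple: 'Resolved - False Positive\n'`, a verdict string with a trailing newline in an argument that is unrelated to the verdict; it reads as a copy-paste leftover from the false-positive close task '60' and contradicts the `closeReason` of "Resolved - True Positive" set two lines below. Unless the asset field is meant to be written on the closed alert, drop the three `assetid:` lines so that only `closeNotes`, `closeReason` and `id` are passed, mirroring task '60'. Left as is, a true-positive closure would carry a false-positive label in a field that analysts and any downstream reporting may read, which makes the closed-alert record harder to audit.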
@@ -0,0 +1,754 @@
+description: "This playbook addresses the following alerts:\n\n- Unsigned and unpopular\
+ \ process performed injection into a commonly abused process\n- Unsigned and unpopular\
+ \ process performed process hollowing injection\n- Unsigned and unpopular process\
+ \ performed queue APC injection\n- Unsigned and unpopular process performed injection\
+ \ into a sensitive process\n- Unsigned and unpopular process performed injection\
+ \ into svchost.exe\n\n\nPlaybook Stages:\n\nTriage:\n\n- Retrieve all alerts associated\
+ \ with the case for initial analysis.\n\nEarly Containment:\n\n- Identify whether\
+ \ an agent prevention rule was triggered for the same process ID. If so, there is\
+ \ high confidence that the alert is malicious.\n - **If triggered in prevent mode**:\
+ \ This indicates a high-confidence verdict and the playbook proceeds with endpoint\
+ \ isolation.\n - **If triggered in report mode**: This also indicates a high-confidence\
+ \ verdict. The playbook will notify the customer, advise an update to **prevent\
+ \ mode** for better protection in the future, and proceed with the investigation.\n\
+ \ - **If no rule is triggered**: The playbook will continue with additional checks\
+ \ to ensure thorough assessment.\n\nInvestigation:\n\n- Check for commonly triggered\
+ \ alerts that often precede process injection:\n - If found, initiate containment.\n\
+ \ - If not found, proceed with additional checks.\n- Analyze if any alerts align\
+ \ with MITRE ATT&CK tactics **TA0004 (Privilege Escalation)** and **TA0005 (Defense\
+ \ Evasion)**:\n - If matching tactics are found, initiate containment.\n - If\
+ \ not, proceed with further investigation.\n- Determine if the causality (parent)\
+ \ process is signed:\n - If signed by a trusted authority, close the alert.\n \
+ \ - If unsigned, escalate for manual approval for containment.\n\nContainment:\n\
+ \n- For alerts validated as threats, execute the following actions:\n - 
Terminate\ + \ the causality process (CGO) if deemed malicious.\n - Isolate the endpoint in\ + \ high-risk scenarios to prevent further compromise.\n\nRequirements:\n\nFor response\ + \ actions, you need the following integrations:\n\n- Cortex Core - Investigation\ + \ and Response." +fromversion: 8.9.0 +id: silent-Unsigned and unpopular process performed an injection Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Unsigned and unpopular process performed an injection Test +outputs: [] +starttaskid: '0' +tags: +- T1055 - Process Injection +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 59a33321-30c5-4810-8ed1-754dd374851e + iscommand: false + name: '' + version: -1 + taskid: 59a33321-30c5-4810-8ed1-754dd374851e + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 260\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 358ad811-3ae6-4e1d-826e-ba15c09f050c + iscommand: false + name: Containment + type: title + version: -1 + taskid: 358ad811-3ae6-4e1d-826e-ba15c09f050c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1490\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + Isolate: + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Endpoint Isolation is recommended since the following verdicts\ + \ have been 
confirmed:\n\n - In addition to the analytics rule, an agent rule\ + \ has blocked the same causality process.\n\nOR\n\n - The case includes additional\ + \ rules protecting from PowerShell protection module or the 'Unsigned process\ + \ injecting into a Windows system binary with no command line'.\n\nOR\n\n\ + \ - The case includes at least two additional rules tagged as 'TA0004 - Privilege\ + \ Escalation' and 'TA0005 - Defense Evasion'" + id: a4e84519-ae9c-4cde-86db-4210bd57a617 + iscommand: false + name: Approve the endpoint isolation + type: condition + version: -1 + taskid: a4e84519-ae9c-4cde-86db-4210bd57a617 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 2210\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. + id: 324312f8-a792-4ff6-8046-848f554bdf15 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 324312f8-a792-4ff6-8046-848f554bdf15 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 2400\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '20' + 'Yes': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Our only verdict is an unsigned causality process, we need the + analyst''s approval to continue the containment phase. 
+ + + Unmatched verdicts: + + - No BTP rule found for the same causality ID + + - No known preceding alerts found in the same case + + + Matched verdicts: + + - The causality process is not signed' + id: 5e10c74a-e684-4d52-8131-45f0d93e265e + iscommand: false + name: Should terminate the causality (CGO)? + type: condition + version: -1 + taskid: 5e10c74a-e684-4d52-8131-45f0d93e265e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 1320\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + value: + simple: 'We have successfully identified a potential security threat involving + process injection on your system. While the detection rule correctly flagged + the suspicious activity, it was operating in **report** mode at the time. + This means that although we detected the activity, no automatic preventive + action was taken to block the threat. + + + If this rule had been set to **prevent** mode, the malicious action could + have been stopped immediately, reducing the risk of compromise. We strongly + recommend switching the rule to prevent mode to proactively block such threats + in the future.' 
+ separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to war room (Markdown supported) + id: 000b6c70-38b6-404f-86db-45f3d9426d26 + iscommand: false + name: Suggest activate prevention mode for Process Injection module + scriptName: Print + type: regular + version: -1 + taskid: 000b6c70-38b6-404f-86db-45f3d9426d26 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 900\n }\n}" + '18': + continueonerror: true + continueonerrortype: errorPath + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '19' + '#none#': + - '12' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + XSIAM 2.4. + id: f3da08e0-1190-40a3-82de-72068e560176 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: f3da08e0-1190-40a3-82de-72068e560176 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1620\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the containment phase, the playbook couldn\u2019\ + t terminate the process: ${alert.cgoname}\n\nPlease terminate the process\ + \ manually if possible." 
+ id: 2c05918a-ebe2-4d61-8d7a-2e9f237ebf15 + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 2c05918a-ebe2-4d61-8d7a-2e9f237ebf15 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1850\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9f8b5e4e-ec32-44ae-85ed-1211ce9107e8 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 9f8b5e4e-ec32-44ae-85ed-1211ce9107e8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 400\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved, confirmed as a False Positive + closeReason: + simple: Resolved - Handled by the playbook "Unsigned and unpopular process + performed an injection" as False Positive + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 00471e39-8234-45c7-8764-b5c711e53ab7 + iscommand: true + name: Close the Alert as False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 00471e39-8234-45c7-8764-b5c711e53ab7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 2580\n }\n}" + '21': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: notStartWith + right: + value: + simple: Powershell Activity + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEqualString + right: + value: + 
simple: Unsigned process injecting into a Windows system binary with + no command line + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.cid + root: foundIncidents.CustomFields + operator: notIn + right: + value: + simple: Reported, BLOCKED + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: notContainsGeneral + right: + value: + simple: TA0004 - Privilege Escalation + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: notContainsGeneral + right: + value: + simple: TA0005 - Defense Evasion + label: Weak + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Weak: + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: If only the last check is matched, the verdict is marked as 'weak' + to indicate reduced confidence. 
+ id: da0b7884-3a34-4348-8e2a-11c868bb4bbb + iscommand: false + name: Weak verdict - Check if only final check is satisfied + type: condition + version: -1 + taskid: da0b7884-3a34-4348-8e2a-11c868bb4bbb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 300,\n \"y\": 2030\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for Cortex XSIAM alerts related to the current + incident. + id: 28112aa4-5c02-4bd9-8a2a-6f10174c7771 + iscommand: false + name: Search for alerts that blocked the causality + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 28112aa4-5c02-4bd9-8a2a-6f10174c7771 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 535\n }\n}" + '4': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cid + root: foundIncidents.CustomFields + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isEqualString + right: + iscontext: true + value: + 
simple: alert.cid + root: foundIncidents.CustomFields + operator: isEqualString + right: + value: + simple: Reported + label: Reported + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '7' + Blocked: + - '12' + Reported: + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the incident's alerts for an alert that blocked the causality + using the agent. + id: 698f092a-758e-4028-84b8-25bbb7d4c626 + iscommand: false + name: Was the causality blocked by another alert? + type: condition + version: -1 + taskid: 698f092a-758e-4028-84b8-25bbb7d4c626 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 700\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: Signed + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + Signed: + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality process image is signed. 
+ id: 7c09ff5c-2f1e-4c55-85f1-557891e3e8f7 + iscommand: false + name: Check if the causality process is signed + type: condition + version: -1 + taskid: 7c09ff5c-2f1e-4c55-85f1-557891e3e8f7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 1150\n }\n}" + '7': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: startWith + right: + value: + simple: Powershell Activity + - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isEqualString + right: + value: + simple: Unsigned process injecting into a Windows system binary with + no command line + label: Behavioral Alerts + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: containsGeneral + right: + value: + simple: TA0004 - Privilege Escalation + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: containsGeneral + right: + value: + simple: TA0005 - Defense Evasion + label: MITRE Tactic + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + Behavioral Alerts: + - '10' + MITRE Tactic: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Search for commonly triggered alert names preceding the injection + alert. + id: 3e3d733d-1317-44cf-8178-e0015cc3b874 + iscommand: false + name: Were known preceding alerts detected? 
+ type: condition + version: -1 + taskid: 3e3d733d-1317-44cf-8178-e0015cc3b874 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 900\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved, confirmed as a True Positive + closeReason: + simple: Resolved - Handled by the playbook "Unsigned and unpopular process + performed an injection" as True Positive + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 81db7e8a-cc03-44e9-86a5-70d784b286ee + iscommand: true + name: Close the Alert as True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 81db7e8a-cc03-44e9-86a5-70d784b286ee + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 2580\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3214ade0-7bba-484f-8945-3bc4367178a9 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3214ade0-7bba-484f-8945-3bc4367178a9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 770,\n \"y\": 2750\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_13_Isolate\": 0.42,\n \"12_8_#default#\"\ + : 0.44,\n \"14_10_Yes\": 0.37,\n \"14_20_#default#\": 0.23,\n \"18_19_#error#\"\ + : 0.65,\n \"21_12_#default#\": 0.3,\n \"21_8_Weak\": 0.32,\n \"4_12_Blocked\"\ + : 0.1,\n \"4_15_Reported\": 0.66,\n \"4_7_#default#\": 0.81,\n \"5_14_#default#\"\ + : 0.38,\n \"5_20_Signed\": 0.12,\n \"7_10_Behavioral Alerts\": 0.39,\n \ + \ 
\"7_14_MITRE Tactic\": 0.64,\n \"7_5_#default#\": 0.64\n },\n \"paper\":\ + \ {\n \"dimensions\": {\n \"height\": 2555,\n \"width\": 1660,\n \ + \ \"x\": -300,\n \"y\": 260\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml new file mode 100644 index 00000000000..5fb47801115 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml 
@@ -0,0 +1,982 @@
+contentitemexportablefields:
+ contentitemfields: {}
+description: 'This playbook handles "Unusual process accessed web browser credentials
+ and executed by a terminal process" alerts.
+
+
+ Playbook Stages:
+
+
+ Analysis:
+
+ During the analysis, the playbook will perform the following:
+
+
+ - Checks the initiator file path for any suspicious locations.
+
+ - Checks the initiator process reputation.
+
+
+ If the file is malicious, it proceeds to remediation actions; otherwise, it continues
+ to the investigation phase.
+
+
+ Investigation:
+
+ During the alert investigation, the playbook will perform the following:
+
+
+ - Searches for related Cortex XSIAM alerts and insights on the endpoint by specific
+ alert names or by the following MITRE technique to identify malicious activity: T1555.001
+ - Credentials from Password Stores: Keychain.
+
+
+ The playbook determines the appropriate verdict. If related alerts or insights are
+ found, it proceeds to remediation actions; otherwise, it closes the alert with the
+ message "No indication of malicious activity was found".
+
+
+ Remediation:
+
+
+ - Automatically terminate the causality process.
+
+ - Quarantine the initiator file if its reputation is malicious, if medium- to high-severity
+ alerts indicating malicious activity are found, or if related insights are found
+ and the initiator is running from a suspicious path. (This action requires analyst
+ approval).
+
+ - Automatically Close the alert.'
+fromversion: 8.9.0 +id: silent-Unusual process accessed web browser credentials and executed by a terminal + process Test +inputs: [] +issilent: true +name: silent-Unusual process accessed web browser credentials and executed by a terminal + process Test +outputs: [] +starttaskid: '0' +tags: +- TA0006 - Credential Access +- T1555 - Credentials from Password Stores +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": -1110\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + - '90' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -490\n }\n}" + '100': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.quarantineFiles.status.status + operator: isEqualString + right: + value: + simple: 'true' + label: 'Yes' + continueonerrortype: '' + id: '100' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '114' + 'Yes': + - '104' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + 
status. + id: 47c6abf6-2897-4efd-8dd6-c306bbaf31fa + iscommand: false + name: Is the initiator file already quarantined? + type: condition + version: -1 + taskid: 47c6abf6-2897-4efd-8dd6-c306bbaf31fa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 925\n }\n}" + '103': + continueonerrortype: '' + id: '103' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '104' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook was unable to quarantine the initiator file due to the following + possible reasons: + + + - The file is not found or no longer exists on the local host. + + - The endpoint is currently disconnected. + + + Please take manual action to terminate the causality process if needed and + quarantine the initiator file. + + ${alert.initiatorpath}' + id: 6c9d287f-9f21-4d9d-8210-45e93032fbf7 + iscommand: false + name: "Manual action needed \u2013 The initiator couldn't be quarantined" + type: regular + version: -1 + taskid: 6c9d287f-9f21-4d9d-8210-45e93032fbf7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -220,\n \"y\": 1470\n }\n}" + '104': + continueonerrortype: '' + id: '104' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5640b892-54ac-4b0b-829a-d1a6fbf4153e + iscommand: false + name: Quarantine file - Done + type: title + version: -1 + taskid: 5640b892-54ac-4b0b-829a-d1a6fbf4153e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1640\n }\n}" + '109': + continueonerrortype: '' + id: '109' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '111' + note: false + quietmode: 0 + 
scriptarguments: + file: + simple: ${alert.initiatorsha256} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve results for a file hash using WildFire. + id: bf8290ca-de3c-4257-84d0-ecbf78f9fb73 + iscommand: true + name: Check the initiator process reputation + script: '|||file' + type: regular + version: -1 + taskid: bf8290ca-de3c-4257-84d0-ecbf78f9fb73 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": -840\n }\n}" + '110': + continueonerrortype: '' + id: '110' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '87' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ddd65f8b-99c5-41c1-82ca-b80cca85cad5 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ddd65f8b-99c5-41c1-82ca-b80cca85cad5 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 135\n }\n}" + '111': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'Yes' + continueonerrortype: '' + id: '111' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '1' + 'Yes': + - '110' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict if the reputation of the initiator + file is malicious. + id: 8d1cc819-2c59-4b93-8324-8ef70e6e9af3 + iscommand: false + name: Does the initiator process have a malicious reputation? 
+ type: condition + version: -1 + taskid: 8d1cc819-2c59-4b93-8324-8ef70e6e9af3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": -670\n }\n}" + '112': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: name + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.severity + operator: containsGeneral + right: + value: + simple: MEDIUM + - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.severity + operator: containsGeneral + right: + value: + simple: HIGH + root: foundIncidents + operator: isNotEmpty + - ignorecase: true + left: + iscontext: true + value: + complex: + root: . + transformers: + - args: + conditions: + value: + simple: "[{\n \"condition\": \"('LOW' in #{foundIncidents.severity}\ + \ or 'INFO' in #{foundIncidents.severity}) and #{SuspiciousInitiatorProcessPath}\ + \ != null\",\n \"return\": \"true\"\n },\n{\n\"default\"\ + : \"false\"\n}\n]" + flags: {} + operator: If-Elif + operator: isEqualString + right: + value: + simple: 'true' + label: 'Yes' + continueonerrortype: '' + id: '112' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'Yes': + - '93' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines if the initiator file should be quarantined based on + the following conditions: + + - The initiator file has a malicious reputation. + + - Specific MEDIUM-HIGH related alerts have been found. 
+ + - Specific related insights were found, and the initiator process is running + from a suspicious location.' + id: 5014f90e-d2d9-433f-8d5c-c7a94b0ed16a + iscommand: false + name: Should quarantine the initiator file? + type: condition + version: -1 + taskid: 5014f90e-d2d9-433f-8d5c-c7a94b0ed16a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 440\n }\n}" + '113': + continueonerror: true + continueonerrortype: errorPath + id: '113' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '103' + '#none#': + - '104' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: ${alert.initiatorsha256} + file_path: + simple: ${alert.initiatorpath} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Quarantines a file on selected endpoints. 
' + id: 6d075347-56c2-426d-861f-32f86341d3a4 + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: 6d075347-56c2-426d-861f-32f86341d3a4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 1290\n }\n}" + '114': + continueonerrortype: '' + id: '114' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + No Quarantine: + - '104' + Quarantine: + - '113' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "**Approval required to quarantine the initiator file**\n\nDear\ + \ Analyst,\n\nThe following initiator file has been identified for potential\ + \ quarantine based on at least one of the following reasons:\n\n - The file's\ + \ reputation is identified as malicious.\n- Medium-high severity alerts indicating\ + \ malicious activity have been detected.\n- Related insights were found, and\ + \ the initiator is running from a suspicious path.\n\n**File Details:**\n\ + - File Name: ${alert.initiatedby.[0]}\n- File Path: ${alert.initiatorpath.[0]}\n\ + - File Hash (sha256): ${alert.initiatorsha256.[0]}\n\n**Given these findings,\ + \ do you approve proceeding with the quarantine action?**" + id: 21083533-ab21-4dce-87d8-91e845074319 + iscommand: false + name: Analyst approval to quarantine the initiator file + type: condition + version: -1 + taskid: 21083533-ab21-4dce-87d8-91e845074319 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 1110\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Unusual process accessed web browser + credentials using terminal" + id: + 
simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: fc6ed827-a79f-4f1a-8386-38c098e35af9 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: fc6ed827-a79f-4f1a-8386-38c098e35af9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1775\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1940\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '109' + - '92' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6d11f6e-a28a-459a-8004-bec570e4b02a + iscommand: false + name: Analysis + type: title + version: -1 + taskid: b6d11f6e-a28a-459a-8004-bec570e4b02a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": -980\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f250815c-f894-4a5a-8a7f-999a76debdac + iscommand: false + name: Verdict + type: title + version: -1 + taskid: f250815c-f894-4a5a-8a7f-999a76debdac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -180\n }\n}" + 
'46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + iscommand: false + name: Done + type: title + version: -1 + taskid: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 925\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: (name:"AppleScript process executed with a rare command line, possibly + using Finder to perform operations" or name:"*Malware Activity*" or name:"*Credential + Gathering Protection*" name:"WildFire Malware" or name:"Local Analysis Malware") + and agentid:${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for suspicious related alerts from the last + 3 hours that may indicate a compromised endpoint. 
+ + The task searches for alert with the following names: + + - "AppleScript process executed with a rare command line, possibly using Finder + to perform operations" + + - "Malware Activity" + + - "Credential Gathering Protection" + + - "WildFire Malware" + + - "Local Analysis Malware"' + id: cc067b07-78ba-4752-8c8d-9e73216baaca + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: cc067b07-78ba-4752-8c8d-9e73216baaca + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": -350\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fe468065-4795-4712-840c-a25f576f1f8f + iscommand: false + name: No malicious activity was found + type: title + version: -1 + taskid: fe468065-4795-4712-840c-a25f576f1f8f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 630\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: SuspiciousInitiatorProcessPath + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '110' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict if the playbook found any related + alerts or if the process was running from a suspicious path. + id: 49522c10-5c05-4337-8a99-792382e83d55 + iscommand: false + name: Found related alerts or process running from a suspicious path? 
+ type: condition + version: -1 + taskid: 49522c10-5c05-4337-8a99-792382e83d55 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -50\n }\n}" + '87': + continueonerror: true + continueonerrortype: '' + id: '87' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '112' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available from Cortex + XSIAM 2.4. + id: 319c7043-3979-4197-810b-aad9fa76ebcc + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 319c7043-3979-4197-810b-aad9fa76ebcc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 270\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No indication of malicious activity was found + closeReason: + simple: Resolved - Handled by the playbook "Unusual process accessed web browser + credentials using terminal" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 5a7ba8a5-3056-405e-84b3-f5a6afcfe1ef + iscommand: true + name: Close Alert - No indication of malicious activity was found + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 5a7ba8a5-3056-405e-84b3-f5a6afcfe1ef + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 760\n }\n}" + '90': + continueonerrortype: '' + id: '90' + ignoreworker: false + isautoswitchedtoquietmode: false + 
isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + includeinformational: + simple: 'true' + query: + simple: (mitreattcktechnique:* T1555.001* or name:"A process connected to + a rare external host" or name:"A user connected a new USB storage device + to a host" or name:"A user connected a USB storage device for the first + time" or name:"Globally less common process execution from a signed process") + and agentid:${alert.agentid} and (cid:${alert.cid.[0]} or actorprocessinstanceid:${alert.cid.[0]} + or actionprocessinstanceid:${alert.cid.[0]} or actorprocessinstanceid:${alert.actorprocessinstanceid.[0]} + or actionprocessinstanceid:${alert.actorprocessinstanceid.[0]}) + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches by MITRE technique and alert names for suspicious\ + \ related insights that may indicate a compromised endpoint.\nIt focuses on\ + \ identifying alerts linked to the following MITRE techniques within the same\ + \ causality chain from the last 3 hours:\n- T1555.001 - Credentials from Password\ + \ Stores: Keychain\n\nAnd the following alert:\n- \"A process connected to\ + \ a rare external host\" \n- \"A user connected a new USB storage device to\ + \ a host\"\n- \"A user connected a USB storage device for the first time\"\ + \n- \"Globally less common process execution from a signed process\"" + id: a2f7df4f-55fc-4fb2-8cca-b497f09debd3 + iscommand: false + name: Search for related insights by name + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: a2f7df4f-55fc-4fb2-8cca-b497f09debd3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": -350\n }\n}" + '92': + continueonerror: true + continueonerrortype: '' + id: '92' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '111' + note: 
false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousInitiatorProcessPath + data: + simple: ${alert.initiatorpath} + ignore-outputs: + simple: 'false' + regex: + simple: (?i)(\/Volumes\/|\/Downloads\/) + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Uses regex to extract the suspicious segment from the initiator + path. + id: 99e9656e-95b3-4cb9-8ddc-5b451529ee04 + iscommand: false + name: Check the initiator process path for any suspicious locations + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: 99e9656e-95b3-4cb9-8ddc-5b451529ee04 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": -840\n }\n}" + '93': + continueonerrortype: '' + id: '93' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '97' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 27776082-8565-47a8-8ff4-68b4bde0e077 + iscommand: false + name: Quarantine file + type: title + version: -1 + taskid: 27776082-8565-47a8-8ff4-68b4bde0e077 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 630\n }\n}" + '97': + continueonerror: true + continueonerrortype: '' + id: '97' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '100' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + file_hash: + simple: ${alert.initiatorsha256} + file_path: + simple: ${alert.initiatorpath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. 
+ id: 777b3a56-c91b-4ea4-823f-7d1b1231f031 + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: 777b3a56-c91b-4ea4-823f-7d1b1231f031 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 760\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"100_104_Yes\": 0.22,\n \"113_103_#error#\"\ + : 0.6,\n \"114_104_No Quarantine\": 0.29,\n \"114_113_Quarantine\": 0.49\n\ + \ },\n \"paper\": {\n \"dimensions\": {\n \"height\": 3115,\n \"\ + width\": 1710,\n \"x\": -220,\n \"y\": -1110\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml new file mode 100644 index 00000000000..2ff6382980f --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml 
@@ -0,0 +1,650 @@ +description: 'This playbook is designed to handle the alert + + ''User added to local administrator group using a PowerShell command'' + + + The playbook executes the following stages: + + + Investigation: + + Check the following parameters to determine if remediation actions are needed: + + - Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious + activity. + + - Whether the process is unsigned. + + + Remediation: + + Handles malicious alerts by terminating the relevant processes and requesting the + analyst''s approval to remove the user from the local Administrators group. + + Handles non-malicious alerts identified during the investigation.' +fromversion: 8.9.0 +id: silent-User added to local administrator group using a PowerShell command Test +inputSections: +- description: Generic group for inputs. + inputs: [] + name: General (Inputs group) +inputs: [] +issilent: true +name: silent-User added to local administrator group using a PowerShell command Test +outputSections: +- description: Generic group for outputs. 
+ name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0003 - Persistence +- T1098 - Account Manipulation +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: bb220bb9-b474-4c84-85f3-dca73838520b + iscommand: false + name: '' + version: -1 + taskid: bb220bb9-b474-4c84-85f3-dca73838520b + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 160\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fc66d0b2-7618-4a38-8f04-e821aba4a989 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: fc66d0b2-7618-4a38-8f04-e821aba4a989 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 310\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Suspicious activity detected + closeReason: + simple: Resolved - Handled by the playbook "User added to local administrator + group using a PowerShell command" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 88be804e-5e38-4909-87d4-f83461f24630 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 88be804e-5e38-4909-87d4-f83461f24630 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 
420,\n \"y\": 2145\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 948acfa9-d0a3-42b0-8b06-ee6736be5f92 + iscommand: false + name: Done + type: title + version: -1 + taskid: 948acfa9-d0a3-42b0-8b06-ee6736be5f92 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 2315\n }\n}" + '24': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the incident contains related alerts by MITRE + Techniques, indicating that the alert was part of an attack pattern. + id: 2f745b02-269a-408e-8aec-c7f3a8bc5115 + iscommand: false + name: Found any alerts indicating this is malicious activity? 
+ type: condition + version: -1 + taskid: 2f745b02-269a-408e-8aec-c7f3a8bc5115 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 790\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8018c8e4-2938-479d-8670-7801a8aff36c + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: 8018c8e4-2938-479d-8670-7801a8aff36c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 980\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: osparentsignature + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsigner + operator: isNotEmpty + root: alert + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: 'yes' + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '77' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict based on process signature. 
+ + ' + id: 22756e65-c2a2-43a1-8192-b98244e84591 + iscommand: false + name: Check for unsigned CGO or OS process + type: condition + version: -1 + taskid: 22756e65-c2a2-43a1-8192-b98244e84591 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 460\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6f76440-2eec-49c0-8dc0-ed49708da484 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: b6f76440-2eec-49c0-8dc0-ed49708da484 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 980\n }\n}" + '70': + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "User added to local administrator + group using a PowerShell command" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: b2c25c91-84e4-4adc-852e-afceed01e5f1 + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b2c25c91-84e4-4adc-852e-afceed01e5f1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 1120\n }\n}" + '76': + continueonerror: true + continueonerrortype: '' + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '79' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + 
simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. + id: 43d9acfc-9cd7-43f6-8675-484582c3ac4d + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 43d9acfc-9cd7-43f6-8675-484582c3ac4d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1110\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1001* or mitreattcktechnique:*T1140* + or mitreattcktechnique:*T1059* or name:"Suspicious local user + account creation") and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for Cortex XSIAM suspicious alerts related + to the current incident by Mitre Techniques that may indicate suspicious activity. 
+ + + Focus on identifying alerts associated with the following MITRE techniques: + + - T1001 - Data Obfuscation + + - T1140 - Deobfuscate/Decode Files or Information + + - T1059 - Command and Scripting Interpreter + + + And the following alert: + + - "Suspicious local user account creation" + + ' + id: 94f27bbd-224a-47ef-8892-edb62f47292e + iscommand: false + name: Search for related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 94f27bbd-224a-47ef-8892-edb62f47292e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 630\n }\n}" + '79': + continueonerrortype: '' + id: '79' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '82' + note: false + quietmode: 0 + scriptarguments: + key: + simple: ExtractedUsername + value: + complex: + accessor: targetprocesscmd + root: alert + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?i)Administrators[\\]?[\"|']?\s+-Member\s+([^\s;}]+) + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. + id: 052a58a3-8922-40dd-851e-4212df94e9c2 + iscommand: false + name: Extract Username + scriptName: Set + type: regular + version: -1 + taskid: 052a58a3-8922-40dd-851e-4212df94e9c2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1270\n }\n}" + '80': + continueonerrortype: '' + id: '80' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Remove the user: ${ExtractedUsername} from local admin group?' 
+ cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + 'No': + - '21' + 'Yes': + - '81' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval is required to remove the user from the local + Administrator group. + id: 7d039298-b7e0-44c1-8f77-39e71f387d96 + iscommand: false + name: Analyst approval to remove user from local Administrator group + type: condition + version: -1 + taskid: 7d039298-b7e0-44c1-8f77-39e71f387d96 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1610\n }\n}" + '81': + continueonerror: true + continueonerrortype: errorPath + id: '81' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '83' + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe Remove-LocalGroupMember -Group "Administrators" -Member + ${ExtractedUsername} + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '180' + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate a new endpoint script execution of shell commands. 
+ id: 4861afe9-34c3-4415-8e53-ac6b0e3fbbba + iscommand: true + name: Remove user from local Administrator group + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 4861afe9-34c3-4415-8e53-ac6b0e3fbbba + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 190,\n \"y\": 1780\n }\n}" + '82': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: ExtractedUsername + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '82' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '83' + 'yes': + - '80' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check whether the extracted username is defined. + id: 24e90eb8-1d77-4ca6-80a9-f5020bff758c + iscommand: false + name: Is the extracted username defined? + type: condition + version: -1 + taskid: 24e90eb8-1d77-4ca6-80a9-f5020bff758c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1430\n }\n}" + '83': + continueonerrortype: '' + id: '83' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + Please note that during the remediation process, the playbook failed to remove + the user from the local administrator group on the host: ${alert.hostname} + . + + + Please take manual action to remove the user from the local administrator + group on the host: ${alert.hostname} . 
+ + + The user can be found in the following PowerShell command: + + ${alert.targetprocesscmd} + + ' + id: 45d20664-73f2-40b5-8f30-8d1ce01f51f1 + iscommand: false + name: Remove the user from the local administrator group manually + type: regular + version: -1 + taskid: 45d20664-73f2-40b5-8f30-8d1ce01f51f1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -40,\n \"y\": 1970\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"24_7_yes\": 0.23,\n \"6_7_yes\": 0.35,\n\ + \ \"80_21_No\": 0.48,\n \"80_81_Yes\": 0.57,\n \"81_83_#error#\": 0.5,\n\ + \ \"82_80_yes\": 0.39,\n \"82_83_#default#\": 0.66\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 2220,\n \"width\": 1550,\n \"\ + x\": -40,\n \"y\": 160\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml index b220352b9b3..ae05faedbb2 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml @@ -1352,4 +1352,4 @@ inputs: [] outputs: [] tests: - No tests (auto formatted) -fromversion: 8.9.0 +fromversion: 8.9.0 \ No newline at end of file diff --git a/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md new file mode 100644 index 00000000000..f4302cbb63d --- /dev/null +++ b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md @@ -0,0 +1 @@ +## Documentation and metadata improvements. \ No newline at end of file 
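Review bot: Task '81' interpolates `${ExtractedUsername}` unquoted into `powershell.exe Remove-LocalGroupMember -Group "Administrators" -Member ${ExtractedUsername}` and runs it on the endpoint via core-run-script-execute-commands, but the value is carved out of `alert.targetprocesscmd` — the command line the suspicious actor chose — by the task '79' regex `(?i)Administrators[\\]?[\"|']?\s+-Member\s+([^\s;}]+)`, whose capture group accepts any run of non-whitespace characters other than `;` and `}`, PowerShell metacharacters included (inside that character class `|` is a literal pipe, not alternation). The approval prompt in task '80' does show the extracted string, but one click on a value the analyst did not type is thin protection for a privileged command on the host. Restrict the capture group to account-name characters, `simple: (?i)Administrators[\\]?["']?\s+-Member\s+["']?([A-Za-z0-9._\-\\@]+)`, and single-quote the argument in task '81', `-Member '${ExtractedUsername}'`, so that anything other than a plain account name leaves `ExtractedUsername` empty and task '82' routes to the manual-remediation task '83' instead of executing it. Task '81' also passes both `timeout` and `timeout_in_seconds` with the same value; presumably only one is honoured by the command, and the other could be dropped to avoid implying two different limits.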
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json
new file mode 100644
index 00000000000..3ec553a481f
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json
@@ -0,0 +1,44 @@
+{
+ "trigger_id": "f316852d358f8de8192842f6a7156142",
+ "playbook_id": "silent-Suspicious SaaS Access From a TOR Exit Node Test",
+ "suggestion_reason": "Recommended for Suspicious SaaS Access From a TOR Exit Node alerts",
+ "description": "This trigger is responsible for handling Suspicious SaaS Access From a TOR Exit Node",
+ "trigger_name": "silent-Suspicious SaaS Access From a TOR Exit Node Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious SaaS API call from a Tor exit node"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious SaaS API call from a Tor exit node via Mobile Device"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious API call from a Tor exit node"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious Kubernetes API call from a Tor exit node"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
new file mode 100644
index 00000000000..e9f26bb0047
--- /dev/null
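Review bot: The four alert_name clauses in this filter use CONTAINS while every other trigger file in this commit matches alert names with EQ, and the third value, `Suspicious API call from a Tor exit node`, is a substring of the first, so the OR already fires on any alert whose name merely contains that phrase. If the intent is to match exactly these four alert names, `"SEARCH_TYPE": "EQ"` keeps the trigger from attaching the playbook to future alerts with similar names; if the broader match is deliberate, a sentence in `description` saying so would help the next reader. The `description` value also stops mid-sentence; `This trigger is responsible for handling Suspicious SaaS Access From a TOR Exit Node alerts` reads complete.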
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "52c5358feb547561b409817ba1f129d2",
+ "playbook_id": "silent-A user executed multiple LDAP enumeration queries Test",
+ "suggestion_reason": "Recommended for A user executed suspicious LDAP enumeration queries alerts.",
+ "description": "This trigger is responsible for handling alerts where a user executes suspicious LDAP enumeration queries.",
+ "trigger_name": "silent-A user executed multiple LDAP enumeration queries Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A user executed suspicious LDAP enumeration queries"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
new file mode 100644
index 00000000000..376eedc4bb2
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
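Review bot: `playbook_id` and `trigger_name` say `multiple LDAP enumeration queries` while the alert_name filter and `suggestion_reason` say `suspicious LDAP enumeration queries`; the filter is what selects alerts, so on its own this is only a naming inconsistency, but `playbook_id` has to match the playbook's own `id`, which is not visible in this diff and is worth confirming. `fromVersion` also sits before `alerts_filter` here and after `issilent` in the other trigger files of this commit; key order carries no meaning in JSON, but the same layout across the trigger files makes them easier to diff against each other.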
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "49f4f8a7a81eecadfe694353481fda1d",
+ "playbook_id": "silent-A mail forwarding rule was configured in Google Workspace Test",
+ "suggestion_reason": "Recommended for 'A mail forwarding rule was configured in Google Workspace' and 'A mail forwarding rule was configured in Google Workspace to an uncommon domain' alerts",
+ "description": "This trigger runs the A mail forwarding rule was configured in Google Workspace playbook, which handles the A mail forwarding rule was configured in Google Workspace and A mail forwarding rule was configured in Google Workspace to an uncommon domain alerts.",
+ "trigger_name": "silent-A mail forwarding rule was configured in Google Workspace Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A mail forwarding rule was configured in Google Workspace"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A mail forwarding rule was configured in Google Workspace to an uncommon domain"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
new file mode 100644
index 00000000000..a46931a5135
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
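Review bot: `description` names the non-silent playbook (`runs the A mail forwarding rule was configured in Google Workspace playbook`) while `playbook_id` points at the silent Test variant; if this text is shown when the trigger is suggested, it should name the playbook it actually runs. The alert names inside the sentence are also unquoted, unlike in `suggestion_reason`, which makes the sentence hard to parse; `This trigger runs the 'silent-A mail forwarding rule was configured in Google Workspace Test' playbook, which handles the 'A mail forwarding rule was configured in Google Workspace' and 'A mail forwarding rule was configured in Google Workspace to an uncommon domain' alerts.` reads unambiguously.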
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "4a90702e6a1e31ff92c4a5b8e27360cd",
+ "playbook_id": "silent-A successful SSO sign-in from TOR Test",
+ "suggestion_reason": "Recommended for 'A successful SSO sign-in from TOR' and 'A successful SSO sign-in from TOR via a mobile device' alerts",
+ "description": "This trigger is responsible for handling the 'A successful SSO sign-in from TOR' and the 'A successful SSO sign-in from TOR via a mobile device' alerts",
+ "trigger_name": "silent-A successful SSO sign-in from TOR Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A successful SSO sign-in from TOR"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A successful SSO sign-in from TOR via a mobile device"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
new file mode 100644
index 00000000000..928fc8f0895
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "48cae2955f760d5ed08bf3c0b922887a",
+ "playbook_id": "silent-A Successful login from TOR Test",
+ "suggestion_reason": "Recommended for 'A Successful login from TOR' alert",
+ "description": "This trigger is responsible for handling the 'A Successful login from TOR' alert",
+ "trigger_name": "silent-A Successful login from TOR Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A Successful login from TOR"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
new file mode 100644
index 00000000000..bb8ba51ca34
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
@@ -0,0 +1,29 @@
+{
+ "trigger_id": "66c14136957cd342e560cedc6e29d3c6",
+ "playbook_id": "silent-AppleScript Process Executed With Rare Command Line Test",
+ "suggestion_reason": "Recommended for 'AppleScript Process Executed With Rare Command Line' alerts",
+ "description": "This trigger is responsible for handling several the 'AppleScript Process Executed With Rare Command Line' alerts",
+ "trigger_name": "silent-AppleScript Process Executed With Rare Command Line Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "AppleScript executed with a rare command line possibly using Finder to perform operations"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
new file mode 100644
index 00000000000..e0d197a5c79
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
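Review bot: The `description` reads "handling several the 'AppleScript …' alerts", which is ungrammatical; `"description": "This trigger is responsible for handling the 'AppleScript Process Executed With Rare Command Line' alerts"` matches the wording of the sibling triggers. The `alert_name` match uses `"SEARCH_TYPE": "CONTAINS"` with the full alert name inside a one-element `OR`, whereas every other trigger in this change uses `EQ`; `CONTAINS` will also match any future alert whose name merely embeds this sentence. Unless that broader matching is intended, `"SEARCH_TYPE": "EQ"` and dropping the single-element `OR` wrapper would make the intent explicit.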
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "0e8741d5fbc51b23a796898b77c3a21d",
+ "playbook_id": "silent-Azure AD account unlock or password reset Test",
+ "suggestion_reason": "Recommended for 'Azure AD account unlock/successful password reset' alert",
+ "description": "This trigger is responsible for handling the 'Azure AD account unlock/successful password reset' alert",
+ "trigger_name": "silent-Azure AD account unlock or password reset Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Azure AD account unlock/successful password reset"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
new file mode 100644
index 00000000000..294e6f6c323
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "3120c09a8de842f4aae8506487b01e8c",
+ "playbook_id": "silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test",
+ "suggestion_reason": "Recommended for Compromise Accounts alerts triggered by multiple MFA rejections.",
+ "description": "This trigger is responsible for handling Compromise Accounts alerts where user rejected MFA attempts.",
+ "trigger_name": "silent-Compromise Accounts - User has rejected numerous SSO MFA attempts Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "User rejected numerous SSO MFA attempts"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Multiple SSO MFA attempts were rejected by a user with suspicious characteristics"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
new file mode 100644
index 00000000000..721c33fd966
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
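Review bot: `trigger_name` is `silent-Compromise Accounts - User has rejected numerous SSO MFA attempts Test` while `playbook_id` and the file name read "User rejected numerous SSO MFA attempts" (no "has"); the three should agree so the trigger is listed under the same name as the playbook it starts. Suggest `"trigger_name": "silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test"`.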
@@ -0,0 +1,79 @@
+{
+ "trigger_id": "07b3e02109c59c627caf03a46a877d4e",
+ "playbook_id": "silent-Credential Dumping using a known tool Test",
+ "suggestion_reason": "Recommended for 'Credential Dumping using a known tool' alerts",
+ "description": "This trigger is responsible for handling the 'Credential Dumping using a known tool' alerts",
+ "trigger_name": "silent-Credential Dumping using a known tool Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Command-line arguments match Mimikatz execution"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Mimikatz command-line arguments"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via wce.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via gsecdump.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "PowerShell runs with known Mimikatz arguments"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Hash cracking using Hashcat tool"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via fgdump.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via LaZagne"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via pwdumpx.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Dumping lsass.exe memory for credential extraction"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Memory dumping with comsvcs.dll"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
new file mode 100644
index 00000000000..bf659318853
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "a7ca7229e794c8355cea0ec9827ac9f9",
+ "playbook_id": "silent-Endpoint initiated uncommon remote scheduled task creation Test",
+ "suggestion_reason": "Recommended for the 'Uncommon remote scheduled task creation' alert",
+ "description": "This trigger is responsible for handling 'Uncommon remote scheduled task creation' alerts",
+ "trigger_name": "silent-Endpoint initiated uncommon remote scheduled task creation Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon remote scheduled task creation"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
new file mode 100644
index 00000000000..3c129f591de
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
@@ -0,0 +1,59 @@
+{
+ "trigger_id": "1f4a5afb3a984d8e6eaec744d04a1a78",
+ "playbook_id": "silent-Event Log Was Cleared Test",
+ "suggestion_reason": "Recommended for 'Windows Event Log Was Cleared' alerts",
+ "description": "This trigger is responsible for handling the 'Windows Event Log Was Cleared' alerts",
+ "trigger_name": "silent-Event Log Was Cleared Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Windows Event Log was cleared using wevtutil.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Security Event Log was cleared using wevtutil.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A Sensitive Windows Event Log was cleared using wevtutil.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Windows event logs were cleared with PowerShell"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious clear or delete security provider event logs with PowerShell"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious clear or delete default providers event logs with PowerShell"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Windows event logs cleared using wmic.exe"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
new file mode 100644
index 00000000000..ae9261a0574
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
@@ -0,0 +1,39 @@
+{
+ "trigger_id": "16b8fde633a06edcc92b4f6aa7b52db2",
+ "playbook_id": "silent-Excessive User Account Lockouts Test",
+ "fromVersion": "8.9.0",
+ "suggestion_reason": "Recommended for Excessive User Account Lockouts alerts.",
+ "description": "This trigger is responsible for handling excessive user account lockouts.",
+ "trigger_name": "silent-Excessive User Account Lockouts Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Excessive user account lockouts"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Excessive account lockouts on suspicious users"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Excessive user account lockouts from a suspicious source"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
new file mode 100644
index 00000000000..fc88cd3b8e1
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
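Review bot: The new file is named `silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json` ("Lockkouts"), while `playbook_id` and `trigger_name` inside it spell the word "Lockouts"; renaming the file before merge avoids carrying the typo in the repository path permanently, where it is much harder to fix later than a string value. The JSON content itself is consistent with the other triggers in this change.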
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "87c352f11994a9c17008e7e0354a2c96",
+ "playbook_id": "silent-Exchange User Mailbox Forwarding Test",
+ "suggestion_reason": "Recommended for Exchange User Mailbox Forwarding alerts.",
+ "description": "This trigger is responsible for handling Exchange User Mailbox Forwarding alerts.",
+ "trigger_name": "silent-Exchange User Mailbox Forwarding Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Exchange User Mailbox Forwarding"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange User Mailbox Forwarding"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
new file mode 100644
index 00000000000..5446d0b3465
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
@@ -0,0 +1,64 @@
+{
+ "trigger_id": "4402083915accc60f72e10bb59224616",
+ "playbook_id": "silent-Exchange forwarding rule configured Test",
+ "fromVersion": "8.9.0",
+ "suggestion_reason": "Recommended for External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule",
+ "description": "This trigger runs the Exchange forwarding rule alerts playbook, which handles the External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule alerts.",
+ "trigger_name": "silent-Exchange forwarding rule configured Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "External Exchange inbox forwarding rule configured"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange inbox forwarding rule configured"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange email-hiding inbox rule"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Possible BEC Exchange email-hiding inbox rule"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Exchange email-hiding transport rule based on message keywords"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange email-hiding transport rule"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Exchange transport forwarding rule configured"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange transport forwarding rule configured"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
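Review bot: `suggestion_reason` and `description` name only three alerts (the two inbox forwarding rule alerts and the email-hiding inbox rule) while the `OR` filter matches eight, including the BEC and transport-rule variants, so a reader of the trigger text will underestimate what it fires on. Either list all eight names or phrase the description generically, e.g. `"description": "This trigger runs the Exchange forwarding rule alerts playbook, which handles the Exchange inbox and transport forwarding rule and email-hiding rule alerts listed in the filter."`. `suggestion_reason` is also missing the closing word "alerts" that the sibling triggers end with.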
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
new file mode 100644
index 00000000000..a2600701487
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "c3f1be30b61c743ffb869c7dbb0c51f9",
+ "playbook_id": "silent-Msiexec execution of an executable from an uncommon remote location Test",
+ "suggestion_reason": "Recommended for 'Msiexec execution of an executable from an uncommon remote location without properties' and 'Msiexec execution of an executable from an uncommon remote location with a specific port' alerts",
+ "description": "This trigger is responsible for handling the 'Msiexec execution of an executable from an uncommon remote location with a specific port' and 'Msiexec execution of an executable from an uncommon remote location without properties' alerts via the 'Msiexec_execution_of_an_executable_from_an_uncommon_remote_location' playbook",
+ "trigger_name": "silent-Msiexec execution of an executable from an uncommon remote location Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Msiexec execution of an executable from an uncommon remote location with a specific port"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Msiexec execution of an executable from an uncommon remote location without properties"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
new file mode 100644
index 00000000000..c690441e804
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
@@ -0,0 +1,20 @@
+{
+ "trigger_id": "407c5db410d816a487249e77cbbf411a",
+ "playbook_id": "silent-Netcat Makes or Gets Connections Test",
+ "suggestion_reason": "Recommended for `Netcat Makes or Gets Connections` Alerts ",
+ "description": "This trigger is responsible for handling `Netcat Makes or Gets Connections` alert",
+ "trigger_name": "silent-Netcat Makes or Gets Connections Test",
+ "fromVersion": "8.9.0",
+ "issilent": true,
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Netcat makes or gets connections"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
new file mode 100644
index 00000000000..ccadc0df258
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
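Review bot: This filter has no `alert_type NEQ Correlation` clause, which every other trigger in this change places alongside the `alert_name` match; `silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json` has the same omission. As written, a correlation-rule alert that carries the name "Netcat makes or gets connections" would also start this silent playbook, which is presumably not what the sibling triggers' authors wanted. If the exclusion is intended, add `{"SEARCH_FIELD": "alert_type", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Correlation"}` as a second member of the `AND` array; if the broader matching is deliberate, saying so in `description` stops the next reviewer from "fixing" it. `suggestion_reason` also ends with a trailing space inside the string and capitalises "Alerts", unlike the other triggers.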
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "5a18cefb3601f01ff4201962af6ae475",
+ "playbook_id": "silent-Office process creates a scheduled task via file access Test",
+ "suggestion_reason": "Recommended for the 'Office process creates a scheduled task via file access' alert",
+ "description": "This trigger is responsible for handling 'Office process creates a scheduled task via file access' alerts",
+ "trigger_name": "silent-Office process creates a scheduled task via file access Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Office process creates a scheduled task via file access"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
new file mode 100644
index 00000000000..aeecfb45244
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "edbc72:e3551d463dc2e16d3838c9af3",
+ "playbook_id": "silent-Remote WMI Process Execution Test",
+ "suggestion_reason": "Recommended for Remote WMI Process Execution alerts",
+ "description": "This trigger is responsible for handling Remote WMI Process Execution alerts",
+ "trigger_name": "silent-Remote WMI Process Execution Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Remote WMI process execution"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious remote WMI process execution"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
new file mode 100644
index 00000000000..0d6cd6cb642
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
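Review bot: `trigger_id` is `edbc72:e3551d463dc2e16d3838c9af3`, which contains a colon, whereas every other trigger id in this change is a 32-character lowercase hex string; `silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json` (`4ce60e9:49d518fdc734c3151e2cfe4a`) and `silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json` (`f7f6758a6905g037fec8a37308f1739a`, a `g` in position 13) have the same problem. These look like hand-edited or mis-pasted values rather than generated ones. Regenerate each as a fresh id in the same format as the others, e.g. `"trigger_id": "<new-32-hex-id>"`, and check what the content validator and the upload path do with a malformed id, since it is unclear from here whether it would be rejected or silently accepted.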
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "44d98a2f42036c1d90a3d45c23bb3282",
+ "playbook_id": "silent-SSO Authentication With Suspicious Characteristics Test",
+ "suggestion_reason": "Recommended for SSO Authentication With Suspicious Characteristics alerts",
+ "description": "This trigger is responsible for handling SSO Authentication With Suspicious Characteristics alerts",
+ "trigger_name": "silent-SSO Authentication With Suspicious Characteristics Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "SSO authentication attempt with suspicious characteristics"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Successful SSO authentication with suspicious characteristics"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
new file mode 100644
index 00000000000..80e585e31e5
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "36c302a212aa8edc87468e6b214b5f4e",
+ "playbook_id": "silent-Scheduled task created with HTTP or FTP reference Test",
+ "suggestion_reason": "Recommended for the 'Scheduled task created with HTTP or FTP reference' alert",
+ "description": "This trigger is responsible for handling 'Scheduled task created with HTTP or FTP reference' alert",
+ "trigger_name": "silent-Scheduled task created with HTTP or FTP reference Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Scheduled task created with HTTP or FTP reference"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
new file mode 100644
index 00000000000..ab4cd54ba60
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "06fd5112c09b4312c1a8e92bcb6aa30f",
+ "playbook_id": "silent-Successful guest user invitation Test",
+ "suggestion_reason": "Recommended for Valid Accounts alerts involving successful guest user invitations.",
+ "description": "This trigger is responsible for handling Valid Accounts alerts related to successful guest user invitations.",
+ "trigger_name": "silent-Successful guest user invitation Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Rare successful guest invitation in the organization"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
new file mode 100644
index 00000000000..5db61081f8a
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "4ce60e9:49d518fdc734c3151e2cfe4a",
+ "playbook_id": "silent-Suspicious Hidden User Created Test",
+ "suggestion_reason": "Recommended for Suspicious Hidden User Created alerts.",
+ "description": "This trigger is responsible for handling alerts where a suspicious hidden user is created.",
+ "trigger_name": "silent-Alert Trigger - Suspicious Hidden User Created Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious hidden user created"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
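Review bot: In the second hunk on this line (`silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json`), `trigger_name` is `silent-Alert Trigger - Suspicious Hidden User Created Test`, carrying an "Alert Trigger - " prefix that no other `trigger_name` in this change has and that its own `playbook_id` lacks; suggest `"trigger_name": "silent-Suspicious Hidden User Created Test"` so the trigger and playbook are listed under matching names. The guest-invitation hunk that precedes it on this line reads consistently.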
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
new file mode 100644
index 00000000000..9b2d65d61c3
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "1dd58cf4145efadf6f4d44f53ef5d034",
+ "playbook_id": "silent-Suspicious Local Administrator Login Test",
+ "suggestion_reason": "Recommended for Suspicious local administrator login alerts.",
+ "description": "This trigger is responsible for handling alerts for Suspicious local administrator login.",
+ "trigger_name": "silent-Suspicious local administrator login Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious local administrator login"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
new file mode 100644
index 00000000000..c6a76517acc
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "41f9310d50c55b761fdc0aa5c48d6459",
+ "playbook_id": "silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk process Test",
+ "suggestion_reason": "Recommended for the 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process' alert",
+ "description": "This trigger is responsible for handling 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process",
+ "trigger_name": "silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk process Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon creation or access operation of sensitive shadow copy by a high-risk process"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
new file mode 100644
index 00000000000..759a4d1b5fd
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
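Review bot: The `description` string opens a single quote before "Uncommon creation or access operation…" and never closes it, so the sentence ends mid-phrase; the value should end `… by a high-risk process' alert"` to match the `suggestion_reason` wording. Separately, the file is named `silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json` while `playbook_id` and `trigger_name` refer to "Uncommon creation or access operation of sensitive shadow copy by a high-risk process"; that file name may be inherited from the existing non-silent trigger, but it is the odd one out in this directory and worth confirming.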
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "e30b757218c4a36e4b94d8033cf55785",
+ "playbook_id": "silent-Suspicious certutil command line Test",
+ "suggestion_reason": "Recommended for the 'Suspicious certutil command line' alerts",
+ "description": "This trigger is responsible for handling 'Suspicious certutil command line' alerts",
+ "trigger_name": "silent-Suspicious certutil command line Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious certutil command line"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
new file mode 100644
index 00000000000..f0140cd7399
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
@@ -0,0 +1,39 @@
+{
+ "trigger_id": "a69c1c4b466ed567ee21a788e0146b21",
+ "playbook_id": "silent-Suspicious execution from tmp folder Test",
+ "suggestion_reason": "Recommended for 'Suspicious interactive execution of a binary from the tmp folder', 'Suspicious cron job task execution of a binary from the tmp folder' and 'A web server process executed an unpopular application from the tmp folder' alerts",
+ "description": "This trigger is responsible for handling the 'Suspicious interactive execution of a binary from the tmp folder', 'Suspicious cron job task execution of a binary from the tmp folder' and 'A web server process executed an unpopular application from the tmp folder' alerts via the 'Suspicious execution from tmp folder' playbook",
+ "trigger_name": "silent-Suspicious execution from tmp folder Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious process execution from tmp folder"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious interactive execution of a binary from the tmp folder"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious cron job task execution of a binary from the tmp folder"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A web server process executed an unpopular application from the tmp folder"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
new file mode 100644
index 00000000000..b81caa72ee6
--- /dev/null
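Review bot: The `AND` array in this filter holds only the `OR` of alert names and omits the `alert_type` guard that every sibling trigger in this commit carries, so correlation-type alerts that happen to carry one of these names would also start the silent playbook; if that widening is not intended, add `{"SEARCH_FIELD": "alert_type", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Correlation"}` as a second element of the `AND` array. The `OR` also matches a fourth name, 'Suspicious process execution from tmp folder', that neither `suggestion_reason` nor `description` mentions, so the documented scope is narrower than the real one; either list that alert in both strings or drop it from the filter.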
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "f7f6758a6905g037fec8a37308f1739a",
+ "playbook_id": "silent-Suspicious process execution by scheduled task on a sensitive server Test",
+ "suggestion_reason": "Recommended for the 'Suspicious process execution by scheduled task on a sensitive server' alert",
+ "description": "This trigger is responsible for handling 'Suspicious process execution by scheduled task on a sensitive server' alert",
+ "trigger_name": "silent-Suspicious process execution by scheduled task on a sensitive server Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious process execution by scheduled task on a sensitive server"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
new file mode 100644
index 00000000000..72077339360
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
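Review bot: The `trigger_id` here, `f7f6758a6905g037fec8a37308f1739a`, contains a `g`, which is not a hexadecimal digit, and the ODBCConf trigger that follows has the same defect in `214d2812b0ffe67e5459g0ee54049d3a`. Every other `trigger_id` in this commit is 32 hex characters, so these two read as typos in a hex identifier rather than deliberate values. If the platform or the content validator parses `trigger_id` as hex or a UUID-derived value these files will be rejected, and even as opaque strings they cannot correspond to an id produced the usual way. Regenerate both as 32-character hex strings, i.e. `"trigger_id": "<32-hex-id placeholder>"`, before merging.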
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "214d2812b0ffe67e5459g0ee54049d3a",
+ "playbook_id": "silent-Uncommon execution of ODBCConf Test",
+ "suggestion_reason": "Recommended for the 'Uncommon execution of ODBCConf' alert.",
+ "description": "This trigger is responsible for handling 'Uncommon execution of ODBCConf' alerts.",
+ "trigger_name": "silent-Uncommon execution of ODBCConf Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon execution of ODBCConf"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon execution of ODBCConf to load dll directly"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
new file mode 100644
index 00000000000..0eff050ecd4
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
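Review bot: `suggestion_reason` and `description` name only the 'Uncommon execution of ODBCConf' alert, but the `OR` filter also matches 'Uncommon execution of ODBCConf to load dll directly', so the text under-states what this silent playbook will pick up. I would write `"suggestion_reason": "Recommended for the 'Uncommon execution of ODBCConf' and 'Uncommon execution of ODBCConf to load dll directly' alerts",` and `"description": "This trigger is responsible for handling the 'Uncommon execution of ODBCConf' and 'Uncommon execution of ODBCConf to load dll directly' alerts",`. That also removes the trailing periods, which no other trigger in this commit uses.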
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "b0becdc3d9a6a5636291dd23bf5998b1",
+ "playbook_id": "silent-Uncommon remote scheduled task created Test",
+ "suggestion_reason": "Recommended for the 'Uncommon remote scheduled task created' alert",
+ "description": "This trigger is responsible for handling 'Uncommon remote scheduled task created",
+ "trigger_name": "silent-Uncommon remote scheduled task created Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon remote scheduled task created"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
new file mode 100644
index 00000000000..5abafc8d4c4
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "a8782c70ecf48029bd6c6634f1c5beb5",
+ "playbook_id": "silent-Unprivileged process opened a registry hive Test",
+ "suggestion_reason": "Recommended for 'Unprivileged process opened a registry hive' alert",
+ "description": "This trigger is responsible for handling the 'Unprivileged process opened a registry hive' alert",
+ "trigger_name": "silent-Unprivileged process opened a registry hive Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unprivileged process opened a registry hive"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true,
+ "fromVersion": "8.9.0"
+}
\ No newline at end of file
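Review bot: `fromVersion` is placed after `issilent` at the very end of this object, and the 'Unprivileged process opened a registry hive' trigger on the same line does the same, whereas every other trigger in this commit puts `fromVersion` directly after `trigger_name`. Key order carries no meaning in JSON, so this is style only, but moving `"fromVersion": "8.9.0",` up to follow `trigger_name` in both files keeps the new triggers uniform and makes side-by-side review of the filters easier.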
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
new file mode 100644
index 00000000000..6834069da14
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
@@ -0,0 +1,49 @@
+{
+ "trigger_id": "934cafcebab59e0ca432603850b0e2e5",
+ "playbook_id": "silent-Unsigned and unpopular process performed an injection Test",
+ "suggestion_reason": "Recommended for 'Unsigned and unpopular process performed an injection' alerts",
+ "description": "This trigger is responsible for handling several the 'Unsigned and unpopular process performed an injection' alerts",
+ "trigger_name": "silent-Unsigned and unpopular process performed an injection Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed injection into a commonly abused process"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed process hollowing injection"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed queue APC injection"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed injection into a sensitive process"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed injection into svchost.exe"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
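Review bot: The `description` reads "handling several the 'Unsigned and unpopular process performed an injection' alerts", a word-order slip; `"description": "This trigger is responsible for handling several 'Unsigned and unpopular process performed an injection' alerts",` reads correctly. Since the five names in the `OR` are all specific variants that differ from the generic phrase in `suggestion_reason`, consider enumerating them in `description` the way the tmp-folder trigger does, so a reader sees the exact scope of the silent playbook without opening the filter.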
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
new file mode 100644
index 00000000000..766499c1501
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "da8d34ff22661f1bddb0fa372aee9dca",
+ "playbook_id": "silent-Unusual process accessed web browser credentials and executed by a terminal process Test",
+ "suggestion_reason": "Recommended for the 'Unusual process accessed web browser credentials and executed by a terminal process",
+ "description": "This trigger is responsible for handling 'Unusual process accessed web browser credentials and executed by a terminal process' alerts",
+ "trigger_name": "silent-Unusual process accessed web browser credentials and executed by a terminal process Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unusual process accessed web browser credentials and executed by a terminal process"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
new file mode 100644
index 00000000000..e754004cfee
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "87918b1270d5c44ac4e1d7abf2eefa12",
+ "playbook_id": "silent-User added to local administrator group using a PowerShell command Test",
+ "suggestion_reason": "Recommended for the 'User added to local administrator group using a PowerShell command' alert",
+ "description": "This trigger is responsible for handling 'User added to local administrator group using a PowerShell command' alert",
+ "trigger_name": "silent-User added to local administrator group using a PowerShell command Test",
+ "fromVersion": "8.9.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "User added to local administrator group using a PowerShell command"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/pack_metadata.json b/Packs/CortexResponseAndRemediation/pack_metadata.json
index 3a1e9b389c1..898f4412ba5 100644
--- a/Packs/CortexResponseAndRemediation/pack_metadata.json
+++ b/Packs/CortexResponseAndRemediation/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cortex Response And Remediation",
 "description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
 "support": "xsoar",
- "currentVersion": "1.1.19",
+ "currentVersion": "1.1.20",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",