From db4b63c1fcfe8ef1f2d1627187e18bab85f6cbf0 Mon Sep 17 00:00:00 2001 
From: ArikDay
Date: Mon, 3 Mar 2025 11:09:54 +0200
Subject: [PATCH 01/14] playbooks
---
 ...ybook-A_Successful_login_from_TOR_Test.yml | 702 ++++++
 ...as_configured_in_Google_Workspace_Test.yml | 1601 +++++++++++++
 ...A_successful_SSO_sign-in_from_TOR_Test.yml | 616 +++++
 ...multiple_LDAP_enumeration_queries_Test.yml | 1895 +++++++++++++++
 ...s_Executed_With_Rare_Command_Line_Test.yml | 1407 +++++++++++
 ..._account_unlock_or_password_reset_Test.yml | 1423 ++++++++++++
 ...ejected_numerous_SSO_MFA_attempts_Test.yml | 1468 ++++++++++++
 ...ential_Dumping_using_a_known_tool_Test.yml | 562 +++++
 ...on_remote_scheduled_task_creation_Test.yml | 1204 ++++++++++
 ...nt-playbook-Event_Log_Was_Cleared_Test.yml | 503 ++++
 ...k-Excessive_User_Account_Lockouts_Test.yml | 1142 +++++++++
 ...-Exchange_User_Mailbox_Forwarding_Test.yml | 1576 +++++++++++++
 ...change_forwarding_rule_configured_Test.yml | 1605 +++++++++++++
 ..._from_an_uncommon_remote_location_Test.yml | 1176 ++++++++++
 ..._a_scheduled_task_via_file_access_Test.yml | 1456 ++++++++++++
 ...book-Remote_WMI_Process_Execution_Test.yml | 1005 ++++++++
 ...n_With_Suspicious_Characteristics_Test.yml | 1140 +++++++++
 ...reated_with_HTTP_or_FTP_reference_Test.yml | 1045 +++++++++
 ...-Successful_guest_user_invitation_Test.yml | 1511 ++++++++++++
 ...ok-Suspicious_Hidden_User_Created_Test.yml | 1115 +++++++++
 ...picious_Local_Administrator_Login_Test.yml | 673 ++++++
 ..._SaaS_Access_From_a_TOR_Exit_Node_Test.yml | 1066 +++++++++
 ...-Suspicious_certutil_command_line_Test.yml | 2048 +++++++++++++++++
 ...picious_execution_from_tmp_folder_Test.yml | 1245 ++++++++++
 ...eduled_task_on_a_sensitive_server_Test.yml | 797 +++++++
 ...hadow_copy_by_a_high_risk_process_Test.yml | 840 +++++++
 ...ok-Uncommon_execution_of_ODBCConf_Test.yml | 634 +++++
 ...mon_remote_scheduled_task_created_Test.yml | 1324 +++++++++++
 ...ed_process_opened_a_registry_hive_Test.yml | 560 +++++
 ...ar_process_performed_an_injection_Test.yml | 754 ++++++
 ...nd_executed_by_a_terminal_process_Test.yml | 982 ++++++++
 ..._group_using_a_PowerShell_command_Test.yml | 650 ++++++
 32 files changed, 35725 insertions(+)
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Office_process_creates_a_scheduled_task_via_file_access_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Remote_WMI_Process_Execution_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml
 create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
new file mode 100644
index 000000000000..7aeb02a92c30
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
@@ -0,0 +1,702 @@ +description: "This playbook is designed to handle the following alert:\n\n- A successful\ + \ login from TOR\n\nThe playbook executes the following stages:\n\nTriage:\n\n-\ + \ The playbook will fetch the user identity details.\n\nRemediation & Eradication:\n\ + \n- The playbooks will suggest several actions for the analyst to take: disabling\ + \ the user account using Active Directory or Azure Active Directory, expiring the\ + \ user password using Active Directory, or blocking traffic from TOR exit nodes\ + \ using PAN-OS and Palo Alto Networks' predefined EDL.\n\nThe analyst can select\ + \ multiple actions, which will then be executed by the playbook based on the analyst's\ + \ choices.\n\nRequirements: \nFor any response action, you will need one of the\ + \ following integrations: Azure Active Directory Users / Active Directory Users." +fromversion: 6.10.0 +id: silent-A Successful login from TOR Test +inputs: [] +issilent: true +name: silent-A Successful login from TOR Test +outputs: [] +starttaskid: '0' +tags: +- TA0001 - Initial Access +- T1090 - Proxy +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 31ec7e08-1f47-4c7c-8152-2892e9e547a9 + iscommand: false + name: '' + version: -1 + taskid: 31ec7e08-1f47-4c7c-8152-2892e9e547a9 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -70\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d792840b-3502-4cc8-87c4-2f02e5661e06 + iscommand: false + name: Containment & Eradication + type: title + version: 
-1 + taskid: d792840b-3502-4cc8-87c4-2f02e5661e06 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 360\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '4' + note: true + quietmode: 0 + scriptarguments: + sAMAccountName: + simple: ${Core.OriginalAlert.event.login_data_dst_normalized_user.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieves detailed information about a user account. The user can + be specified by name, email address, or as an Active Directory Distinguished + Name (DN). If no filter is specified, all users are returned. + id: b5b43e75-8fc6-4216-8302-8bfffe18b6b7 + iscommand: true + name: Active Directory - Search User + script: '|||ad-get-user' + type: regular + version: -1 + taskid: b5b43e75-8fc6-4216-8302-8bfffe18b6b7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 660\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${ActiveDirectory.Users.sAMAccountName} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disables an Active Directory user account. 
+ id: 8729df19-7078-4516-826d-0566d3be66d8 + iscommand: true + name: Active Directory - Disable User Account + script: '|||ad-disable-account' + type: regular + version: -1 + taskid: 8729df19-7078-4516-826d-0566d3be66d8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 990\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: a402f3c4-396d-4962-8210-267d645ad480 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: a402f3c4-396d-4962-8210-267d645ad480 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1640\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a5cfd092-601a-4ff2-8f25-7cabd460ec84 + iscommand: false + name: Done + type: title + version: -1 + taskid: a5cfd092-601a-4ff2-8f25-7cabd460ec84 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1800\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${Core.OriginalAlert.event.login_data_dst_normalized_user.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Expires the password of an Active Directory user. 
+ id: a6e46587-a13a-4ca9-8276-199a1743d113 + iscommand: true + name: Active Directory - Expire User Password + script: '|||ad-expire-password' + type: regular + version: -1 + taskid: a6e46587-a13a-4ca9-8276-199a1743d113 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -460,\n \"y\": 990\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. + id: 82ced8bc-aea8-486b-8f86-374b6254bc37 + iscommand: true + name: Get User Identity Details + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 82ced8bc-aea8-486b-8f86-374b6254bc37 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 200\n }\n}" + '19': + continueonerror: true + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: true + quietmode: 0 + scriptarguments: + filter: + simple: startswith(userPrincipalName,'${Core.OriginalAlert.event.login_data_dst_normalized_user.username}@') + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Retrieves a list of user objects. + + Permissions: - User.ReadBasic.All (Delegated) - User.Read.All (Application).' 
+ id: f0c501d7-19d6-4ef6-8864-980df56d8132 + iscommand: true + name: Azure AD - Search User + script: '|||msgraph-user-list' + type: regular + version: -1 + taskid: f0c501d7-19d6-4ef6-8864-980df56d8132 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 660\n }\n}" + '2': + continueonerrortype: '' + form: + description: '' + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Select containment plan for the user ${alert.username.[0]} + options: [] + optionsarg: + - {} + - simple: Disable the user account + - simple: Expire the user password (Active Directory Only) + placeholder: '' + readonly: false + required: false + tooltip: '' + type: multiSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '1' + label: '' + labelarg: + simple: "Would you like to block traffic from TOR exit nodes using PAN-OS\ + \ and Palo Alto Networks predefined EDL. \nNOTICE: By selecting \"Yes,\ + \ commit automatically\" you are allowing to automatically commit the\ + \ rule to your firewalls." 
+ options: [] + optionsarg: + - simple: 'No' + - simple: Yes, commit manually + - simple: Yes, commit automatically + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Select containment & Eradication plans + totalanswers: 0 + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '8' + - '19' + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 331cade7-b3e9-4a82-8cf8-1ee613a71d7c + iscommand: false + name: Select containment & Eradication plans + type: collection + version: -1 + taskid: 331cade7-b3e9-4a82-8cf8-1ee613a71d7c + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 490\n }\n}" + '20': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.0 + operator: containsGeneral + right: + value: + simple: Disable the user account + - - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + 'yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f5edf591-d22f-4306-8852-4f8d17ffee3f + iscommand: false + name: Disable User Account? 
+ type: condition + version: -1 + taskid: f5edf591-d22f-4306-8852-4f8d17ffee3f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 820\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: 1adf22f2-87e0-415b-8aad-495172d41031 + iscommand: true + name: Azure AD - Disable User Account + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 1adf22f2-87e0-415b-8aad-495172d41031 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 990\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 964e5b3e-f677-43bd-87f8-84e400da8a36 + iscommand: false + name: Triage + type: title + version: -1 + taskid: 964e5b3e-f677-43bd-87f8-84e400da8a36 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 60\n }\n}" + '3': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.0 + operator: containsGeneral + right: + value: + simple: Disable the user account + - - left: + iscontext: true + value: + simple: ActiveDirectory.Users.sAMAccountName + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '3' + 
ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + 'yes': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9e1167c7-f6f3-4230-8db0-ef2f65c915b7 + iscommand: false + name: Disable User Account? + type: condition + version: -1 + taskid: 9e1167c7-f6f3-4230-8db0-ef2f65c915b7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 830\n }\n}" + '4': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.0 + operator: containsGeneral + right: + value: + simple: Expire the user password (Active Directory Only) + - - left: + iscontext: true + value: + simple: ActiveDirectory.Users.sAMAccountName + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + 'yes': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 08e40ba9-ff3b-4bdf-809c-914a919a54fa + iscommand: false + name: Expire User Password? 
+ type: condition + version: -1 + taskid: 08e40ba9-ff3b-4bdf-809c-914a919a54fa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -460,\n \"y\": 830\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.1 + operator: containsGeneral + right: + value: + simple: Yes, commit automatically + - ignorecase: true + left: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.1 + operator: containsGeneral + right: + value: + simple: Yes, commit manually + label: 'yes' + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b31d6055-ca01-444c-8587-c9b76b4fed78 + iscommand: false + name: Block Traffic From TOR Exit Nodes? 
+ type: condition + version: -1 + taskid: b31d6055-ca01-444c-8587-c9b76b4fed78 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1300\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: 'No' + equals: {} + lhs: + iscontext: true + value: + simple: Select containment & Eradication plans.Answers.1 + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: Yes, commit automatically + rhsB: {} + then: + value: + simple: 'Yes' + operator: If-Then-Else + EDLName: + simple: panw-torexit-ip-list + RuleName: + simple: TOR Exit nodes from predefined EDLs was Blocked by Cortex XSIAM + separatecontext: true + skipunavailable: true + task: + brand: '' + description: This playbook blocks IP addresses from External Dynamic List using + Custom Block Rules in Palo Alto Networks Panorama or Firewall. The playbook + receives an EDL name as input, creates a custom "from" directional rule to + block, and commits the configuration. 
+ id: 4e9d89fa-2d50-46c7-8e68-b33cda0f4dbe + iscommand: false + name: PAN-OS - Block IPs From EDL - Custom Block Rule + playbookId: PAN-OS - Block IPs From EDL - Custom Block Rule + type: playbook + version: -1 + taskid: 4e9d89fa-2d50-46c7-8e68-b33cda0f4dbe + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 880,\n \"y\": 1470\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 16e0ff95-8ea1-4a5c-84a5-45b385dd19ff + iscommand: false + name: Eradication + type: title + version: -1 + taskid: 16e0ff95-8ea1-4a5c-84a5-45b385dd19ff + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1160\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"20_8_#default#\": 0.23,\n \"3_12_yes\"\ + : 0.7,\n \"3_8_#default#\": 0.43,\n \"4_8_#default#\": 0.23,\n \"5_7_yes\"\ + : 0.51\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 1935,\n \ + \ \"width\": 1720,\n \"x\": -460,\n \"y\": -70\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml new file mode 100644 index 000000000000..a1f5eabcfd7f --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml 
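Review bot: Task '8' ("Eradication") is a `type: title` task with `iscommand: false`, yet it carries `brand: Builtin` and `description: commands.local.cmd.close.inv`, the metadata of the Close Alert task '13'; the other title tasks ('1', '14', '23') use `brand: ''` and `description: ''`, so these two fields should be reset to the same empty values. Its `nexttasks` also lists both '5' and '13', so Close Alert is reachable straight from the title as well as after the "Block Traffic From TOR Exit Nodes?" decision; if the engine runs '13' as soon as the first path reaches it, the alert could be closed while the PAN-OS block sub-playbook in task '7' is still running, so it is worth confirming whether `- '13'` should be dropped from task '8' and reached only via '5' and '7'. Condition '4' sets `ignorecase: true` on its answer match while the parallel conditions '3' and '20' do not, which makes the three containment checks behave differently on the same form answer. Separately, question '0' of the collection form in task '2' lists an empty `- {}` entry ahead of the two real options, which presumably renders as a blank choice unless that is intentional.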
@@ -0,0 +1,1601 @@ +description: "This playbook addresses the following alerts:\n\n- A mail forwarding\ + \ rule was configured in Google Workspace.\n- A mail forwarding rule was configured\ + \ in Google Workspace to an uncommon domain.\n\nPlaybook Stages:\n \nTriage: \n\n\ + - The playbook retrieves the caller's IP, the forwarding email address, and associated\ + \ filters.\n\nEarly Containment:\n\n- The playbook checks if the IP or domain of\ + \ the forwarding email address is malicious. If so, it suggests blocking the IP\ + \ using PAN-OS while continuing the investigation in parallel.\n\nInvestigation:\n\ + \n- The playbook verifies if the rule was created outside of working hours or from\ + \ an unusual geolocation and extracts suspicious keywords from the forwarding rules.\ + \ It then aggregates all evidence collected during the investigation.\n\nContainment:\n\ + \n- If only one suspicious evidence is found, the playbook executes soft response\ + \ actions, including signing the user out and deleting the forwarding email address\ + \ from the user account mailbox. The user will be notified of these actions via\ + \ email.\n- If multiple suspicious evidences are found, the playbook executes both\ + \ soft and hard response actions, recommending the analyst suspend the user account.\n\ + \nRequirements: \n\nFor any response action, you need one of the following integrations:\n\ + - Gmail integration to fetch filters and remove the forwarding email address.\n\ + - Google Workspace Admin access to sign out and suspend the user account.\n" +fromversion: 6.10.0 +id: silent-A mail forwarding rule was configured in Google Workspace Test +inputSections: +- description: Generic group for inputs + inputs: + - SendNotification + name: General (Inputs group) +inputs: +- description: If set to "true," the playbook will send an email notification to the + user informing them that the forwarding address was deleted. If "false," no notification + will be sent. 
+ key: SendNotification + playbookInputQuery: null + required: false + value: + simple: 'true' +issilent: true +marketplaces: +- marketplacev2 +name: silent-A mail forwarding rule was configured in Google Workspace Test +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0009 - Collection +- T1114 - Email Collection +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f54996ae-66c2-4d51-8fe3-a1ad489e4afb + iscommand: false + name: '' + version: -1 + taskid: f54996ae-66c2-4d51-8fe3-a1ad489e4afb + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -20\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '2' + - '12' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 586f11c0-89b5-4c58-86df-36aa1af4305d + iscommand: true + name: Get caller IP and forwarding mail address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 586f11c0-89b5-4c58-86df-36aa1af4305d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 110\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + scriptarguments: + forwarding_email: + simple: ${Core.OriginalAlert.event.raw_log.events.parameters.value} + user_id: + simple: ${Core.OriginalAlert.event.raw_log.actor.profileId} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Gets the specified forwarding address or a list of the forwarding + addresses for the specified account. + id: f636844f-1e17-47eb-8b12-e862f2863b85 + iscommand: true + name: Gmail - Get forwarding email address + script: '|||gmail-forwarding-address-get' + type: regular + version: -1 + taskid: f636844f-1e17-47eb-8b12-e862f2863b85 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1530\n }\n}" + '12': + continueonerror: true + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: caller_ip + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 4a1a1abf-ed23-4539-892a-03f8111fb08c + iscommand: true + name: Get caller IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 4a1a1abf-ed23-4539-892a-03f8111fb08c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 280\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 23be2a95-6283-4e18-865a-9ce05445701f + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 23be2a95-6283-4e18-865a-9ce05445701f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 810\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + complex: + accessor: caller_ip + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. 
If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' + id: f0dd7de0-9eac-4e6f-86a1-dd9ff4dc93f6 + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: f0dd7de0-9eac-4e6f-86a1-dd9ff4dc93f6 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 945\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + closeReason: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs != rhs + conditionB: {} + conditionInBetween: {} + else: + value: + simple: Resolved as FALSE_POSITIVE - Handled by the playbook "A + mail forwarding rule was configured in Google Workspace" + equals: {} + lhs: + iscontext: true + value: + simple: Evidences + lhsB: {} + options: {} + optionsB: {} + rhs: {} + rhsB: {} + then: + value: + simple: Resolved as TRUE_POSITIVE - Handled by the playbook "A mail + forwarding rule was configured in Google Workspace" + operator: If-Then-Else + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 3028fe8a-9e44-4203-8458-c6be36fc42a7 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 3028fe8a-9e44-4203-8458-c6be36fc42a7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2410\n }\n}" + '18': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Gmail.ForwardingAddress.forwardingEmail + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '18' + ignoreworker: false + 
isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: de8e5625-536a-4bb9-8bdc-70ee14eb72ff + iscommand: false + name: Check if the forwarding mail address still exists + type: condition + version: -1 + taskid: de8e5625-536a-4bb9-8bdc-70ee14eb72ff + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1690\n }\n}" + '2': + continueonerror: true + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: value + root: Core.OriginalAlert.event.raw_log.events.parameters + transformers: + - args: + delimiter: + value: + simple: '@' + fields: + value: + simple: '2' + operator: Cut + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the reputation of a domain. 
+ id: bfb51251-f775-4f54-8ad2-20a46e1f1ac0 + iscommand: true + name: Get forwarding email domain reputation + script: '|||domain' + type: regular + version: -1 + taskid: bfb51251-f775-4f54-8ad2-20a46e1f1ac0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 280\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fe775a32-55a3-45a0-8502-c6e319e7ae91 + iscommand: false + name: Done + type: title + version: -1 + taskid: fe775a32-55a3-45a0-8502-c6e319e7ae91 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2570\n }\n}" + '21': + continueonerror: true + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + scriptarguments: + begin_time: + simple: '22:00:00' + end_time: + simple: 06:00:00 + extend-context: + simple: IsOutOfWorkingHours= + value: + complex: + accessor: event_timestamp + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: TimeStampToDate + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the given value is within the specified time (hour) + range. 
+ id: 252d8473-0602-420c-8fef-df880efcc695 + iscommand: false + name: Check if the rule was created outside of working hours + scriptName: BetweenHours + type: regular + version: -1 + taskid: 252d8473-0602-420c-8fef-df880efcc695 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 765\n }\n}" + '22': + continueonerror: true + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: IsAbnormalGeolocation= + left: + simple: ${Core.OriginalAlert.raw_abioc.event.saas_caller_ip_geolocation_days_seen_count},${Core.OriginalAlert.raw_abioc.event.service_caller_ip_asn_days_seen_count} + right: + simple: '0' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Returns all elements from the left side that have a substring + that is equal to an element from the right side. Note: This filter is case-insensitive. + + E.g -AnyMatch left=baby right=A will return baby. For more examples see the + filter''s Readme.' + id: a1b2240d-c96c-46a2-8749-c94f8a214538 + iscommand: false + name: Check for unusual geolocation connections + scriptName: AnyMatch + type: regular + version: -1 + taskid: a1b2240d-c96c-46a2-8749-c94f8a214538 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 765\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + scriptarguments: + forwarding_email: + simple: ${Gmail.ForwardingAddress.forwardingEmail} + user_id: + simple: ${Gmail.ForwardingAddress.userId} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Deletes the specified forwarding address and revokes any verification + that may have been required. 
This method is only available to service account + clients that have been delegated domain-wide authority. + id: 3023b302-dc80-4e51-8b44-4489de9d410c + iscommand: true + name: Gmail - Remove forwarding mail address + script: '|||gmail-forwarding-address-remove' + type: regular + version: -1 + taskid: 3023b302-dc80-4e51-8b44-4489de9d410c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1880\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + - '49' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f069e81d-7b35-45fc-864e-25e9051482ab + iscommand: false + name: Soft Response + type: title + version: -1 + taskid: f069e81d-7b35-45fc-864e-25e9051482ab + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1400\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 68992710-f44d-47dc-8ddb-82e8cea3339c + iscommand: false + name: Hard Response + type: title + version: -1 + taskid: 68992710-f44d-47dc-8ddb-82e8cea3339c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1400\n }\n}" + '29': + continueonerrortype: '' + form: + description: The investigation identified several suspicious indicators, suggesting + that the user who created the forwarding rule may have been compromised. The + forwarding email and associated filters have been automatically removed. Please + review and decide if any additional actions should be taken. 
+ expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "The following evidence was found: \n\n${Evidences}\n\nWould you\ + \ like to suspend the account ${Core.OriginalAlert.raw_abioc.event.identity_name}\ + \ using Google Workspace Admin?" + options: [] + optionsarg: + - {} + - simple: 'Yes' + - simple: 'No ' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Select user account containment steps + totalanswers: 0 + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 10a29f38-0fc1-4df2-82bc-e7afb761788b + iscommand: false + name: Decide Whether to Suspend User Account + type: collection + version: -1 + taskid: 10a29f38-0fc1-4df2-82bc-e7afb761788b + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1530\n }\n}" + '3': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: 
+ iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4f9ab5b8-efb8-4999-873c-8390d318895c + iscommand: false + name: Check if forwarding email domain or IP is malicious + type: condition + version: -1 + taskid: 4f9ab5b8-efb8-4999-873c-8390d318895c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 450\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + user_key: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Signs a user out of all web and device sessions and reset their + sign-in cookies. + id: 172b1869-9064-4a18-869e-a522b8602b9a + iscommand: true + name: Sign-Out user account from Google Workspace + script: '|||gsuite-user-signout' + type: regular + version: -1 + taskid: 172b1869-9064-4a18-869e-a522b8602b9a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 2240\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + suspended: + simple: 'true' + user_key: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Updates a user. 
+ id: 1b880cd2-e9af-4734-8364-ead4ccdb0a7b + iscommand: true + name: Suspend user in google workspace + script: '|||gsuite-user-update' + type: regular + version: -1 + taskid: 1b880cd2-e9af-4734-8364-ead4ccdb0a7b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1880\n }\n}" + '33': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select user account containment steps.Answers.0 + operator: containsGeneral + right: + value: + simple: 'yes' + label: 'yes' + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2e040f98-61ea-4032-826c-66b48eece3d7 + iscommand: false + name: Check analyst decision + type: condition + version: -1 + taskid: 2e040f98-61ea-4032-826c-66b48eece3d7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1690\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 52b78c1f-6c70-4221-8440-d99cd5fa754c + iscommand: false + name: Early Containment Complete + type: title + version: -1 + taskid: 52b78c1f-6c70-4221-8440-d99cd5fa754c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 2270\n }\n}" + '37': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '1' + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: 
true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fdc9701c-599a-4494-8a76-9b500a2bf90e + iscommand: false + name: Check if suspicious evidence detected + type: condition + version: -1 + taskid: fdc9701c-599a-4494-8a76-9b500a2bf90e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 1240\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + - '17' + - '46' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 65753a7c-d6c1-4592-8094-7a9efe197055 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: 65753a7c-d6c1-4592-8094-7a9efe197055 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1100\n }\n}" + '40': + continueonerror: true + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '44' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: SuspiciousKeyWords + stringify: + simple: 'true' + value: + complex: + accessor: Criteria.query + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: 
Gmail.Filter.Action.forward + operator: containsGeneral + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.raw_log.events.parameters.value + root: Gmail.Filter + transformers: + - operator: StringifyArray + - args: + error_if_no_match: {} + ignore_case: + value: + simple: 'true' + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: \b(accounting|agreement|bank|bic|capital call|cash|confidential|contribution|credentials|credit|deposit|dividend|docusign|finance|fund|iban|invoice|password|payment|payroll|purchase|sensitive|shares|ssn|statement|swift|tax|transfer|w2|wire|wiring + info|withdrawal)\b + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: cc0a92a6-27ec-43ee-852a-d6368282a74d + iscommand: false + name: Extract suspicious keywords from the forwarding rules + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: cc0a92a6-27ec-43ee-852a-d6368282a74d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 765\n }\n}" + '43': + continueonerror: true + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + 
'#none#': + - '4' + note: true + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + stringify: + simple: 'true' + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: IsAbnormalGeolocation.[0] + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: 'True' + rhsB: {} + then: + value: + simple: The user connected from an unusual geolocation. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 9b154689-28ab-4f05-8ba4-e3cc23859851 + iscommand: false + name: Set abnormal geolocation to evidence + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9b154689-28ab-4f05-8ba4-e3cc23859851 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 930\n }\n}" + '44': + continueonerror: true + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: true + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: 
+ complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs!=rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: SuspiciousKeyWords + lhsB: {} + options: {} + optionsB: {} + rhs: {} + rhsB: {} + then: + value: + simple: User has defined forwarding rule with querying for suspicious + words + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 47ef82fb-1c7d-4c4b-8f3b-40c46d3c5bac + iscommand: false + name: Set suspicious keywords to evidence + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 47ef82fb-1c7d-4c4b-8f3b-40c46d3c5bac + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 930\n }\n}" + '45': + continueonerror: true + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: true + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + stringify: + simple: 'true' + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: + value: + simple: 
lhsB==rhsB + conditionInBetween: + value: + simple: and + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: IsOutOfWorkingHours + lhsB: + iscontext: true + value: + simple: alert.severity + options: {} + optionsB: {} + rhs: + value: + simple: 'true' + rhsB: + value: + simple: '3' + then: + value: + simple: User took action outside of working hours + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 80b45a10-5b09-4f0f-89af-c4aced6131cd + iscommand: false + name: Set abnormal working hours to evidence + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 80b45a10-5b09-4f0f-89af-c4aced6131cd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 930\n }\n}" + '46': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '2' + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - ignorecase: true + left: + 
iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: GSuiteAdmin + - - left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 652eb822-a99d-4d31-8777-3d912ffd8e29 + iscommand: false + name: Check if multiple suspicious evidence detected + type: condition + version: -1 + taskid: 652eb822-a99d-4d31-8777-3d912ffd8e29 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 1240\n }\n}" + '47': + continueonerror: true + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + htmlBody: + simple: "\n\n\n \n\n\n\ + \n
\n

Dear <${Core.OriginalAlert.raw_abioc.event.identity_name}>,

\n\ + \ \n

As part of our ongoing security measures, we detected unusual\ + \ activity associated with your mailbox. A forwarding address and associated\ + \ rule were automatically removed from your account to protect your data\ + \ and ensure the security of our systems.

\n\n

If you did not set\ + \ up these rules, we recommend reviewing your recent activity and updating\ + \ your account password immediately. If you require assistance or further\ + \ information, please contact our security team.

\n\n

Thank you for\ + \ your understanding and cooperation.

\n
\n\n\n\n" + subject: + simple: Forwarding Rule and Address Removed from Your Mailbox + to: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + using: + simple: Built-in Mail Sender + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Sends an email. + id: 8f88c80e-c7e1-41f0-8f57-2e0b353172ca + iscommand: true + name: Send user notification via Email + script: '|||send-mail' + type: regular + version: -1 + taskid: 8f88c80e-c7e1-41f0-8f57-2e0b353172ca + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2240\n }\n}" + '48': + continueonerror: true + continueonerrortype: '' + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: true + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + stringify: + simple: 'true' + value: + simple: Known malicious indicators detected + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: f747c163-e58c-4da6-883b-a245234aed44 + iscommand: false + name: Save known malicious indicators detected to evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: f747c163-e58c-4da6-883b-a245234aed44 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -580,\n \"y\": 620\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '50' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve a user's details given a user key. 
+ id: 89920c84-f44d-45ce-8bc5-0577831df61f + iscommand: true + name: Get Google Workspace user account + script: '|||gsuite-user-get' + type: regular + version: -1 + taskid: 89920c84-f44d-45ce-8bc5-0577831df61f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 1880\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + - '40' + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 971290fa-daf4-4510-81d2-610dd2cb9751 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 971290fa-daf4-4510-81d2-610dd2cb9751 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 620\n }\n}" + '50': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: GSuite.User.id + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '50' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 212fa2bf-f6ce-458e-846d-0536d50ed840 + iscommand: false + name: Check if Google Workspace user account found + type: condition + version: -1 + taskid: 212fa2bf-f6ce-458e-846d-0536d50ed840 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 2040\n }\n}" + '52': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: inputs.SendNotification + operator: isEqualString + right: + value: + simple: 'true' + label: 'yes' + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + 'yes': + - '47' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d87cf812-ca8d-4017-85a4-aedb561018e7 + iscommand: false + name: Check user notification requirement + type: condition + version: -1 + taskid: d87cf812-ca8d-4017-85a4-aedb561018e7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2040\n }\n}" + '6': + continueonerror: true + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + user-id: + simple: ${Core.OriginalAlert.event.raw_log.actor.profileId} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Lists all filters in a user's mailbox. + id: 59e8a285-2f0f-49c3-83c8-f7126a101b53 + iscommand: true + name: Get filters for the specific forwarding address + script: '|||gmail-list-filters' + type: regular + version: -1 + taskid: 59e8a285-2f0f-49c3-83c8-f7126a101b53 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 830,\n \"y\": 280\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"18_17_#default#\": 0.31,\n \"18_25_yes\"\ + : 0.55,\n \"33_17_#default#\": 0.32,\n \"37_17_#default#\": 0.19,\n \"\ + 3_5_#default#\": 0.37,\n \"46_17_#default#\": 0.19,\n \"50_17_#default#\"\ + : 0.19,\n \"50_30_yes\": 0.76,\n \"52_17_#default#\": 0.5,\n \"52_47_yes\"\ + : 0.81\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 2655,\n \ + \ \"width\": 2090,\n \"x\": -580,\n \"y\": -20\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml new file mode 100644 index 000000000000..158caa53cdee --- /dev/null 
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml 
@@ -0,0 +1,616 @@ +description: "This playbook is designed to handle the following alerts:\n- A successful\ + \ SSO sign-in from TOR\n- A successful SSO sign-in from TOR via a mobile device\n\ + \nThe playbook executes the following stages:\n\nEarly Containment:\n- The playbooks\ + \ will perform early containment actions by clearing\\revoking user sessions and\ + \ enforcing re-authentication to terminate the connection from the Tor exit node\ + \ and verify the user's identity. \nDepending on the alert source, the playbook\ + \ will use either\nAzure Active Directory Users or Okta v2 integrations to clear\ + \ the user sessions.\n\nInvestigation:\nDuring the alert investigation, the playbook\ + \ will perform the following:\n- Checks the user's risk score.\n- Search for suspicious\ + \ user agent usage within the alert.\n- Search for related XDR alerts using the\ + \ following MITRE techniques to identify any malicious activity:\nT1566 - Phishing\ + \ \nT1621 - Multi-Factor Authentication Request Generation\n T1110 - Brute Force\n\ + \ T1556 - Modify Authentication Process\n\nRemediation:\n- Remediation actions will\ + \ be taken if the user\u2019s risk score is high, a suspicious user agent is detected,\ + \ or a related alert is found. In such cases, the playbook will disable the account.\n\ + By default, account disabling requires analyst approval.\n\nRequires: \nFor any\ + \ response action, you will need one of the following integrations: Azure Active\ + \ Directory Users / Okta v2." +fromversion: 6.10.0 +id: silent-A successful SSO sign-in from TOR Test +inputSections: +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-A successful SSO sign-in from TOR Test +outputSections: +- description: Generic group for outputs. 
+ name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0011 - Command and Control +- T1090 - Proxy +- TA0001 - Initial Access +- T1078 - Valid Accounts +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 48d3588d-43e5-4b43-8b35-48ca384bcb15 + iscommand: false + name: '' + version: -1 + taskid: 48d3588d-43e5-4b43-8b35-48ca384bcb15 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -750\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff3d375d-21d5-461d-89f1-3afa5ba7f00b + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ff3d375d-21d5-461d-89f1-3afa5ba7f00b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 820\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8656afbe-1707-475f-8519-54e06e80f10a + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 8656afbe-1707-475f-8519-54e06e80f10a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -450\n }\n}" + '18': + continueonerror: true + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '39' + note: false + quietmode: 0 + scriptarguments: + user_id: 
+ complex: + accessor: username + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + id: 413c6747-9233-45db-864c-24c7e8cb1442 + iscommand: true + name: Get User Risk Level + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 413c6747-9233-45db-864c-24c7e8cb1442 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -20\n }\n}" + '20': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the number of related alerts found during the investigation + phase is greater than the 'RelatedAlertsThreshold' to determine if the activity + is malicious. + id: 87e8d6fa-ce8d-4b8b-80ae-5ab71367c73f + iscommand: false + name: Found related alerts requiring user disabling? 
+ type: condition + version: -1 + taskid: 87e8d6fa-ce8d-4b8b-80ae-5ab71367c73f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 650\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "A successful SSO sign-in from + TOR" + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: b3fc0a7d-b1ae-43a6-8867-87863d43a19d + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b3fc0a7d-b1ae-43a6-8867-87863d43a19d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1120\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c787ef1f-6b33-43ec-8f2b-ef107513f04a + iscommand: false + name: Investigation + type: title + version: -1 + taskid: c787ef1f-6b33-43ec-8f2b-ef107513f04a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -155\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + IAMUserDomain: + complex: + accessor: username + root: alert + transformers: + - args: + delimiter: + value: + simple: \ + fields: + value: + simple: '1' + operator: Cut + Username: + complex: + accessor: 
username + root: alert + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: + iscontext: true + value: + simple: alert.username + equals: {} + lhs: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.auth_server + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: Azure + rhsB: {} + then: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.auth_identity + operator: If-Then-Else + - args: + delimiter: + value: + simple: \ + operator: split + - operator: LastArrayElement + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook clears the users'' sessions using the Okta integration. (Currently, + the playbook supports only Okta.)' + id: 4e0e3028-bb27-43bd-84b8-37ea809825b6 + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 4e0e3028-bb27-43bd-84b8-37ea809825b6 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -320\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + complex: + accessor: id + root: alert + transformers: + - operator: uniq + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 39e14077-fc34-4106-81a1-035728cbfcfc + iscommand: true + name: Get alert's extra data + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 39e14077-fc34-4106-81a1-035728cbfcfc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -615\n }\n}" + '31': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + - left: + iscontext: true + value: + simple: SuspiciousUserAgent + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '37' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate remediation actions based on the following: + + - User Risk Level + + - Suspicious User Agent ' + id: e5fd0cf2-e42d-4b66-8786-f2c339b80886 + iscommand: false + name: Is the user high-risk or is the user agent suspicious? 
+ type: condition + version: -1 + taskid: e5fd0cf2-e42d-4b66-8786-f2c339b80886 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3200a260-eb1d-4089-8bf7-6895ea662306 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3200a260-eb1d-4089-8bf7-6895ea662306 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1290\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1566* or mitreattcktechnique:*T1110* + or mitreattcktechnique:*T1621* or mitreattcktechnique:*T1556* + or name:"SSO with an offensive user agent") and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for suspicious alerts related to incident by\ + \ MITRE techniques that may indicate a compromised user.\nFocus on identifying\ + \ alerts associated with the following MITRE techniques:\n- T1566 - Phishing\ + \ \n- T1621 - Multi-Factor Authentication Request Generation\n- T1110 - Brute\ + \ Force\n- T1556 - Modify Authentication Process\n\nAnd the following alert:\n\ + - \"SSO with an offensive user agent\"\n\n\n\n\n\n" + id: 721a81cb-bb5a-4a3d-8775-c5a03b5e52b3 + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: 
regular + version: -1 + taskid: 721a81cb-bb5a-4a3d-8775-c5a03b5e52b3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 490\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + Tag: + simple: Bad Account + UserVerification: + simple: 'True' + Username: + simple: ${alert.username} + separatecontext: true + skipunavailable: false + task: + brand: '' + description: 'This playbook blocks malicious usernames using all integrations + that you have enabled. + + + Supported integrations for this playbook: + + * Active Directory + + * PAN-OS - This requires PAN-OS 9.1 or higher. + + * SailPoint + + * PingOne + + * AWS IAM + + * Clarizen IAM + + * Envoy IAM + + * ExceedLMS IAM + + * Okta + + * Microsoft Graph User (Azure Active Directory Users) + + * Google Workspace Admin + + * Slack IAM + + * ServiceNow IAM + + * Prisma Cloud IAM + + * Zoom IAM + + * Atlassian IAM + + * GitHub IAM.' 
+ id: 140c4681-a58a-421d-8d18-faf0e81b1313 + iscommand: false + name: Block Account - Generic v2 + playbookName: Block Account - Generic v2 + type: playbook + version: -1 + taskid: 140c4681-a58a-421d-8d18-faf0e81b1313 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 950\n }\n}" + '39': + continueonerror: true + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousUserAgent + data: + simple: ${Core.OriginalAlert.event.action_user_agent} + regex: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|REST)\b + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extracts regex data from the provided text. The script supports + groups and looping. + id: eb1d3c97-e1f0-409b-8c2e-fc00c0254b81 + iscommand: false + name: Extract suspicious user agent + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: eb1d3c97-e1f0-409b-8c2e-fc00c0254b81 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 150\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"20_11_yes\": 0.36,\n \"20_22_#default#\"\ + : 0.23,\n \"31_11_yes\": 0.3,\n \"31_37_#default#\": 0.62\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 2105,\n \"width\": 610,\n \ + \ \"x\": 450,\n \"y\": -750\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml new file mode 100644 index 000000000000..1f07a7aa465f --- /dev/null 
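Review bot: In task '20' the description says the related-alert count is compared with a 'RelatedAlertsThreshold', but the condition only tests `foundIncidents.name` with `isNotEmpty` and the playbook declares `inputs: []`, so no such threshold exists and a single matching alert is enough to route to Remediation and the account block. The description should state the actual logic, e.g. `description: Checks whether any related alerts were found during the investigation phase; if at least one exists, the activity is treated as malicious and the user is disabled.`, or a threshold input should be added and used in the condition. Separately, the top-level description promises session clearing via either Azure Active Directory Users or Okta v2, while the embedded description of the 'Containment Plan - Clear User Sessions' sub-playbook in task '27' says it currently supports only Okta; one of the two appears stale and the playbook description should reflect what the sub-playbook actually supports. The MatchRegexV2 pattern in task '39' is case-sensitive as written, so user-agent strings that differ only in case would not be flagged; if that is not intended, it is worth confirming the matching options before relying on this check to drive remediation.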
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml 
@@ -0,0 +1,1895 @@ +description: 'This playbook addresses the following alerts: + + + - A user executed suspicious LDAP enumeration queries + + + Playbook Stages: + + + Triage: + + + - Get additional event information about the LDAP searches executed by the user + + - Ensure that a single client IP exists in the alert + + - Get endpoint information for the client IP + + - Check preconditions for continuing investigation based on the number of suspicious + attributes, attack tool queries, and vulnerable certificate templates + + + + Investigation: + + + - Enrich the user that executed the queries + + - Check if the user was created recently + + - Search for additional discovery alerts in the incident + + - Check user groups and roles to determine if the user is unprivileged + + - Check user querying frequency to detect anomalies + + - Get host risk level + + - Search for recent malware alerts on client IP + + + Remediation: + + + - With analyst approval, disable the user in Active Directory if user-related anomalies + are found and the alert is a True Positive. + + - With analyst approval, isolate the endpoint if host-related anomalies are found + and the alert is a True Positive. + + - Logoff user from client host if an active session is detected and the alert is + a True Positive. + + + Requirements: + + + For any response action, you need the following integrations: + + + - Core - IR + + - Active Directory Query v2.' 
+fromversion: 6.10.0 +id: silent-A user executed multiple LDAP enumeration queries Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-A user executed multiple LDAP enumeration queries Test +outputs: [] +starttaskid: '0' +tags: +- T1087 - Account Discovery +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b3cdd99f-2cb2-48cf-82a2-83496b582087 + iscommand: false + name: '' + version: -1 + taskid: b3cdd99f-2cb2-48cf-82a2-83496b582087 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 30\n }\n}" + '10': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.agentid + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.client + operator: isNotEqualString + right: + value: + simple: 127.0.0.1 + label: Non-Server + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Non-Server: + - '11' + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Ensures that the client that executed the LDAP queries is not a + server or the domain controller. 
+ id: f1020a0f-6601-47cd-8617-10fb41f95280 + iscommand: false + name: Check client is not a server + type: condition + version: -1 + taskid: f1020a0f-6601-47cd-8617-10fb41f95280 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1330\n }\n}" + '11': + continueonerror: true + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + host_id: + complex: + accessor: endpoint_name + root: Core.Endpoint + transformers: + - operator: uniq + limit: + simple: '1' + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieves risk information for the client host. + id: d0f20db7-f43f-4f64-8517-f117cc5ce025 + iscommand: true + name: Get host risk level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: d0f20db7-f43f-4f64-8517-f117cc5ce025 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1500\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + - '22' + - '29' + - '3' + note: false + quietmode: 0 + scriptarguments: + attributes: + simple: whenCreated + user_name: + simple: ${UsernameWithoutPrefix} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This script gathers user data from multiple integrations and returns + an Account entity with consolidated information to the context. 
+ id: f26cce9f-ec35-472f-8ddc-820ac6c5ceae + iscommand: false + name: Enrich user + scriptName: get-user-data + type: regular + version: -1 + taskid: f26cce9f-ec35-472f-8ddc-820ac6c5ceae + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1320\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '49' + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: bf1f8757-6ccd-48fb-8deb-1949e097e4ac + iscommand: false + name: Remediation + type: title + version: -1 + taskid: bf1f8757-6ccd-48fb-8deb-1949e097e4ac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2240\n }\n}" + '14': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_search_filter_suspicious_attributes + operator: greaterThan + right: + value: + simple: '15' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_search_filter_attack_tool_queries_reliable_signature + operator: greaterThan + right: + value: + simple: '0' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_search_filter_vulnerable_certificate_template + operator: greaterThan + right: + value: + simple: '0' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.visited_to_returned_ratio + operator: lessThan + right: + value: + simple: '0.1' + label: 'yes' + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '50' + 'yes': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if investigation and remediation can be done based on 
pre-conditions + signifying high probability of a true positive alert and inherently malicious + behavior. + id: 0caeb27b-423f-45e3-8971-fa08e763f2d5 + iscommand: false + name: Check preconditions for continuing investigation + type: condition + version: -1 + taskid: 0caeb27b-423f-45e3-8971-fa08e763f2d5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 870\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b9b43bcd-a930-4a38-8459-1c1e985bd858 + iscommand: false + name: Skip / False Positive + type: title + version: -1 + taskid: b9b43bcd-a930-4a38-8459-1c1e985bd858 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 3090\n }\n}" + '17': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: MalwareAlertsOnHost + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: HostIsRisky + operator: isTrue + label: Remediate + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '42' + Remediate: + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether any host-related anomalies were found in the investigation + (the host is risky or malware alerts occurred on the host in the past 1 day). 
+ id: 8f70c85b-5ef3-4fee-8d9a-7ca33697047a + iscommand: false + name: Check host analysis results + type: condition + version: -1 + taskid: 8f70c85b-5ef3-4fee-8d9a-7ca33697047a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2560\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cbef50e1-da3d-48ca-8e11-ea9882cd7780 + iscommand: false + name: User Investigation + type: title + version: -1 + taskid: cbef50e1-da3d-48ca-8e11-ea9882cd7780 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1190\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5630dcc4-a789-44fd-8886-1c893f868719 + iscommand: false + name: Host Investigation + type: title + version: -1 + taskid: 5630dcc4-a789-44fd-8886-1c893f868719 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1190\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + - '57' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3b45073c-b0d9-4d5a-852c-df4e74dc0779 + iscommand: false + name: Triage + type: title + version: -1 + taskid: 3b45073c-b0d9-4d5a-852c-df4e74dc0779 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 180\n }\n}" + '20': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: 
Core.OriginalAlert.stateful_raw_data.actor_user_over_actor_user_ldap_query_count_distinct_search_filter_multiple_days_seen_count + operator: lessThan + right: + value: + simple: '20' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.actor_user_over_actor_user_ldap_query_count_distinct_search_filter_multiple_clients_multiple_days + operator: lessThan + right: + value: + simple: '5' + label: Anomaly + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user executes LDAP queries on a regular basis from + one or from multiple hosts, daily. + id: 778e431e-ce22-471f-87b3-94c1097cc9df + iscommand: false + name: Check user LDAP querying frequency + type: condition + version: -1 + taskid: 778e431e-ce22-471f-87b3-94c1097cc9df + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 1490\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserDoesNotRegularlyQuery + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating the user doesn't regularly execute + LDAP queries (from one or more hosts). 
+ id: 75c00eb7-57a6-479b-8116-e1b3036785ab + iscommand: false + name: Save result - User does not perform LDAP queries regularly + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 75c00eb7-57a6-479b-8116-e1b3036785ab + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 1690\n }\n}" + '22': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Account.whenCreated.Value + operator: isNotEmpty + right: + value: {} + label: Exists + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Exists: + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the date and time of when the user was created is available. + id: f147ff27-f084-40cc-82ee-7187f4b11f11 + iscommand: false + name: Check if user creation date exists + type: condition + version: -1 + taskid: f147ff27-f084-40cc-82ee-7187f4b11f11 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1490\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserCreationDateInEpoch + value: + complex: + accessor: Value + root: Account.whenCreated + transformers: + - operator: toUnix + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Converts the user creation date to epoch to find relative time + of creation. 
+ id: d2b6725d-73e9-468b-84d6-c59a4fd309af + iscommand: false + name: Convert user creation date to epoch + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d2b6725d-73e9-468b-84d6-c59a4fd309af + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1690\n }\n}" + '27': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: alert_generated_time + root: Core.OriginalAlert + transformers: + - args: + by: + iscontext: true + value: + simple: UserCreationDateInEpoch + operator: subtraction + operator: lessThanOrEqual + right: + value: + simple: '86400' + label: Anomaly + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user's creation date in AD happened 24 hours or less + since the time that this alert occurred. + id: 8082772d-1556-493e-89ce-9ced56fa975e + iscommand: false + name: Check if user was created recently + type: condition + version: -1 + taskid: 8082772d-1556-493e-89ce-9ced56fa975e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1850\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserCreatedLast24Hours + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating the user was created recently. 
+ id: 0c17e758-0700-4d96-8fb9-e9e4a4f32253 + iscommand: false + name: Save result - User does not perform LDAP queries regularly + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0c17e758-0700-4d96-8fb9-e9e4a4f32253 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 2040\n }\n}" + '29': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Domain Admins, + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Enterprise Admins + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Schema Admins + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Administrators + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Account Operators + - ignorecase: true + left: + iscontext: true + value: + simple: Account.Groups.Value + operator: containsGeneral + right: + value: + simple: CN=Backup Operators + root: Account.Groups.Value + operator: isEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.is_ldap_actor_user_service_account + operator: isFalse + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.is_ldap_actor_user_it_user + operator: isFalse + label: Anomaly + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '31' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: Checks if the user is part of built-in privileged Active Directory + groups. + id: 3b855ee6-8e16-4a2c-8567-185090bcd3ff + iscommand: false + name: Check user groups and roles + type: condition + version: -1 + taskid: 3b855ee6-8e16-4a2c-8567-185090bcd3ff + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 1490\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: DiscoveryAlertsInIncident= + fromdate: + simple: 1 days ago + ignore-outputs: + simple: 'true' + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and (mitreattcktechnique:*T1083* or mitreattcktechnique:*T1087* + or mitreattcktechnique:*T1615* or mitreattcktechnique:*T1016*) + and -id:' + operator: concat + - args: + prefix: {} + suffix: + iscontext: true + value: + simple: alert.id + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for additional alerts in the incident that may further + indicate user attempts to enumerate Active Directory. 
+ id: 2b12deed-65f6-4e1d-8b5e-175f07cb4c84 + iscommand: false + name: Search for additional discovery alerts in the incident + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 2b12deed-65f6-4e1d-8b5e-175f07cb4c84 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1040,\n \"y\": 1490\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserIsUnprivileged + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating the user does not belong to default + privileged AD groups. + id: 4132aec2-37d9-44ce-84b0-7ca2ceb5e7d7 + iscommand: false + name: Save result - user is unprivileged + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 4132aec2-37d9-44ce-84b0-7ca2ceb5e7d7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 1690\n }\n}" + '35': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost.risk_level + operator: isNotEmpty + right: + value: {} + label: Anomaly + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Anomaly: + - '37' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the client host's risk level is high. 
+ id: 8549af3b-58bb-4216-86b8-545001f9562b + iscommand: false + name: Check host risk level + type: condition + version: -1 + taskid: 8549af3b-58bb-4216-86b8-545001f9562b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1670\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + key: + simple: HostIsRisky + value: + simple: 'True' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves a context key indicating that the client host's risk level + is high. + id: 69f4f4c5-9123-4058-8230-f35cc881ca48 + iscommand: false + name: Save risk result + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 69f4f4c5-9123-4058-8230-f35cc881ca48 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1870\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + command_type: + simple: powershell + commands: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: UsernameWithoutPrefix + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + value: + simple: Active + root: Core.ScriptResult.results.command_output + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?<=\bconsole\s+)\d+ + unpack_matches: {} + operator: RegexExtractAll + - args: + prefix: + value: + simple: 'logoff ' + suffix: {} + operator: concat + endpoint_ids: + simple: 
${Core.Endpoint.endpoint_id} + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Logs off the user by using the logoff command for the active user + session''s ID. + + Note: the regex relies on the fact that interactively logged in users will + have an active "console" session in Windows machines.' + id: 164debc9-a89b-403d-8566-3fd31c1185ba + iscommand: true + name: Logoff user from client host + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 164debc9-a89b-403d-8566-3fd31c1185ba + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1260,\n \"y\": 3075\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.agentid + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.os_type + operator: isEqualString + right: + value: + simple: AGENT_OS_WINDOWS + root: Core.Endpoint + transformers: + - operator: uniq + suppress_disconnected_endpoint_error: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the client host machine where the LDAP queries were executed. 
+ id: c2828931-1af9-4e07-8701-bf60232a986a + iscommand: true + name: Isolate the endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: c2828931-1af9-4e07-8701-bf60232a986a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2890\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns detailed information about the LDAP searches executed by + the user. + id: 397aa0fb-bbfe-403b-807b-e1815c8e2bea + iscommand: true + name: Get additional event information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 397aa0fb-bbfe-403b-807b-e1815c8e2bea + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - Isolate + - Do not isolate + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + Do not isolate: + - '42' + Isolate: + - '39' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Review the following findings and decide whether the host should + be isolated: + + + ${Core.Endpoint.endpoint_name} + + + Below are the findings of the investigation: + + + --- + + + #### Malware Alerts on Host: + + `${.=val.MalwareAlertsOnHost && val.MalwareAlertsOnHost.length > 0 ? 
"True" + : "False"}` + + + --- + + + #### Host is Risky: + + `${.=val.HostIsRisky ? "True" : "False"}` + + ' + id: 66791eda-dabf-4492-88bd-6841c95509eb + iscommand: false + name: Manual - decide whether to isolate the endpoint + type: condition + version: -1 + taskid: 66791eda-dabf-4492-88bd-6841c95509eb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2725\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - Disable + - Do not disable + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + Disable: + - '43' + Do not disable: + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Review the following findings and decide whether you want to disable + the user. + + + Username: ${UsernameWithoutPrefix} + + + + Below are the findings of the investigation: + + + --- + + + #### User Created Recently: + + `${.=val.UserCreatedLast24Hours ? "True" : "False"}` + + + --- + + + #### Related Discovery Alerts: + + `${.=val.DiscoveryAlertsInIncident && Object.keys(val.DiscoveryAlertsInIncident).length + > 0 ? "True" : "False"}` + + + --- + + + #### User is Unprivileged: + + `${.=val.UserIsUnprivileged ? "True" : "False"}` + + + --- + + + #### User Rarely Executes Queries: + + `${.=val.UserDoesNotRegularlyQuery ? 
"True" : "False"}` + + ' + id: e95328f6-94c8-443b-84a0-0118c0aa0a6a + iscommand: false + name: Manual - decide whether to disable the user + type: condition + version: -1 + taskid: e95328f6-94c8-443b-84a0-0118c0aa0a6a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2725\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Closes the current alert. + id: 5c2a3c2d-4e31-497b-8511-e0a84c97a96a + iscommand: true + name: Close the alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 5c2a3c2d-4e31-497b-8511-e0a84c97a96a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 470,\n \"y\": 3250\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${UsernameWithoutPrefix} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disables the user that executed the LDAP enumeration queries in + Active Directory. 
+ id: 8f55e219-35b2-459e-854f-cacc017c3c06 + iscommand: true + name: Disable user in AD + script: '|||ad-disable-account' + type: regular + version: -1 + taskid: 8f55e219-35b2-459e-854f-cacc017c3c06 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2890\n }\n}" + '44': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.agentid + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.os_type + operator: isEqualString + right: + value: + simple: AGENT_OS_WINDOWS + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: Non-Server + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '51' + Non-Server: + - '17' + - '53' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Ensures that the client is not a server, not the domain controller, + and runs the Windows operating system (required for automatic remediation). 
+ id: e64d505f-b741-489d-8513-9b68a04129f1 + iscommand: false + name: Check that client OS is Windows and client role is not Server + type: condition + version: -1 + taskid: e64d505f-b741-489d-8513-9b68a04129f1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2390\n }\n}" + '49': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: UserCreatedLast24Hours + operator: isTrue + right: + value: {} + - left: + iscontext: true + value: + simple: UserDoesNotRegularlyQuery + operator: isTrue + - left: + iscontext: true + value: + simple: UserIsUnprivileged + operator: isTrue + - left: + iscontext: true + value: + simple: DiscoveryAlertsInIncident + operator: isNotEmpty + label: Remediate + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '42' + Remediate: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether any user-related anomalies were found in the investigation. 
+ id: 904e0927-8a4d-4289-8031-e7efbb6c5c30 + iscommand: false + name: Check user analysis results + type: condition + version: -1 + taskid: 904e0927-8a4d-4289-8031-e7efbb6c5c30 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2390\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: MalwareAlertsOnHost= + fromdate: + simple: 1 days ago + ignore-outputs: + simple: 'true' + query: + complex: + accessor: client + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: 'hostip:' + suffix: + value: + simple: ' and categoryname:Malware' + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for alerts that happened in the past day with Malware + category where the host IP is the client IP of the current alert. 
+ id: 2967545d-ba7a-4934-89fc-84f4a41ff124 + iscommand: false + name: Search for recent malware alerts on client IP + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 2967545d-ba7a-4934-89fc-84f4a41ff124 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1870\n }\n}" + '50': + continueonerrortype: '' + id: '50' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fb134545-e8fb-432f-8194-8a901d99a119 + iscommand: false + name: Insufficient evidence for remediation + type: title + version: -1 + taskid: fb134545-e8fb-432f-8194-8a901d99a119 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1900\n }\n}" + '51': + continueonerrortype: '' + id: '51' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "The following host is a domain controller, a server, or not a\ + \ Windows machine. This means automatic remediation cannot be executed. \n\ + \nPlease review the information below and manually remediate the alert.\n\ + Endpoint name: ${Core.Endpoint.endpoint_name}\n\nFindings of the investigation:\n\ + \n---\n\n#### Malware Alerts on Host:\n`${.=val.MalwareAlertsOnHost && val.MalwareAlertsOnHost.length\ + \ > 0 ? \"True\" : \"False\"}`\n\n---\n\n#### Host is Risky:\n`${.=val.HostIsRisky\ + \ ? 
\"True\" : \"False\"}`\n" + id: 12287b3f-c14f-46d2-8873-42a4283f7c3d + iscommand: false + name: Manually remediate server / DC / non-Windows machine + type: regular + version: -1 + taskid: 12287b3f-c14f-46d2-8873-42a4283f7c3d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 470,\n \"y\": 2560\n }\n}" + '53': + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '54' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: quser ${UsernameWithoutPrefix} + endpoint_ids: + simple: ${Core.Endpoint.endpoint_id} + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiates code execution on the client host to check if the user + is currently logged in to the host. + id: 2ad19e3a-59ad-43a6-8e87-3221a3e9fcc7 + iscommand: true + name: Check if user is logged in + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 2ad19e3a-59ad-43a6-8e87-3221a3e9fcc7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 2560\n }\n}" + '54': + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '55' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves results from the "quser" command for the user - which + can be used to tell if the user is currently logged in. 
+ id: f369276b-2db7-4648-8fed-32516d14d725 + iscommand: true + name: Get log in check result + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: f369276b-2db7-4648-8fed-32516d14d725 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 2725\n }\n}" + '55': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: UsernameWithoutPrefix + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + value: + simple: Active + root: Core.ScriptResult.results.command_output + operator: isNotEmpty + right: + value: {} + label: Active + continueonerrortype: '' + id: '55' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + Active: + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the execution results show that there is currently an + active session for the user - which means the user is currently logged in. 
+ id: e53a7044-64ba-47db-8470-d9d23b475850 + iscommand: false + name: Check for active session of the user + type: condition + version: -1 + taskid: e53a7044-64ba-47db-8470-d9d23b475850 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 2890\n }\n}" + '57': + continueonerrortype: '' + id: '57' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UsernameWithoutPrefix + value: + complex: + accessor: username + root: alert + transformers: + - operator: LastArrayElement + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?<=\\)[^\\]+$ + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the username without the domain prefix. + id: 699a3c31-10f1-431d-8287-6e5d296cd319 + iscommand: false + name: Save username without domain prefix + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 699a3c31-10f1-431d-8287-6e5d296cd319 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 880,\n \"y\": 320\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6effa91d-38e0-4dfb-8a92-df531a3d6b4e + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6effa91d-38e0-4dfb-8a92-df531a3d6b4e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1050\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: client + root: Core.OriginalAlert.event + transformers: + - args: + error_if_no_match: {} + 
ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: \. + unpack_matches: {} + operator: RegexExtractAll + - operator: count + operator: isEqualString + right: + value: + simple: '3' + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.client + operator: isNotEqualString + right: + value: + simple: 127.0.0.1 + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Ensures that the alert contains only 1 client IP. LDAP enumeration + query alerts containing multiple IPs are not supported by the playbook. + id: a685af16-c239-4712-81ff-00dbcca78bca + iscommand: false + name: Ensure that a single client IP exists + type: condition + version: -1 + taskid: a685af16-c239-4712-81ff-00dbcca78bca + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 485\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + ip_list: + complex: + accessor: client + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the endpoint name, agent ID and more information about + the IP used by the client in which the LDAP queries were executed. 
+ id: 1095fda1-e8e9-4711-8634-165e8ba8345d + iscommand: true + name: Get endpoint information for the client IP + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 1095fda1-e8e9-4711-8634-165e8ba8345d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 680\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_13_#default#\": 0.2,\n \"10_5_Non-Server\"\ + : 0.36,\n \"14_50_#default#\": 0.15,\n \"14_6_yes\": 0.49,\n \"17_40_Remediate\"\ + : 0.56,\n \"17_42_#default#\": 0.14,\n \"20_13_#default#\": 0.2,\n \"20_21_Anomaly\"\ + : 0.67,\n \"22_13_#default#\": 0.26,\n \"22_24_Exists\": 0.45,\n \"27_13_#default#\"\ + : 0.4,\n \"27_28_Anomaly\": 0.52,\n \"29_13_#default#\": 0.1,\n \"29_31_Anomaly\"\ + : 0.68,\n \"35_13_#default#\": 0.32,\n \"40_39_Isolate\": 0.53,\n \"40_42_Do\ + \ not isolate\": 0.27,\n \"41_42_Do not disable\": 0.36,\n \"41_43_Disable\"\ + : 0.59,\n \"49_41_Remediate\": 0.55,\n \"49_42_#default#\": 0.15,\n \"\ + 55_16_#default#\": 0.19,\n \"8_9_yes\": 0.41\n },\n \"paper\": {\n \"dimensions\"\ + : {\n \"height\": 3315,\n \"width\": 3090,\n \"x\": -1040,\n \ + \ \"y\": 30\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml new file mode 100644 index 000000000000..fa3733bd6530 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml 
@@ -0,0 +1,1407 @@ +description: 'This playbook handles "AppleScript Process Executed With Rare Command + Line" alerts. + + + Playbook Stages: + + + Investigation: + + During the alert investigation, the playbook will perform the following: + + + - Searches for XSIAM prevention alerts with the same causality process ID. + + - Checks if the causality|actor image has bad reputation or is not signed. + + - Checks if malicious|suspicious patterns found in the command line. + + - Searches for XSIAM insights alerts indicating a suspicious activity. + + + + Remediation: + + + - Automatically terminate the causality process. + + - Quarantine the causality|actor image (requires analyst approval). + + - Automatically Close the alert.' +fromversion: 8.8.0 +id: silent-AppleScript Process Executed With Rare Command Line Test +inputs: [] +issilent: true +name: silent-AppleScript Process Executed With Rare Command Line Test +outputs: [] +starttaskid: '0' +tags: +- T1059 - Command and Scripting Interpreter +- TA0002 - Execution +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + - '2' + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 96b3467b-22f7-49f9-854b-4db18875a216 + iscommand: false + name: '' + version: -1 + taskid: 96b3467b-22f7-49f9-854b-4db18875a216 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 40\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Approved: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '**Approval Required: Suspicious Activity Detection** + + + The investigation does not meet the thresholds for a definitive malicious + verdict. 
It falls into a suspicious category based on the following conditions: + + + **Matched Verdicts:** + + * Insights alerts indicating a suspicious activity found for the same agent + ID. + + * Medium-confidence patterns indicating a suspicious activity found in the + command line. + + + **Unmatched Verdicts:** + + * No prevention rule found for the same process ID. + + * No High-confidence patterns matches. + + * Causality and actor process images signature and reputation. + + + Analyst approval is required to proceed with further remediation.' + id: 6e8e4f36-db87-4688-8b5a-5d4f54a8c809 + iscommand: false + name: 'Approval Required: Suspicious Activity Detected' + type: condition + version: -1 + taskid: 6e8e4f36-db87-4688-8b5a-5d4f54a8c809 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 1580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1b0568f2-929c-4dd5-807c-cd47f4352ecb + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 1b0568f2-929c-4dd5-807c-cd47f4352ecb + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1780\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved, confirmed as a False Positive + closeReason: + simple: Resolved - Handled by the playbook "AppleScript Process Executed With + Rare Command Line" as False Positive + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 0994341d-bfbd-40ac-81d3-39bc702d5050 + iscommand: true + name: Close the 
Alert as False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 0994341d-bfbd-40ac-81d3-39bc702d5050 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1765\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: aa718280-de78-4665-850d-baa2cf62a48b + iscommand: false + name: Terminate Process + type: title + version: -1 + taskid: aa718280-de78-4665-850d-baa2cf62a48b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1920\n }\n}" + '14': + continueonerror: true + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available from Cortex + XSIAM 2.4. + id: 793cc8a3-8328-4262-89cd-079e187751cb + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 793cc8a3-8328-4262-89cd-079e187751cb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2060\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: A malicious activity of an AppleScript Process Executed With a Rare + Command Line was identified and remediated. 
+ closeReason: + simple: Resolved - Handled by the playbook "AppleScript Process Executed With + Rare Command Line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: 4318ccac-8f25-4e2f-89fd-db65f27eed83 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4318ccac-8f25-4e2f-89fd-db65f27eed83 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3950\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ae1771df-b9da-49ce-83ee-fd1e479f4e2d + iscommand: false + name: Quarantine file + type: title + version: -1 + taskid: ae1771df-b9da-49ce-83ee-fd1e479f4e2d + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2800\n }\n}" + '18': + continueonerror: true + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + file_hash: + simple: ${fileToQuarantine.sha256} + file_path: + simple: ${fileToQuarantine.path} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. 
+ id: c17a5312-b5cf-4b26-84eb-8c1a721c8f9d + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: c17a5312-b5cf-4b26-84eb-8c1a721c8f9d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2930\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Dear Analyst, + + Should perform quarantine on the suspected file? + + ${fileToQuarantine.path}' + cc: null + format: '' + methods: [] + replyOptions: + - Quarantine + - Don't Quarantine + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + Don't Quarantine: + - '22' + Quarantine: + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval for quarantine the initiator file. + id: 197835c5-10a3-4a1c-876f-753da8e45112 + iscommand: false + name: Analyst approval for quarantine the file + type: condition + version: -1 + taskid: 197835c5-10a3-4a1c-876f-753da8e45112 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 3270\n }\n}" + '2': + continueonerror: true + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 24 hours ago + query: + simple: agentid:${alert.agentid} + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex XSIAM alerts. A summarized version of this scrips + is available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + + For Cortex XSOAR Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 54fc54f0-02d2-489a-87e2-b8eb888d1d45 + iscommand: false + name: Retrieve all alerts for the agent ID + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 54fc54f0-02d2-489a-87e2-b8eb888d1d45 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 870,\n \"y\": 180\n }\n}" + '20': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.quarantineFiles.status.status + operator: isEqualString + right: + value: + simple: 'true' + label: 'Yes' + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '19' + 'Yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + status. + id: 8d5f2618-1b50-453e-86bc-a685df65cad6 + iscommand: false + name: Was the file already quarantined? 
+ type: condition + version: -1 + taskid: 8d5f2618-1b50-453e-86bc-a685df65cad6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 3095\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook was unable to quarantine the suspected file due to the following + possible reasons: + + + - The file was not found or no longer exists on the local host. + + - The endpoint is currently disconnected. + + + Please take manual action to terminate the causality process if needed and + quarantine the file. + + ${fileToQuarantine.path}' + id: 8bc6262d-0b2e-4efe-843e-a3fa0219ac88 + iscommand: false + name: "Manual action needed \u2013 The file couldn't be quarantined" + type: regular + version: -1 + taskid: 8bc6262d-0b2e-4efe-843e-a3fa0219ac88 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -420,\n \"y\": 3640\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8b6abfb1-5cdb-4610-8984-2096d60c453c + iscommand: false + name: Quarantine file - Done + type: title + version: -1 + taskid: 8b6abfb1-5cdb-4610-8984-2096d60c453c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 3810\n }\n}" + '23': + continueonerror: true + continueonerrortype: errorPath + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '21' + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: 
${fileToQuarantine.sha256} + file_path: + simple: ${fileToQuarantine.path} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Quarantines a file on selected endpoints. + id: 8bfa2daf-8f92-4b36-86ab-d5aca7289056 + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: 8bfa2daf-8f92-4b36-86ab-d5aca7289056 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 3460\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ccc94600-7dae-4b57-810a-78235a30902b + iscommand: false + name: Done + type: title + version: -1 + taskid: ccc94600-7dae-4b57-810a-78235a30902b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1935\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e5bba677-0576-4269-8aa2-4261f39f1f07 + iscommand: false + name: Done + type: title + version: -1 + taskid: e5bba677-0576-4269-8aa2-4261f39f1f07 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 4120\n }\n}" + '26': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + 
simple: alert.initiatorsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cgosha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: containsGeneral + right: + value: + simple: 'false' + label: 'Yes' + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + 'Yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the verdict is malicious/unsigned+not prevalent was matched; + if so, a quarantine approval will be prompt. + id: e30c2f55-4e28-41bd-8d51-55979a512d75 + iscommand: false + name: Should quarantine the malicious/unsigned file? 
+ type: condition + version: -1 + taskid: e30c2f55-4e28-41bd-8d51-55979a512d75 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2230\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cgosha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + label: CGO + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + CGO: + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Clearly identify the exact file causing concern. + id: 9d42c881-fdc3-401c-8e1f-b102a17de188 + iscommand: false + name: check which file is malicious/unsigned + type: condition + version: -1 + taskid: 9d42c881-fdc3-401c-8e1f-b102a17de188 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2410\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + keys: + simple: sha256, path + parent: + simple: fileToQuarantine + values: + simple: ${alert.initiatorsha256}, ${alert.initiatorpath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set multiple keys/values to the context. 
+ id: dc5b6061-54c0-438e-8abe-92693f2a1cdc + iscommand: false + name: Set actor image for quarantine + scriptName: SetMultipleValues + type: regular + version: -1 + taskid: dc5b6061-54c0-438e-8abe-92693f2a1cdc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 2630\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 914ee865-e0e8-49e2-8aa8-2fdde662ded1 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 914ee865-e0e8-49e2-8aa8-2fdde662ded1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 360\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + keys: + simple: sha256, path + parent: + simple: fileToQuarantine + values: + simple: ${alert.cgosha256}, ${alert.cgopath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set multiple keys/values to the context. 
+ id: 20a50139-428e-4edf-8391-8509df0e7e11 + iscommand: false + name: Set causality image for quarantine + scriptName: SetMultipleValues + type: regular + version: -1 + taskid: 20a50139-428e-4edf-8391-8509df0e7e11 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 2630\n }\n}" + '31': + continueonerror: true + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + sha256: + complex: + accessor: cgosha256 + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.initiatorsha256 + operator: append + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a file, identified by SHA256. + id: 4bf441b3-1834-4a7f-82dd-280b369469f8 + iscommand: true + name: Get the prevalence of the causality and actor processes + script: '|||core-get-hash-analytics-prevalence' + type: regular + version: -1 + taskid: 4bf441b3-1834-4a7f-82dd-280b369469f8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 180\n }\n}" + '32': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + label: Malicious + continueonerrortype: '' + id: '32' + 
ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality or actor process is malicious. + id: 3dcdc9d4-b47d-45d7-8861-d85f24643a4e + iscommand: false + name: Is the causality or actor process malicious? + type: condition + version: -1 + taskid: 3dcdc9d4-b47d-45d7-8861-d85f24643a4e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 830\n }\n}" + '4': + continueonerror: true + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + file: + complex: + accessor: cgosha256 + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.initiatorsha256 + operator: append + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the file reputation of the specified hash. 
+ id: d66bb77c-00b8-4780-82d0-1dd3b0ac5991 + iscommand: true + name: Get the reputation of the causality and actor processes + script: '|||file' + type: regular + version: -1 + taskid: d66bb77c-00b8-4780-82d0-1dd3b0ac5991 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 30,\n \"y\": 180\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: cid + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: isEqualString + right: + value: + simple: BLOCKED + root: foundIncidents.CustomFields + transformers: + - operator: FirstArrayElement + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: cid + root: alert + transformers: + - operator: FirstArrayElement + label: Malicious + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determine if a prevention rule is triggered for the same causality + ID (an identifier linking a chain of events or processes). + id: 4fac2339-3584-4626-8ec6-9171c7e72097 + iscommand: false + name: Prevention rule with the same causality ID? 
+ type: condition + version: -1 + taskid: 4fac2339-3584-4626-8ec6-9171c7e72097 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 490\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatorsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.process_name + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cgoname + root: Core.AnalyticsPrevalence.Process + operator: containsGeneral + right: + value: + simple: 'false' + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.process_name + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.osparentname + root: Core.AnalyticsPrevalence.Process + operator: containsGeneral + right: + value: + simple: 'false' + label: Malicious + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '32' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality or actor process is unsigned and not prevalent. + id: 2cd75c00-6cae-42f3-82c3-9c2d50fc2a67 + iscommand: false + name: Is the causality or actor process unsigned and not prevalent? 
+ type: condition + version: -1 + taskid: 2cd75c00-6cae-42f3-82c3-9c2d50fc2a67 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 660\n }\n}" + '7': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Insights.Contents.data.name + operator: isNotEmpty + label: Suspicious + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Suspicious: + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Checks if any of the following Insight alerts are present for + agentid:${alert.agentid}: + + + - Rare process accessed a Keychain file + + - A process connected to a rare external host + + - AppleScript executed a shell script + + - Netcat shell via named pipe + + - Sudoers discovery + + - Shell History Access + + - Unusual process accessed web browser cookies + + - Unusual process accessed a web browser history file + + + If one or more of these alerts are detected, proceed with the required remediation.' + id: 0c2c3e68-9530-4ade-8748-4be6db12df2e + iscommand: false + name: Insight alerts indicating a malicious usage? 
+ type: condition + version: -1 + taskid: 0c2c3e68-9530-4ade-8748-4be6db12df2e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1340\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: Insights= + fromdate: + simple: 3 hours ago + ignore-outputs: + simple: 'true' + includeinformational: + simple: 'true' + query: + simple: "agentid:${alert.agentid} AND (name:\"Rare process accessed a Keychain\ + \ file\" OR \nname:\"A process connected to a rare external host\" OR \n\ + name:\"AppleScript executed a shell script\" OR \nname:\"Netcat shell via\ + \ named pipe\" OR \nname:\"Sudoers discovery\" OR \nname:\"Shell History\ + \ Access\" OR \nname:\"Unusual process accessed web browser cookies\" OR\ + \ \nname:\"Unusual process accessed a web browser history file\")" + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex XSIAM alerts. A summarized version of this script + is available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + + For Cortex XSOAR Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 579c3360-a41e-4206-870e-45bc391a2cc4 + iscommand: false + name: Retrieve insights alerts for the agent ID + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 579c3360-a41e-4206-870e-45bc391a2cc4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1180\n }\n}" + '9': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": \"'telegram' in #{alert.targetprocesscmd.[0]}\ + \ and 'walletDesk' in #{alert.targetprocesscmd.[0]}\",\n\ + \ \"return\": \"Malicious\"\n },\n {\n \"condition\"\ + : \"'to set visible' in #{alert.targetprocesscmd.[0]} and\ + \ 'false' in #{alert.targetprocesscmd.[0]}\",\n \"return\"\ + : \"Malicious\"\n },\n {\n \"condition\": \"'display\ + \ dialog' in #{alert.targetprocesscmd.[0]} or 'curl -' in\ + \ #{alert.targetprocesscmd.[0]}\",\n \"return\": \"Malicious\"\ + \n },\n {\n \"default\": \"None\"\n }\n]" + flags: + value: + simple: case_insensitive + operator: If-Elif + operator: isEqualString + right: + value: + simple: Malicious + label: Malicious + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": 
\"'hidden answer' in #{alert.targetprocesscmd.[0]}\"\ + ,\n \"return\": \"Suspicious\"\n },\n {\n \"condition\"\ + : \"'chflags hidden' in #{alert.targetprocesscmd.[0]}\"\ + ,\n \"return\": \"Suspicious\"\n },\n {\n \"condition\"\ + : \"'curl -' in #{alert.targetprocesscmd.[0]}\",\n \"\ + return\": \"Suspicious\"\n },\n {\n \"default\": \"\ + None\"\n }\n]" + flags: + value: + simple: case_insensitive + operator: If-Elif + operator: isEqualString + right: + value: + simple: Suspicious + label: Suspicious + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + Malicious: + - '11' + Suspicious: + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Identify if there are any known IOCs (Indicators of Compromise) + or suspicious behaviors. + id: de15924d-c9ea-437a-8ae6-fefcaa0e3eed + iscommand: false + name: Malicious or Suspicious patterns detected? + type: condition + version: -1 + taskid: de15924d-c9ea-437a-8ae6-fefcaa0e3eed + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 1000\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_Approved\": 0.21,\n \"10_12_#default#\"\ + : 0.39,\n \"19_22_Don't Quarantine\": 0.35,\n \"19_23_Quarantine\": 0.61,\n\ + \ \"26_16_#default#\": 0.1,\n \"27_29_#default#\": 0.8,\n \"27_30_CGO\"\ + : 0.63,\n \"32_11_Malicious\": 0.4,\n \"32_9_#default#\": 0.65,\n \"5_11_Malicious\"\ + : 0.1,\n \"5_6_#default#\": 0.64,\n \"6_11_Malicious\": 0.18,\n \"6_32_#default#\"\ + : 0.65,\n \"7_10_Suspicious\": 0.55,\n \"7_12_#default#\": 0.37,\n \"9_10_Suspicious\"\ + : 0.49,\n \"9_11_Malicious\": 0.6,\n \"9_8_#default#\": 0.65\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 4145,\n \"width\": 2270,\n \ + \ \"x\": -420,\n \"y\": 40\n }\n }\n}" 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
new file mode 100644
index 000000000000..93155aa3a0e3
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
@@ -0,0 +1,1423 @@
+description: "**This playbook addresses the following alert**:\n- Azure AD account\
+ \ unlock/successful password reset\n\n**Playbook Stages**:\n\n**Triage**:\n- Gather\
+ \ initial information about the user.\n\n**Investigation**:\n- **Check IP Reputation**:\n\
+ \ - Analyze the reputation of the IP address related to the alert.\n- **Check for\
+ \ Azure Alerts**:\n - Extract recent Azure security alerts for the user.\n- **Check\
+ \ if User is Risky**:\n - Assess the risk score of the user based on Core and Azure\
+ \ risk indicators.\n - Investigate reasons behind any identified risks, including\
+ \ recent detections.\n\n**Containment**:\n- Check if feature sum is greater than\
+ \ 2 (Possible features:new user agent/new asn/new country). If yes, continue to\
+ \ revoke user's active sessions to ensure immediate containment.\nIf no, continue\
+ \ to check investigation findings.\n- Provide a manual task for an analyst to review\
+ \ the findings and decide the next steps.\n- Possible actions:\n - Disable the\
+ \ target user.\n - Disable the resource user.\n - Disable both users.\n - Take\
+ \ no action.\n\n**Requirements**:\nFor the best results, it's recommended to ensure\
+ \ these integrations are configured and working:\n- `Cortex Core - Investigation\
+ \ and Response` for Core user risk evaluation.\n- `Azure Risky Users` for retrieving\
+ \ user risk scores.\n- `Microsoft 365 Defender` for advanced hunting queries and\
+ \ Azure security alerts.\n- `Microsoft Graph User` for disabling accounts and revoking\
+ \ sessions."
+fromversion: 6.10.0
+id: silent-Azure AD account unlock or password reset Test
+inputs: []
+issilent: true
+marketplaces:
+- marketplacev2
+name: silent-Azure AD account unlock or password reset Test
+outputs: []
+starttaskid: '0'
+tags:
+- T1078 - Valid Accounts
+- TA0003 - Persistence
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '2'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: 5e4b610f-ffdb-423f-8fe1-c54b8ada2e68
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: 5e4b610f-ffdb-423f-8fe1-c54b8ada2e68
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 190\n }\n}"
+ '1':
+ continueonerrortype: ''
+ id: '1'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '3'
+ - '11'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: ce1b1b8f-0d0f-4983-84d4-c071ecfc0ee5
+ iscommand: false
+ name: Enrich IP
+ type: title
+ version: -1
+ taskid: ce1b1b8f-0d0f-4983-84d4-c071ecfc0ee5
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 480\n }\n}"
+ '10':
+ continueonerrortype: ''
+ id: '10'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: a7b912f5-66c7-4190-8639-55d1d2860720
+ iscommand: false
+ name: Done
+ type: title
+ version: -1
+ taskid: a7b912f5-66c7-4190-8639-55d1d2860720
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 3400\n }\n}"
+ '11':
+ continueonerrortype: ''
+ id: '11'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '19'
+ - '20'
+ - '37'
+
note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: c870efe1-6e26-4239-8283-bd8907b6edd3
+ iscommand: false
+ name: Investigtion
+ type: title
+ version: -1
+ taskid: c870efe1-6e26-4239-8283-bd8907b6edd3
+ timertriggers: []
+ type: title
+ view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 970\n }\n}"
+ '13':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '13'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '22'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ updated_after:
+ simple: 1 day
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: Returns a list of all risky users and their properties.
+ id: bff3bca0-fccb-41e1-8947-57c8dc132d8f
+ iscommand: true
+ name: Get Azure user risk score
+ script: '|||azure-risky-users-list'
+ type: regular
+ version: -1
+ taskid: bff3bca0-fccb-41e1-8947-57c8dc132d8f
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1260\n }\n}"
+ '14':
+ continueonerror: true
+ continueonerrortype: ''
+ id: '14'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '24'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ query:
+ simple: let _start = now(-1d); AlertEvidence | where Timestamp >= _start |
+ where AccountUpn == "${Core.OriginalAlert.raw_abioc.event.identity_invoked_by_name}"
+ separatecontext: false
+ skipunavailable: true
+ task:
+ brand: ''
+ description: 'Advanced hunting is a threat-hunting tool that uses specially
+ constructed queries to examine the past 30 days of event data in Microsoft
+ 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.'
+ id: 9031985a-2a22-409b-8121-ad55fcb546c5
+ iscommand: true
+ name: 'Get Azure user alerts '
+ script: '|||microsoft-365-defender-advanced-hunting'
+ type: regular
+ version: -1
+ taskid: 9031985a-2a22-409b-8121-ad55fcb546c5
+ timertriggers: []
+ type: regular
+ view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1260\n }\n}"
+ '15':
+ continueonerrortype: ''
+ id: '15'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '32'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ fromdate:
+ simple: 3 hours ago
+ query:
+ simple: "(name:\"Suspicious authentication method addition to Azure account\"\
+ \ or name:\"Suspicious Azure AD Administrator Role assignment\u05F4 or name:\u05F4\
+ Abnormal sign-in followed by suspicious activity in Azure AD\") and caller_ip=${alert.hostip}"
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: 'Searches Demisto alerts. A summarized version of this script is
+ available with the summarizedversion argument.
+
+
+ This automation runs using the default Limited User role, unless you explicitly
+ change the permissions.
+ + For more information, see the section about permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Permission-Management' + id: 4a1449ce-823c-4225-8208-8002607aadf5 + iscommand: false + name: Get source IP related alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 4a1449ce-823c-4225-8208-8002607aadf5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 1260\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '39' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + id: 7f0ec57c-0d61-4b37-8086-2f71a31beb9a + iscommand: true + name: Get core risky user + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 7f0ec57c-0d61-4b37-8086-2f71a31beb9a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2160,\n \"y\": 1590\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: RiskyUserReason + value: + complex: + accessor: description + root: Core.RiskyUser.reasons + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 10eb3e27-4068-4ee5-8d18-08db15710e1d + iscommand: false + name: Extract user risk reasons + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 10eb3e27-4068-4ee5-8d18-08db15710e1d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2160,\n \"y\": 1910\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d12fe789-b844-48ed-8097-78aa7af90a55 + iscommand: false + name: Check if user is risky + type: title + version: -1 + taskid: d12fe789-b844-48ed-8097-78aa7af90a55 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1120\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 3bc71303-5ccd-4f2f-8761-aeeb4671c954 + iscommand: true + name: Get event information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 3bc71303-5ccd-4f2f-8761-aeeb4671c954 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 320\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d8ce9808-3363-48c1-86b5-7b5ca9c883fe + iscommand: false + name: Check for related alerts + type: title + version: -1 + taskid: d8ce9808-3363-48c1-86b5-7b5ca9c883fe + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 1120\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3e571631-0c12-4a50-87a0-4edb5a5988e1 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 3e571631-0c12-4a50-87a0-4edb5a5988e1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2080\n }\n}" + '22': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + root: AzureRiskyUsers.RiskyUser.userPrincipalName + transformers: + - operator: uniq + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.event.identity_orig.user + transformers: + - operator: 
uniq + label: 'yes' + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + 'yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5704aa11-540c-495a-8af9-108025d7a5fe + iscommand: false + name: Check user azure risk score + type: condition + version: -1 + taskid: 5704aa11-540c-495a-8af9-108025d7a5fe + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 1420\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: AzureSecurityAlerts + value: + complex: + accessor: Title + root: Microsoft365Defender.Hunt.results + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6.x see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: ed4dabc2-05b3-4032-8034-bd5376d17f9f + iscommand: false + name: Extract Azure user alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: ed4dabc2-05b3-4032-8034-bd5376d17f9f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1420\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + detected_date_time_after: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a comma-separated list of the Risk Detection objects and + their properties. 
+ id: 56edf542-2170-4215-8659-844df93992e1 + iscommand: true + name: Get user risky detection list + script: '|||azure-risky-users-risk-detections-list' + type: regular + version: -1 + taskid: 56edf542-2170-4215-8659-844df93992e1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1750,\n \"y\": 1750\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyAzureDetections + value: + complex: + accessor: riskEventType + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + - - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: atRisk + - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskDetection + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex XSOAR + 6.x see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex XSOAR On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: fa26a407-b086-48c3-8eb5-7d306d91c7fe + iscommand: false + name: Extract Azure user detections + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: fa26a407-b086-48c3-8eb5-7d306d91c7fe + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1750,\n \"y\": 1910\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: c1105dd3-87ba-458e-8d93-d1a8e60f2c6d + iscommand: false + name: Get timestamp for Azure detections + scriptName: GetTime + type: regular + version: -1 + taskid: c1105dd3-87ba-458e-8d93-d1a8e60f2c6d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1750,\n \"y\": 1590\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: '[0]' + root: alert.hostip + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. + id: 969fb1db-b3df-4a51-8489-b1060bebf3fe + iscommand: true + name: Check source IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 969fb1db-b3df-4a51-8489-b1060bebf3fe + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 620\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.event.raw_log.properties.targetResources + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: a6ee8fab-96cd-402e-8270-a64f974ab311 + iscommand: true + name: Disable target user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: a6ee8fab-96cd-402e-8270-a64f974ab311 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1270,\n \"y\": 3065\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + key: + simple: CallerIpAlerts + value: + complex: + accessor: name + root: foundIncidents + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 88ee5b7e-f3e5-4ed3-84ee-46196dbc2c14 + iscommand: false + name: Extract source ip related alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 88ee5b7e-f3e5-4ed3-84ee-46196dbc2c14 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 1420\n }\n}" + '33': + continueonerrortype: '' + form: + description: Analyst review. 
+ expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### Resource User: + + `${Core.OriginalAlert.raw_abioc.event.identity_orig.user.userPrincipalName}` + + + #### Target User: + + `${Core.OriginalAlert.event.raw_log.properties.targetResources.userPrincipalName}` + + + --- + + + ### Malicious Indicators Found: + + - **Malicious IP**: `${.=val.MaliciousIP || "None"}` + + - **Malicious User Agent**: `${.=val.SuspiciousUserAgent || "None"}` + + + --- + + + ### User Risk Analysis: + + - **User is risky (Core)**: `${.=val.UserRiskyCoreReason ? "Yes, Reason: + " + val.UserRiskyCoreReason : "N/A"}` + + - **User is risky (Azure)**: `${.=val.UserRiskyAzureDetections ? "Yes, + Risk Types: " + val.UserRiskyAzureDetections : "N/A"}` + + + --- + + + ### User Azure Security Alerts: + + - **Alerts from last day**: `${.=val.AzureSecurityAlerts || "N/A"}` + + + --- + + + ### Caller IP Related Alerts + + - `${.=val.CallerIpAlerts || "N/A"}` + + + --- + + + ### Action Required: + + Please choose the action you want to perform.' 
+ options: [] + optionsarg: + - simple: No Action + - simple: Disable resource user + - simple: Disable target user + - simple: Disable both + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Analyst Action + totalanswers: 0 + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 824395c1-ba17-412d-862a-2e55fdea816a + iscommand: false + name: Manual Task - Disable user account decision + type: collection + version: -1 + taskid: 824395c1-ba17-412d-862a-2e55fdea816a + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1060,\n \"y\": 2730\n }\n}" + '34': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CoreRiskyUser + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: UserRiskyAzureDetections + operator: isNotEmpty + - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + - left: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.features_sum + operator: greaterThanOrEqual + right: + value: + simple: '2' + - left: + iscontext: true + value: + simple: MaliciousIP + operator: isNotEmpty + - left: + iscontext: true + value: + simple: SuspiciousUserAgent + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '41' + 'yes': + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + 
description: '' + id: 9507bf6e-0bea-4883-80e1-695e5b21b167 + iscommand: false + name: Evaluate conditions for soft remediation + type: condition + version: -1 + taskid: 9507bf6e-0bea-4883-80e1-695e5b21b167 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2210\n }\n}" + '35': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable resource user + label: Disable resource user + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable target user + label: Disable target user + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable both + label: Disable both + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable both: + - '36' + Disable resource user: + - '8' + Disable target user: + - '31' + No Action: + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8716fa1c-18b7-4d93-8e5f-16ab80309eb4 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 8716fa1c-18b7-4d93-8e5f-16ab80309eb4 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1060,\n \"y\": 2890\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + 
user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.raw_abioc.event.identity_orig.user + transformers: + - args: + item: + iscontext: true + value: + simple: ${Core.OriginalAlert.event.raw_log.properties.targetResources.userPrincipalName} + operator: append + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: 1af19eea-5223-4d7f-8852-d18e51a9c561 + iscommand: true + name: Disable both users + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 1af19eea-5223-4d7f-8852-d18e51a9c561 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2060,\n \"y\": 3065\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 47d4e985-1c95-4977-8508-87920395aa14 + iscommand: false + name: Check User Agent + type: title + version: -1 + taskid: 47d4e985-1c95-4977-8508-87920395aa14 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1120\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIP + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - ignorecase: true + left: + iscontext: true + value: + simple: 
DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 3bcedb8d-530d-48fd-87dc-bda42c0f67c8 + iscommand: false + name: Get source IP reputation results + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 3bcedb8d-530d-48fd-87dc-bda42c0f67c8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 785\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + scriptarguments: + key: + simple: CoreRiskyUser + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyUser + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
If no value is + entered, the script doesn't do anything.\n\nThis automation runs using the + default Limited User role, unless you explicitly change the permissions.\nFor + more information, see the section about permissions here:\n- For Cortex see + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n- + For Cortex.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: e6c72ffe-f542-4967-8e36-0a601dae93fc + iscommand: false + name: Extract user risk score + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: e6c72ffe-f542-4967-8e36-0a601dae93fc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 2160,\n \"y\": 1750\n }\n}" + '4': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.user_agent_data + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + 'yes': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9a066c5-a971-4c93-8339-89f10881daf2 + iscommand: false + name: Check user agent + type: condition + version: -1 + taskid: e9a066c5-a971-4c93-8339-89f10881daf2 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1260\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.raw_abioc.event.identity_orig.user + transformers: + - 
operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session- Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: f0ec862f-1615-4c5a-80c2-c5b55cc983a0 + iscommand: true + name: Revoke user session + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: f0ec862f-1615-4c5a-80c2-c5b55cc983a0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1060,\n \"y\": 2390\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CoreRiskyUser + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: UserRiskyAzureDetections + operator: isNotEmpty + - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e61bd954-7afa-4a37-8b15-ef9959339128 + iscommand: false + name: Evaluate conditions for hard remediation + type: condition + version: -1 + taskid: e61bd954-7afa-4a37-8b15-ef9959339128 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 2560\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousUserAgent + data: + simple: ${Core.OriginalAlert.event.user_agent_data} + regex: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|REST)\b + separatecontext: 
false + skipunavailable: false + task: + brand: '' + description: Extracts regex data from the provided text. The script support + groups and looping. + id: 8b56f37b-d3ad-46fd-8a71-21e6dfc498ec + iscommand: false + name: Extract suspicious user agent + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: 8b56f37b-d3ad-46fd-8a71-21e6dfc498ec + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1450\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.raw_abioc.event.identity_orig.user + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: c752a467-d872-4669-87e9-689bbef4e94f + iscommand: true + name: Disable source user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: c752a467-d872-4669-87e9-689bbef4e94f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1660,\n \"y\": 3065\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: ac620832-65be-484c-822b-56339cdfbddb + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: ac620832-65be-484c-822b-56339cdfbddb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 850,\n \"y\": 3235\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"22_21_#default#\": 0.1,\n \"22_27_yes\"\ + : 0.5,\n \"34_40_yes\": 0.54,\n \"34_41_#default#\": 0.49,\n \"35_31_Disable\ + \ target user\": 0.62,\n \"35_8_Disable resource user\": 0.67,\n \"35_9_No\ + \ Action\": 0.45,\n \"41_33_yes\": 0.56,\n \"4_21_#default#\": 0.13,\n \ + \ \"4_5_yes\": 0.44\n },\n \"paper\": {\n \"dimensions\": {\n \"height\"\ + : 3275,\n \"width\": 2500,\n \"x\": 40,\n \"y\": 190\n }\n }\n\ + }" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml new file mode 100644 index 000000000000..7e865109ee27 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml 
@@ -0,0 +1,1468 @@ +description: "This playbook addresses the following alerts:\n\n- User rejected numerous\ + \ SSO MFA attempts\n- Multiple SSO MFA attempts were rejected by a user with suspicious\ + \ characteristics\n\nPlaybook Stages:\n\nTriage:\n- The playbook checks the IP address\ + \ reputation associated with the MFA attempts and gathers related login events.\n\ + \nEarly Containment:\n- If the IP address is identified as malicious, the playbook\ + \ blocks the IP. The investigation continues in parallel to this phase.\n\nInvestigation:\n\ + - The playbook performs an in-depth analysis, including:\n - Assessing the user's\ + \ risk score to identify potentially compromised accounts.\n - Checking for an\ + \ unusually high number of invalid credential attempts, which may indicate brute-force\ + \ or credential-stuffing activity.\n - Verifying whether Okta logs indicate a malicious\ + \ source IP based on Okta's threat intelligence.\n - Reviewing whether there have\ + \ been an excessive number of MFA rejections from the user, suggesting potentially\ + \ compromised behavior.\n - Looking for abnormal user agent patterns that may indicate\ + \ suspicious or compromised access methods.\n - Investigating previous failed Okta\ + \ login attempts within a specified timeframe to identify patterns.\n\nContainment:\n\ + - If suspicious activity is confirmed, the playbook initiates the following containment\ + \ actions:\n - Clears the user's active sessions and expires their password to\ + \ prevent further unauthorized access.\n - If a successful login attempt was also\ + \ detected, the playbook prompts a manual task for an analyst to review and decide\ + \ on further action.\n\nRequirements:\nFor any response actions, the following integration\ + \ is required:\n- Okta v2\n\nFor early containment actions, the following integration\ + \ is required:\n- Palo Alto Networks PAN-OS." 
+fromversion: 8.8.0 +id: silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test +outputs: [] +starttaskid: '0' +tags: +- T1586 - Compromise Accounts +- T1621 - Multi-Factor Authentication Request Generation +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d10d3ef6-73ad-4cde-89a4-c883b892ca51 + iscommand: false + name: '' + version: -1 + taskid: d10d3ef6-73ad-4cde-89a4-c883b892ca51 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 70\n }\n}" + '1': + continueonerror: true + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + ip: + simple: ${alert.localip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Enriches the external source IP of the attack to check if it's + known as malicious. Skips on errors for cases where the IP address or the + !ip command is empty. 
+ id: ebae547a-1c7b-4418-870a-cd2eb588d8dd + iscommand: true + name: Check source IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: ebae547a-1c7b-4418-870a-cd2eb588d8dd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 205\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 4c4ce503-367d-4e7c-8811-8eca2f8ab7d2 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4c4ce503-367d-4e7c-8811-8eca2f8ab7d2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${UserEmail} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Expires a password for an existing Okta user. + id: c16c6ff7-ff53-48f4-8386-cba54af59585 + iscommand: true + name: Expire Okta User's Password + script: '|||okta-expire-password' + type: regular + version: -1 + taskid: c16c6ff7-ff53-48f4-8386-cba54af59585 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2350\n }\n}" + '12': + continueonerrortype: '' + form: + description: Please choose whether to suspend the user in Okta. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Do you want to suspend the user ${Core.OriginalAlert.raw_abioc.event.auth_normalized_user.upn} + in Okta? 
+ options: [] + optionsarg: + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Okta - Suspend User + totalanswers: 0 + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a0f06b2f-1df9-4279-88c7-5673237c230c + iscommand: false + name: Manual task - Suspend user in Okta + type: collection + version: -1 + taskid: a0f06b2f-1df9-4279-88c7-5673237c230c + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2860\n }\n}" + '13': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Okta - suspend user.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: 'yes' + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 69610310-90da-47b4-8cd3-8953b92c587c + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 69610310-90da-47b4-8cd3-8953b92c587c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3030\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${UserEmail} + 
separatecontext: false + skipunavailable: true + task: + brand: '' + description: Suspends a single user. This operation can only be performed on + users with an ACTIVE status. After the porcess is completed, the user's status + is SUSPENDED. + id: 3c2da8e6-9226-445a-8514-1fe75124f8b5 + iscommand: true + name: Suspend user in Okta + script: '|||okta-suspend-user' + type: regular + version: -1 + taskid: 3c2da8e6-9226-445a-8514-1fe75124f8b5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3235\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserEmail + value: + complex: + accessor: upn + root: Core.OriginalAlert.raw_abioc.event.auth_normalized_user + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Save the user email from the alert data to a dedicated context + field. 
+ id: 61d2d4db-f2aa-480a-8523-37fb0f3ddc42 + iscommand: false + name: Get user email + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 61d2d4db-f2aa-480a-8523-37fb0f3ddc42 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1010\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 124fea52-e5cd-428a-8655-73b748af6b5f + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 124fea52-e5cd-428a-8655-73b748af6b5f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2040\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: af1e2643-4eb2-4bbe-8e2c-01f9e146a5fc + iscommand: false + name: Successful Login Remediation + type: title + version: -1 + taskid: af1e2643-4eb2-4bbe-8e2c-01f9e146a5fc + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2720\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c63271a9-b73b-4266-8f6b-f02fc553887f + iscommand: false + name: Done + type: title + version: -1 + taskid: c63271a9-b73b-4266-8f6b-f02fc553887f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3740\n }\n}" + '19': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: 
true + value: + simple: OktaSSODebugLogs.risk + operator: containsString + right: + value: + simple: reasons=Anomalous + - - ignorecase: true + left: + iscontext: true + value: + simple: OktaSSODebugLogs.risk + operator: containsString + right: + value: + simple: ', Anomalous' + - - ignorecase: true + left: + iscontext: true + value: + simple: OktaSSODebugLogs.risk + operator: containsString + right: + value: + simple: level=HIGH + - - ignorecase: true + left: + iscontext: true + value: + simple: OktaSSODebugLogs.behaviors + operator: containsString + right: + value: + simple: New Geo-Location=POSITIVE, New Device=POSITIVE, New + IP=POSITIVE, New State=POSITIVE, New Country=POSITIVE, Velocity=POSITIVE, + New City=POSITIVE + root: OktaSSODebugLogs + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_action_country + operator: greaterThanOrEqual + right: + value: + simple: '3' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_action_country_is_rare_for_tenant + operator: greaterThanOrEqual + right: + value: + simple: '1' + - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_action_country_first_seen + operator: greaterThanOrEqual + right: + value: + simple: '1' + label: REMEDIATION + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '28' + REMEDIATION: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task analyzes Okta SSO debug logs for suspicious activity. + It checks for anomalous behavior, high-risk levels, and unusual geographic + patterns in user actions. The task evaluates various risk indicators including + new locations, devices, IPs, and velocity anomalies. 
It also considers the + diversity and rarity of countries involved in user actions. Based on these + checks, the playbook determines whether to proceed with remediation or continue + to the Close Alert section. + id: 3e76261c-0241-4a6c-8547-012e233cb46f + iscommand: false + name: Check Okta logs for suspicious activity + type: condition + version: -1 + taskid: 3e76261c-0241-4a6c-8547-012e233cb46f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -550,\n \"y\": 1530\n }\n}" + '2': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThan + right: + value: + simple: '2' + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: inList + right: + iscontext: true + value: + simple: alert.localip + - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: isEqualString + right: + value: + simple: alert.localip + root: DBotScore + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '24' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the external Source IP is malicious (DBotScore above + 2). + id: 3aaad26e-4ec4-414c-8235-0b497e728fe1 + iscommand: false + name: Is the IP malicious? 
+ type: condition + version: -1 + taskid: 3aaad26e-4ec4-414c-8235-0b497e728fe1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 365\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b36615c3-c917-44e9-8a7c-2685027ae22e + iscommand: false + name: Check Okta Debug Logs + type: title + version: -1 + taskid: b36615c3-c917-44e9-8a7c-2685027ae22e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -550,\n \"y\": 1380\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d2fb6b1c-8f4a-4b8d-8c52-c3a3ad837882 + iscommand: false + name: Check Alert Data + type: title + version: -1 + taskid: d2fb6b1c-8f4a-4b8d-8c52-c3a3ad837882 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -50,\n \"y\": 1380\n }\n}" + '22': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.OriginalAlert._all_events.auth_outcome_reason + operator: isEqualString + right: + value: + simple: INVALID_CREDENTIALS + root: Core.OriginalAlert._all_events.auth_outcome_reason + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '6' + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: OktaSSODebugLogs.threatSuspected + operator: isEqualString + right: + value: + simple: 'true' + root: OktaSSODebugLogs.threatSuspected + 
transformers: + - operator: uniq + operator: isNotEmpty + - left: + iscontext: true + value: + simple: OktaSSODebugLogs.count_distinct_story_id_okta_push_denied + operator: greaterThanOrEqual + right: + value: + simple: '5' + label: REMEDIATION + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '28' + REMEDIATION: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task evaluates potential security threats by examining multiple + factors. It checks for at least 6 instances of invalid credentials, verifies + if Okta's threat intelligence has flagged a potentially malicious IP involved + in the authentication attempt, and confirms if there have been 5 or more distinct + Okta push denials. If these conditions are met, the task initiates remediation + steps; if not, it proceeds to the Close Alert section. + id: 58388125-14c9-46c6-8197-72d32fd0c7e8 + iscommand: false + name: Verify High-Risk Alert with Rare Country Indicators + type: condition + version: -1 + taskid: 58388125-14c9-46c6-8197-72d32fd0c7e8 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -50,\n \"y\": 1530\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + - '20' + - '21' + - '29' + - '31' + note: false + quietmode: 0 + scriptarguments: + key: + simple: OktaSSODebugLogs + value: + complex: + accessor: sso_debug_data + root: Core.OriginalAlert._all_events + transformers: + - operator: ParseJSON + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: bad58157-c03d-446f-88fb-cfcc80a77ce1 + iscommand: false + name: Parse Okta SSO logs + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: bad58157-c03d-446f-88fb-cfcc80a77ce1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1180\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 687e79e6-ced4-4d10-853e-eda14fe423e3 + iscommand: false + name: Get Additional Data + type: title + version: -1 + taskid: 687e79e6-ced4-4d10-853e-eda14fe423e3 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 550\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d3b97b69-ddaa-4b3e-82b2-4a209166a1a9 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: d3b97b69-ddaa-4b3e-82b2-4a209166a1a9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1380\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + user_id: + complex: + accessor: username + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with 
+ the highest risk score in the environment along with the reason affecting + each score. + id: 93676905-092b-4cf1-8567-9054e8d61ae6 + iscommand: true + name: Get user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 93676905-092b-4cf1-8567-9054e8d61ae6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1530\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: REMEDIATION + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '28' + REMEDIATION: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task evaluates if the user's risk level is HIGH. If so, it + initiates remediation steps; otherwise, it moves to the Close Alert section. 
+ id: 070055d5-534b-4a27-817e-d752df2c4b8f + iscommand: false + name: Check risk score + type: condition + version: -1 + taskid: 070055d5-534b-4a27-817e-d752df2c4b8f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1690\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b5496eec-b661-4293-8e28-7164fd57e403 + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: b5496eec-b661-4293-8e28-7164fd57e403 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 2040\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2410733b-4efd-46fd-858a-b3e7ed9d1445 + iscommand: false + name: Check Previous Okta Failed Logins + type: title + version: -1 + taskid: 2410733b-4efd-46fd-858a-b3e7ed9d1445 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1380\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 06e82d3f-2b4a-4f6d-84d1-12fc60d876bf + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 06e82d3f-2b4a-4f6d-84d1-12fc60d876bf + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 550\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + 
isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 06fb7cdb-405c-4516-8b2d-dd4458431aa2 + iscommand: false + name: Check for Suspicious User-Agent + type: title + version: -1 + taskid: 06fb7cdb-405c-4516-8b2d-dd4458431aa2 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1380\n }\n}" + '32': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert._all_events.action_user_agent + operator: match + right: + value: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|python-requests|node-fetch|PostmanRuntime|GuzzleHttp)\b + root: Core.OriginalAlert._all_events.action_user_agent + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.stateful_raw_data.count_distinct_user_agent_first_seen_for_user + operator: greaterThanOrEqual + right: + value: + simple: '1' + label: REMEDIATION + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '28' + REMEDIATION: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task examines the user agent strings in the alert for known + suspicious patterns. It checks for specific tools often used in automated + attacks or scraping. Additionally, it verifies if there's at least one new + user agent for this user. If both conditions are met, it triggers remediation; + otherwise, it proceeds to close the alert. 
+ id: c107279a-f23a-45dc-82ce-e016897d6700 + iscommand: false + name: Check for a suspicious user agent + type: condition + version: -1 + taskid: c107279a-f23a-45dc-82ce-e016897d6700 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1470,\n \"y\": 1510\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + hoursAgo: + simple: '12' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. + + ' + id: 2a72a190-9db8-4eac-8e77-8b1fd7cdf58d + iscommand: false + name: Retrieve timestamp for 12 hours window + scriptName: GetTime + type: regular + version: -1 + taskid: 2a72a190-9db8-4eac-8e77-8b1fd7cdf58d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1510\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + since: + complex: + root: TimeNow + transformers: + - args: + variation: + value: + simple: in 0 hours + operator: ModifyDateTime + until: + complex: + root: TimeNow + transformers: + - args: + variation: + value: + simple: in 12 hours + operator: ModifyDateTime + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns failed login events. 
+ id: a6a9262d-e3d6-4b7c-8290-97576811107b + iscommand: true + name: Get Okta failed logins + script: '|||okta-get-failed-logins' + type: regular + version: -1 + taskid: a6a9262d-e3d6-4b7c-8290-97576811107b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1670\n }\n}" + '35': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Okta.Logs.Events.actor.alternateId + operator: isEqualString + right: + iscontext: true + value: + simple: UserEmail + root: Okta.Logs.Events.actor.alternateId + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '5' + label: REMEDIATION + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '28' + REMEDIATION: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task checks Okta logs for 5 or more failed login attempts + by the user within the past 12 hours. If threshold is met, it triggers remediation; + otherwise, it closes the alert. 
+ id: 7d8c70a2-fbc0-4339-8477-de6d9aaed8b6 + iscommand: false + name: Check for 5 failed logins + type: condition + version: -1 + taskid: 7d8c70a2-fbc0-4339-8477-de6d9aaed8b6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": 1830\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIPs + value: + complex: + accessor: Indicator + filters: + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + - - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: inList + right: + iscontext: true + value: + simple: alert.localip + - left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: isEqualString + right: + value: + simple: alert.localip + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 3ee60af9-d489-41ae-8c0a-bbbd3654982a + iscommand: false + name: Save malicious IPs to be blocked + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 3ee60af9-d489-41ae-8c0a-bbbd3654982a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 690\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + forEach: true + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + simple: ${MaliciousIPs} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' 
+ id: bf27b93c-08c7-4a4a-84b8-067d4957ad79 + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: bf27b93c-08c7-4a4a-84b8-067d4957ad79 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 855\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + Username: + simple: ${UserEmail} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear + user sessions.' + id: 7b8e233a-e891-496a-8fae-dce79475f0b5 + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 7b8e233a-e891-496a-8fae-dce79475f0b5 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2180\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 38d4401c-a37d-4601-822d-552ddd7deecf + iscommand: true + name: Collect login information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 38d4401c-a37d-4601-822d-552ddd7deecf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 690\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6ce6c84b-26c8-48ce-8c4e-fdb9bfe99865 + iscommand: false + name: Analyze Alert Data + type: title + version: -1 + taskid: 6ce6c84b-26c8-48ce-8c4e-fdb9bfe99865 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 870\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: alert.details + operator: notContainsGeneral + right: + value: + simple: . 0 successful + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the alert indicates that there was a successful + login or not. 
+ id: 2242a45c-8715-41ab-8e7e-9b060920e9ad + iscommand: false + name: Check for successful login + type: condition + version: -1 + taskid: 2242a45c-8715-41ab-8e7e-9b060920e9ad + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2515\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 780502a5-9cfe-4d0e-8367-03f2d79595ce + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 780502a5-9cfe-4d0e-8367-03f2d79595ce + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3440\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"13_14_yes\": 0.55,\n \"13_9_#default#\"\ + : 0.14,\n \"19_16_REMEDIATION\": 0.1,\n \"19_28_#default#\": 0.15,\n \"\ + 22_16_REMEDIATION\": 0.17,\n \"22_28_#default#\": 0.22,\n \"27_16_REMEDIATION\"\ + : 0.35,\n \"27_28_#default#\": 0.1,\n \"32_16_REMEDIATION\": 0.13,\n \"\ + 32_28_#default#\": 0.34,\n \"35_16_REMEDIATION\": 0.19,\n \"35_28_#default#\"\ + : 0.26,\n \"8_17_yes\": 0.59,\n \"8_9_#default#\": 0.16\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 3735,\n \"width\": 2400,\n \ + \ \"x\": -550,\n \"y\": 70\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml new file mode 100644 index 000000000000..5093e114cfb0 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml 
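Review bot: The analyst's decision in task '13' is read from the context key `Okta - suspend user.Answers.0`, while the collection form in task '12' is titled `Okta - Suspend User`; if context path resolution is case-sensitive the `yes` branch can never fire and a confirmed successful login falls through to `Close Alert` with the account still active, so the condition should read `Okta - Suspend User.Answers.0` (or the form title should be changed to match). Task '8' decides whether a login succeeded by testing `alert.details` with `notContainsGeneral` for the literal `. 0 successful`, i.e. on the wording of the alert description rather than on an event field such as `_all_events.auth_outcome`; any rewording of that text silently flips the branch, so a field-based check, or at minimum a comment recording the assumption, is warranted. Task '22' is named "Verify High-Risk Alert with Rare Country Indicators" and its description says remediation runs when "these conditions are met", but the checks are an invalid-credential count, Okta `threatSuspected` and a push-denial count (the country logic lives in task '19'), and the three appear to be siblings in one inner list, which XSOAR evaluates as OR rather than AND — rename the task and state the intended AND/OR semantics in the description. Task '14''s description also carries the typo "porcess".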
@@ -0,0 +1,562 @@ +description: 'This playbook is designed to handle the following alerts: + + - Command-line arguments match Mimikatz execution + + - Mimikatz command-line arguments + + - Credential dumping via wce.exe + + - Credential dumping via gsecdump.exe + + - PowerShell runs with known Mimikatz arguments + + - Hash cracking using Hashcat tool + + - Credential dumping via fgdump.exe + + - Credential dumping via LaZagne + + - Credential dumping via pwdumpx.exe + + - Dumping lsass.exe memory for credential extraction + + - Memory dumping with comsvcs.dll + + + The playbook executes the following stages: + + + Early Containment: + + - Handles malicious alerts by terminating the causality process. + + + Remediation: + + - Handles malicious alerts by suggesting the analyst to isolate the endpoint.' +fromversion: 8.8.0 +id: silent-Credential Dumping using a known tool Test +inputs: [] +issilent: true +name: silent-Credential Dumping using a known tool Test +outputs: [] +starttaskid: '0' +tags: +- TA0006 - Credential Access +- T1003 - OS Credential Dumping +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c5104fac-8485-4a26-8ac1-9eee0ae0ea5e + iscommand: false + name: '' + version: -1 + taskid: c5104fac-8485-4a26-8ac1-9eee0ae0ea5e + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -1280\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 06f5d734-c40b-4d0a-8c63-066e73bd9acb + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 
06f5d734-c40b-4d0a-8c63-066e73bd9acb + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -240,\n \"y\": -780\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious activity detected + closeReason: + simple: Resolved - Handled by the playbook "Credential Dumping using a known + tool" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 11a229b7-5716-4011-800a-b4d215a25717 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 11a229b7-5716-4011-800a-b4d215a25717 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": 570\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7aa614c4-5aad-4465-803d-71563fec2665 + iscommand: false + name: Done + type: title + version: -1 + taskid: 7aa614c4-5aad-4465-803d-71563fec2665 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": 730\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: 18d7aacc-c482-48a2-8f0b-9cc7251379db + iscommand: true + name: 'Isolate Endpoint ' + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 18d7aacc-c482-48a2-8f0b-9cc7251379db + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -280,\n \"y\": 400\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: bc3d1488-e2cc-425a-8fb3-87110d8ce804 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: bc3d1488-e2cc-425a-8fb3-87110d8ce804 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -290\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: Should perform isolation on the endpoint ${alert.hostname} ? + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#default#': + - '24' + 'Yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval is required to isolate the endpoint. 
+ id: e175d505-aad6-4f06-8898-4b6f2e68782f + iscommand: false + name: Analyst approval for isolation + type: condition + version: -1 + taskid: e175d505-aad6-4f06-8898-4b6f2e68782f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -280,\n \"y\": 200\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + id: 02d8f791-2c65-4dab-870c-cd53cf133be9 + iscommand: true + name: Get endpoint info by endpoint ID + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 02d8f791-2c65-4dab-870c-cd53cf133be9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -155\n }\n}" + '31': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_type + root: Core.Endpoint + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_status + root: Core.Endpoint + operator: isEqualString + right: + value: + simple: CONNECTED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_UNISOLATED + label: Isolate + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: 
isEqualString + right: + value: + simple: AGENT_ISOLATED + label: Already isolated + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '36' + Already isolated: + - '24' + Isolate: + - '29' + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determine whether to isolate the endpoint based on its status, + isolation state, and OS type. + id: c887cbd2-5a09-4d82-83da-f2df7a9c068f + iscommand: false + name: Verify endpoint isn't isolated, disconnected, or a server + type: condition + version: -1 + taskid: c887cbd2-5a09-4d82-83da-f2df7a9c068f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": 10\n }\n}" + '32': + continueonerror: true + continueonerrortype: errorPath + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '33' + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process by it's causality ID. 
+ id: e779dfc7-1f39-4ea1-8395-693901916095 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: e779dfc7-1f39-4ea1-8395-693901916095 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -240,\n \"y\": -650\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the remediation process, the playbook\ + \ couldn't terminate the process ${alert.cgoname} \n\nPlease terminate the\ + \ process manually if possible. \nNote that the next remediation step, if\ + \ possible, will be endpoint isolation." + id: f82b7572-1a45-4d6a-84b5-b6802dcc44af + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: f82b7572-1a45-4d6a-84b5-b6802dcc44af + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -430,\n \"y\": -460\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook didn't isolate the following host: ${alert.hostname} \n\nThis\ + \ is due to one of the following reasons:\n- The device disconnected.\n- The\ + \ device has been identified as a server.\n\nPlease take manual action to\ + \ contain the attack and prevent the attacker from executing lateral movement\ + \ before closing this alert." 
+ id: ca7ef243-bf2e-4de4-8e0c-d44f7703cd0f + iscommand: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: ca7ef243-bf2e-4de4-8e0c-d44f7703cd0f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 300,\n \"y\": 200\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for Cortex XSIAM related alerts to the current + incident. + id: cc0cf3c7-a04b-4a53-8132-52ea0b88609b + iscommand: false + name: Get Incident related alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: cc0cf3c7-a04b-4a53-8132-52ea0b88609b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -1145\n }\n}" + '41': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isEqualString + right: + value: + simple: alert.cid + root: foundIncidents.CustomFields + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Blocked: + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the incident's alerts for an alert that blocked 
the causality + using the agent. + id: 4d7bcdc0-6b74-421e-875a-d3c6a29cc564 + iscommand: false + name: Check if the causality was blocked by the agent + type: condition + version: -1 + taskid: 4d7bcdc0-6b74-421e-875a-d3c6a29cc564 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 10,\n \"y\": -980\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"29_24_#default#\": 0.4,\n \"29_27_Yes\"\ + : 0.55,\n \"31_24_Already isolated\": 0.16,\n \"31_29_Isolate\": 0.57,\n \ + \ \"32_33_#error#\": 0.53,\n \"41_28_Blocked\": 0.18\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 2075,\n \"width\": 1110,\n \"\ + x\": -430,\n \"y\": -1280\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml new file mode 100644 index 000000000000..61028d99cd0d --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml 
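Review bot: In task '29' the `#default#` branch (the analyst answers No, or no reply arrives before the configured retries run out) goes straight to '24', which closes the alert as `Resolved - Handled by the playbook` with `Malicious activity detected` in the notes, so a declined or timed-out isolation is recorded as resolved with no war-room notice, unlike the server/disconnected path that passes through '36' first. Consider routing `#default#` to a notice task analogous to '36' (for example `Isolation was not approved or timed out for ${alert.hostname}; please contain the endpoint manually before closing this alert`) before '24', or have the closeNotes reflect that containment was not completed. Separately, the filter in task '41' compares `foundIncidents.CustomFields.cid` against `right: value: simple: alert.cid` with no `iscontext: true` on the right side; if that is evaluated as the literal string it never matches, the `Blocked` branch is unreachable and the playbook always proceeds to terminate the causality, so this is worth confirming against the other conditions in the pack, which resolve context values with `iscontext: true`. Minor: the description of task '32' reads `it's causality ID`; `its`.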
@@ -0,0 +1,1204 @@ +contentitemexportablefields: + contentitemfields: {} +description: 'This playbook handles "Uncommon remote scheduled task creation" alert, + which is generated on the source host that created the remote scheduled task. + + + Playbook Stages: + + + Analysis: + + + - The playbook verifies whether the causality process is signed and prevalent. If + the process is not signed and not prevalent, it proceeds with remediation actions; + otherwise, it continues investigating the alert. + + + Investigation: + + + During the alert investigation, the playbook will perform the following: + + + - Searches for related Cortex XSIAM alerts on the endpoint that use the following + MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, + T1021 - Remote Services. + + - Searches for related Cortex XSIAM agent alerts on the remote endpoint, to determine + if the creation of the scheduled task is part of an attack pattern. + + - Searches for suspicious command-line parameters indicating a malicious scheduled + task. + + + Remediation: + + + - Automatically disable the malicious scheduled task on the remote host. + + - Automatically terminate the causality process. + + - Automatically close the alert.' 
+fromversion: 8.8.0 +id: silent-Endpoint initiated uncommon remote scheduled task creation Test +inputs: [] +issilent: true +name: silent-Endpoint initiated uncommon remote scheduled task creation Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -240\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 540\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Endpoint initiated uncommon remote + scheduled task creation" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: da448fc0-16d7-49b4-892f-493b725ca59a + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: da448fc0-16d7-49b4-892f-493b725ca59a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3960\n }\n}" + '14': + continueonerror: true + continueonerrortype: errorPath + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '22' + '#none#': + - '69' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe schtasks /change /tn "${ExtractedTaskName}" /disable + endpoint_ids: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + root: Core.Endpoint + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Disable the malicious scheduled task by executing shell commands. 
+ id: 9de4fea1-2efe-427d-83e7-5ca0c0ffaff1 + iscommand: true + name: Disable the scheduled task on the remote host + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 9de4fea1-2efe-427d-83e7-5ca0c0ffaff1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2780\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: 'Yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '1' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the signature and prevalence + of the causality process. + id: 3ddedabb-1395-4234-81f5-a3b098a10721 + iscommand: false + name: Is the causality process unsigned and not prevalent? + type: condition + version: -1 + taskid: 3ddedabb-1395-4234-81f5-a3b098a10721 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 370\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '81' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process the playbook failed to disable the scheduled + task: ${Core.OriginalAlert.event.scheduled_task_path} + + on the remote host: ${Core.OriginalAlert.raw_abioc.event.schtasks_remote_host} + + + Please manually disable this scheduled task.' 
+ id: 93c5df93-c13b-4e70-8ba4-8d0d405c5e56 + iscommand: false + name: Disable the scheduled task manually + type: regular + version: -1 + taskid: 93c5df93-c13b-4e70-8ba4-8d0d405c5e56 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 3310\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 4120\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '74' + - '77' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + iscommand: true + name: Get scheduled task details + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 25\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + forEach: true + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + scriptarguments: + Commandline: + complex: + accessor: osparentcmd + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.targetprocesscmd + operator: append + - operator: uniq + StringSimilarityThreshold: + simple: '0.5' + separatecontext: true + skipunavailable: false + task: + brand: '' + description: "This playbook takes a command line from the alert and performs\ + \ the following actions:\n- Checks for base64 string and decodes if exists\n\ + - Extracts and enriches indicators from the command line\n- Checks specific\ + \ arguments for malicious usage \n\nAt the end of the playbook, it sets a\ + \ possible verdict for the command line, based on the finding:\n1. Indicators\ + \ found in the command line\n2. Found AMSI techniques\n3. Found suspicious\ + \ parameters\n4. Usage of malicious tools\n5. Indication of network activity\n\ + 6. Indication of suspicious LOLBIN execution\n7. Suspicious path and arguments\ + \ in the command line\n\nNote: To run this playbook with a list of command\ + \ lines, set this playbook to run in a loop. To do so, navigate to 'Loop'\ + \ and check \"For Each Input\"." 
+ id: 5aad16e6-ce1d-45b5-8104-fd02073c0d4b + iscommand: false + name: Command-Line Analysis + playbookName: Command-Line Analysis + type: playbook + version: -1 + taskid: 5aad16e6-ce1d-45b5-8104-fd02073c0d4b + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 1140\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6d11f6e-a28a-459a-8004-bec570e4b02a + iscommand: false + name: Analysis + type: title + version: -1 + taskid: b6d11f6e-a28a-459a-8004-bec570e4b02a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -110\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '80' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2160\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '75' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + iscommand: false + name: Investigation on remote host + type: title + version: -1 + taskid: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1480\n }\n}" + '32': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + 
value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines if there are agent alerts on the remote host indicating + that the alert was part of an attack pattern. + id: c9cda634-644d-4c93-8cc6-e1fa36a29e2f + iscommand: false + name: Found any alerts of malicious activity on the remote host? + type: condition + version: -1 + taskid: c9cda634-644d-4c93-8cc6-e1fa36a29e2f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1970\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + iscommand: false + name: Done + type: title + version: -1 + taskid: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 2450\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 5 hours ago + query: + simple: (mitreattcktechnique:*T1018* or name:"WildFire Malware" or name:"Local + Analysis Malware" or name:"Behavioral Threat") and agentid:${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for related suspicious alerts by MITRE technique\ + \ and specific alert names to determine if this alert is part of an attack\ + \ pattern. 
\nFocus on identifying alerts from the past 5 hours on the endpoint\ + \ associated with:\n\nMITRE Technique: \n- T1018 - Remote System Discovery\n\ + \nAlerts:\n- \"WildFire Malware\"\n- \"Local Analysis Malware\"\n- \"Behavioral\ + \ Threat\"\n\nThe findings may indicate whether this alert is part of an attack\ + \ pattern." + id: a62156c1-5f66-4cc7-8cf5-53be739b6549 + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: a62156c1-5f66-4cc7-8cf5-53be739b6549 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 670\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: No evidence of malicious activity + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 2160\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + iscommand: false + name: Command-line Investigation + type: title + version: -1 + taskid: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 1010\n }\n}" + '66': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandlineVerdict.AMSI + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: CommandlineVerdict.maliciousTools + 
operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.networkActivity + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousLolbinExecution + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousCmdPathAndArguments + operator: isNotEmpty + label: 'Yes' + continueonerrortype: '' + id: '66' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '30' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the results of the + command-line analysis. + id: be97ffb8-982a-489c-8d0a-c45eb6618a1f + iscommand: false + name: Found any malicious Command-line parameters? + type: condition + version: -1 + taskid: be97ffb8-982a-489c-8d0a-c45eb6618a1f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 1300\n }\n}" + '67': + continueonerrortype: '' + id: '67' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '81' + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Dear Analyst,\n\nDuring the remediation process the playbook executed\ + \ a shell command to disable the following scheduled task: \n${ExtractedTaskName}\n\ + \nThe task was disabled on the following remote endpoint: \n${Core.OriginalAlert.raw_abioc.event.schtasks_remote_host}" + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to War Room (Markdown supported). 
+ id: e2846c17-8044-43e0-881e-17219cfa784c + iscommand: false + name: Notify to War Room - Scheduled Task Disabled + scriptName: Print + type: regular + version: -1 + taskid: e2846c17-8044-43e0-881e-17219cfa784c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3310\n }\n}" + '69': + continueonerrortype: '' + id: '69' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2950\n }\n}" + '70': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: SUCCESS + label: 'yes' + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '67' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 1666967d-c2af-4352-82f0-0d17d99b391f + iscommand: false + name: Has the script disabled the task successfully? 
+ type: condition + version: -1 + taskid: 1666967d-c2af-4352-82f0-0d17d99b391f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3110\n }\n}" + '72': + continueonerror: true + continueonerrortype: '' + id: '72' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + key: + simple: ExtractedTaskName + value: + complex: + accessor: targetprocesscmd + root: alert + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?i).*tn\s(.*?)\s\/ + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extract the name and path of the malicious scheduled task and sets + the value in context key 'ExtractedTaskName'. + id: dfc8da1d-2f1d-4c5a-8de9-d2381c34b396 + iscommand: false + name: Extract the name and path of the scheduled task + scriptName: Set + type: regular + version: -1 + taskid: dfc8da1d-2f1d-4c5a-8de9-d2381c34b396 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2620\n }\n}" + '73': + continueonerrortype: '' + id: '73' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: (mitreattcktechnique:*T1202* or mitreattcktechnique:*T1021*) and -name:"Uncommon + remote scheduled task created" and agentid:${Core.Endpoint.endpoint_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for suspicious related alerts on the remote + endpoint using MITRE techniques. 
It focuses on identifying alerts from the + past 3 hours associated with the following techniques: + + - T1202 - Indirect Command Execution + + - T1021 - Remote Services + + ' + id: 8ef473cd-2dc1-46a1-805e-fa179910603d + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 8ef473cd-2dc1-46a1-805e-fa179910603d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1805\n }\n}" + '74': + continueonerrortype: '' + id: '74' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + hostname: + simple: ${Core.OriginalAlert.raw_abioc.event.schtasks_remote_host} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of the endpoint from the + start of the result set (start by counting from 0). 
+ id: 4be27c4b-ad83-46b4-868b-795a35647cd0 + iscommand: true + name: Get remote endpoint details + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 4be27c4b-ad83-46b4-868b-795a35647cd0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 630,\n \"y\": 195\n }\n}" + '75': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '75' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '73' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the Cortex XDR agent is installed on the remote + endpoint. + id: a2bad801-d912-45ec-8ac6-5ece49400caa + iscommand: false + name: Is the XDR agent installed on the remote endpoint? + type: condition + version: -1 + taskid: a2bad801-d912-45ec-8ac6-5ece49400caa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1610\n }\n}" + '76': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '72' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the Cortex XDR agent is installed and connected + on the remote endpoint. + id: 36164015-8f07-4e5b-873d-024f66adb228 + iscommand: false + name: Is the XDR agent install and connected on the remote endpoint? 
+ type: condition + version: -1 + taskid: 36164015-8f07-4e5b-873d-024f66adb228 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2420\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + process_name: + simple: ${alert.cgoname} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. + id: f54e9a6f-1a23-438f-8fbb-69aa1bab715e + iscommand: true + name: Get Causality process prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: f54e9a6f-1a23-438f-8fbb-69aa1bab715e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 190,\n \"y\": 195\n }\n}" + '78': + continueonerror: true + continueonerrortype: errorPath + id: '78' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '79' + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. 
+ id: 5ec26302-ebf5-44f0-820f-608303db5477 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 5ec26302-ebf5-44f0-820f-608303db5477 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3610\n }\n}" + '79': + continueonerrortype: '' + id: '79' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to terminate the causality + process: ${alert.cgoname} + + Please investigate this before closing this alert. + + ' + id: 008355c5-1a8d-4320-89be-537f43d295e8 + iscommand: false + name: Terminate Causality Process Manually + type: regular + version: -1 + taskid: 008355c5-1a8d-4320-89be-537f43d295e8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 190,\n \"y\": 3790\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '56' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the alert contains agent alerts indicating that + the alert was part of an attack pattern. + id: 287b6585-4340-4fd2-8134-6ee815f90846 + iscommand: false + name: Found any alerts indicating this is a malicious scheduled task? 
+ type: condition + version: -1 + taskid: 287b6585-4340-4fd2-8134-6ee815f90846 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 830\n }\n}" + '80': + continueonerrortype: '' + id: '80' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 15daefa9-4061-4aed-845a-473010c4b749 + iscommand: false + name: Remediation on the Remote Host + type: title + version: -1 + taskid: 15daefa9-4061-4aed-845a-473010c4b749 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2290\n }\n}" + '81': + continueonerrortype: '' + id: '81' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '78' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 74d0a222-b7d3-487e-8904-027e7a972231 + iscommand: false + name: Remediation on the Source Host + type: title + version: -1 + taskid: 74d0a222-b7d3-487e-8904-027e7a972231 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3480\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: 'No Evidence of Malicious Activity: + + - The causality process is signed and prevalent. + + - No related alerts indicating malicious activity were found on the source + host. + + - No malicious parameters were identified in the command line. + + - No related alerts indicating malicious activity were found on the remote + host.' 
+ closeReason: + simple: Resolved - Handled by the playbook "Endpoint initiated uncommon remote + scheduled task creation" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: a376a415-7a05-4085-85ff-e80b02660456 + iscommand: true + name: Close Alert - No evidence of malicious activity + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: a376a415-7a05-4085-85ff-e80b02660456 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1400,\n \"y\": 2290\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"14_22_#error#\": 0.37,\n \"2_3_Yes\"\ + : 0.12,\n \"32_3_yes\": 0.29,\n \"66_3_Yes\": 0.19,\n \"70_22_#default#\"\ + : 0.66,\n \"70_67_yes\": 0.52,\n \"75_5_#default#\": 0.6,\n \"75_73_yes\"\ + : 0.41,\n \"76_22_#default#\": 0.27,\n \"76_72_yes\": 0.47,\n \"78_79_#error#\"\ + : 0.51,\n \"8_3_yes\": 0.13\n },\n \"paper\": {\n \"dimensions\": {\n \ + \ \"height\": 4425,\n \"width\": 1780,\n \"x\": 0,\n \"y\": -240\n\ + \ }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml new file mode 100644 index 000000000000..a4b8bf4ad285 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml 
@@ -0,0 +1,503 @@ +description: "This playbook is designed to handle the following alerts: \n- Windows\ + \ Event Log was cleared using wevtutil.exe\n- Security Event Log was cleared using\ + \ wevtutil.exe\n- A Sensitive Windows Event Log was cleared using wevtutil.exe\n\ + - Windows event logs were cleared with PowerShell\n- Suspicious clear or delete\ + \ security provider event logs with PowerShell\n- Suspicious clear or delete default\ + \ providers event logs with PowerShell\n- Windows event logs cleared using wmic.exe\n\ + \nThe playbook executes the following stages:\n\nInvestigation:\nCheck the following\ + \ parameters to determine if remediation actions are needed:\n- Cortex XSIAM alerts\ + \ related to the hostname by MITRE tactics indicating malicious activity.\n- Whether\ + \ the CGO or the OSParent process is unsigned.\n- The prevalence of the OSParent\ + \ process.\n\nRemediation:\n- Handles malicious alerts by terminating the relevant\ + \ processes.\n- Handles non-malicious alerts identified during the investigation." +fromversion: 8.8.0 +id: silent-Event Log Was Cleared Test +inputSections: +- description: Generic group for inputs. + inputs: [] + name: General (Inputs group) +inputs: [] +issilent: true +name: silent-Event Log Was Cleared Test +outputSections: +- description: Generic group for outputs. 
+ name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- T1070 - Indicator Removal +- T1490 - Inhibit System Recovery +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: acc9b1ca-5e6b-485d-8152-4171df653733 + iscommand: false + name: '' + version: -1 + taskid: acc9b1ca-5e6b-485d-8152-4171df653733 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 40\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '73' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3bcade69-bdb3-46e0-880b-c9f741342853 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 3bcade69-bdb3-46e0-880b-c9f741342853 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 170\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Suspicious activity detected + closeReason: + simple: Resolved - Handled by the playbook "Event Log was cleared". 
+ id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 7f649638-3182-4d2c-8369-d0a14ec35642 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 7f649638-3182-4d2c-8369-d0a14ec35642 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1475\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 331ffb07-1760-4644-837c-68732ecf9bee + iscommand: false + name: Done + type: title + version: -1 + taskid: 331ffb07-1760-4644-837c-68732ecf9bee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1655\n }\n}" + '24': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the incident contains related alerts by MITRE + Techniques, indicating that the alert was part of an attack pattern. + id: 5b4b20fd-e0f6-43d0-843d-7d3c52c89fb7 + iscommand: false + name: Found any alerts indicating this is malicious activity? 
+ type: condition + version: -1 + taskid: 5b4b20fd-e0f6-43d0-843d-7d3c52c89fb7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 790\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 273d63e4-d318-4050-8e20-fa8b42b3b527 + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: 273d63e4-d318-4050-8e20-fa8b42b3b527 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1040,\n \"y\": 980\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isNotEmpty + root: alert.osparentsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: 'yes' + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '77' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict based on: + + - Process Signature + + - CMD line/Process name prevalence' + id: d5887430-f83b-453c-87b3-649e9fac2eb7 + iscommand: false + name: Check for process signatures and prevalence + type: 
condition + version: -1 + taskid: d5887430-f83b-453c-87b3-649e9fac2eb7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 460\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1473ad2f-f097-4673-8227-54c63e7bb296 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 1473ad2f-f097-4673-8227-54c63e7bb296 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 980\n }\n}" + '70': + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "Event Log was cleared" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 53074f01-741a-4f1e-8f5f-4e19539684f3 + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 53074f01-741a-4f1e-8f5f-4e19539684f3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1040,\n \"y\": 1110\n }\n}" + '73': + continueonerrortype: '' + id: '73' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + process_name: + complex: + accessor: osparentname + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.cgoname + operator: append + - args: + empty_values: {} + remove_keys: + value: + simple: 'false' + operator: RemoveEmpty + - operator: uniq + 
separatecontext: false + skipunavailable: true + task: + brand: '' + description: Get the prevalence of a process, identified by process name. + id: 11e37dbd-4664-442a-8b48-737b5e95ad75 + iscommand: true + name: Get prevalence for the processes in the causality + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: 11e37dbd-4664-442a-8b48-737b5e95ad75 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 300\n }\n}" + '76': + continueonerror: true + continueonerrortype: errorPath + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '78' + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. 
+ id: 7c9f23f6-7986-4c42-835f-f31c037a9fde + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 7c9f23f6-7986-4c42-835f-f31c037a9fde + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1110\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1055* or mitreattcktechnique:*T1059*) + and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for Cortex XSIAM suspicious alerts related\ + \ to the current incident by Mitre Technique, indicating that the alert is\ + \ part of an attack pattern.\n\nFocus on identifying alerts associated with\ + \ the following MITRE techniques:\n- T1055 - Process Injection \n- T1059 -\ + \ Command and Scripting Interpreter" + id: 7270541a-9892-47dc-8e5f-2b8c5c9c4583 + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 7270541a-9892-47dc-8e5f-2b8c5c9c4583 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 630\n }\n}" + '78': + continueonerrortype: '' + id: '78' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to terminate the causality + process: ${alert.cgoname} + + 
Please investigate this before closing this alert. + + ' + id: 891baf84-9fd1-4e29-800c-35768048337b + iscommand: false + name: Terminate Causality Process Manually + type: regular + version: -1 + taskid: 891baf84-9fd1-4e29-800c-35768048337b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1290\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"24_7_yes\": 0.23,\n \"76_78_#error#\"\ + : 0.56\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 1680,\n \ + \ \"width\": 1220,\n \"x\": 200,\n \"y\": 40\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml new file mode 100644 index 000000000000..ba08e2af373f --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml 
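Review bot: The error path of the Terminate Causality task ('76', `#error#` → '78') still ends in task '21', which closes the alert with closeReason `Resolved - Handled by the playbook "Event Log was cleared".` and closeNotes `Suspicious activity detected`, so an alert whose process termination failed is closed with exactly the same outcome and notes as one that was remediated, and nothing in the closed alert records that the causality process is still running. Task '78' itself asks the analyst to "investigate this before closing this alert", and the very next task then closes it; if '78' pauses as a manual task the close still happens unconditionally once it is marked complete, and with `issilent: true` the message may never be seen. Either route '78' to '22' so the alert stays open for the analyst, `nexttasks: '#none#': - '22'`, or give the error path its own close task whose closeNotes state that termination failed and name the process from `${alert.cgoname}`. The first hunk in this chunk appears to use the same pattern (task '79' routes to '13'), but that hunk starts outside this view so I cannot confirm where it ends.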
@@ -0,0 +1,1142 @@ +description: 'This playbook addresses the following alerts: + + + - Excessive user account lockouts + + - Excessive account lockouts on suspicious users + + - Excessive user account lockouts from a suspicious source + + + The playbook investigates and responds to excessive user account lockout alerts. + It gathers information about the alert, enriches relevant host data, and analyzes + event patterns. This analysis helps distinguish between benign lockouts and lockouts + caused by brute-force or password spray attacks. + + + Playbook Stages: + + + Triage: + + + - The playbook enriches the alert with details about the lockout events. + + + Investigation: + + + - Analyzes the lockout event timestamps to detect patterns. + + - Checks for related medium severity brute-force alerts in the incident. + + - Retrieves the Risk Score for the Caller Computer that caused the lockouts. + + + Containment: + + + - With analyst approval, the playbook can isolate the endpoint (either the Caller + Computer or the target host) if it''s determined to be a true positive and not a + server. + + + Requirements: + + + - For response actions, the following integration is required: Core - IR.' 
+fromversion: 8.8.0 +id: silent-Excessive User Account Lockouts Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Excessive User Account Lockouts Test +outputs: [] +starttaskid: '0' +tags: +- T1110 - Brute Force +- TA0006 - Credential Access +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a6f8c311-b856-4f69-898f-31f3a2fa1068 + iscommand: false + name: '' + version: -1 + taskid: a6f8c311-b856-4f69-898f-31f3a2fa1068 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about the lockout events, including timestamps + and the Caller Computer name. 
+ id: 34a5e2bb-48fc-49e6-8942-973578d1a7a6 + iscommand: true + name: Get more information about the lockout events + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 34a5e2bb-48fc-49e6-8942-973578d1a7a6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f6c847f4-93f0-4cce-89f1-79fd4f983858 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: f6c847f4-93f0-4cce-89f1-79fd4f983858 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 1680\n }\n}" + '12': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.severity + operator: isEqualString + right: + value: + simple: '1' + label: Low + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '15' + Low: + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the severity of the current alert. Different severity variations + have different conditions for verdict decision. 
+ id: 8f3e49e5-3f1e-41bf-87ce-085572fb5519 + iscommand: false + name: Check alert severity + type: condition + version: -1 + taskid: 8f3e49e5-3f1e-41bf-87ce-085572fb5519 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 1810\n }\n}" + '13': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.id + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: IntervalAnalysis.IsPatternLikelyAutomated + operator: isTrue + label: True Positive + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '46' + True Positive: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if there are medium severity brute-force alerts in the incident, + and if the lockouts seem to be the result of an automated process. + id: 8bd9e5e8-d9a9-4d99-8f3d-8a4e8661dd1e + iscommand: false + name: Check verdict - low severity alert + type: condition + version: -1 + taskid: 8bd9e5e8-d9a9-4d99-8f3d-8a4e8661dd1e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 260,\n \"y\": 1980\n }\n}" + '15': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: foundIncidents.id + operator: isNotEmpty + - left: + iscontext: true + value: + simple: IntervalAnalysis.IsPatternLikelyAutomated + operator: isTrue + label: True Positive + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '38' + True Positive: + 
- '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the Caller Computer is risky, there are medium severity + brute-force alerts in the incident, or if the lockouts seem to be the result + of an automated process. + id: 94de6f92-b24f-47ce-8c6a-2b2bc2b3ddc5 + iscommand: false + name: Check verdict - medium/high severity alert + type: condition + version: -1 + taskid: 94de6f92-b24f-47ce-8c6a-2b2bc2b3ddc5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1980\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0052b546-df3b-4fbd-8c65-9c7cceba5164 + iscommand: false + name: Containment + type: title + version: -1 + taskid: 0052b546-df3b-4fbd-8c65-9c7cceba5164 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2320\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b130c4f8-988f-41f5-83b2-c0d560e1749a + iscommand: false + name: Triage + type: title + version: -1 + taskid: b130c4f8-988f-41f5-83b2-c0d560e1749a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 180\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + complex: + accessor: endpoint_id + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: 
IsolationCandidate.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + - - left: + iscontext: true + value: + simple: IsolationCandidate.endpoint_name + operator: isNotEmpty + root: IsolationCandidate + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. + id: 036c042d-4edd-4a67-81e7-4130eb342a38 + iscommand: true + name: Isolate the endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 036c042d-4edd-4a67-81e7-4130eb342a38 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2800\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + hostname: + complex: + accessor: norm_evtlog_target_domain_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + ignore-outputs: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves agent information for the Caller Computer that caused + the lockouts (if managed). 
+ id: e80f56bc-9b7f-4194-8a3b-b7da358e127a + iscommand: true + name: Enrich Caller Computer + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: e80f56bc-9b7f-4194-8a3b-b7da358e127a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 830\n }\n}" + '31': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.norm_evtlog_target_domain_name + operator: isNotEmpty + right: + value: {} + label: Available + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '4' + Available: + - '3' + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the name of the Caller Computer is available in the event, + in order to avoid cases where all computers are queried due to an empty filter + in the core-get-endpoints command. + id: b114af3d-b553-4a33-8652-3b88a888c6f1 + iscommand: false + name: Check availability of Caller Computer Name + type: condition + version: -1 + taskid: b114af3d-b553-4a33-8652-3b88a888c6f1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 640\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f824171c-912c-4559-83e3-9c6c3908db98 + iscommand: false + name: False Positive + type: title + version: -1 + taskid: f824171c-912c-4559-83e3-9c6c3908db98 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2320\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + 
separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c21218a5-d5ff-4fb6-84bb-cf1a0beb53cf + iscommand: false + name: False Positive + type: title + version: -1 + taskid: c21218a5-d5ff-4fb6-84bb-cf1a0beb53cf + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 2815\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '40' + note: false + quietmode: 0 + scriptarguments: + hostname: + complex: + accessor: hostname + root: alert + transformers: + - operator: uniq + ignore-outputs: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoint from the start + of the result set (start by counting from 0). 
+ id: 83ff4126-8b59-42d1-80e7-492fa269b5d7 + iscommand: true + name: Get endpoint details for the target host + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 83ff4126-8b59-42d1-80e7-492fa269b5d7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": 1180\n }\n}" + '40': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: Non-server + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '11' + Non-server: + - '43' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves agent information for the host where the lockouts were + logged. 
+ id: cec099da-466d-4705-825f-5228bc8d77e0 + iscommand: false + name: Ensure target host is not a server + type: condition + version: -1 + taskid: cec099da-466d-4705-825f-5228bc8d77e0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": 1340\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + key: + simple: IsolationCandidate + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_name + operator: isEqualString + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.norm_evtlog_target_domain_name + root: Core.Endpoint + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the Caller Computer that caused the user lockouts as the + remediation target. 
+ id: 054b82f0-47a5-4a50-82d3-42a7df367ebd + iscommand: false + name: Save Caller Computer as target for remediation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 054b82f0-47a5-4a50-82d3-42a7df367ebd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 250,\n \"y\": 1180\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + key: + simple: IsolationCandidate + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_id + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_name + operator: isEqualString + right: + iscontext: true + value: + simple: alert.hostname + root: Core.Endpoint + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the host on which the lockouts occurred as the remediation + target. 
+ id: 62222607-7815-4c38-8775-1cfe01426421 + iscommand: false + name: Save Target Host as target for remediation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 62222607-7815-4c38-8775-1cfe01426421 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 1510\n }\n}" + '46': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost + operator: isNotEmpty + right: + value: {} + label: Risky + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '39' + Risky: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the Caller Computer that caused the lockouts is risky + (if managed). 
+ id: 0c636d74-3530-4485-8aab-eeb6b0a459e1 + iscommand: false + name: Check Caller Computer risk level + type: condition + version: -1 + taskid: 0c636d74-3530-4485-8aab-eeb6b0a459e1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 70,\n \"y\": 2150\n }\n}" + '48': + continueonerrortype: '' + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 648a9503-9122-44fe-8bea-2e326ca79107 + iscommand: true + name: Close the alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 648a9503-9122-44fe-8bea-2e326ca79107 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2980\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Automatic remediation was skipped due to one of the following + reasons: + + - The Caller Computer is not managed, and the target host is a server. + + - The Caller Computer and the Target Host are the same, and they are both + servers. + + + The analyst should take manual remediation steps such as fixing misconfigurations, + investigating lockout causes, etc.' 
+ id: 7f81c1a1-0cf6-40e1-8d0a-66e9a2378131 + iscommand: false + name: Manual - host server or unavailable + type: regular + version: -1 + taskid: 7f81c1a1-0cf6-40e1-8d0a-66e9a2378131 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 2630\n }\n}" + '5': + continueonerror: true + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + host_id: + complex: + accessor: norm_evtlog_target_domain_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets the risk level for the Caller Computer that caused the lockouts. + id: bba0b309-a23d-411c-8d5a-ac7bff8b971b + iscommand: true + name: Get Caller Computer risk level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: bba0b309-a23d-411c-8d5a-ac7bff8b971b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 830\n }\n}" + '52': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: IsolationCandidate.endpoint_name + operator: isEmpty + right: + value: {} + label: Host unavailable/server + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '54' + Host unavailable/server: + - '49' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Checks if the Caller Computer or host where the lockouts occurred + can be remediated. + + + The IsolationCandidate key will hold the Caller Computer if it''s managed. + If not managed or a server, the key will hold the target hostname instead. 
+ If the target host is a server, or is the same host as the Caller Computer + which happens to be a server, the IsolationCandidate key will be empty, requiring + analyst intervention.' + id: 8a3da735-27c1-40a2-814b-d8381a298c30 + iscommand: false + name: Check remediation preconditions + type: condition + version: -1 + taskid: 8a3da735-27c1-40a2-814b-d8381a298c30 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2455\n }\n}" + '53': + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and mitreattcktechnique:*T1110* and -severity:LOW and + -id:' + operator: concat + - args: + prefix: {} + suffix: + iscontext: true + value: + simple: alert.id + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for non-low severity alerts with the Brute Force MITRE + technique (T1110) in the same incident, which may be related to the excessive + lockouts. 
+ id: 3979d50a-f78e-4979-8103-27797180092d + iscommand: false + name: Search for suspicious brute force alerts in the incident + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 3979d50a-f78e-4979-8103-27797180092d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 630\n }\n}" + '54': + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + 'No': + - '48' + 'Yes': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Review the following findings and decide whether the host should + be isolated: + + ${IsolationCandidate.endpoint_name} + + + Below are the findings of the investigation: + + + + #### Current Alert Severity: + + `${.=val.alert.severity > 1 ? "Medium or higher" : "Low"}` + + + --- + + + #### Pattern Likely Automated: + + `${.=val.IntervalAnalysis.IsPatternLikelyAutomated ? "True" : "False"}` + + + --- + + + #### Related Brute-Force Alerts: + + `${.=val.foundIncidents.id ? "True" : "False"}` + + + --- + + + #### Risky Caller Computer: + + `${.=val.Core.RiskyHost && val.Core.RiskyHost.risk_level === "HIGH" ? 
"True" + : "False or unavailable"}` + + + ' + id: 18e9d259-d6ef-4e2a-875b-a849d57f6d42 + iscommand: false + name: Manual - decide whether to isolate the endpoint + type: condition + version: -1 + taskid: 18e9d259-d6ef-4e2a-875b-a849d57f6d42 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2630\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + - '53' + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 35501fc7-5bf8-4a0e-873b-5beec9d343ea + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 35501fc7-5bf8-4a0e-873b-5beec9d343ea + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 480\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + timestamps: + simple: ${Core.OriginalAlert._all_events.event_timestamp} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyze a list of Unix timestamps in milliseconds, to detect simple + patterns of consistency or high frequency. The script can aid in the investigation + of multi-event alerts that contain a list of timestamps. 
+ id: bb054ce8-8cc5-4060-817d-dba6db2ffee1 + iscommand: false + name: Analyze lockout timestamps + scriptName: AnalyzeTimestampIntervals + type: regular + version: -1 + taskid: bb054ce8-8cc5-4060-817d-dba6db2ffee1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 630\n }\n}" + '9': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: endpoint_id + filters: + - - left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: isNotEqualString + right: + value: + simple: AGENT_TYPE_SERVER + root: Core.Endpoint + operator: isNotEmpty + right: + value: {} + label: Non-server + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '4' + Non-server: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the Caller Computer is managed and identified is + a server. + id: 984a779e-940a-429c-8846-b1f832ce1f17 + iscommand: false + name: Ensure Caller Computer is not a server + type: condition + version: -1 + taskid: 984a779e-940a-429c-8846-b1f832ce1f17 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 990\n }\n}" +tests: +- no tests +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"13_16_True Positive\": 0.46,\n \"\ + 13_46_#default#\": 0.6,\n \"15_16_True Positive\": 0.45,\n \"15_38_#default#\"\ + : 0.23,\n \"31_3_Available\": 0.55,\n \"31_4_#default#\": 0.16,\n \"40_11_#default#\"\ + : 0.2,\n \"46_16_Risky\": 0.49,\n \"46_39_#default#\": 0.49,\n \"52_49_Host\ + \ unavailable/server\": 0.68,\n \"54_48_No\": 0.54,\n \"9_41_Non-server\"\ + : 0.58,\n \"9_4_#default#\": 0.4\n },\n \"paper\": {\n \"dimensions\": {\n\ + \ \"height\": 3025,\n \"width\": 1620,\n \"x\": -170,\n \"y\"\ + : 50\n }\n }\n}" 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml
new file mode 100644
index 000000000000..4c39a457aeb1
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml
@@ -0,0 +1,1576 @@ +description: "**This playbook addresses the following alerts**:\n- Exchange user mailbox\ + \ forwarding.\n- Suspicious Exchange user mailbox forwarding.\n\n**Playbook Stages**:\n\ + \n**Triage**:\n- Collect initial information about the internal user and the associated\ + \ external forwarding address.\n\n**Investigation**:\n- **Check IOCs Reputation**:\n\ + \ - Analyze the reputation of IP addresses, email addresses, and domains associated\ + \ with the alert.\n- **Get External Email Statistics**:\n - Retrieve statistics\ + \ of email interactions between the internal user and the external forwarding address\ + \ over the last 2 days, including:\n - Number of emails sent to and received\ + \ from the external address.\n - Number of users interacting with the external\ + \ address.\n- **Check if User is Risky**:\n - Assess the internal user's risk score\ + \ using:\n - **Core Risk Evaluation**: Identify high-risk users and extract reasons\ + \ behind elevated risk levels.\n - **Azure Risk Indicators**: Retrieve Azure\ + \ risk scores, detections, and recent security alerts for the internal user.\n-\ + \ **Check for Azure Alerts**:\n - Perform an advanced hunting query in Microsoft\ + \ 365 Defender to extract recent Azure alerts associated with the internal user.\n\ + \n**Containment**:\n- Provide a manual task for an analyst to review the findings\ + \ and determine the appropriate response.\n- Possible actions:\n - Disable the\ + \ user in Azure AD to prevent further unauthorized actions.\n - Disable mailbox\ + \ forwarding for the user in Exchange Online.\n - Disable both user and forwarding.\n\ + \ - Take no action.\n- If the user is disabled, revoke active sessions to ensure\ + \ immediate containment.\n\n**Requirements**:\nFor the best results, it's recommended\ + \ to ensure these integrations are configured and working:\n- `Cortex Core - Investigation\ + \ and Response` for Core user risk evaluation.\n- `Azure Risky Users` for 
retrieving\ + \ Azure-based user risk scores and detections.\n- `Microsoft 365 Defender` for advanced\ + \ hunting queries and extracting Azure alerts.\n- `Microsoft Graph User` for disabling\ + \ user accounts and revoking active sessions.\n- `Exchange Online EWS` for disabling\ + \ mailbox forwarding.\n- `Security And Compliance V2` for fetching email interaction\ + \ statistics." +fromversion: 6.10.0 +id: silent-Exchange User Mailbox Forwarding Test +inputs: [] +issilent: true +name: silent-Exchange User Mailbox Forwarding Test +outputs: [] +starttaskid: '0' +tags: +- TA0009 - Collection +- TA0010 - Exfiltration +- T1114 - Email Collection +- T1020 - Automated Exfiltration +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1ac1b290-5044-4124-8c24-2b9b64b96c75 + iscommand: false + name: '' + version: -1 + taskid: 1ac1b290-5044-4124-8c24-2b9b64b96c75 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -440\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: 7ce27bae-e219-4888-8d78-5afe5d9c48b8 + iscommand: false + name: Get timestamp for Azure detections + scriptName: GetTime + type: regular + version: -1 + taskid: 7ce27bae-e219-4888-8d78-5afe5d9c48b8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. + id: c0ff360a-1f8d-4af8-8635-9c29f2c06cf9 + iscommand: true + name: Collect user information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: c0ff360a-1f8d-4af8-8635-9c29f2c06cf9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -180\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: caller_ip + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 8aee3a72-4abc-41e8-8d9a-4c3b79b1b016 + iscommand: true + name: Get IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 8aee3a72-4abc-41e8-8d9a-4c3b79b1b016 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1050,\n \"y\": 260\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + email: + complex: + accessor: mailbox_forwarding_address + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Return email information and reputation. + id: 8b31ebe4-f831-4d96-8be9-68cc325b9bf1 + iscommand: true + name: Get Email reputation + script: '|||email' + type: regular + version: -1 + taskid: 8b31ebe4-f831-4d96-8be9-68cc325b9bf1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -630,\n \"y\": 260\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: mailbox_forwarding_address + root: Core.OriginalAlert.event + transformers: + - operator: uniq + - args: + delimiter: + value: + simple: '@' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns domain information and reputation. 
+ id: b5f28af3-c85f-4e9a-8432-98de0d324f2d + iscommand: true + name: Get Domain reputation + script: '|||domain' + type: regular + version: -1 + taskid: b5f28af3-c85f-4e9a-8432-98de0d324f2d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 260\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + - '13' + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5563326e-2e66-48cd-83e6-804156328fed + iscommand: false + name: Check IOCs Reputation + type: title + version: -1 + taskid: 5563326e-2e66-48cd-83e6-804156328fed + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -630,\n \"y\": 120\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousEmail + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: email + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 64be2b3d-af92-455f-818a-e2e4e75a9ee3 + iscommand: false + name: Check Email reputation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 64be2b3d-af92-455f-818a-e2e4e75a9ee3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -630,\n \"y\": 420\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousDomain + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 35e0f51d-e1c2-4737-8f2a-d0b578241e90 + iscommand: false + name: Check Domain reputation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 35e0f51d-e1c2-4737-8f2a-d0b578241e90 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 420\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 02cbe31c-9cfd-4cb0-833a-85358b09721c + iscommand: false + name: 'Triage ' + type: title + version: -1 + taskid: 02cbe31c-9cfd-4cb0-833a-85358b09721c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -310\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + - '21' + - '2' + - '35' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d0de6bf8-23c5-45ee-8c4f-5007e86cd02c + iscommand: false + name: Investigation + type: title + version: -1 + taskid: d0de6bf8-23c5-45ee-8c4f-5007e86cd02c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -20\n 
}\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: af350203-fe3e-4456-8cfe-13aa951ad866 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: af350203-fe3e-4456-8cfe-13aa951ad866 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 120\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIP + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: a4f41b44-31cb-4ffa-8b04-13c043ef3e6e + iscommand: false + name: Check IP reputation + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: a4f41b44-31cb-4ffa-8b04-13c043ef3e6e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1050,\n \"y\": 420\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d359526d-881e-4905-8933-9c999bd8862e + iscommand: false + name: Get External Email Statistics + type: title + version: -1 + taskid: d359526d-881e-4905-8933-9c999bd8862e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 120\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + allow_not_found_exchange_locations: + simple: 'true' + exchange_location: + simple: All + force: + simple: 'false' + kql: + simple: (from:${Core.OriginalAlert.event.mailbox_forwarding_address} OR to:${Core.OriginalAlert.event.mailbox_forwarding_address}) + 
AND (Received>=${ComplianceTime} OR Sent>=${ComplianceTime}) + polling_interval: + simple: '1' + polling_timeout: + simple: '45' + preview: + simple: 'true' + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook performs the following steps: + + 1. Creates a compliance search. + + 2. Starts a compliance search. + + 3. Waits for the compliance search to complete. + + 4. Gets the results of the compliance search as an output. + + 5. Gets the preview results, if specified.' + id: 2a178317-b1f5-418d-8716-9a2f93d42a8d + iscommand: false + name: O365 - Security And Compliance - Search + playbookName: O365 - Security And Compliance - Search + type: playbook + version: -1 + taskid: 2a178317-b1f5-418d-8716-9a2f93d42a8d + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 420\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '2' + extend-context: + simple: ComplianceTime=. + ignore-outputs: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: d6c7a3ca-8885-4e9e-8377-03cfe327e1f1 + iscommand: false + name: Get timestamp for compliance search + scriptName: GetTime + type: regular + version: -1 + taskid: d6c7a3ca-8885-4e9e-8377-03cfe327e1f1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 260\n }\n}" + '25': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "#### Internal User:\n`${Core.OriginalAlert.event.identity_name}`\n\ + \n#### External User (forwarded address):\n`${Core.OriginalAlert.event.mailbox_forwarding_address}`\n\ + \n---\n\n### Malicious Indicators Found:\n- **Malicious IP**: `${.=val.MaliciousIP\ + \ || \"None\"}`\n- **Malicious Domain**: `${.=val.MaliciousDomain || \"\ + None\"}`\n- **Malicious Email**: `${.=val.MaliciousEmail || \"None\"}`\n\ + \n---\n\n### Internal User Risk Analysis:\n- **User is risky (Core)**:\ + \ `${.=val.UserRiskyCoreReason ? \"Yes, Reason: \" + val.UserRiskyCoreReason\ + \ : \"N/A\"}`\n- **User is risky (Azure)**: `${.=val.UserRiskyAzureDetections\ + \ ? \"Yes, Risk Types: \" + val.UserRiskyAzureDetections : \"N/A\"}`\n\ + \n---\n\n### User Azure Security Alerts:\n- **Alerts titles from last\ + \ day**: `${.=val.AzureSecurityAlerts || \"N/A\"}`\n\n---\n\n### Email\ + \ Interaction Statistics of last 2 days:\n- **Number of users interacted\ + \ with ${Core.OriginalAlert.event.mailbox_forwarding_address}**: `${.=val.O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation\ + \ ? Object.keys(val.O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation).length\ + \ : \"No results\"}`\n\n- **Number of emails received from ${Core.OriginalAlert.event.mailbox_forwarding_address}**:\ + \ `${.=val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results\ + \ ? 
val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.filter(r\ + \ => r.Sender.toLowerCase() === val.Core.OriginalAlert.event.mailbox_forwarding_address.toLowerCase()).length\ + \ : \"No results\"}`\n\n- **Number of emails sent to ${Core.OriginalAlert.event.mailbox_forwarding_address}**:\ + \ `${.=val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results\ + \ ? val.O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.filter(r\ + \ => r.ReceivedTime && r.Sender.toLowerCase() !== val.Core.OriginalAlert.event.mailbox_forwarding_address.toLowerCase()).length\ + \ : \"No results\"}`\n\n---\n\n### Action Required:\nPlease choose the\ + \ action you want to perform:\n\n- **No Action**\n- **Disable User**:\ + \ Disable the user which configured the forwarding action on Azure.\n\ + \ - **Disable Forwarding**: Disable the forwarding action performed by\ + \ the user.\n- **Disable Both**: Disable the user in Azure and also disable\ + \ the forwarding action.\n\n**Note**: Disabling the auto-forwarding feature\ + \ organization-wide can prevent potential data leakage and improve email\ + \ security." 
+ options: [] + optionsarg: + - simple: No Action + - simple: Disable User + - simple: Disable Forwarding + - simple: Disable Both + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: Your SOC team + title: Analyst Action + totalanswers: 0 + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + key: + simple: Message + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9a18dcd2-4dd3-4aa0-8697-02fa65b8089d + iscommand: false + name: Manual Task - User Action Decision + type: collection + version: -1 + taskid: 9a18dcd2-4dd3-4aa0-8697-02fa65b8089d + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1220\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9fceaec3-3ffe-45aa-8501-3eafac491d2c + iscommand: false + name: Containment + type: title + version: -1 + taskid: 9fceaec3-3ffe-45aa-8501-3eafac491d2c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1090\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable 
User + label: Disable User + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Forwarding + label: Disable Forwarding + - condition: + - - left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Both Users + label: Disable Both + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable Both: + - '39' + Disable Forwarding: + - '30' + Disable User: + - '31' + No Action: + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6947fa8d-dd5e-494a-8f94-03c19036be26 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 6947fa8d-dd5e-494a-8f94-03c19036be26 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1390\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0c2e3c83-aebd-47bf-84ce-2f3dd284005d + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 0c2e3c83-aebd-47bf-84ce-2f3dd284005d + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2090\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 555473c9-54f1-485f-87c7-77d049ff0ad1 + iscommand: true + name: Close Alert + script: 
Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 555473c9-54f1-485f-87c7-77d049ff0ad1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2230\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. + id: 6ec94329-01df-47f3-8591-913966bc4fa4 + iscommand: true + name: Get core user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 6ec94329-01df-47f3-8591-913966bc4fa4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 260\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + identity: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disable mail forwarding for a given user. 
+ id: d8140792-902e-43dc-8735-ba8ea75032a8 + iscommand: true + name: Disable forwarding action + script: '|||ews-mail-forwarding-disable' + type: regular + version: -1 + taskid: d8140792-902e-43dc-8735-ba8ea75032a8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 750,\n \"y\": 1760\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: f1db6f8a-0f7f-44f4-8e03-97775d8bafe9 + iscommand: true + name: Disable user in Azure + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: f1db6f8a-0f7f-44f4-8e03-97775d8bafe9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 120,\n \"y\": 1760\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 37a8e3aa-8d05-49d5-8839-ea94acc26f3a + iscommand: false + name: Done + type: title + version: -1 + taskid: 37a8e3aa-8d05-49d5-8839-ea94acc26f3a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 460,\n \"y\": 2400\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + user: + 
complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session- Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: a5a85fc9-5d43-4dcf-8b3a-3303a8ed321b + iscommand: true + name: Revoke user session + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: a5a85fc9-5d43-4dcf-8b3a-3303a8ed321b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 120,\n \"y\": 1920\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: 6f4cd3b5-60d1-4cb6-8582-4321319b7aa8 + iscommand: false + name: Check For Azure Alerts + type: title + version: -1 + taskid: 6f4cd3b5-60d1-4cb6-8582-4321319b7aa8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 120\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + note: false + quietmode: 0 + scriptarguments: + query: + simple: let _start = now(-1d); AlertEvidence | where Timestamp >= _start | + where AccountUpn == "${UserUPN}" + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Advanced hunting is a threat-hunting tool that uses specially + constructed queries to examine the past 30 days of event data in Microsoft + 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.' 
+ id: e302b09c-496a-4e41-8a76-3eb89b8c8266 + iscommand: true + name: Get Azure alerts + script: '|||microsoft-365-defender-advanced-hunting' + type: regular + version: -1 + taskid: e302b09c-496a-4e41-8a76-3eb89b8c8266 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 420\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: AzureSecurityAlerts + value: + complex: + accessor: Title + root: Microsoft365Defender.Hunt.results + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: 8f66eab4-f9a6-49c3-8202-1e26c1993cd9 + iscommand: false + name: Extract Azure user alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 8f66eab4-f9a6-49c3-8202-1e26c1993cd9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 580\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + 
isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserUPN + value: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: FirstArrayElement + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: a8d35ffd-1cb6-4037-83b4-9d2a9b823606 + iscommand: false + name: Get user UPN + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: a8d35ffd-1cb6-4037-83b4-9d2a9b823606 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1500,\n \"y\": 260\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b3384680-5740-433d-8dbf-b3a1103b4580 + iscommand: false + name: Disable User & Forwarding Settings + type: title + version: -1 + taskid: b3384680-5740-433d-8dbf-b3a1103b4580 + timertriggers: [] + 
type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1620\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + updated_after: + simple: 1 days + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: 81e20815-1f8f-4844-895e-68f66ea6db1f + iscommand: true + name: Get Azure user risk score + script: '|||azure-risky-users-list' + type: regular + version: -1 + taskid: 81e20815-1f8f-4844-895e-68f66ea6db1f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 260\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: HIGH + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + HIGH: + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: 9e18431c-9d6c-4d10-8bf9-a79e259b5472 + iscommand: false + name: Check user risk score + type: condition + version: -1 + taskid: 9e18431c-9d6c-4d10-8bf9-a79e259b5472 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 420\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + detected_date_time_after: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a comma-separated list of the Risk Detection objects and + their properties. 
+ id: 58e997bd-fa51-41b9-8e94-3473c3881e59 + iscommand: true + name: Get Azure risky user detections + script: '|||azure-risky-users-risk-detections-list' + type: regular + version: -1 + taskid: 58e997bd-fa51-41b9-8e94-3473c3881e59 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 745\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyCoreReason + value: + complex: + accessor: description + root: Core.RiskyUser.reasons + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: 9bca58e7-7159-4149-824f-169580c9eb81 + iscommand: false + name: Get risky user activity + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9bca58e7-7159-4149-824f-169580c9eb81 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 630\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: 
true + value: + complex: + accessor: userPrincipalName + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.userPrincipalName + operator: isEqualString + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_name + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.riskState + operator: isEqualString + right: + value: + simple: atRisk + - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskyUser.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskyUser + transformers: + - operator: uniq + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + 'yes': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 59da37a5-c608-4f67-84fe-087321520256 + iscommand: false + name: Check user risk score + type: condition + version: -1 + taskid: 59da37a5-c608-4f67-84fe-087321520256 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 420\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyAzureDetections + value: + complex: + accessor: riskEventType + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_name + - - ignorecase: true + left: + iscontext: true + value: + simple: 
AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: atRisk + - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskDetection + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 19e009b2-b4a9-4b69-8a41-18c78f22e4ac + iscommand: false + name: Extract Azure user detections + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 19e009b2-b4a9-4b69-8a41-18c78f22e4ac + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1090,\n \"y\": 910\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"27_28_No Action\": 0.74,\n \"27_30_Disable\ + \ Forwarding\": 0.86,\n \"27_31_Disable User\": 0.85,\n \"27_39_Disable Both\"\ + : 0.52,\n \"5_26_#default#\": 0.14,\n \"5_7_HIGH\": 0.6,\n \"8_26_#default#\"\ + : 0.19\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 2905,\n \ + \ \"width\": 2930,\n \"x\": 
-1050,\n \"y\": -440\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
new file mode 100644
index 000000000000..4aa782531d8c
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
@@ -0,0 +1,1605 @@
+description: "This playbook addresses the following alerts:\n\n- External Exchange\
+ \ inbox forwarding rule configured.\n- Suspicious Exchange inbox forwarding rule\
+ \ configured.\n- Suspicious Exchange email-hiding inbox rule.\n- Possible BEC Exchange\
+ \ email-hiding inbox rule.\n- Exchange email-hiding transport rule based on message\
+ \ keywords.\n- Suspicious Exchange email-hiding transport rule.\n- Exchange transport\
+ \ forwarding rule configured.\n- Suspicious Exchange transport forwarding rule configured.\n\
+ \nPlaybook Stages:\n \nTriage: \n\n- The playbook retrieves the caller's IP, the\
+ \ forwarding email address, and the domain.\n\nEarly Containment:\n\n- The playbook\
+ \ checks if the IP or domain of the forwarding email address is malicious. If so,\
+ \ it suggests blocking the IP using PAN-OS while continuing the investigation in\
+ \ parallel.\n\nInvestigation:\n\n- The playbook checks for suspicious behaviors,\
+ \ including whether an Exchange admin created the rule outside of working hours,\
+ \ from unusual geolocation, or if the user who created the rule has a high-risk\
+ \ score. It then aggregates all evidence collected during the investigation.\n\n\
+ Containment:\n\n- Soft Response Actions: If at least two suspicious pieces of evidence\
+ \ are identified, the playbook will execute soft response actions. These actions\
+ \ include signing the user out and disabling the forwarding rule configured in the\
+ \ user's account mailbox.\n- Hard Response Actions: If more than two suspicious\
+ \ pieces of evidence are identified, the playbook escalates to hard response actions.\
+ \ These actions include disabling the user account upon analyst decision and removing\
+ \ the forwarding rule from the user's account mailbox.\n\nRequirements: \n\nFor\
+ \ any response action, you need the following integrations:\n- EWS Extension Online\
+ \ Powershell v3 integration.\n- Azure Active Directory Users."
+fromversion: 6.10.0
+id: silent-Exchange forwarding rule configured Test
+inputSections:
+- description: Generic group for inputs.
+ inputs: []
+ name: General (Inputs group)
+inputs: []
+issilent: true
+marketplaces:
+- marketplacev2
+name: silent-Exchange forwarding rule configured Test
+outputSections:
+- description: Generic group for outputs.
+ name: General (Outputs group)
+ outputs: []
+outputs: []
+starttaskid: '0'
+tags:
+- TA0009 - Collection
+- TA0010 - Exfiltration
+- T1114 - Email Collection
+- T1020 - Automated Exfiltration
+- TA0005 - Defense Evasion
+- T1564.008 - Hide Artifacts
+tasks:
+ '0':
+ continueonerrortype: ''
+ id: '0'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '1'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: d8b9f650-e109-4dd6-886d-da90aef71bff
+ iscommand: false
+ name: ''
+ version: -1
+ taskid: d8b9f650-e109-4dd6-886d-da90aef71bff
+ timertriggers: []
+ type: start
+ view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -310\n }\n}"
+ '1':
+ continueonerrortype: ''
+ id: '1'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ nexttasks:
+ '#none#':
+ - '2'
+ - '28'
+ - '6'
+ note: false
+ quietmode: 0
+ scriptarguments:
+ alert_ids:
+ simple: ${alert.id}
+ filter_alert_fields:
+ simple: 'false'
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: Returns information about each alert ID.
+ id: 3fa5a92e-3b86-4a05-8b86-53cd466bb1cb + iscommand: true + name: Get caller IP and forwarding mail address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 3fa5a92e-3b86-4a05-8b86-53cd466bb1cb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -180\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: IsAbnormalGeolocation= + left: + simple: ${Core.OriginalAlert.event.saas_caller_ip_geolocation_days_seen_count},${Core.OriginalAlert.event.service_caller_ip_asn_days_seen_count} + right: + simple: '0' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Returns all elements from the left side that have a substring + that is equal to an element from the right side. Note: This filter is case-insensitive.' 
+ id: cdba5566-f4de-4815-85ba-46d04083adf2 + iscommand: false + name: Analyze geolocation anomalies + scriptName: AnyMatch + type: regular + version: -1 + taskid: cdba5566-f4de-4815-85ba-46d04083adf2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 660\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Exchange forwarding rule configured" + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 2a5b29fd-1460-4830-819f-be57d5c524df + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 2a5b29fd-1460-4830-819f-be57d5c524df + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2170\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + identity: + simple: ${Core.OriginalAlert.raw_abioc.event.exchange_rule_name} + mailbox: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disable an existing inbox rule in a given mailbox. 
+ id: 08bbda77-f3ca-482f-83bb-6590a059f649 + iscommand: true + name: Disable the Exchange forwarding inbox rule + script: '|||ews-rule-disable' + type: regular + version: -1 + taskid: 08bbda77-f3ca-482f-83bb-6590a059f649 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 2000\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 58ed5fd7-71b7-4865-8de2-a4b02de08967 + iscommand: false + name: Done + type: title + version: -1 + taskid: 58ed5fd7-71b7-4865-8de2-a4b02de08967 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2330\n }\n}" + '2': + continueonerror: true + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: caller_ip + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: be117be2-af06-4d9e-8b01-19cc4b115d02 + iscommand: true + name: 'Check caller IP reputation ' + script: '|||ip' + type: regular + version: -1 + taskid: be117be2-af06-4d9e-8b01-19cc4b115d02 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": -10\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + Username: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear + user sessions.' + id: 34930460-5127-496b-8e0c-3edcd48e29af + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 34930460-5127-496b-8e0c-3edcd48e29af + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1490\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: HIGH + rhsB: {} + then: + value: + simple: The user risk level is high. 
+ operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 88f80ddf-8d28-480d-8c67-9bb233890c41 + iscommand: false + name: Set risky user to aggregated evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 88f80ddf-8d28-480d-8c67-9bb233890c41 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 820\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: IsAbnormalGeolocation.[0] + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: 'True' + rhsB: {} + then: + value: + simple: The user connected from an unusual geolocation. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 44ae1921-e62d-4ace-8ad6-604f750b32e0 + iscommand: false + name: Set abnormal geolocation to aggregated evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 44ae1921-e62d-4ace-8ad6-604f750b32e0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 820\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: IsOutOfWorkingHours + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: 'true' + rhsB: {} + then: + value: + simple: User created forwarding rule outside of business hours. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 347eeeb4-facc-4e53-8832-013274dac80f + iscommand: false + name: Set abnormal working hours to aggregated evidences + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 347eeeb4-facc-4e53-8832-013274dac80f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 820\n }\n}" + '25': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '2' + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + label: 'Yes' + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'Yes': + - '20' + - '43' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 627d5819-cb1e-4b21-8e88-8b6d82ae21ac + iscommand: false + name: Checking soft remediation conditions + type: condition + version: -1 + taskid: 627d5819-cb1e-4b21-8e88-8b6d82ae21ac + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1270\n }\n}" + '28': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.forwarding_domain_with_tld + 
operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b09a9327-e34b-4f81-8782-e54ae932ca27 + iscommand: false + name: Check if a forwarding address domain exists + type: condition + version: -1 + taskid: b09a9327-e34b-4f81-8782-e54ae932ca27 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": -10\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + - '37' + - '36' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 73936401-a8d4-4374-8d30-4c9bc55f590e + iscommand: false + name: Evaluate investigation results + type: title + version: -1 + taskid: 73936401-a8d4-4374-8d30-4c9bc55f590e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 990\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: forwarding_domain_with_tld + root: Core.OriginalAlert.raw_abioc.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of a domain. 
+ id: b504ebe2-56d0-400e-8222-a7d57b546615 + iscommand: true + name: Check forwarding email Domain reputation + script: '|||domain' + type: regular + version: -1 + taskid: b504ebe2-56d0-400e-8222-a7d57b546615 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 180\n }\n}" + '30': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.severity + operator: isEqualString + right: + value: + simple: SEV_030_MEDIUM + - - left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '2' + label: 'yes' + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7a967a10-abda-42b5-8535-2b3502c52c05 + iscommand: false + name: Checking medium severity conditions + type: condition + version: -1 + taskid: 7a967a10-abda-42b5-8535-2b3502c52c05 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 1270\n }\n}" + '32': + continueonerrortype: '' + form: + description: The investigation revealed several suspicious indicators suggesting + the user who created the forwarding rule may be compromised. The associated + forwarding email and filters have been automatically removed. Please decide + whether to take any additional recommended actions. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "The following evidence was found: \n\n${Evidences}\n\nWould you\ + \ like to disable the account ${Core.OriginalAlert.raw_abioc.event.identity_name}?" 
+ options: [] + optionsarg: + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Select user account containment steps + totalanswers: 0 + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6cc4ec9a-a36d-48e5-852b-a5c1bc1b782f + iscommand: false + name: Decide whether to disable the user account + type: collection + version: -1 + taskid: 6cc4ec9a-a36d-48e5-852b-a5c1bc1b782f + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1470\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: 008f1f26-4377-498c-8921-ddb3736ef0fa + iscommand: true + name: Disable user account via MS-Graph + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 008f1f26-4377-498c-8921-ddb3736ef0fa + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1830\n }\n}" + '34': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Select user account containment steps.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: 'yes' + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 65ab206a-9e3f-4b64-8efe-0ec2ba0d3e54 + iscommand: false + name: Check analyst decision + type: condition + version: -1 + taskid: 65ab206a-9e3f-4b64-8efe-0ec2ba0d3e54 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1660\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ed34eb8f-329b-49f1-8f12-d0e979055d77 + iscommand: false + name: Early Containment Complete + type: title + version: -1 + taskid: ed34eb8f-329b-49f1-8f12-d0e979055d77 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -450,\n \"y\": 2015\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ec931801-d2f1-4042-84b4-0a7adf76ed05 + iscommand: 
false + name: Hard Remediation + type: title + version: -1 + taskid: ec931801-d2f1-4042-84b4-0a7adf76ed05 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 1130\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f6057cef-9260-4970-8b1d-88edb25b4059 + iscommand: false + name: Soft Remediation + type: title + version: -1 + taskid: f6057cef-9260-4970-8b1d-88edb25b4059 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 1130\n }\n}" + '4': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0b23837d-9e34-4468-8c26-2d54a9705b83 + iscommand: false + name: Evaluate domain and IP address risk level + type: condition + version: -1 + taskid: 0b23837d-9e34-4468-8c26-2d54a9705b83 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -160,\n \"y\": 350\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + 
isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + append: + simple: 'true' + key: + simple: Evidences + value: + complex: + accessor: '}' + root: ${ + transformers: + - args: + condition: + value: + simple: lhs==rhs + conditionB: {} + conditionInBetween: {} + else: {} + equals: {} + lhs: + iscontext: true + value: + simple: Core.OriginalAlert.event.service_sub_type + lhsB: {} + options: {} + optionsB: {} + rhs: + value: + simple: ExchangeAdmin + rhsB: {} + then: + value: + simple: The user has admin privileges. + operator: If-Then-Else + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This script runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about script permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script' + id: 0ad3c032-8b63-40e8-8c30-edab2a540918 + iscommand: false + name: Verify if user is an Exchange admin + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 0ad3c032-8b63-40e8-8c30-edab2a540918 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1230,\n \"y\": 660\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + root: Evidences + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain 
+ - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d4c540d3-adaf-4f1b-869f-32ddd550508f + iscommand: false + name: Checking hard remediation conditions + type: condition + version: -1 + taskid: d4c540d3-adaf-4f1b-869f-32ddd550508f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 1275\n }\n}" + '43': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: EWS Extension Online Powershell v3 + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 70e37f74-2f2f-41bf-88fc-463eaba78af7 + iscommand: false + name: Check EWS Extension Online Powershell availability + type: condition + version: -1 + taskid: 70e37f74-2f2f-41bf-88fc-463eaba78af7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1490\n }\n}" + '44': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + 
simple: External Exchange inbox forwarding rule configured + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange inbox forwarding rule configured + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Possible BEC Exchange email-hiding inbox rule + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange email-hiding inbox rule + label: Inbox Rule + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Exchange email-hiding transport rule based on message keywords + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange email-hiding transport rule + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Exchange transport forwarding rule configured + - ignorecase: true + left: + iscontext: true + value: + simple: alert.name + operator: isEqualString + right: + value: + simple: Suspicious Exchange transport forwarding rule configured + label: Transport Rule + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Inbox Rule: + - '46' + Transport Rule: + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f89e9955-3dd9-4670-8a5e-08f041d3414b + iscommand: false + name: Check Alert type + type: condition + version: -1 + taskid: f89e9955-3dd9-4670-8a5e-08f041d3414b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1660\n }\n}" + '45': + continueonerrortype: '' + id: 
'45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + identity: + simple: ${Core.OriginalAlert.event.exchange_transport_rule_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disable a mail flow rule (transport rule) in the organization. + id: cce63e53-a02d-4d25-89ec-3684f0de635e + iscommand: true + name: Disable the Exchange forwarding transport rule + script: '|||ews-mail-flow-rule-disable' + type: regular + version: -1 + taskid: cce63e53-a02d-4d25-89ec-3684f0de635e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 2000\n }\n}" + '46': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: ${Core.OriginalAlert.raw_abioc.event.exchange_rule_name} + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 040c3bcd-4166-4768-847f-e4d09303d1f5 + iscommand: false + name: Check if inbox rule name is not empty + type: condition + version: -1 + taskid: 040c3bcd-4166-4768-847f-e4d09303d1f5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 1830\n }\n}" + '47': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.raw_abioc.event.exchange_transport_rule_name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '45' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 
a5bf70e3-c221-4511-8166-f205c7ee13b6 + iscommand: false + name: Check if transport rule name is not empty + type: condition + version: -1 + taskid: a5bf70e3-c221-4511-8166-f205c7ee13b6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1280,\n \"y\": 1830\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4592715d-e397-4035-8f6a-aa8adebe4d8b + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: 4592715d-e397-4035-8f6a-aa8adebe4d8b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -450,\n \"y\": 520\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + - '9' + - '8' + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3147a19e-41fd-493f-823d-87582c61e37b + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 3147a19e-41fd-493f-823d-87582c61e37b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 520\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + simple: ${Core.OriginalAlert.event.caller_ip} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. 
The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' + id: aa988d9d-9321-4428-8426-cdd5d7c15e5d + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: aa988d9d-9321-4428-8426-cdd5d7c15e5d + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": -450,\n \"y\": 660\n }\n}" + '8': + continueonerror: true + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${Core.OriginalAlert.raw_abioc.event.identity_normalized.identity} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 150bae48-03a8-495a-87b5-11b63bd85444 + iscommand: true + name: Get user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 150bae48-03a8-495a-87b5-11b63bd85444 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 660\n }\n}" + '9': + continueonerror: true + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + begin_time: + simple: '22:00:00' + end_time: + simple: 06:00:00 + extend-context: + simple: IsOutOfWorkingHours= + value: + complex: + accessor: event_timestamp + root: Core.OriginalAlert.event + transformers: + - operator: TimeStampToDate + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the given value is within the specified time (hour) + range. + id: 146faa60-9405-4cf2-8f7c-7ce02160a0c4 + iscommand: false + name: Check if rule creation occurred outside business hours + scriptName: BetweenHours + type: regular + version: -1 + taskid: 146faa60-9405-4cf2-8f7c-7ce02160a0c4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 660\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"25_14_#default#\": 0.17,\n \"25_20_Yes\"\ + : 0.52,\n \"25_43_Yes\": 0.51,\n \"28_3_yes\": 0.43,\n \"28_6_#default#\"\ + : 0.25,\n \"30_14_#default#\": 0.1,\n \"30_32_yes\": 0.43,\n \"34_14_#default#\"\ + : 0.32,\n \"34_33_yes\": 0.55,\n \"41_14_#default#\": 0.16,\n \"41_32_yes\"\ + : 0.4,\n \"43_14_#default#\": 0.24,\n \"43_44_yes\": 0.47,\n \"44_46_Inbox\ + \ Rule\": 0.45,\n \"44_47_Transport Rule\": 0.53,\n \"46_14_#default#\": 0.45,\n\ + \ \"47_14_#default#\": 0.22,\n \"4_5_yes\": 0.38,\n \"4_6_#default#\":\ + \ 0.19\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 2705,\n \ + \ \"width\": 2110,\n \"x\": -450,\n \"y\": -310\n }\n 
}\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml new file mode 100644 index 000000000000..6cd2cbe6c2d5 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml 
@@ -0,0 +1,1176 @@ +description: "This playbook addresses the following alerts:\n \n- Msiexec execution\ + \ of an executable from an uncommon remote location with a specific port\n- Msiexec\ + \ execution of an executable from an uncommon remote location without properties\n\ + \ \nPlaybook Stages:\n \nAnalysis: \n \n- Check extracted URL reputation:\n -\ + \ Determine if the MSI package was installed from a malicious source\n - If the\ + \ URL is found to be malicious, the playbook will proceed directly to remediation\ + \ steps\n \nInvestigation:\n\n- Check extracted domain's prevalence and causality\ + \ process signature status:\n - Evaluate the prevalence of the domain from which\ + \ the MSI package was downloaded\n - Verify if the causality process (CGO) is signed\ + \ or unsigned\n - If the domain is found malicious and the causality process is\ + \ unsigned, the playbook will proceed directly to remediation steps\n\n- Check for\ + \ the following related alerts: \n - Local Analysis Malware\n - Mitre Techniques:\n\ + \ - T1140 - Deobfuscate/Decode Files or Information\n - T1059 - Command and\ + \ Scripting Interpreter \n\n- Analyze CGO command line for defense evasion techniques:\n\ + \ - Evaluate the command line for suspicious patterns which indicates attempts\ + \ to bypass security controls\n\n- If the command line contains suspicious patterns\ + \ or related alerts are found, the playbook will proceed directly to remediation\ + \ steps\n\nContainment:\n \n- Terminate causality process\n- Block maliciou URL\ + \ (Manual approval)\n - Implement URL blocking using PAN-OS through Custom URL\ + \ Categories\n- Isolate endpoint (Manual approval)\n \nRequirements: \n \nFor any\ + \ response action, you need the following integration:\n \n- PAN-OS." 
+fromversion: 8.8.0 +id: silent-Msiexec execution of an executable from an uncommon remote location Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Msiexec execution of an executable from an uncommon remote location Test +outputs: [] +starttaskid: '0' +tags: +- TA0005 - Defense Evasion +- T1218 - System Binary Proxy Execution +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4ac8c300-a0ba-4b0f-8816-e8f4a9e451df + iscommand: false + name: '' + version: -1 + taskid: 4ac8c300-a0ba-4b0f-8816-e8f4a9e451df + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 960,\n \"y\": -1110\n }\n}" + '1': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualString + right: + value: + simple: '3' + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + label: Malicious + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '43' + Malicious: + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check reputation of the remote URL from which the MSI was downloaded + and installed. 
+ id: 95e1f313-a103-47b7-8d45-7c458de2dc48 + iscommand: false + name: Check extracted remote URL's reputation + type: condition + version: -1 + taskid: 95e1f313-a103-47b7-8d45-7c458de2dc48 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 750,\n \"y\": -280\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + domain_name: + simple: ${Domain.Name} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a domain, identified by domain_name. + id: fd751959-f8ae-4ef0-8735-aaca8b0ee92b + iscommand: true + name: Check domain prevalence + script: '|||core-get-domain-analytics-prevalence' + type: regular + version: -1 + taskid: fd751959-f8ae-4ef0-8735-aaca8b0ee92b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 100\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c6614547-d98f-4f0c-84ec-7466f1b8ac41 + iscommand: false + name: Done + type: title + version: -1 + taskid: c6614547-d98f-4f0c-84ec-7466f1b8ac41 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1300,\n \"y\": 2550\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '((mitreattcktechnique:*T1059* or mitreattcktechnique:*1140* + or name:*Local Analysis 
Malware*) and caseid:' + suffix: + value: + simple: ) + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for Cortex XSIAM suspicious alerts related + to the current alert by Mitre Technique, indicating that the alert is part + of an attack pattern. + + + Focus on identifying alerts associated with the following MITRE techniques: + + - Any Agent Alerts within this alert. + + - T1059 - Command and Scripting Interpreter.' + id: 62f69c52-5b95-41c1-83e5-a7b0822cc82d + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 62f69c52-5b95-41c1-83e5-a7b0822cc82d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 660\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious attempt to install .msi package from remote URL + closeReason: + simple: Resolved - Handled by the playbook "Suspicious msiexec execution" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: ee22533d-2819-4162-88a0-15379051d139 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: ee22533d-2819-4162-88a0-15379051d139 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": 2380\n }\n}" + '21': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + root: Core.AnalyticsPrevalence.Domain + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: 'False' + - left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Ip.value + operator: isEqualString + right: + value: + simple: 'False' + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: Malicious + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Malicious: + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This condition checks if the domain prevalence is not False (i.e., + the domain is prevalent) and if the causality process is signed. If both conditions + are met, the task is considered malicious. 
+ id: b4037b3b-bc13-46d6-8bbf-3883cac5b0e5 + iscommand: false + name: Check if domain is not prevalent AND CGO process is unsigned + type: condition + version: -1 + taskid: b4037b3b-bc13-46d6-8bbf-3883cac5b0e5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 430\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4366472d-cc91-4059-894c-59066b6611a1 + iscommand: false + name: Inconclusive + type: title + version: -1 + taskid: 4366472d-cc91-4059-894c-59066b6611a1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1300,\n \"y\": 1390\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + url: + simple: ${URL.Data} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns a verdict for a hash. 
+ id: f999a637-3507-4144-8eb8-3f0d871d4fb1 + iscommand: true + name: Get Wildfire Verdict for URL + script: '|||wildfire-get-verdict' + type: regular + version: -1 + taskid: f999a637-3507-4144-8eb8-3f0d871d4fb1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 750,\n \"y\": -440\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 036d604c-7aac-4e5a-8d47-399ea4ca6934 + iscommand: false + name: Analyze CGO Commandline + type: title + version: -1 + taskid: 036d604c-7aac-4e5a-8d47-399ea4ca6934 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 840\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 08dd5d27-1e08-4e7e-8661-8b8801ab0883 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 08dd5d27-1e08-4e7e-8661-8b8801ab0883 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 270\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: 0f6a3195-3710-4629-86cd-b810f988f805 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 0f6a3195-3710-4629-86cd-b810f988f805 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2210\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + command_line: + complex: + accessor: cgocmd + root: alert + transformers: + - args: + delimiter: + value: + simple: ' + + ' + operator: splitAndTrim + - args: + empty_values: {} + remove_keys: + value: + simple: 'true' + operator: RemoveEmpty + - args: + separator: {} + operator: join + custom_patterns: + simple: ((cmd|type)= 30, indicating high confidence\ + \ probability for malicious behavior.\n\n* Score >= 10 with a prevention rule\ + \ detected in the same incident, correlating to malicious activity.\n\n**Action\ + \ Required:**\n\n* Isolate the remote host: ${Endpoint.Hostname}" + id: c2b18800-ab04-4323-8962-209698d7d91e + iscommand: false + name: "Approval Required \u2013 Malicious Activity Detected" + type: condition + version: -1 + taskid: c2b18800-ab04-4323-8962-209698d7d91e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2560\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${Endpoint.ID} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: 7df12c62-a960-428c-8e0f-dccf404b63e0 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 7df12c62-a960-428c-8e0f-dccf404b63e0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2755\n }\n}" + '19': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: CommandLineAnalysis.findings + operator: AnyMatch + right: + value: + simple: mixed case powershell, reversed command, powershell suspicious + patterns, credential dumping, double encoding, amsi techniques, malicious + commands + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: IP + root: DBotScore + operator: greaterThanOrEqual + right: + value: + simple: '3' + - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '30' + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_UNISOLATED + label: 'Yes' + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'Yes': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: If the condition "Check for high-confidence evidence or malicious + IP address" was matched and the remote endpoint ID is available, an endpoint + isolation is suggested. + id: f4474c65-78f5-4acd-8954-1ed6559bc89e + iscommand: false + name: Should proceed to isolate the remote endpoint? 
+ type: condition + version: -1 + taskid: f4474c65-78f5-4acd-8954-1ed6559bc89e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2200\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + ip_list: + simple: ${Core.OriginalAlert.event.actor_remote_ip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of the endpoint from the + start of the result set (start by counting from 0). + id: b93c8d2f-f8f3-41a0-8d5e-3505f27a0ce5 + iscommand: true + name: Search for the attacker's agent ID + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: b93c8d2f-f8f3-41a0-8d5e-3505f27a0ce5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2040\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '1' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 0c30d0e2-4703-413a-8bc0-2e5c223d443d + iscommand: true + name: Get the attacker's remote host IP address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 0c30d0e2-4703-413a-8bc0-2e5c223d443d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 90\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + iscommand: false + name: Enrichment + type: title + version: -1 + taskid: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -40\n }\n}" + '23': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + label: WORKSTATION + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '24' + WORKSTATION: + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the endpoint is a workstation or a server. 
+ id: c5470fce-c24b-4768-844b-ce10abd9c6ba + iscommand: false + name: Check if the endpoint is workstation or a server + type: condition + version: -1 + taskid: c5470fce-c24b-4768-844b-ce10abd9c6ba + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2380\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook didn't isolate the following host: ${Endpoint.Hostname} \n\n\ + This is due to one of the following reasons:\n- The device disconnected.\n\ + - The device has been identified as a server.\n\nPlease take manual action\ + \ to contain the attack and prevent the attacker from executing lateral movement\ + \ before closing this alert." + id: dc9a785d-392b-4233-89ad-b308d3412477 + iscommand: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: dc9a785d-392b-4233-89ad-b308d3412477 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 2560\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + command_line: + simple: ${Core.OriginalAlert.event.action_process_image_command_line} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This script evaluates command-line threats by analyzing both original + and decoded inputs. It assigns weighted scores to detected patterns, such + as AMSI bypass or credential dumping, and applies risk combination bonuses + for multiple detections. 
The total score is normalized to a 0-100 scale, with + risk levels categorized as follows: + + + * 0-25: Low Risk + + * 26-50: Medium Risk + + * 51-90: High Risk + + * 91-100: Critical Risk + + + The scoring mechanism provides a comprehensive risk assessment, considering + both the severity and frequency of malicious behaviors.' + id: b6c5e8f1-54fa-4924-8ad4-a65fdfb76818 + iscommand: false + name: Analyze command line + scriptName: CommandLineAnalysis + type: regular + version: -1 + taskid: b6c5e8f1-54fa-4924-8ad4-a65fdfb76818 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 575\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 440\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: CommandLineAnalysis.findings + operator: AnyMatch + right: + value: + simple: mixed case powershell, reversed command, powershell suspicious + patterns, credential dumping, double encoding, amsi techniques, malicious + commands + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: IP + root: DBotScore + operator: isEqualString + right: + value: + simple: '3' + - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '30' + label: Malicious + continueonerrortype: '' + id: '5' + ignoreworker: false 
+ isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + Malicious: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task evaluates the command line analysis results and checks + if the profile matches one or more high-risk categories or if the overall + score indicates a critical risk. + + + **Conditions:** + + + - A profile matches one or more of the following categories: **mixed case + PowerShell, reversed command, PowerShell suspicious patterns, credential dumping, + double encoding, AMSI techniques, or malicious commands.** + + - OR the score is **greater than or equal to 30**. + + - OR an **IP address** involved in the incident is flagged as **malicious**. + + + If any condition is met, mark the result as **Malicious**.' + id: d0a04858-443a-4a4c-8ac2-5ddb45a55041 + iscommand: false + name: Check for high-confidence evidence or malicious IP address + type: condition + version: -1 + taskid: d0a04858-443a-4a4c-8ac2-5ddb45a55041 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 740\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex XSIAM alerts. A summarized version of this scrips + is available with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + + For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: d8651cb0-32f4-4f7f-8c14-f9404dcf2c52 + iscommand: false + name: Retrieve all incident alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: d8651cb0-32f4-4f7f-8c14-f9404dcf2c52 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 260\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '10' + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: containsGeneral + right: + value: + simple: BLOCKED + label: Malicious + - condition: + - - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: lessThan + right: + value: + simple: '10' + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: containsGeneral + right: + value: + simple: BLOCKED + label: Medium Confidence + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + Malicious: + - '11' + Medium Confidence: + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task identifies the risk level by considering the score and + 
whether a prevention rule is present in the same incident. + + + **Conditions:** + + + - If Score is **greater than or equal to 10** AND a **prevention rule exists** + in the same incident, classify the result as **Malicious**. + + - Else, if Score is **less than 10** AND a **prevention rule exists** in the + same incident, classify the result as **Suspicious**. + + + High-risk behavior with prevention rule: **Malicious**. + + Low-risk behavior with prevention rule: **Suspicious**. + + ' + id: d5387b4c-0757-45ad-8915-0b127bbc64c0 + iscommand: false + name: Check for medium-confidence threshold with a prevention alert + type: condition + version: -1 + taskid: d5387b4c-0757-45ad-8915-0b127bbc64c0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 920\n }\n}" + '9': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: InRange + right: + value: + simple: 10,29 + label: 'yes' + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + 'yes': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task identifies medium-risk cases based on the score received\ + \ from the command line analysis script.\n\n**Conditions:**\n\nIf the score\ + \ is in the range of **10\u201329**, mark the result as **Suspicious**." 
+ id: f75ed630-b4ed-418a-8f72-f92b03afc587 + iscommand: false + name: Check for medium-confidence and request remediation approval + type: condition + version: -1 + taskid: f75ed630-b4ed-418a-8f72-f92b03afc587 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 930,\n \"y\": 1100\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_Approved\": 0.38,\n \"10_16_#default#\"\ + : 0.1,\n \"12_13_#error#\": 0.51,\n \"17_14_#default#\": 0.43,\n \"17_18_Isolate\"\ + : 0.4,\n \"19_14_#default#\": 0.21,\n \"19_23_Yes\": 0.37,\n \"23_17_WORKSTATION\"\ + : 0.46,\n \"23_24_#default#\": 0.62,\n \"5_11_Malicious\": 0.46,\n \"5_8_#default#\"\ + : 0.42,\n \"8_11_Malicious\": 0.22,\n \"8_9_#default#\": 0.58,\n \"9_10_yes\"\ + : 0.32,\n \"9_16_#default#\": 0.16\n },\n \"paper\": {\n \"dimensions\"\ + : {\n \"height\": 3335,\n \"width\": 1340,\n \"x\": 180,\n \"\ + y\": -170\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml new file mode 100644 index 000000000000..721a68533c19 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml 
@@ -0,0 +1,1140 @@ +description: "**This playbook addresses the following alerts**:\n- SSO authentication\ + \ attempt with suspicious characteristics.\n- Successful SSO authentication with\ + \ suspicious characteristics.\n\n**Playbook Stages**:\n\n**Triage**:\n- Collect\ + \ initial information about the user and the SSO authentication event.\n- Validate\ + \ whether the authentication proxy is linked to iCloud Relay.\n\n**Investigation**:\n\ + - **Check IOCs Reputation**:\n - Analyze the reputation of IP addresses associated\ + \ with the alert.\n- **Search Related Alerts**:\n - Look for alerts related to\ + \ the same user within the system to identify suspicious activity trends.\n- **Check\ + \ If User Is Risky**:\n - Retrieve the user's risk score and evaluate high-risk\ + \ indicators for suspicious activities.\n- **Check User Agent**:\n - Identify suspicious\ + \ user agents used during the authentication attempts.\n- **Check Okta Logs**:\n\ + \ - Retrieve Okta authentication logs for failed login attempts and suspicious\ + \ authentication activities within the last day.\n\n**Containment**:\n- **Automatic\ + \ Actions**:\n - Clear user sessions if any suspicious evidence is found during\ + \ the investigation.\n- **Analyst Review**:\n - Provide an analyst with findings\ + \ for review and determine the appropriate action:\n - No action required.\n\ + \ - Suspend the user in Okta.\n - If the analyst chooses to suspend the user,\ + \ their active sessions are cleared in Okta.\n\n**Requirements**:\nFor the best\ + \ results, it's recommended to ensure these integrations are configured and working:\n\ + - **Core** integration for user risk evaluation and suspicious activity checks.\n\ + - **Okta v2** integration for analyzing authentication logs, clearing sessions,\ + \ and user suspension.\n- Any IP reputation integration that supports the `!ip`\ + \ command for checking IP address reputation." 
+fromversion: 6.10.0 +id: silent-SSO Authentication With Suspicious Characteristics Test +inputs: [] +issilent: true +name: silent-SSO Authentication With Suspicious Characteristics Test +outputs: [] +starttaskid: '0' +tags: +- TA0001 - Initial Access +- T1078 - Valid Accounts +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8bd29f9d-77ae-4ae9-86f7-77b429390af6 + iscommand: false + name: '' + version: -1 + taskid: 8bd29f9d-77ae-4ae9-86f7-77b429390af6 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 20\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 3ace4f94-cff7-49ea-8267-0eff392840ab + iscommand: true + name: Collect authentication information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 3ace4f94-cff7-49ea-8267-0eff392840ab + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 300\n }\n}" + '12': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: tunnels + root: Core.OriginalAlert.raw_abioc.event.sso_debug_data + transformers: + - operator: uniq + operator: containsGeneral + right: + value: + simple: ICLOUD_RELAY_PROXY + label: yes - close alert + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + yes - close alert: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 538168f1-8287-431d-83bd-86eb4ed96eec + iscommand: false + name: Check if auth proxy is iCloud + type: condition + version: -1 + taskid: 538168f1-8287-431d-83bd-86eb4ed96eec + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 470\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: b77a453e-6a23-4585-8044-fc2f8918c4c9 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b77a453e-6a23-4585-8044-fc2f8918c4c9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2525\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: 
false + skipunavailable: false + task: + brand: '' + description: '' + id: ed5c95fb-afe7-4912-8a11-b467acfaddba + iscommand: false + name: Done + type: title + version: -1 + taskid: ed5c95fb-afe7-4912-8a11-b467acfaddba + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2690\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b0feadde-e88c-4393-8c46-569ebc9141ac + iscommand: false + name: Containment + type: title + version: -1 + taskid: b0feadde-e88c-4393-8c46-569ebc9141ac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1465\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + Username: + simple: ${Core.OriginalAlert.event.auth_normalized_user.upn} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear + user sessions.' 
+ id: 615f55bb-76d6-481a-86cd-06196dbf65aa + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: 615f55bb-76d6-481a-86cd-06196dbf65aa + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1610\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9e0cca91-c3e9-429c-8036-b7b89c3b5202 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: 9e0cca91-c3e9-429c-8036-b7b89c3b5202 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 810\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c0ea2a44-413f-44ef-85b7-a2664bf9148f + iscommand: false + name: 'Triage ' + type: title + version: -1 + taskid: c0ea2a44-413f-44ef-85b7-a2664bf9148f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 170\n }\n}" + '20': + continueonerror: true + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 4476bd38-fefa-4180-8f32-afc58b6cd7b9 + iscommand: true + name: Get core user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 4476bd38-fefa-4180-8f32-afc58b6cd7b9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 940\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyCoreReason + value: + complex: + accessor: reasons.description + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyUser + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script + + - For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automationsscript' + id: f8a044d0-204a-4078-8b6a-7af93fda9194 + iscommand: false + name: Get risky user activity + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: f8a044d0-204a-4078-8b6a-7af93fda9194 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1100\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 10882af2-70d1-4918-8486-8add87c9ba58 + iscommand: false + name: Search Related Alerts + type: title + version: -1 + taskid: 10882af2-70d1-4918-8486-8add87c9ba58 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 810\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: action_local_ip + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 10fbb0a2-eed8-485a-8809-8bbee09975b7 + iscommand: true + name: Get IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 10fbb0a2-eed8-485a-8809-8bbee09975b7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -360,\n \"y\": 940\n }\n}" + '30': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Suspend User + label: Suspend User + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + No Action: + - '14' + Suspend User: + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c94c6f69-9012-4ed2-8893-4b7cced387d0 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: c94c6f69-9012-4ed2-8893-4b7cced387d0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1950\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${Core.OriginalAlert.event.auth_normalized_user.upn} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Suspends a single user. This operation can only be performed on + users with an ACTIVE status. After the porcess is completed, the user's status + is SUSPENDED. 
+ id: ebb75b74-3580-4d8f-82af-238299139250 + iscommand: true + name: Suspend user in Okta + script: '|||okta-suspend-user' + type: regular + version: -1 + taskid: ebb75b74-3580-4d8f-82af-238299139250 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2170\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c19cb304-bab7-42d2-8249-03ffb9bccb45 + iscommand: false + name: Check Okta Logs + type: title + version: -1 + taskid: c19cb304-bab7-42d2-8249-03ffb9bccb45 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1320,\n \"y\": 810\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1c995d99-d73a-4635-840c-0cae9c8941b6 + iscommand: false + name: Check User Agent + type: title + version: -1 + taskid: 1c995d99-d73a-4635-840c-0cae9c8941b6 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 900,\n \"y\": 810\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: OktaLogs=. 
+ filter: + simple: (outcome.result eq "SUCCESS" AND (eventType eq "app.oauth2.client_id_rate_limit_warning" + OR eventType eq "user.mfa.attempt_bypass")) OR (outcome.result eq "FAILURE" + AND ( eventType eq "user.authentication.auth_via_mfa" OR eventType eq "user.authentication.auth_via_IDP" + OR eventType eq "user.account.lock" OR eventType eq "user.authentication.auth_via_social" + OR eventType eq "user.account.unlock" OR eventType eq "user.account.use_token" + OR eventType eq "app.oauth2.token.grant" OR eventType eq "app.oauth2.as.evaluate.claim" + OR eventType eq "app.oauth2.as.token.revoke")) AND actor.alternateId eq + "${Core.OriginalAlert.event.auth_normalized_user.upn}" + ignore-outputs: + simple: 'true' + since: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Gets logs by providing optional filters. + id: 452c9c63-44ef-4552-8ea7-55538f5a67a8 + iscommand: true + name: Search for suspicious authentication activity + script: '|||okta-get-logs' + type: regular + version: -1 + taskid: 452c9c63-44ef-4552-8ea7-55538f5a67a8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 1110\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '39' + - '42' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: 6ef61263-52ea-4fd5-8979-c9a56a6f75af + iscommand: false + name: Get timestamp for Okta logs + scriptName: GetTime + type: regular + version: -1 + taskid: 6ef61263-52ea-4fd5-8979-c9a56a6f75af + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1320,\n \"y\": 940\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + extend-context: + simple: FailedLogins=. + ignore-outputs: + simple: 'true' + since: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns failed login events. + id: 8d12f625-ee04-4af9-8495-3bfb4a0c9997 + iscommand: true + name: Get Okta failed logins in last day + script: '|||okta-get-failed-logins' + type: regular + version: -1 + taskid: 8d12f625-ee04-4af9-8495-3bfb4a0c9997 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1120,\n \"y\": 1110\n }\n}" + '43': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: OktaLogs + operator: isNotEqualString + right: + value: + simple: No logs found + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: FailedLogins.actor.alternateId + operator: isEqualString + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.auth_normalized_user.upn + root: FailedLogins + transformers: + - operator: count + operator: greaterThanOrEqual + right: + value: + simple: '5' + - left: + iscontext: true + value: + simple: foundIncidents.id + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: 
DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + operator: isNotEmpty + - left: + iscontext: true + value: + simple: UserAgent + operator: isNotEmpty + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: tunnels + root: Core.OriginalAlert.raw_abioc.event.sso_debug_data + transformers: + - operator: uniq + operator: containsGeneral + right: + value: + simple: '"TOR_PROXY"' + label: 'yes' + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 10ecbe66-7ca4-4080-89bb-d5af2ae0c4d0 + iscommand: false + name: Check for suspicious evidence + type: condition + version: -1 + taskid: 10ecbe66-7ca4-4080-89bb-d5af2ae0c4d0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1280\n }\n}" + '45': + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserAgent + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.normalized_user_agent + operator: match + right: + value: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|python-requests|node-fetch|PostmanRuntime|GuzzleHttp)\b + root: Core.OriginalAlert.event.normalized_user_agent + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: fe290ade-179c-411b-818a-20eb58f6d94f + iscommand: false + name: Check for a suspicious User Agent + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: fe290ade-179c-411b-818a-20eb58f6d94f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 900,\n \"y\": 940\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + ClearUserSessions: + simple: 'True' + Username: + simple: ${Core.OriginalAlert.event.auth_normalized_user.upn} + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '## Containment Plan - Clear User Sessions + + + This playbook is a sub-playbook within the containment plan playbook. + + The playbook uses the ''Okta v2'' and ''MSGraph User'' integrations to clear + user sessions.' 
+ id: b62483ff-7b2a-40dc-8eed-7cca09b538a2 + iscommand: false + name: Containment Plan - Clear User Sessions + playbookName: Containment Plan - Clear User Sessions + type: playbook + version: -1 + taskid: b62483ff-7b2a-40dc-8eed-7cca09b538a2 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 2350\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 2 hours ago + query: + complex: + accessor: '[0]' + root: alert.username + transformers: + - args: + limit: {} + replaceWith: + value: + simple: \\ + toReplace: + value: + simple: \ + operator: replace + - args: + prefix: + value: + simple: username:* + suffix: + value: + simple: '* AND (name:"A successful SSO sign-in from TOR" or name:"A + user connected from a new country using an anonymized proxy" or + name:"Abnormal first access to a resource by a user via SSO")' + operator: concat + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches Cortex alerts. A summarized version of this scrips is + avilable with the summarizedversion argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations' + id: 29b64812-1e6f-4477-84f1-a657139dcf1e + iscommand: false + name: Search for related alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 29b64812-1e6f-4477-84f1-a657139dcf1e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 60,\n \"y\": 940\n }\n}" + '48': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### Username: + + `${Core.OriginalAlert.event.auth_normalized_user.upn}` + + + --- + + + #### Malicious IP Found: + + `${.=val.DBotScore && val.DBotScore.filter(d => d.Type === "ip" && d.Score + === 3).length > 0 ? val.DBotScore.filter(d => d.Type === "ip" && d.Score + === 3)[0].Indicator : "None"}` + + + --- + + + #### Core User Risk Analysis: + + - **User is risky**: `${.=val.UserRiskyCoreReason ? "Yes, Reason: " + + val.UserRiskyCoreReason : "N/A"}` + + + --- + + + #### Related Alerts: + + ${.=val.foundIncidents && val.foundIncidents.length > 0 ? Array.from(new + Set(val.foundIncidents.map(incident => " - " + incident.name))).join("\n\n") + : "N/A"} + + + --- + + + #### User Agent Analysis: + + - **Suspicious User Agent**: `${.=val.UserAgent ? val.UserAgent : "N/A"}` + + + --- + + + #### Okta Logs Analysis: + + - **Last Day Failed Login Attempts**: `${.=val.FailedLogins && val.FailedLogins + !== "No logs found" ? val.FailedLogins.filter(f => f.actor.alternateId + === val.Core.OriginalAlert.event.auth_normalized_user.upn).length : "N/A"}` + + - **Number of Suspicious Okta System Logs from Last Day**: + + `${.=val.OktaLogs !== "No logs found" ? 
val.OktaLogs.length : "N/A"}` + + + #### Action Required: + + Please choose the action you want to perform: + + + - **No Action** + + - **Suspend User**: Suspend the user in Okta.' + options: [] + optionsarg: + - simple: No Action + - simple: Suspend User + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: Your SOC team + title: Analyst Action + totalanswers: 0 + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + scriptarguments: + key: + simple: Message + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5f4c7dba-a5ad-4f41-8487-1f5d4d981f62 + iscommand: false + name: Manual Task - User Action Decision + type: collection + version: -1 + taskid: 5f4c7dba-a5ad-4f41-8487-1f5d4d981f62 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 1780\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b7c04990-1c58-4572-83e5-be31d44fe88a + iscommand: false + name: Check IOCs Reputation + type: title + version: -1 + taskid: b7c04990-1c58-4572-83e5-be31d44fe88a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -360,\n \"y\": 810\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '24' + - '19' + - '35' + - '36' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: '' + id: eec90eed-fe16-4f75-8f44-60e27270f03e + iscommand: false + name: Investigation + type: title + version: -1 + taskid: eec90eed-fe16-4f75-8f44-60e27270f03e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 480,\n \"y\": 660\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_14_yes - close alert\": 0.16,\n \ + \ \"12_9_#default#\": 0.36,\n \"30_14_No Action\": 0.29,\n \"30_32_Suspend\ + \ User\": 0.63,\n \"43_14_#default#\": 0.11,\n \"43_17_yes\": 0.57\n },\n\ + \ \"paper\": {\n \"dimensions\": {\n \"height\": 2735,\n \"width\"\ + : 2270,\n \"x\": -360,\n \"y\": 20\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml new file mode 100644 index 000000000000..a7df77ff5084 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml 
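Review bot: Task '43' routes to 'Close Alert' (task '14') whenever none of its evidence conditions match, yet every evidence-gathering task that feeds it — IP reputation ('3'), the risky-user lookup ('20') and both Okta log searches ('39', '42') — is marked `skipunavailable: true` and/or `continueonerror: true`, so a missing or failing integration silently degrades into a benign verdict instead of an escalation. The TOR tunnel check in that same condition compares against `simple: '"TOR_PROXY"'` with literal quote characters, while the iCloud check in task '12' uses the bare `simple: ICLOUD_RELAY_PROXY`; unless the raw `tunnels` field actually carries quotes, the TOR branch can never fire and a TOR-proxied sign-in falls through to auto-close. I would change the right-hand value to `simple: TOR_PROXY` and route the `#default#` branch of '43' to the analyst form in '48' (or gate the close on each lookup having returned data) so that absent evidence is not treated as clean evidence. The `okta-suspend-user` task ('32') is likewise `skipunavailable: true`, so an analyst's 'Suspend User' decision can be skipped without notice and the playbook still proceeds to close the alert. Task '39' also interpolates `auth_normalized_user.upn` unescaped into a double-quoted Okta filter expression, whereas task '47' escapes backslashes for its query; a quote in the UPN would break or alter the filter.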
@@ -0,0 +1,1045 @@ +description: 'This playbook is designed to handle the alert "Scheduled task created + with HTTP or FTP reference". + + + The playbook executes the following stages: + + + Investigation: + + During the alert investigation, the playbook will perform the following: + + - Checks the IP and the URL reputation. + + - Checks the CGO process signature. + + - Searches for related XDR agent alerts to determine if the creation of the scheduled + task is part of an attack pattern. + + + Remediation: + + - Remediation actions will be taken if the CGO process is unsigned, the IP or URL + has a malicious reputation, or a related alert is detected. In these cases, the + playbook will disable the scheduled task, block the malicious indicators, and close + the alert. + + + Requires: To block the malicious URL and IP, configure ''Palo Alto Networks PAN-OS'' + integration. + + ' +fromversion: 6.10.0 +id: silent-Scheduled task created with HTTP or FTP reference Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Scheduled task created with HTTP or FTP reference Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 80\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 
6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 210\n }\n}" + '10': + continueonerror: true + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + key: + simple: ExtractedTaskName + value: + complex: + accessor: targetprocesscmd + root: alert + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?i).*tn\s(.*?)\s\/ + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extract the name and path of the malicious scheduled task and sets + the value in context key 'ExtractedTaskName'. + id: f5deb02f-7086-4e3f-8672-40de9759ae36 + iscommand: false + name: Extract the name and path of the malicious scheduled task + scriptName: Set + type: regular + version: -1 + taskid: f5deb02f-7086-4e3f-8672-40de9759ae36 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 990\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Scheduled task created with HTTP + or FTP reference" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: 4189ee6f-1a2c-4ff7-8c0e-8d096e6ecf0e + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4189ee6f-1a2c-4ff7-8c0e-8d096e6ecf0e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2690\n }\n}" + '14': + continueonerror: true + continueonerrortype: errorPath + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '22' + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe schtasks /change /tn "${ExtractedTaskName}" /disable + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Disable the malicious scheduled task by executing shell commands. + id: 5fb7fc6e-1bed-4e79-8ba3-b757fd583e94 + iscommand: true + name: Disable the malicious scheduled task + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 5fb7fc6e-1bed-4e79-8ba3-b757fd583e94 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1160\n }\n}" + '17': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether a malicious IP is detected and requires blocking. 
+ id: 47529ac8-a0ed-4d35-8019-a8b679181f22 + iscommand: false + name: Is there a malicious IP to block? + type: condition + version: -1 + taskid: 47529ac8-a0ed-4d35-8019-a8b679181f22 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 2000\n }\n}" + '18': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether a malicious URL is detected and requires blocking. + id: 9b2696ef-df04-4496-8451-531d164d904c + iscommand: false + name: Is there a malicious URL to block? 
+ type: condition + version: -1 + taskid: 9b2696ef-df04-4496-8451-531d164d904c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2000\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict based on: + + - Process Signature (CGO Process) + + - IP Reputation + + - URL Reputation' + id: 1726e203-af36-4ddf-88ea-b94006caadeb + iscommand: false + name: Check for unsigned CGO or malicious IP or URL + type: condition + version: -1 + taskid: 1726e203-af36-4ddf-88ea-b94006caadeb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 340\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 0 + wait: 1 + nexttasks: + 
'#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' 
+ id: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00 + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 2190\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: 'Yes' + CustomURLCategory: + simple: XSIAM - Malicious URLs + URL: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + pre-post: + simple: pre-rulebase + type: + simple: URL List + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks URLs using Palo Alto Networks Panorama or + Firewall through Custom URL Categories. + + The playbook checks whether the input URL category already exists, and if + the URLs are a part of this category. Otherwise, it will create the category, + block the URLs, and commit the configuration.' 
+ id: a7b4dd30-58d1-4e5a-8fae-e4079d446aae + iscommand: false + name: PAN-OS - Block URL - Custom URL Category + playbookName: PAN-OS - Block URL - Custom URL Category + type: playbook + version: -1 + taskid: a7b4dd30-58d1-4e5a-8fae-e4079d446aae + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 30,\n \"y\": 2520\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + Please note that during the remediation process, the playbook failed to disable + the scheduled task ${ExtractedTaskName} + + + Please take manual action to disable the scheduled task. ' + id: e5e0d51f-b834-47d0-81f2-326aaab123dc + iscommand: false + name: Disable the malicious scheduled task manually + type: regular + version: -1 + taskid: e5e0d51f-b834-47d0-81f2-326aaab123dc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 1690\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c5219f31-047d-4cee-888e-f7c63909a296 + iscommand: false + name: Block Malicious Indicators + type: title + version: -1 + taskid: c5219f31-047d-4cee-888e-f7c63909a296 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1860\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Should Block the following malicious URL: ${BadUrl} using PAN-OS?' 
+ cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + 'No': + - '13' + 'Yes': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval required for URL blocking. + id: e16a5d0b-f119-4691-811e-28c3d0221004 + iscommand: false + name: Analyst approval for Block URL + type: condition + version: -1 + taskid: e16a5d0b-f119-4691-811e-28c3d0221004 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2350\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + key: + simple: BadUrl + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. 
If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 635dc7e9-df29-49fe-8218-dbf28d22be32 + iscommand: false + name: Set malicious URL's + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 635dc7e9-df29-49fe-8218-dbf28d22be32 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 2190\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2850\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook executed a shell command to disable the following scheduled\ + \ task: \n${ExtractedTaskName}" + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to war room (Markdown supported) + 
id: 4ebfbf7e-b9c0-4ec7-86c5-b741ec7142fa + iscommand: false + name: Notify to War Room - Scheduled Task Disabled + scriptName: Print + type: regular + version: -1 + taskid: 4ebfbf7e-b9c0-4ec7-86c5-b741ec7142fa + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1690\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 917a0b85-38b9-4f5a-86bf-2bc724829f8e + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 917a0b85-38b9-4f5a-86bf-2bc724829f8e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1325\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 860\n }\n}" + '30': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: SUCCESS + label: 'yes' + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '28' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 9bca942b-9378-49c2-85f9-1b04f168f8a3 + iscommand: false + name: Has the script disabled the task successfully? + type: condition + version: -1 + taskid: 9bca942b-9378-49c2-85f9-1b04f168f8a3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1490\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a3fc63d5-f57f-4e5b-89cb-9fcd435227fc + iscommand: false + name: Done + type: title + version: -1 + taskid: a3fc63d5-f57f-4e5b-89cb-9fcd435227fc + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 1150\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 860\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for 
Cortex XSIAM related alerts to the current + incident. + + + ' + id: a4828e36-f8a7-4072-8c5b-959194e04595 + iscommand: false + name: Get Incident related alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: a4828e36-f8a7-4072-8c5b-959194e04595 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 525\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.sourceBrand + operator: isEqualString + right: + value: + simple: TRAPS + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.categoryname + operator: isEqualString + right: + value: + simple: Malware + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the incident contains agent alerts indicating + that the alert was part of an attack pattern. + id: 7f8c3f22-69fa-442d-854f-b29ccb764512 + iscommand: false + name: Found any alerts indicating this is a malicious scheduled task? 
+ type: condition + version: -1 + taskid: 7f8c3f22-69fa-442d-854f-b29ccb764512 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 840,\n \"y\": 690\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "Scheduled task created with HTTP + or FTP reference" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 639bf5a9-68a5-4358-878e-9003fb370d6b + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 639bf5a9-68a5-4358-878e-9003fb370d6b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1210,\n \"y\": 990\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"14_22_#error#\": 0.55,\n \"17_13_#default#\"\ + : 0.18,\n \"17_20_yes\": 0.43,\n \"18_13_#default#\": 0.16,\n \"18_25_yes\"\ + : 0.46,\n \"24_13_No\": 0.21,\n \"24_21_Yes\": 0.55,\n \"2_3_yes\": 0.28,\n\ + \ \"2_6_#default#\": 0.42,\n \"30_28_yes\": 0.53,\n \"8_3_yes\": 0.47,\n\ + \ \"8_5_#default#\": 0.48\n },\n \"paper\": {\n \"dimensions\": {\n \ + \ \"height\": 2835,\n \"width\": 1590,\n \"x\": 0,\n \"y\": 80\n\ + \ }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml new file mode 100644 index 000000000000..be0d3780731b --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml 
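Review bot: Task '14' interpolates `ExtractedTaskName` unvalidated into `powershell.exe schtasks /change /tn "${ExtractedTaskName}" /disable` and runs it on the endpoint, but task '10' takes that value from `alert.targetprocesscmd` — the command line of the very scheduled-task creation under investigation, i.e. text chosen by whoever created the task — so a task name containing a double quote or other PowerShell metacharacters changes what the remediation command executes. Two smaller problems sit on the same path: `RegexExtractAll` can yield more than one match, and a name that was quoted in the original command line keeps its quotes and is wrapped in a second pair by the `/tn "..."` template. I would insert a condition task between '10' and '14' that only passes the value when it matches a strict anchored pattern such as `^[A-Za-z0-9_\-\. \\]+$` and otherwise routes to the existing manual task '22'; a sketch is below, with the boilerplate fields every task here carries left out. Separately, task '9' has `description: commands.local.cmd.close.inv`, which reads like a resource key rather than a description; task '13' already has the intended wording, `Close the current alert.`.
```yaml
  '10':
    # … unchanged: regex extraction into ExtractedTaskName …
    nexttasks:
      '#none#':
      - '<new-task-id>'
  '<new-task-id>':
    conditions:
    - condition:
      - - left:
            iscontext: true
            value:
              simple: ExtractedTaskName
          operator: AnyMatch
          right:
            value:
              simple: ^[A-Za-z0-9_\-\. \\]+$
      label: 'yes'
    id: '<new-task-id>'
    nexttasks:
      '#default#':
      - '22'
      'yes':
      - '14'
    task:
      description: Pass the extracted task name to the endpoint command only if it consists of safe characters; anything else is handled manually.
      id: <new-task-uuid>
      name: Is the extracted task name safe to use in a command?
      type: condition
    type: condition
    # … unchanged: ignoreworker, quietmode, view and the other fields used by the sibling condition tasks …
```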
@@ -0,0 +1,1511 @@ +description: "**This playbook addresses the following alert**:\n- Rare successful\ + \ guest invitation in the organization\n\n**Playbook Stages**:\n\n**Triage**:\n\ + - Gather initial information about the invited user and associated alerts.\n\n**Investigation**:\n\ + - **Check IOCs Reputation**:\n - Analyze the reputation of IP addresses, email\ + \ addresses, and domains related to the incident.\n- **Check for Azure Alerts**:\n\ + \ - Retrieve user Principal Name (UPN).\n - Extract recent Azure security alerts\ + \ for the inviting user.\n- **Check if User is Risky**:\n - Assess the risk score\ + \ of the inviting user based on Core and Azure risk indicators.\n - Investigate\ + \ reasons behind any identified risks, including recent detections.\n\n**Containment**:\n\ + - Provide a manual task for an analyst to review the findings and decide the next\ + \ steps.\n- Possible actions:\n - Disable the invited user.\n - Disable the inviting\ + \ user.\n - Disable both users.\n - Take no action.\n- If users are disabled,\ + \ revoke their active sessions to ensure immediate containment.\n\n**Requirements**:\n\ + For the best results, it's recommended to ensure these integrations are configured\ + \ and working:\n- `Cortex Core - Investigation and Response` for Core user risk\ + \ evaluation.\n- `Azure Risky Users` for retrieving user risk scores.\n- `Microsoft\ + \ 365 Defender` for advanced hunting queries and Azure security alerts.\n- `Microsoft\ + \ Graph User` for disabling accounts and revoking sessions." 
+fromversion: 6.10.0 +id: silent-Successful guest user invitation Test +inputs: [] +issilent: true +name: silent-Successful guest user invitation Test +outputs: [] +starttaskid: '0' +tags: +- TA0003 - Persistence +- T1078 - Valid Accounts +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d395cb57-8e6e-4be4-8ea4-e35bf7698692 + iscommand: false + name: '' + version: -1 + taskid: d395cb57-8e6e-4be4-8ea4-e35bf7698692 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -70\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: e6c32126-6a42-4792-84f8-33add6e8a05e + iscommand: true + name: Collect invited user information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: e6c32126-6a42-4792-84f8-33add6e8a05e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 190\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + query: + simple: let _start = now(-1d); AlertEvidence | where Timestamp >= _start | + where AccountUpn == "${UserUPN}" + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Advanced hunting is a threat-hunting tool that uses specially + constructed queries to examine the past 30 days of event data in Microsoft + 365 Defender. Details on how to write queries: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language?view=o365-worldwide.' 
+ id: f04d72e0-226e-4913-849b-440a51cc1933 + iscommand: true + name: Get Azure alerts + script: '|||microsoft-365-defender-advanced-hunting' + type: regular + version: -1 + taskid: f04d72e0-226e-4913-849b-440a51cc1933 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 790\n }\n}" + '11': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### Invited User: + + `${Core.OriginalAlert.event.azure_ad_invited_user_email}` + + + #### Inviting User: + + `${Core.OriginalAlert.event.identity_invoked_by_name}` + + + --- + + + ### Malicious Indicators Found: + + - **Malicious IP**: `${.=val.MaliciousIP || "None"}` + + - **Malicious Domain**: `${.=val.MaliciousDomain || "None"}` + + - **Malicious Email**: `${.=val.MaliciousEmail || "None"}` + + + --- + + + ### Inviting User Risk Analysis: + + - **User is risky (Core)**: `${.=val.UserRiskyCoreReason ? "Yes, Reason: + " + val.UserRiskyCoreReason : "N/A"}` + + - **User is risky (Azure)**: `${.=val.UserRiskyAzureDetections ? "Yes, + Risk Types: " + val.UserRiskyAzureDetections : "N/A"}` + + + --- + + + ### Inviting User Azure Security Alerts: + + - **Alerts titles from last day**: `${.=val.AzureSecurityAlerts || "N/A"}` + + + --- + + + ### Action Required: + + Please choose the action you want to perform. 
+ + ' + options: [] + optionsarg: + - simple: No Action + - simple: Disable Invited User + - simple: Disable Inviting User + - simple: Disable Both Users + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: Your SOC team + title: Analyst Action + totalanswers: 0 + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + scriptarguments: + key: + simple: Message + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e6461e8b-95a4-4c50-8e7d-691dbd4ff032 + iscommand: false + name: Manual Task - User Account Disablement Decision + type: collection + version: -1 + taskid: e6461e8b-95a4-4c50-8e7d-691dbd4ff032 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1600\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousEmail + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: email + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. 
+ + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d05451a6-6c9e-40a4-8498-3655c8540813 + iscommand: false + name: Get malicious Email value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d05451a6-6c9e-40a4-8498-3655c8540813 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -190,\n \"y\": 960\n }\n}" + '15': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: HIGH + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + HIGH: + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: b6d9862d-d090-4d8b-8e17-55a8ba786a55 + iscommand: false + name: Get risky user value + type: condition + version: -1 + taskid: b6d9862d-d090-4d8b-8e17-55a8ba786a55 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": 790\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + scriptarguments: + detected_date_time_after: + simple: ${TimeNow} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a comma-separated list of the Risk Detection objects and + their properties. 
+ id: cfddda6b-e851-4f07-8e6f-8e7c45261acf + iscommand: true + name: Get Azure risky user detections + script: '|||azure-risky-users-risk-detections-list' + type: regular + version: -1 + taskid: cfddda6b-e851-4f07-8e6f-8e7c45261acf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 1130\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyCoreReason + value: + complex: + accessor: description + root: Core.RiskyUser.reasons + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: 1e118a21-f5b8-4d92-8c86-06046d48a485 + iscommand: false + name: Get risky user reasons value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 1e118a21-f5b8-4d92-8c86-06046d48a485 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": 970\n }\n}" + '19': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: 
AzureRiskyUsers.RiskyUser.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + root: AzureRiskyUsers.RiskyUser.userPrincipalName + transformers: + - operator: toUpperCase + - operator: uniq + operator: isEqualString + right: + iscontext: true + value: + complex: + accessor: userPrincipalName + root: Core.OriginalAlert.event.identity_orig.user + transformers: + - operator: uniq + label: 'yes' + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + 'yes': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9426357e-6d8e-42f5-844b-322c7dc76c22 + iscommand: false + name: Check if inviting user is risky + type: condition + version: -1 + taskid: 9426357e-6d8e-42f5-844b-322c7dc76c22 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 790\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.raw_log.additionalDetails.key + operator: isEqualString + right: + value: + simple: ipaddr + root: Core.OriginalAlert.event.raw_log.additionalDetails + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: a1763bd9-5867-404f-8384-22d54fe63ed4 + iscommand: true + name: Check IP Reputation + script: '|||ip' + type: regular + version: -1 + taskid: a1763bd9-5867-404f-8384-22d54fe63ed4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 800\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserRiskyAzureDetections + value: + complex: + accessor: riskEventType + filters: + - - left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.userPrincipalName + operator: in + right: + iscontext: true + value: + simple: Core.OriginalAlert.event.identity_orig.user.userPrincipalName + - - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: atRisk + - ignorecase: true + left: + iscontext: true + value: + simple: AzureRiskyUsers.RiskDetection.riskState + operator: isEqualString + right: + value: + simple: confirmedCompromised + root: AzureRiskyUsers.RiskDetection + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: 6c02e6b9-cd98-4865-8412-1c1bf2e0b401 + iscommand: false + name: Extract Azure user detections + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 6c02e6b9-cd98-4865-8412-1c1bf2e0b401 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 1290\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: AzureSecurityAlerts + value: + complex: + accessor: Title + root: Microsoft365Defender.Hunt.results + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: a890149a-86f7-4dd2-8c9c-9b8fbb03de03 + iscommand: false + name: Extract Azure user alerts + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: a890149a-86f7-4dd2-8c9c-9b8fbb03de03 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 970\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + key: + simple: UserUPN + value: + complex: + accessor: identity_invoked_by_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d2afb6c7-6bdb-450c-801f-5c051fd4b93a + iscommand: false + name: Get user UPN + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d2afb6c7-6bdb-450c-801f-5c051fd4b93a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 630\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousDomain + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: domain + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. 
+ + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d29624dd-7417-474c-8a40-d7e5d03463c3 + iscommand: false + name: Get malicious Domain value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d29624dd-7417-474c-8a40-d7e5d03463c3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 960\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + scriptarguments: + dateFormat: + simple: ISO + daysAgo: + simple: '1' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Retrieves the current date and time. 
+ + ' + id: 0aef3402-3ee9-4560-80ad-8b50f6b202ba + iscommand: false + name: Get timestamp for Azure detections + scriptName: GetTime + type: regular + version: -1 + taskid: 0aef3402-3ee9-4560-80ad-8b50f6b202ba + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 970\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a90a63d9-83a0-4798-8214-cba052dc69ac + iscommand: false + name: 'Triage ' + type: title + version: -1 + taskid: a90a63d9-83a0-4798-8214-cba052dc69ac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 60\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + - '9' + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2d6254cd-07ed-4958-8e96-faf1d7fabf2c + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 2d6254cd-07ed-4958-8e96-faf1d7fabf2c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 350\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + key: + simple: MaliciousIP + value: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: greaterThanOrEqual + right: + value: + simple: '3' + root: DBotScore + separatecontext: false + skipunavailable: 
false + task: + brand: '' + description: 'Set a value in context under the key you entered. If no value + is entered, the script doesn''t do anything. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + - For Cortex XSOAR 6, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations + + - For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script + + - For Cortex XSOAR 8 On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script' + id: d4e029ba-e082-48f7-8ea8-189f02abdbc9 + iscommand: false + name: Get malicious IP value + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: d4e029ba-e082-48f7-8ea8-189f02abdbc9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -610,\n \"y\": 960\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9a373a18-fd7d-4626-8dc9-c783e832f73a + iscommand: false + name: Containment + type: title + version: -1 + taskid: 9a373a18-fd7d-4626-8dc9-c783e832f73a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1460\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + email: + complex: + accessor: azure_ad_invited_user_email + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + 
description: Return email information and reputation. + id: e0039359-d2b9-4ccd-8a4f-6c2042d88fa8 + iscommand: true + name: Check Email Reputation + script: '|||email' + type: regular + version: -1 + taskid: e0039359-d2b9-4ccd-8a4f-6c2042d88fa8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -190,\n \"y\": 800\n }\n}" + '31': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Invited User + label: Disable Invited User + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Inviting User + label: Disable Inviting User + - condition: + - - left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Both Users + label: Disable Both + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable Both: + - '36' + Disable Invited User: + - '34' + Disable Inviting User: + - '35' + No Action: + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c44a7dd2-2ebd-420b-8e41-1a625c1fcdc6 + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: c44a7dd2-2ebd-420b-8e41-1a625c1fcdc6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1760\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '33' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 90bcff20-0d45-43cc-8d36-8893827cb927 + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 90bcff20-0d45-43cc-8d36-8893827cb927 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2300\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '37' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + complex: + root: . + transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": \"#{Analyst Action.Answers.0}\ + \ in ['Disable Invited User','Disable Inviting User','Disable\ + \ Both Users']\",\n \"return\": \"Action was taken.\"\n \ + \ },\n {\n \"condition\": \"#{MaliciousIP} != null or\ + \ #{MaliciousEmail} != null or #{MaliciousDomain} != null or #{AzureSecurityAlerts}\ + \ != null or #{UserRiskyCoreReason} != null or #{UserRiskyAzureDetections}\ + \ != null\",\n \"return\": \"Evidence found, but no action\ + \ was taken.\"\n },\n {\n \"default\": \"No evidence\ + \ found, and no action was taken.\"\n }\n]" + flags: {} + operator: If-Elif + closeReason: + complex: + root: . 
+ transformers: + - args: + conditions: + value: + simple: "[\n {\n \"condition\": \"#{Analyst Action.Answers.0}\ + \ in ['Disable Invited User','Disable Inviting User','Disable\ + \ Both Users']\",\n \"return\": \"Resolved - True Positive\"\ + \n },\n {\n \"condition\": \"#{MaliciousIP} != null\ + \ or #{MaliciousEmail} != null or #{MaliciousDomain} != null or\ + \ #{AzureSecurityAlerts} != null or #{UserRiskyCoreReason} !=\ + \ null or #{UserRiskyAzureDetections} != null\",\n \"return\"\ + : \"Resolved - Other\"\n },\n {\n \"default\": \"Resolved\ + \ - False Positive\"\n }\n]" + flags: {} + operator: If-Elif + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: a61f329c-9e81-4f34-8e85-4a2c381bdd81 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: a61f329c-9e81-4f34-8e85-4a2c381bdd81 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2430\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: referenced_resource_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: 00f31533-8e09-486f-85ae-627ec0470249 + iscommand: true + name: Disable invited user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 00f31533-8e09-486f-85ae-627ec0470249 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 860,\n \"y\": 1960\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: fc9cf6aa-4caf-4808-8384-24cca2e9811f + iscommand: true + name: Disable inviting user + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: fc9cf6aa-4caf-4808-8384-24cca2e9811f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1950\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - args: + item: + iscontext: true + value: + simple: Core.OriginalAlert.event.referenced_resource_name + operator: append + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables user, + + but does not terminate an existing session. 
Supported only in a self deployed + app flow with the + + Permission: Directory.AccessAsUser.All(Delegated).' + id: 52dfce7a-8d58-44b6-80ef-795bd0557774 + iscommand: true + name: Disable both users + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: 52dfce7a-8d58-44b6-80ef-795bd0557774 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -40,\n \"y\": 1960\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3d6594cb-2ea9-40c1-8bdb-84184f3a5a24 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3d6594cb-2ea9-40c1-8bdb-84184f3a5a24 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2590\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + user: + complex: + accessor: identity_name + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session- Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' 
+ id: f0e00113-ce6d-4349-8f04-ff8c2f7bb692 + iscommand: true + name: Revoke user session + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: f0e00113-ce6d-4349-8f04-ff8c2f7bb692 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 2130\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + domain: + complex: + accessor: value + filters: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.raw_log.additionalDetails.key + operator: isEqualString + right: + value: + simple: invitedUserEmailAddress + root: Core.OriginalAlert.event.raw_log.additionalDetails + transformers: + - operator: uniq + - args: + delimiter: + value: + simple: '@' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns domain information and reputation. 
+ id: 10c53f6d-7f53-4bf5-8639-0f04d4045bdf + iscommand: true + name: Check Domain Reputation + script: '|||domain' + type: regular + version: -1 + taskid: 10c53f6d-7f53-4bf5-8639-0f04d4045bdf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 800\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + - '3' + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c795477f-1d39-4f2d-86d7-c8f41049c282 + iscommand: false + name: Check IOCs Reputation + type: title + version: -1 + taskid: c795477f-1d39-4f2d-86d7-c8f41049c282 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -190,\n \"y\": 490\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 74b4c90b-dd73-40fe-894a-41fd31a2ea26 + iscommand: false + name: Check If User Is Risky + type: title + version: -1 + taskid: 74b4c90b-dd73-40fe-894a-41fd31a2ea26 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1320,\n \"y\": 490\n }\n}" + '7': + continueonerror: true + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 9afa3a6b-4c66-4a48-8b54-abd766944c71 + iscommand: true + name: Get core user risk score + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: 9afa3a6b-4c66-4a48-8b54-abd766944c71 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": 630\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + updated_after: + simple: 1 days + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: 028a7bc3-b0e3-41da-822b-87cc8aaeed88 + iscommand: true + name: Get Azure user risk score + script: '|||azure-risky-users-list' + type: regular + version: -1 + taskid: 028a7bc3-b0e3-41da-822b-87cc8aaeed88 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1530,\n \"y\": 630\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns a list of all risky users and their properties. + id: ba77d817-81eb-485c-878b-04d0c5e33572 + iscommand: false + name: Check For Azure Alerts + type: title + version: -1 + taskid: ba77d817-81eb-485c-878b-04d0c5e33572 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 670,\n \"y\": 490\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"15_18_HIGH\": 0.43,\n \"15_29_#default#\"\ + : 0.16,\n \"19_24_yes\": 0.45,\n \"19_29_#default#\": 0.11,\n \"31_32_No\ + \ Action\": 0.55\n },\n \"paper\": {\n \"dimensions\": {\n \"height\"\ + : 2725,\n \"width\": 2520,\n \"x\": -610,\n \"y\": -70\n }\n \ + \ }\n}" 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml new file mode 100644 index 000000000000..0e2886916d57 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml 
@@ -0,0 +1,1115 @@ +description: 'This playbook addresses the following alerts: + + + - Suspicious Hidden User Created + + + Playbook Stages: + + + Triage: + + + - Retrieve event information about the created user + + + Investigation: + + + - Check if the user is local or domain. + + - For domain users: Retrieve AD attributes, including password expiration. + + - For local users: Run a Powershell command to get "Password Expires" attribute + of the local user. + + - Get risk level for the affected host. + + - Search for related Script Engine Activity alerts in the incident. + + + Containment: + + + - For alerts determined to be true positives, suggest to the analyst to disable + the user. + + - Upon analyst approval: Disable the suspicious user account (domain or local). + + - If a related alert about malicious activity exists, kill the Causality Group Owner + (CGO) process that created the suspicious user. + + + Requirements: + + + For response actions, you need the following integrations: + + + - Cortex Core - Investigation and Response + + - Active Directory Query v2 (for domain user actions).' 
+fromversion: 8.8.0 +id: silent-Suspicious Hidden User Created Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Suspicious Hidden User Created Test +outputs: [] +starttaskid: '0' +tags: +- T1136 - Create Account +- 'T1564.002 - Hide Artifacts: Hidden Users' +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6327954b-08af-4580-86fb-10b6cc36af72 + iscommand: false + name: '' + version: -1 + taskid: 6327954b-08af-4580-86fb-10b6cc36af72 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 60\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets extra information about the alert - such as the information + from the event itself, the name of the user that was created, and additional + computed fields. 
+ id: ff60deb2-4aef-459e-8866-d41eef9ec252 + iscommand: true + name: Get event information for created user + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: ff60deb2-4aef-459e-8866-d41eef9ec252 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 320\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + key: + simple: PasswordNeverExpires + value: + complex: + accessor: DONT_EXPIRE_PASSWORD + root: ActiveDirectory.Users.userAccountControlFields + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: 'false' + operator: SetIfEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the value of the AD attribute DONT_EXPIRE_PASSWORD for the + domain user that was created. + id: 6987961f-d243-48be-840a-fb263ed5d37c + iscommand: false + name: Save password expiration status + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 6987961f-d243-48be-840a-fb263ed5d37c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1260\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + commands: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: 'powershell -Command "NET USER ' + suffix: + value: + simple: '"' + operator: concat + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Runs a Powershell code snipper on the endpoint where the user was + created, in 
order to retrieve the PASSWORDEXPIRES attribute of the local user. + id: b4c6cb09-eaf2-4bcb-857d-cef36dc0c35d + iscommand: true + name: Retrieve local user password expiration status + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: b4c6cb09-eaf2-4bcb-857d-cef36dc0c35d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 940\n }\n}" + '12': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CIDToTerminate + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '24' + 'Yes': + - '22' + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether a malicious process was detected in a related alert + in this incident, by checking the previously saved CIDToTerminate key which + holds the Causality IDs used to terminate the main process. 
+ id: 135ba6b9-09ce-4b11-889c-4d48c2beec81 + iscommand: false + name: Evaluate suspicious process involvement + type: condition + version: -1 + taskid: 135ba6b9-09ce-4b11-889c-4d48c2beec81 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1560\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7fd41810-cc95-4bf5-86f0-58891eec8437 + iscommand: false + name: User Checks + type: title + version: -1 + taskid: 7fd41810-cc95-4bf5-86f0-58891eec8437 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 620\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5ffbc163-0d81-493a-89f1-56bfcdfa6019 + iscommand: false + name: Related Alert Checks + type: title + version: -1 + taskid: 5ffbc163-0d81-493a-89f1-56bfcdfa6019 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 620\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: aba719e4-e95f-47fb-812f-c2acee433da6 + iscommand: false + name: Triage + type: title + version: -1 + taskid: aba719e4-e95f-47fb-812f-c2acee433da6 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 190\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + 
nexttasks: + '#none#': + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0c51d3d5-197b-4a55-87da-153544e52ef1 + iscommand: false + name: Remediation - Terminate Process + type: title + version: -1 + taskid: 0c51d3d5-197b-4a55-87da-153544e52ef1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 1910\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9457ee55-9539-45df-8ad2-e40a79080e8b + iscommand: false + name: Remediation - Disable User + type: title + version: -1 + taskid: 9457ee55-9539-45df-8ad2-e40a79080e8b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1910\n }\n}" + '24': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + root: Core.RiskyHost.risk_level + operator: isNotEmpty + right: + value: {} + - - ignorecase: true + left: + iscontext: true + value: + simple: PasswordNeverExpires + operator: isEqualString + right: + value: + simple: 'true' + - ignorecase: true + left: + iscontext: true + value: + simple: LocalUserPasswordStatus + operator: containsString + right: + value: + simple: never + label: 'yes' + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '25' + 'yes': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the local/domain user's password never expires, and if + the risk level of the host where the alert occurred is 
HIGH. + id: 409ddefb-be6c-4bc1-8711-766fd39ebc3f + iscommand: false + name: User's password never expires & host risky? + type: condition + version: -1 + taskid: 409ddefb-be6c-4bc1-8711-766fd39ebc3f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 700,\n \"y\": 1730\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + scriptarguments: + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: b74eb7e6-f518-487a-8c6d-2dcc6b212d06 + iscommand: true + name: Close Investigation + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b74eb7e6-f518-487a-8c6d-2dcc6b212d06 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 2560\n }\n}" + '26': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.account_creation_is_local + operator: isFalse + right: + value: {} + label: Domain + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '32' + Domain: + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user is a domain user or a local user. 
+ id: ad963433-40ff-4dc1-8cd9-a8f92923aee1 + iscommand: false + name: Check user type (Domain/Local) + type: condition + version: -1 + taskid: ad963433-40ff-4dc1-8cd9-a8f92923aee1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2220\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets the execution results for the Powershell code that was run. + id: cad56c70-2a13-4d13-8cd8-e7418afafb3a + iscommand: true + name: Get execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: cad56c70-2a13-4d13-8cd8-e7418afafb3a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 1100\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + key: + simple: LocalUserPasswordStatus + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.[0].command_output + operator: containsGeneral + right: + value: + simple: Password expires + root: Core.ScriptResult.results.[0].command_output + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extracts and saves the PASSWORDEXPIRES value of the locally created + user from the results of the Powershell script execution. 
+ id: debbbea1-ba6b-4627-8d3b-a22bcc475682 + iscommand: false + name: Extract password expiration flag + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: debbbea1-ba6b-4627-8d3b-a22bcc475682 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1100,\n \"y\": 1260\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + host_id: + simple: ${alert.hostname} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets the risk level of the host on which the user was created. + id: f02f7069-0dcd-4c6d-855f-0131096279de + iscommand: true + name: Get host risk level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: f02f7069-0dcd-4c6d-855f-0131096279de + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 750\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: 'Would you like to disable the following user? + + ' + suffix: {} + operator: concat + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#default#': + - '25' + 'Yes': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Manual - Review the findings and make a decision regarding the + remediation of the suspicious user. + id: 226d8c69-2473-4f57-8e09-bf70c6d95fb3 + iscommand: false + name: Analyst review - disable suspicious user? 
+ type: condition + version: -1 + taskid: 226d8c69-2473-4f57-8e09-bf70c6d95fb3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2045\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + username: + simple: ${Core.OriginalAlert.event.evtlog_target_username} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Disables the suspicious user in Active Directory. + id: 3caf56b4-0399-423b-8db3-3bdf0ef48255 + iscommand: true + name: Disable user account in AD + script: '|||ad-disable-account' + type: regular + version: -1 + taskid: 3caf56b4-0399-423b-8db3-3bdf0ef48255 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 270,\n \"y\": 2390\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + commands: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - args: + prefix: + value: + simple: powershell -Command Disable-LocalUser -Name " + suffix: + value: + simple: '"' + operator: concat + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Runs Powershell code on the affected host to disable the local + user on the machine. 
+ id: 040c833c-b457-462c-817b-66b06e05c1ea + iscommand: true + name: Disable local user + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 040c833c-b457-462c-817b-66b06e05c1ea + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 2390\n }\n}" + '33': + continueonerror: true + continueonerrortype: errorPath + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '36' + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + agent_id: + complex: + accessor: agentid + filters: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: in + right: + iscontext: true + value: + simple: CIDToTerminate + root: foundIncidents + causality_id: + complex: + root: CIDToTerminate + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Kills the Causality Group Owner (CGO) of the process that created + the suspicious user. 
+ id: 30254aac-2691-4f77-812f-f54e6658c365 + iscommand: true + name: Terminate causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 30254aac-2691-4f77-812f-f54e6658c365 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 40,\n \"y\": 2045\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + key: + simple: CIDToTerminate + value: + complex: + accessor: cid + filters: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.severity + operator: isNotEqualString + right: + value: + simple: LOW + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: isNotEqualString + right: + value: + simple: BLOCKED + root: foundIncidents.CustomFields + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Saves the ID of the Causality Group Owner (CGO) if it exists in + the related alerts, in order to terminate it at the remediation stage. 
+ id: 1a940847-23dc-4a7c-82b8-248f4594e9f5 + iscommand: false + name: Save causality ID + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 1a940847-23dc-4a7c-82b8-248f4594e9f5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 930\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e8cda6f4-6d4e-46fb-8ada-1b794d7caa27 + iscommand: false + name: Host Checks + type: title + version: -1 + taskid: e8cda6f4-6d4e-46fb-8ada-1b794d7caa27 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -170,\n \"y\": 620\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Investigate the alerts related to this incident, and terminate + the CGO (Causality Group Owner) process that caused the suspicious hidden + user to be created. 
+ id: e3eb46f2-a249-479d-87bb-a81b9d74c0a9 + iscommand: false + name: Terminate causality process manually + type: regular + version: -1 + taskid: e3eb46f2-a249-479d-87bb-a81b9d74c0a9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -180,\n \"y\": 2390\n }\n}" + '4': + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and name:"Script Engine Activity*"' + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches for Script Engine Activity alerts in the current incident, + which could indicate malicious script activity related to the creation of + the user. 
+ id: 3e1146e5-c836-447b-8dd6-4a53c1e33a24 + iscommand: false + name: Search related Script Engine Activity alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 3e1146e5-c836-447b-8dd6-4a53c1e33a24 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 750\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + - '9' + - '16' + - '18' + - '35' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 512d76d2-719a-47e0-8387-02697e31076e + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 512d76d2-719a-47e0-8387-02697e31076e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 480\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + 'yes': + - '7' + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: Active Directory Query v2 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the Active Directory Query v2 integration is enabled. 
+ id: f56692b0-6188-4ca4-801e-1af5bbfeacc1 + iscommand: false + name: Check Active Directory availability + scriptName: IsIntegrationAvailable + type: condition + version: -1 + taskid: f56692b0-6188-4ca4-801e-1af5bbfeacc1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 930\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + username: + complex: + accessor: evtlog_target_username + root: Core.OriginalAlert.event + transformers: + - operator: uniq + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieves information about the domain user, and specifically the + DONT_EXPIRE_PASSWORD attribute of the user, in order to understand if the + user's password was set to never expire. + id: f4ffe67d-09b9-427e-83e6-3ea30cfda4ed + iscommand: true + name: Get AD user attributes + script: '|||ad-get-user' + type: regular + version: -1 + taskid: f4ffe67d-09b9-427e-83e6-3ea30cfda4ed + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1100\n }\n}" + '8': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.OriginalAlert.event.account_creation_is_local + operator: isFalse + right: + value: {} + label: Domain + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '11' + Domain: + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the user is a domain user or a local user. 
+ id: b0c8fef2-dc3e-4e36-81f1-c0d59a5f9b30 + iscommand: false + name: Check user type (Domain/Local) + type: condition + version: -1 + taskid: b0c8fef2-dc3e-4e36-81f1-c0d59a5f9b30 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 750\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ee07333d-6200-4175-8c32-8a543ed2dab5 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: ee07333d-6200-4175-8c32-8a543ed2dab5 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1430\n }\n}" +tests: +- no tests +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_22_Yes\": 0.3,\n \"12_23_Yes\"\ + : 0.48,\n \"12_24_#default#\": 0.54,\n \"24_23_yes\": 0.54,\n \"24_25_#default#\"\ + : 0.16,\n \"30_25_#default#\": 0.24,\n \"33_36_#error#\": 0.61,\n \"6_7_yes\"\ + : 0.51,\n \"6_9_#default#\": 0.23\n },\n \"paper\": {\n \"dimensions\":\ + \ {\n \"height\": 2595,\n \"width\": 1660,\n \"x\": -180,\n \ + \ \"y\": 60\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml new file mode 100644 index 000000000000..83f51b699e11 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml 
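Review bot: Tasks '11' and '32' splice `Core.OriginalAlert.event.evtlog_target_username` into a PowerShell `-Command` string via `concat` (`'powershell -Command "NET USER '` + name + `'"'`, and `powershell -Command Disable-LocalUser -Name "` + name + `"`), so a name containing a quote or other PowerShell metacharacters alters the command that `core-run-script-execute-commands` executes on the endpoint. The name was chosen by whoever created the suspicious account — the very principal under investigation — so it has to be treated as untrusted input rather than as safe command text. A condition task before '11' and '32' that only proceeds when the name matches a conservative pattern such as `^[A-Za-z0-9._-]+$` (anything else going to a manual task, mirroring how '33' falls back to '36'), or a fixed script that receives the username as a parameter instead of as part of the command line, would close this. Separately, task '5' lists `- '9'` twice under `'#none#'` and also links the Investigation title straight to Verdict ('9') alongside the parallel branches; the duplicate looks unintended and the direct edge is worth confirming as the intended join.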
@@ -0,0 +1,673 @@ +description: "This playbook addresses the following alerts:\n \n- Suspicious local\ + \ administrator login\n \nPlaybook Stages:\n \nInvestigation:\n \n- Retrieves the\ + \ name of the process image involved in the alert.\n- Checks for related Powershell/Command\ + \ and Scripting/WMI alerts in the incident.\n- Retrieves the host risk score.\n\ + \ \nContainment:\n \n- Provide a manual task for an analyst to review the findings\ + \ and decide the next steps.\n- Possible actions:\n - Disable User.\n - Take no\ + \ action.\n \nRequirements: \n\n- For response actions, the following integration\ + \ is required: Core - IR." +fromversion: 6.10.0 +id: silent-Suspicious Local Administrator Login Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Suspicious Local Administrator Login Test +outputs: [] +starttaskid: '0' +tags: +- T1078 - Valid Accounts +- TA0001 - Initial Access +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a8c8635f-056c-49cb-8010-5419ed231b19 + iscommand: false + name: '' + version: -1 + taskid: a8c8635f-056c-49cb-8010-5419ed231b19 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 50\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: + value: + simple: ' and (mitreattcktechnique:*T1086* or mitreattcktechnique:*T1059* + or mitreattcktechnique:* T1047*)' + 
operator: concat + - args: + prefix: {} + suffix: + value: + simple: ' and agentid:' + operator: concat + - args: + prefix: {} + suffix: + iscontext: true + value: + simple: alert.agentid + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Searches for alerts. A summarized version of this script is available + with the summarized version argument. + + + This automation runs using the default Limited User role, unless you explicitly + change the permissions. + + For more information, see the section about permissions here: + + For Cortex XSOAR 6.13, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.13/Cortex-XSOAR-Administrator-Guide/Automations + + For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Scripts + + For Cortex XSOAR on-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Scripts + + For Cortex XSIAM, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Automations' + id: 0e7b306b-245d-43c9-85fe-cfec167d92cd + iscommand: false + name: Search for Related Alerts + scriptName: SearchAlertsV2 + type: regular + version: -1 + taskid: 0e7b306b-245d-43c9-85fe-cfec167d92cd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 330\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + command_type: + simple: native + commands: + simple: powershell -Command Disable-LocalUser -Name "${Core.OriginalAlert.raw_abioc.event.login_data.dst_user}" + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate 
a new endpoint script execution of shell commands. + id: 5bc51849-8fd5-4008-81e5-282079d5ebb9 + iscommand: true + name: Disable User + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 5bc51849-8fd5-4008-81e5-282079d5ebb9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1320\n }\n}" + '11': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: Disable User + label: Disable user + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Action.Answers.0 + operator: isEqualString + right: + value: + simple: No Action + label: No Action + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + Disable user: + - '10' + No Action: + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8705127b-689c-4c77-8af4-828aa12d11da + iscommand: false + name: Evaluate Analyst Response for Next Action + type: condition + version: -1 + taskid: 8705127b-689c-4c77-8af4-828aa12d11da + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 1130\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 0206dfb2-4202-44fb-8ea1-020a1df810d1 + iscommand: true + name: Get Related Process Information + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 0206dfb2-4202-44fb-8ea1-020a1df810d1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 680\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + action_id: + complex: + accessor: action_id} + root: ${Core.GetActionStatus + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 8ba62210-22a2-4b7a-8da5-c206c96f8fb3 + iscommand: true + name: Get Action Status + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 8ba62210-22a2-4b7a-8da5-c206c96f8fb3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1650\n }\n}" + '14': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: containsString + right: + value: + simple: 'False' + label: 'yes' + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '16' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 77fb4b5f-d4a3-4f17-871c-bc11fbe9c3a0 + iscommand: false + name: Was the User Disabled? 
+ type: condition + version: -1 + taskid: 77fb4b5f-d4a3-4f17-871c-bc11fbe9c3a0 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1810\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + command_type: + simple: native + commands: + simple: powershell -Command Get-LocalUser -Name "${Core.OriginalAlert.raw_abioc.event.login_data.dst_user}" + endpoint_ids: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + is_raw_command: + simple: 'true' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate a new endpoint script execution of shell commands. + id: 4047510e-a9c5-4230-8411-5b1ac7abbe5c + iscommand: true + name: Get User Status + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 4047510e-a9c5-4230-8411-5b1ac7abbe5c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1480\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to disable the following + user: ${Core.OriginalAlert.raw_abioc.event.dst_identity} + + Please investigate this before closing this alert. 
+ + ' + id: 32c07163-7d2f-4049-87f0-e1e930fcbe47 + iscommand: false + name: Disable the User Manually + type: regular + version: -1 + taskid: 32c07163-7d2f-4049-87f0-e1e930fcbe47 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1260,\n \"y\": 1980\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8848143f-f15c-406c-8de1-be0eb454b59f + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 8848143f-f15c-406c-8de1-be0eb454b59f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 190\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + host_id: + complex: + accessor: hostname + root: alert + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 8c9e5c77-8b33-4aff-8460-b5e17a76333c + iscommand: true + name: Get Host Risk Level + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: 8c9e5c77-8b33-4aff-8460-b5e17a76333c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 330\n }\n}" + '4': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: HIGH + label: 'yes' + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cd0f32ec-8fce-4c74-8fd9-273e9f882f52 + iscommand: false + name: Check for Related Alerts or Host Risk Score + type: condition + version: -1 + taskid: cd0f32ec-8fce-4c74-8fd9-273e9f882f52 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 500\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 75c1f47a-5b53-434a-8070-0cf3fe5d203a + iscommand: false + name: 'Remediation ' + type: title + version: -1 + taskid: 75c1f47a-5b53-434a-8070-0cf3fe5d203a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 840\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 
6c607d33-069d-4ca2-82d1-9240c594c203 + iscommand: false + name: Done + type: title + version: -1 + taskid: 6c607d33-069d-4ca2-82d1-9240c594c203 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2320\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Suspicious Local Administrator + Login" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 2db5de07-51bf-49ad-87c8-47ec71234195 + iscommand: true + name: Close alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 2db5de07-51bf-49ad-87c8-47ec71234195 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 2150\n }\n}" + '8': + continueonerrortype: '' + form: + description: Analyst review + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: '#### User Name that involved in the alert: + + `${Core.OriginalAlert.raw_abioc.event.login_data_dst_normalized_user.identity}` + + + #### Host Name: + + `${alert.hostname}` + + + #### Host Risk Level: + + `${Core.RiskyHost.risk_level}` + + + #### Related Alerts Found in the Incident: + + `${.=val.foundIncidents.name || "None"}` + + + #### Process involved in login event: + + `${Core.OriginalAlert.event.login_data.process_image_name}` + + + #### Action Required: + + Please choose the action you want to perform. 
+
+
+ '
+ options: []
+ optionsarg:
+ - simple: No Action
+ - simple: Disable user
+ placeholder: ''
+ readonly: false
+ required: false
+ tooltip: ''
+ type: singleSelect
+ sender: ''
+ title: Analyst Action
+ totalanswers: 0
+ id: '8'
+ ignoreworker: false
+ isautoswitchedtoquietmode: false
+ isoversize: false
+ message:
+ bcc: null
+ body: null
+ cc: null
+ format: ''
+ methods: []
+ subject: null
+ timings:
+ completeafterreplies: 1
+ completeaftersla: false
+ completeafterv2: true
+ retriescount: 2
+ retriesinterval: 360
+ to: null
+ nexttasks:
+ '#none#':
+ - '11'
+ note: false
+ quietmode: 0
+ separatecontext: false
+ skipunavailable: false
+ task:
+ brand: ''
+ description: ''
+ id: ac8e9263-a599-4cd4-8314-63f2af36daa5
+ iscommand: false
+ name: Manual Task - User Action Decision
+ type: collection
+ version: -1
+ taskid: ac8e9263-a599-4cd4-8314-63f2af36daa5
+ timertriggers: []
+ type: collection
+ view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 970\n }\n}"
+tests:
+- No tests (auto formatted)
+version: -1
+view: "{\n \"linkLabelsPosition\": {\n \"11_10_Disable user\": 0.9,\n \"11_6_No\
+ \ Action\": 0.1,\n \"14_16_#default#\": 0.49,\n \"14_7_yes\": 0.2,\n \"\
+ 4_12_yes\": 0.46,\n \"4_6_#default#\": 0.1\n },\n \"paper\": {\n \"dimensions\"\
+ : {\n \"height\": 2335,\n \"width\": 1400,\n \"x\": 240,\n \"\
+ y\": 50\n }\n }\n}"
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml
new file mode 100644
index 000000000000..00002936c10a
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml
@@ -0,0 +1,1066 @@
+description: "This playbook is designed to handle the following alerts:\n\n- Suspicious\
+ \ SaaS API call from a Tor exit node\n- Suspicious SaaS API call from a Tor exit\
+ \ node via a mobile device\n- Suspicious API call from a Tor exit node\n- Suspicious\
+ \ Kubernetes API call from a Tor exit node\n\nPlaybook Stages:\n\nEarly Containment:\n\
+ - To terminate the connection from the Tor exit node, the playbook will clear/revoke\
+ \ the user's sessions and force re-authentication. Depending on the alert source,\
+ \ the playbook will use either MS-Graph or G-Suite to clear the user sessions.\n\
+ \nInvestigation:\n- The playbook will assess the risk score of the user connected\
+ \ from the Tor exit node and examine the legitimacy of the user agent.\n\nContainment:\n\
+ - If the user's risk score is high or the user agent is detected as suspicious,\
+ \ the playbook will recommend blocking the account connected from the Tor exit node.\
+ \ The playbook will use MS-Graph, G-Suite, or AWS-IAM, depending on the alert source.\n\
+ \nEradication:\n- For users with PAN-OS enabled, the playbook will recommend blocking\
+ \ all IPs from the Palo Alto Intelligence-based external dynamic list that contains\
+ \ Tor exit nodes. The goal is to prevent the use of Tor within the organization.\n\
+ \nRequirements:\n\nFor any response action, you will need one of the following integrations:\
+ \ \n- Microsoft Graph User\n- G-Suite Admin\n- AWS-IAM."
+fromversion: 6.10.0 +id: silent-Suspicious SaaS Access From a TOR Exit Node Test +inputs: [] +issilent: true +name: silent-Suspicious SaaS Access From a TOR Exit Node Test +outputs: [] +starttaskid: '0' +tags: +- T1090 - Proxy +- TA0011 - Command and Control +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9ce3ec2e-49a5-43c6-8812-1c8724eb4f95 + iscommand: false + name: '' + version: -1 + taskid: 9ce3ec2e-49a5-43c6-8812-1c8724eb4f95 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 240\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + alert_ids: + complex: + accessor: id + root: alert + transformers: + - operator: uniq + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 34b46f03-e24e-463b-8df9-2743ae0df003 + iscommand: true + name: Get User Identity + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 34b46f03-e24e-463b-8df9-2743ae0df003 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 370\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + scriptarguments: + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 0f076c81-4bbc-4f05-8306-4f8c0ac400b3 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 0f076c81-4bbc-4f05-8306-4f8c0ac400b3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3160\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 102922e3-2b05-4241-825c-8c4e325be898 + iscommand: false + name: Done + type: title + version: -1 + taskid: 102922e3-2b05-4241-825c-8c4e325be898 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 3320\n }\n}" + '12': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyUser.risk_level + operator: isEqualString + right: + value: + simple: HIGH + - left: + iscontext: true + value: + simple: SuspiciousUserAgent + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: GSuite.User.id + operator: isNotEmpty + - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + - left: + iscontext: true + value: + complex: + filters: + - - left: + 
iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: AWS - IAM + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + 'yes': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f939fd39-89a2-4416-8475-6b8fe49537d8 + iscommand: false + name: Check if risk level is high or user agent is suspicious + type: condition + version: -1 + taskid: f939fd39-89a2-4416-8475-6b8fe49537d8 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1630\n }\n}" + '13': + continueonerrortype: '' + form: + description: You can block the user who created the connection. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Block The Account ${alert.username.[0]} using ${Account.Type}? 
+ options: [] + optionsarg: + - {} + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Decide if you want to block the account + totalanswers: 0 + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f8073e61-3193-43f2-819b-a8f4ea98e87a + iscommand: false + name: Decide if you want to block the account + type: collection + version: -1 + taskid: f8073e61-3193-43f2-819b-a8f4ea98e87a + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1800\n }\n}" + '15': + continueonerror: true + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousUserAgent + data: + simple: ${alert.useragent.[0]} + regex: + simple: \b(Python-urllib|libwww-perl|Scrapy|curl|Wget|sqlmap|Nikto|Xrumer|Hydra|JohnTheRipper|LOIC|HOIC|MJ12bot|Baiduspider|BlackWidow|HeadlessChrome|PhantomJS|Selenium|REST)\b + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Extracts regex data from the provided text. The script supports + groups and looping. 
+ id: dd1a92cb-c7eb-42c9-8679-429bd572a0b7 + iscommand: false + name: Check if user agent is suspicious + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: dd1a92cb-c7eb-42c9-8679-429bd572a0b7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 240,\n \"y\": 1330\n }\n}" + '16': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Decide if you want to block the account.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + simple: MSGraphUser.ID + operator: isNotEmpty + label: Block Using MS-Graph + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Decide if you want to block the account.Answers.0 + operator: containsString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + simple: GSuite.User.id + operator: isNotEmpty + label: Block Using G-Suite + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Decide if you want to block the account.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: AWS - IAM + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isExists + label: Delete Login Profile Using AWS + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '21' + Block Using G-Suite: + - '18' + Block Using MS-Graph: + - '17' + Delete Login Profile Using AWS: + - '25' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d70543c6-1970-4c3d-8c98-d02aaad561fb + 
iscommand: false + name: Block the account that used TOR? + type: condition + version: -1 + taskid: d70543c6-1970-4c3d-8c98-d02aaad561fb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 1960\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Disables a user from all Office 365 applications, and prevents + sign in. Note: This command disables a user, + + but does not terminate an existing session. Supported only in a self-deployed + app flow. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: e7c3404d-5ca2-4ed4-875e-100cb2900acd + iscommand: true + name: Block user with MS-Graph + script: '|||msgraph-user-account-disable' + type: regular + version: -1 + taskid: e7c3404d-5ca2-4ed4-875e-100cb2900acd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1080,\n \"y\": 2160\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + suspended: + simple: 'true' + user_key: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Updates a user. 
+ id: 19ca9654-14bf-486d-8832-2a5835b118f2 + iscommand: true + name: Block user with G-Suite + script: '|||gsuite-user-update' + type: regular + version: -1 + taskid: 19ca9654-14bf-486d-8832-2a5835b118f2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 680,\n \"y\": 2160\n }\n}" + '19': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Choose whether to block TOR using PAN-OS.Answers.0 + operator: containsString + right: + value: + simple: 'Yes' + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + label: Block TOR using PAN-OS + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '10' + Block TOR using PAN-OS: + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: be2a62ff-1113-46b6-8817-0811b761b3a5 + iscommand: false + name: Block TOR application with PAN-OS? 
+ type: condition + version: -1 + taskid: be2a62ff-1113-46b6-8817-0811b761b3a5 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2805\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f9caeafe-1135-44a4-8288-2f6b3196e20a + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: f9caeafe-1135-44a4-8288-2f6b3196e20a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 530\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9032908c-104c-4178-896d-26343b3a9e4f + iscommand: false + name: Eradication + type: title + version: -1 + taskid: 9032908c-104c-4178-896d-26343b3a9e4f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2330\n }\n}" + '22': + continueonerrortype: '' + form: + description: 'You can block traffic from TOR exit node IPs using Palo Alto''s + built-in External Dynamic List (EDL). For more information on predefined EDLs, + visit: + + + https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls' + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Block TOR exit nodes using PAN-OS? 
+ options: [] + optionsarg: + - {} + - simple: 'Yes' + - simple: 'No' + placeholder: '' + readonly: false + required: false + tooltip: '' + type: singleSelect + sender: '' + title: Choose whether to block TOR using PAN-OS + totalanswers: 0 + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fb9aab48-672e-4c9d-8ff4-7b5ab3c9f4d1 + iscommand: false + name: Choose whether to block TOR IPs using PAN-OS + type: collection + version: -1 + taskid: fb9aab48-672e-4c9d-8ff4-7b5ab3c9f4d1 + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 710,\n \"y\": 2640\n }\n}" + '23': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: brand + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.brand + operator: isEqualString + right: + value: + simple: Panorama + - - ignorecase: true + left: + iscontext: true + value: + simple: modules.state + operator: isEqualString + right: + value: + simple: active + root: modules + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '10' + 'Yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 54c87fa9-5981-42ed-8593-2fe4818214cc + iscommand: false + name: PAN-OS Enabled? 
+ type: condition + version: -1 + taskid: 54c87fa9-5981-42ed-8593-2fe4818214cc + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2460\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: 'No' + EDLName: + simple: panw-torexit-ip-list + RuleName: + simple: TOR Exit nodes from predefined EDLs was Blocked by XSIAM + separatecontext: true + skipunavailable: true + task: + brand: '' + description: '' + id: 34616d1d-37f0-4406-8961-5e59b8de3af9 + iscommand: false + name: PAN-OS - Block IPs From EDL - Custom Block Rule + playbookName: PAN-OS - Block IPs From EDL - Custom Block Rule + type: playbook + version: -1 + taskid: 34616d1d-37f0-4406-8961-5e59b8de3af9 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 2990\n }\n}" + '25': + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + userName: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Deletes the password for the specified IAM user, which terminates + the user's ability to access AWS services through the AWS Management Console. 
+ id: e19e02a9-b241-4f18-8b4d-8f7754efbc19 + iscommand: true + name: Delete Login Profile Using AWS + script: '|||aws-iam-delete-login-profile' + type: regular + version: -1 + taskid: e19e02a9-b241-4f18-8b4d-8f7754efbc19 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 2160\n }\n}" + '3': + continueonerror: true + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + user: + simple: ${MSGraphUser.ID} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Revoke a user session. Invalidates all the refresh tokens issued + to applications for a user. + + Permission: Directory.AccessAsUser.All(Delegated).' + id: ef5395e8-62d0-407d-8c63-7b162bb01358 + iscommand: true + name: Clear user sessions using MS-Graph + script: '|||msgraph-user-session-revoke' + type: regular + version: -1 + taskid: ef5395e8-62d0-407d-8c63-7b162bb01358 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 1020\n }\n}" + '4': + continueonerror: true + continueonerrortype: '' + fieldMapping: + - incidentfield: User SID + output: + complex: + accessor: '[0]' + root: alert.username + transformers: + - args: + delimiter: + value: + simple: \ + fields: + value: + simple: '2' + operator: Cut + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + filter: + simple: mail eq '${Core.OriginalAlert.event.identity_name}' + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Retrieves a list of user objects. + + Permissions: User.ReadBasic.All (Delegated), User.Read.All (Application).' 
+ id: 250319b5-dde5-40f9-853f-2b3442d2ed52 + iscommand: true + name: Get User ID from MS-Graph + script: '|||msgraph-user-list' + type: regular + version: -1 + taskid: 250319b5-dde5-40f9-853f-2b3442d2ed52 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1150,\n \"y\": 860\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: MSFT + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: AZURE + label: O365 + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: GOOGLE + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cloudprovider.[0] + operator: isEqualString + right: + value: + simple: GCP + label: Google Workspaces + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '7' + Google Workspaces: + - '6' + O365: + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 826d5083-fff2-4ee9-846e-ab2cef5765e9 + iscommand: false + name: Which SaaS application? 
+ type: condition + version: -1 + taskid: 826d5083-fff2-4ee9-846e-ab2cef5765e9 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 700,\n \"y\": 670\n }\n}" + '6': + continueonerror: true + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + scriptarguments: + user_key: + simple: ${Core.OriginalAlert.event.identity_name} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Signs a user out of all web and device sessions and resets their + sign-in cookies. + id: deb95ec9-2850-45c8-8a1c-1d2f2ccf07fe + iscommand: true + name: Sign out User using G-Suite Admin + script: '|||gsuite-user-signout' + type: regular + version: -1 + taskid: deb95ec9-2850-45c8-8a1c-1d2f2ccf07fe + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 700,\n \"y\": 1020\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c8772496-b9c9-442b-88e1-f5500d700142 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: c8772496-b9c9-442b-88e1-f5500d700142 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1190\n }\n}" + '8': + continueonerror: true + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + user_id: + simple: ${alert.username.[0]} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the risk score of a specific user or list of users with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: d6425055-2cd8-401c-83ac-81aba1c11524 + iscommand: true + name: Get User Risk Level + script: '|||core-list-risky-users' + type: regular + version: -1 + taskid: d6425055-2cd8-401c-83ac-81aba1c11524 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 1330\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2ff5c5ea-6357-4ef6-8c43-8c3c52b6fe33 + iscommand: false + name: Containment + type: title + version: -1 + taskid: 2ff5c5ea-6357-4ef6-8c43-8c3c52b6fe33 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1500\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_21_#default#\": 0.2,\n \"16_17_Block\ + \ Using MS-Graph\": 0.7,\n \"16_18_Block Using G-Suite\": 0.62,\n \"16_21_#default#\"\ + : 0.4,\n \"19_10_#default#\": 0.34,\n \"23_10_#default#\": 0.14,\n \"23_22_Yes\"\ + : 0.44,\n \"5_4_O365\": 0.73,\n \"5_6_Google Workspaces\": 0.7,\n \"5_7_#default#\"\ + : 0.14\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 3145,\n \ + \ \"width\": 1620,\n \"x\": 240,\n \"y\": 240\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml new file mode 100644 index 000000000000..e3331003d53a --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml 
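Review bot: In task '4' (Get User ID from MS-Graph) the OData filter `mail eq '${Core.OriginalAlert.event.identity_name}'` interpolates an alert-supplied value unescaped, so an identity name containing a single quote yields a malformed filter; because the task is `continueonerror: true` and `skipunavailable: true`, that failure is swallowed, `MSGraphUser.ID` stays empty, and the session revoke in task '3' (also `continueonerror: true`) is likely to fail just as silently, leaving Early Containment un-done with no trace. Consider doubling single quotes in the value before it reaches the filter (OData's escape for `'`), or at minimum routing the revoke failure to an analyst notification the way the Suspicious Local Administrator Login playbook earlier in this patch does with its "Disable the User Manually" task. The same gap applies to the block actions in tasks '17', '18' and '25': each is `skipunavailable: true` and nothing verifies the account was actually disabled before the flow moves to Eradication, whereas the earlier playbook re-checks with a "Was the User Disabled?" condition. Task '10' also closes the alert with only `id` and no `closeReason`/`closeNotes` (compare task '7' of the first playbook), so when task '12' falls through to `#default#` — high risk or suspicious user agent but no blocking integration active — the alert is closed with no record that containment was skipped.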
@@ -0,0 +1,2048 @@ +description: 'This playbook handles "Suspicious certutil command line" alerts. + + + Playbook Stages: + + + Analysis: + + + During the alert analysis, the playbook will perform the following actions: + + + - Extracts and enriches the URL from the command line. + + - Checks if the URL reputation is suspicious. + + - Checks if any process in the causality chain is unsigned. + + - Checks if any process in the causality chain is non-prevalent. + + - Searches for Cortex XDR agent alerts related to file drops using certutil. + + - Checks for any suspicious parameters in the command line (if the command line + risk score is medium or higher). + + + If the playbook detects any of these conditions, it will proceed to the early containment + stage; otherwise, it will close the alert. + + + Early Containment: + + + - Identify if an agent prevention rule was triggered. If triggered in **block mode**, + proceed with the URL reputation check; otherwise, terminate the causality process + tree. + + + Verdict: + + + - Based on the URL''s reputation, if found to be malicious, the playbook will perform + remediation actions; otherwise, it will close the alert. + + + Remediation: + + + If the URL is found to have a malicious reputation, the playbook will perform the + following actions: + + + - Block the malicious URL using PAN-OS (requires analyst approval). + + - Isolate the endpoint (requires analyst approval). + + - Execute an XQL query to check for file creation events by the certutil process, + and if a file is found, quarantine it (requires analyst approval). + + - Automatically close the alert. + + + Required Integrations: + + + For response actions, you need the following integrations: + + + - Palo Alto Networks PAN-OS + + - XQL Query Engine.' 
+fromversion: 8.8.0 +id: silent-Suspicious certutil command line Test +inputs: [] +issilent: true +name: silent-Suspicious certutil command line Test +outputs: [] +starttaskid: '0' +tags: +- TA0005 - Defense Evasion +- T1218 - System Binary Proxy Execution +- TA0011 - Command and Control +- T1105 - Ingress Tool Transfer +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 73f05945-ea83-4505-8833-cba0c65b30c4 + iscommand: false + name: '' + version: -1 + taskid: 73f05945-ea83-4505-8833-cba0c65b30c4 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -1180\n }\n}" + '10': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + root: DBotScore + operator: greaterThanOrEqual + right: + value: + simple: '2' + - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isNotEmpty + root: alert.osparentsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - left: + iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual + right: + value: + simple: '25' + - left: 
+ iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '47' + 'yes': + - '50' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task checks the following to determine if process termination + is needed: + + - If the URL reputation is suspicious. + + - If any process in the causality chain is unsigned. + + - If any process in the causality chain is non-prevalent. + + - If Cortex XDR agent alerts related to file drops using certutil are found. + + - If any suspicious parameters are found in the command line (if the command + line risk score is medium or higher).' + id: 87b36f66-b55b-4fac-8c75-d44ab9816417 + iscommand: false + name: Is the URL, process, or command suspicious? + type: condition + version: -1 + taskid: 87b36f66-b55b-4fac-8c75-d44ab9816417 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -410\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c4f026aa-b77e-4a51-8e9b-b8f01df16eee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: c4f026aa-b77e-4a51-8e9b-b8f01df16eee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 565\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + AutoCommit: + simple: 'Yes' + CustomURLCategory: + simple: XSIAM - Malicious 
URLs + URL: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + pre-post: + simple: pre-rulebase + type: + simple: URL List + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks URLs using Palo Alto Networks Panorama or + Firewall through Custom URL Categories. + + The playbook checks whether the input URL category already exists, and if + the URLs are a part of this category. Otherwise, it will create the category, + block the URLs, and commit the configuration.' + id: 994cd4ee-eed3-49a2-8632-ccfbe4846a4c + iscommand: false + name: PAN-OS - Block URL - Custom URL Category + playbookName: PAN-OS - Block URL - Custom URL Category + type: playbook + version: -1 + taskid: 994cd4ee-eed3-49a2-8632-ccfbe4846a4c + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1420\n }\n}" + '13': + continueonerrortype: '' + form: + description: Blocking the URL, quarantining the downloaded file, and isolating + the endpoint are recommended due to the URL's malicious reputation. + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: Should the XQL query be executed and the downloaded file quarantined + if found? + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This action will execute an XQL query to search for file creation + events using certutil and quarantine the file. 
+ type: singleSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '1' + label: '' + labelarg: + simple: "Should Block the following malicious URL using PAN-OS? \n- ${URL.Data}\ + \ " + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This will block URLs using Palo Alto Networks Panorama or Firewall + through Custom URL Categories. The playbook checks whether the input URL + category already exists, and if the URLs are a part of this category. Otherwise, + it will create the category, block the URLs, and commit the configuration. + type: singleSelect + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '2' + label: '' + labelarg: + simple: "Should Isolate the endpoint? \n- ${alert.hostname} " + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This action will isolate the endpoint and is recommended to prevent + the attacker from executing lateral movement. + type: singleSelect + sender: Your SOC team + title: RemediationApproval + totalanswers: 0 + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Analyst approval is required for the following actions: + + - Blocking the malicious URL. + + - Executing an XQL query to identify files downloaded via the malicious URL. + + - Isolating the endpoint.' 
+ id: fbb1b0fb-ab08-4c33-882d-9be592e4bcbc + iscommand: false + name: Approve XQL search & quarantine & Block URL & Isolation + type: collection + version: -1 + taskid: fbb1b0fb-ab08-4c33-882d-9be592e4bcbc + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 890\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + - '18' + - '59' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 55b21f0b-e203-43a0-89f3-5d722343fe9e + iscommand: false + name: Search and quarantine file & Block URL + type: title + version: -1 + taskid: 55b21f0b-e203-43a0-89f3-5d722343fe9e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 1265\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + - '59' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4d8dfda3-60d6-421e-81c6-a63444e687b3 + iscommand: false + name: Search and quarantine file + type: title + version: -1 + taskid: 4d8dfda3-60d6-421e-81c6-a63444e687b3 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1265\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '12' + - '59' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c987695c-86b1-4f23-844f-79c71bc0ed05 + iscommand: false + name: Block URL + type: title + version: -1 + taskid: c987695c-86b1-4f23-844f-79c71bc0ed05 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1265\n }\n}" + '17': + conditions: + - 
condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.1 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Search File and quarantine & block url + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Search File and Quarantine + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.1 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Block URL Only + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '59' + Block URL Only: + - '16' + Search File and Quarantine: + - '15' + Search File and quarantine & block url: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the analyst's answers and execute the appropriate actions + based on the responses. + id: 30a5a879-98ae-46ec-80f8-25c7787ec3a6 + iscommand: false + name: Check analyst answers + type: condition + version: -1 + taskid: 30a5a879-98ae-46ec-80f8-25c7787ec3a6 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 1050\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '20' + 'yes': + - '41' + note: false + quietmode: 0 + scriptarguments: + brandname: + simple: XQL Query Engine + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns 'yes' if integration brand 'XQL Query Engine' is available. + Otherwise returns 'no'. 
+ id: 00247eff-9984-4d09-8bd5-e7a1fdce1cad + iscommand: false + name: Is the integration of 'XQL Query Engine' available? + scriptName: IsIntegrationAvailable + type: condition + version: -1 + taskid: 00247eff-9984-4d09-8bd5-e7a1fdce1cad + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1420\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + query: + simple: dataset = xdr_data | filter agent_hostname = "${alert.hostname}" + and actor_process_instance_id ="${alert.actionprocessinstanceid.[0]}" and + event_type = FILE and event_sub_type = FILE_WRITE | fields action_file_name, + action_file_path , action_file_sha256 + query_name: + simple: Search_Downloaded_files_by_certutil + time_frame: + simple: between ${QueryStartTime} and ${QueryEndTime} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: 'Execute an XQL query and retrieve results of an executed XQL query + API. The command will be executed every 10 seconds until results are retrieved + or until a timeout error is raised. + + When more than 1000 results are retrieved, the command will return a compressed + gzipped JSON format file, + + unless the argument ''parse_result_file_to_context'' is set to true and then + the results will be extracted to the context.' 
+ id: 0aa0b526-468f-42de-84fa-29a2f5d54480 + iscommand: true + name: XQL Query - Search file creation event by certutil + script: '|||xdr-xql-generic-query' + type: regular + version: -1 + taskid: 0aa0b526-468f-42de-84fa-29a2f5d54480 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1925\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(name:"File Drop - 1815185192" or name:"File Drop - 4219385159" + or name:"File Drop - 98943342") and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for Cortex XSIAM agent alerts related to file + drops using certutil. + id: 6b287e61-9939-4790-8c8e-18755bf12ec8 + iscommand: false + name: Search for agent file drop alerts that blocked the process + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 6b287e61-9939-4790-8c8e-18755bf12ec8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": -910\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nEnsure that the 'XQL Query Engine' integration\ + \ is active. 
If it's not enabled, activate the integration or manually run\ + \ the following XQL query to determine if a file was successfully downloaded\ + \ from a malicious URL using certutil.\n\nQuery:\n\n dataset = xdr_data |\ + \ filter agent_hostname = \"${alert.hostname}\" and actor_process_instance_id\ + \ =\"${alert.actionprocessinstanceid}\" and event_type = FILE and event_sub_type\ + \ = FILE_WRITE | fields action_file_name, action_file_path , action_file_sha256\n\ + \nIf the query output indicates a file created by a malicious certutil command\ + \ line with a malicious URL, quarantine and remove the file immediately." + id: c88e2910-55e1-4b10-8be6-f22abe3bc3dc + iscommand: false + name: "Manual \u2013 Search file using XQL query and quarantine the file " + type: regular + version: -1 + taskid: c88e2910-55e1-4b10-8be6-f22abe3bc3dc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 510,\n \"y\": 1600\n }\n}" + '21': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: PaloAltoNetworksXQL.GenericQuery.results.action_file_name + operator: isNotEmpty + right: + value: {} + - - left: + iscontext: true + value: + simple: PaloAltoNetworksXQL.GenericQuery.results.action_file_path + operator: isNotEmpty + - - left: + iscontext: true + value: + simple: PaloAltoNetworksXQL.GenericQuery.results.action_file_sha256 + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + 'yes': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the XQL query has returned 'File Creation' events by + certutil. + id: 51da6740-feb1-4cac-81de-1d9481397f0f + iscommand: false + name: Found file created by certutil? 
+ type: condition + version: -1 + taskid: 51da6740-feb1-4cac-81de-1d9481397f0f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2090\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3f1b5543-e742-4133-87c8-5a0d1eb0db76 + iscommand: false + name: Quarantine File + type: title + version: -1 + taskid: 3f1b5543-e742-4133-87c8-5a0d1eb0db76 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2270\n }\n}" + '23': + continueonerror: true + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '25' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + file_hash: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_sha256} + file_path: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_path} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. 
+ id: c312d63a-b220-4889-8343-92f330492b9f + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: c312d63a-b220-4889-8343-92f330492b9f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2400\n }\n}" + '25': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.quarantineFiles.status + operator: isEqualString + right: + value: + simple: 'false' + label: 'yes' + continueonerrortype: '' + id: '25' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + 'yes': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + status. + id: acf62e77-11e5-4949-8063-586e57a33171 + iscommand: false + name: Should quarantine file? + type: condition + version: -1 + taskid: acf62e77-11e5-4949-8063-586e57a33171 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 2570\n }\n}" + '26': + continueonerror: true + continueonerrortype: errorPath + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '27' + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_sha256} + file_path: + simple: ${PaloAltoNetworksXQL.GenericQuery.results.action_file_path} + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Quarantines a file on selected endpoints. 
+ id: c0cdf2a4-84df-438b-8bee-9dc890500d75 + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: c0cdf2a4-84df-438b-8bee-9dc890500d75 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -90,\n \"y\": 2750\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'The playbook was unable to quarantine the downloaded file due + to the following possible reasons: + + + - The file does not exist or has been moved to another location on the host. + + - The endpoint is currently disconnected. + + + Please take manual action to quarantine the downloaded file.' + id: 66b2d9ee-311b-4bb3-86fe-929cadc13445 + iscommand: false + name: "Manual action needed \u2013The file couldn't be quarantined" + type: regular + version: -1 + taskid: 66b2d9ee-311b-4bb3-86fe-929cadc13445 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -270,\n \"y\": 2930\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious certutil command line detected with a malicious URL. 
+ closeReason: + simple: True Positive - Resolved - Handled by the playbook "Suspicious certutil + command line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 1b8d7af5-3ecd-47d1-8045-8b73d535a9a9 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 1b8d7af5-3ecd-47d1-8045-8b73d535a9a9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 630,\n \"y\": 3110\n }\n}" + '3': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + root: foundIncidents.CustomFields + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '7' + Blocked: + - '62' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the alert's alerts for an alert that blocked the causality + using the agent. + id: 8fa2386e-0186-4377-860d-cfc35f5ddeed + iscommand: false + name: Was the causality blocked by another alert? 
+ type: condition + version: -1 + taskid: 8fa2386e-0186-4377-860d-cfc35f5ddeed + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -100\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6d6a776e-0551-429d-8feb-dea3d405ef0d + iscommand: false + name: Done + type: title + version: -1 + taskid: 6d6a776e-0551-429d-8feb-dea3d405ef0d + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 1580\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: "Suspicious certutil command line detected \u2013 the process has\ + \ been terminated." + closeReason: + simple: True Positive - Resolved - Handled by the playbook "Suspicious certutil + command line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: b8204b08-44a8-4820-8638-c5173fe4527c + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b8204b08-44a8-4820-8638-c5173fe4527c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 1420\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b164bebc-f532-4a72-8a64-598a6af3d307 + iscommand: false + name: Done + type: title + version: -1 + taskid: b164bebc-f532-4a72-8a64-598a6af3d307 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 630,\n \"y\": 3280\n }\n}" + '36': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + root: foundIncidents.CustomFields + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: BLOCKED + label: Terminated + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + Terminated: + - '37' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the alert's alerts for an alert that blocked the causality + using the agent. + id: 14cad4bf-d67a-4da9-8a8d-f808da7c291c + iscommand: false + name: Is the process has been terminate by the agent? + type: condition + version: -1 + taskid: 14cad4bf-d67a-4da9-8a8d-f808da7c291c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 710\n }\n}" + '37': + continueonerrortype: '' + form: + description: Blocking the URL is recommended, as its reputation is malicious. 
+ expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: "Should Block the following malicious URL using PAN-OS? \n- ${URL.Data}\ + \ " + options: [] + optionsarg: + - simple: 'No' + - simple: 'Yes' + placeholder: '' + readonly: false + required: false + tooltip: This will block URLs using Palo Alto Networks Panorama or Firewall + through Custom URL Categories. The playbook checks whether the input URL + category already exists, and if the URLs are a part of this category. Otherwise, + it will create the category, block the URLs, and commit the configuration. + type: singleSelect + sender: Your SOC team + title: UrlBlockApproval + totalanswers: 0 + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval is required to block the malicious URL. 
+ id: 4616c7a0-eb85-4ed3-82ec-f4417441326a + iscommand: false + name: Approve the URL block using PAN-OS + type: collection + version: -1 + taskid: 4616c7a0-eb85-4ed3-82ec-f4417441326a + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 890\n }\n}" + '38': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: UrlBlockApproval.Answers.0 + operator: isEqualString + right: + value: + simple: 'Yes' + label: Block URL Only + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '39' + Block URL Only: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the analyst's answers and execute the appropriate actions + based on the responses. + id: 280e1d4c-a22f-4e73-8c3e-c67e56c13f62 + iscommand: false + name: Check analyst answers + type: condition + version: -1 + taskid: 280e1d4c-a22f-4e73-8c3e-c67e56c13f62 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1030,\n \"y\": 1050\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 717f0868-d441-40d1-846e-21cee80f3f31 + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: 717f0868-d441-40d1-846e-21cee80f3f31 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1480,\n \"y\": 1265\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + key: + simple: QueryStartTime + value: + complex: + accessor: timestamp + root: alert + transformers: 
+ - args: + variation: + value: + simple: 5 min ago + operator: ModifyDateTime + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. + id: bac2669e-6936-476c-8171-176df095d438 + iscommand: false + name: 'Retrieve the query''s timeframe: start time' + scriptName: Set + type: regular + version: -1 + taskid: bac2669e-6936-476c-8171-176df095d438 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1600\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + key: + simple: QueryEndTime + value: + complex: + accessor: timestamp + root: alert + transformers: + - args: + variation: + value: + simple: 15 min after + operator: ModifyDateTime + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. 
+ id: fa3d50df-242b-4de5-8dcf-9b877439c9a3 + iscommand: false + name: 'Retrieve the query''s timeframe: end time' + scriptName: Set + type: regular + version: -1 + taskid: fa3d50df-242b-4de5-8dcf-9b877439c9a3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1760\n }\n}" + '45': + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 27452030-2116-4417-8cd8-a5fd4b716fe2 + iscommand: false + name: Done + type: title + version: -1 + taskid: 27452030-2116-4417-8cd8-a5fd4b716fe2 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": 70\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No indication of malicious activity was found + closeReason: + simple: Resolved - Handled by the playbook "Suspicious certutil command line" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: cfd56532-54ee-48d3-8dcd-bef9b0ad1eac + iscommand: true + name: Close Alert - No indication of malicious activity was found + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: cfd56532-54ee-48d3-8dcd-bef9b0ad1eac + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": -100\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: adb0f9eb-8a9c-47b0-89ea-52b000b7da5c + iscommand: false + name: No malicious activity was found + type: title + version: -1 + taskid: adb0f9eb-8a9c-47b0-89ea-52b000b7da5c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1310,\n \"y\": -230\n }\n}" + '48': + continueonerrortype: '' + id: '48' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '49' + - '51' + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cdab80be-bc03-417e-8d31-e9db2a80e52c + iscommand: false + name: Analysis + type: title + version: -1 + taskid: cdab80be-bc03-417e-8d31-e9db2a80e52c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -1050\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + process_name: + complex: + accessor: cgoname + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.osparentname + operator: append + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. 
+ id: 0c93af04-432d-4de1-801c-703a45330dc7 + iscommand: true + name: Check the processes prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: 0c93af04-432d-4de1-801c-703a45330dc7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 290,\n \"y\": -910\n }\n}" + '50': + continueonerrortype: '' + id: '50' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e8663374-f814-4699-863c-ca31c8594c9b + iscommand: false + name: Early Containment + type: title + version: -1 + taskid: e8663374-f814-4699-863c-ca31c8594c9b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -230\n }\n}" + '51': + continueonerrortype: '' + id: '51' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + command_line: + simple: ${alert.targetprocesscmd} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This script evaluates command-line threats by analyzing both original + and decoded inputs. It assigns weighted scores to detected patterns, such + as AMSI bypass or credential dumping, and applies risk combination bonuses + for multiple detections. The total score is normalized to a 0-100 scale, with + risk levels categorized as follows: + + + * 0-25: Low Risk + + * 26-50: Medium Risk + + * 51-90: High Risk + + * 91-100: Critical Risk + + + The scoring mechanism provides a comprehensive risk assessment, considering + both the severity and frequency of malicious behaviors.' 
+ id: 0c3bd267-8cc3-4946-82f2-636bcd174e35 + iscommand: false + name: Command Line Analysis + scriptName: CommandLineAnalysis + type: regular + version: -1 + taskid: 0c3bd267-8cc3-4946-82f2-636bcd174e35 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -910\n }\n}" + '52': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: url + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '39' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the URL reputation is malicious + id: 04eb7a8f-2192-48c7-8aa3-10e2aef1894c + iscommand: false + name: Is the URL reputation malicious? + type: condition + version: -1 + taskid: 04eb7a8f-2192-48c7-8aa3-10e2aef1894c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 380\n }\n}" + '54': + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. 
+ id: fb868f96-2f7d-43ab-86ee-b9723830ed39 + iscommand: true + name: 'Isolate Endpoint ' + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: fb868f96-2f7d-43ab-86ee-b9723830ed39 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -800,\n \"y\": 2165\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '57' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields is + concatenated using the AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of endpoints from the start + of the result set (start by counting from 0). + id: 71609f38-f610-4866-80bb-37f4c8f0fc10 + iscommand: true + name: Get endpoint info by endpoint ID + script: '|||core-get-endpoints' + type: regular + version: -1 + taskid: 71609f38-f610-4866-80bb-37f4c8f0fc10 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1785\n }\n}" + '57': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_type + root: Core.Endpoint + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: endpoint_status + root: Core.Endpoint + operator: isEqualString + right: + value: + simple: CONNECTED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_UNISOLATED + label: Isolate + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: 
Core.Endpoint.is_isolated + operator: isEqualString + right: + value: + simple: AGENT_ISOLATED + label: Already isolated + continueonerrortype: '' + id: '57' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '58' + Already isolated: + - '61' + Isolate: + - '54' + note: false + quietmode: 2 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determine whether to isolate the endpoint based on its status, + isolation state, and OS type. + id: 71f66172-4ea1-4a71-8780-bd4076aad0c2 + iscommand: false + name: Verify endpoint isn't isolated, disconnected, or a server + type: condition + version: -1 + taskid: 71f66172-4ea1-4a71-8780-bd4076aad0c2 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1950\n }\n}" + '58': + continueonerrortype: '' + id: '58' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook didn't isolate the following host: ${alert.hostname} \n\nThis\ + \ is due to one of the following reasons:\n- The device disconnected.\n- The\ + \ device has been identified as a server.\n\nPlease take manual action to\ + \ contain the attack and prevent the attacker from executing lateral movement\ + \ before closing this alert." 
+ id: 59b940e1-3fd4-4097-849e-d802fc89905a + iscommand: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: 59b940e1-3fd4-4097-849e-d802fc89905a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -1220,\n \"y\": 2165\n }\n}" + '59': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: RemediationApproval.Answers.2 + operator: isEqualString + right: + value: + simple: 'Yes' + label: 'yes' + continueonerrortype: '' + id: '59' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '61' + 'yes': + - '60' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the analyst's answers and execute the endpoint isolation + actions accordingly. + id: 9489508e-a58b-4a84-818c-77a4568bac1e + iscommand: false + name: Check analyst answer - Should isolate the endpoint? + type: condition + version: -1 + taskid: 9489508e-a58b-4a84-818c-77a4568bac1e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1420\n }\n}" + '60': + continueonerrortype: '' + id: '60' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '56' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check whether the values provided in arguments are equal. If either + of the arguments are missing, no is returned. 
+ id: 5c4337e3-822f-42fa-829c-121aec493d72 + iscommand: false + name: Isolate Endpoint + type: title + version: -1 + taskid: 5c4337e3-822f-42fa-829c-121aec493d72 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 1645\n }\n}" + '61': + continueonerrortype: '' + id: '61' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a5106cbd-6599-4e8e-86c0-fc3ee770aafa + iscommand: false + name: Close Alert + type: title + version: -1 + taskid: a5106cbd-6599-4e8e-86c0-fc3ee770aafa + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -570,\n \"y\": 2405\n }\n}" + '62': + continueonerrortype: '' + id: '62' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d5a64697-1494-4756-8755-76eeacff3e11 + iscommand: false + name: Verdict + type: title + version: -1 + taskid: d5a64697-1494-4756-8755-76eeacff3e11 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 250\n }\n}" + '7': + continueonerror: true + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '62' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available from Cortex + XSIAM 2.4. 
+ id: 0c3f09bd-ab2b-42d5-84f9-06399154c231 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 0c3f09bd-ab2b-42d5-84f9-06399154c231 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 530,\n \"y\": 70\n }\n}" + '8': + continueonerror: true + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + url: + simple: ${URL.Data} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Gets a URL category from URL filtering. + id: b23acb51-0803-4d17-848b-959f2109f375 + iscommand: true + name: Url Enrichment + script: '|||url' + type: regular + version: -1 + taskid: b23acb51-0803-4d17-848b-959f2109f375 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -590\n }\n}" + '9': + continueonerror: true + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + url: + simple: ${URL.Data} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Returns a verdict for a hash. 
+ id: da84030a-4f57-4045-8d71-595cd4e82f95 + iscommand: true + name: Get Wildfire Verdict for URL + script: '|||wildfire-get-verdict' + type: regular + version: -1 + taskid: da84030a-4f57-4045-8d71-595cd4e82f95 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 800,\n \"y\": -750\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_50_yes\": 0.43,\n \"17_14_Search\ + \ File and quarantine \\u0026 block url\": 0.4,\n \"17_15_Search File and Quarantine\"\ + : 0.71,\n \"17_16_Block URL Only\": 0.6,\n \"18_41_yes\": 0.37,\n \"21_22_yes\"\ + : 0.41,\n \"21_29_#default#\": 0.14,\n \"25_29_#default#\": 0.27,\n \"\ + 26_27_#error#\": 0.46,\n \"36_13_#default#\": 0.71,\n \"36_37_Terminated\"\ + : 0.54,\n \"38_16_Block URL Only\": 0.34,\n \"38_39_#default#\": 0.39,\n \ + \ \"3_62_Blocked\": 0.41,\n \"52_11_yes\": 0.58,\n \"57_54_Isolate\": 0.55,\n\ + \ \"57_58_#default#\": 0.61,\n \"59_60_yes\": 0.35,\n \"59_61_#default#\"\ + : 0.2\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 4525,\n \ + \ \"width\": 3080,\n \"x\": -1220,\n \"y\": -1180\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml new file mode 100644 index 000000000000..26780e79b4f9 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml 
@@ -0,0 +1,1245 @@ +description: "This playbook addresses the following alerts for linux os:\n\n- Suspicious\ + \ process execution from tmp folder\n- Suspicious interactive execution of a binary\ + \ from the tmp folder\n- Suspicious cron job task execution of a binary from the\ + \ tmp folder\n- A web server process executed an unpopular application from the\ + \ tmp folder\n\nPlaybook Stages:\n\nAnalysis:\n\n- Check target process hash reputation\n\ + - Check commandline extracted indicators reputation\n\nThe playbook will proceed\ + \ directly to remediation if suspicious/Suspicious reputation is found during the\ + \ analysis stage.\n\nInvestigation:\n\n- Search for the following suspicious insights/related\ + \ alerts:\n - Suspicious access to shadow file\n - UNIX LOLBIN process connected\ + \ to a rare external host\n - Persistence through service registration\n - Adding\ + \ execution privileges \n - Modification of systemd service files\n - Adding\ + \ execution privileges\n - Local account discovery\n\nIf no suspicious reputation\ + \ is found in the analysis stage, but suspicious insights/related alerts are discovered\ + \ during investigation, the playbook will then proceed to remediation.\n\nRemediation:\n\ + \n- Terminate causality process\n- Quarantine the Suspicious process image file\ + \ (requires manual approval).\n- Disable the suspicious cron job task (requires\ + \ manual action)." 
+fromversion: 8.8.0 +id: silent-Suspicious execution from tmp folder Test +inputs: [] +issilent: true +name: silent-Suspicious execution from tmp folder Test +outputs: [] +starttaskid: '0' +tags: +- T1564 - Hide Artifacts +- TA0005 - Defense Evasion +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '68' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cea27ec4-42b2-4967-8165-fdd29fb21804 + iscommand: false + name: '' + version: -1 + taskid: cea27ec4-42b2-4967-8165-fdd29fb21804 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": -230\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + file: + simple: ${alert.targetprocesssha256} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve results for a file hash using WildFire. 
+ id: 6806ade8-7ccd-44f7-8073-57a3f7de2e25 + iscommand: true + name: Check Target Process Hash Reputation + script: '|||file' + type: regular + version: -1 + taskid: 6806ade8-7ccd-44f7-8073-57a3f7de2e25 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 240\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '82' + note: false + quietmode: 0 + reputationcalc: 2 + scriptarguments: + text: + simple: ${alert.targetprocesscmd} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.extract.indicators + id: 56f2d28b-1c34-400d-8a2e-1e4358ef44fb + iscommand: true + name: Check if commandline includes IOC (IP,URL,Domain) + script: Builtin|||extractIndicators + type: regular + version: -1 + taskid: 56f2d28b-1c34-400d-8a2e-1e4358ef44fb + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 607.5,\n \"y\": 240\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2fae8c5a-874b-4817-8ed0-0d899778501f + iscommand: false + name: Analysis + type: title + version: -1 + taskid: 2fae8c5a-874b-4817-8ed0-0d899778501f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 95\n }\n}" + '36': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + root: DBotScore + transformers: + - operator: uniq + operator: greaterThanOrEqual + right: + value: + simple: '2' + label: 'yes' + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '38' + 'yes': + - '42' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if Suspicious reputation of IOC is found + id: fbda5eca-fb73-48e7-8e28-07a0f8b40f20 + iscommand: false + name: Suspicious reputation found? + type: condition + version: -1 + taskid: fbda5eca-fb73-48e7-8e28-07a0f8b40f20 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 730\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '81' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1c41c07d-ca89-4b1b-8500-ade4d697bc95 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 1c41c07d-ca89-4b1b-8500-ade4d697bc95 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 905\n }\n}" + '41': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + right: + value: {} + label: Results Found + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '64' + Results Found: + - '42' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if related alerts or insights have been found + id: 47253db0-8d02-4ef1-8255-684ab6c93ba3 + iscommand: false + name: Check if related alerts found + type: condition + version: -1 + taskid: 47253db0-8d02-4ef1-8255-684ab6c93ba3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 1225\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '69' + - '70' + - '72' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: '' + id: 0e985a6e-740e-4ed0-8810-8b9d1e76fae9 + iscommand: false + name: Set Context for Remediation + type: title + version: -1 + taskid: 0e985a6e-740e-4ed0-8810-8b9d1e76fae9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1400\n }\n}" + '46': + continueonerror: true + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '51' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.actionprocessinstanceid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. + id: ff8cc7f0-5ce7-4293-8352-2dfc99d17b19 + iscommand: true + name: Terminate Causality - Action Process + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: ff8cc7f0-5ce7-4293-8352-2dfc99d17b19 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1875\n }\n}" + '51': + continueonerrortype: '' + id: '51' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '52' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ecc1c6ad-a79a-42e4-8a63-bd2cfea14a6b + iscommand: false + name: Quarantine file + type: title + version: -1 + taskid: ecc1c6ad-a79a-42e4-8a63-bd2cfea14a6b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 2090\n }\n}" + '52': + continueonerror: true + continueonerrortype: '' + id: '52' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '54' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} 
+ file_hash: + simple: ${SuspiciousFileHash} + file_path: + simple: ${SuspiciousFilePath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. + id: 4ddee1dc-2c8a-4ab0-8694-b46e6f5dd041 + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: 4ddee1dc-2c8a-4ab0-8694-b46e6f5dd041 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 2230\n }\n}" + '53': + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: {} + cc: null + format: '' + methods: [] + replyOptions: + - Quarantine + - No Quarantine + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + No Quarantine: + - '57' + Quarantine: + - '55' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\nShould we perform quarantine of the Suspicious\ + \ file?\n\nfile name: ${SuspiciousFileName}\n\nfile hash: \n${SuspiciousFileHash}\n" + id: 94f8d78a-43ad-4af0-8d77-fe665c805bf8 + iscommand: false + name: Analyst approval for quarantine the Suspicious file + type: condition + version: -1 + taskid: 94f8d78a-43ad-4af0-8d77-fe665c805bf8 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 2560\n }\n}" + '54': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: status + root: Core.quarantineFiles.status + operator: isEqualString + right: + value: + simple: 'false' + label: 'yes' + continueonerrortype: '' + id: '54' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '57' + 'yes': + - '53' + note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + status and the successful calculation of the file hash. + id: 61ac8ab9-6cda-4602-8301-9abdda537429 + iscommand: false + name: Check if file already quarantined + type: condition + version: -1 + taskid: 61ac8ab9-6cda-4602-8301-9abdda537429 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 2390\n }\n}" + '55': + continueonerror: true + continueonerrortype: errorPath + id: '55' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '56' + '#none#': + - '57' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: ${SuspiciousFileHash} + file_path: + simple: ${SuspiciousFilePath} + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Quarantines a file on selected endpoints. + id: bcf632e2-5875-405e-8b3d-6e4b2741a9be + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: bcf632e2-5875-405e-8b3d-6e4b2741a9be + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -2.5,\n \"y\": 2745\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '57' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook was unable to quarantine the Suspicious file due to the following + possible reasons: + + + - The file is not located on the local host. + + - The endpoint is currently disconnected. + + - The hash calculation was unsuccessful. 
+ + + Please take manual action to terminate the causality process if needed and + quarantine the file.' + id: b97f5f22-2648-4924-8f0d-69f008fe4016 + iscommand: false + name: "Manual action needed \u2013 Suspicious file couldn't be quarantined" + type: regular + version: -1 + taskid: b97f5f22-2648-4924-8f0d-69f008fe4016 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -250,\n \"y\": 2930\n }\n}" + '57': + continueonerrortype: '' + id: '57' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a1f32319-1571-4677-89c3-a2655fb312e9 + iscommand: false + name: Quarantine file - Done + type: title + version: -1 + taskid: a1f32319-1571-4677-89c3-a2655fb312e9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 3110\n }\n}" + '64': + continueonerrortype: '' + id: '64' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '65' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e465edf9-54cf-4194-802f-2f0e31bf146c + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: e465edf9-54cf-4194-802f-2f0e31bf146c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1290,\n \"y\": 1400\n }\n}" + '65': + continueonerrortype: '' + id: '65' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '67' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: False Positive + closeReason: + simple: Resolved - Handled by the playbook "Suspicious execution from tmp + folder" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 
b516acfc-89ed-44ae-8e33-8ddcac4d7d4c + iscommand: true + name: Close Alert - False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b516acfc-89ed-44ae-8e33-8ddcac4d7d4c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1290,\n \"y\": 3295\n }\n}" + '66': + continueonerrortype: '' + id: '66' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '67' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Suspicious binary execution from /tmp directory detected + closeReason: + simple: Resolved - Handled by the playbook "Suspicious execution from tmp + folder" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: 49799f5d-bcfd-4046-84a4-eace34fdd6dd + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 49799f5d-bcfd-4046-84a4-eace34fdd6dd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 3265\n }\n}" + '67': + continueonerrortype: '' + id: '67' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e469c38e-c8cb-444f-86be-daa3870639e2 + iscommand: false + name: Done + type: title + version: -1 + taskid: e469c38e-c8cb-444f-86be-daa3870639e2 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 3470\n }\n}" + '68': + continueonerrortype: '' + id: '68' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '35' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + 
description: Returns information about each alert ID. + id: f0423588-d2cb-4a29-8ec9-2e8db1521c51 + iscommand: true + name: Get action process image file path + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: f0423588-d2cb-4a29-8ec9-2e8db1521c51 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": -100\n }\n}" + '69': + continueonerrortype: '' + id: '69' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '71' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousFileHash + value: + complex: + accessor: targetprocesssha256 + root: alert + transformers: + - operator: JoinIfSingleElementOnly + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 7f5616f0-c5d3-42e3-888d-5abbc771d15f + iscommand: false + name: Set Suspicious File Hash to Context + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 7f5616f0-c5d3-42e3-888d-5abbc771d15f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 810,\n \"y\": 1540\n }\n}" + '70': + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + 
nexttasks: + '#none#': + - '71' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousFilePath + value: + simple: ${Core.OriginalAlert.event.action_process_image_path} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 5c009948-4810-4ae2-8863-6567a72a2141 + iscommand: false + name: Set Suspicious File Path to Context + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 5c009948-4810-4ae2-8863-6567a72a2141 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -60,\n \"y\": 1540\n }\n}" + '71': + continueonerrortype: '' + id: '71' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + - '78' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 50a216fa-340b-4a92-8ddb-b36f2e53110c + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 50a216fa-340b-4a92-8ddb-b36f2e53110c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1710\n }\n}" + '72': + continueonerrortype: '' + id: '72' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + 
'#none#': + - '71' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousFileName + value: + complex: + accessor: targetprocessname + root: alert + transformers: + - operator: JoinIfSingleElementOnly + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: 9e2e71c9-af8d-491c-8e0e-d7a12c97332f + iscommand: false + name: Set Suspicious File Name to Context + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: 9e2e71c9-af8d-491c-8e0e-d7a12c97332f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 377.5,\n \"y\": 1540\n }\n}" + '73': + continueonerrortype: '' + id: '73' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the investigation process, the Suspicious process was found to be executed + by a cronjob. + + + To complete all remediation steps, please consider disabling the Suspicious + cronjob manually, in addition to the automatic remediation steps. 
+ + + Suspicious Process: ${SuspiciousFileName} + + + Suspicious Cronjob: ${SuspiciousCronjob}' + id: 6544b144-25f7-454f-80b5-0b93b555971e + iscommand: false + name: Disable Cronjob Manually + type: regular + version: -1 + taskid: 6544b144-25f7-454f-80b5-0b93b555971e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 3080\n }\n}" + '74': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: alert.name + operator: containsString + right: + value: + simple: cron job + label: 'yes' + continueonerrortype: '' + id: '74' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '67' + 'yes': + - '75' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if alert is the cronjob variant. + id: 8dbf40b2-645f-417f-89f3-b31dc85d2279 + iscommand: false + name: Check if cronjob alert + type: condition + version: -1 + taskid: 8dbf40b2-645f-417f-89f3-b31dc85d2279 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2090\n }\n}" + '75': + continueonerrortype: '' + id: '75' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: crontab -u ${alert.username.[0]} -l + endpoint_ids: + simple: ${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate a new endpoint script execution of shell commands. 
+ id: d26c72fe-2f3b-4e52-80b5-85e11df5c807 + iscommand: true + name: Get user's crontab from endpoint + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: d26c72fe-2f3b-4e52-80b5-85e11df5c807 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2435\n }\n}" + '76': + continueonerrortype: '' + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '77' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 86dec972-9b2e-4b9b-8437-eb9de637fff1 + iscommand: true + name: Get action results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 86dec972-9b2e-4b9b-8437-eb9de637fff1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2655\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '73' + note: false + quietmode: 0 + scriptarguments: + key: + simple: SuspiciousCronjob + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: SuspiciousFileName + - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + iscontext: true + value: + simple: SuspiciousFilePath + - - left: + iscontext: true + value: + simple: Core.ScriptResult.results.command_output + operator: containsGeneral + right: + value: + simple: /tmp + root: Core.ScriptResult.results.command_output + transformers: + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Set a 
value in context under the key you entered. If no value\ + \ is entered, the script doesn't do anything.\n\nThis automation runs using\ + \ the default Limited User role, unless you explicitly change the permissions.\n\ + For more information, see the section about permissions here:\n- For Cortex\ + \ XSOAR 6.x, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations\ + \ \n- For Cortex XSOAR 8 Cloud, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script\n\ + - For Cortex XSOAR On-prem, see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script" + id: b37c4f99-d410-4337-8155-23cb450132be + iscommand: false + name: Locate the Suspicious cronjob in crontab + scriptName: SetAndHandleEmpty + type: regular + version: -1 + taskid: b37c4f99-d410-4337-8155-23cb450132be + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 2855\n }\n}" + '78': + continueonerrortype: '' + id: '78' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '74' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5cb64b48-ebd2-49cf-8bc7-67c4f9d3aa05 + iscommand: false + name: Cronjob Remediation + type: title + version: -1 + taskid: 5cb64b48-ebd2-49cf-8bc7-67c4f9d3aa05 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 927.5,\n \"y\": 1855\n }\n}" + '81': + continueonerrortype: '' + id: '81' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 2 hours ago + includeinformational: + simple: 'true' + query: + simple: 'agentid:${alert.agentid} AND (name: "Suspicious access to shadow + file" or name: "UNIX LOLBIN process connected to a 
rare external host" + or name: "Persistence through service registration" or name: "Adding execution + privileges" or name: "Modification of systemd service files" or name: "Adding + execution privileges" or name: "Local account discovery")' + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for Cortex XSIAM suspicious alerts related + to the current alert by Mitre Technique, indicating that the alert is part + of an attack pattern. + + + Focus on identifying alerts associated with the following MITRE techniques: + + - Any Agent Alerts within this alert. + + - T1059 - Command and Scripting Interpreter.' + id: 649b563c-6f47-4dab-88ff-691f4c9d71a5 + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 649b563c-6f47-4dab-88ff-691f4c9d71a5 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 827.5,\n \"y\": 1050\n }\n}" + '82': + continueonerrortype: '' + id: '82' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '36' + note: false + quietmode: 0 + scriptarguments: + CVE: + complex: + accessor: ID + root: CVE + Domain: + complex: + accessor: Name + root: Domain + transformers: + - operator: uniq + Email: + complex: + accessor: Email.Address + root: Account + transformers: + - operator: uniq + Hostname: + complex: + accessor: Hostname + root: Endpoint + transformers: + - operator: uniq + IP: + complex: + accessor: Address + root: IP + transformers: + - operator: uniq + InternalRange: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: 
RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join + MD5: + complex: + accessor: MD5 + root: File + transformers: + - operator: uniq + ResolveIP: + simple: 'False' + SHA1: + complex: + accessor: SHA1 + root: File + transformers: + - operator: uniq + SHA256: + complex: + accessor: SHA256 + root: File + transformers: + - operator: uniq + URL: + complex: + accessor: Data + root: URL + transformers: + - operator: uniq + URLSSLVerification: + simple: 'False' + UseReputationCommand: + simple: 'False' + Username: + complex: + accessor: Username + root: Account + transformers: + - operator: uniq + separatecontext: true + skipunavailable: false + task: + brand: '' + description: '' + id: e5de4f38-3bf6-44f0-8201-33290ea15e58 + iscommand: false + name: Entity Enrichment - Generic v3 + playbookName: Entity Enrichment - Generic v3 + type: playbook + version: -1 + taskid: e5de4f38-3bf6-44f0-8201-33290ea15e58 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 607.5,\n \"y\": 440\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"36_38_#default#\": 0.33,\n \"36_42_yes\"\ + : 0.37,\n \"53_57_No Quarantine\": 0.38,\n \"74_67_#default#\": 0.15\n },\n\ + \ \"paper\": {\n \"dimensions\": {\n \"height\": 3765,\n \"width\"\ + : 1920,\n \"x\": -250,\n \"y\": -230\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml new file mode 100644 index 000000000000..b96bb272f1e3 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml 
@@ -0,0 +1,797 @@ +description: 'This playbook handles "Suspicious process execution by scheduled task + on a sensitive server" alerts. + + + Playbook Stages: + + + Analysis: + + + - Checks the suspicious process reputation. + + + Investigation: + + + - Searches for related XSIAM agent alerts to identify any malicious activity on + the server. + + + Remediation: + + + If the suspicious process reputation is malicious, or if a related alert is found, + the following remediation actions will be taken: + + + - Disable the scheduled task responsible for executing the process. + + - Terminate the malicious process. + + - Automatically Close the alert.' +fromversion: 8.8.0 +id: silent-Suspicious process execution by scheduled task on a sensitive server Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Suspicious process execution by scheduled task on a sensitive server + Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '43' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -220\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n 
\"position\": {\n \"x\": 450,\n \"y\": 205\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Suspicious process execution by + scheduled task on a sensitive server" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 408e1d97-c97e-439e-80d9-c4a4e8b20cfa + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 408e1d97-c97e-439e-80d9-c4a4e8b20cfa + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2380\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8d184163-2d17-405f-8c45-17395f67790f + iscommand: false + name: Done + type: title + version: -1 + taskid: 8d184163-2d17-405f-8c45-17395f67790f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2550\n }\n}" + '2': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.targetprocesssha256 + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '6' + 'yes': + - '3' + note: false + quietmode: 0 + 
separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict based on the process reputation. + + ' + id: 2d5e9ca0-0a58-419b-809f-408f67e88427 + iscommand: false + name: Check if the process has a malicious reputation + type: condition + version: -1 + taskid: 2d5e9ca0-0a58-419b-809f-408f67e88427 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 340\n }\n}" + '21': + continueonerror: true + continueonerrortype: errorPath + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '37' + '#none#': + - '40' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell -Command "$ActionPath = '${alert.targetprocesscmd.[0]}'; + $tasks = Get-ScheduledTask | Where-Object { $_.Actions | Where-Object { + $_.Execute -eq $ActionPath } }; if ($tasks -or $tasks.Count -gt 0) { $tasks + | ForEach-Object { Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName + $_.TaskName; Write-Host 'The task ' + $_.TaskName + ' has been disabled + successfully.' } } else { Write-Host 'No tasks found running the action + at ' + $ActionPath }" + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'The script locates and disables the malicious scheduled task. + + ' + id: 4441878b-6246-43e1-89e9-2d39529ab7d1 + iscommand: true + name: Run script to locate and disable the malicious scheduled task. 
+ script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 4441878b-6246-43e1-89e9-2d39529ab7d1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1200\n }\n}" + '27': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.actionprocessinstanceid + root: foundIncidents.CustomFields + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '29' + Blocked: + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the incident's alerts for an alert that blocked the causality + using the agent. + id: c949acc9-c497-4818-8560-69c5c4044f39 + iscommand: false + name: Check if the causality was blocked by the agent + type: condition + version: -1 + taskid: c949acc9-c497-4818-8560-69c5c4044f39 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1870\n }\n}" + '29': + continueonerror: true + continueonerrortype: errorPath + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '38' + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.actionprocessinstanceid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + XSIAM 2.4. 
+ id: a6a1e05b-54c2-4fbd-891c-4089c958040d + iscommand: true + name: Terminate Causality - Action Process + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: a6a1e05b-54c2-4fbd-891c-4089c958040d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 2040\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1070\n }\n}" + '37': + continueonerrortype: '' + id: '37' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook did not successfully disable the scheduled task responsible for + executing the suspicious process. 
+ + + Please manually identify and disable the scheduled task with the following + execution path: ${alert.targetprocesscmd.[0]}' + id: 17d5b08e-68f9-4099-8de8-29df0394f8f9 + iscommand: false + name: Disable the malicious scheduled task manually + type: regular + version: -1 + taskid: 17d5b08e-68f9-4099-8de8-29df0394f8f9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 1700\n }\n}" + '38': + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook couldn''t terminate the process: ${alert.targetprocessname} + + + Please terminate the process manually if possible. ' + id: 95f5747a-f209-47b2-855c-9035ae5fa433 + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 95f5747a-f209-47b2-855c-9035ae5fa433 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 20,\n \"y\": 2210\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + scriptarguments: + file: + simple: ${alert.targetprocesssha256} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the file reputation of the specified hash. 
+ id: 1e47b57c-e541-4f30-8de2-d17a7d4d22ed + iscommand: true + name: Check the process reputation + script: '|||file' + type: regular + version: -1 + taskid: 1e47b57c-e541-4f30-8de2-d17a7d4d22ed + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 40\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '41' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: 684f7170-5892-477b-8eae-47b5d3143493 + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: 684f7170-5892-477b-8eae-47b5d3143493 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1370\n }\n}" + '41': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: '--------' + label: 'yes' + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '37' + 'yes': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 729a62c7-ddec-4f8f-829b-0ea4266ca887 + iscommand: false + name: Has the script disabled the task successfully? 
+ type: condition + version: -1 + taskid: 729a62c7-ddec-4f8f-829b-0ea4266ca887 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1530\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 66bdcd2f-9d8b-435a-8b3a-b2896c694ac1 + iscommand: false + name: Done + type: title + version: -1 + taskid: 66bdcd2f-9d8b-435a-8b3a-b2896c694ac1 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 1360\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '39' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: edb87387-6638-4845-84b3-ead6433e8f54 + iscommand: false + name: Analysis + type: title + version: -1 + taskid: edb87387-6638-4845-84b3-ead6433e8f54 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -90\n }\n}" + '44': + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Dear Analyst, + + + The playbook did not identify any related alerts indicating malicious process + execution, and the file reputation is not flagged as malicious. + + + Please review the alert to determine if remediation actions are necessary, + such as disabling the scheduled task and terminating the process, or if + the alert should be closed as a false positive. 
+ + ' + cc: null + format: '' + methods: [] + replyOptions: + - Remediation + - False Positive + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + False Positive: + - '5' + Remediation: + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst review is required to determine whether to take remediation + actions, such as disabling the scheduled task and terminating the process + if malicious, or to close the alert as a false positive. + id: 2d8044c7-5bce-4043-84f2-5044da195500 + iscommand: false + name: Analyst decision to proceed with remediation actions + type: condition + version: -1 + taskid: 2d8044c7-5bce-4043-84f2-5044da195500 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 880,\n \"y\": 880\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: False Positive + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 1070\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + 
description: 'This task searches for Cortex XSIAM related alerts to the current + incident. + + ' + id: 1af6e23e-8c24-4a76-8cc8-7959b9b6fb1f + iscommand: false + name: Get Incident related alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 1af6e23e-8c24-4a76-8cc8-7959b9b6fb1f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 720,\n \"y\": 525\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.sourceBrand + operator: isEqualString + right: + value: + simple: TRAPS + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.categoryname + operator: isEqualString + right: + value: + simple: Malware + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '44' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the alert contains agent alerts indicating that + the alert was part of an attack pattern. + id: 8f551570-3805-49d7-879a-cae5facbe566 + iscommand: false + name: Found any alerts indicating a malicious process execution? 
+ type: condition + version: -1 + taskid: 8f551570-3805-49d7-879a-cae5facbe566 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 720,\n \"y\": 690\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '42' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: False Positive + closeReason: + simple: Resolved - Handled by the playbook "Suspicious process execution by + scheduled task on a sensitive server" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 4ddeb53e-ca31-47cf-8a68-30b6fd21e81c + iscommand: true + name: Close Alert - False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 4ddeb53e-ca31-47cf-8a68-30b6fd21e81c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1200,\n \"y\": 1200\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"21_37_#error#\": 0.53,\n \"27_13_Blocked\"\ + : 0.34,\n \"29_38_#error#\": 0.49,\n \"2_3_yes\": 0.29,\n \"41_27_yes\"\ + : 0.4,\n \"44_3_Remediation\": 0.39,\n \"44_5_False Positive\": 0.4,\n \ + \ \"8_3_yes\": 0.49,\n \"8_44_#default#\": 0.59\n },\n \"paper\": {\n \"\ + dimensions\": {\n \"height\": 2835,\n \"width\": 1560,\n \"x\": 20,\n\ + \ \"y\": -220\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml new file mode 100644 index 000000000000..1eaa9ab12ea5 --- /dev/null 
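Review bot: In task '21' the alert field `${alert.targetprocesscmd.[0]}` is spliced verbatim into a single-quoted PowerShell literal (`$ActionPath = '${alert.targetprocesscmd.[0]}'`) that is then executed on the endpoint through `core-run-script-execute-commands`; that field is the command line of the suspicious process itself, so a value containing a `'` or `;` would terminate the literal and the remainder would run as part of the remediation script on the host. Escape embedded single quotes before interpolation (PowerShell doubles them inside `'…'`), or better compare against a value the playbook derives on its own rather than the raw command line. Separately, `$_.Execute -eq $ActionPath` compares a scheduled-task action's executable path with what looks like a full command line; if `targetprocesscmd` carries arguments the match presumably never succeeds and every run falls through to the manual task '37', so confirm which field is intended (the image path, for instance) before relying on the automatic disable. Minor: the `description` of tasks '13' and '9' is the raw key `commands.local.cmd.close.inv`, whereas the sibling playbook earlier in this patch uses `Close the current alert.` for the same built-in command.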
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml 
@@ -0,0 +1,840 @@ +description: "This playbook addresses the following alerts:\n \n- Uncommon creation\ + \ or access operation of sensitive shadow copy by a high-risk process\n \nPlaybook\ + \ Stages:\n \nTriage: \n \n- Check if the causality process image (CGO) is signed\ + \ or not\n \nInvestigation:\n \n- If CGO is unsigned:\n - Check the CGO process\ + \ prevalence\n - Check if the process image path is common\n- If CGO is signed:\n\ + \ - Check process image name\n - Check initiating process image name\n - Check\ + \ if username is SYSTEM\n - Check if host is a server\n - Check for previous similar\ + \ alert closed as False Positive\n \nContainment:\n \n- Terminate causality process\ + \ (CGO) process - when a signed high-risk process or an unsigned process from an\ + \ uncommon path attempting to create or access sensitive shadow copy data." +fromversion: 8.8.0 +id: silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk + process Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk + process Test +outputs: [] +starttaskid: '0' +tags: +- T1003 - OS Credential Dumping +- TA0006 - Credential Access +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 702ceef5-880a-4344-8843-15c70b9f776f + iscommand: false + name: '' + version: -1 + taskid: 702ceef5-880a-4344-8843-15c70b9f776f + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": -385\n }\n}" + '10': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: VSSVC.exe + - - ignorecase: true + left: + iscontext: 
true + value: + simple: alert.username + operator: containsString + right: + value: + simple: SYSTEM + label: 'yes' + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + 'yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 94c093a8-954a-4f10-85ef-1d1d6722367c + iscommand: false + name: Check actor_process_image_name VSSVC.exe & username SYSTEM + type: condition + version: -1 + taskid: 94c093a8-954a-4f10-85ef-1d1d6722367c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 555\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d79d5426-6060-414b-8771-82dab80acfb8 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: d79d5426-6060-414b-8771-82dab80acfb8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 1110\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fa876d07-2376-4c1b-8c18-65a7cd3d512e + iscommand: false + name: Inconclusive + type: title + version: -1 + taskid: fa876d07-2376-4c1b-8c18-65a7cd3d512e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 1090\n }\n}" + '13': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: mmc.exe + - - ignorecase: true + left: + iscontext: 
true + value: + simple: alert.agentossubtype + operator: containsString + right: + value: + simple: Server + label: 'yes' + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '15' + 'yes': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6775c20-09f1-42a1-86dd-edcf030bf185 + iscommand: false + name: Check CGO image name is mmc.exe & OS is server + type: condition + version: -1 + taskid: b6775c20-09f1-42a1-86dd-edcf030bf185 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 385\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 4e71e24a-0071-4d1c-8b0e-aba35683d33f + iscommand: false + name: Common False Positive behavior + type: title + version: -1 + taskid: 4e71e24a-0071-4d1c-8b0e-aba35683d33f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 1090\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e2cb2f95-a439-4b77-871b-5104add62100 + iscommand: false + name: Inconclusive + type: title + version: -1 + taskid: e2cb2f95-a439-4b77-871b-5104add62100 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 555\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '11' + note: false + quietmode: 0 + separatecontext: false + 
skipunavailable: false + task: + brand: '' + description: '' + id: a1588134-cd1e-4479-884a-66526f8f2604 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: a1588134-cd1e-4479-884a-66526f8f2604 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 860\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. + id: 4716fbae-6a4a-44ff-8abd-46cc28455231 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 4716fbae-6a4a-44ff-8abd-46cc28455231 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 70\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Found common false positive behavior or previous similar alerts closed + as False Positive. 
+ closeReason: + simple: Resolved - Handled by the playbook "Uncommon creation or access operation + of sensitive shadow copy by a high-risk process" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 654152a7-b8e4-4d43-8a75-fc1153122d9f + iscommand: true + name: Close Alert - False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 654152a7-b8e4-4d43-8a75-fc1153122d9f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 1230\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 483ab1ce-e4ce-4a97-8952-22d5be91e79e + iscommand: false + name: Done + type: title + version: -1 + taskid: 483ab1ce-e4ce-4a97-8952-22d5be91e79e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 512.5,\n \"y\": 1760\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '19' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious Process attempted to create or access ShadowCopy + closeReason: + simple: Resolved - Handled by the playbook "Suspicious access to shadow file" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: 3dc743ae-6b2f-40e2-8186-3cc1c120a50d + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 3dc743ae-6b2f-40e2-8186-3cc1c120a50d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 1590\n }\n}" + '26': + continueonerror: true + continueonerrortype: errorPath + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '27' + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. + id: 17338ce2-c9a1-4e55-89d8-c380573be240 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 17338ce2-c9a1-4e55-89d8-c380573be240 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 107.5,\n \"y\": 1240\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process, the playbook failed to terminate the causality + process: ${alert.cgoname} + + Please investigate this before closing this alert. 
+ + ' + id: 2ed915fc-31b3-4f83-84d2-e9a0e2f08c83 + iscommand: false + name: Terminate Causality Process Manually + type: regular + version: -1 + taskid: 2ed915fc-31b3-4f83-84d2-e9a0e2f08c83 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -110,\n \"y\": 1420\n }\n}" + '28': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatorpath + operator: notContainsString + right: + value: + simple: C:\Program Files + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatorpath + operator: notContainsString + right: + value: + simple: C:\Windows + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: Uncommon-Path + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '15' + Uncommon-Path: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: cf4eaf8d-b284-4184-82b0-c23a4e624c86 + iscommand: false + name: Check if process path is common & causality process is prevalent + type: condition + version: -1 + taskid: cf4eaf8d-b284-4184-82b0-c23a4e624c86 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 385\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '30' + note: false + quietmode: 2 + scriptarguments: + fromdate: + simple: 30 days ago + name: + simple: ${alert.name} + query: + simple: name:"Uncommon creation or access operation of sensitive shadow copy + by a high-risk process" and resolution_status:*False*Positive* and cgo_name:${alert.cgoname.[0]} + and initiatedby:${alert.initiatedby.[0]} + separatecontext: false + skipunavailable: 
false + task: + brand: '' + description: 'Finds past similar alerts based on alert fields'' similarity. + + ' + id: 9f7dc92f-e3a0-4293-83e8-9a3c8151ebc9 + iscommand: false + name: Check if Previous Similar Alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 9f7dc92f-e3a0-4293-83e8-9a3c8151ebc9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 685\n }\n}" + '30': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + 'yes': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 21611b1a-4209-446e-83c9-26a2765062b1 + iscommand: false + name: Check if Previous Alerts Closed as False Positive + type: condition + version: -1 + taskid: 21611b1a-4209-446e-83c9-26a2765062b1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 915,\n \"y\": 845\n }\n}" + '31': + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b9a90c8e-ca78-4778-80ff-a9d845994475 + iscommand: false + name: Triage + type: title + version: -1 + taskid: b9a90c8e-ca78-4778-80ff-a9d845994475 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": -240\n }\n}" + '32': + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + scriptarguments: + process_name: + simple: ${alert.cgoname} + separatecontext: false + skipunavailable: false + task: + 
brand: '' + description: Get the prevalence of a process, identified by process_name. + id: fca6bd1f-3bac-4832-8590-38184d577db3 + iscommand: true + name: Get Causality process prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: fca6bd1f-3bac-4832-8590-38184d577db3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1330,\n \"y\": 210\n }\n}" + '33': + continueonerrortype: '' + id: '33' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b289c1f0-975c-4375-8359-6da2b9599a77 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: b289c1f0-975c-4375-8359-6da2b9599a77 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 70\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: CGO-Signed + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '17' + CGO-Signed: + - '33' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8c57cacd-97c2-424a-827d-c38fb9eaf53d + iscommand: false + name: Check if CGO is signed + type: condition + version: -1 + taskid: 8c57cacd-97c2-424a-827d-c38fb9eaf53d + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 705,\n \"y\": -105\n }\n}" + '7': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: powershell.exe + label: powershell.exe + - condition: + - - ignorecase: true + left: + 
iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: cmd.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: isEqualString + right: + value: + simple: rundll32.exe + label: cmd.exe|rundll32.exe + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + cmd.exe|rundll32.exe: + - '10' + powershell.exe: + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: a297376c-f25a-4276-8808-f4d82539a7a9 + iscommand: false + name: Check CGO image name + type: condition + version: -1 + taskid: a297376c-f25a-4276-8808-f4d82539a7a9 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 110,\n \"y\": 210\n }\n}" + '9': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: powershell.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: cmd.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: esentutl.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.initiatedby + operator: isEqualString + right: + value: + simple: ntdsutil.exe + label: powershell.exe|ntdsutil.exe|esentutl.exe|cmd.exe + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '10' + powershell.exe|ntdsutil.exe|esentutl.exe|cmd.exe: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 972c8b30-67cc-4544-8206-347b4eae0170 + iscommand: false + name: Check 
actor_process_image_name + type: condition + version: -1 + taskid: 972c8b30-67cc-4544-8206-347b4eae0170 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -210,\n \"y\": 385\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_yes\": 0.38,\n \"10_12_#default#\"\ + : 0.4,\n \"26_27_#error#\": 0.57,\n \"30_12_#default#\": 0.33,\n \"7_10_cmd.exe|rundll32.exe\"\ + : 0.42,\n \"7_13_#default#\": 0.51,\n \"7_9_powershell.exe\": 0.65,\n \"\ + 9_11_powershell.exe|ntdsutil.exe|esentutl.exe|cmd.exe\": 0.34\n },\n \"paper\"\ + : {\n \"dimensions\": {\n \"height\": 2210,\n \"width\": 1920,\n \ + \ \"x\": -210,\n \"y\": -385\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml new file mode 100644 index 000000000000..33b879b90464 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml 
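Review bot: Task '24' closes the alert with closeReason `Resolved - Handled by the playbook "Suspicious access to shadow file"`, which names a different playbook than task '18' and the file itself; it should read `Resolved - Handled by the playbook "Uncommon creation or access operation of sensitive shadow copy by a high-risk process"`. Task '6', named "Check if CGO is signed", evaluates `alert.osparentsignature`, whereas the ODBCConf playbook in the next hunk keys the same check on `alert.cgosignature`; if the causality process signature is the intended field, the signed/unsigned split here is driven by the wrong process. In task '28' the `notContainsString` tests on `C:\Program Files` and `C:\Windows` match every subpath under those trees, so the "common path" test is looser than the description suggests; matching the specific system directories would tighten it. Task '17' is a title task but carries the description copied from task '32' (`Get the prevalence of a process, identified by process_name.`), which should be emptied like the other title tasks.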
@@ -0,0 +1,634 @@ +contentitemexportablefields: + contentitemfields: {} +description: "This playbook handles \"Uncommon execution of ODBCConf\" alerts.\n\n\ + Playbook Stages:\n\nAnalysis:\nDuring the analysis, the playbook will perform the\ + \ following:\n\n- Checks if the causality process (CGO) is signed and prevalent.\n\ + - Checks for the host's risk score.\n\nIf the CGO process is not signed and not\ + \ prevalent, or if either of these conditions is met in addition to having a high-risk\ + \ score, the playbook proceeds with remediation actions. Otherwise, it will continue\ + \ to the investigation phase.\n\nInvestigation:\nDuring the alert investigation,\ + \ the playbook will perform the following:\n\nSearches for related Cortex XSIAM\ + \ alerts and insights on the same causalities chains by specific alert names : \ + \ \n- Evasion Technique - 3048798454\n- An uncommon LOLBIN added to startup-related\ + \ Registry keys\n- Behavioral Threat\n- An uncommon file was created in the startup\ + \ folder\n- Unsigned process running from a temporary directory\n- Execution From\ + \ a Restricted Location\n- Execution of an uncommon process with a local/domain\ + \ user SID at an early startup stage by Windows system binary - Explorer CGO\n\n\ + The playbook determines the appropriate verdict. If related alerts are found, it\ + \ proceeds to remediation actions. In case of related insights are found ,and one\ + \ of the following is met: the host score is listed as high or the CGO process is\ + \ not prevalent, it will proceed to remediation actions. Otherwise, it closes the\ + \ alert with the following message: \"No indication of malicious activity was found\"\ + .\n\n\nRemediation: \n\n- Automatically terminate the causality process.\n- Automatically\ + \ Close the alert." 
+fromversion: 8.8.0 +id: silent-Uncommon execution of ODBCConf Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Uncommon execution of ODBCConf Test +outputs: [] +starttaskid: '0' +system: true +tags: +- 'T1218.008 - System Binary Proxy Execution: Odbcconf' +- TA0005 - Defense Evasion +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ccc98587-c43d-4666-8b85-c27092f73e1a + iscommand: false + name: '' + version: -1 + taskid: ccc98587-c43d-4666-8b85-c27092f73e1a + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -190\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + process_name: + simple: ${alert.cgoname} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by the process_name. 
+ id: d6d828b0-4213-478a-84e4-56ab20a4ce74 + iscommand: true + name: Check if the causality process is prevalent + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: d6d828b0-4213-478a-84e4-56ab20a4ce74 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": -52\n }\n}" + '10': + continueonerror: true + continueonerrortype: errorPath + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '7' + '#none#': + - '5' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available for Cortex + XSIAM 2.4 and above. + id: 2f2ea69d-4ed3-404f-869e-8d0f824d82e6 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 2f2ea69d-4ed3-404f-869e-8d0f824d82e6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1320\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + host_id: + simple: ${alert.hostname} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve the risk score of a specific host or list of hosts with + the highest risk score in the environment along with the reason affecting + each score. 
+ id: 94c0909f-061e-47d4-88e4-82fd6440f9cd + iscommand: true + name: Get Host's Risk Score + script: '|||core-list-risky-hosts' + type: regular + version: -1 + taskid: 94c0909f-061e-47d4-88e4-82fd6440f9cd + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 671,\n \"y\": -52\n }\n}" + '12': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'yes': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the host risk score was retrieved. + id: bcca051a-ab0b-4b59-8846-c6b7238fe153 + iscommand: false + name: Is There a Host Risk Score? + type: condition + version: -1 + taskid: bcca051a-ab0b-4b59-8846-c6b7238fe153 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 240\n }\n}" + '13': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.RiskyHost.risk_level + operator: isEqualString + right: + value: + simple: High + label: Malicious + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + Malicious: + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 
Checks if the host risk score is "High" and the CGO isn't prevalent + or unsigned. + id: e200ea58-debd-4d02-ad61-eef4808cce89 + iscommand: false + name: Is the Host Risk Score High and is the CGO not prevalent or unsigned + type: condition + version: -1 + taskid: e200ea58-debd-4d02-ad61-eef4808cce89 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": 420\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 5 Hours Ago + includeinformational: + simple: 'true' + query: + simple: "(cid:${alert.cid.[0]} or actorprocessinstanceid:${alert.cid.[0]}\ + \ or actionprocessinstanceid:${alert.cid.[0]} or actorprocessinstanceid:${alert.actorprocessinstanceid.[0]}\ + \ or actionprocessinstanceid:${alert.actorprocessinstanceid.[0]}) AND (name:\"\ + Evasion Technique - 3048798454\" OR \nname:\"An uncommon LOLBIN added to\ + \ startup-related Registry keys\" OR name:\"Behavioral Threat\" OR\nname:\"\ + An uncommon file was created in the startup folder\" OR \nname:\"Unsigned\ + \ process running from a temporary directory\" OR \nname:\"Execution From\ + \ a Restricted Location\" OR name:\"Execution of an uncommon process with\ + \ a local/domain user SID at an early startup stage by Windows system binary\ + \ - Explorer CGO\")" + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Searches Cortex XSIAM alerts. A summarized version of this scripts + is available with the summarizedversion argument. 
+ id: 7ce3bc2a-81a0-42e7-8d82-c6f35d296cbf + iscommand: false + name: Check For Specific Alerts By CGO + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 7ce3bc2a-81a0-42e7-8d82-c6f35d296cbf + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 610\n }\n}" + '15': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + label: Related Alerts + - condition: + - - left: + iscontext: true + value: + simple: Insights.Contents.data.name + operator: isNotEmpty + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: risk_level + root: Core.RiskyHost + transformers: + - args: + applyIfEmpty: {} + defaultValue: + value: + simple: 'false' + operator: SetIfEmpty + operator: isEqualString + right: + value: + simple: High + - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: Related Insights + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '9' + Related Alerts: + - '4' + Related Insights: + - '16' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task checks if any related alerts or Insights were found. + id: 479b74ff-7b0c-4e72-8abb-e037908adbc1 + iscommand: false + name: Found any related alerts or Insights? 
+ type: condition + version: -1 + taskid: 479b74ff-7b0c-4e72-8abb-e037908adbc1 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 940,\n \"y\": 790\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 07941cf5-7b9b-445c-8034-9f73fed3a7a7 + iscommand: false + name: Related Insights + type: title + version: -1 + taskid: 07941cf5-7b9b-445c-8034-9f73fed3a7a7 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 790,\n \"y\": 1030\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.AnalyticsPrevalence.Process.value + operator: isEqualString + right: + value: + simple: 'False' + label: Malicious + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Malicious: + - '4' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the causality process is not prevalent and unsigned. 
+ id: e4ef5f69-4552-4de2-b9fa-3c00f70a2e7f + iscommand: false + name: Check if the causality process is not prevalent and not signed + type: condition + version: -1 + taskid: e4ef5f69-4552-4de2-b9fa-3c00f70a2e7f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 70\n }\n}" + '4': + continueonerror: true + continueonerrortype: errorPath + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available for Cortex + XSIAM 2.4 and above. + id: 765fe8d2-bdd1-4be4-8a98-48c82c984a70 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: 765fe8d2-bdd1-4be4-8a98-48c82c984a70 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1170\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious activity detected - Alert was remediated + closeReason: + simple: Resolved - True Positive + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert as a True Positive. 
+ id: bd9cacdf-4ffb-44e7-81b4-7d958cb76986 + iscommand: true + name: Close Alert + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: bd9cacdf-4ffb-44e7-81b4-7d958cb76986 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1700\n }\n}" + '6': + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: deab0d59-be1c-454b-8043-540b7456529e + iscommand: false + name: Done + type: title + version: -1 + taskid: deab0d59-be1c-454b-8043-540b7456529e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1870\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '5' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the remediation process, the playbook\ + \ couldn\u2019t terminate the process: ${alert.cgoname}\n\nPlease terminate\ + \ the process manually if possible." + id: 8d7bf580-9887-46c9-85bc-05eab9fad48f + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 8d7bf580-9887-46c9-85bc-05eab9fad48f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 220,\n \"y\": 1482\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No indication of malicious activity was found. Closed automatically + without any further action. 
+ closeReason: + simple: Resolved - False Positive + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert as a False Positive. + id: 5b00bf39-f41c-4580-8ee8-a7eb6546221f + iscommand: true + name: Close Alert - No malicious activity was found + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 5b00bf39-f41c-4580-8ee8-a7eb6546221f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1062,\n \"y\": 1700\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6bb015bc-9dc9-4669-8e89-17a7be7c0a70 + iscommand: false + name: No malicious activity was found + type: title + version: -1 + taskid: 6bb015bc-9dc9-4669-8e89-17a7be7c0a70 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1062,\n \"y\": 1170\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_7_#error#\": 0.45,\n \"15_16_Related\ + \ Insights\": 0.42,\n \"15_4_Related Alerts\": 0.65\n },\n \"paper\": {\n \ + \ \"dimensions\": {\n \"height\": 2120,\n \"width\": 1223,\n \"\ + x\": 220,\n \"y\": -190\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml new file mode 100644 index 000000000000..f398e9572872 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml 
@@ -0,0 +1,1324 @@ +contentitemexportablefields: + contentitemfields: {} +description: "This playbook handles \"Uncommon remote scheduled task created\" alerts.\n\ + \nPlaybook Stages:\n\nAnalysis:\n\n- The playbook checks if the remote IP is external\ + \ or has a bad reputation.\n\nInvestigation:\nDuring the alert investigation, the\ + \ playbook will perform the following:\n\n- Searches for related XSIAM alerts on\ + \ the endpoint that use the following MITRE techniques to identify malicious activity:\ + \ T1202 - Indirect Command Execution, T1021 - Remote Services.\n- Searches for related\ + \ XSIAM agent alerts on the remote endpoint, to determine if the creation of the\ + \ scheduled task is part of an attack pattern.\n- Searches for suspicious command-line\ + \ parameters indicating a malicious scheduled task.\n\nRemediation:\n\n- Automatically\ + \ disable the malicious scheduled task.\n- Block the malicious IP (requires analyst\ + \ approval).\n- Automatically Close the alert.\n\nRequirements:\n\nFor response\ + \ actions, the following integrations are required: \n\n- PAN-OS." 
+fromversion: 6.10.0 +id: silent-Uncommon remote scheduled task created Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Uncommon remote scheduled task created Test +outputs: [] +starttaskid: '0' +tags: +- TA0002 - Execution +- T1053 - Scheduled Task/Job +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '27' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -440\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 520\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Uncommon remote scheduled task + created" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. 
+ id: cbb88a25-3267-48dc-8423-605dbeb295a0 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: cbb88a25-3267-48dc-8423-605dbeb295a0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3840\n }\n}" + '14': + continueonerror: true + continueonerrortype: errorPath + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '22' + '#none#': + - '69' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe schtasks /change /tn "${Core.OriginalAlert.event.scheduled_task_path}" + /disable + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '120' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Disable the malicious scheduled task by executing shell commands. + id: bb3ed083-823b-4e17-8494-16ec6bc49b2a + iscommand: true + name: Disable the malicious scheduled task + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: bb3ed083-823b-4e17-8494-16ec6bc49b2a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2650\n }\n}" + '17': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'yes' + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether a malicious IP is detected and requires blocking. 
+ id: 47529ac8-a0ed-4d35-8019-a8b679181f22 + iscommand: false + name: Is there a malicious IP to block? + type: condition + version: -1 + taskid: 47529ac8-a0ed-4d35-8019-a8b679181f22 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3360\n }\n}" + '2': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: IP.InRange + operator: isEqualString + right: + value: + simple: 'no' + label: 'Yes' + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '1' + 'Yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict if the task was created from + an external IP address. + + + Remote scheduled tasks created from an external IP address may indicate unauthorized + access or malicious activity. Legitimate remote scheduled tasks should be + created from trusted internal sources. If the task is created from an external + IP, the playbook will proceed with remediation actions; otherwise, it will + continue investigating the alert.' 
+ id: eae7099d-0e36-4442-8d50-a5e79d067791 + iscommand: false + name: Check whether the remote IP is external + type: condition + version: -1 + taskid: eae7099d-0e36-4442-8d50-a5e79d067791 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 350\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 0 + wait: 1 + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + scriptarguments: + MaliciousIPs: + complex: + accessor: Indicator + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: ip + - - left: + iscontext: true + value: + simple: DBotScore.Score + operator: isEqualNumber + right: + value: + simple: '3' + root: DBotScore + transformers: + - operator: uniq + separatecontext: true + skipunavailable: true + task: + brand: '' + description: 'This playbook blocks IP addresses with 2 optional actions: + + + - Block IP addresses using Static Address Groups in Palo Alto Networks Panorama + or Firewall. The playbook receives malicious IP addresses and an address group + name as inputs, verifies that the addresses are not already a part of the + address group, adds them and commits the configuration. + + + + - Utilize the Dynamic Address Group (DAG) capability of PAN-OS. DAG enables + analysts to create a rule one time, where the group is the source/destination, + and adds IP addresses dynamically without the need to commit the configuration + every time. + + The playbook checks if the given tag already exists. If the tag exists, then + the IP address is added to the tag. + + If the tag does not exist, a new address group is created with the given tag + and a matching rule, and the configuration is committed.' 
+ id: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00 + iscommand: false + name: PAN-OS - Block IP + playbookName: PAN-OS - Block IP + type: playbook + version: -1 + taskid: 53d9f3a4-a2b0-488e-8dc1-3ec51aea3c00 + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 3660\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + During the remediation process the playbook failed to disable the scheduled + task: ${Core.OriginalAlert.event.scheduled_task_path} + + + Please manually disable this scheduled task.' + id: 25929bfd-f6cd-43f9-87cd-8d0c0caf677d + iscommand: false + name: Disable the malicious scheduled task manually + type: regular + version: -1 + taskid: 25929bfd-f6cd-43f9-87cd-8d0c0caf677d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 0,\n \"y\": 3180\n }\n}" + '23': + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c5219f31-047d-4cee-888e-f7c63909a296 + iscommand: false + name: Block Malicious IP + type: title + version: -1 + taskid: c5219f31-047d-4cee-888e-f7c63909a296 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 3530\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + 
timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 4000\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns information about each alert ID. + id: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + iscommand: true + name: Get scheduled task details + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 91b0123e-c227-465b-84d6-a3c53e9a8eb4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -305\n }\n}" + '28': + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + loop: + exitCondition: '' + iscommand: false + max: 100 + wait: 1 + nexttasks: + '#none#': + - '66' + note: false + quietmode: 0 + scriptarguments: + Commandline: + simple: ${Core.OriginalAlert.event.scheduled_task_image_command_line} + StringSimilarityThreshold: + simple: '0.5' + separatecontext: true + skipunavailable: false + task: + brand: '' + description: '' + id: fc12c772-ab66-433e-85e8-d1a3d8daadcb + iscommand: false + name: Command-Line Analysis + playbookName: Command-Line Analysis + type: playbook + version: -1 + taskid: fc12c772-ab66-433e-85e8-d1a3d8daadcb + timertriggers: [] + type: playbook + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1640\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '68' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6d11f6e-a28a-459a-8004-bec570e4b02a + iscommand: false + name: Analysis + type: title + 
version: -1 + taskid: b6d11f6e-a28a-459a-8004-bec570e4b02a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": -130\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ababf146-0f9f-4621-8323-18c3256738ee + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ababf146-0f9f-4621-8323-18c3256738ee + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2510\n }\n}" + '30': + continueonerrortype: '' + id: '30' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '31' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + iscommand: false + name: Investigation on remote host + type: title + version: -1 + taskid: 6d96992e-fe69-4b71-8e3c-9f64ce6a2aec + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1010\n }\n}" + '31': + continueonerror: true + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '32' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 1 day ago + ignore-outputs: + simple: 'false' + query: + simple: agent_ip_addresses:${Core.OriginalAlert.event.actor_remote_ip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for XSIAM agent related alerts on the remote + endpoint from the past 24 hours, if an agent is installed. 
+ id: 58967e13-7736-4385-858d-85a8966dacd3 + iscommand: false + name: Search for related alerts on the remote host + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 58967e13-7736-4385-858d-85a8966dacd3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1145\n }\n}" + '32': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.sourceBrand + operator: isEqualString + right: + value: + simple: TRAPS + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.categoryname + operator: isEqualString + right: + value: + simple: Malware + label: 'yes' + continueonerrortype: '' + id: '32' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '56' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines if there are agent alerts on the remote host indicating + that the alert was part of an attack pattern. + id: 789cf6e0-eded-4b32-8108-8091409a2537 + iscommand: false + name: Found any alerts of malicious activity on the remote host? 
+ type: condition + version: -1 + taskid: 789cf6e0-eded-4b32-8108-8091409a2537 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 920,\n \"y\": 1320\n }\n}" + '38': + continueonerror: true + continueonerrortype: '' + id: '38' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + scriptarguments: + ip: + complex: + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.OriginalAlert.event.actor_remote_ip + operator: notContainsGeneral + right: + value: + simple: '::' + root: Core.OriginalAlert.event.actor_remote_ip + ipRanges: + complex: + accessor: PrivateIPs + root: lists + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (\b(?:\d{1,3}\.){3}\d{1,3}\b/\d{1,2}) + unpack_matches: {} + operator: RegexExtractAll + - args: + separator: + value: + simple: ',' + operator: join + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Returns yes if the IP is in one of the ranges provided, returns + no otherwise. 
+ id: 7272972f-d88b-484d-897b-61c0fce7def0 + iscommand: false + name: Determine whether the remote IP address is internal or external + scriptName: IsIPInRanges + type: regular + version: -1 + taskid: 7272972f-d88b-484d-897b-61c0fce7def0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 180\n }\n}" + '41': + continueonerrortype: '' + id: '41' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '71' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5ba5e082-b8f3-413f-89f6-40261ef6a811 + iscommand: false + name: Analyst Decision + type: title + version: -1 + taskid: 5ba5e082-b8f3-413f-89f6-40261ef6a811 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2030\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fb2896f9-3c9e-4e1f-8d40-db749410a130 + iscommand: false + name: False Positive + type: title + version: -1 + taskid: fb2896f9-3c9e-4e1f-8d40-db749410a130 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2550\n }\n}" + '44': + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '45' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: False Positive + closeReason: + simple: Resolved - Handled as False Positive by the playbook "Uncommon remote + scheduled task created" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 86404fb8-c406-4ba8-89c3-508c91daaa5b + iscommand: true + name: Close Alert - 
False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 86404fb8-c406-4ba8-89c3-508c91daaa5b + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2690\n }\n}" + '45': + continueonerrortype: '' + id: '45' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 2329c33f-d84f-4b85-8a5a-08264d5756ae + iscommand: false + name: Done + type: title + version: -1 + taskid: 2329c33f-d84f-4b85-8a5a-08264d5756ae + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2850\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + iscommand: false + name: Done + type: title + version: -1 + taskid: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 2400\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: (mitreattcktechnique:*T1202* or mitreattcktechnique:*T1021* or name:"WildFire + Malware") and -name:"Uncommon remote scheduled task created" and agentid:${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches by MITRE technique for suspicious related alerts + that may indicate a compromised endpoint. 
+ + Focus on identifying alerts associated with the following MITRE techniques + from the last 3 hours: + + - T1202 - Indirect Command Execution + + - T1021 - Remote Services + + + And the following alert: + + - "WildFire Malware" + + + ' + id: 4373ba97-486c-4617-8298-86a924dc5ca8 + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 4373ba97-486c-4617-8298-86a924dc5ca8 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 650\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: d6cce08c-349e-44db-807d-b6348886db73 + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: d6cce08c-349e-44db-807d-b6348886db73 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 2030\n }\n}" + '56': + continueonerrortype: '' + id: '56' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '28' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + iscommand: false + name: Command-line Investigation + type: title + version: -1 + taskid: 3dca7f38-a58c-4c1c-8a67-e28182e1216a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1510\n }\n}" + '66': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: CommandlineVerdict.AMSI + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: CommandlineVerdict.maliciousTools + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.networkActivity + 
operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousLolbinExecution + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.SuspiciousCmdPathAndArguments + operator: isNotEmpty + label: Malicious Cmd parameters + - condition: + - - left: + iscontext: true + value: + simple: CommandlineVerdict.base64 + operator: isNotEmpty + - left: + iscontext: true + value: + simple: CommandlineVerdict.suspiciousParameters + operator: isNotEmpty + label: Suspicious Cmd parameters + continueonerrortype: '' + id: '66' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + Malicious Cmd parameters: + - '3' + Suspicious Cmd parameters: + - '41' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the results of the + command-line analysis. + id: f5c5e77b-66e5-465a-8773-c1d20a200bfa + iscommand: false + name: Found any malicious or suspicious cmd parameters? 
+ type: condition + version: -1 + taskid: f5c5e77b-66e5-465a-8773-c1d20a200bfa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 1800\n }\n}" + '67': + continueonerrortype: '' + id: '67' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '17' + note: false + quietmode: 0 + scriptarguments: + value: + simple: "Dear Analyst,\n\nDuring the remediation process the playbook executed\ + \ a shell command to disable the following scheduled task: \n${Core.OriginalAlert.event.scheduled_task_path}\n\ + \n" + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to war room (Markdown supported) + id: e7cb4db3-f70e-4474-8ae5-1ad159731138 + iscommand: false + name: Notify to War Room - Scheduled Task Disabled + scriptName: Print + type: regular + version: -1 + taskid: e7cb4db3-f70e-4474-8ae5-1ad159731138 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 3180\n }\n}" + '68': + continueonerrortype: '' + id: '68' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '38' + note: false + quietmode: 0 + scriptarguments: + ip: + simple: ${Core.OriginalAlert.event.actor_remote_ip} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks the reputation of an IP address. 
+ id: 661be0e9-3bb5-4a3c-8908-4586f05d54e7 + iscommand: true + name: Check remote IP reputation + script: '|||ip' + type: regular + version: -1 + taskid: 661be0e9-3bb5-4a3c-8908-4586f05d54e7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 10\n }\n}" + '69': + continueonerrortype: '' + id: '69' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + scriptarguments: + action_id: + simple: ${Core.ScriptRun.action_id} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieve the results of a script execution action. + id: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + iscommand: true + name: Get script execution results + script: '|||core-get-script-execution-results' + type: regular + version: -1 + taskid: ba4fa808-bf46-4d09-8491-24e0aa59c3ee + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2820\n }\n}" + '70': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.ScriptResult.results.standard_output + operator: AnyMatch + right: + value: + simple: SUCCESS + label: 'yes' + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '22' + 'yes': + - '67' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Verify if the script successfully disabled the task. + id: 1666967d-c2af-4352-82f0-0d17d99b391f + iscommand: false + name: Has the script disabled the task successfully? 
+ type: condition + version: -1 + taskid: 1666967d-c2af-4352-82f0-0d17d99b391f + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 410,\n \"y\": 2980\n }\n}" + '71': + continueonerrortype: '' + form: + description: "Dear Analyst,\n\nSummary of the investigation of the remote scheduled\ + \ task creation:\n\n- The task was created from an internal IP address.\n\ + - No related alerts were found indicating malicious activity on the endpoint\ + \ or remote endpoint.\n- No malicious command line indicators were detected.\n\ + \ \nHowever, the playbook detected suspicious arguments in the command line.\ + \ \n\nDecision Needed: " + expired: false + questions: + - defaultrows: [] + fieldassociated: '' + gridcolumns: [] + id: '0' + label: '' + labelarg: + simple: 'The following command line contains suspicious parameters: + + + ${Core.OriginalAlert.event.scheduled_task_image_command_line} + + + Would you like to proceed with disabling the scheduled task, or should + this be considered a false positive? ' + options: [] + optionsarg: + - {} + - simple: Disable Schedule Task + - simple: False Positive + placeholder: '' + readonly: false + required: true + tooltip: '' + type: singleSelect + sender: '' + title: Analyst Decision to Disable Scheduled Task + totalanswers: 0 + id: '71' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: "Dear Analyst,\n\nSummary of the investigation of the remote scheduled\ + \ task creation:\n\n- The task was created from an internal IP address:\ + \ ${Core.OriginalAlert.event.actor_remote_ip}.\n- No related alerts were\ + \ found indicating malicious activity on the endpoint or remote endpoint.\n\ + - No malicious command line indicators were detected.\n \nHowever, the playbook\ + \ detected suspicious arguments in the command line. 
\nThe following command\ + \ line contains suspicious parameters:\n\n${Core.OriginalAlert.event.scheduled_task_image_command_line}\n\ + \nDecision Needed: \n\nWould you like to proceed with disabling the scheduled\ + \ task, or should this be considered a false positive?" + cc: null + format: '' + methods: [] + replyOptions: + - Disable Schedule Task + - False Positive + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + '#none#': + - '72' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst review is required to determine, based on suspicious command-line + parameters, whether to take remediation actions such as disabling the scheduled + task and blocking the IP if malicious or to close the alert as a false positive. + id: 0ae56624-11e4-4420-8245-6b62c02d8a2f + iscommand: false + name: Analyst decision for suspicious cmd parameters + type: collection + version: -1 + taskid: 0ae56624-11e4-4420-8245-6b62c02d8a2f + timertriggers: [] + type: collection + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2180\n }\n}" + '72': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Analyst Decision to Disable Scheduled Task.Answers.0 + operator: isEqualString + right: + value: + simple: Disable Schedule Task + label: Disable Schedule Task + continueonerrortype: '' + id: '72' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '43' + Disable Schedule Task: + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the scheduled task should be disabled based on the analyst's + decision. + id: f12ee6de-ec1a-4c0b-872a-7653ef15891c + iscommand: false + name: Should disable schedule task based on the analyst decision? 
+ type: condition + version: -1 + taskid: f12ee6de-ec1a-4c0b-872a-7653ef15891c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1070,\n \"y\": 2340\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '30' + 'yes': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the alert contains agent alerts indicating that + the alert was part of an attack pattern. + id: 287b6585-4340-4fd2-8134-6ee815f90846 + iscommand: false + name: Found any alerts indicating this is a malicious scheduled task? + type: condition + version: -1 + taskid: 287b6585-4340-4fd2-8134-6ee815f90846 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 760,\n \"y\": 830\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "Uncommon remote scheduled task + created" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 3444c540-601c-4417-8813-0ceacb6ec77e + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 3444c540-601c-4417-8813-0ceacb6ec77e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1670,\n \"y\": 2180\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"14_22_#error#\": 0.55,\n 
\"17_13_#default#\"\ + : 0.42,\n \"17_23_yes\": 0.69,\n \"2_3_Yes\": 0.12,\n \"32_3_yes\": 0.29,\n\ + \ \"66_3_Malicious Cmd parameters\": 0.36,\n \"66_41_Suspicious Cmd parameters\"\ + : 0.57,\n \"70_67_yes\": 0.52,\n \"72_3_Disable Schedule Task\": 0.42,\n \ + \ \"72_43_#default#\": 0.53,\n \"8_30_#default#\": 0.55,\n \"8_3_yes\":\ + \ 0.13\n },\n \"paper\": {\n \"dimensions\": {\n \"height\": 4505,\n \ + \ \"width\": 2060,\n \"x\": -10,\n \"y\": -440\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml new file mode 100644 index 000000000000..0ad68c7a7426 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml 
@@ -0,0 +1,560 @@ +description: 'This playbook is designed to handle the ''Unprivileged process opened + a registry hive'' alert. + + + Playbook Stages: + + + Investigation: + + + During the alert investigation, the playbook will perform the following: + + + - Checks the prevalence of the unprivileged process that triggered the alert. + + - Checks the prevalence of the command line used by the unprivileged process. + + - Searches for additional suspicious Cortex XSIAM alerts within the same incident + in order to determine whether a remediation measure is required. + + + Remediation: + + + - To prevent malicious activity from continuing, the playbook terminates the causality + processes that triggered the alert.' +fromversion: 8.0.0 +id: silent-Unprivileged process opened a registry hive Test +inputSections: +- description: Generic group for inputs. + inputs: [] + name: General (Inputs group) +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Unprivileged process opened a registry hive Test +outputSections: +- description: Generic group for outputs. 
+ name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0006 - Credential Access +- T1552 - Unsecured Credentials +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 48d3588d-43e5-4b43-8b35-48ca384bcb15 + iscommand: false + name: '' + version: -1 + taskid: 48d3588d-43e5-4b43-8b35-48ca384bcb15 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -580\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '44' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff3d375d-21d5-461d-89f1-3afa5ba7f00b + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ff3d375d-21d5-461d-89f1-3afa5ba7f00b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 380\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + assetid: + simple: 'Resolved - False Positive + + ' + closeNotes: + simple: Resolved - Handled by the playbook "Unprivileged process opened a + registry hive" + closeReason: + simple: Resolved - True Positive + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 7842ac2c-e9a5-4b66-8fde-abd99966ae2f + iscommand: true + name: Close Alert as True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 7842ac2c-e9a5-4b66-8fde-abd99966ae2f + timertriggers: 
[] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 850\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '49' + - '47' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: c787ef1f-6b33-43ec-8f2b-ef107513f04a + iscommand: false + name: Investigation + type: title + version: -1 + taskid: c787ef1f-6b33-43ec-8f2b-ef107513f04a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -445\n }\n}" + '34': + continueonerrortype: '' + id: '34' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3200a260-eb1d-4089-8bf7-6895ea662306 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3200a260-eb1d-4089-8bf7-6895ea662306 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 1020\n }\n}" + '44': + continueonerror: true + continueonerrortype: errorPath + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '62' + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + agent_id: + complex: + accessor: agentid + root: alert + transformers: + - operator: uniq + causality_id: + complex: + accessor: cid + root: alert + transformers: + - operator: uniq + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. 
+ id: 041c6225-6062-47ad-86be-3b7d81f4fb19 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 041c6225-6062-47ad-86be-3b7d81f4fb19 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": 510\n }\n}" + '46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '53' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1003* or mitreattcktechnique:*T1036* + or mitreattcktechnique:*T1552* or mitreattcktechnique:*T1059*) + and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches for Cortex XSIAM suspicious alerts related\ + \ to the current incident by Mitre Technique, indicating that the alert is\ + \ part of an attack pattern.\n\nFocus on identifying alerts associated with\ + \ the following MITRE techniques:\n- T1003 - OS Credential Dumping \n- T1036\ + \ - Masquerading \n- T1552 - Unsecured Credentials \n- T1059 - Command and\ + \ Scripting Interpreter" + id: 02cefbac-04e3-4606-8570-a778e38fb0c0 + iscommand: false + name: Search for suspicious-related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 02cefbac-04e3-4606-8570-a778e38fb0c0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 45\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + scriptarguments: + process_command_line: + complex: + accessor: cgocmd + root: alert 
+ transformers: + - args: + item: + iscontext: true + value: + simple: alert.osparentcmd + raw: {} + operator: AppendIfNotEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process_command_line, identified by process_command_line. + id: ce97d194-4dca-4f9c-8aaf-7c54ab40e966 + iscommand: true + name: Get Actor CommandLine and CGO CommandLine prevalence + script: '|||core-get-cmd-analytics-prevalence' + type: regular + version: -1 + taskid: ce97d194-4dca-4f9c-8aaf-7c54ab40e966 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 650,\n \"y\": -300\n }\n}" + '49': + continueonerrortype: '' + id: '49' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '61' + note: false + quietmode: 0 + scriptarguments: + process_name: + complex: + accessor: osparentname + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.cgoname + raw: {} + operator: AppendIfNotEmpty + - operator: uniq + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process, identified by process_name. 
+ id: e0e01cdc-0f66-414b-8558-24155f2650e7 + iscommand: true + name: Get Actor Process and CGO Process prevalence + script: '|||core-get-process-analytics-prevalence' + type: regular + version: -1 + taskid: e0e01cdc-0f66-414b-8558-24155f2650e7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": -300\n }\n}" + '53': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + right: + value: {} + label: 'Yes' + continueonerrortype: '' + id: '53' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '60' + 'Yes': + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: A verdict is determined based on whether the incident contained + any related alerts. + id: 9f115642-48a0-4395-8608-b29f1d2de9ca + iscommand: false + name: Found related alerts requiring causality termination + type: condition + version: -1 + taskid: 9f115642-48a0-4395-8608-b29f1d2de9ca + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 910,\n \"y\": 205\n }\n}" + '60': + continueonerrortype: '' + id: '60' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '34' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Resolved - Handled by the playbook "Unprivileged process opened a + registry hive" + closeReason: + simple: Resolved - False Positive + id: + complex: + accessor: id + root: alert + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 0be96afe-dfcb-4780-8822-af5ad5f865df + iscommand: true + name: Close Alert as False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 0be96afe-dfcb-4780-8822-af5ad5f865df + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 
910,\n \"y\": 510\n }\n}" + '61': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsignature + operator: isNotEmpty + root: alert.osparentsignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + root: Core.AnalyticsPrevalence.Process + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: 'False' + - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: value + root: Core.AnalyticsPrevalence.Cmd + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: 'False' + label: Unsigned and not prevalent + continueonerrortype: '' + id: '61' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '46' + Unsigned and not prevalent: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict based on the Actor & CGO process + signature and the prevalence of the Actor & CGO process and Actor & CGO CommandLine. 
+ id: eca46ccf-77d3-4853-8b71-f516e49814b7 + iscommand: false + name: Check for process signatures and prevalence + type: condition + version: -1 + taskid: eca46ccf-77d3-4853-8b71-f516e49814b7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 440,\n \"y\": -130\n }\n}" + '62': + continueonerrortype: '' + id: '62' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the remediation process, the playbook\ + \ couldn't terminate the process ${alert.cgoname} \n\nPlease terminate the\ + \ process manually if possible. \nNote that the next remediation step, if\ + \ possible, will be endpoint isolation." + id: 2647e32a-15b8-4b10-8724-3cdeaf72552f + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 2647e32a-15b8-4b10-8724-3cdeaf72552f + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 180,\n \"y\": 680\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"44_62_#error#\": 0.55,\n \"53_11_Yes\"\ + : 0.17,\n \"61_11_Unsigned and not prevalent\": 0.27\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 1665,\n \"width\": 1110,\n \"\ + x\": 180,\n \"y\": -580\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml new file mode 100644 index 000000000000..96003c10e5b0 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml 
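Review bot: In task '44' (Terminate Causality) `skipunavailable: true` lets the playbook silently skip `core-terminate-causality` when the Cortex Core integration is not available, and the `#none#` path then runs task '22', which closes the alert as `Resolved - True Positive` even though nothing was terminated; the `#error#` branch to the manual-termination task '62' only fires on a command failure, not on a skip. The sibling playbook in this patch sets `skipunavailable: false` on the same command (task '18'), so this looks like an oversight; change the line to `skipunavailable: false` so a missing integration surfaces as an error and reaches the analyst instead of being auto-closed. Separately, task '22' passes `assetid: 'Resolved - False Positive'` to closeInvestigation while its `closeReason` is `Resolved - True Positive`; that value is not an asset ID and contradicts the verdict, so the `assetid:` argument should be removed. Since the playbook is `issilent: true`, it is also worth confirming that the manual task '62' actually blocks before '22' closes the alert — that cannot be determined from the YAML alone.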
@@ -0,0 +1,754 @@ +description: "This playbook addresses the following alerts:\n\n- Unsigned and unpopular\ + \ process performed injection into a commonly abused process\n- Unsigned and unpopular\ + \ process performed process hollowing injection\n- Unsigned and unpopular process\ + \ performed queue APC injection\n- Unsigned and unpopular process performed injection\ + \ into a sensitive process\n- Unsigned and unpopular process performed injection\ + \ into svchost.exe\n\n\nPlaybook Stages:\n\nTriage:\n\n- Retrieve all alerts associated\ + \ with the case for initial analysis.\n\nEarly Containment:\n\n- Identify whether\ + \ an agent prevention rule was triggered for the same process ID. If so, there is\ + \ high confidence that the alert is malicious.\n - **If triggered in prevent mode**:\ + \ This indicates a high-confidence verdict and the playbook proceeds with endpoint\ + \ isolation.\n - **If triggered in report mode**: This also indicates a high-confidence\ + \ verdict. The playbook will notify the customer, advise an update to **prevent\ + \ mode** for better protection in the future, and proceed with the investigation.\n\ + \ - **If no rule is triggered**: The playbook will continue with additional checks\ + \ to ensure thorough assessment.\n\nInvestigation:\n\n- Check for commonly triggered\ + \ alerts that often precede process injection:\n - If found, initiate containment.\n\ + \ - If not found, proceed with additional checks.\n- Analyze if any alerts align\ + \ with MITRE ATT&CK tactics **TA0004 (Privilege Escalation)** and **TA0005 (Defense\ + \ Evasion)**:\n - If matching tactics are found, initiate containment.\n - If\ + \ not, proceed with further investigation.\n- Determine if the causality (parent)\ + \ process is signed:\n - If signed by a trusted authority, close the alert.\n \ + \ - If unsigned, escalate for manual approval for containment.\n\nContainment:\n\ + \n- For alerts validated as threats, execute the following actions:\n - 
Terminate\ + \ the causality process (CGO) if deemed malicious.\n - Isolate the endpoint in\ + \ high-risk scenarios to prevent further compromise.\n\nRequirements:\n\nFor response\ + \ actions, you need the following integrations:\n\n- Cortex Core - Investigation\ + \ and Response." +fromversion: 8.0.0 +id: silent-Unsigned and unpopular process performed an injection Test +inputs: [] +issilent: true +marketplaces: +- marketplacev2 +name: silent-Unsigned and unpopular process performed an injection Test +outputs: [] +starttaskid: '0' +tags: +- T1055 - Process Injection +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '2' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 59a33321-30c5-4810-8ed1-754dd374851e + iscommand: false + name: '' + version: -1 + taskid: 59a33321-30c5-4810-8ed1-754dd374851e + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 260\n }\n}" + '10': + continueonerrortype: '' + id: '10' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 358ad811-3ae6-4e1d-826e-ba15c09f050c + iscommand: false + name: Containment + type: title + version: -1 + taskid: 358ad811-3ae6-4e1d-826e-ba15c09f050c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1490\n }\n}" + '12': + continueonerrortype: '' + id: '12' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '8' + Isolate: + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Endpoint Isolation is recommended since the following verdicts\ + \ have been 
confirmed:\n\n - In addition to the analytics rule, an agent rule\ + \ has blocked the same causality process.\n\nOR\n\n - The case includes additional\ + \ rules protecting from PowerShell protection module or the 'Unsigned process\ + \ injecting into a Windows system binary with no command line'.\n\nOR\n\n\ + \ - The case includes at least two additional rules tagged as 'TA0004 - Privilege\ + \ Escalation' and 'TA0005 - Defense Evasion'" + id: a4e84519-ae9c-4cde-86db-4210bd57a617 + iscommand: false + name: Approve the endpoint isolation + type: condition + version: -1 + taskid: a4e84519-ae9c-4cde-86db-4210bd57a617 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 2210\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. + id: 324312f8-a792-4ff6-8046-848f554bdf15 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 324312f8-a792-4ff6-8046-848f554bdf15 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 2400\n }\n}" + '14': + continueonerrortype: '' + id: '14' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '20' + 'Yes': + - '10' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Our only verdict is an unsigned causality process, we need the + analyst''s approval to continue the containment phase. 
+ + + Unmatched verdicts: + + - No BTP rule found for the same causality ID + + - No known preceding alerts found in the same case + + + Matched verdicts: + + - The causality process is not signed' + id: 5e10c74a-e684-4d52-8131-45f0d93e265e + iscommand: false + name: Should terminate the causality (CGO)? + type: condition + version: -1 + taskid: 5e10c74a-e684-4d52-8131-45f0d93e265e + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 1320\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '10' + note: false + quietmode: 0 + scriptarguments: + value: + simple: 'We have successfully identified a potential security threat involving + process injection on your system. While the detection rule correctly flagged + the suspicious activity, it was operating in **report** mode at the time. + This means that although we detected the activity, no automatic preventive + action was taken to block the threat. + + + If this rule had been set to **prevent** mode, the malicious action could + have been stopped immediately, reducing the risk of compromise. We strongly + recommend switching the rule to prevent mode to proactively block such threats + in the future.' 
+ separatecontext: false + skipunavailable: false + task: + brand: '' + description: Prints text to war room (Markdown supported) + id: 000b6c70-38b6-404f-86db-45f3d9426d26 + iscommand: false + name: Suggest activate prevention mode for Process Injection module + scriptName: Print + type: regular + version: -1 + taskid: 000b6c70-38b6-404f-86db-45f3d9426d26 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 900\n }\n}" + '18': + continueonerror: true + continueonerrortype: errorPath + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '19' + '#none#': + - '12' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + XSIAM 2.4. + id: f3da08e0-1190-40a3-82de-72068e560176 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: f3da08e0-1190-40a3-82de-72068e560176 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1620\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the containment phase, the playbook couldn\u2019\ + t terminate the process: ${alert.cgoname}\n\nPlease terminate the process\ + \ manually if possible." 
+ id: 2c05918a-ebe2-4d61-8d7a-2e9f237ebf15 + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: 2c05918a-ebe2-4d61-8d7a-2e9f237ebf15 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 90,\n \"y\": 1850\n }\n}" + '2': + continueonerrortype: '' + id: '2' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 9f8b5e4e-ec32-44ae-85ed-1211ce9107e8 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 9f8b5e4e-ec32-44ae-85ed-1211ce9107e8 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 400\n }\n}" + '20': + continueonerrortype: '' + id: '20' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved, confirmed as a False Positive + closeReason: + simple: Resolved - Handled by the playbook "Unsigned and unpopular process + performed an injection" as False Positive + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 00471e39-8234-45c7-8764-b5c711e53ab7 + iscommand: true + name: Close the Alert as False Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 00471e39-8234-45c7-8764-b5c711e53ab7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 2580\n }\n}" + '21': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: notStartWith + right: + value: + simple: Powershell Activity + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEqualString + right: + value: + 
simple: Unsigned process injecting into a Windows system binary with + no command line + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isNotEqualString + right: + iscontext: true + value: + simple: alert.cid + root: foundIncidents.CustomFields + operator: notIn + right: + value: + simple: Reported, BLOCKED + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: notContainsGeneral + right: + value: + simple: TA0004 - Privilege Escalation + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: notContainsGeneral + right: + value: + simple: TA0005 - Defense Evasion + label: Weak + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '12' + Weak: + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: If only the last check is matched, the verdict is marked as 'weak' + to indicate reduced confidence. 
+ id: da0b7884-3a34-4348-8e2a-11c868bb4bbb + iscommand: false + name: Weak verdict - Check if only final check is satisfied + type: condition + version: -1 + taskid: da0b7884-3a34-4348-8e2a-11c868bb4bbb + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 300,\n \"y\": 2030\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '4' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: This task searches for Cortex XSIAM alerts related to the current + incident. + id: 28112aa4-5c02-4bd9-8a2a-6f10174c7771 + iscommand: false + name: Search for alerts that blocked the causality + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 28112aa4-5c02-4bd9-8a2a-6f10174c7771 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 535\n }\n}" + '4': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.cid + root: foundIncidents.CustomFields + transformers: + - operator: uniq + operator: isEqualString + right: + value: + simple: BLOCKED + label: Blocked + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: action + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.CustomFields.cid + operator: isEqualString + right: + iscontext: true + value: + 
simple: alert.cid + root: foundIncidents.CustomFields + operator: isEqualString + right: + value: + simple: Reported + label: Reported + continueonerrortype: '' + id: '4' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '7' + Blocked: + - '12' + Reported: + - '15' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check the incident's alerts for an alert that blocked the causality + using the agent. + id: 698f092a-758e-4028-84b8-25bbb7d4c626 + iscommand: false + name: Was the causality blocked by another alert? + type: condition + version: -1 + taskid: 698f092a-758e-4028-84b8-25bbb7d4c626 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": -300,\n \"y\": 700\n }\n}" + '5': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: Signed + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + Signed: + - '20' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality process image is signed. 
+ id: 7c09ff5c-2f1e-4c55-85f1-557891e3e8f7 + iscommand: false + name: Check if the causality process is signed + type: condition + version: -1 + taskid: 7c09ff5c-2f1e-4c55-85f1-557891e3e8f7 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 980,\n \"y\": 1150\n }\n}" + '7': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: startWith + right: + value: + simple: Powershell Activity + - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isEqualString + right: + value: + simple: Unsigned process injecting into a Windows system binary with + no command line + label: Behavioral Alerts + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: containsGeneral + right: + value: + simple: TA0004 - Privilege Escalation + - - left: + iscontext: true + value: + simple: foundIncidents.CustomFields.mitreattcktactic + operator: containsGeneral + right: + value: + simple: TA0005 - Defense Evasion + label: MITRE Tactic + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + Behavioral Alerts: + - '10' + MITRE Tactic: + - '14' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Search for commonly triggered alert names preceding the injection + alert. + id: 3e3d733d-1317-44cf-8178-e0015cc3b874 + iscommand: false + name: Were known preceding alerts detected? 
+ type: condition + version: -1 + taskid: 3e3d733d-1317-44cf-8178-e0015cc3b874 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 900\n }\n}" + '8': + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved, confirmed as a True Positive + closeReason: + simple: Resolved - Handled by the playbook "Unsigned and unpopular process + performed an injection" as True Positive + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 81db7e8a-cc03-44e9-86a5-70d784b286ee + iscommand: true + name: Close the Alert as True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 81db7e8a-cc03-44e9-86a5-70d784b286ee + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 560,\n \"y\": 2580\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 3214ade0-7bba-484f-8945-3bc4367178a9 + iscommand: false + name: Done + type: title + version: -1 + taskid: 3214ade0-7bba-484f-8945-3bc4367178a9 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 770,\n \"y\": 2750\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"12_13_Isolate\": 0.42,\n \"12_8_#default#\"\ + : 0.44,\n \"14_10_Yes\": 0.37,\n \"14_20_#default#\": 0.23,\n \"18_19_#error#\"\ + : 0.65,\n \"21_12_#default#\": 0.3,\n \"21_8_Weak\": 0.32,\n \"4_12_Blocked\"\ + : 0.1,\n \"4_15_Reported\": 0.66,\n \"4_7_#default#\": 0.81,\n \"5_14_#default#\"\ + : 0.38,\n \"5_20_Signed\": 0.12,\n \"7_10_Behavioral Alerts\": 0.39,\n \ + \ 
\"7_14_MITRE Tactic\": 0.64,\n \"7_5_#default#\": 0.64\n },\n \"paper\":\ + \ {\n \"dimensions\": {\n \"height\": 2555,\n \"width\": 1660,\n \ + \ \"x\": -300,\n \"y\": 260\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml new file mode 100644 index 000000000000..29c64bdd5897 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml 
@@ -0,0 +1,982 @@ +contentitemexportablefields: + contentitemfields: {} +description: 'This playbook handles "Unusual process accessed web browser credentials + and executed by a terminal process" alerts. + + + Playbook Stages: + + + Analysis: + + During the analysis, the playbook will perform the following: + + + - Checks the initiator file path for any suspicious locations. + + - Checks the initiator process reputation. + + + If the file is malicious, it proceeds to remediation actions; otherwise, it continues + to the investigation phase. + + + Investigation: + + During the alert investigation, the playbook will perform the following: + + + - Searches for related Cortex XSIAM alerts and insights on the endpoint by specific + alert names or by the following MITRE technique to identify malicious activity: T1555.001 + - Credentials from Password Stores: Keychain. + + + The playbook determines the appropriate verdict. If related alerts or insights are + found, it proceeds to remediation actions; otherwise, it closes the alert with the + message "No indication of malicious activity was found". + + + Remediation: + + + - Automatically terminate the causality process. + + - Quarantine the initiator file if its reputation is malicious, if medium- to high-severity + alerts indicating malicious activity are found, or if related insights are found + and the initiator is running from a suspicious path. (This action requires analyst + approval). + + - Automatically Close the alert.' 
+fromversion: 8.8.0 +id: silent-Unusual process accessed web browser credentials and executed by a terminal + process Test +inputs: [] +issilent: true +name: silent-Unusual process accessed web browser credentials and executed by a terminal + process Test +outputs: [] +starttaskid: '0' +tags: +- TA0006 - Credential Access +- T1555 - Credentials from Password Stores +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '29' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e27de70b-ada6-422e-81fe-6950a566b050 + iscommand: false + name: '' + version: -1 + taskid: e27de70b-ada6-422e-81fe-6950a566b050 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": -1110\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '47' + - '90' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: 6f7359e7-6ace-48a6-8f72-c30dc8bce825 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -490\n }\n}" + '100': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.quarantineFiles.status.status + operator: isEqualString + right: + value: + simple: 'true' + label: 'Yes' + continueonerrortype: '' + id: '100' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '114' + 'Yes': + - '104' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether to quarantine the files based on their quarantine + 
status. + id: 47c6abf6-2897-4efd-8dd6-c306bbaf31fa + iscommand: false + name: Is the initiator file already quarantined? + type: condition + version: -1 + taskid: 47c6abf6-2897-4efd-8dd6-c306bbaf31fa + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 925\n }\n}" + '103': + continueonerrortype: '' + id: '103' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '104' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + The playbook was unable to quarantine the initiator file due to the following + possible reasons: + + + - The file is not found or no longer exists on the local host. + + - The endpoint is currently disconnected. + + + Please take manual action to terminate the causality process if needed and + quarantine the initiator file. + + ${alert.initiatorpath}' + id: 6c9d287f-9f21-4d9d-8210-45e93032fbf7 + iscommand: false + name: "Manual action needed \u2013 The initiator couldn't be quarantined" + type: regular + version: -1 + taskid: 6c9d287f-9f21-4d9d-8210-45e93032fbf7 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -220,\n \"y\": 1470\n }\n}" + '104': + continueonerrortype: '' + id: '104' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '13' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 5640b892-54ac-4b0b-829a-d1a6fbf4153e + iscommand: false + name: Quarantine file - Done + type: title + version: -1 + taskid: 5640b892-54ac-4b0b-829a-d1a6fbf4153e + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1640\n }\n}" + '109': + continueonerrortype: '' + id: '109' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '111' + note: false + quietmode: 0 + 
scriptarguments: + file: + simple: ${alert.initiatorsha256} + separatecontext: false + skipunavailable: true + task: + brand: '' + description: Retrieve results for a file hash using WildFire. + id: bf8290ca-de3c-4257-84d0-ecbf78f9fb73 + iscommand: true + name: Check the initiator process reputation + script: '|||file' + type: regular + version: -1 + taskid: bf8290ca-de3c-4257-84d0-ecbf78f9fb73 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 200,\n \"y\": -840\n }\n}" + '110': + continueonerrortype: '' + id: '110' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '87' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ddd65f8b-99c5-41c1-82ca-b80cca85cad5 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: ddd65f8b-99c5-41c1-82ca-b80cca85cad5 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 135\n }\n}" + '111': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + label: 'Yes' + continueonerrortype: '' + id: '111' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '1' + 'Yes': + - '110' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict if the reputation of the initiator + file is malicious. + id: 8d1cc819-2c59-4b93-8324-8ef70e6e9af3 + iscommand: false + name: Does the initiator process have a malicious reputation? 
+ type: condition + version: -1 + taskid: 8d1cc819-2c59-4b93-8324-8ef70e6e9af3 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": -670\n }\n}" + '112': + conditions: + - condition: + - - left: + iscontext: true + value: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Indicator + operator: containsGeneral + right: + iscontext: true + value: + simple: alert.initiatorsha256 + root: DBotScore + operator: isEqualNumber + right: + value: + simple: '3' + - left: + iscontext: true + value: + complex: + accessor: name + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.severity + operator: containsGeneral + right: + value: + simple: MEDIUM + - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.severity + operator: containsGeneral + right: + value: + simple: HIGH + root: foundIncidents + operator: isNotEmpty + - ignorecase: true + left: + iscontext: true + value: + complex: + root: . + transformers: + - args: + conditions: + value: + simple: "[{\n \"condition\": \"('LOW' in #{foundIncidents.severity}\ + \ or 'INFO' in #{foundIncidents.severity}) and #{SuspiciousInitiatorProcessPath}\ + \ != null\",\n \"return\": \"true\"\n },\n{\n\"default\"\ + : \"false\"\n}\n]" + flags: {} + operator: If-Elif + operator: isEqualString + right: + value: + simple: 'true' + label: 'Yes' + continueonerrortype: '' + id: '112' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'Yes': + - '93' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines if the initiator file should be quarantined based on + the following conditions: + + - The initiator file has a malicious reputation. + + - Specific MEDIUM-HIGH related alerts have been found. 
+ + - Specific related insights were found, and the initiator process is running + from a suspicious location.' + id: 5014f90e-d2d9-433f-8d5c-c7a94b0ed16a + iscommand: false + name: Should quarantine the initiator file? + type: condition + version: -1 + taskid: 5014f90e-d2d9-433f-8d5c-c7a94b0ed16a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 440\n }\n}" + '113': + continueonerror: true + continueonerrortype: errorPath + id: '113' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '103' + '#none#': + - '104' + note: false + quietmode: 0 + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + file_hash: + simple: ${alert.initiatorsha256} + file_path: + simple: ${alert.initiatorpath} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + interval_in_seconds: + simple: '20' + timeout_in_seconds: + simple: '120' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Quarantines a file on selected endpoints. 
' + id: 6d075347-56c2-426d-861f-32f86341d3a4 + iscommand: true + name: File quarantine + script: '|||core-quarantine-files' + type: regular + version: -1 + taskid: 6d075347-56c2-426d-861f-32f86341d3a4 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -10,\n \"y\": 1290\n }\n}" + '114': + continueonerrortype: '' + id: '114' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + No Quarantine: + - '104' + Quarantine: + - '113' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "**Approval required to quarantine the initiator file**\n\nDear\ + \ Analyst,\n\nThe following initiator file has been identified for potential\ + \ quarantine based on at least one of the following reasons:\n\n - The file's\ + \ reputation is identified as malicious.\n- Medium-high severity alerts indicating\ + \ malicious activity have been detected.\n- Related insights were found, and\ + \ the initiator is running from a suspicious path.\n\n**File Details:**\n\ + - File Name: ${alert.initiatedby.[0]}\n- File Path: ${alert.initiatorpath.[0]}\n\ + - File Hash (sha256): ${alert.initiatorsha256.[0]}\n\n**Given these findings,\ + \ do you approve proceeding with the quarantine action?**" + id: 21083533-ab21-4dce-87d8-91e845074319 + iscommand: false + name: Analyst approval to quarantine the initiator file + type: condition + version: -1 + taskid: 21083533-ab21-4dce-87d8-91e845074319 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 1110\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Malicious scheduled task detected + closeReason: + simple: Resolved - Handled by the playbook "Unusual process accessed web browser + credentials using terminal" + id: + 
simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: Close the current alert. + id: fc6ed827-a79f-4f1a-8386-38c098e35af9 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: fc6ed827-a79f-4f1a-8386-38c098e35af9 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1775\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: ff18f72c-0256-4776-823c-90dd05fdba39 + iscommand: false + name: Done + type: title + version: -1 + taskid: ff18f72c-0256-4776-823c-90dd05fdba39 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1940\n }\n}" + '29': + continueonerrortype: '' + id: '29' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '109' + - '92' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6d11f6e-a28a-459a-8004-bec570e4b02a + iscommand: false + name: Analysis + type: title + version: -1 + taskid: b6d11f6e-a28a-459a-8004-bec570e4b02a + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": -980\n }\n}" + '3': + continueonerrortype: '' + id: '3' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '8' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: f250815c-f894-4a5a-8a7f-999a76debdac + iscommand: false + name: Verdict + type: title + version: -1 + taskid: f250815c-f894-4a5a-8a7f-999a76debdac + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -180\n }\n}" + 
'46': + continueonerrortype: '' + id: '46' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + iscommand: false + name: Done + type: title + version: -1 + taskid: e9832b8f-c70f-45f0-8ba4-d7f746daa77b + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 925\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + query: + simple: (name:"AppleScript process executed with a rare command line, possibly + using Finder to perform operations" or name:"*Malware Activity*" or name:"*Credential + Gathering Protection*" name:"WildFire Malware" or name:"Local Analysis Malware") + and agentid:${alert.agentid} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for suspicious related alerts from the last + 3 hours that may indicate a compromised endpoint. 
+ + The task searches for alert with the following names: + + - "AppleScript process executed with a rare command line, possibly using Finder + to perform operations" + + - "Malware Activity" + + - "Credential Gathering Protection" + + - "WildFire Malware" + + - "Local Analysis Malware"' + id: cc067b07-78ba-4752-8c8d-9e73216baaca + iscommand: false + name: Search for related alerts by name and MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: cc067b07-78ba-4752-8c8d-9e73216baaca + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 660,\n \"y\": -350\n }\n}" + '5': + continueonerrortype: '' + id: '5' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '9' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fe468065-4795-4712-840c-a25f576f1f8f + iscommand: false + name: No malicious activity was found + type: title + version: -1 + taskid: fe468065-4795-4712-840c-a25f576f1f8f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 630\n }\n}" + '8': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + - left: + iscontext: true + value: + simple: SuspiciousInitiatorProcessPath + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '8' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '5' + 'yes': + - '110' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines the appropriate verdict if the playbook found any related + alerts or if the process was running from a suspicious path. + id: 49522c10-5c05-4337-8a99-792382e83d55 + iscommand: false + name: Found related alerts or process running from a suspicious path? 
+ type: condition + version: -1 + taskid: 49522c10-5c05-4337-8a99-792382e83d55 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": -50\n }\n}" + '87': + continueonerror: true + continueonerrortype: '' + id: '87' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '112' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available from Cortex + XSIAM 2.4. + id: 319c7043-3979-4197-810b-aad9fa76ebcc + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 319c7043-3979-4197-810b-aad9fa76ebcc + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 270\n }\n}" + '9': + continueonerrortype: '' + id: '9' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '46' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No indication of malicious activity was found + closeReason: + simple: Resolved - Handled by the playbook "Unusual process accessed web browser + credentials using terminal" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 5a7ba8a5-3056-405e-84b3-f5a6afcfe1ef + iscommand: true + name: Close Alert - No indication of malicious activity was found + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 5a7ba8a5-3056-405e-84b3-f5a6afcfe1ef + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 890,\n \"y\": 760\n }\n}" + '90': + continueonerrortype: '' + id: '90' + ignoreworker: false + isautoswitchedtoquietmode: false + 
isoversize: false + nexttasks: + '#none#': + - '3' + note: false + quietmode: 0 + scriptarguments: + fromdate: + simple: 3 hours ago + includeinformational: + simple: 'true' + query: + simple: (mitreattcktechnique:* T1555.001* or name:"A process connected to + a rare external host" or name:"A user connected a new USB storage device + to a host" or name:"A user connected a USB storage device for the first + time" or name:"Globally less common process execution from a signed process") + and agentid:${alert.agentid} and (cid:${alert.cid.[0]} or actorprocessinstanceid:${alert.cid.[0]} + or actionprocessinstanceid:${alert.cid.[0]} or actorprocessinstanceid:${alert.actorprocessinstanceid.[0]} + or actionprocessinstanceid:${alert.actorprocessinstanceid.[0]}) + todate: + simple: now + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task searches by MITRE technique and alert names for suspicious\ + \ related insights that may indicate a compromised endpoint.\nIt focuses on\ + \ identifying alerts linked to the following MITRE techniques within the same\ + \ causality chain from the last 3 hours:\n- T1555.001 - Credentials from Password\ + \ Stores: Keychain\n\nAnd the following alert:\n- \"A process connected to\ + \ a rare external host\" \n- \"A user connected a new USB storage device to\ + \ a host\"\n- \"A user connected a USB storage device for the first time\"\ + \n- \"Globally less common process execution from a signed process\"" + id: a2f7df4f-55fc-4fb2-8cca-b497f09debd3 + iscommand: false + name: Search for related insights by name + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: a2f7df4f-55fc-4fb2-8cca-b497f09debd3 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1110,\n \"y\": -350\n }\n}" + '92': + continueonerror: true + continueonerrortype: '' + id: '92' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '111' + note: 
false + quietmode: 0 + scriptarguments: + contextKey: + simple: SuspiciousInitiatorProcessPath + data: + simple: ${alert.initiatorpath} + ignore-outputs: + simple: 'false' + regex: + simple: (?i)(\/Volumes\/|\/Downloads\/) + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Uses regex to extract the suspicious segment from the initiator + path. + id: 99e9656e-95b3-4cb9-8ddc-5b451529ee04 + iscommand: false + name: Check the initiator process path for any suspicious locations + scriptName: MatchRegexV2 + type: regular + version: -1 + taskid: 99e9656e-95b3-4cb9-8ddc-5b451529ee04 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 640,\n \"y\": -840\n }\n}" + '93': + continueonerrortype: '' + id: '93' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '97' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 27776082-8565-47a8-8ff4-68b4bde0e077 + iscommand: false + name: Quarantine file + type: title + version: -1 + taskid: 27776082-8565-47a8-8ff4-68b4bde0e077 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 630\n }\n}" + '97': + continueonerror: true + continueonerrortype: '' + id: '97' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '100' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${alert.agentid} + file_hash: + simple: ${alert.initiatorsha256} + file_path: + simple: ${alert.initiatorpath} + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Retrieves the quarantine status for a selected file. 
+ id: 777b3a56-c91b-4ea4-823f-7d1b1231f031 + iscommand: true + name: Get file quarantine status + script: '|||core-get-quarantine-status' + type: regular + version: -1 + taskid: 777b3a56-c91b-4ea4-823f-7d1b1231f031 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 760\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"100_104_Yes\": 0.22,\n \"113_103_#error#\"\ + : 0.6,\n \"114_104_No Quarantine\": 0.29,\n \"114_113_Quarantine\": 0.49\n\ + \ },\n \"paper\": {\n \"dimensions\": {\n \"height\": 3115,\n \"\ + width\": 1710,\n \"x\": -220,\n \"y\": -1110\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml new file mode 100644 index 000000000000..f5bad52555cc --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml 
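Review bot: The query in task '47' is missing an `or` between `name:"*Credential Gathering Protection*"` and `name:"WildFire Malware"`, so the two terms are simply juxtaposed and, depending on how the search parser treats adjacent terms, the "Credential Gathering Protection" and "WildFire Malware" alerts are probably never returned even though the task description lists them; the line should read `... or name:"*Credential Gathering Protection*" or name:"WildFire Malware" or name:"Local Analysis Malware") and agentid:${alert.agentid}`. Task '13' closes the alert with `closeNotes: simple: Malicious scheduled task detected`, which looks carried over from another playbook and misstates the record for a browser-credential-access alert; a note such as `simple: Unusual access to web browser credentials by a terminal process confirmed as malicious` would match this playbook. Separately, task '8' routes to remediation (and to causality termination in task '87') when only `SuspiciousInitiatorProcessPath` is set, i.e. the initiator runs from /Downloads/ or /Volumes/ with no related alert or insight found, whereas the description says remediation follows only when related alerts or insights are found; either document that path-only branch or require a finding as well.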
@@ -0,0 +1,650 @@ +description: 'This playbook is designed to handle the alert + + ''User added to local administrator group using a PowerShell command'' + + + The playbook executes the following stages: + + + Investigation: + + Check the following parameters to determine if remediation actions are needed: + + - Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious + activity. + + - Whether the process is unsigned. + + + Remediation: + + Handles malicious alerts by terminating the relevant processes and requesting the + analyst''s approval to remove the user from the local Administrators group. + + Handles non-malicious alerts identified during the investigation.' +fromversion: 8.8.0 +id: silent-User added to local administrator group using a PowerShell command Test +inputSections: +- description: Generic group for inputs. + inputs: [] + name: General (Inputs group) +inputs: [] +issilent: true +name: silent-User added to local administrator group using a PowerShell command Test +outputSections: +- description: Generic group for outputs. 
+ name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' +tags: +- TA0003 - Persistence +- T1098 - Account Manipulation +tasks: + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '1' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: bb220bb9-b474-4c84-85f3-dca73838520b + iscommand: false + name: '' + version: -1 + taskid: bb220bb9-b474-4c84-85f3-dca73838520b + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 160\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '6' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: fc66d0b2-7618-4a38-8f04-e821aba4a989 + iscommand: false + name: Investigation + type: title + version: -1 + taskid: fc66d0b2-7618-4a38-8f04-e821aba4a989 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 310\n }\n}" + '21': + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: Suspicious activity detected + closeReason: + simple: Resolved - Handled by the playbook "User added to local administrator + group using a PowerShell command" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: 88be804e-5e38-4909-87d4-f83461f24630 + iscommand: true + name: Close Alert - True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: 88be804e-5e38-4909-87d4-f83461f24630 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 
420,\n \"y\": 2145\n }\n}" + '22': + continueonerrortype: '' + id: '22' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 948acfa9-d0a3-42b0-8b06-ee6736be5f92 + iscommand: false + name: Done + type: title + version: -1 + taskid: 948acfa9-d0a3-42b0-8b06-ee6736be5f92 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 2315\n }\n}" + '24': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents.name + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '26' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Determines whether the incident contains related alerts by MITRE + Techniques, indicating that the alert was part of an attack pattern. + id: 2f745b02-269a-408e-8aec-c7f3a8bc5115 + iscommand: false + name: Found any alerts indicating this is malicious activity? 
+ type: condition + version: -1 + taskid: 2f745b02-269a-408e-8aec-c7f3a8bc5115 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 790\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '70' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 8018c8e4-2938-479d-8670-7801a8aff36c + iscommand: false + name: No Results Found + type: title + version: -1 + taskid: 8018c8e4-2938-479d-8670-7801a8aff36c + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 980\n }\n}" + '6': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + complex: + accessor: osparentsignature + filters: + - - left: + iscontext: true + value: + simple: alert.osparentsigner + operator: isNotEmpty + root: alert + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + - ignorecase: true + left: + iscontext: true + value: + complex: + filters: + - - left: + iscontext: true + value: + simple: alert.cgosignature + operator: isNotEmpty + root: alert.cgosignature + operator: isNotEqualString + right: + value: + simple: SIGNATURE_SIGNED + label: 'yes' + continueonerrortype: '' + id: '6' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '77' + 'yes': + - '7' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Determines the appropriate verdict based on process signature. 
+ + ' + id: 22756e65-c2a2-43a1-8192-b98244e84591 + iscommand: false + name: Check for unsigned CGO or OS process + type: condition + version: -1 + taskid: 22756e65-c2a2-43a1-8192-b98244e84591 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 460\n }\n}" + '7': + continueonerrortype: '' + id: '7' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '76' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: b6f76440-2eec-49c0-8dc0-ed49708da484 + iscommand: false + name: Remediation + type: title + version: -1 + taskid: b6f76440-2eec-49c0-8dc0-ed49708da484 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 980\n }\n}" + '70': + continueonerrortype: '' + id: '70' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '22' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: No Results Found + closeReason: + simple: Resolved - Handled by the playbook "User added to local administrator + group using a PowerShell command" + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: b2c25c91-84e4-4adc-852e-afceed01e5f1 + iscommand: true + name: Close Alert - No results returned + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b2c25c91-84e4-4adc-852e-afceed01e5f1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1130,\n \"y\": 1120\n }\n}" + '76': + continueonerror: true + continueonerrortype: '' + id: '76' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '79' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + 
simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4. + id: 43d9acfc-9cd7-43f6-8675-484582c3ac4d + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' + type: regular + version: -1 + taskid: 43d9acfc-9cd7-43f6-8675-484582c3ac4d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1110\n }\n}" + '77': + continueonerrortype: '' + id: '77' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '24' + note: false + quietmode: 0 + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1001* or mitreattcktechnique:*T1140* + or mitreattcktechnique:*T1059* or name:"Suspicious local user + account creation") and caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task searches for Cortex XSIAM suspicious alerts related + to the current incident by Mitre Techniques that may indicate suspicious activity. 
+ + + Focus on identifying alerts associated with the following MITRE techniques: + + - T1001 - Data Obfuscation + + - T1140 - Deobfuscate/Decode Files or Information + + - T1059 - Command and Scripting Interpreter + + + And the following alert: + + - "Suspicious local user account creation" + + ' + id: 94f27bbd-224a-47ef-8892-edb62f47292e + iscommand: false + name: Search for related alerts by MITRE Technique + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 94f27bbd-224a-47ef-8892-edb62f47292e + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 740,\n \"y\": 630\n }\n}" + '79': + continueonerrortype: '' + id: '79' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '82' + note: false + quietmode: 0 + scriptarguments: + key: + simple: ExtractedUsername + value: + complex: + accessor: targetprocesscmd + root: alert + transformers: + - args: + error_if_no_match: {} + ignore_case: {} + multi_line: {} + period_matches_newline: {} + regex: + value: + simple: (?i)Administrators[\\]?[\"|']?\s+-Member\s+([^\s;}]+) + unpack_matches: {} + operator: RegexExtractAll + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Set a value in context under the key you entered. + id: 052a58a3-8922-40dd-851e-4212df94e9c2 + iscommand: false + name: Extract Username + scriptName: Set + type: regular + version: -1 + taskid: 052a58a3-8922-40dd-851e-4212df94e9c2 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1270\n }\n}" + '80': + continueonerrortype: '' + id: '80' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: + simple: 'Remove the user: ${ExtractedUsername} from local admin group?' 
+ cc: null + format: '' + methods: [] + replyOptions: + - 'Yes' + - 'No' + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null + nexttasks: + 'No': + - '21' + 'Yes': + - '81' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Analyst approval is required to remove the user from the local + Administrator group. + id: 7d039298-b7e0-44c1-8f77-39e71f387d96 + iscommand: false + name: Analyst approval to remove user from local Administrator group + type: condition + version: -1 + taskid: 7d039298-b7e0-44c1-8f77-39e71f387d96 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1610\n }\n}" + '81': + continueonerror: true + continueonerrortype: errorPath + id: '81' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#error#': + - '83' + '#none#': + - '21' + note: false + quietmode: 0 + scriptarguments: + commands: + simple: powershell.exe Remove-LocalGroupMember -Group "Administrators" -Member + ${ExtractedUsername} + endpoint_ids: + simple: ${alert.agentid} + timeout: + simple: '180' + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Initiate a new endpoint script execution of shell commands. 
+ id: 4861afe9-34c3-4415-8e53-ac6b0e3fbbba + iscommand: true + name: Remove user from local Administrator group + script: '|||core-run-script-execute-commands' + type: regular + version: -1 + taskid: 4861afe9-34c3-4415-8e53-ac6b0e3fbbba + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 190,\n \"y\": 1780\n }\n}" + '82': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: ExtractedUsername + operator: isNotEmpty + right: + value: {} + label: 'yes' + continueonerrortype: '' + id: '82' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '83' + 'yes': + - '80' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check whether the extracted username is defined. + id: 24e90eb8-1d77-4ca6-80a9-f5020bff758c + iscommand: false + name: Is the extracted username defined? + type: condition + version: -1 + taskid: 24e90eb8-1d77-4ca6-80a9-f5020bff758c + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 420,\n \"y\": 1430\n }\n}" + '83': + continueonerrortype: '' + id: '83' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '21' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'Dear Analyst, + + + Please note that during the remediation process, the playbook failed to remove + the user from the local administrator group on the host: ${alert.hostname} + . + + + Please take manual action to remove the user from the local administrator + group on the host: ${alert.hostname} . 
+ + + The user can be found in the following PowerShell command: + + ${alert.targetprocesscmd} + + ' + id: 45d20664-73f2-40b5-8f30-8d1ce01f51f1 + iscommand: false + name: Remove the user from the local administrator group manually + type: regular + version: -1 + taskid: 45d20664-73f2-40b5-8f30-8d1ce01f51f1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": -40,\n \"y\": 1970\n }\n}" +tests: +- No tests (auto formatted) +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"24_7_yes\": 0.23,\n \"6_7_yes\": 0.35,\n\ + \ \"80_21_No\": 0.48,\n \"80_81_Yes\": 0.57,\n \"81_83_#error#\": 0.5,\n\ + \ \"82_80_yes\": 0.39,\n \"82_83_#default#\": 0.66\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 2220,\n \"width\": 1550,\n \"\ + x\": -40,\n \"y\": 160\n }\n }\n}" From 5d26b8a3fb14c0f05aaeea7d179924aa973ec271 Mon Sep 17 00:00:00 2001 From: ArikDay Date: Mon, 3 Mar 2025 11:14:15 +0200 Subject: [PATCH 02/14] rn --- Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_18.md | 1 + Packs/CortexResponseAndRemediation/pack_metadata.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_18.md diff --git a/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_18.md b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_18.md new file mode 100644 index 000000000000..724a98578202 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_18.md @@ -0,0 +1 @@ +## Documentation and metadata improvements. diff --git a/Packs/CortexResponseAndRemediation/pack_metadata.json b/Packs/CortexResponseAndRemediation/pack_metadata.json index 7bbfda0974e2..3846556e1c44 100644 --- a/Packs/CortexResponseAndRemediation/pack_metadata.json +++ b/Packs/CortexResponseAndRemediation/pack_metadata.json 
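Review bot: Task '81' interpolates `${ExtractedUsername}` straight into a shell command executed on the endpoint (`powershell.exe Remove-LocalGroupMember -Group "Administrators" -Member ${ExtractedUsername}`), and that value is produced by task '79', which regex-extracts it from `alert.targetprocesscmd` — the very command line that raised the alert and is therefore under the suspect's control. The capture class `[^\s;}]+` only excludes whitespace, `;` and `}`, so other PowerShell syntax can survive into the remediation command; the analyst prompt in task '80' does display the value, but it should not be the only barrier. Task '82' should additionally reject any value that does not match a strict account-name allowlist — for example a regex-match condition on `ExtractedUsername` against a pattern such as `^[A-Za-z0-9._\\-]+$` (constructed example; widen it deliberately if domain-qualified names are expected) — and route non-matching values to the manual task '83'. Separately, task '76' sets `continueonerror: true` with no `#error#` branch, so a failed causality termination proceeds silently into the user-removal flow; consider giving it an error path like the one task '81' has, or at least surfacing the failure in the final analyst task.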
@@ -2,7 +2,7 @@
 "name": "Cortex Response And Remediation",
 "description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
 "support": "xsoar",
- "currentVersion": "1.1.16",
+ "currentVersion": "1.1.18",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 2f1fdb4cc615647a5ade0cd7d236a7573774311b Mon Sep 17 00:00:00 2001
From: ArikDay Date: Mon, 3 Mar 2025 11:26:30 +0200 Subject: [PATCH 03/14] Triggers --- ...SaaS_Access_From_a_TOR_Exit_Node_Test.json | 43 ++++++++++ ...ultiple_LDAP_enumeration_queries_Test.json | 25 ++++++ ...s_configured_in_Google_Workspace_Test.json | 33 ++++++++ ..._successful_SSO_sign_in_from_TOR_Test.json | 33 ++++++++ ...er_-_A_successful_login_from_TOR_Test.json | 24 ++++++ ..._Executed_With_Rare_Command_Line_Test.json | 29 +++++++ ...account_unlock_or_password_reset_Test.json | 24 ++++++ ...jected_numerous_SSO_MFA_attempts_Test.json | 34 ++++++++ ...ntial_Dumping_using_a_known_tool_Test.json | 79 +++++++++++++++++++ ...n_remote_scheduled_task_creation_Test.json | 25 ++++++ ...-Trigger_-_Event_Log_Was_Cleared_Test.json | 59 ++++++++++++++ ...Excessive_User_Account_Lockkouts_Test.json | 39 +++++++++ ...Exchange_User_Mailbox_Forwarding_Test.json | 33 ++++++++ ...hange_forwarding_rule_configured_Test.json | 64 +++++++++++++++ ...from_an_uncommon_remote_location_Test.json | 34 ++++++++ ...a_scheduled_task_via_file_access_Test.json | 25 ++++++ ...r_-_Remote_WMI_Process_Execution_Test.json | 33 ++++++++ ..._With_Suspicious_Characteristics_Test.json | 33 ++++++++ ...eated_with_HTTP_or_FTP_reference_Test.json | 24 ++++++ ...Successful_guest_user_invitation_Test.json | 25 ++++++ ...-_Suspicious_Hidden_User_Created_Test.json | 25 ++++++ ...icious_Local_Administrator_Login_Test.json | 24 ++++++ ...Suspicious_access_to_shadow_file_Test.json | 25 ++++++ ...Suspicious_certutil_command_line_Test.json | 25 ++++++ ...icious_execution_from_tmp_folder_Test.json | 39 +++++++++ ...duled_task_on_a_sensitive_server_Test.json | 25 ++++++ ...-_Uncommon_execution_of_ODBCconf_Test.json | 34 ++++++++ ...on_remote_scheduled_task_created_Test.json | 24 ++++++ ...d_process_opened_a_registry_hive_Test.json | 24 ++++++ ...r_process_performed_an_injection_Test.json | 49 ++++++++++++ ...d_executed_by_a_terminal_process_Test.json | 25 ++++++ ...group_using_a_PowerShell_command_Test.json | 25 
++++++ 32 files changed, 1062 insertions(+) create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json create mode 100644 
Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json create mode 100644 
Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json new file mode 100644 index 000000000000..12d3720489b6 --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json 
@@ -0,0 +1,43 @@
+{
+ "trigger_id": "f316852d358f8de8192842f6a7156142",
+ "playbook_id": "silent-Suspicious SaaS Access From a TOR Exit Node Test",
+ "suggestion_reason": "Recommended for Suspicious SaaS Access From a TOR Exit Node alerts",
+ "description": "This trigger is responsible for handling Suspicious SaaS Access From a TOR Exit Node",
+ "trigger_name": "silent-Suspicious SaaS Access From a TOR Exit Node Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious SaaS API call from a Tor exit node"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious SaaS API call from a Tor exit node via Mobile Device"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious API call from a Tor exit node"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "Suspicious Kubernetes API call from a Tor exit node"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
new file mode 100644
index 000000000000..a5d46f86d2c7
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
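Review bot: This trigger omits `"fromVersion": "8.8.0"` even though the playbooks in this PR declare `fromversion: 8.8.0` and the LDAP-enumeration, AppleScript, SSO-MFA and credential-dumping triggers in the same commit set it; the Google Workspace, SSO-sign-in-from-TOR, login-from-TOR and Azure AD triggers have the same omission. Presumably the key gates installation on platform version, so without it a trigger could be installed where its playbook is not — adding `"fromVersion": "8.8.0"` to each keeps the set consistent. In the `OR` block the second `CONTAINS` value (`... via Mobile Device`) is already matched by the first (`Suspicious SaaS API call from a Tor exit node`), so that branch is redundant; the other triggers use `EQ` on exact alert names, which would also avoid accidental over-matching here. The filename also lacks the `silent-Trigger_-_` prefix used by every other trigger file in this commit.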
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "52c5358feb547561b409817ba1f129d2",
+ "playbook_id": "silent-A user executed multiple LDAP enumeration queries Test",
+ "suggestion_reason": "Recommended for A user executed suspicious LDAP enumeration queries alerts.",
+ "description": "This trigger is responsible for handling alerts where a user executes suspicious LDAP enumeration queries.",
+ "trigger_name": "silent-A user executed multiple LDAP enumeration queries Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A user executed suspicious LDAP enumeration queries"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
new file mode 100644
index 000000000000..4bdaf5a0d78f
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
@@ -0,0 +1,33 @@
+{
+ "trigger_id": "49f4f8a7a81eecadfe694353481fda1d",
+ "playbook_id": "silent-A mail forwarding rule was configured in Google Workspace Test",
+ "suggestion_reason": "Recommended for 'A mail forwarding rule was configured in Google Workspace' and 'A mail forwarding rule was configured in Google Workspace to an uncommon domain' alerts",
+ "description": "This trigger runs the A mail forwarding rule was configured in Google Workspace playbook, which handles the A mail forwarding rule was configured in Google Workspace and A mail forwarding rule was configured in Google Workspace to an uncommon domain alerts.",
+ "trigger_name": "silent-A mail forwarding rule was configured in Google Workspace Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A mail forwarding rule was configured in Google Workspace"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A mail forwarding rule was configured in Google Workspace to an uncommon domain"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
new file mode 100644
index 000000000000..304d01f17d28
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
@@ -0,0 +1,33 @@
+{
+ "trigger_id": "4a90702e6a1e31ff92c4a5b8e27360cd",
+ "playbook_id": "silent-A successful SSO sign-in from TOR Test",
+ "suggestion_reason": "Recommended for 'A successful SSO sign-in from TOR' and 'A successful SSO sign-in from TOR via a mobile device' alerts",
+ "description": "This trigger is responsible for handling the 'A successful SSO sign-in from TOR' and the 'A successful SSO sign-in from TOR via a mobile device' alerts",
+ "trigger_name": "silent-A successful SSO sign-in from TOR Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A successful SSO sign-in from TOR"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A successful SSO sign-in from TOR via a mobile device"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
new file mode 100644
index 000000000000..c972b6db2747
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
@@ -0,0 +1,24 @@
+{
+ "trigger_id": "48cae2955f760d5ed08bf3c0b922887a",
+ "playbook_id": "silent-A Successful login from TOR Test",
+ "suggestion_reason": "Recommended for 'A Successful login from TOR' alert",
+ "description": "This trigger is responsible for handling the 'A Successful login from TOR' alert",
+ "trigger_name": "silent-A Successful login from TOR Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A Successful login from TOR"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
new file mode 100644
index 000000000000..61f3a812bac4
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
@@ -0,0 +1,29 @@
+{
+ "trigger_id": "66c14136957cd342e560cedc6e29d3c6",
+ "playbook_id": "silent-AppleScript Process Executed With Rare Command Line Test",
+ "suggestion_reason": "Recommended for 'AppleScript Process Executed With Rare Command Line' alerts",
+ "description": "This trigger is responsible for handling several the 'AppleScript Process Executed With Rare Command Line' alerts",
+ "trigger_name": "silent-AppleScript Process Executed With Rare Command Line Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "CONTAINS",
+ "SEARCH_VALUE": "AppleScript executed with a rare command line possibly using Finder to perform operations"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
new file mode 100644
index 000000000000..6912932d53c7
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
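Review bot: The `description` string reads `This trigger is responsible for handling several the 'AppleScript Process Executed With Rare Command Line' alerts`, which is ungrammatical; since the filter matches a single alert name, `This trigger is responsible for handling the 'AppleScript Process Executed With Rare Command Line' alert` reads correctly. The single-entry `OR` wrapper is also unnecessary — the other single-alert triggers in this commit place the `alert_name` clause directly under `AND`. Note that the filter uses `CONTAINS` against the full alert name `AppleScript executed with a rare command line possibly using Finder to perform operations`, where the sibling triggers use `EQ`; unless partial matching is intended, `EQ` is the safer choice.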
@@ -0,0 +1,24 @@
+{
+ "trigger_id": "0e8741d5fbc51b23a796898b77c3a21d",
+ "playbook_id": "silent-Azure AD account unlock or password reset Test",
+ "suggestion_reason": "Recommended for 'Azure AD account unlock/successful password reset' alert",
+ "description": "This trigger is responsible for handling the 'Azure AD account unlock/successful password reset' alert",
+ "trigger_name": "silent-Azure AD account unlock or password reset Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Azure AD account unlock/successful password reset"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
new file mode 100644
index 000000000000..27b1e83c47a0
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "3120c09a8de842f4aae8506487b01e8c",
+ "playbook_id": "silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test",
+ "suggestion_reason": "Recommended for Compromise Accounts alerts triggered by multiple MFA rejections.",
+ "description": "This trigger is responsible for handling Compromise Accounts alerts where user rejected MFA attempts.",
+ "trigger_name": "silent-Compromise Accounts - User has rejected numerous SSO MFA attempts Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "User rejected numerous SSO MFA attempts"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Multiple SSO MFA attempts were rejected by a user with suspicious characteristics"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
new file mode 100644
index 000000000000..bdeb762e85c4
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
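Review bot: `trigger_name` says `User has rejected numerous SSO MFA attempts` while `playbook_id` and the first `SEARCH_VALUE` say `User rejected numerous SSO MFA attempts`; every other trigger in the batch keeps `trigger_name` identical to `playbook_id`. Suggest `"trigger_name": "silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test"` so the trigger is findable under the same name as its playbook.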
@@ -0,0 +1,79 @@
+{
+ "trigger_id": "07b3e02109c59c627caf03a46a877d4e",
+ "playbook_id": "silent-Credential Dumping using a known tool Test",
+ "suggestion_reason": "Recommended for 'Credential Dumping using a known tool' alerts",
+ "description": "This trigger is responsible for handling the 'Credential Dumping using a known tool' alerts",
+ "trigger_name": "silent-Credential Dumping using a known tool Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Command-line arguments match Mimikatz execution"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Mimikatz command-line arguments"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via wce.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via gsecdump.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "PowerShell runs with known Mimikatz arguments"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Hash cracking using Hashcat tool"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via fgdump.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via LaZagne"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Credential dumping via pwdumpx.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Dumping lsass.exe memory for credential extraction"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Memory dumping with comsvcs.dll"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
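Review bot: `Hash cracking using Hashcat tool` is routed to the credential-dumping playbook alongside ten alerts that describe dumping credentials from a host; offline cracking of already-obtained hashes is a different stage of the attack, so containment steps written for a dumping host (isolating the endpoint, resetting the dumped accounts) may not fit the cracking case. If the mapping is deliberate, a short addition to `description` saying the playbook also covers offline hash cracking would document that; otherwise that `OR` entry should be dropped or given its own trigger.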
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
new file mode 100644
index 000000000000..f594978ce8c2
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "a7ca7229e794c8355cea0ec9827ac9f9",
+ "playbook_id": "silent-Endpoint initiated uncommon remote scheduled task creation Test",
+ "suggestion_reason": "Recommended for the 'Uncommon remote scheduled task creation' alert",
+ "description": "This trigger is responsible for handling 'Uncommon remote scheduled task creation' alerts",
+ "trigger_name": "silent-Endpoint initiated uncommon remote scheduled task creation Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon remote scheduled task creation"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
new file mode 100644
index 000000000000..6d56bc592f0d
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
@@ -0,0 +1,59 @@
+{
+ "trigger_id": "1f4a5afb3a984d8e6eaec744d04a1a78",
+ "playbook_id": "silent-Event Log Was Cleared Test",
+ "suggestion_reason": "Recommended for 'Windows Event Log Was Cleared' alerts",
+ "description": "This trigger is responsible for handling the 'Windows Event Log Was Cleared' alerts",
+ "trigger_name": "silent-Event Log Was Cleared Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Windows Event Log was cleared using wevtutil.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Security Event Log was cleared using wevtutil.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A Sensitive Windows Event Log was cleared using wevtutil.exe"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Windows event logs were cleared with PowerShell"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious clear or delete security provider event logs with PowerShell"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious clear or delete default providers event logs with PowerShell"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Windows event logs cleared using wmic.exe"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
new file mode 100644
index 000000000000..756fd197fe4b
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
@@ -0,0 +1,39 @@
+{
+ "trigger_id": "16b8fde633a06edcc92b4f6aa7b52db2",
+ "playbook_id": "silent-Excessive User Account Lockouts Test",
+ "fromVersion": "8.8.0",
+ "suggestion_reason": "Recommended for Excessive User Account Lockouts alerts.",
+ "description": "This trigger is responsible for handling excessive user account lockouts.",
+ "trigger_name": "silent-Excessive User Account Lockouts Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Excessive user account lockouts"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Excessive account lockouts on suspicious users"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Excessive user account lockouts from a suspicious source"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
new file mode 100644
index 000000000000..6ad8130fe3aa
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
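Review bot: The new file is named `silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json` (double `k`) while `playbook_id` and `trigger_name` inside it say `Lockouts`; every other trigger in the batch has a file name that matches its content. A misspelled path is hard to find later and, if the pack's content validation or id-set tooling keys on the file name, may fail or be silently treated as a different artifact; rename it to `silent-Trigger_-_Excessive_User_Account_Lockouts_Test.json` before merge. The file header for this hunk sits at the end of the previous line of the diff.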
@@ -0,0 +1,33 @@
+{
+ "trigger_id": "87c352f11994a9c17008e7e0354a2c96",
+ "playbook_id": "silent-Exchange User Mailbox Forwarding Test",
+ "suggestion_reason": "Recommended for Exchange User Mailbox Forwarding alerts.",
+ "description": "This trigger is responsible for handling Exchange User Mailbox Forwarding alerts.",
+ "trigger_name": "silent-Exchange User Mailbox Forwarding Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Exchange User Mailbox Forwarding"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange User Mailbox Forwarding"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
new file mode 100644
index 000000000000..4fb4dba98a09
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
@@ -0,0 +1,64 @@
+{
+ "trigger_id": "4402083915accc60f72e10bb59224616",
+ "playbook_id": "silent-Exchange forwarding rule configured Test",
+ "fromVersion": "8.8.0",
+ "suggestion_reason": "Recommended for External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule",
+ "description": "This trigger runs the Exchange forwarding rule alerts playbook, which handles the External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule alerts.",
+ "trigger_name": "silent-Exchange forwarding rule configured Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "External Exchange inbox forwarding rule configured"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange inbox forwarding rule configured"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange email-hiding inbox rule"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Possible BEC Exchange email-hiding inbox rule"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Exchange email-hiding transport rule based on message keywords"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange email-hiding transport rule"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Exchange transport forwarding rule configured"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious Exchange transport forwarding rule configured"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
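Review bot: `suggestion_reason` and `description` name three alerts, but the `OR` block matches eight, including the transport-rule and BEC email-hiding alerts; an analyst reading the suggestion text will not expect the playbook to be attached to transport rules, which are tenant-wide rather than per-mailbox. Either list all eight in both strings or shorten them to a generic phrase such as `"Recommended for Exchange inbox and transport forwarding and email-hiding rule alerts"` so the text stays true as names are added.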
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
new file mode 100644
index 000000000000..3d5a39db66a5
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "c3f1be30b61c743ffb869c7dbb0c51f9",
+ "playbook_id": "silent-Msiexec execution of an executable from an uncommon remote location Test",
+ "suggestion_reason": "Recommended for 'Msiexec execution of an executable from an uncommon remote location without properties' and 'Msiexec execution of an executable from an uncommon remote location with a specific port' alerts",
+ "description": "This trigger is responsible for handling the 'Msiexec execution of an executable from an uncommon remote location with a specific port' and 'Msiexec execution of an executable from an uncommon remote location without properties' alerts via the 'Msiexec_execution_of_an_executable_from_an_uncommon_remote_location' playbook",
+ "trigger_name": "silent-Msiexec execution of an executable from an uncommon remote location Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Msiexec execution of an executable from an uncommon remote location with a specific port"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Msiexec execution of an executable from an uncommon remote location without properties"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
new file mode 100644
index 000000000000..f8c252cf8a7b
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "5a18cefb3601f01ff4201962af6ae475",
+ "playbook_id": "silent-Office process creates a scheduled task via file access Test",
+ "suggestion_reason": "Recommended for the 'Office process creates a scheduled task via file access' alert",
+ "description": "This trigger is responsible for handling 'Office process creates a scheduled task via file access' alerts",
+ "trigger_name": "silent-Office process creates a scheduled task via file access Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Office process creates a scheduled task via file access"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
new file mode 100644
index 000000000000..697ca9a30162
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
@@ -0,0 +1,33 @@
+{
+ "trigger_id": "edbc72:e3551d463dc2e16d3838c9af3",
+ "playbook_id": "silent-Remote WMI Process Execution Test",
+ "suggestion_reason": "Recommended for Remote WMI Process Execution alerts",
+ "description": "This trigger is responsible for handling Remote WMI Process Execution alerts",
+ "trigger_name": "silent-Remote WMI Process Execution Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Remote WMI process execution"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious remote WMI process execution"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
new file mode 100644
index 000000000000..9bb75b818342
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
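Review bot: `trigger_id` here is `edbc72:e3551d463dc2e16d3838c9af3`, which contains a colon where every other trigger in the batch uses a 32-character lowercase hex string; the Suspicious Hidden User Created trigger (`4ce60e9:49d518fdc734c3151e2cfe4a`) has the same colon, and the Suspicious process execution by scheduled task on a sensitive server (`f7f6758a6905g037fec8a37308f1739a`) and Uncommon execution of ODBCConf (`214d2812b0ffe67e5459g0ee54049d3a`) triggers contain a `g`, which is not a hex digit. These look hand-edited rather than generated; if the platform keys triggers by this id, a malformed one can fail validation or be rejected at install, so regenerate all four as proper 32-hex ids before merge.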
@@ -0,0 +1,33 @@
+{
+ "trigger_id": "44d98a2f42036c1d90a3d45c23bb3282",
+ "playbook_id": "silent-SSO Authentication With Suspicious Characteristics Test",
+ "suggestion_reason": "Recommended for SSO Authentication With Suspicious Characteristics alerts",
+ "description": "This trigger is responsible for handling SSO Authentication With Suspicious Characteristics alerts",
+ "trigger_name": "silent-SSO Authentication With Suspicious Characteristics Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "SSO authentication attempt with suspicious characteristics"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Successful SSO authentication with suspicious characteristics"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
new file mode 100644
index 000000000000..e445037699d4
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
@@ -0,0 +1,24 @@
+{
+ "trigger_id": "36c302a212aa8edc87468e6b214b5f4e",
+ "playbook_id": "silent-Scheduled task created with HTTP or FTP reference Test",
+ "suggestion_reason": "Recommended for the 'Scheduled task created with HTTP or FTP reference' alert",
+ "description": "This trigger is responsible for handling 'Scheduled task created with HTTP or FTP reference' alert",
+ "trigger_name": "silent-Scheduled task created with HTTP or FTP reference Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Scheduled task created with HTTP or FTP reference"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
new file mode 100644
index 000000000000..93d0a885214e
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "06fd5112c09b4312c1a8e92bcb6aa30f",
+ "playbook_id": "silent-Successful guest user invitation Test",
+ "suggestion_reason": "Recommended for Valid Accounts alerts involving successful guest user invitations.",
+ "description": "This trigger is responsible for handling Valid Accounts alerts related to successful guest user invitations.",
+ "trigger_name": "silent-Successful guest user invitation Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Rare successful guest invitation in the organization"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
new file mode 100644
index 000000000000..4601de6f3e17
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "4ce60e9:49d518fdc734c3151e2cfe4a",
+ "playbook_id": "silent-Suspicious Hidden User Created Test",
+ "suggestion_reason": "Recommended for Suspicious Hidden User Created alerts.",
+ "description": "This trigger is responsible for handling alerts where a suspicious hidden user is created.",
+ "trigger_name": "silent-Alert Trigger - Suspicious Hidden User Created Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious hidden user created"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
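Review bot: In the Suspicious Hidden User Created trigger, `trigger_name` is `silent-Alert Trigger - Suspicious Hidden User Created Test`, carrying an `Alert Trigger - ` prefix that no other trigger in the batch uses and that does not match its `playbook_id`. Suggest `"trigger_name": "silent-Suspicious Hidden User Created Test"` so the trigger and playbook sort together in the UI and the naming convention stays uniform.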
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
new file mode 100644
index 000000000000..e5480cb8cf30
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
@@ -0,0 +1,24 @@
+{
+ "trigger_id": "1dd58cf4145efadf6f4d44f53ef5d034",
+ "playbook_id": "silent-Suspicious Local Administrator Login Test",
+ "suggestion_reason": "Recommended for Suspicious local administrator login alerts.",
+ "description": "This trigger is responsible for handling alerts for Suspicious local administrator login.",
+ "trigger_name": "silent-Suspicious local administrator login Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious local administrator login"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
new file mode 100644
index 000000000000..d672ffb620eb
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "41f9310d50c55b761fdc0aa5c48d6459",
+ "playbook_id": "silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk process Test",
+ "suggestion_reason": "Recommended for the 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process' alert",
+ "description": "This trigger is responsible for handling 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process",
+ "trigger_name": "silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk process Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon creation or access operation of sensitive shadow copy by a high-risk process"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
new file mode 100644
index 000000000000..9d3307b33b74
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
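Review bot: The `description` value opens a single quote before `Uncommon creation or access operation of sensitive shadow copy by a high-risk process` and never closes it; the Uncommon remote scheduled task created trigger further down has the same unbalanced quote. Suggest `"description": "This trigger is responsible for handling 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process' alerts"`. The file is also named `silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json` while `playbook_id`, `trigger_name` and the alert all concern Windows shadow copies, not the Unix shadow file; anyone searching the pack for the shadow-copy trigger will miss it, so the file should be renamed to match its content.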
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "e30b757218c4a36e4b94d8033cf55785",
+ "playbook_id": "silent-Suspicious certutil command line Test",
+ "suggestion_reason": "Recommended for the 'Suspicious certutil command line' alerts",
+ "description": "This trigger is responsible for handling 'Suspicious certutil command line' alerts",
+ "trigger_name": "silent-Suspicious certutil command line Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious certutil command line"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
new file mode 100644
index 000000000000..db18cc1aa40f
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
@@ -0,0 +1,39 @@
+{
+ "trigger_id": "a69c1c4b466ed567ee21a788e0146b21",
+ "playbook_id": "silent-Suspicious execution from tmp folder Test",
+ "suggestion_reason": "Recommended for 'Suspicious interactive execution of a binary from the tmp folder', 'Suspicious cron job task execution of a binary from the tmp folder' and 'A web server process executed an unpopular application from the tmp folder' alerts",
+ "description": "This trigger is responsible for handling the 'Suspicious interactive execution of a binary from the tmp folder', 'Suspicious cron job task execution of a binary from the tmp folder' and 'A web server process executed an unpopular application from the tmp folder' alerts via the 'Suspicious execution from tmp folder' playbook",
+ "trigger_name": "silent-Suspicious execution from tmp folder Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious process execution from tmp folder"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious interactive execution of a binary from the tmp folder"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious cron job task execution of a binary from the tmp folder"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "A web server process executed an unpopular application from the tmp folder"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
new file mode 100644
index 000000000000..0a4724a28c73
--- /dev/null
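Review bot: This is the only trigger in the batch whose `AND` block has no `alert_type` / `NEQ` / `Correlation` object after the `OR` block, so the silent playbook will also be attached to Correlation-type alerts that carry one of these four names; the hunk header's 39-line count is consistent with the clause being absent rather than lost in rendering, but please confirm against the file. Unless the wider match is deliberate, add the same `{ "SEARCH_FIELD": "alert_type", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Correlation" }` object the other triggers use as the second element of `AND`. Separately, `suggestion_reason` and `description` list three alert names while the filter matches four; `Suspicious process execution from tmp folder` should be added to both strings or removed from the filter.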
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "f7f6758a6905g037fec8a37308f1739a",
+ "playbook_id": "silent-Suspicious process execution by scheduled task on a sensitive server Test",
+ "suggestion_reason": "Recommended for the 'Suspicious process execution by scheduled task on a sensitive server' alert",
+ "description": "This trigger is responsible for handling 'Suspicious process execution by scheduled task on a sensitive server' alert",
+ "trigger_name": "silent-Suspicious process execution by scheduled task on a sensitive server Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Suspicious process execution by scheduled task on a sensitive server"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
new file mode 100644
index 000000000000..828af2ac129b
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
@@ -0,0 +1,34 @@
+{
+ "trigger_id": "214d2812b0ffe67e5459g0ee54049d3a",
+ "playbook_id": "silent-Uncommon execution of ODBCConf Test",
+ "suggestion_reason": "Recommended for the 'Uncommon execution of ODBCConf' alert.",
+ "description": "This trigger is responsible for handling 'Uncommon execution of ODBCConf' alerts.",
+ "trigger_name": "silent-Uncommon execution of ODBCConf Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon execution of ODBCConf"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon execution of ODBCConf to load dll directly"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
new file mode 100644
index 000000000000..3127f6f68e58
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
@@ -0,0 +1,24 @@
+{
+ "trigger_id": "b0becdc3d9a6a5636291dd23bf5998b1",
+ "playbook_id": "silent-Uncommon remote scheduled task created Test",
+ "suggestion_reason": "Recommended for the 'Uncommon remote scheduled task created' alert",
+ "description": "This trigger is responsible for handling 'Uncommon remote scheduled task created",
+ "trigger_name": "silent-Uncommon remote scheduled task created Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Uncommon remote scheduled task created"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
new file mode 100644
index 000000000000..be4671095245
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
@@ -0,0 +1,24 @@
+{
+ "trigger_id": "a8782c70ecf48029bd6c6634f1c5beb5",
+ "playbook_id": "silent-Unprivileged process opened a registry hive Test",
+ "suggestion_reason": "Recommended for 'Unprivileged process opened a registry hive' alert",
+ "description": "This trigger is responsible for handling the 'Unprivileged process opened a registry hive' alert",
+ "trigger_name": "silent-Unprivileged process opened a registry hive Test",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unprivileged process opened a registry hive"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
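Review bot: Both triggers on this line — `silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json` and `silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json` — omit the `"fromVersion": "8.8.0",` key that every other trigger in this series sets, so they would be offered on platform versions where the `silent-` playbooks and `issilent` flag may not exist; add the key after `trigger_name` in both. In the first trigger the description also lacks its closing quote and noun: `"description": "This trigger is responsible for handling the 'Uncommon remote scheduled task created' alert",`.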
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
new file mode 100644
index 000000000000..14c69ebd93e9
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
@@ -0,0 +1,49 @@
+{
+ "trigger_id": "934cafcebab59e0ca432603850b0e2e5",
+ "playbook_id": "silent-Unsigned and unpopular process performed an injection Test",
+ "suggestion_reason": "Recommended for 'Unsigned and unpopular process performed an injection' alerts",
+ "description": "This trigger is responsible for handling several the 'Unsigned and unpopular process performed an injection' alerts",
+ "trigger_name": "silent-Unsigned and unpopular process performed an injection Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "OR": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed injection into a commonly abused process"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed process hollowing injection"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed queue APC injection"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed injection into a sensitive process"
+ },
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unsigned and unpopular process performed injection into svchost.exe"
+ }
+ ]
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
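Review bot: The `description` reads "handling several the 'Unsigned and unpopular process performed an injection' alerts", which is ungrammatical and hides the useful fact that this trigger fans five distinct alert names into one playbook. Suggested wording: `"description": "This trigger is responsible for handling the five 'Unsigned and unpopular process performed ... injection' alert variants listed in alerts_filter",` so a reader of the trigger knows to check the `OR` list when a new variant is added.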
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
new file mode 100644
index 000000000000..2ff832dfb95c
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "da8d34ff22661f1bddb0fa372aee9dca",
+ "playbook_id": "silent-Unusual process accessed web browser credentials and executed by a terminal process Test",
+ "suggestion_reason": "Recommended for the 'Unusual process accessed web browser credentials and executed by a terminal process",
+ "description": "This trigger is responsible for handling 'Unusual process accessed web browser credentials and executed by a terminal process' alerts",
+ "trigger_name": "silent-Unusual process accessed web browser credentials and executed by a terminal process Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Unusual process accessed web browser credentials and executed by a terminal process"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
new file mode 100644
index 000000000000..e5de8eede701
--- /dev/null
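Review bot: `suggestion_reason` in this trigger is missing its closing quote and trailing noun, so the text shown to the operator in the suggestion UI ends mid-sentence. Suggested line: `"suggestion_reason": "Recommended for the 'Unusual process accessed web browser credentials and executed by a terminal process' alert",`, matching the phrasing used by the sibling triggers.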
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
@@ -0,0 +1,25 @@
+{
+ "trigger_id": "87918b1270d5c44ac4e1d7abf2eefa12",
+ "playbook_id": "silent-User added to local administrator group using a PowerShell command Test",
+ "suggestion_reason": "Recommended for the 'User added to local administrator group using a PowerShell command' alert",
+ "description": "This trigger is responsible for handling 'User added to local administrator group using a PowerShell command' alert",
+ "trigger_name": "silent-User added to local administrator group using a PowerShell command Test",
+ "fromVersion": "8.8.0",
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "User added to local administrator group using a PowerShell command"
+ },
+ {
+ "SEARCH_FIELD": "alert_type",
+ "SEARCH_TYPE": "NEQ",
+ "SEARCH_VALUE": "Correlation"
+ }
+ ]
+ }
+ },
+ "issilent": true
+}
\ No newline at end of file
From eb917f580c9d98ab4fd604b152521e9b01f1328a Mon Sep 17 00:00:00 2001
From: ArikDay
Date: Mon, 3 Mar 2025 11:38:10 +0200
Subject: [PATCH 04/14] packignore
---
 .../CortexResponseAndRemediation/.pack-ignore | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/Packs/CortexResponseAndRemediation/.pack-ignore b/Packs/CortexResponseAndRemediation/.pack-ignore
index a762b2e2f08f..cf5a7d6af218 100644
--- a/Packs/CortexResponseAndRemediation/.pack-ignore
+++ b/Packs/CortexResponseAndRemediation/.pack-ignore
@@ -1,12 +1,19 @@ [file:playbook-Azure_AD_account_unlock_or_password_reset.yml] ignore=GR103 +[file:playbook-Azure_AD_account_unlock_or_password_reset_Test.yml] +ignore=GR103 + [file:silent-playbook-Authentication_method_added_to_an_Azure_account.yml] ignore=GR103 [file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml] ignore=PB106 +[file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml] +ignore=PB106 + + [file:README.md] ignore=RM104,RM106 @@ -14,10 +21,18 @@ ignore=RM104,RM106 [file:playbook-Suspicious_Hidden_User_Created.yml] ignore=GR103 +# See CIAC-7711, CIAC-11954 +[file:playbook-Suspicious_Hidden_User_Created_Test.yml] +ignore=GR103 + # See CIAC-7711, CIAC-11954 [file:playbook-Suspicious_Local_Administrator_Login.yml] ignore=GR103 +# See CIAC-7711, CIAC-11954 +[file:playbook-Suspicious_Local_Administrator_Login_Test.yml] +ignore=GR103 + # See CIAC-7711, CIAC-11954 [file:silent-playbook-MFA_was_disabled_for_an_Azure_identity.yml] ignore=GR103 
@@ -26,18 +41,34 @@ ignore=GR103 [file:playbook-Excessive_User_Account_Lockouts.yml] ignore=GR103 +# See CIAC-7711, CIAC-11954 +[file:playbook-Excessive_User_Account_Lockouts_Test.yml] +ignore=GR103 + # GR103 is temporary, see CIAC-11954 [file:playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml] ignore=GR103 +# GR103 is temporary, see CIAC-11954 +[file:playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml] +ignore=GR103 + # GR103 fails on SearchAlertsv2 [file:playbook-A_user_executed_multiple_LDAP_enumeration_queries.yml] ignore=GR103 +# GR103 fails on SearchAlertsv2 +[file:playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml] +ignore=GR103 + # GR103 fails on SearchAlertsv2 [file:playbook-SSO_Authentication_With_Suspicious_Characteristics.yml] ignore=GR103 +# GR103 fails on SearchAlertsv2 +[file:playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml] +ignore=GR103 + # GR103 fails on SearchAlertsv2 [file:silent-SPNs_cleared_from_a_machine_account.yml] ignore=GR103 From 5b67551166e609e308a38b24bf8ca9b7d4aaf2d2 Mon Sep 17 00:00:00 2001 From: ArikDay Date: Mon, 3 Mar 2025 11:55:29 +0200 Subject: [PATCH 05/14] ignores --- Packs/CortexResponseAndRemediation/.pack-ignore | 12 ++++++------ Packs/CortexResponseAndRemediation/.secrets-ignore | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/Packs/CortexResponseAndRemediation/.pack-ignore b/Packs/CortexResponseAndRemediation/.pack-ignore index cf5a7d6af218..1672c65ad313 100644 --- a/Packs/CortexResponseAndRemediation/.pack-ignore +++ b/Packs/CortexResponseAndRemediation/.pack-ignore @@ -22,7 +22,7 @@ ignore=RM104,RM106 ignore=GR103 # See CIAC-7711, CIAC-11954 -[file:playbook-Suspicious_Hidden_User_Created_Test.yml] +[file:silent-playbook-Suspicious_Hidden_User_Created_Test.yml] ignore=GR103 # See CIAC-7711, CIAC-11954 
@@ -30,7 +30,7 @@ ignore=GR103 ignore=GR103 # See CIAC-7711, CIAC-11954 -[file:playbook-Suspicious_Local_Administrator_Login_Test.yml] +[file:silent-playbook-Suspicious_Local_Administrator_Login_Test.yml] ignore=GR103 # See CIAC-7711, CIAC-11954 @@ -42,7 +42,7 @@ ignore=GR103 ignore=GR103 # See CIAC-7711, CIAC-11954 -[file:playbook-Excessive_User_Account_Lockouts_Test.yml] +[file:silent-playbook-Excessive_User_Account_Lockouts_Test.yml] ignore=GR103 # GR103 is temporary, see CIAC-11954 @@ -50,7 +50,7 @@ ignore=GR103 ignore=GR103 # GR103 is temporary, see CIAC-11954 -[file:playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml] +[file:silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml] ignore=GR103 # GR103 fails on SearchAlertsv2 @@ -58,7 +58,7 @@ ignore=GR103 ignore=GR103 # GR103 fails on SearchAlertsv2 -[file:playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml] +[file:silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml] ignore=GR103 # GR103 fails on SearchAlertsv2 @@ -66,7 +66,7 @@ ignore=GR103 ignore=GR103 # GR103 fails on SearchAlertsv2 -[file:playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml] +[file:silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml] ignore=GR103 # GR103 fails on SearchAlertsv2 diff --git a/Packs/CortexResponseAndRemediation/.secrets-ignore b/Packs/CortexResponseAndRemediation/.secrets-ignore index dd51812b3650..a18adeab1d77 100644 --- a/Packs/CortexResponseAndRemediation/.secrets-ignore +++ b/Packs/CortexResponseAndRemediation/.secrets-ignore @@ -1,6 +1,7 @@ 1.1.1.1 2.2.2.2 8.8.8.8 +440 3.3.3.3 5.5.5.5 0.0.0.0 From a95285473c89a8771f51742eadca03ced950d810 Mon Sep 17 00:00:00 2001 From: ArikDay Date: Mon, 3 Mar 2025 12:02:46 +0200 Subject: [PATCH 06/14] ignores --- Packs/CortexResponseAndRemediation/.pack-ignore | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Packs/CortexResponseAndRemediation/.pack-ignore b/Packs/CortexResponseAndRemediation/.pack-ignore index 1672c65ad313..2a3a553f9986 100644 --- a/Packs/CortexResponseAndRemediation/.pack-ignore +++ b/Packs/CortexResponseAndRemediation/.pack-ignore @@ -1,7 +1,7 @@ [file:playbook-Azure_AD_account_unlock_or_password_reset.yml] ignore=GR103 -[file:playbook-Azure_AD_account_unlock_or_password_reset_Test.yml] +[file:silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml] ignore=GR103 [file:silent-playbook-Authentication_method_added_to_an_Azure_account.yml] @@ -10,7 +10,7 @@ ignore=GR103 [file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml] ignore=PB106 -[file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml] +[file:silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml] ignore=PB106 From e23ac37a4fb91b5c5dc74db06c6816988ec5f502 Mon Sep 17 00:00:00 2001 From: ArikDay Date: Mon, 3 Mar 2025 12:07:48 +0200 Subject: [PATCH 07/14] netcatpb --- ...-Netcat_Makes_or_Gets_Connections_Test.yml | 1035 +++++++++++++++++ ...Netcat_Makes_or_Gets_Connections_Test.json | 20 + 2 files changed, 1055 insertions(+) create mode 100644 Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml create mode 100644 Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml new file mode 100644 index 000000000000..82ec483ee49f --- /dev/null +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml 
@@ -0,0 +1,1035 @@ +id: Netcat Makes or Gets Connections Test +version: -1 +name: Netcat Makes or Gets Connections Test +description: "This playbook is designed to handle the following alerts:\n \n- Netcat makes or gets connections\n\nThe playbook executes the following stages:\n\nAnalysis:\n\n- Investigate the IP and Domain reputation\n- Search previous similar alerts\n\nRemediation:\n \n- Handles malicious alerts by terminating the causality process." +issilent: true +tags: +- T1090 - Proxy +- TA0011 - Command and Control +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: c2e37c25-ae9c-4fd9-86ac-e7a3ab82bd53 + type: start + task: + id: c2e37c25-ae9c-4fd9-86ac-e7a3ab82bd53 + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "48" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -430 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: b3351b14-149a-4979-80f2-e6adada9cbf6 + type: title + task: + id: b3351b14-149a-4979-80f2-e6adada9cbf6 + version: -1 + name: Analysis + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "35" + - "36" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 425 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 2b932894-ad39-45a2-8195-adf6cf9e1310 + type: regular + task: + id: 2b932894-ad39-45a2-8195-adf6cf9e1310 + version: -1 + name: Get IP prevalence + description: Get the prevalence of an IP, identified by ip_address. 
+ script: '|||core-get-IP-analytics-prevalence' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "21" + scriptarguments: + ip_address: + complex: + root: alert + accessor: remoteip + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 730, + "y": 900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 98d0d4cc-dd10-4282-8706-129362de2573 + type: regular + task: + id: 98d0d4cc-dd10-4282-8706-129362de2573 + version: -1 + name: Get Domain Name reputation + description: Checks the reputation of a domain. + script: '|||domain' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "21" + scriptarguments: + domain: + simple: ${Core.OriginalAlert.raw_abioc.event.dst_action_external_hostname} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 140, + "y": 900 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: a5f8583c-7a45-4e75-845f-0633a5c03441 + type: regular + task: + id: a5f8583c-7a45-4e75-845f-0633a5c03441 + version: -1 + name: Get destination IP reputation + description: Checks the specified IP address against the AbuseIP database. 
+ script: '|||ip' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "15" + scriptarguments: + ip: + complex: + root: alert + accessor: remoteip + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 730, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 30d6024b-0ba2-4dce-8069-f3e029c70305 + type: title + task: + id: 30d6024b-0ba2-4dce-8069-f3e029c70305 + version: -1 + name: Execute Remediation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "41" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2175 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 78252ce0-493f-4161-8bce-41c2add220e9 + type: condition + task: + id: 78252ce0-493f-4161-8bce-41c2add220e9 + version: -1 + name: Check if Domain Name Exist? + description: Checks if the domain name in the alert exists. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "21" + "yes": + - "16" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: Core.OriginalAlert.raw_abioc.event.dst_action_external_hostname + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 140, + "y": 715 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "21": + id: "21" + taskid: 1f0bfec1-5d6c-4ef6-8a82-87e300f58d18 + type: condition + task: + id: 1f0bfec1-5d6c-4ef6-8a82-87e300f58d18 + version: -1 + name: Check if Command Line exist? + description: Get the prevalence of a process_command_line, identified by process_command_line. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "30" + "yes": + - "43" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: alert.initiatorcmd + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1075 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: d5ad5db4-2f81-4f7e-88ce-d6c5816133a7 + type: title + task: + id: d5ad5db4-2f81-4f7e-88ce-d6c5816133a7 + version: -1 + name: Done + description: commands.local.cmd.close.inv + type: title + iscommand: false + brand: Builtin + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2850 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: 2e173da3-70ab-4819-8cff-398f49230173 + type: title + task: + id: 
2e173da3-70ab-4819-8cff-398f49230173 + version: -1 + name: Investigation + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "39" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1680 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: 1f947551-b967-46be-8909-8d67c4ff696b + type: condition + task: + id: 1f947551-b967-46be-8909-8d67c4ff696b + version: -1 + name: Malicious reputation found? + description: '' + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "24" + Malicious: + - "19" + Prevalent: + - "32" + separatecontext: false + conditions: + - label: Malicious + condition: + - - operator: isNotEmpty + left: + value: + simple: IP.Malicious + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: Domain.Malicious + iscontext: true + ignorecase: true + - label: Prevalent + condition: + - - operator: isEqualString + left: + value: + simple: Core.AnalyticsPrevalence.Ip.data.local_prevalence.value + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - - operator: isEqualString + left: + value: + simple: Core.AnalyticsPrevalence.Cmd.data.local_prevalence.value + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1475 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: dc4b41b8-382b-4b8a-868b-52c9d8c492f2 + type: condition + task: + id: dc4b41b8-382b-4b8a-868b-52c9d8c492f2 + version: -1 + name: Found Relevant Previous Alert? + description: Checks if there are any relevant previous alerts. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "32" + True Positive: + - "19" + separatecontext: false + conditions: + - label: True Positive + condition: + - - operator: isNotEmpty + left: + value: + simple: foundIncidents + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1990 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "32": + id: "32" + taskid: a402685d-d13d-4230-84cf-a9c944a013cf + type: title + task: + id: a402685d-d13d-4230-84cf-a9c944a013cf + version: -1 + name: False Positive + description: Set a value in context under the key you entered. + type: title + iscommand: false + brand: Builtin + nexttasks: + '#none#': + - "40" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 950, + "y": 2175 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "33": + id: "33" + taskid: de2809e5-8f9b-441d-8dae-2906b35449d5 + type: condition + task: + id: de2809e5-8f9b-441d-8dae-2906b35449d5 + version: -1 + name: Similar False Positive Alerts Found? + description: Checks if similar false positive alerts have been found. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "13" + "yes": + - "32" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: foundIncidents + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 240 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 1d708279-bef2-41a0-896a-777378045861 + type: regular + task: + id: 1d708279-bef2-41a0-896a-777378045861 + version: -1 + name: Close the Alert as True Positive + description: commands.local.cmd.close.inv + script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "23" + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Netcat makes or gets connections" as True Positive + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2675 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: a87830ee-7271-4d99-8f6e-2518001d92af + type: title + task: + id: a87830ee-7271-4d99-8f6e-2518001d92af + version: -1 + name: IP + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "18" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 730, + "y": 570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 6c9a12cf-b704-42f1-8a69-7bc21b9ae610 + type: title + task: + id: 6c9a12cf-b704-42f1-8a69-7bc21b9ae610 + version: -1 + name: Domain + type: title + iscommand: false + brand: "" + description: '' + 
nexttasks: + '#none#': + - "20" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 140, + "y": 570 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "39": + id: "39" + taskid: caf85c97-751f-424d-8db1-93642a0fb048 + type: regular + task: + id: caf85c97-751f-424d-8db1-93642a0fb048 + version: -1 + name: Search related alerts by MITRE technique + description: | + This task searches for suspicious alerts related to an incident by mitre techniques that may indicate a compromised user. + Focus on identifying alerts associated with the following MITRE techniques & tactics: + - T1059- Command and Scripting Interpreter + - T1072 - Software Deployment Tools + - TA0010 - Exfiltration + - T0006 - Credential Access + scriptName: SearchIncidentsV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "31" + scriptarguments: + query: + complex: + root: alert + accessor: parentXDRIncident + transformers: + - operator: Cut + args: + delimiter: + value: + simple: '-' + fields: + value: + simple: "2" + - operator: concat + args: + prefix: + value: + simple: '(mitreattcktechnique:*T1059* or mitreattcktechnique:*T1072* or mitreattcktactic:*TA0010* or mitreattcktactic:*TA0006*) and caseid:' + suffix: {} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1830 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: 8f19c901-a6ff-4bd7-897a-0e9590e468a6 + type: regular + task: + id: 8f19c901-a6ff-4bd7-897a-0e9590e468a6 + version: -1 + name: Close the Alert as False Positive + description: commands.local.cmd.close.inv + script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "23" + 
scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Netcat makes or gets connections" as False Positive + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 950, + "y": 2675 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: d572bfa1-1284-41e3-88b9-c7ea4c5555e6 + type: regular + task: + id: d572bfa1-1284-41e3-88b9-c7ea4c5555e6 + version: -1 + name: Terminate Causality (CGO) + description: Terminate a process tree by its causality ID. Available only for XSIAM 2.4. + script: '|||core-terminate-causality' + type: regular + iscommand: true + brand: "" + nexttasks: + '#error#': + - "47" + '#none#': + - "34" + scriptarguments: + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + separatecontext: false + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 450, + "y": 2330 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: 4851d11b-0b02-45f9-8d0f-274d42eded84 + type: regular + task: + id: 4851d11b-0b02-45f9-8d0f-274d42eded84 + version: -1 + name: Check Previous similar Alerts + description: | + Finds past similar alerts based on alert fields' similarity. 
+ scriptName: SearchIncidentsV2 + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "33" + scriptarguments: + fromdate: + simple: 3 months ago + name: + simple: ${alert.name} + query: + simple: 'resolution_status: STATUS_060_RESOLVED_FALSE_POSITIVE and hostname: ${alert.hostname}' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 70 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 2 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: 2fba2490-e199-46fb-87ef-68d26e786be6 + type: regular + task: + id: 2fba2490-e199-46fb-87ef-68d26e786be6 + version: -1 + name: Get Commandline prevalence + description: Get the prevalence of a process_command_line, identified by process_command_line. + script: '|||core-get-cmd-analytics-prevalence' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "30" + scriptarguments: + process_command_line: + simple: ${alert.osparentcmd} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1265 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 7d2b21cc-a875-43ed-8030-e3d6943b3307 + type: condition + task: + id: 7d2b21cc-a875-43ed-8030-e3d6943b3307 + version: -1 + name: Destination IP is External? 
+ description: '' + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "45" + External: + - "42" + separatecontext: false + conditions: + - label: External + condition: + - - operator: isEqualString + left: + value: + simple: Core.OriginalAlert.event.dst_is_internal_ip + iscontext: true + right: + value: + simple: "False" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 557e2a2f-1856-400b-84e6-09f3e5f093cb + type: title + task: + id: 557e2a2f-1856-400b-84e6-09f3e5f093cb + version: -1 + name: Insufficient data for verdict + description: Set a value in context under the key you entered. + type: title + iscommand: false + brand: Builtin + nexttasks: + '#none#': + - "23" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -90, + "y": 2175 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "47": + id: "47" + taskid: 737ed667-8e97-45cb-8254-21df848a9c63 + type: regular + task: + id: 737ed667-8e97-45cb-8254-21df848a9c63 + version: -1 + name: Terminate Process Manually + description: |- + Dear Analyst, + + During the remediation process, the playbook couldn’t terminate the process: ${alert.cgoname} + + Please terminate the process manually if possible. 
+ type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "34" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 160, + "y": 2500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: 011406e5-8d0d-47aa-8adf-07af58682c3c + type: regular + task: + id: 011406e5-8d0d-47aa-8adf-07af58682c3c + version: -1 + name: Get Extra Data for DNS query name + description: Returns information about each alert ID. + script: '|||core-get-cloud-original-alerts' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "44" + scriptarguments: + alert_ids: + complex: + root: alert + accessor: id + transformers: + - operator: uniq + filter_alert_fields: + simple: "false" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -285 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "20_16_yes": 0.54, + "30_19_Malicious": 0.14, + "30_32_Prevalent": 0.13, + "31_19_True Positive": 0.89, + "41_47_#error#": 0.61, + "44_42_External": 0.53 + }, + "paper": { + "dimensions": { + "height": 3345, + "width": 1420, + "x": -90, + "y": -430 + } + } + } +inputs: [] +inputSections: +- inputs: [] + name: General (Inputs group) + description: Generic group for inputs +outputSections: +- outputs: [] + name: General (Outputs group) + description: Generic group for outputs +outputs: [] +tests: +- No tests (auto formatted) +fromversion: 8.8.0 diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json new file mode 100644 index 000000000000..46f0fba8d9a4 
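Review bot: Task "43" (Get Commandline prevalence) queries `${alert.osparentcmd}`, but the guard in task "21" only checks that `alert.initiatorcmd` is non-empty, so the prevalence lookup is gated on one field and executed on another and can still run with an empty argument; align them, e.g. `simple: ${alert.initiatorcmd}` in task "43" or `simple: alert.osparentcmd` in task "21", whichever command line the verdict in task "30" is meant to weigh. The false-positive path "42"→"33"→"32"→"40" closes the new alert as a false positive whenever any same-named alert on the same hostname was resolved as FP in the last three months, without comparing command line or destination, which is a wide suppression for a netcat alert; adding the initiator command line or remote IP to the task "42" query would make the match safer. Tasks "20"/"16" read `Core.OriginalAlert.raw_abioc.event.dst_action_external_hostname` while task "44" reads `Core.OriginalAlert.event.dst_is_internal_ip`, two different paths under the same `core-get-cloud-original-alerts` output from task "48"; confirm both exist, otherwise one branch silently never matches. The task "39" description lists `T0006 - Credential Access` while its query uses `TA0006`; the description should read `- TA0006 - Credential Access`.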
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
@@ -0,0 +1,20 @@
+{
+ "trigger_id": "407c5db410d816a487249e77cbbf411a",
+ "playbook_id": "Netcat Makes or Gets Connections Test",
+ "suggestion_reason": "Recommended for `Netcat Makes or Gets Connections` Alerts ",
+ "description": "This trigger is responsible for handling `Netcat Makes or Gets Connections` alert",
+ "trigger_name": "Netcat Makes or Gets Connections Test",
+ "fromVersion": "8.8.0",
+ "issilent": true,
+ "alerts_filter": {
+ "filter": {
+ "AND": [
+ {
+ "SEARCH_FIELD": "alert_name",
+ "SEARCH_TYPE": "EQ",
+ "SEARCH_VALUE": "Netcat makes or gets connections"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
From 3ffedeec22da282f077f2ce69e0042c65d11b02b Mon Sep 17 00:00:00 2001
From: ArikDay
Date: Mon, 3 Mar 2025 12:57:45 +0200
Subject: [PATCH 08/14] fix
---
 ...ilent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
index 46f0fba8d9a4..5862afabce4e 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
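Review bot: The Netcat trigger's filter matches only `alert_name`, whereas every other trigger in this series adds a second `AND` clause `{"SEARCH_FIELD": "alert_type", "SEARCH_TYPE": "NEQ", "SEARCH_VALUE": "Correlation"}` so correlation-type alerts do not start the silent playbook; the omission here looks unintentional and, if it is, the same three-line object should be appended to the `AND` array. `suggestion_reason` also carries a trailing space in `"... Alerts "` and uses backticks where the sibling triggers use single quotes.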
@@ -1,9 +1,9 @@
 {
 "trigger_id": "407c5db410d816a487249e77cbbf411a",
- "playbook_id": "Netcat Makes or Gets Connections Test",
+ "playbook_id": "silent-Netcat Makes or Gets Connections Test",
 "suggestion_reason": "Recommended for `Netcat Makes or Gets Connections` Alerts ",
 "description": "This trigger is responsible for handling `Netcat Makes or Gets Connections` alert",
- "trigger_name": "Netcat Makes or Gets Connections Test",
+ "trigger_name": "silent-Netcat Makes or Gets Connections Test",
 "fromVersion": "8.8.0",
 "issilent": true,
 "alerts_filter": {
From 22981463db7a7773e35c2d6babaf127ff3349c73 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Mon, 3 Mar 2025 11:01:15 +0000 Subject: [PATCH 09/14] Bump pack from version CortexResponseAndRemediation to 1.1.19.
--- Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md | 1 + Packs/CortexResponseAndRemediation/pack_metadata.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md
diff --git a/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md
new file mode 100644
index 000000000000..724a98578202
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md
@@ -0,0 +1 @@
+## Documentation and metadata improvements.
diff --git a/Packs/CortexResponseAndRemediation/pack_metadata.json b/Packs/CortexResponseAndRemediation/pack_metadata.json
index 3846556e1c44..3a1e9b389c1d 100644
--- a/Packs/CortexResponseAndRemediation/pack_metadata.json
+++ b/Packs/CortexResponseAndRemediation/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cortex Response And Remediation",
 "description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
 "support": "xsoar",
- "currentVersion": "1.1.18",
+ "currentVersion": "1.1.19",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 76a287e296906f18781959ea987f29b166d70f36 Mon Sep 17 00:00:00 2001 From: ArikDay Date: Mon, 3 Mar 2025 13:07:10 +0200 Subject: [PATCH 10/14] fix
--- .../silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml
index 82ec483ee49f..40473e55099c 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml
@@ -1,6 +1,6 @@
-id: Netcat Makes or Gets Connections Test
+id: silent-Netcat Makes or Gets Connections Test
 version: -1
-name: Netcat Makes or Gets Connections Test
+name: silent-Netcat Makes or Gets Connections Test
 description: "This playbook is designed to handle the following alerts:\n \n- Netcat makes or gets connections\n\nThe playbook executes the following stages:\n\nAnalysis:\n\n- Investigate the IP and Domain reputation\n- Search previous similar alerts\n\nRemediation:\n \n- Handles malicious alerts by terminating the causality process."
 issilent: true
 tags:
From d8f03c738751701307a78f1a4d4ec4810fca8425 Mon Sep 17 00:00:00 2001
From: ArikDay Date: Mon, 3 Mar 2025 13:15:44 +0200 Subject: [PATCH 11/14] fix fromversions --- ...ybook-A_Successful_login_from_TOR_Test.yml | 2 +- ...as_configured_in_Google_Workspace_Test.yml | 2 +- ...A_successful_SSO_sign-in_from_TOR_Test.yml | 2 +- ...multiple_LDAP_enumeration_queries_Test.yml | 2 +- ...s_Executed_With_Rare_Command_Line_Test.yml | 2 +- ..._account_unlock_or_password_reset_Test.yml | 2 +- ...ejected_numerous_SSO_MFA_attempts_Test.yml | 2 +- ...ential_Dumping_using_a_known_tool_Test.yml | 2 +- ...on_remote_scheduled_task_creation_Test.yml | 2 +- ...nt-playbook-Event_Log_Was_Cleared_Test.yml | 2 +- ...k-Excessive_User_Account_Lockouts_Test.yml | 2 +- ...-Exchange_User_Mailbox_Forwarding_Test.yml | 2 +- ...change_forwarding_rule_configured_Test.yml | 2 +- ..._from_an_uncommon_remote_location_Test.yml | 2 +- ...-Netcat_Makes_or_Gets_Connections_Test.yml | 1411 +++++------ ..._a_scheduled_task_via_file_access_Test.yml | 2 +- ...book-Remote_WMI_Process_Execution_Test.yml | 2 +- ...n_With_Suspicious_Characteristics_Test.yml | 2 +- ...reated_with_HTTP_or_FTP_reference_Test.yml | 2 +- ...-Successful_guest_user_invitation_Test.yml | 2 +- ...ok-Suspicious_Hidden_User_Created_Test.yml | 2 +- ...picious_Local_Administrator_Login_Test.yml | 2 +- ..._SaaS_Access_From_a_TOR_Exit_Node_Test.yml | 2 +- ...-Suspicious_certutil_command_line_Test.yml | 2 +- ...picious_execution_from_tmp_folder_Test.yml | 2 +- ...eduled_task_on_a_sensitive_server_Test.yml | 2 +- ...hadow_copy_by_a_high_risk_process_Test.yml | 2 +- ...ok-Uncommon_execution_of_ODBCConf_Test.yml | 2 +- ...mon_remote_scheduled_task_created_Test.yml | 2 +- ...ed_process_opened_a_registry_hive_Test.yml | 2 +- ...ar_process_performed_an_injection_Test.yml | 2 +- ...nd_executed_by_a_terminal_process_Test.yml | 2 +- ..._group_using_a_PowerShell_command_Test.yml | 2 +- ...k-WmiPrvSe.exe_Rare_Child_Command_Line.yml | 2082 ++++++++--------- ...SaaS_Access_From_a_TOR_Exit_Node_Test.json | 3 +- 
...ultiple_LDAP_enumeration_queries_Test.json | 2 +- ...s_configured_in_Google_Workspace_Test.json | 3 +- ..._successful_SSO_sign_in_from_TOR_Test.json | 3 +- ...er_-_A_successful_login_from_TOR_Test.json | 3 +- ..._Executed_With_Rare_Command_Line_Test.json | 2 +- ...account_unlock_or_password_reset_Test.json | 3 +- ...jected_numerous_SSO_MFA_attempts_Test.json | 2 +- ...ntial_Dumping_using_a_known_tool_Test.json | 2 +- ...n_remote_scheduled_task_creation_Test.json | 2 +- ...-Trigger_-_Event_Log_Was_Cleared_Test.json | 2 +- ...Excessive_User_Account_Lockkouts_Test.json | 2 +- ...Exchange_User_Mailbox_Forwarding_Test.json | 3 +- ...hange_forwarding_rule_configured_Test.json | 2 +- ...from_an_uncommon_remote_location_Test.json | 2 +- ...Netcat_Makes_or_Gets_Connections_Test.json | 2 +- ...a_scheduled_task_via_file_access_Test.json | 2 +- ...r_-_Remote_WMI_Process_Execution_Test.json | 3 +- ..._With_Suspicious_Characteristics_Test.json | 3 +- ...eated_with_HTTP_or_FTP_reference_Test.json | 3 +- ...Successful_guest_user_invitation_Test.json | 2 +- ...-_Suspicious_Hidden_User_Created_Test.json | 2 +- ...icious_Local_Administrator_Login_Test.json | 3 +- ...Suspicious_access_to_shadow_file_Test.json | 2 +- ...Suspicious_certutil_command_line_Test.json | 2 +- ...icious_execution_from_tmp_folder_Test.json | 2 +- ...duled_task_on_a_sensitive_server_Test.json | 2 +- ...-_Uncommon_execution_of_ODBCconf_Test.json | 2 +- ...on_remote_scheduled_task_created_Test.json | 3 +- ...d_process_opened_a_registry_hive_Test.json | 3 +- ...r_process_performed_an_injection_Test.json | 2 +- ...d_executed_by_a_terminal_process_Test.json | 2 +- ...group_using_a_PowerShell_command_Test.json | 2 +- ..._WmiPrvSe.exe_Rare_Child_Command_Line.json | 44 +- 68 files changed, 1692 insertions(+), 1987 deletions(-) 
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
index 7aeb02a92c30..af0245035b71 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_Successful_login_from_TOR_Test.yml
@@ -8,7 +8,7 @@ description: "This playbook is designed to handle the following alert:\n\n- A su
 \ multiple actions, which will then be executed by the playbook based on the analyst's\
 \ choices.\n\nRequirements: \nFor any response action, you will need one of the\
 \ following integrations: Azure Active Directory Users / Active Directory Users."
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-A Successful login from TOR Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml
index a1f5eabcfd7f..edd1d8cde74a 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.yml
@@ -16,7 +16,7 @@ description: "This playbook addresses the following alerts:\n\n- A mail forwardi
 \nRequirements: \n\nFor any response action, you need one of the following integrations:\n\
 - Gmail integration to fetch filters and remove the forwarding email address.\n\
 - Google Workspace Admin access to sign out and suspend the user account.\n"
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-A mail forwarding rule was configured in Google Workspace Test
 inputSections:
 - description: Generic group for inputs
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml
index 158caa53cdee..b5c6d25c2c8f 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_successful_SSO_sign-in_from_TOR_Test.yml
@@ -16,7 +16,7 @@ description: "This playbook is designed to handle the following alerts:\n- A suc
 By default, account disabling requires analyst approval.\n\nRequires: \nFor any\
 \ response action, you will need one of the following integrations: Azure Active\
 \ Directory Users / Okta v2."
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-A successful SSO sign-in from TOR Test
 inputSections:
 - description: Generic group for inputs
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml
index 1f07a7aa465f..c0aa77c9fba2 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-A_user_executed_multiple_LDAP_enumeration_queries_Test.yml
@@ -61,7 +61,7 @@ description: 'This playbook addresses the following alerts: - Core - IR - Active Directory Query v2.'
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-A user executed multiple LDAP enumeration queries Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml
index fa3733bd6530..3a77652b1195 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-AppleScript_Process_Executed_With_Rare_Command_Line_Test.yml
@@ -28,7 +28,7 @@ description: 'This playbook handles "AppleScript Process Executed With Rare Comm - Quarantine the causality|actor image (requires analyst approval). - Automatically Close the alert.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-AppleScript Process Executed With Rare Command Line Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
index 93155aa3a0e3..3f2cbb7d8b78 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Azure_AD_account_unlock_or_password_reset_Test.yml
@@ -17,7 +17,7 @@ description: "**This playbook addresses the following alert**:\n- Azure AD accou
 \ user risk scores.\n- `Microsoft 365 Defender` for advanced hunting queries and\
 \ Azure security alerts.\n- `Microsoft Graph User` for disabling accounts and revoking\
 \ sessions."
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-Azure AD account unlock or password reset Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml
index 7e865109ee27..85ebddb73aa7 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.yml
@@ -20,7 +20,7 @@ description: "This playbook addresses the following alerts:\n\n- User rejected n
 \ on further action.\n\nRequirements:\nFor any response actions, the following integration\
 \ is required:\n- Okta v2\n\nFor early containment actions, the following integration\
 \ is required:\n- Palo Alto Networks PAN-OS."
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Compromise Accounts - User rejected numerous SSO MFA attempts Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml
index 5093e114cfb0..9da266a48753 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Credential_Dumping_using_a_known_tool_Test.yml
@@ -34,7 +34,7 @@ description: 'This playbook is designed to handle the following alerts: Remediation: - Handles malicious alerts by suggesting the analyst to isolate the endpoint.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Credential Dumping using a known tool Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml
index 61028d99cd0d..79b3b4e7a58e 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.yml
@@ -40,7 +40,7 @@ description: 'This playbook handles "Uncommon remote scheduled task creation" al - Automatically terminate the causality process. - Automatically close the alert.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Endpoint initiated uncommon remote scheduled task creation Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml
index a4b8bf4ad285..6d211dd5111c 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Event_Log_Was_Cleared_Test.yml
@@ -10,7 +10,7 @@ description: "This playbook is designed to handle the following alerts: \n- Win
 \ the CGO or the OSParent process is unsigned.\n- The prevalence of the OSParent\
 \ process.\n\nRemediation:\n- Handles malicious alerts by terminating the relevant\
 \ processes.\n- Handles non-malicious alerts identified during the investigation."
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Event Log Was Cleared Test
 inputSections:
 - description: Generic group for inputs.
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml
index ba08e2af373f..7e696572e06e 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Excessive_User_Account_Lockouts_Test.yml
@@ -45,7 +45,7 @@ description: 'This playbook addresses the following alerts: - For response actions, the following integration is required: Core - IR.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Excessive User Account Lockouts Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml
index 4c39a457aeb1..346292ec1214 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_User_Mailbox_Forwarding_Test.yml
@@ -26,7 +26,7 @@ description: "**This playbook addresses the following alerts**:\n- Exchange user
 \ user accounts and revoking active sessions.\n- `Exchange Online EWS` for disabling\
 \ mailbox forwarding.\n- `Security And Compliance V2` for fetching email interaction\
 \ statistics."
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-Exchange User Mailbox Forwarding Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
index 4aa782531d8c..fb43ee75bc90 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Exchange_forwarding_rule_configured_Test.yml
@@ -21,7 +21,7 @@ description: "This playbook addresses the following alerts:\n\n- External Exchan
 \ the forwarding rule from the user's account mailbox.\n\nRequirements: \n\nFor\
 \ any response action, you need the following integrations:\n- EWS Extension Online\
 \ Powershell v3 integration.\n- Azure Active Directory Users."
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-Exchange forwarding rule configured Test
 inputSections:
 - description: Generic group for inputs.
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml
index 6cd2cbe6c2d5..5f46c68f30e6 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.yml
@@ -19,7 +19,7 @@ description: "This playbook addresses the following alerts:\n \n- Msiexec execut
 \ (Manual approval)\n - Implement URL blocking using PAN-OS through Custom URL\
 \ Categories\n- Isolate endpoint (Manual approval)\n \nRequirements: \n \nFor any\
 \ response action, you need the following integration:\n \n- PAN-OS."
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Msiexec execution of an executable from an uncommon remote location Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml
index 40473e55099c..78919a7c4545 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Netcat_Makes_or_Gets_Connections_Test.yml
@@ -1,1035 +1,880 @@ +description: "This playbook is designed to handle the following alerts:\n \n- Netcat\ + \ makes or gets connections\n\nThe playbook executes the following stages:\n\nAnalysis:\n\ + \n- Investigate the IP and Domain reputation\n- Search previous similar alerts\n\ + \nRemediation:\n \n- Handles malicious alerts by terminating the causality process." +fromversion: 8.9.0 id: silent-Netcat Makes or Gets Connections Test -version: -1 -name: silent-Netcat Makes or Gets Connections Test -description: "This playbook is designed to handle the following alerts:\n \n- Netcat makes or gets connections\n\nThe playbook executes the following stages:\n\nAnalysis:\n\n- Investigate the IP and Domain reputation\n- Search previous similar alerts\n\nRemediation:\n \n- Handles malicious alerts by terminating the causality process." +inputSections: +- description: Generic group for inputs + inputs: [] + name: General (Inputs group) +inputs: [] issilent: true +name: silent-Netcat Makes or Gets Connections Test +outputSections: +- description: Generic group for outputs + name: General (Outputs group) + outputs: [] +outputs: [] +starttaskid: '0' tags: - T1090 - Proxy - TA0011 - Command and Control -starttaskid: "0" tasks: - "0": - id: "0" - taskid: c2e37c25-ae9c-4fd9-86ac-e7a3ab82bd53 - type: start + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '48' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: '' + description: '' id: c2e37c25-ae9c-4fd9-86ac-e7a3ab82bd53 - version: -1 - name: "" iscommand: false - brand: "" - description: '' + name: '' + version: -1 + taskid: c2e37c25-ae9c-4fd9-86ac-e7a3ab82bd53 + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -430\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false 
nexttasks: '#none#': - - "48" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": -430 - } - } + - '35' + - '36' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "13": - id: "13" - taskid: b3351b14-149a-4979-80f2-e6adada9cbf6 - type: title + separatecontext: false + skipunavailable: false task: + brand: '' + description: '' id: b3351b14-149a-4979-80f2-e6adada9cbf6 - version: -1 + iscommand: false name: Analysis type: title - iscommand: false - brand: "" - description: '' - nexttasks: - '#none#': - - "35" - - "36" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 425 - } - } - note: false + version: -1 + taskid: b3351b14-149a-4979-80f2-e6adada9cbf6 timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 425\n }\n}" + '15': + continueonerrortype: '' + id: '15' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "15": - id: "15" - taskid: 2b932894-ad39-45a2-8195-adf6cf9e1310 - type: regular - task: - id: 2b932894-ad39-45a2-8195-adf6cf9e1310 - version: -1 - name: Get IP prevalence - description: Get the prevalence of an IP, identified by ip_address. 
- script: '|||core-get-IP-analytics-prevalence' - type: regular - iscommand: true - brand: "" + isoversize: false nexttasks: '#none#': - - "21" + - '21' + note: false + quietmode: 0 scriptarguments: ip_address: complex: - root: alert accessor: remoteip + root: alert transformers: - operator: uniq separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 730, - "y": 900 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "16": - id: "16" - taskid: 98d0d4cc-dd10-4282-8706-129362de2573 - type: regular task: - id: 98d0d4cc-dd10-4282-8706-129362de2573 - version: -1 - name: Get Domain Name reputation - description: Checks the reputation of a domain. - script: '|||domain' - type: regular + brand: '' + description: Get the prevalence of an IP, identified by ip_address. + id: 2b932894-ad39-45a2-8195-adf6cf9e1310 iscommand: true - brand: "" + name: Get IP prevalence + script: '|||core-get-IP-analytics-prevalence' + type: regular + version: -1 + taskid: 2b932894-ad39-45a2-8195-adf6cf9e1310 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 730,\n \"y\": 900\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "21" + - '21' + note: false + quietmode: 0 scriptarguments: domain: simple: ${Core.OriginalAlert.raw_abioc.event.dst_action_external_hostname} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 140, - "y": 900 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "18": - id: "18" - taskid: a5f8583c-7a45-4e75-845f-0633a5c03441 - type: regular task: - id: a5f8583c-7a45-4e75-845f-0633a5c03441 - version: -1 - name: Get destination IP reputation - description: Checks the specified 
IP address against the AbuseIP database. - script: '|||ip' - type: regular + brand: '' + description: Checks the reputation of a domain. + id: 98d0d4cc-dd10-4282-8706-129362de2573 iscommand: true - brand: "" + name: Get Domain Name reputation + script: '|||domain' + type: regular + version: -1 + taskid: 98d0d4cc-dd10-4282-8706-129362de2573 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 900\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "15" + - '15' + note: false + quietmode: 0 scriptarguments: ip: complex: - root: alert accessor: remoteip + root: alert transformers: - operator: uniq separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 730, - "y": 715 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "19": - id: "19" - taskid: 30d6024b-0ba2-4dce-8069-f3e029c70305 - type: title task: - id: 30d6024b-0ba2-4dce-8069-f3e029c70305 + brand: '' + description: Checks the specified IP address against the AbuseIP database. 
+ id: a5f8583c-7a45-4e75-845f-0633a5c03441 + iscommand: true + name: Get destination IP reputation + script: '|||ip' + type: regular version: -1 - name: Execute Remediation - type: title - iscommand: false - brand: "" - description: '' + taskid: a5f8583c-7a45-4e75-845f-0633a5c03441 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 730,\n \"y\": 715\n }\n}" + '19': + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "41" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 2175 - } - } + - '41' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "20": - id: "20" - taskid: 78252ce0-493f-4161-8bce-41c2add220e9 - type: condition + separatecontext: false + skipunavailable: false task: - id: 78252ce0-493f-4161-8bce-41c2add220e9 - version: -1 - name: Check if Domain Name Exist? - description: Checks if the domain name in the alert exists. 
- type: condition + brand: '' + description: '' + id: 30d6024b-0ba2-4dce-8069-f3e029c70305 iscommand: false - brand: "" - nexttasks: - '#default#': - - "21" - "yes": - - "16" - separatecontext: false + name: Execute Remediation + type: title + version: -1 + taskid: 30d6024b-0ba2-4dce-8069-f3e029c70305 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2175\n }\n}" + '20': conditions: - - label: "yes" - condition: - - - operator: isNotEmpty - left: + - condition: + - - left: + iscontext: true value: simple: Core.OriginalAlert.raw_abioc.event.dst_action_external_hostname - iscontext: true + operator: isNotEmpty right: value: {} - continueonerrortype: "" - view: |- - { - "position": { - "x": 140, - "y": 715 - } - } - note: false - timertriggers: [] + label: 'yes' + continueonerrortype: '' + id: '20' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "21": - id: "21" - taskid: 1f0bfec1-5d6c-4ef6-8a82-87e300f58d18 - type: condition - task: - id: 1f0bfec1-5d6c-4ef6-8a82-87e300f58d18 - version: -1 - name: Check if Command Line exist? - description: Get the prevalence of a process_command_line, identified by process_command_line. - type: condition - iscommand: false - brand: "" + isoversize: false nexttasks: '#default#': - - "30" - "yes": - - "43" + - '21' + 'yes': + - '16' + note: false + quietmode: 0 separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if the domain name in the alert exists. + id: 78252ce0-493f-4161-8bce-41c2add220e9 + iscommand: false + name: Check if Domain Name Exist? 
+ type: condition + version: -1 + taskid: 78252ce0-493f-4161-8bce-41c2add220e9 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 715\n }\n}" + '21': conditions: - - label: "yes" - condition: - - - operator: isNotEmpty - left: + - condition: + - - left: + iscontext: true value: simple: alert.initiatorcmd - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1075 - } - } + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '21' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '30' + 'yes': + - '43' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Get the prevalence of a process_command_line, identified by process_command_line. + id: 1f0bfec1-5d6c-4ef6-8a82-87e300f58d18 + iscommand: false + name: Check if Command Line exist? + type: condition + version: -1 + taskid: 1f0bfec1-5d6c-4ef6-8a82-87e300f58d18 timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1075\n }\n}" + '23': + continueonerrortype: '' + id: '23' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "23": - id: "23" - taskid: d5ad5db4-2f81-4f7e-88ce-d6c5816133a7 - type: title + isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: Builtin + description: commands.local.cmd.close.inv id: d5ad5db4-2f81-4f7e-88ce-d6c5816133a7 - version: -1 + iscommand: false name: Done - description: commands.local.cmd.close.inv type: title - iscommand: false - brand: Builtin - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 2850 - } - } - note: false + version: -1 + taskid: d5ad5db4-2f81-4f7e-88ce-d6c5816133a7 timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2850\n }\n}" 
+ '24': + continueonerrortype: '' + id: '24' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "24": - id: "24" - taskid: 2e173da3-70ab-4819-8cff-398f49230173 - type: title - task: - id: 2e173da3-70ab-4819-8cff-398f49230173 - version: -1 - name: Investigation - type: title - iscommand: false - brand: "" - description: '' + isoversize: false nexttasks: '#none#': - - "39" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1680 - } - } + - '39' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "30": - id: "30" - taskid: 1f947551-b967-46be-8909-8d67c4ff696b - type: condition + separatecontext: false + skipunavailable: false task: - id: 1f947551-b967-46be-8909-8d67c4ff696b - version: -1 - name: Malicious reputation found? + brand: '' description: '' - type: condition + id: 2e173da3-70ab-4819-8cff-398f49230173 iscommand: false - brand: "" - nexttasks: - '#default#': - - "24" - Malicious: - - "19" - Prevalent: - - "32" - separatecontext: false + name: Investigation + type: title + version: -1 + taskid: 2e173da3-70ab-4819-8cff-398f49230173 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1680\n }\n}" + '30': conditions: - - label: Malicious - condition: - - - operator: isNotEmpty - left: + - condition: + - - left: + iscontext: true value: simple: IP.Malicious - iscontext: true + operator: isNotEmpty right: value: {} - - operator: isNotEmpty + - ignorecase: true left: + iscontext: true value: simple: Domain.Malicious - iscontext: true - ignorecase: true - - label: Prevalent - condition: - - - operator: isEqualString + operator: isNotEmpty + label: Malicious + - condition: + - - ignorecase: true left: + iscontext: true value: simple: Core.AnalyticsPrevalence.Ip.data.local_prevalence.value - iscontext: true + operator: 
isEqualString right: value: - simple: "True" - ignorecase: true - - - operator: isEqualString + simple: 'True' + - - ignorecase: true left: + iscontext: true value: simple: Core.AnalyticsPrevalence.Cmd.data.local_prevalence.value - iscontext: true + operator: isEqualString right: value: - simple: "True" - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1475 - } - } - note: false - timertriggers: [] + simple: 'True' + label: Prevalent + continueonerrortype: '' + id: '30' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "31": - id: "31" - taskid: dc4b41b8-382b-4b8a-868b-52c9d8c492f2 - type: condition - task: - id: dc4b41b8-382b-4b8a-868b-52c9d8c492f2 - version: -1 - name: Found Relevant Previous Alert? - description: Checks if there are any relevant previous alerts. - type: condition - iscommand: false - brand: "" + isoversize: false nexttasks: '#default#': - - "32" - True Positive: - - "19" + - '24' + Malicious: + - '19' + Prevalent: + - '32' + note: false + quietmode: 0 separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 1f947551-b967-46be-8909-8d67c4ff696b + iscommand: false + name: Malicious reputation found? 
+ type: condition + version: -1 + taskid: 1f947551-b967-46be-8909-8d67c4ff696b + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1475\n }\n}" + '31': conditions: - - label: True Positive - condition: - - - operator: isNotEmpty - left: + - condition: + - - left: + iscontext: true value: simple: foundIncidents - iscontext: true + operator: isNotEmpty right: value: {} - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1990 - } - } + label: True Positive + continueonerrortype: '' + id: '31' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '32' + True Positive: + - '19' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks if there are any relevant previous alerts. + id: dc4b41b8-382b-4b8a-868b-52c9d8c492f2 + iscommand: false + name: Found Relevant Previous Alert? + type: condition + version: -1 + taskid: dc4b41b8-382b-4b8a-868b-52c9d8c492f2 timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1990\n }\n}" + '32': + continueonerrortype: '' + id: '32' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "32": - id: "32" - taskid: a402685d-d13d-4230-84cf-a9c944a013cf - type: title + isoversize: false + nexttasks: + '#none#': + - '40' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: Builtin + description: Set a value in context under the key you entered. id: a402685d-d13d-4230-84cf-a9c944a013cf - version: -1 + iscommand: false name: False Positive - description: Set a value in context under the key you entered. 
type: title - iscommand: false - brand: Builtin - nexttasks: - '#none#': - - "40" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 950, - "y": 2175 - } - } - note: false + version: -1 + taskid: a402685d-d13d-4230-84cf-a9c944a013cf timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 2175\n }\n}" + '33': + conditions: + - condition: + - - left: + iscontext: true + value: + simple: foundIncidents + operator: isNotEmpty + label: 'yes' + continueonerrortype: '' + id: '33' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "33": - id: "33" - taskid: de2809e5-8f9b-441d-8dae-2906b35449d5 - type: condition + isoversize: false + nexttasks: + '#default#': + - '13' + 'yes': + - '32' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: '' + description: Checks if similar false positive alerts have been found. id: de2809e5-8f9b-441d-8dae-2906b35449d5 - version: -1 + iscommand: false name: Similar False Positive Alerts Found? - description: Checks if similar false positive alerts have been found. 
type: condition - iscommand: false - brand: "" - nexttasks: - '#default#': - - "13" - "yes": - - "32" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: isNotEmpty - left: - value: - simple: foundIncidents - iscontext: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 240 - } - } - note: false + version: -1 + taskid: de2809e5-8f9b-441d-8dae-2906b35449d5 timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 240\n }\n}" + '34': + continueonerrortype: '' + id: '34' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "34": - id: "34" - taskid: 1d708279-bef2-41a0-896a-777378045861 - type: regular + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + scriptarguments: + closeReason: + simple: Resolved - Handled by the playbook "Netcat makes or gets connections" + as True Positive + separatecontext: false + skipunavailable: false task: + brand: Builtin + description: commands.local.cmd.close.inv id: 1d708279-bef2-41a0-896a-777378045861 - version: -1 + iscommand: true name: Close the Alert as True Positive - description: commands.local.cmd.close.inv script: Builtin|||closeInvestigation type: regular - iscommand: true - brand: Builtin + version: -1 + taskid: 1d708279-bef2-41a0-896a-777378045861 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2675\n }\n}" + '35': + continueonerrortype: '' + id: '35' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "23" - scriptarguments: - closeReason: - simple: Resolved - Handled by the playbook "Netcat makes or gets connections" as True Positive - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 2675 - } - } + - '18' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - 
isoversize: false - isautoswitchedtoquietmode: false - "35": - id: "35" - taskid: a87830ee-7271-4d99-8f6e-2518001d92af - type: title + separatecontext: false + skipunavailable: false task: + brand: '' + description: '' id: a87830ee-7271-4d99-8f6e-2518001d92af - version: -1 + iscommand: false name: IP type: title - iscommand: false - brand: "" - description: '' + version: -1 + taskid: a87830ee-7271-4d99-8f6e-2518001d92af + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 730,\n \"y\": 570\n }\n}" + '36': + continueonerrortype: '' + id: '36' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "18" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 730, - "y": 570 - } - } + - '20' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "36": - id: "36" - taskid: 6c9a12cf-b704-42f1-8a69-7bc21b9ae610 - type: title + separatecontext: false + skipunavailable: false task: + brand: '' + description: '' id: 6c9a12cf-b704-42f1-8a69-7bc21b9ae610 - version: -1 + iscommand: false name: Domain type: title - iscommand: false - brand: "" - description: '' + version: -1 + taskid: 6c9a12cf-b704-42f1-8a69-7bc21b9ae610 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 140,\n \"y\": 570\n }\n}" + '39': + continueonerrortype: '' + id: '39' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "20" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 140, - "y": 570 - } - } + - '31' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "39": - id: "39" - taskid: caf85c97-751f-424d-8db1-93642a0fb048 - type: regular + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: 
alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: '(mitreattcktechnique:*T1059* or mitreattcktechnique:*T1072* + or mitreattcktactic:*TA0010* or mitreattcktactic:*TA0006*) and + caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false task: - id: caf85c97-751f-424d-8db1-93642a0fb048 - version: -1 - name: Search related alerts by MITRE technique - description: | - This task searches for suspicious alerts related to an incident by mitre techniques that may indicate a compromised user. - Focus on identifying alerts associated with the following MITRE techniques & tactics: + brand: '' + description: 'This task searches for suspicious alerts related to an incident + by mitre techniques that may indicate a compromised user. + + Focus on identifying alerts associated with the following MITRE techniques + & tactics: + - T1059- Command and Scripting Interpreter + - T1072 - Software Deployment Tools + - TA0010 - Exfiltration + - T0006 - Credential Access + + ' + id: caf85c97-751f-424d-8db1-93642a0fb048 + iscommand: false + name: Search related alerts by MITRE technique scriptName: SearchIncidentsV2 type: regular - iscommand: false - brand: "" + version: -1 + taskid: caf85c97-751f-424d-8db1-93642a0fb048 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1830\n }\n}" + '40': + continueonerrortype: '' + id: '40' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "31" + - '23' + note: false + quietmode: 0 scriptarguments: - query: - complex: - root: alert - accessor: parentXDRIncident - transformers: - - operator: Cut - args: - delimiter: - value: - simple: '-' - fields: - value: - simple: "2" - - operator: concat - args: - prefix: - value: - simple: '(mitreattcktechnique:*T1059* or mitreattcktechnique:*T1072* or mitreattcktactic:*TA0010* or 
mitreattcktactic:*TA0006*) and caseid:' - suffix: {} + closeReason: + simple: Resolved - Handled by the playbook "Netcat makes or gets connections" + as False Positive separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1830 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "40": - id: "40" - taskid: 8f19c901-a6ff-4bd7-897a-0e9590e468a6 - type: regular task: + brand: Builtin + description: commands.local.cmd.close.inv id: 8f19c901-a6ff-4bd7-897a-0e9590e468a6 - version: -1 + iscommand: true name: Close the Alert as False Positive - description: commands.local.cmd.close.inv script: Builtin|||closeInvestigation type: regular - iscommand: true - brand: Builtin - nexttasks: - '#none#': - - "23" - scriptarguments: - closeReason: - simple: Resolved - Handled by the playbook "Netcat makes or gets connections" as False Positive - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 950, - "y": 2675 - } - } - note: false + version: -1 + taskid: 8f19c901-a6ff-4bd7-897a-0e9590e468a6 timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 2675\n }\n}" + '41': + continueonerror: true + continueonerrortype: errorPath + id: '41' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "41": - id: "41" - taskid: d572bfa1-1284-41e3-88b9-c7ea4c5555e6 - type: regular - task: - id: d572bfa1-1284-41e3-88b9-c7ea4c5555e6 - version: -1 - name: Terminate Causality (CGO) - description: Terminate a process tree by its causality ID. Available only for XSIAM 2.4. 
- script: '|||core-terminate-causality' - type: regular - iscommand: true - brand: "" + isoversize: false nexttasks: '#error#': - - "47" + - '47' '#none#': - - "34" + - '34' + note: false + quietmode: 0 scriptarguments: agent_id: simple: ${alert.agentid} causality_id: simple: ${alert.cid} separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 450, - "y": 2330 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "42": - id: "42" - taskid: 4851d11b-0b02-45f9-8d0f-274d42eded84 - type: regular task: - id: 4851d11b-0b02-45f9-8d0f-274d42eded84 - version: -1 - name: Check Previous similar Alerts - description: | - Finds past similar alerts based on alert fields' similarity. - scriptName: SearchIncidentsV2 + brand: '' + description: Terminate a process tree by its causality ID. Available only for + XSIAM 2.4. + id: d572bfa1-1284-41e3-88b9-c7ea4c5555e6 + iscommand: true + name: Terminate Causality (CGO) + script: '|||core-terminate-causality' type: regular - iscommand: false - brand: "" + version: -1 + taskid: d572bfa1-1284-41e3-88b9-c7ea4c5555e6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2330\n }\n}" + '42': + continueonerrortype: '' + id: '42' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "33" + - '33' + note: false + quietmode: 2 scriptarguments: fromdate: simple: 3 months ago name: simple: ${alert.name} query: - simple: 'resolution_status: STATUS_060_RESOLVED_FALSE_POSITIVE and hostname: ${alert.hostname}' + simple: 'resolution_status: STATUS_060_RESOLVED_FALSE_POSITIVE and hostname: + ${alert.hostname}' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 70 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 2 
- isoversize: false - isautoswitchedtoquietmode: false - "43": - id: "43" - taskid: 2fba2490-e199-46fb-87ef-68d26e786be6 - type: regular task: - id: 2fba2490-e199-46fb-87ef-68d26e786be6 - version: -1 - name: Get Commandline prevalence - description: Get the prevalence of a process_command_line, identified by process_command_line. - script: '|||core-get-cmd-analytics-prevalence' + brand: '' + description: 'Finds past similar alerts based on alert fields'' similarity. + + ' + id: 4851d11b-0b02-45f9-8d0f-274d42eded84 + iscommand: false + name: Check Previous similar Alerts + scriptName: SearchIncidentsV2 type: regular - iscommand: true - brand: "" + version: -1 + taskid: 4851d11b-0b02-45f9-8d0f-274d42eded84 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 70\n }\n}" + '43': + continueonerrortype: '' + id: '43' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "30" + - '30' + note: false + quietmode: 0 scriptarguments: process_command_line: simple: ${alert.osparentcmd} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1265 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "44": - id: "44" - taskid: 7d2b21cc-a875-43ed-8030-e3d6943b3307 - type: condition task: - id: 7d2b21cc-a875-43ed-8030-e3d6943b3307 + brand: '' + description: Get the prevalence of a process_command_line, identified by process_command_line. + id: 2fba2490-e199-46fb-87ef-68d26e786be6 + iscommand: true + name: Get Commandline prevalence + script: '|||core-get-cmd-analytics-prevalence' + type: regular version: -1 - name: Destination IP is External? 
- description: '' - type: condition - iscommand: false - brand: "" - nexttasks: - '#default#': - - "45" - External: - - "42" - separatecontext: false + taskid: 2fba2490-e199-46fb-87ef-68d26e786be6 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1265\n }\n}" + '44': conditions: - - label: External - condition: - - - operator: isEqualString + - condition: + - - ignorecase: true left: + iscontext: true value: simple: Core.OriginalAlert.event.dst_is_internal_ip - iscontext: true + operator: isEqualString right: value: - simple: "False" - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": -120 - } - } + simple: 'False' + label: External + continueonerrortype: '' + id: '44' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '45' + External: + - '42' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7d2b21cc-a875-43ed-8030-e3d6943b3307 + iscommand: false + name: Destination IP is External? + type: condition + version: -1 + taskid: 7d2b21cc-a875-43ed-8030-e3d6943b3307 timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -120\n }\n}" + '45': + continueonerrortype: '' + id: '45' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "45": - id: "45" - taskid: 557e2a2f-1856-400b-84e6-09f3e5f093cb - type: title + isoversize: false + nexttasks: + '#none#': + - '23' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: + brand: Builtin + description: Set a value in context under the key you entered. id: 557e2a2f-1856-400b-84e6-09f3e5f093cb - version: -1 + iscommand: false name: Insufficient data for verdict - description: Set a value in context under the key you entered. 
type: title - iscommand: false - brand: Builtin + version: -1 + taskid: 557e2a2f-1856-400b-84e6-09f3e5f093cb + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": -90,\n \"y\": 2175\n }\n}" + '47': + continueonerrortype: '' + id: '47' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "23" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": -90, - "y": 2175 - } - } + - '34' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "47": - id: "47" - taskid: 737ed667-8e97-45cb-8254-21df848a9c63 - type: regular + separatecontext: false + skipunavailable: false task: + brand: '' + description: "Dear Analyst,\n\nDuring the remediation process, the playbook\ + \ couldn\u2019t terminate the process: ${alert.cgoname}\n\nPlease terminate\ + \ the process manually if possible." id: 737ed667-8e97-45cb-8254-21df848a9c63 - version: -1 + iscommand: false name: Terminate Process Manually - description: |- - Dear Analyst, - - During the remediation process, the playbook couldn’t terminate the process: ${alert.cgoname} - - Please terminate the process manually if possible. 
type: regular - iscommand: false - brand: "" - nexttasks: - '#none#': - - "34" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 160, - "y": 2500 - } - } - note: false + version: -1 + taskid: 737ed667-8e97-45cb-8254-21df848a9c63 timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 160,\n \"y\": 2500\n }\n}" + '48': + continueonerrortype: '' + id: '48' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "48": - id: "48" - taskid: 011406e5-8d0d-47aa-8adf-07af58682c3c - type: regular - task: - id: 011406e5-8d0d-47aa-8adf-07af58682c3c - version: -1 - name: Get Extra Data for DNS query name - description: Returns information about each alert ID. - script: '|||core-get-cloud-original-alerts' - type: regular - iscommand: true - brand: "" + isoversize: false nexttasks: '#none#': - - "44" + - '44' + note: false + quietmode: 0 scriptarguments: alert_ids: complex: - root: alert accessor: id + root: alert transformers: - operator: uniq filter_alert_fields: - simple: "false" + simple: 'false' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": -285 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": { - "20_16_yes": 0.54, - "30_19_Malicious": 0.14, - "30_32_Prevalent": 0.13, - "31_19_True Positive": 0.89, - "41_47_#error#": 0.61, - "44_42_External": 0.53 - }, - "paper": { - "dimensions": { - "height": 3345, - "width": 1420, - "x": -90, - "y": -430 - } - } - } -inputs: [] -inputSections: -- inputs: [] - name: General (Inputs group) - description: Generic group for inputs -outputSections: -- outputs: [] - name: General (Outputs group) - description: Generic group for outputs -outputs: [] + task: + brand: '' + description: Returns information about each alert ID. 
+ id: 011406e5-8d0d-47aa-8adf-07af58682c3c + iscommand: true + name: Get Extra Data for DNS query name + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: 011406e5-8d0d-47aa-8adf-07af58682c3c + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -285\n }\n}" tests: - No tests (auto formatted) -fromversion: 8.8.0 +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"20_16_yes\": 0.54,\n \"30_19_Malicious\"\ + : 0.14,\n \"30_32_Prevalent\": 0.13,\n \"31_19_True Positive\": 0.89,\n \ + \ \"41_47_#error#\": 0.61,\n \"44_42_External\": 0.53\n },\n \"paper\": {\n\ + \ \"dimensions\": {\n \"height\": 3345,\n \"width\": 1420,\n \"\ + x\": -90,\n \"y\": -430\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Office_process_creates_a_scheduled_task_via_file_access_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Office_process_creates_a_scheduled_task_via_file_access_Test.yml index af2a38bf1dfa..c1f376aa9417 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Office_process_creates_a_scheduled_task_via_file_access_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Office_process_creates_a_scheduled_task_via_file_access_Test.yml @@ -50,7 +50,7 @@ description: 'This playbook handles "Office process creates a scheduled task via - Quarantine the Office file (requires analyst approval). - Automatically close the alert.' -fromversion: 8.8.0 +fromversion: 8.9.0 id: silent-Office process creates a scheduled task via file access Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Remote_WMI_Process_Execution_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Remote_WMI_Process_Execution_Test.yml index 6b0260681ad3..f98c663914d5 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Remote_WMI_Process_Execution_Test.yml 
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Remote_WMI_Process_Execution_Test.yml @@ -10,7 +10,7 @@ description: "This playbook addresses the following alerts:\n\n* Remote WMI proc * Attempt to terminate the malicious process tree using its causality ID.\n\n* Provide\ \ guidance for manual process termination if the automated action fails.\n\n* Propose\ \ endpoint isolation to prevent further compromise if malicious activity is confirmed." -fromversion: 8.0.0 +fromversion: 8.9.0 id: silent-Remote WMI Process Execution Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml index 721a68533c19..35988b749da8 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-SSO_Authentication_With_Suspicious_Characteristics_Test.yml @@ -21,7 +21,7 @@ description: "**This playbook addresses the following alerts**:\n- SSO authentic - **Okta v2** integration for analyzing authentication logs, clearing sessions,\ \ and user suspension.\n- Any IP reputation integration that supports the `!ip`\ \ command for checking IP address reputation." -fromversion: 6.10.0 +fromversion: 8.9.0 id: silent-SSO Authentication With Suspicious Characteristics Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml index a7df77ff5084..216c7ac16412 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml 
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_Test.yml @@ -29,7 +29,7 @@ description: 'This playbook is designed to handle the alert "Scheduled task crea integration. ' -fromversion: 6.10.0 +fromversion: 8.9.0 id: silent-Scheduled task created with HTTP or FTP reference Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml index be0d3780731b..2a118a60bfd5 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Successful_guest_user_invitation_Test.yml @@ -16,7 +16,7 @@ description: "**This playbook addresses the following alert**:\n- Rare successfu \ evaluation.\n- `Azure Risky Users` for retrieving user risk scores.\n- `Microsoft\ \ 365 Defender` for advanced hunting queries and Azure security alerts.\n- `Microsoft\ \ Graph User` for disabling accounts and revoking sessions." -fromversion: 6.10.0 +fromversion: 8.9.0 id: silent-Successful guest user invitation Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml index 0e2886916d57..5e22d3765bdb 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Hidden_User_Created_Test.yml 
@@ -49,7 +49,7 @@ description: 'This playbook addresses the following alerts: - Cortex Core - Investigation and Response - Active Directory Query v2 (for domain user actions).' -fromversion: 8.8.0 +fromversion: 8.9.0 id: silent-Suspicious Hidden User Created Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml index 83f51b699e11..8c480940b7ce 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_Local_Administrator_Login_Test.yml @@ -6,7 +6,7 @@ description: "This playbook addresses the following alerts:\n \n- Suspicious loc \ and decide the next steps.\n- Possible actions:\n - Disable User.\n - Take no\ \ action.\n \nRequirements: \n\n- For response actions, the following integration\ \ is required: Core - IR." -fromversion: 6.10.0 +fromversion: 8.9.0 id: silent-Suspicious Local Administrator Login Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml index 00002936c10a..18524de0984c 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.yml 
@@ -15,7 +15,7 @@ description: "This playbook is designed to handle the following alerts:\n\n- Sus \ Tor exit nodes. The goal is to prevent the use of Tor within the organization.\n\ \nRequirements:\n\nFor any response action, you will need one of the following integrations:\ \ \n- Microsoft Graph User\n- G-Suite Admin\n- AWS-IAM." -fromversion: 6.10.0 +fromversion: 8.9.0 id: silent-Suspicious SaaS Access From a TOR Exit Node Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml index e3331003d53a..2091901f4766 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_certutil_command_line_Test.yml @@ -69,7 +69,7 @@ description: 'This playbook handles "Suspicious certutil command line" alerts. - Palo Alto Networks PAN-OS - XQL Query Engine.' -fromversion: 8.8.0 +fromversion: 8.9.0 id: silent-Suspicious certutil command line Test inputs: [] issilent: true diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml index 26780e79b4f9..d00f2191264e 100644 --- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml +++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_execution_from_tmp_folder_Test.yml 
@@ -15,7 +15,7 @@ description: "This playbook addresses the following alerts for linux os:\n\n- Su
 \n- Terminate causality process\n- Quarantine the Suspicious process image file\
 \ (requires manual approval).\n- Disable the suspicious cron job task (requires\
 \ manual action)."
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Suspicious execution from tmp folder Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml
index b96bb272f1e3..475ce84de30b 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.yml
@@ -30,7 +30,7 @@ description: 'This playbook handles "Suspicious process execution by scheduled t - Terminate the malicious process. - Automatically Close the alert.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Suspicious process execution by scheduled task on a sensitive server Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml
index 1eaa9ab12ea5..3895114510c2 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_Test.yml
@@ -8,7 +8,7 @@ description: "This playbook addresses the following alerts:\n \n- Uncommon creat
 \ alert closed as False Positive\n \nContainment:\n \n- Terminate causality process\
 \ (CGO) process - when a signed high-risk process or an unsigned process from an\
 \ uncommon path attempting to create or access sensitive shadow copy data."
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk process Test
 inputs: []
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml
index 33b879b90464..27e6fd242547 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_execution_of_ODBCConf_Test.yml
@@ -21,7 +21,7 @@ description: "This playbook handles \"Uncommon execution of ODBCConf\" alerts.\n
 \ alert with the following message: \"No indication of malicious activity was found\"\
 .\n\n\nRemediation: \n\n- Automatically terminate the causality process.\n- Automatically\
 \ Close the alert."
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Uncommon execution of ODBCConf Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml
index f398e9572872..6a0e7f52dd29 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Uncommon_remote_scheduled_task_created_Test.yml
@@ -12,7 +12,7 @@ description: "This playbook handles \"Uncommon remote scheduled task created\" a
 \ disable the malicious scheduled task.\n- Block the malicious IP (requires analyst\
 \ approval).\n- Automatically Close the alert.\n\nRequirements:\n\nFor response\
 \ actions, the following integrations are required: \n\n- PAN-OS."
-fromversion: 6.10.0
+fromversion: 8.9.0
 id: silent-Uncommon remote scheduled task created Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml
index 0ad68c7a7426..e45c3bc0fdf8 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unprivileged_process_opened_a_registry_hive_Test.yml
@@ -24,7 +24,7 @@ description: 'This playbook is designed to handle the ''Unprivileged process ope - To prevent malicious activity from continuing, the playbook terminates the causality processes that triggered the alert.'
-fromversion: 8.0.0
+fromversion: 8.9.0
 id: silent-Unprivileged process opened a registry hive Test
 inputSections:
 - description: Generic group for inputs.
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml
index 96003c10e5b0..e98fdb15f6e6 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unsigned_and_unpopular_process_performed_an_injection_Test.yml
@@ -25,7 +25,7 @@ description: "This playbook addresses the following alerts:\n\n- Unsigned and un
 \ high-risk scenarios to prevent further compromise.\n\nRequirements:\n\nFor response\
 \ actions, you need the following integrations:\n\n- Cortex Core - Investigation\
 \ and Response."
-fromversion: 8.0.0
+fromversion: 8.9.0
 id: silent-Unsigned and unpopular process performed an injection Test
 inputs: []
 issilent: true
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml
index 29c64bdd5897..5fb478011153 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.yml
@@ -47,7 +47,7 @@ description: 'This playbook handles "Unusual process accessed web browser creden approval). - Automatically Close the alert.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-Unusual process accessed web browser credentials and executed by a terminal process Test
 inputs: []
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml
index f5bad52555cc..2ff6382980f6 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_Test.yml
@@ -22,7 +22,7 @@ description: 'This playbook is designed to handle the alert analyst''s approval to remove the user from the local Administrators group. Handles non-malicious alerts identified during the investigation.'
-fromversion: 8.8.0
+fromversion: 8.9.0
 id: silent-User added to local administrator group using a PowerShell command Test
 inputSections:
 - description: Generic group for inputs.
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml
index 015dc9574702..3704fb2a0e64 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml
@@ -1,1355 +1,1203 @@ -id: silent-WmiPrvSe.exe Rare Child Command Line -version: -1 contentitemexportablefields: contentitemfields: {} -name: silent-WmiPrvSe.exe Rare Child Command Line +description: "This playbook addresses the following alerts:\n\n* WmiPrvSe.exe Rare\ + \ Child Command Line\n\n**Playbook Stages:**\n\n**Analysis:**\n\n* Enrich the attacker\u2019\ + s IP address to identify any known malicious activity.\n\n* Retrieve all alert-related\ + \ alerts to consolidate context for further analysis.\n\n**Investigation:**\n\n\ + * Analyze command-line activity to assess risks based on suspicious patterns.\n\n\ + * Check for high-confidence evidence, such as malicious IP addresses or suspicious\ + \ command-line activity, to determine the next course of action.\n\n* Evaluate medium-confidence\ + \ detections and request analyst approval for further containment if required.\n\ + \n**Containment:**\n\n* Attempt to terminate the malicious process.\n\n* Provide\ + \ guidance for manual process termination if the automated action fails.\n\n* Propose\ + \ endpoint isolation to prevent further compromise if malicious activity is confirmed." +fromversion: 8.9.0 +id: silent-WmiPrvSe.exe Rare Child Command Line +inputs: [] issilent: true -description: |- - This playbook addresses the following alerts: - - * WmiPrvSe.exe Rare Child Command Line - - **Playbook Stages:** - - **Analysis:** - - * Enrich the attacker’s IP address to identify any known malicious activity. - - * Retrieve all alert-related alerts to consolidate context for further analysis. - - **Investigation:** - - * Analyze command-line activity to assess risks based on suspicious patterns. - - * Check for high-confidence evidence, such as malicious IP addresses or suspicious command-line activity, to determine the next course of action. - - * Evaluate medium-confidence detections and request analyst approval for further containment if required. 
- - **Containment:** - - * Attempt to terminate the malicious process. - - * Provide guidance for manual process termination if the automated action fails. - - * Propose endpoint isolation to prevent further compromise if malicious activity is confirmed. +name: silent-WmiPrvSe.exe Rare Child Command Line +outputs: [] +starttaskid: '0' tags: - TA0008 - Lateral Movement - T1021 - Remote Services -starttaskid: "0" tasks: - "0": - id: "0" - taskid: d0d9e83a-eb37-4c5e-8669-4610c07f402f - type: start - task: - id: d0d9e83a-eb37-4c5e-8669-4610c07f402f - version: -1 - name: "" - iscommand: false - brand: "" - description: '' + '0': + continueonerrortype: '' + id: '0' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "22" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": -150 - } - } + - '22' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "1": - id: "1" - taskid: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 - type: regular + separatecontext: false + skipunavailable: false task: - id: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 + brand: '' + description: '' + id: d0d9e83a-eb37-4c5e-8669-4610c07f402f + iscommand: false + name: '' version: -1 - name: Enrich attacker's IP address - description: Checks the specified IP address against the AbuseIP database. 
- script: '|||ip' - type: regular - iscommand: true - brand: "" + taskid: d0d9e83a-eb37-4c5e-8669-4610c07f402f + timertriggers: [] + type: start + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -150\n }\n}" + '1': + continueonerrortype: '' + id: '1' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "4" + - '4' + note: false + quietmode: 0 scriptarguments: ip: complex: - root: Core.OriginalAlert.event accessor: actor_remote_ip + root: Core.OriginalAlert.event transformers: - - operator: SetIfEmpty - args: + - args: applyIfEmpty: {} defaultValue: + iscontext: true value: simple: alert.hostip - iscontext: true + operator: SetIfEmpty separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 663, - "y": 221 - } - } - note: false + skipunavailable: true + task: + brand: '' + description: Checks the specified IP address against the AbuseIP database. + id: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 + iscommand: true + name: Enrich attacker's IP address + script: '|||ip' + type: regular + version: -1 + taskid: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 663,\n \"y\": 221\n }\n}" + '10': + continueonerrortype: '' + id: '10' ignoreworker: false - skipunavailable: true - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "3": - id: "3" - taskid: e6a68fa1-07fe-477e-839b-e34f1ea94317 - type: regular + isoversize: false + nexttasks: + '#default#': + - '16' + Approved: + - '11' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: - id: e6a68fa1-07fe-477e-839b-e34f1ea94317 - version: -1 - name: Analyze command line - description: |- - This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. 
The total score is normalized to a 0-100 scale, with risk levels categorized as follows: + brand: '' + description: '**Approval Required: Suspicious Activity Detection** - * 0-25: Low Risk - * 26-50: Medium Risk - * 51-90: High Risk - * 91-100: Critical Risk - The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. - scriptName: CommandLineAnalysis - type: regular + The detection does not meet the thresholds for a definitive malicious verdict. + It falls into a suspicious category based on the following conditions: + + + **One of the following supporting evidences** + + + * Command Line Analysis score is in range 10 to 25 + + * Command Line Analysis score below 15 with a prevention rule in the same + incident. + + * Suspicious process tree detected + + + **Unmatched Verdicts:** + + * No matches for high-risk command line analysis profiles. + + * No malicious IP address detected. + + * The command line analysis score is below 15 with high-confidence indicators. + + + Analyst approval is required to proceed with further containment or escalation.' 
+ id: b5b70f92-16a9-4883-ba8c-720d18105221 iscommand: false - brand: "" + name: 'Approval Required: Medium Confidence Detection' + type: condition + version: -1 + taskid: b5b70f92-16a9-4883-ba8c-720d18105221 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 830,\n \"y\": 1350\n }\n}" + '11': + continueonerrortype: '' + id: '11' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "5" - scriptarguments: - command_line: - complex: - root: alert - accessor: targetprocesscmd - transformers: - - operator: append - args: - item: - value: - simple: alert.initiatorcmd - iscontext: true - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 478 - } - } + - '28' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 + iscommand: false + name: Containment + type: title + version: -1 + taskid: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1530\n }\n}" + '12': + continueonerror: true + continueonerrortype: errorPath + id: '12' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "4": - id: "4" - taskid: 2bc56cd9-7962-499b-8b89-2c1019c24e51 - type: title + isoversize: false + nexttasks: + '#error#': + - '13' + '#none#': + - '27' + note: false + quietmode: 0 + scriptarguments: + agent_id: + simple: ${alert.agentid} + instance_id: + simple: ${alert.actionprocessinstanceid} + timeout_in_seconds: + simple: '180' + separatecontext: false + skipunavailable: false task: - id: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + brand: '' + description: Terminate a process by its instance ID. Available only for Cortex + XSIAM 2.4 and above. 
+ id: cd768fe6-4308-492c-8f3f-02d4d77daf5d + iscommand: true + name: Terminate target process + script: '|||core-terminate-process' + type: regular version: -1 - name: Investigation - type: title - iscommand: false - brand: "" - description: '' + taskid: cd768fe6-4308-492c-8f3f-02d4d77daf5d + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 70,\n \"y\": 1840\n }\n}" + '13': + continueonerrortype: '' + id: '13' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "3" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 365 - } - } + - '27' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "Dear Analyst,\n\nDuring the containment phase, the playbook couldn\u2019\ + t terminate the process: ${Core.OriginalAlert.event.action_process_image_name}\n\ + \nPlease terminate the process manually if possible." + id: be6e0678-b817-46a9-8a0d-f6b2ac546436 + iscommand: false + name: Terminate Process Manually + type: regular + version: -1 + taskid: be6e0678-b817-46a9-8a0d-f6b2ac546436 timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2007\n }\n}" + '14': + continueonerrortype: '' + id: '14' ignoreworker: false - skipunavailable: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '15' + note: false quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved. 
Confirmed as a True Positive by the playbook + "WmiPrvSe.exe Rare Child Command Line" + closeReason: + simple: Resolved - True Positive + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false + task: + brand: Builtin + description: commands.local.cmd.close.inv + id: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a + iscommand: true + name: Close the Alert as True Positive + script: Builtin|||closeInvestigation + type: regular + version: -1 + taskid: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 172,\n \"y\": 3007\n }\n}" + '15': + continueonerrortype: '' + id: '15' + ignoreworker: false + isautoswitchedtoquietmode: false isoversize: false + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: '' + id: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 + iscommand: false + name: Done + type: title + version: -1 + taskid: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 172,\n \"y\": 3177\n }\n}" + '16': + continueonerrortype: '' + id: '16' + ignoreworker: false isautoswitchedtoquietmode: false - "5": - id: "5" - taskid: e3a5f626-810e-4be2-814a-4e7e39a901b6 - type: condition + isoversize: false + nexttasks: + '#none#': + - '15' + note: false + quietmode: 0 + scriptarguments: + closeNotes: + simple: The alert has been resolved. 
Confirmed as a False Positive by the + playbook "WmiPrvSe.exe Rare Child Command Line" + closeReason: + simple: Resolved - False Positive + id: + simple: ${alert.id} + separatecontext: false + skipunavailable: false task: - id: e3a5f626-810e-4be2-814a-4e7e39a901b6 + brand: Builtin + description: commands.local.cmd.close.inv + id: 7122a5a1-429a-4ba1-8069-c7d736845fa1 + iscommand: true + name: Close the Alert as False Positive + script: Builtin|||closeInvestigation + type: regular version: -1 - name: Check for high-confidence evidence or malicious IP address - description: |- - This task evaluates the command line analysis results and checks if the profile matches one or more high-risk categories or if the overall score indicates a critical risk. - - **Conditions:** - - - A profile matches one or more of the following categories: **mixed case PowerShell, reversed command, PowerShell suspicious patterns, credential dumping, double encoding, AMSI techniques, or malicious commands.** - - OR the score is **greater than or equal to 25**. - - OR an **IP address** involved in the alert is flagged as **malicious**. - - If any condition is met, mark the result as **Malicious**. 
- type: condition - iscommand: false - brand: "" + taskid: 7122a5a1-429a-4ba1-8069-c7d736845fa1 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 1140,\n \"y\": 3007\n }\n}" + '17': + continueonerrortype: '' + id: '17' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + message: + bcc: null + body: null + cc: null + format: '' + methods: [] + replyOptions: + - Isolate + subject: null + timings: + completeafterreplies: 1 + completeaftersla: false + completeafterv2: true + retriescount: 2 + retriesinterval: 360 + to: null nexttasks: '#default#': - - "8" - Malicious: - - "11" + - '14' + Isolate: + - '18' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "**Recommendation: Isolation Required \u2013 Malicious Activity\ + \ Detected**\n\nThe detection meets high-confidence criteria for malicious\ + \ activity based on the following conditions:\n\n**Matched Verdicts:**\n*\ + \ Matches for high-risk command line analysis profiles: mixed_case_powershell,\ + \ double_encoding, amsi_techniques, malicious_commands, or powershell_suspicious_network_patterns.\n\ + \n* Score >= 25, indicating high confidence probability for malicious behavior.\n\ + \n**Action Required:**\n\n* Isolate the remote host: ${Endpoint.Hostname}" + id: 095c11b6-e83f-49f8-8761-24fe79b5d968 + iscommand: false + name: "Approval Required \u2013 Malicious Activity Detected" + type: condition + version: -1 + taskid: 095c11b6-e83f-49f8-8761-24fe79b5d968 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2670\n }\n}" + '18': + continueonerrortype: '' + id: '18' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#none#': + - '14' + note: false + quietmode: 0 + scriptarguments: + endpoint_id: + simple: ${Endpoint.ID} + incident_id: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + 
delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut separatecontext: false + skipunavailable: false + task: + brand: '' + description: Isolates the specified endpoint. + id: 7df12c62-a960-428c-8e0f-dccf404b63e0 + iscommand: true + name: Isolate endpoint + script: '|||core-isolate-endpoint' + type: regular + version: -1 + taskid: 7df12c62-a960-428c-8e0f-dccf404b63e0 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2865\n }\n}" + '19': conditions: - - label: Malicious - condition: - - - operator: AnyMatch + - condition: + - - ignorecase: true left: + iscontext: true value: simple: CommandLineAnalysis.findings - iscontext: true + operator: AnyMatch right: value: - simple: mixed case powershell, reversed command, powershell suspicious patterns, credential dumping, double encoding, amsi techniques, malicious commands - ignorecase: true - - operator: isEqualString - left: - value: - complex: - root: DBotScore - filters: - - - operator: isEqualString - left: - value: - simple: DBotScore.Type - iscontext: true - right: - value: - simple: IP - ignorecase: true - accessor: Score + simple: mixed case powershell, reversed command, powershell suspicious + patterns, credential dumping, double encoding, amsi techniques, malicious + commands + - left: iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual right: value: - simple: "3" - - operator: greaterThanOrEqual + simple: '25' + - - ignorecase: true left: - value: - simple: CommandLineAnalysis.score iscontext: true + value: + simple: Core.Endpoint.is_isolated + operator: isEqualString right: value: - simple: "25" - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 602 - } - } + simple: AGENT_UNISOLATED + label: 'Yes' + continueonerrortype: '' + id: '19' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '14' + 'Yes': + - '23' note: false + 
quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: If the condition "Check for high-confidence evidence" was matched + and the endpoint ID is available, an endpoint isolation is suggested. + id: aa59de8b-dca5-485b-90db-49fc8bad71dc + iscommand: false + name: Should proceed to isolate the endpoint? + type: condition + version: -1 + taskid: aa59de8b-dca5-485b-90db-49fc8bad71dc timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2310\n }\n}" + '22': + continueonerrortype: '' + id: '22' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "6": - id: "6" - taskid: 19cbb840-f9a2-4334-8050-ea85ec73736a - type: regular + isoversize: false + nexttasks: + '#none#': + - '26' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false task: - id: 19cbb840-f9a2-4334-8050-ea85ec73736a + brand: '' + description: '' + id: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + iscommand: false + name: Analysis + type: title version: -1 - name: Retrieve all incident alerts - description: This task searches for Cortex XSIAM alerts related to the current incident. 
- scriptName: SearchIncidentsV2 - type: regular + taskid: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -20\n }\n}" + '23': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_type + operator: containsString + right: + value: + simple: WORKSTATION + - - ignorecase: true + left: + iscontext: true + value: + simple: Core.Endpoint.endpoint_status + operator: isEqualString + right: + value: + simple: CONNECTED + label: WORKSTATION + continueonerrortype: '' + id: '23' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false + nexttasks: + '#default#': + - '24' + WORKSTATION: + - '17' + note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Checks whether the endpoint is a workstation or a server. + id: c5470fce-c24b-4768-844b-ce10abd9c6ba iscommand: false - brand: "" + name: Check if the endpoint is workstation or a server + type: condition + version: -1 + taskid: c5470fce-c24b-4768-844b-ce10abd9c6ba + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2490\n }\n}" + '24': + continueonerrortype: '' + id: '24' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "4" - scriptarguments: - query: - complex: - root: alert - accessor: parentXDRIncident - transformers: - - operator: Cut - args: - delimiter: - value: - simple: '-' - fields: - value: - simple: "2" - - operator: concat - args: - prefix: - value: - simple: 'caseid:' - suffix: {} - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 230, - "y": 221 - } - } + - '14' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "8": - id: "8" - taskid: 80d9b967-a4d6-46a5-814a-06d806805237 - 
type: condition + separatecontext: false + skipunavailable: false task: - id: 80d9b967-a4d6-46a5-814a-06d806805237 - version: -1 - name: Check for medium-confidence threshold with a prevention alert - description: | - This task identifies the risk level by considering the score and whether a prevention rule is present in the same alert. - - **Conditions:** - - - If Score is **greater than or equal to 15** AND a **prevention rule exists** in the same alert, classify the result as **Malicious**. - - Else, if Score is **less than 15** AND a **prevention rule exists** in the same alert, classify the result as **Suspicious**. - - High-risk behavior with prevention rule: **Malicious**. - Low-risk behavior with prevention rule: **Suspicious**. - type: condition + brand: '' + description: "Dear Analyst,\n\nPlease note that during the remediation process,\ + \ the playbook didn't isolate the following host: ${Endpoint.Hostname} \n\n\ + This is due to one of the following reasons:\n- The device disconnected.\n\ + - The device has been identified as a server.\n\nPlease take manual action\ + \ to contain the attack and prevent the attacker from executing lateral movement\ + \ before closing this alert." 
+ id: dc9a785d-392b-4233-89ad-b308d3412477 iscommand: false - brand: "" - nexttasks: - '#default#': - - "9" - Malicious: - - "11" - Medium Confidence: - - "10" - separatecontext: false + name: Manual remediation actions for a server or a disconnected endpoint + type: regular + version: -1 + taskid: dc9a785d-392b-4233-89ad-b308d3412477 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 891,\n \"y\": 2670\n }\n}" + '25': conditions: - - label: Malicious - condition: - - - operator: greaterThanOrEqual + - condition: + - - ignorecase: true left: - value: - simple: CommandLineAnalysis.score iscontext: true + value: + simple: alert.initiatedby + operator: containsGeneral right: value: - simple: "15" - - - operator: containsGeneral + simple: WmiPrvSE.exe + - ignorecase: true left: - value: - simple: foundIncidents.CustomFields.action iscontext: true + value: + simple: alert.initiatedby + operator: containsGeneral right: value: - simple: BLOCKED - ignorecase: true - - operator: isEqualString + simple: WMIC.exe + - ignorecase: true left: - value: - simple: foundIncidents.CustomFields.action iscontext: true + value: + simple: alert.initiatedby + operator: containsGeneral right: value: - simple: REPORTED - - label: Medium Confidence - condition: - - - operator: lessThan + simple: WMICodeCreator.exe + - - ignorecase: true left: - value: - simple: CommandLineAnalysis.score iscontext: true + value: + simple: alert.targetprocessname + operator: containsGeneral right: value: - simple: "15" - - - operator: containsGeneral + simple: powershell.exe + - ignorecase: true left: - value: - simple: foundIncidents.CustomFields.action iscontext: true + value: + simple: alert.targetprocessname + operator: containsGeneral right: value: - simple: BLOCKED - ignorecase: true - - operator: isEqualString + simple: cmd.exe + - ignorecase: true left: - value: - simple: foundIncidents.CustomFields.action iscontext: true + value: + simple: alert.targetprocessname + operator: 
containsGeneral right: value: - simple: REPORTED - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 780 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "9": - id: "9" - taskid: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a - type: condition - task: - id: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a - version: -1 - name: Check for medium-confidence and request remediation approval - description: |- - This task identifies medium-risk cases based on the score received from the command line analysis script. - - **Conditions:** - - If the score is in the range of **10–25**, mark the result as **Suspicious**. - type: condition - iscommand: false - brand: "" - nexttasks: - '#default#': - - "25" - "yes": - - "10" - separatecontext: false - conditions: - - label: "yes" - condition: - - - operator: InRange + simple: ntdsutil.exe + - ignorecase: true left: + iscontext: true value: - simple: CommandLineAnalysis.score + simple: alert.targetprocessname + operator: containsGeneral + right: + value: + simple: rundll32.exe + - - ignorecase: true + left: iscontext: true + value: + simple: alert.targetprocesscmd + operator: notContainsGeneral right: value: - simple: 10,25 - continueonerrortype: "" - view: |- - { - "position": { - "x": 830, - "y": 960 - } - } - note: false - timertriggers: [] + simple: C:\Windows\CCM + label: 'yes' + continueonerrortype: '' + id: '25' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "10": - id: "10" - taskid: b5b70f92-16a9-4883-ba8c-720d18105221 - type: condition - task: - id: b5b70f92-16a9-4883-ba8c-720d18105221 - version: -1 - name: 'Approval Required: Medium Confidence Detection' - description: |- - **Approval Required: Suspicious Activity Detection** - - The detection does not meet the thresholds for a definitive malicious verdict. 
It falls into a suspicious category based on the following conditions: - - **One of the following supporting evidences** - - * Command Line Analysis score is in range 10 to 25 - * Command Line Analysis score below 15 with a prevention rule in the same incident. - * Suspicious process tree detected - - **Unmatched Verdicts:** - * No matches for high-risk command line analysis profiles. - * No malicious IP address detected. - * The command line analysis score is below 15 with high-confidence indicators. - - Analyst approval is required to proceed with further containment or escalation. - type: condition - iscommand: false - brand: "" + isoversize: false nexttasks: '#default#': - - "16" - Approved: - - "11" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 830, - "y": 1350 - } - } + - '16' + 'yes': + - '10' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "11": - id: "11" - taskid: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 - type: title + separatecontext: false + skipunavailable: false task: - id: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 - version: -1 - name: Containment - type: title + brand: '' + description: Checks if a suspicious process execution chain was detected. This + Indicates a high probability of malicious behavior. 
+ id: d5bfd9fb-9daf-442c-8107-77255db16b94 iscommand: false - brand: "" - description: '' + name: Check for suspicious process tree + type: condition + version: -1 + taskid: d5bfd9fb-9daf-442c-8107-77255db16b94 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 1140,\n \"y\": 1150\n }\n}" + '26': + continueonerrortype: '' + id: '26' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: '#none#': - - "28" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1530 - } - } + - '1' + - '6' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "12": - id: "12" - taskid: cd768fe6-4308-492c-8f3f-02d4d77daf5d - type: regular + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: 'false' + separatecontext: false + skipunavailable: false task: - id: cd768fe6-4308-492c-8f3f-02d4d77daf5d - version: -1 - name: Terminate target process - description: Terminate a process by its instance ID. Available only for Cortex XSIAM 2.4 and above. - script: '|||core-terminate-process' - type: regular + brand: '' + description: Returns information about each alert ID. 
+ id: f0b93f7f-3f2c-4141-8de9-78fa361a7597 iscommand: true - brand: "" + name: Get the attacker's remote host IP address + script: '|||core-get-cloud-original-alerts' + type: regular + version: -1 + taskid: f0b93f7f-3f2c-4141-8de9-78fa361a7597 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 93\n }\n}" + '27': + continueonerrortype: '' + id: '27' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: - '#error#': - - "13" '#none#': - - "27" + - '19' + note: false + quietmode: 0 scriptarguments: - agent_id: + endpoint_id_list: simple: ${alert.agentid} - instance_id: - simple: ${alert.actionprocessinstanceid} - timeout_in_seconds: - simple: "180" separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 70, - "y": 1840 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "13": - id: "13" - taskid: be6e0678-b817-46a9-8a0d-f6b2ac546436 - type: regular task: - id: be6e0678-b817-46a9-8a0d-f6b2ac546436 - version: -1 - name: Terminate Process Manually - description: |- - Dear Analyst, - - During the containment phase, the playbook couldn’t terminate the process: ${Core.OriginalAlert.event.action_process_image_name} - - Please terminate the process manually if possible. + brand: '' + description: Gets a list of endpoints, according to the passed filters. If there + are no filters, all endpoints are returned. Filtering by multiple fields will + be concatenated using AND condition (OR is not supported). Maximum result + set size is 100. Offset is the zero-based number of the endpoint from the + start of the result set (start by counting from 0). 
+ id: de317f0e-4b02-4628-81fa-134576939a13 + iscommand: true + name: Get endpoint status + script: '|||core-get-endpoints' type: regular - iscommand: false - brand: "" + version: -1 + taskid: de317f0e-4b02-4628-81fa-134576939a13 + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2140\n }\n}" + '28': + conditions: + - condition: + - - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: containsGeneral + right: + value: + simple: WmiPrvSE.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: containsGeneral + right: + value: + simple: WMIC.exe + - ignorecase: true + left: + iscontext: true + value: + simple: alert.cgoname + operator: containsGeneral + right: + value: + simple: WMICodeCreator.exe + label: WMI + continueonerrortype: '' + id: '28' + ignoreworker: false + isautoswitchedtoquietmode: false + isoversize: false nexttasks: - '#none#': - - "27" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 2007 - } - } + '#default#': + - '29' + WMI: + - '12' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: Check if the causality process image name is WMI. 
+ id: 894c36a0-db47-468b-887c-79316156c692 + iscommand: false + name: Check if the causality is WMI + type: condition + version: -1 + taskid: 894c36a0-db47-468b-887c-79316156c692 timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1643\n }\n}" + '29': + continueonerror: true + continueonerrortype: errorPath + id: '29' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "14": - id: "14" - taskid: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a - type: regular - task: - id: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a - version: -1 - name: Close the Alert as True Positive - description: commands.local.cmd.close.inv - script: Builtin|||closeInvestigation - type: regular - iscommand: true - brand: Builtin + isoversize: false nexttasks: + '#error#': + - '13' '#none#': - - "15" + - '27' + note: false + quietmode: 0 scriptarguments: - closeNotes: - simple: The alert has been resolved. Confirmed as a True Positive by the playbook "WmiPrvSe.exe Rare Child Command Line" - closeReason: - simple: Resolved - True Positive - id: - simple: ${alert.id} + agent_id: + simple: ${alert.agentid} + causality_id: + simple: ${alert.cid} + timeout_in_seconds: + simple: '180' separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 172, - "y": 3007 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "15": - id: "15" - taskid: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 - type: title task: - id: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 + brand: '' + description: Terminate a process tree by its causality ID. Available only for + Cortex XSIAM 2.4 and above. 
+ id: 2aabb75e-d911-4d92-8974-0891c6156934 + iscommand: true + name: Terminate causality process + script: '|||core-terminate-causality' + type: regular version: -1 - name: Done - type: title - iscommand: false - brand: "" - description: '' - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 172, - "y": 3177 - } - } - note: false + taskid: 2aabb75e-d911-4d92-8974-0891c6156934 timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 819,\n \"y\": 1840\n }\n}" + '3': + continueonerrortype: '' + id: '3' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "16": - id: "16" - taskid: 7122a5a1-429a-4ba1-8069-c7d736845fa1 - type: regular - task: - id: 7122a5a1-429a-4ba1-8069-c7d736845fa1 - version: -1 - name: Close the Alert as False Positive - description: commands.local.cmd.close.inv - script: Builtin|||closeInvestigation - type: regular - iscommand: true - brand: Builtin + isoversize: false nexttasks: '#none#': - - "15" + - '5' + note: false + quietmode: 0 scriptarguments: - closeNotes: - simple: The alert has been resolved. 
Confirmed as a False Positive by the playbook "WmiPrvSe.exe Rare Child Command Line" - closeReason: - simple: Resolved - False Positive - id: - simple: ${alert.id} + command_line: + complex: + accessor: targetprocesscmd + root: alert + transformers: + - args: + item: + iscontext: true + value: + simple: alert.initiatorcmd + operator: append separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 1140, - "y": 3007 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "17": - id: "17" - taskid: 095c11b6-e83f-49f8-8761-24fe79b5d968 - type: condition task: - id: 095c11b6-e83f-49f8-8761-24fe79b5d968 - version: -1 - name: Approval Required – Malicious Activity Detected - description: |- - **Recommendation: Isolation Required – Malicious Activity Detected** + brand: '' + description: 'This script evaluates command-line threats by analyzing both original + and decoded inputs. It assigns weighted scores to detected patterns, such + as AMSI bypass or credential dumping, and applies risk combination bonuses + for multiple detections. The total score is normalized to a 0-100 scale, with + risk levels categorized as follows: - The detection meets high-confidence criteria for malicious activity based on the following conditions: - **Matched Verdicts:** - * Matches for high-risk command line analysis profiles: mixed_case_powershell, double_encoding, amsi_techniques, malicious_commands, or powershell_suspicious_network_patterns. + * 0-25: Low Risk - * Score >= 25, indicating high confidence probability for malicious behavior. + * 26-50: Medium Risk - **Action Required:** + * 51-90: High Risk - * Isolate the remote host: ${Endpoint.Hostname} - type: condition + * 91-100: Critical Risk + + + The scoring mechanism provides a comprehensive risk assessment, considering + both the severity and frequency of malicious behaviors.' 
+ id: e6a68fa1-07fe-477e-839b-e34f1ea94317 iscommand: false - brand: "" - nexttasks: - '#default#': - - "14" - Isolate: - - "18" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 451, - "y": 2670 - } - } - note: false + name: Analyze command line + scriptName: CommandLineAnalysis + type: regular + version: -1 + taskid: e6a68fa1-07fe-477e-839b-e34f1ea94317 timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 478\n }\n}" + '4': + continueonerrortype: '' + id: '4' ignoreworker: false - message: - to: - subject: - body: - methods: [] - format: "" - bcc: - cc: - timings: - retriescount: 2 - retriesinterval: 360 - completeafterreplies: 1 - completeafterv2: true - completeaftersla: false - replyOptions: - - Isolate - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "18": - id: "18" - taskid: 7df12c62-a960-428c-8e0f-dccf404b63e0 - type: regular - task: - id: 7df12c62-a960-428c-8e0f-dccf404b63e0 - version: -1 - name: Isolate endpoint - description: Isolates the specified endpoint. - script: '|||core-isolate-endpoint' - type: regular - iscommand: true - brand: "" + isoversize: false nexttasks: '#none#': - - "14" - scriptarguments: - endpoint_id: - simple: ${Endpoint.ID} - incident_id: - complex: - root: alert - accessor: parentXDRIncident - transformers: - - operator: Cut - args: - delimiter: - value: - simple: '-' - fields: - value: - simple: "2" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 451, - "y": 2865 - } - } + - '3' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "19": - id: "19" - taskid: aa59de8b-dca5-485b-90db-49fc8bad71dc - type: condition + separatecontext: false + skipunavailable: false task: - id: aa59de8b-dca5-485b-90db-49fc8bad71dc - version: -1 - name: Should proceed to isolate the endpoint? 
- description: If the condition "Check for high-confidence evidence" was matched and the endpoint ID is available, an endpoint isolation is suggested. - type: condition + brand: '' + description: '' + id: 2bc56cd9-7962-499b-8b89-2c1019c24e51 iscommand: false - brand: "" - nexttasks: - '#default#': - - "14" - "Yes": - - "23" - separatecontext: false + name: Investigation + type: title + version: -1 + taskid: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + timertriggers: [] + type: title + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 365\n }\n}" + '5': conditions: - - label: "Yes" - condition: - - - operator: AnyMatch + - condition: + - - ignorecase: true left: + iscontext: true value: simple: CommandLineAnalysis.findings - iscontext: true + operator: AnyMatch right: value: - simple: mixed case powershell, reversed command, powershell suspicious patterns, credential dumping, double encoding, amsi techniques, malicious commands - ignorecase: true - - operator: greaterThanOrEqual - left: - value: - simple: CommandLineAnalysis.score + simple: mixed case powershell, reversed command, powershell suspicious + patterns, credential dumping, double encoding, amsi techniques, malicious + commands + - left: iscontext: true - right: value: - simple: "25" - - - operator: isEqualString - left: + complex: + accessor: Score + filters: + - - ignorecase: true + left: + iscontext: true + value: + simple: DBotScore.Type + operator: isEqualString + right: + value: + simple: IP + root: DBotScore + operator: isEqualString + right: value: - simple: Core.Endpoint.is_isolated + simple: '3' + - left: iscontext: true + value: + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual right: value: - simple: AGENT_UNISOLATED - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 451, - "y": 2310 - } - } - note: false - timertriggers: [] + simple: '25' + label: Malicious + continueonerrortype: '' + id: '5' ignoreworker: false - skipunavailable: false - quietmode: 0 
- isoversize: false isautoswitchedtoquietmode: false - "22": - id: "22" - taskid: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f - type: title - task: - id: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f - version: -1 - name: Analysis - type: title - iscommand: false - brand: "" - description: '' - nexttasks: - '#none#': - - "26" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": -20 - } - } - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 isoversize: false - isautoswitchedtoquietmode: false - "23": - id: "23" - taskid: c5470fce-c24b-4768-844b-ce10abd9c6ba - type: condition - task: - id: c5470fce-c24b-4768-844b-ce10abd9c6ba - version: -1 - name: Check if the endpoint is workstation or a server - description: Checks whether the endpoint is a workstation or a server. - type: condition - iscommand: false - brand: "" nexttasks: '#default#': - - "24" - WORKSTATION: - - "17" - separatecontext: false - conditions: - - label: WORKSTATION - condition: - - - operator: containsString - left: - value: - simple: Core.Endpoint.endpoint_type - iscontext: true - right: - value: - simple: WORKSTATION - ignorecase: true - - - operator: isEqualString - left: - value: - simple: Core.Endpoint.endpoint_status - iscontext: true - right: - value: - simple: CONNECTED - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 451, - "y": 2490 - } - } + - '8' + Malicious: + - '11' note: false + quietmode: 0 + separatecontext: false + skipunavailable: false + task: + brand: '' + description: 'This task evaluates the command line analysis results and checks + if the profile matches one or more high-risk categories or if the overall + score indicates a critical risk. 
+ + + **Conditions:** + + + - A profile matches one or more of the following categories: **mixed case + PowerShell, reversed command, PowerShell suspicious patterns, credential dumping, + double encoding, AMSI techniques, or malicious commands.** + + - OR the score is **greater than or equal to 25**. + + - OR an **IP address** involved in the alert is flagged as **malicious**. + + + If any condition is met, mark the result as **Malicious**.' + id: e3a5f626-810e-4be2-814a-4e7e39a901b6 + iscommand: false + name: Check for high-confidence evidence or malicious IP address + type: condition + version: -1 + taskid: e3a5f626-810e-4be2-814a-4e7e39a901b6 timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 602\n }\n}" + '6': + continueonerrortype: '' + id: '6' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "24": - id: "24" - taskid: dc9a785d-392b-4233-89ad-b308d3412477 - type: regular - task: - id: dc9a785d-392b-4233-89ad-b308d3412477 - version: -1 - name: Manual remediation actions for a server or a disconnected endpoint - description: "Dear Analyst,\n\nPlease note that during the remediation process, the playbook didn't isolate the following host: ${Endpoint.Hostname} \n\nThis is due to one of the following reasons:\n- The device disconnected.\n- The device has been identified as a server.\n\nPlease take manual action to contain the attack and prevent the attacker from executing lateral movement before closing this alert." 
- type: regular - iscommand: false - brand: "" + isoversize: false nexttasks: '#none#': - - "14" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 891, - "y": 2670 - } - } + - '4' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "25": - id: "25" - taskid: d5bfd9fb-9daf-442c-8107-77255db16b94 - type: condition + scriptarguments: + query: + complex: + accessor: parentXDRIncident + root: alert + transformers: + - args: + delimiter: + value: + simple: '-' + fields: + value: + simple: '2' + operator: Cut + - args: + prefix: + value: + simple: 'caseid:' + suffix: {} + operator: concat + separatecontext: false + skipunavailable: false task: - id: d5bfd9fb-9daf-442c-8107-77255db16b94 - version: -1 - name: Check for suspicious process tree - description: Checks if a suspicious process execution chain was detected. This Indicates a high probability of malicious behavior. - type: condition + brand: '' + description: This task searches for Cortex XSIAM alerts related to the current + incident. 
+ id: 19cbb840-f9a2-4334-8050-ea85ec73736a iscommand: false - brand: "" - nexttasks: - '#default#': - - "16" - "yes": - - "10" - separatecontext: false + name: Retrieve all incident alerts + scriptName: SearchIncidentsV2 + type: regular + version: -1 + taskid: 19cbb840-f9a2-4334-8050-ea85ec73736a + timertriggers: [] + type: regular + view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 221\n }\n}" + '8': conditions: - - label: "yes" - condition: - - - operator: containsGeneral - left: - value: - simple: alert.initiatedby + - condition: + - - left: iscontext: true - right: - value: - simple: WmiPrvSE.exe - ignorecase: true - - operator: containsGeneral - left: value: - simple: alert.initiatedby - iscontext: true + simple: CommandLineAnalysis.score + operator: greaterThanOrEqual right: value: - simple: WMIC.exe - ignorecase: true - - operator: containsGeneral + simple: '15' + - - ignorecase: true left: - value: - simple: alert.initiatedby iscontext: true - right: - value: - simple: WMICodeCreator.exe - ignorecase: true - - - operator: containsGeneral - left: value: - simple: alert.targetprocessname - iscontext: true + simple: foundIncidents.CustomFields.action + operator: containsGeneral right: value: - simple: powershell.exe - ignorecase: true - - operator: containsGeneral - left: - value: - simple: alert.targetprocessname + simple: BLOCKED + - left: iscontext: true - right: value: - simple: cmd.exe - ignorecase: true - - operator: containsGeneral - left: + simple: foundIncidents.CustomFields.action + operator: isEqualString + right: value: - simple: alert.targetprocessname + simple: REPORTED + label: Malicious + - condition: + - - left: iscontext: true + value: + simple: CommandLineAnalysis.score + operator: lessThan right: value: - simple: ntdsutil.exe - ignorecase: true - - operator: containsGeneral + simple: '15' + - - ignorecase: true left: - value: - simple: alert.targetprocessname iscontext: true - right: value: - simple: rundll32.exe - ignorecase: true - - - 
operator: notContainsGeneral - left: + simple: foundIncidents.CustomFields.action + operator: containsGeneral + right: value: - simple: alert.targetprocesscmd + simple: BLOCKED + - left: iscontext: true + value: + simple: foundIncidents.CustomFields.action + operator: isEqualString right: value: - simple: C:\Windows\CCM - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 1140, - "y": 1150 - } - } - note: false - timertriggers: [] + simple: REPORTED + label: Medium Confidence + continueonerrortype: '' + id: '8' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "26": - id: "26" - taskid: f0b93f7f-3f2c-4141-8de9-78fa361a7597 - type: regular - task: - id: f0b93f7f-3f2c-4141-8de9-78fa361a7597 - version: -1 - name: Get the attacker's remote host IP address - description: Returns information about each alert ID. - script: '|||core-get-cloud-original-alerts' - type: regular - iscommand: true - brand: "" + isoversize: false nexttasks: - '#none#': - - "1" - - "6" - scriptarguments: - alert_ids: - simple: ${alert.id} - filter_alert_fields: - simple: "false" - separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 93 - } - } + '#default#': + - '9' + Malicious: + - '11' + Medium Confidence: + - '10' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "27": - id: "27" - taskid: de317f0e-4b02-4628-81fa-134576939a13 - type: regular - task: - id: de317f0e-4b02-4628-81fa-134576939a13 - version: -1 - name: Get endpoint status - description: Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. 
Offset is the zero-based number of the endpoint from the start of the result set (start by counting from 0). - script: '|||core-get-endpoints' - type: regular - iscommand: true - brand: "" - nexttasks: - '#none#': - - "19" - scriptarguments: - endpoint_id_list: - simple: ${alert.agentid} separatecontext: false - continueonerrortype: "" - view: |- - { - "position": { - "x": 451, - "y": 2140 - } - } - note: false - timertriggers: [] - ignoreworker: false skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - "28": - id: "28" - taskid: 894c36a0-db47-468b-887c-79316156c692 - type: condition task: - id: 894c36a0-db47-468b-887c-79316156c692 - version: -1 - name: Check if the causality is WMI - description: Check if the causality process image name is WMI. - type: condition + brand: '' + description: 'This task identifies the risk level by considering the score and + whether a prevention rule is present in the same alert. + + + **Conditions:** + + + - If Score is **greater than or equal to 15** AND a **prevention rule exists** + in the same alert, classify the result as **Malicious**. + + - Else, if Score is **less than 15** AND a **prevention rule exists** in the + same alert, classify the result as **Suspicious**. + + + High-risk behavior with prevention rule: **Malicious**. + + Low-risk behavior with prevention rule: **Suspicious**. 
+ + ' + id: 80d9b967-a4d6-46a5-814a-06d806805237 iscommand: false - brand: "" - nexttasks: - '#default#': - - "29" - WMI: - - "12" - separatecontext: false + name: Check for medium-confidence threshold with a prevention alert + type: condition + version: -1 + taskid: 80d9b967-a4d6-46a5-814a-06d806805237 + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 780\n }\n}" + '9': conditions: - - label: WMI - condition: - - - operator: containsGeneral - left: - value: - simple: alert.cgoname - iscontext: true - right: - value: - simple: WmiPrvSE.exe - ignorecase: true - - operator: containsGeneral - left: - value: - simple: alert.cgoname + - condition: + - - left: iscontext: true - right: - value: - simple: WMIC.exe - ignorecase: true - - operator: containsGeneral - left: value: - simple: alert.cgoname - iscontext: true + simple: CommandLineAnalysis.score + operator: InRange right: value: - simple: WMICodeCreator.exe - ignorecase: true - continueonerrortype: "" - view: |- - { - "position": { - "x": 450, - "y": 1643 - } - } - note: false - timertriggers: [] + simple: 10,25 + label: 'yes' + continueonerrortype: '' + id: '9' ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false isautoswitchedtoquietmode: false - "29": - id: "29" - taskid: 2aabb75e-d911-4d92-8974-0891c6156934 - type: regular - task: - id: 2aabb75e-d911-4d92-8974-0891c6156934 - version: -1 - name: Terminate causality process - description: Terminate a process tree by its causality ID. Available only for Cortex XSIAM 2.4 and above. 
- script: '|||core-terminate-causality' - type: regular - iscommand: true - brand: "" + isoversize: false nexttasks: - '#error#': - - "13" - '#none#': - - "27" - scriptarguments: - agent_id: - simple: ${alert.agentid} - causality_id: - simple: ${alert.cid} - timeout_in_seconds: - simple: "180" - separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: |- - { - "position": { - "x": 819, - "y": 1840 - } - } + '#default#': + - '25' + 'yes': + - '10' note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false -view: |- - { - "linkLabelsPosition": { - "10_11_Approved": 0.38, - "10_16_#default#": 0.1, - "12_13_#error#": 0.64, - "17_14_#default#": 0.43, - "17_18_Isolate": 0.4, - "19_14_#default#": 0.21, - "19_23_Yes": 0.37, - "23_17_WORKSTATION": 0.46, - "23_24_#default#": 0.62, - "25_10_yes": 0.55, - "25_16_#default#": 0.1, - "28_12_WMI": 0.59, - "28_29_#default#": 0.6, - "29_13_#error#": 0.63, - "5_11_Malicious": 0.4, - "5_8_#default#": 0.42, - "8_10_Medium Confidence": 0.82, - "8_11_Malicious": 0.8, - "8_9_#default#": 0.64, - "9_10_yes": 0.25, - "9_25_#default#": 0.48 - }, - "paper": { - "dimensions": { - "height": 3387, - "width": 1451, - "x": 70, - "y": -150 - } - } - } -inputs: [] -outputs: [] + separatecontext: false + skipunavailable: false + task: + brand: '' + description: "This task identifies medium-risk cases based on the score received\ + \ from the command line analysis script.\n\n**Conditions:**\n\nIf the score\ + \ is in the range of **10\u201325**, mark the result as **Suspicious**." 
+ id: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a + iscommand: false + name: Check for medium-confidence and request remediation approval + type: condition + version: -1 + taskid: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a + timertriggers: [] + type: condition + view: "{\n \"position\": {\n \"x\": 830,\n \"y\": 960\n }\n}" tests: - No tests (auto formatted) -fromversion: 8.8.0 +version: -1 +view: "{\n \"linkLabelsPosition\": {\n \"10_11_Approved\": 0.38,\n \"10_16_#default#\"\ + : 0.1,\n \"12_13_#error#\": 0.64,\n \"17_14_#default#\": 0.43,\n \"17_18_Isolate\"\ + : 0.4,\n \"19_14_#default#\": 0.21,\n \"19_23_Yes\": 0.37,\n \"23_17_WORKSTATION\"\ + : 0.46,\n \"23_24_#default#\": 0.62,\n \"25_10_yes\": 0.55,\n \"25_16_#default#\"\ + : 0.1,\n \"28_12_WMI\": 0.59,\n \"28_29_#default#\": 0.6,\n \"29_13_#error#\"\ + : 0.63,\n \"5_11_Malicious\": 0.4,\n \"5_8_#default#\": 0.42,\n \"8_10_Medium\ + \ Confidence\": 0.82,\n \"8_11_Malicious\": 0.8,\n \"8_9_#default#\": 0.64,\n\ + \ \"9_10_yes\": 0.25,\n \"9_25_#default#\": 0.48\n },\n \"paper\": {\n \ + \ \"dimensions\": {\n \"height\": 3387,\n \"width\": 1451,\n \"\ + x\": 70,\n \"y\": -150\n }\n }\n}" diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json index 12d3720489b6..3ec553a481fc 100644 --- a/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json +++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_Test.json @@ -39,5 +39,6 @@ ] } }, - "issilent": true + "issilent": true, + "fromVersion": "8.9.0" } \ No newline at end of file 
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
index a5d46f86d2c7..e9f26bb00478 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger-_-A_user_executed_multiple_LDAP_enumeration_queries_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for A user executed suspicious LDAP enumeration queries alerts.",
 "description": "This trigger is responsible for handling alerts where a user executes suspicious LDAP enumeration queries.",
 "trigger_name": "silent-A user executed multiple LDAP enumeration queries Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
index 4bdaf5a0d78f..376eedc4bb2a 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace_Test.json
@@ -29,5 +29,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
index 304d01f17d28..a46931a51353 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_SSO_sign_in_from_TOR_Test.json
@@ -29,5 +29,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
index c972b6db2747..928fc8f08951 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_A_successful_login_from_TOR_Test.json
@@ -20,5 +20,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
index 61f3a812bac4..bb8ba51ca347 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_AppleScript_Process_Executed_With_Rare_Command_Line_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for 'AppleScript Process Executed With Rare Command Line' alerts",
 "description": "This trigger is responsible for handling several the 'AppleScript Process Executed With Rare Command Line' alerts",
 "trigger_name": "silent-AppleScript Process Executed With Rare Command Line Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
index 6912932d53c7..e0d197a5c798 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Azure_AD_account_unlock_or_password_reset_Test.json
@@ -20,5 +20,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
index 27b1e83c47a0..294e6f6c323f 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for Compromise Accounts alerts triggered by multiple MFA rejections.",
 "description": "This trigger is responsible for handling Compromise Accounts alerts where user rejected MFA attempts.",
 "trigger_name": "silent-Compromise Accounts - User has rejected numerous SSO MFA attempts Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
index bdeb762e85c4..721c33fd966e 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Credential_Dumping_using_a_known_tool_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for 'Credential Dumping using a known tool' alerts",
 "description": "This trigger is responsible for handling the 'Credential Dumping using a known tool' alerts",
 "trigger_name": "silent-Credential Dumping using a known tool Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
index f594978ce8c2..bf659318853f 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Uncommon remote scheduled task creation' alert",
 "description": "This trigger is responsible for handling 'Uncommon remote scheduled task creation' alerts",
 "trigger_name": "silent-Endpoint initiated uncommon remote scheduled task creation Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
index 6d56bc592f0d..3c129f591def 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Event_Log_Was_Cleared_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for 'Windows Event Log Was Cleared' alerts",
 "description": "This trigger is responsible for handling the 'Windows Event Log Was Cleared' alerts",
 "trigger_name": "silent-Event Log Was Cleared Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
index 756fd197fe4b..ae9261a0574c 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Excessive_User_Account_Lockkouts_Test.json
@@ -1,7 +1,7 @@
 {
 "trigger_id": "16b8fde633a06edcc92b4f6aa7b52db2",
 "playbook_id": "silent-Excessive User Account Lockouts Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "suggestion_reason": "Recommended for Excessive User Account Lockouts alerts.",
 "description": "This trigger is responsible for handling excessive user account lockouts.",
 "trigger_name": "silent-Excessive User Account Lockouts Test",
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
index 6ad8130fe3aa..fc88cd3b8e1c 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_User_Mailbox_Forwarding_Test.json
@@ -29,5 +29,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
index 4fb4dba98a09..5446d0b34654 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Exchange_forwarding_rule_configured_Test.json
@@ -1,7 +1,7 @@
 {
 "trigger_id": "4402083915accc60f72e10bb59224616",
 "playbook_id": "silent-Exchange forwarding rule configured Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "suggestion_reason": "Recommended for External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule",
 "description": "This trigger runs the Exchange forwarding rule alerts playbook, which handles the External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule alerts.",
 "trigger_name": "silent-Exchange forwarding rule configured Test",
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
index 3d5a39db66a5..a2600701487c 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for 'Msiexec execution of an executable from an uncommon remote location without properties' and 'Msiexec execution of an executable from an uncommon remote location with a specific port' alerts",
 "description": "This trigger is responsible for handling the 'Msiexec execution of an executable from an uncommon remote location with a specific port' and 'Msiexec execution of an executable from an uncommon remote location without properties' alerts via the 'Msiexec_execution_of_an_executable_from_an_uncommon_remote_location' playbook",
 "trigger_name": "silent-Msiexec execution of an executable from an uncommon remote location Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
index 5862afabce4e..c690441e8047 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Netcat_Makes_or_Gets_Connections_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for `Netcat Makes or Gets Connections` Alerts ",
 "description": "This trigger is responsible for handling `Netcat Makes or Gets Connections` alert",
 "trigger_name": "silent-Netcat Makes or Gets Connections Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "issilent": true,
 "alerts_filter": {
 "filter": {
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
index f8c252cf8a7b..ccadc0df258f 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Office_process_creates_a_scheduled_task_via_file_access_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Office process creates a scheduled task via file access' alert",
 "description": "This trigger is responsible for handling 'Office process creates a scheduled task via file access' alerts",
 "trigger_name": "silent-Office process creates a scheduled task via file access Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
index 697ca9a30162..aeecfb45244c 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Remote_WMI_Process_Execution_Test.json
@@ -29,5 +29,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
index 9bb75b818342..0d6cd6cb6421 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_SSO_Authentication_With_Suspicious_Characteristics_Test.json
@@ -29,5 +29,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
index e445037699d4..80e585e31e53 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference_Test.json
@@ -20,5 +20,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
index 93d0a885214e..ab4cd54ba604 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Successful_guest_user_invitation_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for Valid Accounts alerts involving successful guest user invitations.",
 "description": "This trigger is responsible for handling Valid Accounts alerts related to successful guest user invitations.",
 "trigger_name": "silent-Successful guest user invitation Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
index 4601de6f3e17..5db61081f8a8 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Hidden_User_Created_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for Suspicious Hidden User Created alerts.",
 "description": "This trigger is responsible for handling alerts where a suspicious hidden user is created.",
 "trigger_name": "silent-Alert Trigger - Suspicious Hidden User Created Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
index e5480cb8cf30..9b2d65d61c38 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_Local_Administrator_Login_Test.json
@@ -20,5 +20,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
index d672ffb620eb..c6a76517acce 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_access_to_shadow_file_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process' alert",
 "description": "This trigger is responsible for handling 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process",
 "trigger_name": "silent-Uncommon creation or access operation of sensitive shadow copy by a high-risk process Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
index 9d3307b33b74..759a4d1b5fd8 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_certutil_command_line_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Suspicious certutil command line' alerts",
 "description": "This trigger is responsible for handling 'Suspicious certutil command line' alerts",
 "trigger_name": "silent-Suspicious certutil command line Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
index db18cc1aa40f..f0140cd73994 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_execution_from_tmp_folder_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for 'Suspicious interactive execution of a binary from the tmp folder', 'Suspicious cron job task execution of a binary from the tmp folder' and 'A web server process executed an unpopular application from the tmp folder' alerts",
 "description": "This trigger is responsible for handling the 'Suspicious interactive execution of a binary from the tmp folder', 'Suspicious cron job task execution of a binary from the tmp folder' and 'A web server process executed an unpopular application from the tmp folder' alerts via the 'Suspicious execution from tmp folder' playbook",
 "trigger_name": "silent-Suspicious execution from tmp folder Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
index 0a4724a28c73..b81caa72ee6b 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Suspicious process execution by scheduled task on a sensitive server' alert",
 "description": "This trigger is responsible for handling 'Suspicious process execution by scheduled task on a sensitive server' alert",
 "trigger_name": "silent-Suspicious process execution by scheduled task on a sensitive server Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
index 828af2ac129b..72077339360c 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_execution_of_ODBCconf_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Uncommon execution of ODBCConf' alert.",
 "description": "This trigger is responsible for handling 'Uncommon execution of ODBCConf' alerts.",
 "trigger_name": "silent-Uncommon execution of ODBCConf Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
index 3127f6f68e58..0eff050ecd43 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Uncommon_remote_scheduled_task_created_Test.json
@@ -20,5 +20,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
index be4671095245..5abafc8d4c4a 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unprivileged_process_opened_a_registry_hive_Test.json
@@ -20,5 +20,6 @@
 ]
 }
 },
- "issilent": true
+ "issilent": true,
+ "fromVersion": "8.9.0"
 }
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
index 14c69ebd93e9..6834069da14e 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unsigned_and_unpopular_process_performed_an_injection_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for 'Unsigned and unpopular process performed an injection' alerts",
 "description": "This trigger is responsible for handling several the 'Unsigned and unpopular process performed an injection' alerts",
 "trigger_name": "silent-Unsigned and unpopular process performed an injection Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
index 2ff832dfb95c..766499c15017 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_Unusual_process_accessed_web_browser_credentials_and_executed_by_a_terminal_process_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'Unusual process accessed web browser credentials and executed by a terminal process",
 "description": "This trigger is responsible for handling 'Unusual process accessed web browser credentials and executed by a terminal process' alerts",
 "trigger_name": "silent-Unusual process accessed web browser credentials and executed by a terminal process Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
index e5de8eede701..e754004cfee8 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command_Test.json
@@ -4,7 +4,7 @@
 "suggestion_reason": "Recommended for the 'User added to local administrator group using a PowerShell command' alert",
 "description": "This trigger is responsible for handling 'User added to local administrator group using a PowerShell command' alert",
 "trigger_name": "silent-User added to local administrator group using a PowerShell command Test",
- "fromVersion": "8.8.0",
+ "fromVersion": "8.9.0",
 "alerts_filter": {
 "filter": {
 "AND": [
diff --git a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_WmiPrvSe.exe_Rare_Child_Command_Line.json b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_WmiPrvSe.exe_Rare_Child_Command_Line.json
index 99134c41368d..5df2536b9625 100644
--- a/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_WmiPrvSe.exe_Rare_Child_Command_Line.json
+++ b/Packs/CortexResponseAndRemediation/Triggers/silent-Trigger_-_WmiPrvSe.exe_Rare_Child_Command_Line.json @@ -1,25 +1,25 @@ { - "trigger_id": "28d01c211cb6b82e18cac5b9d8f5f443", - "playbook_id": "silent-WmiPrvSe.exe Rare Child Command Line", - "suggestion_reason": "Recommended for WmiPrvSe.exe Rare Child Command Line alerts", - "description": "This trigger is responsible for handling WmiPrvSe.exe Rare Child Command Line alerts", - "trigger_name": "silent-WmiPrvSe.exe Rare Child Command Line", - "fromVersion": "8.8.0", - "issilent": true, - "alerts_filter": { - "filter": { - "AND": [ - { - "SEARCH_FIELD": "alert_name", - "SEARCH_TYPE": "EQ", - "SEARCH_VALUE": "WmiPrvSe.exe Rare Child Command Line" - }, - { - "SEARCH_FIELD": "alert_type", - "SEARCH_TYPE": "NEQ", - "SEARCH_VALUE": "Correlation" - } - ] + "trigger_id": "28d01c211cb6b82e18cac5b9d8f5f443", + "playbook_id": "silent-WmiPrvSe.exe Rare Child Command Line", + "suggestion_reason": "Recommended for WmiPrvSe.exe Rare Child Command Line alerts", + "description": "This trigger is responsible for handling WmiPrvSe.exe Rare Child Command Line alerts", + "trigger_name": "silent-WmiPrvSe.exe Rare Child Command Line", + "fromVersion": "8.9.0", + "issilent": true, + "alerts_filter": { + "filter": { + "AND": [ + { + "SEARCH_FIELD": "alert_name", + "SEARCH_TYPE": "EQ", + "SEARCH_VALUE": "WmiPrvSe.exe Rare Child Command Line" + }, + { + "SEARCH_FIELD": "alert_type", + "SEARCH_TYPE": "NEQ", + "SEARCH_VALUE": "Correlation" + } + ] + } } - } } \ No newline at end of file From a7110a0b37972b19d387d8dd0afe15178c93a02d Mon Sep 17 00:00:00 2001 From: ArikDay Date: Tue, 4 Mar 2025 08:42:35 +0200 Subject: [PATCH 12/14] fixes --- Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md | 1 + Packs/CortexResponseAndRemediation/pack_metadata.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md 
diff --git a/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md
new file mode 100644
index 000000000000..f4302cbb63df
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_20.md
@@ -0,0 +1 @@
+## Documentation and metadata improvements.
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/pack_metadata.json b/Packs/CortexResponseAndRemediation/pack_metadata.json
index 3a1e9b389c1d..898f4412ba57 100644
--- a/Packs/CortexResponseAndRemediation/pack_metadata.json
+++ b/Packs/CortexResponseAndRemediation/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Cortex Response And Remediation",
 "description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
 "support": "xsoar",
- "currentVersion": "1.1.19",
+ "currentVersion": "1.1.20",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 6b7709358b73ee12fe05e2fda166c600ffa45a27 Mon Sep 17 00:00:00 2001
From: ArikDay
Date: Tue, 4 Mar 2025 08:44:53 +0200
Subject: [PATCH 13/14] fix
---
 ...k-WmiPrvSe.exe_Rare_Child_Command_Line.yml | 2070 +++++++++--------
 1 file changed, 1116 insertions(+), 954 deletions(-)
diff --git a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml
index b81487962d93..ae05faedbb20 100644
--- a/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml
+++ b/Packs/CortexResponseAndRemediation/Playbooks/silent-playbook-WmiPrvSe.exe_Rare_Child_Command_Line.yml
@@ -1,1193 +1,1355 @@ +id: silent-WmiPrvSe.exe Rare Child Command Line +version: -1 contentitemexportablefields: contentitemfields: {} -description: "This playbook addresses the following alerts:\n\n* WmiPrvSe.exe Rare\ - \ Child Command Line\n\n**Playbook Stages:**\n\n**Analysis:**\n\n* Enrich the attacker\u2019\ - s IP address to identify any known malicious activity.\n\n* Retrieve all alert-related\ - \ alerts to consolidate context for further analysis.\n\n**Investigation:**\n\n\ - * Analyze command-line activity to assess risks based on suspicious patterns.\n\n\ - * Check for high-confidence evidence, such as malicious IP addresses or suspicious\ - \ command-line activity, to determine the next course of action.\n\n* Evaluate medium-confidence\ - \ detections and request analyst approval for further containment if required.\n\ - \n**Containment:**\n\n* Attempt to terminate the malicious process.\n\n* Provide\ - \ guidance for manual process termination if the automated action fails.\n\n* Propose\ - \ endpoint isolation to prevent further compromise if malicious activity is confirmed." -fromversion: 8.9.0 -id: silent-WmiPrvSe.exe Rare Child Command Line -inputs: [] -issilent: true name: silent-WmiPrvSe.exe Rare Child Command Line -outputs: [] -starttaskid: '0' +issilent: true +description: |- + This playbook addresses the following alerts: + + * WmiPrvSe.exe Rare Child Command Line + + **Playbook Stages:** + + **Analysis:** + + * Enrich the attacker’s IP address to identify any known malicious activity. + + * Retrieve all alert-related alerts to consolidate context for further analysis. + + **Investigation:** + + * Analyze command-line activity to assess risks based on suspicious patterns. + + * Check for high-confidence evidence, such as malicious IP addresses or suspicious command-line activity, to determine the next course of action. + + * Evaluate medium-confidence detections and request analyst approval for further containment if required. 
+ + **Containment:** + + * Attempt to terminate the malicious process. + + * Provide guidance for manual process termination if the automated action fails. + + * Propose endpoint isolation to prevent further compromise if malicious activity is confirmed. tags: - TA0008 - Lateral Movement - T1021 - Remote Services +starttaskid: "0" tasks: - '0': - continueonerrortype: '' - id: '0' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '22' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false + "0": + id: "0" + taskid: d0d9e83a-eb37-4c5e-8669-4610c07f402f + type: start task: - brand: '' - description: '' id: d0d9e83a-eb37-4c5e-8669-4610c07f402f - iscommand: false - name: '' version: -1 - taskid: d0d9e83a-eb37-4c5e-8669-4610c07f402f + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "22" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -150 + } + } + note: false timertriggers: [] - type: start - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -150\n }\n}" - '1': - continueonerrortype: '' - id: '1' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 + type: regular + task: + id: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 + version: -1 + name: Enrich attacker's IP address + description: Checks the specified IP address against the AbuseIP database. 
+ script: '|||ip' + type: regular + iscommand: true + brand: "" nexttasks: '#none#': - - '4' - note: false - quietmode: 0 + - "4" scriptarguments: ip: complex: - accessor: actor_remote_ip root: Core.OriginalAlert.event + accessor: actor_remote_ip transformers: - - args: + - operator: SetIfEmpty + args: applyIfEmpty: {} defaultValue: - iscontext: true value: simple: alert.hostip - operator: SetIfEmpty + iscontext: true separatecontext: false - skipunavailable: true - task: - brand: '' - description: Checks the specified IP address against the AbuseIP database. - id: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 - iscommand: true - name: Enrich attacker's IP address - script: '|||ip' - type: regular - version: -1 - taskid: 3dea1ef1-2e15-40b1-8043-d23c49082ae9 + continueonerrortype: "" + view: |- + { + "position": { + "x": 663, + "y": 221 + } + } + note: false timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 663,\n \"y\": 221\n }\n}" - '10': - continueonerrortype: '' - id: '10' ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - '16' - Approved: - - '11' - note: false + skipunavailable: true quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: e6a68fa1-07fe-477e-839b-e34f1ea94317 + type: regular task: - brand: '' - description: '**Approval Required: Suspicious Activity Detection** - - - The detection does not meet the thresholds for a definitive malicious verdict. - It falls into a suspicious category based on the following conditions: - - - **One of the following supporting evidences** - - - * Command Line Analysis score is in range 10 to 25 - - * Command Line Analysis score below 15 with a prevention rule in the same - incident. - - * Suspicious process tree detected - - - **Unmatched Verdicts:** - - * No matches for high-risk command line analysis profiles. - - * No malicious IP address detected. 
- - * The command line analysis score is below 15 with high-confidence indicators. + id: e6a68fa1-07fe-477e-839b-e34f1ea94317 + version: -1 + name: Analyze command line + description: |- + This script evaluates command-line threats by analyzing both original and decoded inputs. It assigns weighted scores to detected patterns, such as AMSI bypass or credential dumping, and applies risk combination bonuses for multiple detections. The total score is normalized to a 0-100 scale, with risk levels categorized as follows: + * 0-25: Low Risk + * 26-50: Medium Risk + * 51-90: High Risk + * 91-100: Critical Risk - Analyst approval is required to proceed with further containment or escalation.' - id: b5b70f92-16a9-4883-ba8c-720d18105221 - iscommand: false - name: 'Approval Required: Medium Confidence Detection' - type: condition - version: -1 - taskid: b5b70f92-16a9-4883-ba8c-720d18105221 - timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 830,\n \"y\": 1350\n }\n}" - '11': - continueonerrortype: '' - id: '11' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '28' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - description: '' - id: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 + The scoring mechanism provides a comprehensive risk assessment, considering both the severity and frequency of malicious behaviors. 
+ scriptName: CommandLineAnalysis + type: regular iscommand: false - name: Containment - type: title - version: -1 - taskid: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 - timertriggers: [] - type: title - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1530\n }\n}" - '12': - continueonerror: true - continueonerrortype: errorPath - id: '12' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + brand: "" nexttasks: - '#error#': - - '13' '#none#': - - '27' - note: false - quietmode: 0 + - "5" scriptarguments: - agent_id: - simple: ${alert.agentid} - instance_id: - simple: ${alert.actionprocessinstanceid} - timeout_in_seconds: - simple: '180' + command_line: + complex: + root: alert + accessor: targetprocesscmd + transformers: + - operator: append + args: + item: + value: + simple: alert.initiatorcmd + iscontext: true separatecontext: false - skipunavailable: false - task: - brand: '' - description: Terminate a process by its instance ID. Available only for Cortex - XSIAM 2.4 and above. - id: cd768fe6-4308-492c-8f3f-02d4d77daf5d - iscommand: true - name: Terminate target process - script: '|||core-terminate-process' - type: regular - version: -1 - taskid: cd768fe6-4308-492c-8f3f-02d4d77daf5d - timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 70,\n \"y\": 1840\n }\n}" - '13': - continueonerrortype: '' - id: '13' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '27' + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 478 + } + } note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - description: "Dear Analyst,\n\nDuring the containment phase, the playbook couldn\u2019\ - t terminate the process: ${Core.OriginalAlert.event.action_process_image_name}\n\ - \nPlease terminate the process manually if possible." 
- id: be6e0678-b817-46a9-8a0d-f6b2ac546436 - iscommand: false - name: Terminate Process Manually - type: regular - version: -1 - taskid: be6e0678-b817-46a9-8a0d-f6b2ac546436 timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 2007\n }\n}" - '14': - continueonerrortype: '' - id: '14' ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '15' - note: false - quietmode: 0 - scriptarguments: - closeNotes: - simple: The alert has been resolved. Confirmed as a True Positive by the playbook - "WmiPrvSe.exe Rare Child Command Line" - closeReason: - simple: Resolved - True Positive - id: - simple: ${alert.id} - separatecontext: false skipunavailable: false - task: - brand: Builtin - description: commands.local.cmd.close.inv - id: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a - iscommand: true - name: Close the Alert as True Positive - script: Builtin|||closeInvestigation - type: regular - version: -1 - taskid: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a - timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 172,\n \"y\": 3007\n }\n}" - '15': - continueonerrortype: '' - id: '15' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - note: false quietmode: 0 - separatecontext: false - skipunavailable: false + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 2bc56cd9-7962-499b-8b89-2c1019c24e51 + type: title task: - brand: '' - description: '' - id: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 - iscommand: false - name: Done - type: title + id: 2bc56cd9-7962-499b-8b89-2c1019c24e51 version: -1 - taskid: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 - timertriggers: [] - type: title - view: "{\n \"position\": {\n \"x\": 172,\n \"y\": 3177\n }\n}" - '16': - continueonerrortype: '' - id: '16' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + name: Investigation + type: title + iscommand: false + brand: "" + description: '' 
nexttasks: '#none#': - - '15' - note: false - quietmode: 0 - scriptarguments: - closeNotes: - simple: The alert has been resolved. Confirmed as a False Positive by the - playbook "WmiPrvSe.exe Rare Child Command Line" - closeReason: - simple: Resolved - False Positive - id: - simple: ${alert.id} + - "3" separatecontext: false - skipunavailable: false - task: - brand: Builtin - description: commands.local.cmd.close.inv - id: 7122a5a1-429a-4ba1-8069-c7d736845fa1 - iscommand: true - name: Close the Alert as False Positive - script: Builtin|||closeInvestigation - type: regular - version: -1 - taskid: 7122a5a1-429a-4ba1-8069-c7d736845fa1 + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 365 + } + } + note: false timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 1140,\n \"y\": 3007\n }\n}" - '17': - continueonerrortype: '' - id: '17' ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - message: - bcc: null - body: null - cc: null - format: '' - methods: [] - replyOptions: - - Isolate - subject: null - timings: - completeafterreplies: 1 - completeaftersla: false - completeafterv2: true - retriescount: 2 - retriesinterval: 360 - to: null - nexttasks: - '#default#': - - '14' - Isolate: - - '18' - note: false - quietmode: 0 - separatecontext: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: e3a5f626-810e-4be2-814a-4e7e39a901b6 + type: condition task: - brand: '' - description: "**Recommendation: Isolation Required \u2013 Malicious Activity\ - \ Detected**\n\nThe detection meets high-confidence criteria for malicious\ - \ activity based on the following conditions:\n\n**Matched Verdicts:**\n*\ - \ Matches for high-risk command line analysis profiles: mixed_case_powershell,\ - \ double_encoding, amsi_techniques, malicious_commands, or powershell_suspicious_network_patterns.\n\ - \n* Score >= 25, indicating high confidence 
probability for malicious behavior.\n\ - \n**Action Required:**\n\n* Isolate the remote host: ${Endpoint.Hostname}" - id: 095c11b6-e83f-49f8-8761-24fe79b5d968 - iscommand: false - name: "Approval Required \u2013 Malicious Activity Detected" - type: condition + id: e3a5f626-810e-4be2-814a-4e7e39a901b6 version: -1 - taskid: 095c11b6-e83f-49f8-8761-24fe79b5d968 - timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2670\n }\n}" - '18': - continueonerrortype: '' - id: '18' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false + name: Check for high-confidence evidence or malicious IP address + description: |- + This task evaluates the command line analysis results and checks if the profile matches one or more high-risk categories or if the overall score indicates a critical risk. + + **Conditions:** + + - A profile matches one or more of the following categories: **mixed case PowerShell, reversed command, PowerShell suspicious patterns, credential dumping, double encoding, AMSI techniques, or malicious commands.** + - OR the score is **greater than or equal to 25**. + - OR an **IP address** involved in the alert is flagged as **malicious**. + + If any condition is met, mark the result as **Malicious**. + type: condition + iscommand: false + brand: "" nexttasks: - '#none#': - - '14' - note: false - quietmode: 0 - scriptarguments: - endpoint_id: - simple: ${Endpoint.ID} - incident_id: - complex: - accessor: parentXDRIncident - root: alert - transformers: - - args: - delimiter: - value: - simple: '-' - fields: - value: - simple: '2' - operator: Cut + '#default#': + - "8" + Malicious: + - "11" separatecontext: false - skipunavailable: false - task: - brand: '' - description: Isolates the specified endpoint. 
- id: 7df12c62-a960-428c-8e0f-dccf404b63e0 - iscommand: true - name: Isolate endpoint - script: '|||core-isolate-endpoint' - type: regular - version: -1 - taskid: 7df12c62-a960-428c-8e0f-dccf404b63e0 - timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2865\n }\n}" - '19': conditions: - - condition: - - - ignorecase: true + - label: Malicious + condition: + - - operator: AnyMatch left: - iscontext: true value: simple: CommandLineAnalysis.findings - operator: AnyMatch - right: - value: - simple: mixed case powershell, reversed command, powershell suspicious - patterns, credential dumping, double encoding, amsi techniques, malicious - commands - - left: iscontext: true - value: - simple: CommandLineAnalysis.score - operator: greaterThanOrEqual right: value: - simple: '25' - - - ignorecase: true + simple: mixed case powershell, reversed command, powershell suspicious patterns, credential dumping, double encoding, amsi techniques, malicious commands + ignorecase: true + - operator: isEqualString left: - iscontext: true - value: - simple: Core.Endpoint.is_isolated - operator: isEqualString - right: value: - simple: AGENT_UNISOLATED - label: 'Yes' - continueonerrortype: '' - id: '19' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - '14' - 'Yes': - - '23' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - description: If the condition "Check for high-confidence evidence" was matched - and the endpoint ID is available, an endpoint isolation is suggested. - id: aa59de8b-dca5-485b-90db-49fc8bad71dc - iscommand: false - name: Should proceed to isolate the endpoint? 
- type: condition - version: -1 - taskid: aa59de8b-dca5-485b-90db-49fc8bad71dc - timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2310\n }\n}" - '22': - continueonerrortype: '' - id: '22' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#none#': - - '26' - note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - description: '' - id: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f - iscommand: false - name: Analysis - type: title - version: -1 - taskid: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f - timertriggers: [] - type: title - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": -20\n }\n}" - '23': - conditions: - - condition: - - - ignorecase: true - left: + complex: + root: DBotScore + filters: + - - operator: isEqualString + left: + value: + simple: DBotScore.Type + iscontext: true + right: + value: + simple: IP + ignorecase: true + accessor: Score iscontext: true - value: - simple: Core.Endpoint.endpoint_type - operator: containsString right: value: - simple: WORKSTATION - - - ignorecase: true + simple: "3" + - operator: greaterThanOrEqual left: - iscontext: true value: - simple: Core.Endpoint.endpoint_status - operator: isEqualString + simple: CommandLineAnalysis.score + iscontext: true right: value: - simple: CONNECTED - label: WORKSTATION - continueonerrortype: '' - id: '23' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - '24' - WORKSTATION: - - '17' + simple: "25" + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 602 + } + } note: false - quietmode: 0 - separatecontext: false - skipunavailable: false - task: - brand: '' - description: Checks whether the endpoint is a workstation or a server. 
- id: c5470fce-c24b-4768-844b-ce10abd9c6ba - iscommand: false - name: Check if the endpoint is workstation or a server - type: condition - version: -1 - taskid: c5470fce-c24b-4768-844b-ce10abd9c6ba timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2490\n }\n}" - '24': - continueonerrortype: '' - id: '24' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 19cbb840-f9a2-4334-8050-ea85ec73736a + type: regular + task: + id: 19cbb840-f9a2-4334-8050-ea85ec73736a + version: -1 + name: Retrieve all incident alerts + description: This task searches for Cortex XSIAM alerts related to the current incident. + scriptName: SearchIncidentsV2 + type: regular + iscommand: false + brand: "" nexttasks: '#none#': - - '14' - note: false - quietmode: 0 + - "4" + scriptarguments: + query: + complex: + root: alert + accessor: parentXDRIncident + transformers: + - operator: Cut + args: + delimiter: + value: + simple: '-' + fields: + value: + simple: "2" + - operator: concat + args: + prefix: + value: + simple: 'caseid:' + suffix: {} separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 230, + "y": 221 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: 80d9b967-a4d6-46a5-814a-06d806805237 + type: condition task: - brand: '' - description: "Dear Analyst,\n\nPlease note that during the remediation process,\ - \ the playbook didn't isolate the following host: ${Endpoint.Hostname} \n\n\ - This is due to one of the following reasons:\n- The device disconnected.\n\ - - The device has been identified as a server.\n\nPlease take manual action\ - \ to contain the attack and prevent the attacker from executing lateral movement\ - \ before closing this alert." 
- id: dc9a785d-392b-4233-89ad-b308d3412477 - iscommand: false - name: Manual remediation actions for a server or a disconnected endpoint - type: regular + id: 80d9b967-a4d6-46a5-814a-06d806805237 version: -1 - taskid: dc9a785d-392b-4233-89ad-b308d3412477 - timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 891,\n \"y\": 2670\n }\n}" - '25': + name: Check for medium-confidence threshold with a prevention alert + description: | + This task identifies the risk level by considering the score and whether a prevention rule is present in the same alert. + + **Conditions:** + + - If Score is **greater than or equal to 15** AND a **prevention rule exists** in the same alert, classify the result as **Malicious**. + - Else, if Score is **less than 15** AND a **prevention rule exists** in the same alert, classify the result as **Suspicious**. + + High-risk behavior with prevention rule: **Malicious**. + Low-risk behavior with prevention rule: **Suspicious**. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "9" + Malicious: + - "11" + Medium Confidence: + - "10" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: Malicious + condition: + - - operator: greaterThanOrEqual left: - iscontext: true - value: - simple: alert.initiatedby - operator: containsGeneral - right: value: - simple: WmiPrvSE.exe - - ignorecase: true - left: + simple: CommandLineAnalysis.score iscontext: true - value: - simple: alert.initiatedby - operator: containsGeneral right: value: - simple: WMIC.exe - - ignorecase: true + simple: "15" + - - operator: containsGeneral left: - iscontext: true - value: - simple: alert.initiatedby - operator: containsGeneral - right: value: - simple: WMICodeCreator.exe - - - ignorecase: true - left: + simple: foundIncidents.CustomFields.action iscontext: true - value: - simple: alert.targetprocessname - operator: containsGeneral right: value: - simple: powershell.exe - - ignorecase: true + 
simple: BLOCKED + ignorecase: true + - operator: isEqualString left: - iscontext: true value: - simple: alert.targetprocessname - operator: containsGeneral + simple: foundIncidents.CustomFields.action + iscontext: true right: value: - simple: cmd.exe - - ignorecase: true + simple: REPORTED + - label: Medium Confidence + condition: + - - operator: lessThan left: - iscontext: true value: - simple: alert.targetprocessname - operator: containsGeneral + simple: CommandLineAnalysis.score + iscontext: true right: value: - simple: ntdsutil.exe - - ignorecase: true + simple: "15" + - - operator: containsGeneral left: - iscontext: true value: - simple: alert.targetprocessname - operator: containsGeneral + simple: foundIncidents.CustomFields.action + iscontext: true right: value: - simple: rundll32.exe - - - ignorecase: true + simple: BLOCKED + ignorecase: true + - operator: isEqualString left: - iscontext: true value: - simple: alert.targetprocesscmd - operator: notContainsGeneral + simple: foundIncidents.CustomFields.action + iscontext: true right: value: - simple: C:\Windows\CCM - label: 'yes' - continueonerrortype: '' - id: '25' + simple: REPORTED + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 780 + } + } + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a + type: condition + task: + id: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a + version: -1 + name: Check for medium-confidence and request remediation approval + description: |- + This task identifies medium-risk cases based on the score received from the command line analysis script. + + **Conditions:** + + If the score is in the range of **10–25**, mark the result as **Suspicious**. 
+ type: condition + iscommand: false + brand: "" nexttasks: '#default#': - - '16' - 'yes': - - '10' - note: false - quietmode: 0 + - "25" + "yes": + - "10" separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: InRange + left: + value: + simple: CommandLineAnalysis.score + iscontext: true + right: + value: + simple: 10,25 + continueonerrortype: "" + view: |- + { + "position": { + "x": 830, + "y": 960 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: b5b70f92-16a9-4883-ba8c-720d18105221 + type: condition task: - brand: '' - description: Checks if a suspicious process execution chain was detected. This - Indicates a high probability of malicious behavior. - id: d5bfd9fb-9daf-442c-8107-77255db16b94 - iscommand: false - name: Check for suspicious process tree - type: condition + id: b5b70f92-16a9-4883-ba8c-720d18105221 version: -1 - taskid: d5bfd9fb-9daf-442c-8107-77255db16b94 + name: 'Approval Required: Medium Confidence Detection' + description: |- + **Approval Required: Suspicious Activity Detection** + + The detection does not meet the thresholds for a definitive malicious verdict. It falls into a suspicious category based on the following conditions: + + **One of the following supporting evidences** + + * Command Line Analysis score is in range 10 to 25 + * Command Line Analysis score below 15 with a prevention rule in the same incident. + * Suspicious process tree detected + + **Unmatched Verdicts:** + * No matches for high-risk command line analysis profiles. + * No malicious IP address detected. + * The command line analysis score is below 15 with high-confidence indicators. + + Analyst approval is required to proceed with further containment or escalation. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "16" + Approved: + - "11" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 830, + "y": 1350 + } + } + note: false timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 1140,\n \"y\": 1150\n }\n}" - '26': - continueonerrortype: '' - id: '26' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "11": + id: "11" + taskid: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 + type: title + task: + id: 0a1c5a5b-8df2-4b95-8fbe-d1d655f55346 + version: -1 + name: Containment + type: title + iscommand: false + brand: "" + description: '' nexttasks: '#none#': - - '1' - - '6' - note: false - quietmode: 0 - scriptarguments: - alert_ids: - simple: ${alert.id} - filter_alert_fields: - simple: 'false' + - "28" separatecontext: false - skipunavailable: false - task: - brand: '' - description: Returns information about each alert ID. - id: f0b93f7f-3f2c-4141-8de9-78fa361a7597 - iscommand: true - name: Get the attacker's remote host IP address - script: '|||core-get-cloud-original-alerts' - type: regular - version: -1 - taskid: f0b93f7f-3f2c-4141-8de9-78fa361a7597 + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1530 + } + } + note: false timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 93\n }\n}" - '27': - continueonerrortype: '' - id: '27' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "12": + id: "12" + taskid: cd768fe6-4308-492c-8f3f-02d4d77daf5d + type: regular + task: + id: cd768fe6-4308-492c-8f3f-02d4d77daf5d + version: -1 + name: Terminate target process + description: Terminate a process by its instance ID. Available only for Cortex XSIAM 2.4 and above. 
+ script: '|||core-terminate-process' + type: regular + iscommand: true + brand: "" nexttasks: + '#error#': + - "13" '#none#': - - '19' - note: false - quietmode: 0 + - "27" scriptarguments: - endpoint_id_list: + agent_id: simple: ${alert.agentid} + instance_id: + simple: ${alert.actionprocessinstanceid} + timeout_in_seconds: + simple: "180" separatecontext: false - skipunavailable: false - task: - brand: '' - description: Gets a list of endpoints, according to the passed filters. If there - are no filters, all endpoints are returned. Filtering by multiple fields will - be concatenated using AND condition (OR is not supported). Maximum result - set size is 100. Offset is the zero-based number of the endpoint from the - start of the result set (start by counting from 0). - id: de317f0e-4b02-4628-81fa-134576939a13 - iscommand: true - name: Get endpoint status - script: '|||core-get-endpoints' - type: regular - version: -1 - taskid: de317f0e-4b02-4628-81fa-134576939a13 + continueonerror: true + continueonerrortype: errorPath + view: |- + { + "position": { + "x": 70, + "y": 1840 + } + } + note: false timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 451,\n \"y\": 2140\n }\n}" - '28': - conditions: - - condition: - - - ignorecase: true - left: - iscontext: true - value: - simple: alert.cgoname - operator: containsGeneral - right: - value: - simple: WmiPrvSE.exe - - ignorecase: true - left: - iscontext: true - value: - simple: alert.cgoname - operator: containsGeneral - right: - value: - simple: WMIC.exe - - ignorecase: true - left: - iscontext: true - value: - simple: alert.cgoname - operator: containsGeneral - right: - value: - simple: WMICodeCreator.exe - label: WMI - continueonerrortype: '' - id: '28' ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - '29' - WMI: - - '12' - note: false - quietmode: 0 - separatecontext: false skipunavailable: false + quietmode: 0 + isoversize: false + 
isautoswitchedtoquietmode: false + "13": + id: "13" + taskid: be6e0678-b817-46a9-8a0d-f6b2ac546436 + type: regular task: - brand: '' - description: Check if the causality process image name is WMI. - id: 894c36a0-db47-468b-887c-79316156c692 - iscommand: false - name: Check if the causality is WMI - type: condition + id: be6e0678-b817-46a9-8a0d-f6b2ac546436 version: -1 - taskid: 894c36a0-db47-468b-887c-79316156c692 + name: Terminate Process Manually + description: |- + Dear Analyst, + + During the containment phase, the playbook couldn’t terminate the process: ${Core.OriginalAlert.event.action_process_image_name} + + Please terminate the process manually if possible. + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "27" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 2007 + } + } + note: false timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 1643\n }\n}" - '29': - continueonerror: true - continueonerrortype: errorPath - id: '29' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a + type: regular + task: + id: b9bddcb7-e2bf-4cb6-8ccf-9a10b71ffb8a + version: -1 + name: Close the Alert as True Positive + description: commands.local.cmd.close.inv + script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin nexttasks: - '#error#': - - '13' '#none#': - - '27' - note: false - quietmode: 0 + - "15" scriptarguments: - agent_id: - simple: ${alert.agentid} - causality_id: - simple: ${alert.cid} - timeout_in_seconds: - simple: '180' + closeNotes: + simple: The alert has been resolved. 
Confirmed as a True Positive by the playbook "WmiPrvSe.exe Rare Child Command Line" + closeReason: + simple: Resolved - True Positive + id: + simple: ${alert.id} separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 172, + "y": 3007 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 + type: title task: - brand: '' - description: Terminate a process tree by its causality ID. Available only for - Cortex XSIAM 2.4 and above. - id: 2aabb75e-d911-4d92-8974-0891c6156934 - iscommand: true - name: Terminate causality process - script: '|||core-terminate-causality' - type: regular + id: 7f02a14e-8ff0-4bb6-860b-17d2471ce868 version: -1 - taskid: 2aabb75e-d911-4d92-8974-0891c6156934 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 172, + "y": 3177 + } + } + note: false timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 819,\n \"y\": 1840\n }\n}" - '3': - continueonerrortype: '' - id: '3' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "16": + id: "16" + taskid: 7122a5a1-429a-4ba1-8069-c7d736845fa1 + type: regular + task: + id: 7122a5a1-429a-4ba1-8069-c7d736845fa1 + version: -1 + name: Close the Alert as False Positive + description: commands.local.cmd.close.inv + script: Builtin|||closeInvestigation + type: regular + iscommand: true + brand: Builtin nexttasks: '#none#': - - '5' - note: false - quietmode: 0 + - "15" scriptarguments: - command_line: - complex: - accessor: targetprocesscmd - root: alert - transformers: - - args: - item: - iscontext: true - value: - simple: alert.initiatorcmd - operator: append + closeNotes: + simple: The alert 
has been resolved. Confirmed as a False Positive by the playbook "WmiPrvSe.exe Rare Child Command Line" + closeReason: + simple: Resolved - False Positive + id: + simple: ${alert.id} separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1140, + "y": 3007 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 095c11b6-e83f-49f8-8761-24fe79b5d968 + type: condition task: - brand: '' - description: 'This script evaluates command-line threats by analyzing both original - and decoded inputs. It assigns weighted scores to detected patterns, such - as AMSI bypass or credential dumping, and applies risk combination bonuses - for multiple detections. The total score is normalized to a 0-100 scale, with - risk levels categorized as follows: - - - * 0-25: Low Risk + id: 095c11b6-e83f-49f8-8761-24fe79b5d968 + version: -1 + name: Approval Required – Malicious Activity Detected + description: |- + **Recommendation: Isolation Required – Malicious Activity Detected** - * 26-50: Medium Risk + The detection meets high-confidence criteria for malicious activity based on the following conditions: - * 51-90: High Risk + **Matched Verdicts:** + * Matches for high-risk command line analysis profiles: mixed_case_powershell, double_encoding, amsi_techniques, malicious_commands, or powershell_suspicious_network_patterns. - * 91-100: Critical Risk + * Score >= 25, indicating high confidence probability for malicious behavior. + **Action Required:** - The scoring mechanism provides a comprehensive risk assessment, considering - both the severity and frequency of malicious behaviors.' 
- id: e6a68fa1-07fe-477e-839b-e34f1ea94317 + * Isolate the remote host: ${Endpoint.Hostname} + type: condition iscommand: false - name: Analyze command line - scriptName: CommandLineAnalysis - type: regular - version: -1 - taskid: e6a68fa1-07fe-477e-839b-e34f1ea94317 + brand: "" + nexttasks: + '#default#': + - "14" + Isolate: + - "18" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 451, + "y": 2670 + } + } + note: false timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 478\n }\n}" - '4': - continueonerrortype: '' - id: '4' ignoreworker: false - isautoswitchedtoquietmode: false + message: + to: + subject: + body: + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + replyOptions: + - Isolate + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 7df12c62-a960-428c-8e0f-dccf404b63e0 + type: regular + task: + id: 7df12c62-a960-428c-8e0f-dccf404b63e0 + version: -1 + name: Isolate endpoint + description: Isolates the specified endpoint. 
+ script: '|||core-isolate-endpoint' + type: regular + iscommand: true + brand: "" nexttasks: '#none#': - - '3' - note: false - quietmode: 0 + - "14" + scriptarguments: + endpoint_id: + simple: ${Endpoint.ID} + incident_id: + complex: + root: alert + accessor: parentXDRIncident + transformers: + - operator: Cut + args: + delimiter: + value: + simple: '-' + fields: + value: + simple: "2" separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 451, + "y": 2865 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: aa59de8b-dca5-485b-90db-49fc8bad71dc + type: condition task: - brand: '' - description: '' - id: 2bc56cd9-7962-499b-8b89-2c1019c24e51 - iscommand: false - name: Investigation - type: title + id: aa59de8b-dca5-485b-90db-49fc8bad71dc version: -1 - taskid: 2bc56cd9-7962-499b-8b89-2c1019c24e51 - timertriggers: [] - type: title - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 365\n }\n}" - '5': + name: Should proceed to isolate the endpoint? + description: If the condition "Check for high-confidence evidence" was matched and the endpoint ID is available, an endpoint isolation is suggested. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "Yes": + - "23" + separatecontext: false conditions: - - condition: - - - ignorecase: true + - label: "Yes" + condition: + - - operator: AnyMatch left: - iscontext: true value: simple: CommandLineAnalysis.findings - operator: AnyMatch + iscontext: true right: value: - simple: mixed case powershell, reversed command, powershell suspicious - patterns, credential dumping, double encoding, amsi techniques, malicious - commands - - left: - iscontext: true + simple: mixed case powershell, reversed command, powershell suspicious patterns, credential dumping, double encoding, amsi techniques, malicious commands + ignorecase: true + - operator: greaterThanOrEqual + left: value: - complex: - accessor: Score - filters: - - - ignorecase: true - left: - iscontext: true - value: - simple: DBotScore.Type - operator: isEqualString - right: - value: - simple: IP - root: DBotScore - operator: isEqualString + simple: CommandLineAnalysis.score + iscontext: true right: value: - simple: '3' - - left: - iscontext: true + simple: "25" + - - operator: isEqualString + left: value: - simple: CommandLineAnalysis.score - operator: greaterThanOrEqual + simple: Core.Endpoint.is_isolated + iscontext: true right: value: - simple: '25' - label: Malicious - continueonerrortype: '' - id: '5' + simple: AGENT_UNISOLATED + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 451, + "y": 2310 + } + } + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "22": + id: "22" + taskid: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + type: title + task: + id: 7ae38b7e-4c38-4c10-8cd6-1e935e4e0e4f + version: -1 + name: Analysis + type: title + iscommand: false + brand: "" + description: '' nexttasks: - '#default#': - - '8' - Malicious: - - '11' - note: false - quietmode: 0 + 
'#none#': + - "26" separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -20 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: c5470fce-c24b-4768-844b-ce10abd9c6ba + type: condition task: - brand: '' - description: 'This task evaluates the command line analysis results and checks - if the profile matches one or more high-risk categories or if the overall - score indicates a critical risk. - - - **Conditions:** - - - - A profile matches one or more of the following categories: **mixed case - PowerShell, reversed command, PowerShell suspicious patterns, credential dumping, - double encoding, AMSI techniques, or malicious commands.** - - - OR the score is **greater than or equal to 25**. - - - OR an **IP address** involved in the alert is flagged as **malicious**. - - - If any condition is met, mark the result as **Malicious**.' - id: e3a5f626-810e-4be2-814a-4e7e39a901b6 - iscommand: false - name: Check for high-confidence evidence or malicious IP address - type: condition + id: c5470fce-c24b-4768-844b-ce10abd9c6ba version: -1 - taskid: e3a5f626-810e-4be2-814a-4e7e39a901b6 + name: Check if the endpoint is workstation or a server + description: Checks whether the endpoint is a workstation or a server. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "24" + WORKSTATION: + - "17" + separatecontext: false + conditions: + - label: WORKSTATION + condition: + - - operator: containsString + left: + value: + simple: Core.Endpoint.endpoint_type + iscontext: true + right: + value: + simple: WORKSTATION + ignorecase: true + - - operator: isEqualString + left: + value: + simple: Core.Endpoint.endpoint_status + iscontext: true + right: + value: + simple: CONNECTED + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 451, + "y": 2490 + } + } + note: false timertriggers: [] - type: condition - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 602\n }\n}" - '6': - continueonerrortype: '' - id: '6' ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: dc9a785d-392b-4233-89ad-b308d3412477 + type: regular + task: + id: dc9a785d-392b-4233-89ad-b308d3412477 + version: -1 + name: Manual remediation actions for a server or a disconnected endpoint + description: "Dear Analyst,\n\nPlease note that during the remediation process, the playbook didn't isolate the following host: ${Endpoint.Hostname} \n\nThis is due to one of the following reasons:\n- The device disconnected.\n- The device has been identified as a server.\n\nPlease take manual action to contain the attack and prevent the attacker from executing lateral movement before closing this alert." 
+ type: regular + iscommand: false + brand: "" nexttasks: '#none#': - - '4' - note: false - quietmode: 0 - scriptarguments: - query: - complex: - accessor: parentXDRIncident - root: alert - transformers: - - args: - delimiter: - value: - simple: '-' - fields: - value: - simple: '2' - operator: Cut - - args: - prefix: - value: - simple: 'caseid:' - suffix: {} - operator: concat + - "14" separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 891, + "y": 2670 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "25": + id: "25" + taskid: d5bfd9fb-9daf-442c-8107-77255db16b94 + type: condition task: - brand: '' - description: This task searches for Cortex XSIAM alerts related to the current - incident. - id: 19cbb840-f9a2-4334-8050-ea85ec73736a - iscommand: false - name: Retrieve all incident alerts - scriptName: SearchIncidentsV2 - type: regular + id: d5bfd9fb-9daf-442c-8107-77255db16b94 version: -1 - taskid: 19cbb840-f9a2-4334-8050-ea85ec73736a - timertriggers: [] - type: regular - view: "{\n \"position\": {\n \"x\": 230,\n \"y\": 221\n }\n}" - '8': + name: Check for suspicious process tree + description: Checks if a suspicious process execution chain was detected. This Indicates a high probability of malicious behavior. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "16" + "yes": + - "10" + separatecontext: false conditions: - - condition: - - - left: - iscontext: true + - label: "yes" + condition: + - - operator: containsGeneral + left: value: - simple: CommandLineAnalysis.score - operator: greaterThanOrEqual + simple: alert.initiatedby + iscontext: true right: value: - simple: '15' - - - ignorecase: true + simple: WmiPrvSE.exe + ignorecase: true + - operator: containsGeneral left: - iscontext: true value: - simple: foundIncidents.CustomFields.action - operator: containsGeneral + simple: alert.initiatedby + iscontext: true right: value: - simple: BLOCKED - - left: - iscontext: true + simple: WMIC.exe + ignorecase: true + - operator: containsGeneral + left: value: - simple: foundIncidents.CustomFields.action - operator: isEqualString + simple: alert.initiatedby + iscontext: true right: value: - simple: REPORTED - label: Malicious - - condition: - - - left: - iscontext: true + simple: WMICodeCreator.exe + ignorecase: true + - - operator: containsGeneral + left: value: - simple: CommandLineAnalysis.score - operator: lessThan + simple: alert.targetprocessname + iscontext: true right: value: - simple: '15' - - - ignorecase: true + simple: powershell.exe + ignorecase: true + - operator: containsGeneral left: + value: + simple: alert.targetprocessname iscontext: true + right: value: - simple: foundIncidents.CustomFields.action - operator: containsGeneral + simple: cmd.exe + ignorecase: true + - operator: containsGeneral + left: + value: + simple: alert.targetprocessname + iscontext: true right: value: - simple: BLOCKED - - left: + simple: ntdsutil.exe + ignorecase: true + - operator: containsGeneral + left: + value: + simple: alert.targetprocessname iscontext: true + right: value: - simple: foundIncidents.CustomFields.action - operator: isEqualString + simple: rundll32.exe + ignorecase: true + - - operator: notContainsGeneral + left: + value: + simple: 
alert.targetprocesscmd + iscontext: true right: value: - simple: REPORTED - label: Medium Confidence - continueonerrortype: '' - id: '8' + simple: C:\Windows\CCM + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1140, + "y": 1150 + } + } + note: false + timertriggers: [] ignoreworker: false - isautoswitchedtoquietmode: false + skipunavailable: false + quietmode: 0 isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: f0b93f7f-3f2c-4141-8de9-78fa361a7597 + type: regular + task: + id: f0b93f7f-3f2c-4141-8de9-78fa361a7597 + version: -1 + name: Get the attacker's remote host IP address + description: Returns information about each alert ID. + script: '|||core-get-cloud-original-alerts' + type: regular + iscommand: true + brand: "" nexttasks: - '#default#': - - '9' - Malicious: - - '11' - Medium Confidence: - - '10' - note: false - quietmode: 0 + '#none#': + - "1" + - "6" + scriptarguments: + alert_ids: + simple: ${alert.id} + filter_alert_fields: + simple: "false" separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 93 + } + } + note: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "27": + id: "27" + taskid: de317f0e-4b02-4628-81fa-134576939a13 + type: regular task: - brand: '' - description: 'This task identifies the risk level by considering the score and - whether a prevention rule is present in the same alert. - - - **Conditions:** - - - - If Score is **greater than or equal to 15** AND a **prevention rule exists** - in the same alert, classify the result as **Malicious**. - - - Else, if Score is **less than 15** AND a **prevention rule exists** in the - same alert, classify the result as **Suspicious**. - - - High-risk behavior with prevention rule: **Malicious**. - - Low-risk behavior with prevention rule: **Suspicious**. 
- - ' - id: 80d9b967-a4d6-46a5-814a-06d806805237 - iscommand: false - name: Check for medium-confidence threshold with a prevention alert - type: condition + id: de317f0e-4b02-4628-81fa-134576939a13 version: -1 - taskid: 80d9b967-a4d6-46a5-814a-06d806805237 + name: Get endpoint status + description: Gets a list of endpoints, according to the passed filters. If there are no filters, all endpoints are returned. Filtering by multiple fields will be concatenated using AND condition (OR is not supported). Maximum result set size is 100. Offset is the zero-based number of the endpoint from the start of the result set (start by counting from 0). + script: '|||core-get-endpoints' + type: regular + iscommand: true + brand: "" + nexttasks: + '#none#': + - "19" + scriptarguments: + endpoint_id_list: + simple: ${alert.agentid} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 451, + "y": 2140 + } + } + note: false timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "28": + id: "28" + taskid: 894c36a0-db47-468b-887c-79316156c692 type: condition - view: "{\n \"position\": {\n \"x\": 450,\n \"y\": 780\n }\n}" - '9': + task: + id: 894c36a0-db47-468b-887c-79316156c692 + version: -1 + name: Check if the causality is WMI + description: Check if the causality process image name is WMI. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "29" + WMI: + - "12" + separatecontext: false conditions: - - condition: - - - left: + - label: WMI + condition: + - - operator: containsGeneral + left: + value: + simple: alert.cgoname iscontext: true + right: value: - simple: CommandLineAnalysis.score - operator: InRange + simple: WmiPrvSE.exe + ignorecase: true + - operator: containsGeneral + left: + value: + simple: alert.cgoname + iscontext: true right: value: - simple: 10,25 - label: 'yes' - continueonerrortype: '' - id: '9' - ignoreworker: false - isautoswitchedtoquietmode: false - isoversize: false - nexttasks: - '#default#': - - '25' - 'yes': - - '10' + simple: WMIC.exe + ignorecase: true + - operator: containsGeneral + left: + value: + simple: alert.cgoname + iscontext: true + right: + value: + simple: WMICodeCreator.exe + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1643 + } + } note: false - quietmode: 0 - separatecontext: false + timertriggers: [] + ignoreworker: false skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: 2aabb75e-d911-4d92-8974-0891c6156934 + type: regular task: - brand: '' - description: "This task identifies medium-risk cases based on the score received\ - \ from the command line analysis script.\n\n**Conditions:**\n\nIf the score\ - \ is in the range of **10\u201325**, mark the result as **Suspicious**." - id: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a - iscommand: false - name: Check for medium-confidence and request remediation approval - type: condition + id: 2aabb75e-d911-4d92-8974-0891c6156934 version: -1 - taskid: d7ea9ec9-e8b0-4c5f-8ecf-84dcbb2b422a + name: Terminate causality process + description: Terminate a process tree by its causality ID. Available only for Cortex XSIAM 2.4 and above. 
+ script: '|||core-terminate-causality'
+ type: regular
+ iscommand: true
+ brand: ""
+ nexttasks:
+ '#error#':
+ - "13"
+ '#none#':
+ - "27"
+ scriptarguments:
+ agent_id:
+ simple: ${alert.agentid}
+ causality_id:
+ simple: ${alert.cid}
+ timeout_in_seconds:
+ simple: "180"
+ separatecontext: false
+ continueonerror: true
+ continueonerrortype: errorPath
+ view: |-
+ {
+ "position": {
+ "x": 819,
+ "y": 1840
+ }
+ }
+ note: false
timertriggers: []
- type: condition
- view: "{\n \"position\": {\n \"x\": 819,\n \"y\": 1840\n }\n}"
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {
+ "10_11_Approved": 0.38,
+ "10_16_#default#": 0.1,
+ "12_13_#error#": 0.64,
+ "17_14_#default#": 0.43,
+ "17_18_Isolate": 0.4,
+ "19_14_#default#": 0.21,
+ "19_23_Yes": 0.37,
+ "23_17_WORKSTATION": 0.46,
+ "23_24_#default#": 0.62,
+ "25_10_yes": 0.55,
+ "25_16_#default#": 0.1,
+ "28_12_WMI": 0.59,
+ "28_29_#default#": 0.6,
+ "29_13_#error#": 0.63,
+ "5_11_Malicious": 0.4,
+ "5_8_#default#": 0.42,
+ "8_10_Medium Confidence": 0.82,
+ "8_11_Malicious": 0.8,
+ "8_9_#default#": 0.64,
+ "9_10_yes": 0.25,
+ "9_25_#default#": 0.48
+ },
+ "paper": {
+ "dimensions": {
+ "height": 3387,
+ "width": 1451,
+ "x": 70,
+ "y": -150
+ }
+ }
+ }
+inputs: []
+outputs: []
tests:
- No tests (auto formatted)
-fromversion: 8.9.0
+fromversion: 8.9.0
\ No newline at end of file
From 61cec62948373f05d5a6c939761c1dfff016e713 Mon Sep 17 00:00:00 2001
From: ArikDay
Date: Tue, 4 Mar 2025 08:52:44 +0200
Subject: [PATCH 14/14] fix
---
 Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md
index 724a98578202..f4302cbb63df 100644
--- a/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md
+++ b/Packs/CortexResponseAndRemediation/ReleaseNotes/1_1_19.md
@@ -1 +1 @@
-## Documentation and metadata improvements.
+## Documentation and metadata improvements.
\ No newline at end of file