Core v3.5.68

Automates incident response

Author:
Cortex XSOAR
Support:
xsoar
URL:
https://www.paloaltonetworks.com/cortex
exposure_managementcloudcloud_runtime_securityagentixcloud_posturexsiamEDR
Endpoint

Layout rules (1)

  • Identity Analytics Alerts Layout Rule

Lists (1)

  • CIDR - Allowedlist

Triggers (11)

  • Trigger_-_IOC_Alert
  • Trigger_-_Identity_Analytics_Alerts
  • Trigger_-_Impossible_Traveler
  • Trigger_-_Large_Upload_Alert
  • Trigger_-_NGFW_Scan
  • Trigger_-_Possible_External_RDP_Brute-Force
  • Trigger_-_Ransomware_Response
  • Trigger_-_Remote_PsExec_with_LOLBIN_command_execution_alert
  • Trigger_-_T1036_-_Masquerading
  • Trigger_-_T1059_-_Command_and_Scripting_Interpreter
  • Trigger_-_WildFire_and_Wildfire_Post_detection

README

Cortex XSIAM is an intelligent data foundation, where high-quality telemetry across the security infrastructure, threat intelligence, external attack surface data and user response actions are ingested and integrated automatically. Unlike SIEM, Cortex XSIAM ingests granular data – not just alerts and logs – to fuel many layers of machine learning that automate critical threat detection and remediation steps downstream.

What does this pack do?

The playbooks included in this pack help you respond to Cortex XSIAM alerts in a timely manner. They also help automate repetitive tasks associated with Cortex XSIAM alerts:

  • Syncs and updates Cortex XSIAM alerts.
  • Triggers a sub-playbook to handle each alert by type.
  • Extracts and enriches all relevant indicators from the source alert.
  • Hunts for related IOCs.
  • Calculates the severity of the alert.
  • Interacts with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
  • Remediates the incident by blocking malicious indicators and isolating infected endpoints.
  • Run XQL Queries as part of an automation, or in a playbook (consumes compute units).

Cortex XSIAM Video

T1036 - Masquerading