Core v3.5.68
Automates incident response
- Author:
- Cortex XSOAR
- Support:
- xsoar
exposure_managementcloudcloud_runtime_securityagentixcloud_posturexsiamEDR
Endpoint
Integrations (4)
Layout rules (1)
- Identity Analytics Alerts Layout Rule
Layouts (5)
Lists (1)
- CIDR - Allowedlist
Playbooks (20)
- AWS IAM User Access Investigation Deprecated
- AWS IAM User Access Investigation - Remediation Deprecated
- IOC Alert
- Identity Analytics - Alert Handling
- Impossible Traveler - Enrichment
- Impossible Traveler Response
- Issue Exception Approval
- Large Upload Alert
- Local Analysis alert Investigation
- NGFW Internal Scan
- NGFW Scan
- Possible External RDP Brute-Force
- Possible External RDP Brute-Force - Set Verdict
- Ransomware Advanced Analysis
- Ransomware Enrich and Contain
- Ransomware Response
- Remote PsExec with LOLBIN command execution alert
- T1036 - Masquerading
- T1059 - Command and Scripting Interpreter
- WildFire Malware
Scripts (10)
Triggers (11)
- Trigger_-_IOC_Alert
- Trigger_-_Identity_Analytics_Alerts
- Trigger_-_Impossible_Traveler
- Trigger_-_Large_Upload_Alert
- Trigger_-_NGFW_Scan
- Trigger_-_Possible_External_RDP_Brute-Force
- Trigger_-_Ransomware_Response
- Trigger_-_Remote_PsExec_with_LOLBIN_command_execution_alert
- Trigger_-_T1036_-_Masquerading
- Trigger_-_T1059_-_Command_and_Scripting_Interpreter
- Trigger_-_WildFire_and_Wildfire_Post_detection
README
Cortex XSIAM is an intelligent data foundation, where high-quality telemetry across the security infrastructure, threat intelligence, external attack surface data and user response actions are ingested and integrated automatically. Unlike SIEM, Cortex XSIAM ingests granular data – not just alerts and logs – to fuel many layers of machine learning that automate critical threat detection and remediation steps downstream.
What does this pack do?
The playbooks included in this pack help you respond to Cortex XSIAM alerts in a timely manner. They also help automate repetitive tasks associated with Cortex XSIAM alerts:
- Syncs and updates Cortex XSIAM alerts.
- Triggers a sub-playbook to handle each alert by type.
- Extracts and enriches all relevant indicators from the source alert.
- Hunts for related IOCs.
- Calculates the severity of the alert.
- Interacts with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
- Remediates the incident by blocking malicious indicators and isolating infected endpoints.
- Run XQL Queries as part of an automation, or in a playbook (consumes compute units).

