MITRE ATT&CK - Courses of Action v1.0.11
Looking for actionable intelligence? This intelligence-driven Pack provides manual or automated remediation of MITRE ATT&CK techniques.
- Author:
- Cortex XSOAR
- Support:
- xsoar
Incident fields (49)
- Anti-Spyware Profile Name
- Anti-Spyware Profile Status
- Anti-Spyware Rules
- Anti-Virus Profile Name
- Anti-Virus Profile Status
- Anti-Virus Rules
- BPA Failed Checks - Anti-Spyware
- BPA Failed Checks - Anti-Virus
- BPA Failed Checks - File Blocking
- BPA Failed Checks - URL Filtering
- BPA Failed Checks - Vulnerability Protection
- BPA Failed Checks - WildFire
- BPA Passed Checks - Anti-Spyware
- BPA Passed Checks - Anti-Virus
- BPA Passed Checks - File Blocking
- BPA Passed Checks - URL Filtering
- BPA Passed Checks - Vulnerability Protection
- BPA Passed Checks - WildFire
- Best Practices Description
- Collection Remediation Products
- Command and Control Remediation Products
- Credential Access Remediation Products
- Defense Evasion Remediation Products
- Discovery Remediation Products
- Executed Remediation Summary Description
- Execution Remediation Products
- Exfiltration Remediation Products
- File Blocking Profile Name
- File Blocking Profile Status
- File Blocking Rules
- Handled Techniques
- Impact Remediation Products
- Initial Access Remediation Products
- Lateral Movement Remediation Products
- Persistence Remediation Products
- Privilege Escalation Remediation Products
- Remediated Techniques
- Techniques List
- Techniques to Handle
- URL Filtering Profile Name
- URL Filtering Profile Status
- URL Filtering Rules
- Unhandled Techniques
- Vulnerability Protection Profile Name
- Vulnerability Protection Profile Status
- Vulnerability Protection Rules
- WildFire Profile Name
- WildFire Profile Status
- WildFire Rules
Incident types (1)
Layouts (1)
Playbooks (55)
- Courses of Action - Collection
- Courses of Action - Command and Control
- Courses of Action - Credential Access
- Courses of Action - Defense Evasion
- Courses of Action - Discovery
- Courses of Action - Execution
- Courses of Action - Exfiltration
- Courses of Action - Impact
- Courses of Action - Initial Access
- Courses of Action - Lateral Movement
- Courses of Action - Persistence
- Courses of Action - Privilege Escalation
- MITRE ATT&CK - Courses of Action
- MITRE ATT&CK CoA - T1003 - OS Credential Dumping
- MITRE ATT&CK CoA - T1005 - Data from Local System
- MITRE ATT&CK CoA - T1021.001 - Remote Desktop Protocol
- MITRE ATT&CK CoA - T1027 - Obfuscated Files or Information
- MITRE ATT&CK CoA - T1041 - Exfiltration Over C2 Channel
- MITRE ATT&CK CoA - T1048 - Exfiltration Over Alternative Protocol
- MITRE ATT&CK CoA - T1057 - Process Discovery
- MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter
- MITRE ATT&CK CoA - T1059.001 - PowerShell
- MITRE ATT&CK CoA - T1068 - Exploitation for Privilege Escalation
- MITRE ATT&CK CoA - T1071 - Application Layer Protocol
- MITRE ATT&CK CoA - T1078 - Valid Accounts
- MITRE ATT&CK CoA - T1082 - System Information Discovery
- MITRE ATT&CK CoA - T1083 - File and Directory Discovery
- MITRE ATT&CK CoA - T1105 - Ingress tool transfer
- MITRE ATT&CK CoA - T1110 - Brute Force
- MITRE ATT&CK CoA - T1133 - External Remote Services
- MITRE ATT&CK CoA - T1135 - Network Share Discovery
- MITRE ATT&CK CoA - T1189 - Drive-by Compromise
- MITRE ATT&CK CoA - T1199 - Trusted Relationship
- MITRE ATT&CK CoA - T1204 - User Execution
- MITRE ATT&CK CoA - T1486 - Data Encrypted for Impact
- MITRE ATT&CK CoA - T1518 - Software Discovery
- MITRE ATT&CK CoA - T1543.003 - Windows Service
- MITRE ATT&CK CoA - T1547 - Boot or Logon Autostart Execution
- MITRE ATT&CK CoA - T1547.001 - Registry Run Keys Startup Folder
- MITRE ATT&CK CoA - T1560.001 - Archive via Utility
- MITRE ATT&CK CoA - T1562.001 - Disable or Modify Tools
- MITRE ATT&CK CoA - T1564.004 - NTFS File Attributes
- MITRE ATT&CK CoA - T1566 - Phishing
- MITRE ATT&CK CoA - T1566.001 - Spear-Phishing Attachment
- MITRE ATT&CK CoA - T1569.002 - Service Execution
- MITRE ATT&CK CoA - T1573.002 - Asymmetric Cryptography
- PAN-OS - Apply Security Profile to Policy Rule
- PAN-OS - Block all unknown and unauthorized applications
- PAN-OS - Enforce Anti-Spyware Best Practices Profile
- PAN-OS - Enforce Anti-Virus Best Practices Profile
- PAN-OS - Enforce File Blocking Best Practices Profile
- PAN-OS - Enforce URL Filtering Best Practices Profile
- PAN-OS - Enforce Vulnerability Protection Best Practices Profile
- PAN-OS - Enforce WildFire Best Practices Profile
- Palo Alto Networks BPA - Submit Scan
Scripts (2)
README
The process of ingesting quality threat intelligence, mapping the intelligence reports into MITRE ATT&CK tactics and techniques, and then translating this information into reliable and usable remediation steps can be tedious and very time consuming. This MITRE ATT&CK - Courses of Action Pack contains intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team, that will enable you to handle MITRE ATT&CK techniques and sub-techniques in an organized and automated manner. This will make sure your organization is not only blocking specific reported IOCs but also taking a more holistic approach to prevent future attacks.
Using this content Pack, you can automate this whole process and have all of the information gathered in one place to help you keep your organization protected.
Each technique is mapped out-of-the-box into the specific Courses of Action that your organization needs in order to stay protected, using Palo Alto Networks products.
With this Pack, you can reduce the time your teams spend on consuming threat intelligence and translating the reports into action items, and on sustaining best practices policies for your security products.
What does this Pack do?
- Automatically maps MITRE ATT&CK Techniques into Courses of Action playbooks.
- Takes action to remediate the techniques throughout Palo Alto Networks security products, following the MITRE ATT&CK kill chain.
- Checks existing profiles against best practices and suggests manual or automated policy changes.
- The playbooks in the Pack can be triggered manually, by a job, by an incident, or by any threat intelligence feed.
- MITRE ATT&CK techniques are the playbook inputs and therefore playbooks can be triggered by any 3-rd party tools mapping to this framework.
- When used with Unit 42 feed ingesting Actionable Threat Objects and Mitigations (ATOMs) - get notified as soon as there is a new threat actor report and take action immediately.
For more information, please refer to the MITRE ATT&CK - Courses of Action article.
MITRE ATT&CK Dashboard

Unit 42 STIX Report Indicators

MITRE ATT&CK - Courses of Action Sample Playbook
