Cortex XDR - Endpoint Investigation
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles all the endpoint investigation actions available with Cortex XSOAR, including the following tasks: * Pre-defined MITRE Tactics * Host fields (Host ID) * Attacker fields (Attacker IP, External host) * MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Cortex XDR by Palo Alto Networks · 57 tasks · 22 inputs · 14 outputs
Inputs
HuntReconnaissanceTechniques— Set to True to hunt for identified alerts with MITRE Reconnaissance techniques.HuntInitialAccessTechniques— Set to True to hunt for identified alerts with MITRE Access techniques.HuntExecutionTechniques— Set to True to hunt for identified alerts with MITRE Execution techniques.HuntPersistenceTechniques— Set to True to hunt for identified alerts with MITRE Persistence techniques.HuntPrivilegeEscalationTechniques— Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques.HuntDefenseEvasionTechniques— Set to True to hunt for identified alerts with MITRE Defense Evasion techniques.HuntDiscoveryTechniques— Set to True to hunt for identified alerts with MITRE Discovery techniques.HuntLateralMovementTechniques— Set to True to hunt for identified alerts with MITRE Lateral Movement techniques.HuntCollectionTechniques— Set to True to hunt for MITRE Collection techniques identified alerts.HuntCnCTechniques— Set to True to hunt for identified alerts with MITRE Command and Control techniques.HuntImpactTechniques— Set to True to hunt for identified alerts with MITRE Impact techniques.HuntAttacker— Set to True to hunt the attacker IP address or external host name.HuntByTechnique— Set to True to hunt by a specific MITRE technique.HuntByHost— Set to True to hunt by the endpoint ID. The agentID input must be provided as well.HuntByFile— Boolean. Set to True to hunt by a specific file hash. Supports SHA256.agentID— The agent ID.attackerRemoteIP— The IP address of the attacker. The 'HuntAttacker' inputs should also be set to True.attackerExternalHost— The external host used by the attacker. The 'HuntAttacker' inputs should also be set to True.mitreTechniqueID— A MITRE technique identifier. The 'HuntByTechnique' inputs should also be set to True.FileSHA256— The file SHA256. The 'HuntByFile' inputs should also be set to True.timeRange— A time range to execute the hunting in. The input should be in the following format: * 1 day ago * 2 minutes ago * 4 hours ago * 8 days agoRunAll— Whether to run all the sub-tasks for Mitre Tactics.
Outputs
PaloAltoNetworksXDR.Alert— Alerts retrieved from Cortex XDRPaloAltoNetworksXDR.Alert.internal_id— The unique ID of the alert.PaloAltoNetworksXDR.Alert.source_insert_ts— The detection timestampPaloAltoNetworksXDR.Alert.alert_name— The name of the alert.PaloAltoNetworksXDR.Alert.severity— The severity of the alert.PaloAltoNetworksXDR.Alert.alert_category— The category of the alert.PaloAltoNetworksXDR.Alert.alert_action_status— The alert action. Possible values. DETECTED: detected DETECTED_0: detected (allowed the session) DOWNLOAD: detected (download) DETECTED_19: detected (forward) POST_DETECTED: detected (post detected) PROMPT_ALLOW: detected (prompt allow) DETECTED_4: detected (raised an alert) REPORTED: detected (reported) REPORTED_TRIGGER_4: detected (on write) SCANNED: detected (scanned) DETECTED_23: detected (sinkhole) DETECTED_18: detected (syncookie sent) DETECTED_21: detected (wildfire upload failure) DETECTED_20: detected (wildfire upload success) DETECTED_22: detected (wildfire upload skip) DETECTED_MTH: detected (xdr managed threat hunting) BLOCKED_25: prevented (block) BLOCKED: prevented (blocked) BLOCKED_14: prevented (block-override) BLOCKED_5: prevented (blocked the url) BLOCKED_6: prevented (blocked the ip) BLOCKED_13: prevented (continue) BLOCKED_1: prevented (denied the session) BLOCKED_8: prevented (dropped all packets) BLOCKED_2: prevented (dropped the session) BLOCKED_3: prevented (dropped the session and sent a tcp reset) BLOCKED_7: prevented (dropped the packet) BLOCKED_16: prevented (override) BLOCKED_15: prevented (override-lockout) BLOCKED_26: prevented (post detected) PROMPT_BLOCK: prevented (prompt block) BLOCKED_17: prevented (random-drop) BLOCKED_24: prevented (silently dropped the session with an icmp unreachable message to the host or application) BLOCKED_9: prevented (terminated the session and sent a tcp reset to both sides of the connection) BLOCKED_10: prevented (terminated the session and sent a tcp reset to the client) BLOCKED_11: prevented (terminated the session and sent a tcp reset to the server) BLOCKED_TRIGGER_4: prevented (on write)PaloAltoNetworksXDR.Alert.alert_action_status_readable— The alert action.PaloAltoNetworksXDR.Alert.alert_description— The alert description.PaloAltoNetworksXDR.Alert.agent_ip_addresses— The host IP.PaloAltoNetworksXDR.Alert.agent_hostname— The host name.PaloAltoNetworksXDR.Alert.mitre_tactic_id_and_name— The MITRE attack tactic.PaloAltoNetworksXDR.Alert.mitre_technique_id_and_name— The MITRE attack technique.PaloAltoNetworksXDR.Alert.starred— Whether the alert is starred or not.
Commands used
xdr-get-alerts