Cortex XDR - Endpoint Investigation

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles all the endpoint investigation actions available with Cortex XSOAR, including the following tasks: * Pre-defined MITRE Tactics * Host fields (Host ID) * Attacker fields (Attacker IP, External host) * MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Cortex XDR by Palo Alto Networks · 57 tasks · 22 inputs · 14 outputs

Inputs

  • HuntReconnaissanceTechniques — Set to True to hunt for identified alerts with MITRE Reconnaissance techniques.
  • HuntInitialAccessTechniques — Set to True to hunt for identified alerts with MITRE Access techniques.
  • HuntExecutionTechniques — Set to True to hunt for identified alerts with MITRE Execution techniques.
  • HuntPersistenceTechniques — Set to True to hunt for identified alerts with MITRE Persistence techniques.
  • HuntPrivilegeEscalationTechniques — Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques.
  • HuntDefenseEvasionTechniques — Set to True to hunt for identified alerts with MITRE Defense Evasion techniques.
  • HuntDiscoveryTechniques — Set to True to hunt for identified alerts with MITRE Discovery techniques.
  • HuntLateralMovementTechniques — Set to True to hunt for identified alerts with MITRE Lateral Movement techniques.
  • HuntCollectionTechniques — Set to True to hunt for MITRE Collection techniques identified alerts.
  • HuntCnCTechniques — Set to True to hunt for identified alerts with MITRE Command and Control techniques.
  • HuntImpactTechniques — Set to True to hunt for identified alerts with MITRE Impact techniques.
  • HuntAttacker — Set to True to hunt the attacker IP address or external host name.
  • HuntByTechnique — Set to True to hunt by a specific MITRE technique.
  • HuntByHost — Set to True to hunt by the endpoint ID. The agentID input must be provided as well.
  • HuntByFile — Boolean. Set to True to hunt by a specific file hash. Supports SHA256.
  • agentID — The agent ID.
  • attackerRemoteIP — The IP address of the attacker. The 'HuntAttacker' inputs should also be set to True.
  • attackerExternalHost — The external host used by the attacker. The 'HuntAttacker' inputs should also be set to True.
  • mitreTechniqueID — A MITRE technique identifier. The 'HuntByTechnique' inputs should also be set to True.
  • FileSHA256 — The file SHA256. The 'HuntByFile' inputs should also be set to True.
  • timeRange — A time range to execute the hunting in. The input should be in the following format: * 1 day ago * 2 minutes ago * 4 hours ago * 8 days ago
  • RunAll — Whether to run all the sub-tasks for Mitre Tactics.

Outputs

  • PaloAltoNetworksXDR.Alert — Alerts retrieved from Cortex XDR
  • PaloAltoNetworksXDR.Alert.internal_id — The unique ID of the alert.
  • PaloAltoNetworksXDR.Alert.source_insert_ts — The detection timestamp
  • PaloAltoNetworksXDR.Alert.alert_name — The name of the alert.
  • PaloAltoNetworksXDR.Alert.severity — The severity of the alert.
  • PaloAltoNetworksXDR.Alert.alert_category — The category of the alert.
  • PaloAltoNetworksXDR.Alert.alert_action_status — The alert action. Possible values. DETECTED: detected DETECTED_0: detected (allowed the session) DOWNLOAD: detected (download) DETECTED_19: detected (forward) POST_DETECTED: detected (post detected) PROMPT_ALLOW: detected (prompt allow) DETECTED_4: detected (raised an alert) REPORTED: detected (reported) REPORTED_TRIGGER_4: detected (on write) SCANNED: detected (scanned) DETECTED_23: detected (sinkhole) DETECTED_18: detected (syncookie sent) DETECTED_21: detected (wildfire upload failure) DETECTED_20: detected (wildfire upload success) DETECTED_22: detected (wildfire upload skip) DETECTED_MTH: detected (xdr managed threat hunting) BLOCKED_25: prevented (block) BLOCKED: prevented (blocked) BLOCKED_14: prevented (block-override) BLOCKED_5: prevented (blocked the url) BLOCKED_6: prevented (blocked the ip) BLOCKED_13: prevented (continue) BLOCKED_1: prevented (denied the session) BLOCKED_8: prevented (dropped all packets) BLOCKED_2: prevented (dropped the session) BLOCKED_3: prevented (dropped the session and sent a tcp reset) BLOCKED_7: prevented (dropped the packet) BLOCKED_16: prevented (override) BLOCKED_15: prevented (override-lockout) BLOCKED_26: prevented (post detected) PROMPT_BLOCK: prevented (prompt block) BLOCKED_17: prevented (random-drop) BLOCKED_24: prevented (silently dropped the session with an icmp unreachable message to the host or application) BLOCKED_9: prevented (terminated the session and sent a tcp reset to both sides of the connection) BLOCKED_10: prevented (terminated the session and sent a tcp reset to the client) BLOCKED_11: prevented (terminated the session and sent a tcp reset to the server) BLOCKED_TRIGGER_4: prevented (on write)
  • PaloAltoNetworksXDR.Alert.alert_action_status_readable — The alert action.
  • PaloAltoNetworksXDR.Alert.alert_description — The alert description.
  • PaloAltoNetworksXDR.Alert.agent_ip_addresses — The host IP.
  • PaloAltoNetworksXDR.Alert.agent_hostname — The host name.
  • PaloAltoNetworksXDR.Alert.mitre_tactic_id_and_name — The MITRE attack tactic.
  • PaloAltoNetworksXDR.Alert.mitre_technique_id_and_name — The MITRE attack technique.
  • PaloAltoNetworksXDR.Alert.starred — Whether the alert is starred or not.

Commands used

xdr-get-alerts

Flowchart

true true true true true true true true true true true true true true true true true true true true true true true true true true Start Start Should hunt for Discovery techniques? Should hunt for Discovery... Should hunt for Persistence techniques? Should hunt for Persisten... Should hunt for Initial Access techniques? Should hunt for Initial A... Should hunt for Privilege Escalation techniques? Should hunt for Privilege... Should hunt for Defense Evasion techniques? Should hunt for Defense E... Should hunt for Execution techniques? Should hunt for Execution... Should hunt for Lateral Movement techniques? Should hunt for Lateral M... Should hunt for Collection techniques? Should hunt for Collectio... Should investigate by attacker fields? Should investigate by att... Should hunt by host fields? Should hunt by host fields? Should investigate by MITRE techniques? Should investigate by MIT... Should investigate by file hash? Should investigate by fil... Done Done Persistence Persistence Hunt Persistence techniques - xdr-get-alerts Hunt Persistence techniques xdr-get-alerts Initial Access Initial Access Execution Execution Privilege Escalation Privilege Escalation Defense Evasion Defense Evasion Discovery Discovery Lateral Movement Lateral Movement Collection Collection Should hunt for CnC techniques? Should hunt for CnC techn... Should hunt for Impact techniques? Should hunt for Impact te... Command and Control Command and Control Impact Impact Should hunt for suspicious Reconnaissance techniques? Should hunt for suspiciou... Reconnaissance Reconnaissance Hunt Reconnaissance techniques - xdr-get-alerts Hunt Reconnaissance techn... xdr-get-alerts Hunt Initial Access techniques - xdr-get-alerts Hunt Initial Access techn... xdr-get-alerts Hunt Execution techniques - xdr-get-alerts Hunt Execution techniques xdr-get-alerts Hunt Privilege Escalation techniques - xdr-get-alerts Hunt Privilege Escalation... xdr-get-alerts Hunt Defense Evasion techniques - xdr-get-alerts Hunt Defense Evasion tech... xdr-get-alerts Hunt Discovery techniques - xdr-get-alerts Hunt Discovery techniques xdr-get-alerts Hunt Lateral Movement techniques - xdr-get-alerts Hunt Lateral Movement tec... xdr-get-alerts Hunt Collection techniques - xdr-get-alerts Hunt Collection techniques xdr-get-alerts Hunt Command and Control techniques - xdr-get-alerts Hunt Command and Control ... xdr-get-alerts Hunt Impact techniques - xdr-get-alerts Hunt Impact techniques xdr-get-alerts Host activity Host activity Attacker network activity Attacker network activity Hunt by attacker external host - xdr-get-alerts Hunt by attacker external... xdr-get-alerts MITRE Techniques MITRE Techniques Hunt by technique ID - xdr-get-alerts Hunt by technique ID xdr-get-alerts Hunt File Hash Hunt File Hash Hunt by causality actor process image hash - xdr-get-alerts Hunt by causality actor p... xdr-get-alerts Hunt by MITRE Tactics Hunt by MITRE Tactics Hunt by Indicators Hunt by Indicators Done Done Hunt by host ID - xdr-get-alerts Hunt by host ID xdr-get-alerts Run all Hunting Queries on Mitre Tactics? Run all Hunting Queries o... Hunt by destination attacker external host - xdr-get-alerts Hunt by destination attac... xdr-get-alerts Hunt by remote attacker IP - xdr-get-alerts Hunt by remote attacker IP xdr-get-alerts Hunt by local attacker IP - xdr-get-alerts Hunt by local attacker IP xdr-get-alerts Hunt by action file image hash - xdr-get-alerts Hunt by action file image... xdr-get-alerts Hunt by action process image hash - xdr-get-alerts Hunt by action process im... xdr-get-alerts Hunt by actor process image hash - xdr-get-alerts Hunt by actor process ima... xdr-get-alerts