Endpoint Investigation Plan
This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the incident: * Pre-defined MITRE Tactics * Host fields (Host ID) * Attacker fields (Attacker IP, External host) * MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
Common Playbooks · 53 tasks · 20 inputs · 0 outputs
Inputs
HuntReconnaissanceTechniques— Set to True to hunt for identified alerts with MITRE Reconnaissance techniques.HuntInitialAccessTechniques— Set to True to hunt for identified alerts with MITRE Access techniques.HuntExecutionTechniques— Set to True to hunt for identified alerts with MITRE Execution techniques.HuntPersistenceTechniques— Set to True to hunt for identified alerts with MITRE Persistence techniques.HuntPrivilegeEscalationTechniques— Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques.HuntDefenseEvasionTechniques— Set to True to hunt for identified alerts with MITRE Defense Evasion techniques.HuntDiscoveryTechniques— Set to True to hunt for identified alerts with MITRE Discovery techniques.HuntLateralMovementTechniques— Set to True to hunt for identified alerts with MITRE Lateral Movement techniques.HuntCollectionTechniques— Set to True to hunt for MITRE Collection techniques identified alerts.HuntCnCTechniques— Set to True to hunt for identified alerts with MITRE Command and Control techniques.HuntImpactTechniques— Set to True to hunt for identified alerts with MITRE Impact techniques.HuntAttacker— Set to True to hunt the attacker IP address or external hostname.HuntByTechnique— Set to True to hunt by a specific MITRE technique.HuntByHost— Set to True to hunt by the endpoint ID. The agentID input must be provided as well.HuntByFile— Boolean. Set to True to hunt by a specific file hash. Supports SHA256.agentID— The agent ID.attackerRemoteIP— The IP address of the attacker. The 'HuntAttacker' inputs should also be set to True.attackerExternalHost— The external host used by the attacker. The 'HuntAttacker' inputs should also be set to True.mitreTechniqueID— A MITRE technique identifier. The 'HuntByTechnique' inputs should also be set to True.FileSHA256— The file SHA256. The 'HuntByFile' inputs should also be set to True.