Endpoint Investigation Plan

This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the incident: * Pre-defined MITRE Tactics * Host fields (Host ID) * Attacker fields (Attacker IP, External host) * MITRE techniques * File hash (currently, the playbook supports only SHA256) Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Common Playbooks · 53 tasks · 20 inputs · 0 outputs

Inputs

  • HuntReconnaissanceTechniques — Set to True to hunt for identified alerts with MITRE Reconnaissance techniques.
  • HuntInitialAccessTechniques — Set to True to hunt for identified alerts with MITRE Access techniques.
  • HuntExecutionTechniques — Set to True to hunt for identified alerts with MITRE Execution techniques.
  • HuntPersistenceTechniques — Set to True to hunt for identified alerts with MITRE Persistence techniques.
  • HuntPrivilegeEscalationTechniques — Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques.
  • HuntDefenseEvasionTechniques — Set to True to hunt for identified alerts with MITRE Defense Evasion techniques.
  • HuntDiscoveryTechniques — Set to True to hunt for identified alerts with MITRE Discovery techniques.
  • HuntLateralMovementTechniques — Set to True to hunt for identified alerts with MITRE Lateral Movement techniques.
  • HuntCollectionTechniques — Set to True to hunt for MITRE Collection techniques identified alerts.
  • HuntCnCTechniques — Set to True to hunt for identified alerts with MITRE Command and Control techniques.
  • HuntImpactTechniques — Set to True to hunt for identified alerts with MITRE Impact techniques.
  • HuntAttacker — Set to True to hunt the attacker IP address or external hostname.
  • HuntByTechnique — Set to True to hunt by a specific MITRE technique.
  • HuntByHost — Set to True to hunt by the endpoint ID. The agentID input must be provided as well.
  • HuntByFile — Boolean. Set to True to hunt by a specific file hash. Supports SHA256.
  • agentID — The agent ID.
  • attackerRemoteIP — The IP address of the attacker. The 'HuntAttacker' inputs should also be set to True.
  • attackerExternalHost — The external host used by the attacker. The 'HuntAttacker' inputs should also be set to True.
  • mitreTechniqueID — A MITRE technique identifier. The 'HuntByTechnique' inputs should also be set to True.
  • FileSHA256 — The file SHA256. The 'HuntByFile' inputs should also be set to True.

Flowchart

yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes yes Start Start Should hunt for Discovery techniques? Should hunt for Discovery... Should hunt for Persistence techniques? Should hunt for Persisten... Should hunt for Initial Access techniques? Should hunt for Initial A... Should hunt for Privilege Escalation techniques? Should hunt for Privilege... Should hunt for Defense Evasion techniques? Should hunt for Defense E... Should hunt for Execution techniques? Should hunt for Execution... Should hunt for Lateral Movement techniques? Should hunt for Lateral M... Should hunt for Collection techniques? Should hunt for Collectio... Should investigate by attacker source IP? Should investigate by att... Should hunt by host fields? Should hunt by host fields? Should investigate by MITRE techniques? Should investigate by MIT... Should investigate by file hash? Should investigate by fil... Done Done Persistence Persistence Hunt Persistence techniques - SearchIncidentsV2 Hunt Persistence techniques SearchIncidentsV2 Initial Access Initial Access Execution Execution Privilege Escalation Privilege Escalation Defense Evasion Defense Evasion Discovery Discovery Lateral Movement Lateral Movement Collection Collection Should hunt for CnC techniques? Should hunt for CnC techn... Should hunt for Impact techniques? Should hunt for Impact te... Command and Control Command and Control Impact Impact Should hunt for suspicious Reconnaissance techniques? Should hunt for suspiciou... Reconnaissance Reconnaissance Hunt Reconnaissance techniques - SearchIncidentsV2 Hunt Reconnaissance techn... SearchIncidentsV2 Hunt Initial Access techniques - SearchIncidentsV2 Hunt Initial Access techn... SearchIncidentsV2 Hunt Execution techniques - SearchIncidentsV2 Hunt Execution techniques SearchIncidentsV2 Hunt Privilege Escalation techniques - SearchIncidentsV2 Hunt Privilege Escalation... SearchIncidentsV2 Hunt Defense Evasion techniques - SearchIncidentsV2 Hunt Defense Evasion tech... SearchIncidentsV2 Hunt Discovery techniques - SearchIncidentsV2 Hunt Discovery techniques SearchIncidentsV2 Hunt Lateral Movement techniques - SearchIncidentsV2 Hunt Lateral Movement tec... SearchIncidentsV2 Hunt Collection techniques - SearchIncidentsV2 Hunt Collection techniques SearchIncidentsV2 Hunt Command and Control techniques - SearchIncidentsV2 Hunt Command and Control ... SearchIncidentsV2 Hunt Impact techniques - SearchIncidentsV2 Hunt Impact techniques SearchIncidentsV2 Host activity Host activity Hunt by host ID - SearchIncidentsV2 Hunt by host ID SearchIncidentsV2 Attacker network activity Attacker network activity Hunt by attacker source IP - SearchIncidentsV2 Hunt by attacker source IP SearchIncidentsV2 MITRE Techniques MITRE Techniques Hunt by technique ID - SearchIncidentsV2 Hunt by technique ID SearchIncidentsV2 Hunt File Hash Hunt File Hash Hunt by file hash - SearchIncidentsV2 Hunt by file hash SearchIncidentsV2 Hunt by MITRE Tactics Hunt by MITRE Tactics Hunt by Indicators Hunt by Indicators Done Done Should investigate by attacker's external host? Should investigate by att... Attacker network activity Attacker network activity Hunt by attacker source external host - SearchIncidentsV2 Hunt by attacker source e... SearchIncidentsV2