FireEye Red Team Tools Investigation and Response
This playbook does the following: Collect indicators to aid in your threat hunting process. - Retrieve IOCs of FireEye red team tools. - Discover IOCs of associated activity related to the infection. - Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators - Search endpoints with the FireEye red team tools CVEs. - Search endpoint logs for FireEye red team tools hashes. - Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
Rapid Breach Response · 27 tasks · 3 inputs · 0 outputs
Inputs
FireEyeToolsCVE— CVE-2019-0708 ,CVE-2017-11774FireEyeRedTeamToolsCVEsURL— The URL of FireEye red team tools CVEsIsolateEndpointAutomatically— Whether to automatically isolate endpoints, or opt for manual user approval. True means isolation will be done automatically.
Commands used
appendIndicatorField
closeInvestigation
createNewIndicator
cve
enrichIndicators
extractIndicators
linkIncidents