Proactive Threat Hunting - SDO Threat Hunting
This playbook will be executed when the analyst chooses to perform SDO hunting. The playbook receives an SDO type indicator and executes the following steps: - Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs. - Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook. - Searches attack patterns that are related to the SDO indicator. - Searches LOLBAS tools that are related to the found attack patterns. - Hunts for LOLBin executions command-line arguments that are similar to LOLBAS malicious commands patterns.
Proactive Threat Hunting · 26 tasks · 4 inputs · 0 outputs
Inputs
SDOName— The SDO name.SDOType— The SDO type.HuntingTimeFrame— Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.StringSimilarityThreshold— StringSimilarity automation threshold. StringSimilarity is being used in this playbook to compare between pattern of malicious use in a tool and command-line arguments found in the environment. Please provide number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
Commands used
appendIndicatorField
associateIndicatorsToIncident
setIncident