Common Playbooks

This playbook is used to block files from running on endpoints.
This playbook supports the following integrations:

• Palo Alto Networks Traps
• Palo Alto Networks Cortex XDR
• Cybereason
• Carbon Black Enterprise Response
• Cylance Protect v2
• Crowdstrike Falcon
• Microsoft Defender for Endpoint.

This playbook retrieves a specified EML/MSG file directly from the email security gateway product.

This playbook provides a generic enrichment of AWS, GCP, and Azure compute resources.

This playbook executes one sub-playbook and one automation to check the email headers:

• Process Microsoft's Anti-Spam Headers - This playbook stores the SCL, BCL and PCL scores if they exist to the relevant alert fields (Phishing SCL Score, Phishing PCL Score, Phishing BCL Score).
• CheckEmailAuthenticity - This automation checks email authenticity based on its SPF, DMARC, and DKIM.

This playbook polls a field to check if a specific value exists.

This playbook identifies duplicate alerts using the Cortex machine learning method (script).
In this playbook, you can choose fields and/or indicators to be compared against other alerts in the Cortex database.

Note: To identify similar alerts you must properly define the playbook inputs.

This playbook checks prior alert closing reasons and performs enrichment and prevalence checks on different IOC types. It then returns the information needed to establish the alert's verdict.

This playbook isolates a given endpoint using various endpoint product integrations.
Make sure to provide valid playbook inputs for the integration you are using.

Deprecated. Use 'Block Domain - Generic v2' instead. This playbook blocks malicious Domains using all integrations that are enabled.

Supported integrations for this playbook:

• Zscaler
• Symantec Messaging Gateway
• FireEye EX
• Trend Micro Apex One
• Proofpoint Threat Response

Generic Cloud Enrichment Playbook

The Cloud Enrichment - Generic Playbook is designed to unify all the relevant playbooks concerning the enrichment of information in the cloud. It provides a standardized approach to enriching information in cloud environments.

Supported Blocks

1. Cloud IAM Enrichment - Generic

   • Enriches information related to Identity and Access Management (IAM) in the cloud.

2. Cloud Compute Enrichment - Generic

   • Enriches information related to cloud compute resources.

The playbook supports a single CSP enrichment at a time.

This playbook checks the file reputation and sets the verdict as a new context key.

The verdict is composed by 3 main components:

• VirusTotal detection rate
• Digital certificate signers
• NSRL DB

Note: a user can provide a list of trusted signers of his own using the playbook inputs

This playbook is one of the sub-playbooks in the eradication plan.
This playbook executes actions of file deletion, which is a crucial step in the eradication process.

Enrich domains using one or more integrations.
Domain enrichment includes:

• Threat information
• Domain reputation using !domain command

Enrich IP addresses using one or more integrations.

• Resolve IP addresses to hostnames (DNS).
• Provide threat information.
• IP address reputation using !ip command.
• Separate internal and external addresses.

This playbook searches for failed logon on a specific user by querying logs from different sources.

Supported Integrations:
-Splunk
-QRadar
-Azure Log Analytics.

Containment Plan - Isolate Device

This playbook is a sub-playbook within the containment plan playbook.
The playbook isolates devices using core commands.

This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
The following integrations are supported:

• Cortex XDR XQL Engine
• Microsoft Defender For Endpoint

The playbook enables you to get all of the corresponding file hashes for a file even if there is only one hash type available.
For example, if we have only the SHA256 hash, the playbook will get the SHA1 and MD5 hashes as long as the
original searched hash is recognized by any our the threat intelligence integrations.

This playbook handles all the eradication actions available with Cortex XSIAM, including the following sub-playbooks:

• Eradication Plan - Reset user password
• Eradication Plan - Delete file
• Eradication Plan - Kill process (currently, the playbook supports terminating a process by name)

Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.

This playbook extracts indicators from a file.
Supported file types:

• CSV
• PDF
• TXT
• HTM, HTML
• DOC, DOCX
• PPT
• PPTX
• RTF
• XLS
• XLSX
• XML
• XLSM
• DOCM
• PPTM
• DOTM
• XLSB
• DOT
• PPSM
• PNG
• JPG/JPEG
• GIF (when Image OCR is enabled).
  In addition, the playbook supports QR codes.
  The playbook does not support encrypted / password-protected files such as XLSB. Such files will be skipped.

Deprecated. Use Get File Sample By Hash - Generic v3 instead. This playbook returns a file sample correlating to a hash in the war-room using the following sub-playbooks:

• Get File Sample By Hash - Carbon Black Enterprise Response
• Get File Sample By Hash - Cylance Protect v2

This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:

• Cortex XDR XQL Engine
• Cortex XDR IR(Search executions inside XDR alerts)
• Microsoft Defender For Endpoint

Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:

• value: process name
• commands: command-line arguments

This playbook is responsible for collecting and enriching data on Identity Access Management (IAM) in cloud environments (AWS, Azure, and GCP).

Deprecated. Use Retrieve File from Endpoint - Generic V3 instead.
This playbook retrieves a file sample from an endpoint using the following playbooks:

• Get File Sample From Path - Generic
• Get File Sample By Hash - Generic v2

This playbook performs an investigation on a specific user in cloud environments, using queries and logs from Azure Log Analytics, AWS CloudTrail, G Suite Auditor, and GCP Logging.

Deprecated. Use the Dedup - Generic v4 playbook instead. This playbook identifies duplicate alerts using one of the supported methods.
Select one of the following methods to identify duplicate alerts in Cortex.

• ml: Machine learning model, which is trained mostly on phishing alerts.
  -rules: Rules help identify duplicate alerts when the logic is well defined, for example, the same label or custom fields.
  -text: Statistics algorithm that compares text, which is generally useful for phishing alerts.
  For each method, the playbook will search for the oldest similar alert. when there is a match for a similar alert the playbook will close the current alert and will link it to the older alert.

This playbook is one of the sub-playbooks in the eradication plan.
This playbook handles the termination of the processes as a crucial step in the eradication action.
The playbook executes actions of process termination, which is a crucial step in the eradication process.
The process termination can be performed based on either the process ID or the process name.

Deprecated. Use the Endpoint Enrichment - Generic v2.1 playbook instead.
This playbook uses the generic command !endpoint to retrieve details on a specific endpoint.
This command currently supports the following integrations:

• Palo Alto Networks Cortex XDR - Investigation and Response.
• CrowdStrike Falcon.

This playbook handles all the recovery actions available with Cortex XSIAM, including the following tasks:

• Unisolate endpoint
• Restore quarantined file

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Deprecated. Use 'Block URL - Generic v2' instead.

Enrich accounts using one or more integrations.
Supported integrations:

• Active Directory
• Microsoft Graph User
• SailPoint IdentityNow
• SailPoint IdentityIQ
• PingOne
• Okta
• AWS IAM
• Cortex XDR (account enrichment and reputation)

Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.

Retrieves files from endpoints by the file hash or the file path.

This playbook retrieves information on all of the associated user devices.
In order to get a generic output, the following information on all of the retrieved devices will be saved under the UserDevices context key:

• Name
• Serial Number
• ID
• Model
• MAC Address
• OS
• Integration

Note that not all of the supported integrations will be able to retrieve this information.

In order to get the full list of supported integrations, read the following sub-playbooks descriptions:

• Get User Devices by Username - Generic
• Get User Devices by Email Address - Generic

This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks:

• Containment Plan - Isolate endpoint
• Containment Plan - Disable account
• Containment Plan - Quarantine file
• Containment Plan - Block indicators
• Containment Plan - Clear user session (currently, the playbook supports only Okta)

Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.

Deprecated. Use the "Get Original Email - Generic v2" playbook under the "Phishing" pack instead.

Enrich Internal IP addresses using one or more integrations.

• Resolve IP address to hostname (DNS)
• Separate internal and external IP addresses
• Get host information for IP addresses.

Containment Plan - Disable Account

This playbook is a sub-playbook within the containment plan playbook.
The playbook disables users by utilizing the sub-playbook "Block Account - Generic v2"

This playbook polls a context key to check if a specific value exists.

Deprecated. Use the Dedup Generic v3 playbook instead. This playbook identifies duplicate alerts using one of the supported methods.

This playbook returns a file sample correlating to a hash in the War Room using the following sub-playbooks:

• Get binary file by MD5 hash from Carbon Black telemetry data - VMware Carbon Black EDR v2.
• Get the threat (file) associated with a specific SHA256 hash - Cylance Protect v2.
• Get the file associated with a specific MD5 or SHA256 hash - Code42.

This playbook performs CVE Enrichment using the following integrations:

• VulnDB
• CVE Search
• IBM X-Force Exchange

Enrich URLs using one or more integrations.

URL enrichment includes:

• SSL verification for URLs.
• Threat information.
• Providing of URL screenshots.
• URL Reputation using !url.

This playbook takes a command line from the alert and performs the following actions:

• Checks for base64 string and decodes if exists
• Extracts and enriches indicators from the command line
• Checks specific arguments for malicious usage

At the end of the playbook, it sets a possible verdict for the command line, based on the finding:

1. Indicators found in the command line
2. Found AMSI techniques
3. Found suspicious parameters
4. Usage of malicious tools
5. Indication of network activity
6. Indication of suspicious LOLBIN execution
7. Suspicious path and arguments in the command line

Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input".

Ticket Management - Generic allows you to open new tickets or update comments to the existing ticket in the following ticketing systems:
-ServiceNow
-Zendesk
using the following sub-playbooks:
-ServiceNow - Ticket Management
-Zendesk - Ticket Management

This playbook iterates over closed alerts, generates a summary report for each closed alert, and emails the reports to specified users.

Deprecated. Use Retrieve File from Endpoint - Generic V3 instead.
'This playbook retrieves a file sample from an endpoint using the following playbooks:'

• Get File Sample From Path - Generic v2.
• Get File Sample By Hash - Generic v3.

Deprecated. Use Detonate URL - Generic v1.5 playbook instead. Detonate URL through active integrations that support URL detonation.

Calculates the alert severity level according to the methodology of a 3rd-party integration.

This playbook polls all indicators to check if they exist.

'This playbook retrieves a file sample from an endpoint using the following playbooks:'

• Get File Sample From Path - Generic v2.
• Get File Sample By Hash - Generic v3.

This playbook handles false positive alerts.
It creates an alert exclusion or alert exception, or adds a file to an allow list based on the alert fields and playbook inputs.

Enrich email addresses.

• Get information from Active Directory for internal addresses
• Get the domain-squatting reputation for external addresses
• Email address reputation using !email command.

This playbook checks whether a file has an extension that supports unzipping, and unzips the file.

Calculates the alert severity level according to the highest DBotScore.

Enrich IP addresses using one or more integrations.

• Resolve IP addresses to hostnames (DNS)
• Provide threat information
• Determine IP address reputation using the !ip command
• Separate internal and external IP addresses
• For internal IP addresses, get host information.

When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance.

Pauses execution until the date and time that was specified in the plabyook input is reached.

This playbook retrieves information on all of the associated user devices, based on the user's username.
In order to get a generic output, the following information on all of the retrieved devices will be saved under the UserDevices context key:

• Name
• Serial Number
• ID
• Model
• MAC Address
• OS
• Integration

Note that not all of the supported integrations will be able to retrieve this information.

Supported integrations:

• jamf v2
• Microsoft Defender for Endpoint
• Cortex XDR IR
• ServiceNow v2
• Google Workspace (Gsuite)
• Active Directory Query v2.

Get indicators internal Dbot score

Deprecated. Use the Block Indicators - Generic V3 playbook instead.
This playbook blocks malicious Indicators using all integrations that are enabled, using the following sub-playbooks:

• Block URL - Generic
• Block Account - Generic
• Block IP - Generic v2
• Block File - Generic v2
• Block Email - Generic
• Block Domain - Generic

This playbook blocks malicious Domains using all integrations that are enabled.

Supported integrations for this playbook:

• Zscaler
• Symantec Messaging Gateway
• FireEye EX
• Trend Micro Apex One
• Proofpoint Threat Response
• Cisco Stealthwatch Cloud

Containment Plan - Quarantine File

This playbook is a sub-playbook within the containment plan playbook.
The playbook quarantines files using core commands.

Retrieves the owners of a cloud account based on account ID.
Current supported platforms:

• GCP
• Prisma Cloud.

Enrich entities using one or more integrations.

Deprecated. Use 'Block Email - Generic v2' instead. This playbook will block emails at your mail relay integration.

This playbook blocks malicious usernames using all integrations that you have enabled.

Supported integrations for this playbook:

• Active Directory
• PAN-OS - This requires PAN-OS 9.1 or higher.
• SailPoint
• PingOne
• AWS IAM
• Clarizen IAM
• Envoy IAM
• ExceedLMS IAM
• Okta
• Microsoft Graph User (Azure Active Directory Users)
• Google Workspace Admin
• Slack IAM
• ServiceNow IAM
• Prisma Cloud IAM
• Zoom IAM
• Atlassian IAM
• GitHub IAM.

This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations:

• Splunk
• Qradar
• Pan-os
• Cortex Data Lake
• Autofocus
• Microsoft 365 Defender

Enrich an endpoint by hostname using one or more integrations.
Supported integrations:

• Active Directory Query v2
• McAfee ePO v2
• VMware Carbon Black EDR v2
• Cylance Protect v2
• CrowdStrike Falcon
• ExtraHop Reveal(x)
• Cortex XDR / Core (endpoint enrichment, reputation and risk)
• Endpoint reputation using !endpoint command.

Deprecated. Use Get File Sample From Path - Generic V3 instead.
This playbook returns a file sample correlating to a path into the War Room using the following sub-playbooks:
inputs:
1) Get File Sample From Path - D2.
2) Get File Sample From Path - VMware Carbon Black EDR (Live Response API).

This playbook blocks malicious URLs using all integrations that are enabled.

Supported integrations for this playbook:

• Palo Alto Networks PAN-OS
• Zscaler
• Sophos
• Forcepoint
• Checkpoint
• Netcraft.

This playbook handles all the endpoint investigation actions by performing the following tasks on every alert associated with the alert:

• Pre-defined MITRE Tactics
• Host fields (Host ID)
• Attacker fields (Attacker IP, External host)
• MITRE techniques
• File hash (currently, the playbook supports only SHA256)

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

This playbook will block emails at your mail relay integration.

Supported integrations for this playbook:

• Mimecast
• FireEye Email Security (EX)
• Cisco Email Security
• Symantec Email Security

Detonate URL through one or more active integrations that support URL detonation.
Supported integrations:

• SecneurX Analysis
• ANY.RUN
• McAfee Advanced Threat Defense
• WildFire
• Lastline
• Cuckoo Sandbox
• Cisco Secure Malware Analytics (ThreatGrid)
• JoeSecurity
• CrowdStrike Falcon Sandbox
• FireEye AX
• VMRay Analyzer
• Polygon
• CrowdStrike Falcon Intelligence Sandbox
• OPSWAT Filescan
• ANYRUN
• VirusTotal
• Anomali ThreatStream
• Hatching Triage
• ThreatGrid

Containment Plan - Clear User Sessions

This playbook is a sub-playbook within the containment plan playbook.
The playbook uses the 'Okta v2' and 'MSGraph User' integrations to clear user sessions.

Use this playbook as a sub-playbook to block execution of the master playbook until a remote action is complete.
This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.

NOTE: This playbook should be run only when the playbook's context is using the "Private to sub-playbook" option.

Calculate and assign the alert severity based on the highest returned severity level from the following calculations:

• DBotScores of indicators
• Critical assets
• Email authenticity
• Current alert severity
• Microsoft Headers
• Risky users (XDR)
• Risky hosts (XDR).

Get file reputation using one or more integrations

This playbook is one of the sub-playbooks in the eradication plan.
The playbook executes actions to reset the user's passwords, which is a crucial step in the eradication process.

Hunt using available tools

Calculates and sets the alert severity based on the combination of the current alert severity, and the severity returned from the Calculate Severity By Highest DBotScore playbook.

Deprecated. Use the Block IP - Generic v3 playbook instead.
This playbook blocks malicious IPs using all integrations that are enabled.

Supported integrations for this playbook:

• Check Point Firewall
• Palo Alto Networks Minemeld
• Palo Alto Networks PAN-OS
• Zscaler
• FortiGate

Deprecated. Use Get File Sample From Path - Generic V3 instead. Returns a file sample to the war-room from a path on an endpoint using one or more integrations

inputs:

• UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)

This playbook blocks malicious IP addresses using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing)
Note the following:

• some of those integrations require specific parameters to run, which are based on the playbook inputs. Also, certain integrations use FW rules or appended network objects.
• Note that the appended network objects should be specified in blocking rules inside the system later on.

Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]:

• Check Point Firewall
• Palo Alto Networks PAN-OS
• Zscaler
• FortiGate
• Aria Packet Intelligence
• Cisco Firepower
• Cisco Secure Cloud Analytics
• Cisco ASA
• Akamai WAF
• F5 SilverLine
• ThreatX
• Signal Sciences WAF
• Sophos Firewall.

Containment Plan - Block Indicators

This playbook is a sub-playbook within the containment plan playbook.

Indicator Blocking

The playbook block indicators by two methods:

1. It adds the malicious hashes into the XSIAM hash block list
2. It utilizes the sub-playbook "Block Indicators - Generic v3"

This playbook blocks malicious indicators using all integrations that are enabled, using the following sub-playbooks:

• Block URL - Generic v2
• Block Account - Generic v2
• Block IP - Generic v3
• Block File - Generic v2
• Block Email - Generic v2
• Block Domain - Generic v2.

This playbook returns a file sample from a specified path and host that you input in the following playbooks:

• PS Remote Get File Sample From Path
• Get File Sample From Path - VMware Carbon Black EDR (Live Response API)
• CrowdStrike Falcon - Retrieve File
• MDE - Retrieve File
• Cortex XDR - Retrieve File V2

This playbook uploads, detonates, and analyzes files for supported sandboxes. Currently supported sandboxes are Falcon Intelligence Sandbox, JoeSecurity, and Wildfire.

This playbook unisolates endpoints according to the endpoint ID or host name provided in the playbook.
It currently supports the following integrations:

• Carbon Black Response
• Cortex XDR
• Crowdstrike Falcon
• FireEye HX
• Cybereason
• Microsoft Defender For Endpoint.

Cloud Credentials Rotation - Generic

This comprehensive playbook combines the remediation steps from AWS, Azure, and GCP sub-playbooks into a single, cohesive guide. Regardless of which Cloud Service Provider (CSP) you're working with, this playbook will direct you to the relevant steps, ensuring swift and effective response.

The primary objective is to offer an efficient way to address compromised credentials across different cloud platforms. By consolidating the key steps from AWS, Azure, and GCP, it minimizes the time spent searching for platform-specific procedures and accelerates the remediation process, ensuring the highest level of security for your cloud environments.

Integrations for Each Sub-Playbook

In order to seamlessly execute the actions mentioned in each sub-playbook, specific integrations are essential. These integrations facilitate the automated tasks and processes that the playbook carries out. Here are the required integrations for each sub-playbook:

AWS Sub-Playbook:

1. AWS - IAM: Used to manage AWS Identity and Access Management.
2. AWS - EC2: Essential for managing Amazon Elastic Compute Cloud (EC2) instances.

GCP Sub-Playbook:

1. Google Workspace Admin: Manages users, groups, and other entities within Google Workspace.
2. GCP-IAM: Ensures management and control of GCP's Identity and Access Management.

Azure Sub-Playbook:

1. Microsoft Graph Users: Manages users and related entities in Microsoft Graph.
2. Microsoft Graph Applications: Manages applications within Microsoft Graph.

This playbook retrieves information on all of the associated user devices, based on the user email.
In order to get a generic output, the following information on all of the retrieved devices will be saved under the UserDevices context key:

• Name
• Serial Number
• ID
• Model
• MAC Address
• OS
• Integration

Note that not all of the supported integrations will be able to retrieve this information.

Supported integrations:

• jamf v2
• Google Workspace (Gsuite)
• ServiceNow v2
• Active Directory Query v2
• Microsoft Graph API (In order to get devices details, provide the permissions as mentioned here: https://learn.microsoft.com/en-us/graph/api/user-list-owneddevices?view=graph-rest-1.0&tabs=http )

Deprecated. Use 'Block Account - Generic v2' instead. This playbook blocks malicious usernames using all integrations that you have enabled.

Supported integrations for this playbook:

• Active Directory
• PAN-OS - This requires PAN-OS 9.1 or higher.

This playbook performs an investigation on a specific user, using queries and logs from SIEM, Identity management systems, XDR, and firewalls.

Supported Integrations:
-Okta
-Splunk
-QRadar
-Azure Log Analytics
-PAN-OS
-XDR / Core By Palo Alto Networks.

Deprecated. Use Search And Delete Emails - Generic v2 instead. This playbook searches and delete emails with similar attributes of a malicious email.

Determines if a critical assest is associated with the invesigation. The playbook returns a severity level of "Critical" if at least one critical asset is associated with the investigation.
Critical assets refer to: users, user groups, endpoints and endpoint groups.

The playbook queries the analytics module to receive the prevalence of an IOC.

Supported IOC:

• Process by SHA256
• Process by file name
• IP
• Domain
• CMD
• Registry (require key and value)

Hunt for assets with a given CVE using available tools

Enrich a file using one or more integrations.

• Provide threat information
• Determine file reputation using the !file command

Enrich entities using one or more integrations

This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Office 365 * Gmail * Agari Phishing Defense.

This playbook retrieves forensics from hosts for the following integrations:

• Illusive Networks
• Microsoft Defender For Endpoint.

Detonate files through one or more active integrations that support file detonation.
Supported integrations:

• SecneurX Analysis
• ANY.RUN
• McAfee Advanced Threat Defense
• WildFire
• Lastline
• Cuckoo Sandbox
• Cisco Secure Malware Analytics (ThreatGrid)
• JoeSecurity
• CrowdStrike Falcon Sandbox
• FireEye AX
• VMRay Analyzer
• Polygon
• CrowdStrike Falcon Intelligence Sandbox
• OPSWAT Filescan.

This playbook provides response playbooks for:

• AWS
• Azure
• GCP

The response actions available are:

• Terminate/Shut down/Power off an instance
• Delete/Disable a user
• Delete/Revoke/Disable credentials
• Block indicators

Deprecated. Use the "Isolate Endpoint - Generic V2" playbook instead.

Calculates the alert severity level according to the highest indicator DBotScore.