Core - Investigation and Response

Details
Content
Dependencies
Version History

Automates incident response

Cortex XSIAM is an intelligent data foundation, where high-quality telemetry across the security infrastructure, threat intelligence, external attack surface data and user response actions are ingested and integrated automatically. Unlike SIEM, Cortex XSIAM ingests granular data – not just alerts and logs – to fuel many layers of machine learning that automate critical threat detection and remediation steps downstream.

What does this pack do?

The playbooks included in this pack help you respond to Cortex XSIAM alerts in a timely manner. They also help automate repetitive tasks associated with Cortex XSIAM alerts:

Syncs and updates Cortex XSIAM alerts.
Triggers a sub-playbook to handle each alert by type.
Extracts and enriches all relevant indicators from the source alert.
Hunts for related IOCs.
Calculates the severity of the alert.
Interacts with the analyst to choose a remediation path or close the incident as a false positive based on the gathered information and incident severity.
Remediates the incident by blocking malicious indicators and isolating infected endpoints.
Run XQL Queries as part of an automation, or in a playbook (consumes compute units).

Cortex XSIAM Video

T1036 - Masquerading

Automations

Name	Description
impossibleTravelerGetDistance	Computes the distance between two sets of coordinates, in miles.

Integrations

Name	Description
XQL Query Engine	XQL Query Engine enables you to run XQL queries on your data sources.
Investigation & Response	The Cortex Core IR integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.
Indicators detection	The Cortex Core - IOCs integration uses the Cortex API for detection and response, by natively integrating network, endpoint, and cloud data to stop sophisticated attacks.

Layoutrule

Name	Description
Identity Analytics Alerts Layout Rule

Layouts

Name	Description
Default
Default XSIAM incident layout	Default layout
Identity Analytics Alerts
Default XDR Alert

Lists

Name	Description
CIDR - Allowedlist

Playbooks

Name	Description
Unprivileged process opened a registry hive	This playbook is designed to handle the 'Unprivileged process opened a registry hive' alert. Playbook Stages: Investigation: During the alert investigation, the playbook will perform the following: Checks the prevalence of the unprivileged process that triggered the alert. Checks the prevalence of the command line used by the unprivileged process. Searches for additional suspicious Cortex XSIAM alerts within the same alert in order to determine whether a remediation measure is required. Remediation: To prevent malicious activity from continuing, the playbook terminates the causality processes that triggered the alert.
AWS IAM User Access Investigation	Deprecated. Use `Cloud IAM User Access Investigation` instead. Investigate and respond to Cortex XSIAM alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.
Unsigned and unpopular process performed an injection	This playbook addresses the following alerts: Unsigned and unpopular process performed injection into a commonly abused process Unsigned and unpopular process performed process hollowing injection Unsigned and unpopular process performed queue APC injection Unsigned and unpopular process performed injection into a sensitive process Unsigned and unpopular process performed injection into svchost.exe Playbook Stages: Triage: Retrieve all alerts associated with the case for initial analysis. Early Containment: Identify whether an agent prevention rule was triggered for the same process ID. If so, there is high confidence that the alert is malicious. If triggered in prevent mode: This indicates a high-confidence verdict and the playbook proceeds with endpoint isolation. If triggered in report mode: This also indicates a high-confidence verdict. The playbook will notify the customer, advise an update to prevent mode for better protection in the future, and proceed with the investigation. If no rule is triggered: The playbook will continue with additional checks to ensure thorough assessment. Investigation: Check for commonly triggered alerts that often precede process injection: If found, initiate containment. If not found, proceed with additional checks. Analyze if any alerts align with MITRE ATT&CK tactics TA0004 (Privilege Escalation) and TA0005 (Defense Evasion): If matching tactics are found, initiate containment. If not, proceed with further investigation. Determine if the causality (parent) process is signed: If signed by a trusted authority, close the alert. If unsigned, escalate for manual approval for containment. Containment: For alerts validated as threats, execute the following actions: Terminate the causality process (CGO) if deemed malicious. Isolate the endpoint in high-risk scenarios to prevent further compromise. Requirements: For response actions, you need the following integrations: Cortex Core - Investigation and Response.
Scheduled task created with HTTP or FTP reference	This playbook is designed to handle the alert "Scheduled task created with HTTP or FTP reference". The playbook executes the following stages: Investigation: During the alert investigation, the playbook will perform the following: Checks the IP and the URL reputation. Checks the CGO process signature. Searches for related XDR agent alerts to determine if the creation of the scheduled task is part of an attack pattern. Remediation: Remediation actions will be taken if the CGO process is unsigned, the IP or URL has a malicious reputation, or a related alert is detected. In these cases, the playbook will disable the scheduled task, block the malicious indicators, and close the alert. Requires: To block the malicious URL and IP, configure 'Palo Alto Networks PAN-OS' integration.
Remote PsExec with LOLBIN command execution alert	The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: Check if the execution is blocked. If not will terminate the process (Manually by default). Enrich any entities and indicators from the alert and find any related campaigns. Perform command analysis to provide insights and verdict for the executed command. Perform further endpoint investigation using XDR. Checks for any malicious verdict found to raise the severity of the alert. Perform Automatic/Manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in ‘Cortex XDR Alert Handling - v3 & Cortex XDR Alerts Handling’. It depends on the data from the parent playbooks and can not be used as a standalone version.
NGFW Internal Scan	This playbook investigates a scan where the source is an internal IP address. An attacker might initiate an internal scan for discovery, lateral movement and more. Attacker's Goals: An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services. Investigative Actions: Endpoint Investigation Plan playbook Response Actions The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute: Auto endpoint isolation Manual block indicators Manual file quarantine
Impossible Traveler - Enrichment	This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following: Geo location Active Directory IP enrichment e.g. VirusTotal, AbuseIPDB, etc.
A successful SSO sign-in from TOR	This playbook is designed to handle the following alerts: A successful SSO sign-in from TOR A successful SSO sign-in from TOR via a mobile device The playbook executes the following stages: Early Containment: The playbooks will perform early containment actions by clearing\revoking user sessions and enforcing re-authentication to terminate the connection from the Tor exit node and verify the user's identity. Depending on the alert source, the playbook will use either Azure Active Directory Users or Okta v2 integrations to clear the user sessions. Investigation: During the alert investigation, the playbook will perform the following: Checks the user's risk score. Search for suspicious user agent usage within the alert. Search for related XDR alerts using the following MITRE techniques to identify any malicious activity: T1566 - Phishing T1621 - Multi-Factor Authentication Request Generation T1110 - Brute Force T1556 - Modify Authentication Process Remediation: Remediation actions will be taken if the user’s risk score is high, a suspicious user agent is detected, or a related alert is found. In such cases, the playbook will disable the account. By default, account disabling requires analyst approval. Requires: For any response action, you will need one of the following integrations: Azure Active Directory Users / Okta v2.
AWS IAM User Access Investigation - Remediation	Deprecated. Use `Cloud IAM User Access Investigation` instead. Respond to Cortex XDR Cloud alerts where an AWS IAM user`s access key is used suspiciously to access the cloud environment. The following alerts are supported for AWS environments. Penetration testing tool attempt Penetration testing tool activity Suspicious API call from a Tor exit node This is a beta playbook, which lets you implement and test pre-release software. Although AWS is supported, we are working towards multi-cloud support. As the playbook is beta, it might contain bugs. Updates to the playbook during the beta phase might include non-backward compatible features. We encourage your feedback on the quality and usability of the content to help us identify and fix issues, so we can continually improve the content.
Possible External RDP Brute-Force	This playbook investigates a “Possible External RDP Brute Force” XDR Alert by gathering user, IP, and hostname information, and investigating if the following suspicious elements exists: "IP Reputation" - DBot Score is 2-3 "Source geolocation" - RDP Connection made from rare geo-location Related to campaign - IP address is related to campaign, based on TIM module Hunting results - the hunt for indicators related to the source IP and the related campaign returned results XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. Risky User - The user that was identified in the attack was given a medium or high score by the Core integration's ITDR module. Risky Host - The destination host that was identified in the attack was given a medium or high score by the Core integration's ITDR module. Set verdict method: Critical Element - The "Critical Element" input allows you to select a specific element that, if identified as suspicious, the investigation's final verdict will be deemed a "True Positive". Final Verdict - Each suspicious element is being added to an array called "Suspicious Elements", which is used to count potential security threats. The array size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive". User Engagement - The "UserEngagementThreshold" input allows you to set the number of suspicious elements that trigger user engagement. When this threshold is met, an email will be sent to the user and their manager asking for authorization of RDP activity. If the RDP activity is not authorized by the user, the investigation's final verdict will be deemed a "True Positive".
Identity Analytics - Alert Handling	The `Identity Analytics - Alert Handling` playbook is designed to handle Identity Analytics alerts and executes the following: Analysis: Enriches the IP and the account, providing additional context and information about these indicators. Verdict: Determines the appropriate verdict based on the data collected from the enrichment phase. Investigation: Checks for related XDR alerts to the user by Mitre tactics to identify malicious activity. Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook. Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook. Verdict Handling: Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP and revoking or clearing user's sessions. Handles non-malicious alerts identified during the investigation.
SSO Password Spray	This playbook is designed to handle the following alerts: SSO Password Spray Threat Detected SSO Password Spray Activity Observed SSO Password Spray Involving a Honey User Playbook Stages: Triage: The playbook checks the IP reputation and fetches the events related to the SSO login attempts. Early Containment: The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP. Investigation: The playbook assess the risk score of the user who successfully logged in and examines the legitimacy of the user agent. It verifies if the user has MFA configured and analyzes the timestamps of the login attempts to detect potential malicious automated patterns. Containment: If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook clears the user's session. If the user doesn't have MFA, the playbook recommends expiring the user's password. Requirements: For any response action, you need one of the following integrations: Microsoft Graph User Okta
Large Upload Alert	The playbook investigates Cortex XDR alerts involving large upload alerts. The playbook consists of the following procedures: Searches for similar previous alerts that were closed as false positives. Enrichment and investigation of the initiator and destination hostname and IP address. Enrichment and investigation of the initiator user, process, file, or command if it exists. Detection of related indicators and analysis of the relationship between the detected indicators. Utilize the detected indicators to conduct threat hunting. Blocks detected malicious indicators. Endpoint isolation. This playbook supports the following Cortex XDR alert names: Large Upload (Generic) Large Upload (SMTP) Large Upload (FTP) Large Upload (HTTPS)
NGFW Scan	This playbook handles external and internal scanning alerts. Attacker's Goals: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Investigative Actions: Investigate the scanner IP address using: IP enrichment: NGFW Internal Scan playbook Endpoint Investigation Plan playbook Entity enrichment Response Actions The playbook's response actions are based on the initial data provided within the alert. In that phase, the playbook will execute: Automatically block IP address Report IP address (If configured as true in the playbook inputs) When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan playbook, is executed. This phase will execute the following containment actions: Automatically isolate involved endpoint Manual block indicators Manual file quarantine Manual disable user External resources: Mitre technique T1046 - Network Service Scanning Port Scan
Ransomware Response	This playbook handles ransomware alerts based on the Cortex XDR Traps module signature 'Suspicious File Modification' Attacker’s Goals: An attacker is attempting to encrypt the victim files for either extortion or destruction purposes. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions: The playbook’s first response action is a remediation plan which includes two sub-playbooks, Containment Plan and Eradication Plan, which is based on the initial data provided within the alert. In that phase, the playbooks will execute: Auto endpoint isolation Auto block indicators Auto file quarantine Auto user disable Auto process termination Next, the playbook executes an enrichment and response phase which includes two sub-playbooks, Ransomware Enrich and Contain & Account Enrichment - Generic v2.1. The Ransomware Enrich and Contain playbook does the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extracts the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints. Next, an advanced analysis playbook, which is currently done mostly manually, will be executed. This sub-playbook, Ransomware Advanced Analysis allows the analyst to upload the ransomware note and for the ransomware identification. Using the ID-Ransomware service, the analyst will be able to get the ransomware type and the decryptor if available. When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes the Containment Plan sub-playbook, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation Finally, the recovery phase is executed. If the analysts decides to continue with the investigation rather than recover and close the alert, a manual task with CISA official ransomware investigation checklist is provided for further investigation. External resources: MITRE Technique T1486 CISA Ransomware Guide
Credential Dumping using a known tool	This playbook is designed to handle the following alerts: Command-line arguments match Mimikatz execution Mimikatz command-line arguments Credential dumping via wce.exe Credential dumping via gsecdump.exe PowerShell runs with known Mimikatz arguments Hash cracking using Hashcat tool Credential dumping via fgdump.exe Credential dumping via LaZagne Credential dumping via pwdumpx.exe Dumping lsass.exe memory for credential extraction Memory dumping with comsvcs.dll The playbook executes the following stages: Early Containment: Handles malicious alerts by terminating the causality process. Remediation: Handles malicious alerts by suggesting the analyst to isolate the endpoint.
Suspicious Hidden User Created	This playbook addresses the following alerts: Suspicious Hidden User Created Playbook Stages: Triage: Retrieve event information about the created user Investigation: Check if the user is local or domain. For domain users: Retrieve AD attributes, including password expiration. For local users: Run a Powershell command to get "Password Expires" attribute of the local user. Get risk level for the affected host. Search for related Script Engine Activity alerts in the alert. Containment: For alerts determined to be true positives, suggest to the analyst to disable the user. Upon analyst approval: Disable the suspicious user account (domain or local). If a related alert about malicious activity exists, kill the Causality Group Owner (CGO) process that created the suspicious user. Requirements: For response actions, you need the following integrations: Cortex Core - Investigation and Response Active Directory Query v2 (for domain user actions).
A Successful login from TOR	This playbook is designed to handle the following alert: A successful login from TOR The playbook executes the following stages: Triage: The playbook will fetch the user identity details. Remediation & Eradication: The playbooks will suggest several actions for the analyst to take: disabling the user account using Active Directory or Azure Active Directory, expiring the user password using Active Directory, or blocking traffic from TOR exit nodes using PAN-OS and Palo Alto Networks' predefined EDL. The analyst can select multiple actions, which will then be executed by the playbook based on the analyst's choices. Requirements: For any response action, you will need one of the following integrations: Azure Active Directory Users / Active Directory Users.
T1059 - Command and Scripting Interpreter	This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. Most systems come with some kind of built-in command line interface and scripting capabilities. For example, macOS and Linux distributions include some form of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. Attacker's Goals: An attacker can abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in initial access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. An attacker may also execute commands through interactive terminals/shells, as well as utilize various remote services to achieve remote execution. Analysis Due to the nature of this technique and the usage of built-in command line interfaces, the first step of the playbook is to analyze the command line. The command line analysis does the following: Checks and decodes base64 Extracts and enriches indicators from the command line Checks specific arguments for malicious usage Investigative Actions: The playbook checks for additional activity using the 'Endpoint Investigation Plan' playbook and utilizes the power of insight alerts. Response Actions After analyzing the data, the playbook's first response action is to contain the threat based on the initial data provided within the alert. In this phase, the playbook will: Isolate the endpoint based on playbook inputs. When the playbook proceeds, it checks for additional activity using the 'Endpoint Investigation Plan' playbook. It then continues with the next stage, which includes, containment and eradication. This phase executes the following containment actions: Automatically isolates the endpoint It then continues with the following eradication actions: process termination
Get entity alerts by MITRE tactics	This playbook searches XDR alerts related to specific entities, on a given timeframe, based on MITRE tactics. Note: The playbook's inputs enable manipulating the execution flow. Read the input descriptions for details.
Suspicious LDAP search query	This playbook is designed to handle the following alerts: Possible LDAP enumeration by unsigned process. Suspicious LDAP search query executed. The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. Whether the Actor Process Command line contains suspicious arguments. Checks for prevalence of the Actor Process Name and Actor Process CMD. Host risk score is "Medium" or "High". User risk score is "High". Remediation: Handles malicious alerts by terminating the causality process. Handles non-malicious alerts identified during the investigation.
Event Log Was Cleared	This playbook is designed to handle the following alerts: Windows Event Log was cleared using wevtutil.exe Security Event Log was cleared using wevtutil.exe A Sensitive Windows Event Log was cleared using wevtutil.exe Windows event logs were cleared with PowerShell Suspicious clear or delete security provider event logs with PowerShell Suspicious clear or delete default providers event logs with PowerShell Windows event logs cleared using wmic.exe The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. Whether the CGO or the OSParent process is unsigned. The prevalence of the OSParent process. Remediation: Handles malicious alerts by terminating the relevant processes. Handles non-malicious alerts identified during the investigation.
Netcat Makes or Gets Connections	This playbook is designed to handle the following alerts: Netcat makes or gets connections The playbook executes the following stages: Analysis: Investigate the IP and Domain reputation Search previous similar alerts Remediation: Handles malicious alerts by terminating the causality process.
Ransomware Enrich and Contain	This playbook is responsible for ransomware alert data enrichment and response. The playbook executes the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extract the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints.
Compromise Accounts - User rejected numerous SSO MFA attempts	This playbook addresses the following alerts: User rejected numerous SSO MFA attempts Multiple SSO MFA attempts were rejected by a user with suspicious characteristics Playbook Stages: Triage: The playbook checks the IP address reputation associated with the MFA attempts and gathers related login events. Early Containment: If the IP address is identified as malicious, the playbook blocks the IP. The investigation continues in parallel to this phase. Investigation: The playbook performs an in-depth analysis, including: Assessing the user's risk score to identify potentially compromised accounts. Checking for an unusually high number of invalid credential attempts, which may indicate brute-force or credential-stuffing activity. Verifying whether Okta logs indicate a malicious source IP based on Okta's threat intelligence. Reviewing whether there have been an excessive number of MFA rejections from the user, suggesting potentially compromised behavior. Looking for abnormal user agent patterns that may indicate suspicious or compromised access methods. Investigating previous failed Okta login attempts within a specified timeframe to identify patterns. Containment: If suspicious activity is confirmed, the playbook initiates the following containment actions: Clears the user's active sessions and expires their password to prevent further unauthorized access. If a successful login attempt was also detected, the playbook prompts a manual task for an analyst to review and decide on further action. Requirements: For any response actions, the following integration is required: Okta v2 For early containment actions, the following integration is required: Palo Alto Networks PAN-OS.
WildFire Malware	This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan.
Ransomware Advanced Analysis	This playbook detects the ransomware type and searches for available decryptors. The playbook uses the ID-Ransomware service, which allows you to detect the ransomware using multiple methods.
A mail forwarding rule was configured in Google Workspace	This playbook addresses the following alerts: A mail forwarding rule was configured in Google Workspace. A mail forwarding rule was configured in Google Workspace to an uncommon domain. Playbook Stages: Triage: The playbook retrieves the caller's IP, the forwarding email address, and associated filters. Early Containment: The playbook checks if the IP or domain of the forwarding email address is malicious. If so, it suggests blocking the IP using PAN-OS while continuing the investigation in parallel. Investigation: The playbook verifies if the rule was created outside of working hours or from an unusual geolocation and extracts suspicious keywords from the forwarding rules. It then aggregates all evidence collected during the investigation. Containment: If only one suspicious evidence is found, the playbook executes soft response actions, including signing the user out and deleting the forwarding email address from the user account mailbox. The user will be notified of these actions via email. If multiple suspicious evidences are found, the playbook executes both soft and hard response actions, recommending the analyst suspend the user account. Requirements: For any response action, you need one of the following integrations: Gmail integration to fetch filters and remove the forwarding email address. Google Workspace Admin access to sign out and suspend the user account.
Possible External RDP Brute-Force - Set Verdict	This playbook creating an array called "Suspicious Elements", which is used to count potential security threats. The following elements can be added to the array: "IP Reputation" - DBot Score is 2-3 "Source geolocation" - RDP Connection made from rare geo-location Related to campaign - IP address is related to campaign, based on TIM module Hunting results - the hunt for indicators related to the source IP and the related campaign returned results XDR Alert search - XDR Alerts that related to the same username and endpoint, and to the MITRE tactics that comes after "Credential Access", were found. Risky User - one or more risky users are involved in the alert, as identified by the Cortex Core - IR integration's ITDR module. Risky Host - one or more risky hosts are involved in the alert, as identified by the Cortex Core - IR integration's ITDR module. The array will then be outputted and its size will be compared to a final threshold. If the size is greater than or equal to the threshold, the investigation's final verdict will be deemed a "True Positive."
Impossible Traveler Response	This playbook handles impossible traveler alerts. An Impossible Traveler event occurs when multiple login attempts seen for a user from multiple remote countries in a short period of time, which shouldn't be possible. This may indicate the account is compromised. Attacker's Goals: Gain user-account credentials. Investigative Actions: Investigate the IP addresses and identities involved in the detected activity using: Impossible Traveler - Enrichment playbook CalculateGeoDistance automation Response Actions The playbook's first response actions are based on the data available within the alert. In that phase, the playbook will execute: Manual block indicators if the IP address found malicious Manual disable user Manual clear of the user’s sessions (Okta) When the playbook continues, after validating the activity with the user’s manager, another phase of response actions is being executed, which includes: Auto block indicators External Resources: Impossible traveler alert
External Login Password Spray	This playbook is designed to handle the following alerts: External Login Password Spray Successful External Login Password Spray External Login Password Spray on a Domain Controller External Login Password Spray Involving a Honey User Successful External Login Password Spray on a Domain Controller Successful External Login Password Spray on a sensitive server The playbook is designed to investigate and respond to external login password sprays. It enriches the external IP to enable early containment, retrieves event information, and determines how the attack was carried out and whether it was successful. Playbook Stages: Early Containment: With analyst approval, the playbook will block the malicious external IP address involved in the password spray attack, limiting the attacker's ability to continue their actions. Investigation: The playbook analyzes the timestamps of the login attempts to detect patterns, checks whether any logons were successful, and retrieves the Risk Score for users who successfully logged in as part of the attack. Containment: Based on the user’s risk level, the playbook will expire the user’s password to prevent further unauthorized access and terminate any active RDP sessions for the affected user. Requirements: For response actions, the following integrations are required: Active Directory (AD), PAN-OS, Core - IR.
Uncommon remote scheduled task created	This playbook handles "Uncommon remote scheduled task created" alerts. Playbook Stages: Analysis: The playbook checks if the remote IP is external or has a bad reputation. Investigation: During the alert investigation, the playbook will perform the following: Searches for related XSIAM alerts on the endpoint that use the following MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, T1021 - Remote Services. Searches for related XSIAM agent alerts on the remote endpoint, to determine if the creation of the scheduled task is part of an attack pattern. Searches for suspicious command-line parameters indicating a malicious scheduled task. Remediation: Automatically disable the malicious scheduled task. Block the malicious IP (requires analyst approval). Automatically Close the alert. Requirements: For response actions, the following integrations are required: PAN-OS.
IOC Alert	IOCs provide the ability to alert on known malicious objects on endpoints across the organization. Analysis Actions: The playbook will use several enrichment sources to determine the IOC verdict. Additionally, will use the Analytics module to run a prevalence check for the IOC. Response Actions: The playbook's first response action is a containment plan that is based on the playbook input. In that phase, the playbook will execute endpoint isolation Investigative Actions: When the playbook executes, it checks for additional abnormal activity using the Endpoint Investigation Plan playbook that can indicate the endpoint might be compromised. Remediation Actions: In case results are found within the investigation phase, the playbook will execute remediation actions that include containment and eradication. This phase will execute the following containment actions: File quarantine Endpoint isolation And the following eradication actions: Manual process termination Manual file deletion
User added to local administrator group using a PowerShell command	This playbook is designed to handle the alert 'User added to local administrator group using a PowerShell command' The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. Whether the process is unsigned. Remediation: Handles malicious alerts by terminating the relevant processes and requesting the analyst's approval to remove the user from the local Administrators group. Handles non-malicious alerts identified during the investigation.
SSO Brute Force	This playbook addresses the following alerts: SSO Brute Force Threat Detected SSO Brute Force Activity Observed Playbook Stages: Triage: The playbook checks the IP reputation and fetches the events related to the brute force login attempts. Early Containment: The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP using PAN-OS. The investigation continues in parallel to this phase. Investigation: The playbook assesses the risk score of the user who successfully logged in after a brute force attempt, examines the legitimacy of the user agent and if the brute force attempt is likely automated based on the timestamp interval. It also verifies if the user has MFA configured when the alert source is Okta. Containment: If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals indicates that the login attempts is likely automated, the playbook clears the user's session. If the user doesn't have MFA configured, the playbook recommends expiring the user's password. If there is no successful login detected, no action is taken. Requirements: For any response action, you need one of the following integrations: Microsoft Graph User Okta v2 For eradication step, you need the following integration: Palo Alto Networks PAN-OS.
T1036 - Masquerading	This playbook handles masquerading alerts based on the MITRE T1036 technique. An attacker might leverage Microsoft Windows well-known image names to run malicious processes without being caught. Attacker's Goals: An attacker is attempting to masquerade as standard windows images by using a trusted name to execute malicious code. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions The playbook's first response action is a containment plan which is based on the initial data provided within the alert. In that phase, the playbook will execute: Auto block indicators Auto file quarantine Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation And the following eradication actions: Manual process termination Manual file deletion Manual reset of the user’s password External resources: MITRE Technique T1036 Possible Microsoft process masquerading
Suspicious SaaS Access From a TOR Exit Node	This playbook is designed to handle the following alerts: Suspicious SaaS API call from a Tor exit node Suspicious SaaS API call from a Tor exit node via a mobile device Suspicious API call from a Tor exit node Suspicious Kubernetes API call from a Tor exit node Playbook Stages: Early Containment: To terminate the connection from the Tor exit node, the playbook will clear/revoke the user's sessions and force re-authentication. Depending on the alert source, the playbook will use either MS-Graph or G-Suite to clear the user sessions. Investigation: The playbook will assess the risk score of the user connected from the Tor exit node and examine the legitimacy of the user agent. Containment: If the user's risk score is high or the user agent is detected as suspicious, the playbook will recommend blocking the account connected from the Tor exit node. The playbook will use MS-Graph, G-Suite, or AWS-IAM, depending on the alert source. Eradication: For users with PAN-OS enabled, the playbook will recommend blocking all IPs from the Palo Alto Intelligence-based external dynamic list that contains Tor exit nodes. The goal is to prevent the use of Tor within the organization. Requirements: For any response action, you will need one of the following integrations: Microsoft Graph User G-Suite Admin AWS-IAM.
Local Analysis alert Investigation	When an unknown executable, DLL, or macro attempts to run on a Windows or Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. Local analysis uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed with machine learning on WildFire threat intelligence. Investigative Actions: Investigate the executed process image and verify if it is malicious using: XDR trusted signers VT trusted signers VT detection rate NSRL DB Response Actions The playbook's first response action is a containment plan that is based on the initial data provided within the alert. In that phase, the playbook will execute: Auto block indicators Auto file quarantine Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: Manual block indicators Manual file quarantine Auto endpoint isolation And the following eradication actions: Manual process termination Manual file deletion Manual reset of the user’s password External resources: Malware Protection Flow

Trigger

Name	Description
WildFire and Wildfire Post detection	This trigger is responsible for handling WildFire Malware alerts
Netcat Makes or Gets Connections	This trigger is responsible for handling `Netcat Makes or Gets Connections` alert
IOC Alert	This trigger is responsible for XDR IOC alerts
T1059 - Command and Scripting Interpreter	This trigger is responsible for handling T1059 - Command and Scripting Interpreter alerts
Unprivileged process opened a registry hive	This trigger is responsible for handling the 'Unprivileged process opened a registry hive' alert
Remote PsExec with LOLBIN command execution alert	This trigger is responsible for handling Remote PsExec with LOLBIN command execution alerts
SSO Brute Force	This trigger is responsible for handling the 'SSO Brute Force Threat Detected' and 'SSO Brute Force Activity Observed' alerts
A Successful login from TOR	This trigger is responsible for handling the 'A Successful login from TOR' alert
Suspicious SaaS Access From a TOR Exit Node	This trigger is responsible for handling Suspicious SaaS Access From a TOR Exit Node
Scheduled task created with HTTP or FTP reference	This trigger is responsible for handling 'Scheduled task created with HTTP or FTP reference' alert
Identity Analytics Alerts	This trigger is responsible for handling Identity Analytics alerts
Event Log Was Cleared	This trigger is responsible for handling the 'Windows Event Log Was Cleared' alerts
Alert Trigger - Suspicious Hidden User Created	This trigger is responsible for handling alerts where a suspicious hidden user is created.
SSO Password Spray	This trigger is responsible for handling SSO Password Spray alerts
External Login Password Spray	This trigger is responsible for handling External Login Password Spray attacks.
A successful SSO sign-in from TOR	This trigger is responsible for handling the 'A successful SSO sign-in from TOR' and the 'A successful SSO sign-in from TOR via a mobile device' alerts
T1036 - Masquerading	This trigger is responsible for handling T1036 - Masquerading alerts
Credential Dumping using a known tool	This trigger is responsible for handling the 'Credential Dumping using a known tool' alerts
User added to local administrator group using a PowerShell command	This trigger is responsible for handling 'User added to local administrator group using a PowerShell command' alert
Large Upload Alert	This trigger is responsible for handling "core - Large Upload" alerts
Compromise Accounts - User has rejected numerous SSO MFA attempts	This trigger is responsible for handling Compromise Accounts alerts where user rejected MFA attempts.
A mail forwarding rule was configured in Google Workspace	This trigger runs the A mail forwarding rule was configured in Google Workspace playbook, which handles the A mail forwarding rule was configured in Google Workspace and A mail forwarding rule was configured in Google Workspace to an uncommon domain alerts.
Possible External RDP Brute-Force	This trigger is responsible for handling External RDP Brute-Force alerts
Impossible Traveler	This trigger is responsible for handling Impossible Traveler alerts
NGFW Scanning Alerts	This trigger is responsible for handling alerts involving scanning activity identified by our NGFW
Unsigned and unpopular process performed an injection	This trigger is responsible for handling several the 'Unsigned and unpopular process performed an injection' alerts
Suspicious LDAP search query	This trigger is responsible for handling the 'Suspicious LDAP search query executed' and 'Possible LDAP enumeration by unsigned process' alerts via the 'Suspicious LDAP search query' playbook
Uncommon remote scheduled task created	This trigger is responsible for handling 'Uncommon remote scheduled task created
Ransomware Response	This trigger is responsible for handling ransomware alerts

3.0.95 - 1653861 (November 15, 2024)

Playbooks

New: Unsigned and unpopular process performed an injection

This playbook addresses the following process injection alerts:

Injection into commonly abused, sensitive, or system processes (e.g., svchost.exe)
Process hollowing and queue APC injection by unsigned processes
Key Stages:
Triage: Collect and assess related alerts.
Early Containment: Check agent prevention rule status and isolate endpoints if needed.
Investigation: Identify commonly triggered alerts, analyze MITRE ATT&CK tactics, and validate process signatures.
Containment: Terminate malicious processes and isolate high-risk endpoints.
Requirements:
Cortex Core - Investigation and Response

Triggers Recommendations

New: Unsigned and unpopular process performed an injection

New: This trigger calls the Unsigned and unpopular process performed an injection playbook, which handles these types of alerts. (Available from Cortex XSIAM 2.4).

Related pull requests:
- 36892

3.0.94 - 1627458 (November 12, 2024)

Playbooks

New: A mail forwarding rule was configured in Google Workspace

This playbook addresses the following alerts:

A mail forwarding rule was configured in Google Workspace.
A mail forwarding rule was configured in Google Workspace to an uncommon domain.
Playbook Stages:

Triage:

The playbook retrieves the caller's IP, the forwarding email address, and associated filters.
Early Containment:
The playbook checks if the IP or domain of the forwarding email address is malicious. If so, it suggests blocking the IP using PAN-OS while continuing the investigation in parallel.
Investigation:
The playbook verifies if the rule was created outside of working hours or from an unusual geolocation and extracts suspicious keywords from the forwarding rules. It then aggregates all evidence collected during the investigation.
Containment:
If only one suspicious evidence is found, the playbook executes soft response actions, including signing the user out and deleting the forwarding email address from the user account mailbox. The user will be notified of these actions via email.
If multiple suspicious evidences are found, the playbook executes both soft and hard response actions, recommending the analyst suspend the user account.
Requirements:
For any response action, you need one of the following integrations:
Gmail integration to fetch filters and remove the forwarding email address.
Google Workspace Admin access to sign out and suspend the user account.

Triggers Recommendations

New: A mail forwarding rule was configured in Google Workspace

New: This trigger runs the A mail forwarding rule was configured in Google Workspace playbook, which handles the A mail forwarding rule was configured in Google Workspace and A mail forwarding rule was configured in Google Workspace to an uncommon domain alerts.

Related pull requests:
- 36795

3.0.93 - 1621428 (November 11, 2024)

Playbooks

Scheduled task created with HTTP or FTP reference

Added new tasks to verify if the script successfully disabled the scheduled task.

New: Uncommon remote scheduled task created

New: This playbook handles "Uncommon remote scheduled task created" alerts.
Playbook Stages:
Analysis:
The playbook checks if the remote IP is external or has a bad reputation.
Investigation:
During the alert investigation, the playbook will perform the following:
Searches for related XSIAM alerts on the endpoint that use the following MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, T1021 - Remote Services.
Searches for related XSIAM agent alerts on the remote endpoint, to determine if the creation of the scheduled task is part of an attack pattern.
Searches for suspicious command-line parameters indicating a malicious scheduled task.
Remediation:
Remediation actions will disable the scheduled task, block the malicious IP, and close the alert.
Requirements:
For response actions, the following integrations are required:
PAN-OS.

New: Suspicious Hidden User Created

New: This playbook addresses the following alerts:

Suspicious Hidden User Created
Playbook Stages:
Triage:
Retrieve event information about the created user
Investigation:
Check if the user is local or domain.
For domain users: Retrieve AD attributes, including password expiration.
For local users: Run a Powershell command to get "Password Expires" attribute of the local user.
Get risk level for the affected host.
Search for related Script Engine Activity alerts in the incident.
Containment:
For alerts determined to be true positives, suggest to the analyst to disable the user.
Upon analyst approval: Disable the suspicious user account (domain or local).
If a related alert about malicious activity exists, kill the Causality Group Owner (CGO) process that created the suspicious user.
Requirements:
For response actions, you need the following integrations:
Cortex Core - Investigation and Response
Active Directory Query v2 (for domain user actions)

Scripts

impossibleTravelerGetDistance

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

Triggers Recommendations

New: Uncommon remote scheduled task created

New: This trigger is responsible for handling 'Uncommon remote scheduled task created.

New: Alert Trigger - Suspicious Hidden User Created

New: This trigger is responsible for handling alerts where a suspicious hidden user is created.

Related pull requests:
- 37106

3.0.89 - 1609112 (November 7, 2024)

Integrations

Investigation & Response

Updated the error message on the alert_id input when the core-get-cloud-original-alerts command fails while using the playbook debugger.

Indicators detection

Updated the error message on the alert_id input when the core-get-cloud-original-alerts command fails while using the playbook debugger.

Layouts

New: Default XSIAM incident layout
New default layout for XSIAM incident (Available from Cortex XSIAM 2.3).

Playbooks

New: Compromise Accounts - User rejected numerous SSO MFA attempts

New: This playbook addresses the following alerts:
User rejected numerous SSO MFA attempts
Multiple SSO MFA attempts were rejected by a user with suspicious characteristics
Playbook Stages:
Triage:
The playbook checks the IP address reputation associated with the MFA attempts and gathers related login events.
Early Containment:
If the IP address is identified as malicious, the playbook blocks the IP. The investigation continues in parallel to this phase.
Investigation:
The playbook performs an in-depth analysis, including:
- Assessing the user's risk score to identify potentially compromised accounts.
- Checking for an unusually high number of invalid credential attempts, which may indicate brute-force or credential-stuffing activity.
- Verifying whether Okta logs indicate a malicious source IP based on Okta's threat intelligence.
- Reviewing whether there have been an excessive number of MFA rejections from the user, suggesting potentially compromised behavior.
- Looking for abnormal user agent patterns that may indicate suspicious or compromised access methods.
- Investigating previous failed Okta login attempts within a specified timeframe to identify patterns.
  Containment:
If suspicious activity is confirmed, the playbook initiates the following containment actions:
- Clears the user's active sessions and expires their password to prevent further unauthorized access.
- If a successful login attempt was also detected, the playbook prompts a manual task for an analyst to review and decide on further action.
  Requirements:
  For any response actions, the following integrations is required:
Okta v2
For early containment actions, the following integration is required:
Palo Alto Networks PAN-OS. (Available from Cortex XSIAM 2.4).

Triggers Recommendations

New: Compromise Accounts - User has rejected numerous SSO MFA attempts

New: This trigger is responsible for handling Compromise Accounts alerts where user rejected MFA attempts. (Available from Cortex XSIAM 2.4).

Related pull requests:
- 37027

3.0.86 - 1602991 (November 6, 2024)

Playbooks

Unprivileged process opened a registry hive

Added a new task for manual process termination in case automatic Terminate Causality (CGO) failed.

Related pull requests:
- 37030

3.0.85 - 1574765 (October 31, 2024)

Playbooks

New: Unprivileged process opened a registry hive

This playbook is designed to handle the 'Unprivileged process opened a registry hive' alert.
Playbook Stages:
Investigation:
The playbook is designed to investigate and respond to unprivileged processes opening registry hives. It examines the unprivileged process that triggered the alert, the command line, and searches for additional suspicious Cortex XSIAM alerts within the same incident in order to determine whether a remediation measure is required.
Remediation:
To prevent malicious activity from continuing, the playbook terminates the causality processes that triggered the alert. (Available from Cortex XSOAR 8.8.0).

Related pull requests:
- 36781

3.0.84 - 1569341 (October 30, 2024)

Integrations

Investigation & Response

Added support for returning all endpoints and outputting human-readable timestamps to the command xdr-get-endpoints.

Related pull requests:
- 36829
- 36469

3.0.83 - 1563308 (October 29, 2024)

Playbooks

SSO Password Spray

In the risky user score task changed from Core.RiskyUser.score to Core.RiskyUser.risk_level.

Related pull requests:
- 36881

3.0.82 - 1537605 (October 22, 2024)

Playbooks

New: Netcat Makes or Gets Connections

New: This playbook is designed to handle the following alerts:

Netcat makes or gets connections
The playbook executes the following stages:
Investigation:
Check the following parameters to determine if remediation actions are needed:
IP and Domain reputation
IP and Command-line prevalence
Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity.
Remediation:
Handles malicious alerts terminating the causality process.
Handles non-malicious alerts identified during the investigation. (Available from Cortex XSIAM 2.4).

Related pull requests:
- 36721

3.0.81 - 1512684 (October 15, 2024)

Playbooks

Updated the playbook description and README file.

New: Suspicious LDAP search query

New: This playbook is designed to handle the following alerts:

Possible LDAP enumeration by unsigned process (medium severity)
Suspicious LDAP search query executed (High severity)
The playbook executes the following stages:
Investigation:
Check the following parameters to determine if remediation actions are needed:
Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity.
Whether the Actor Process Command line contains suspicious arguments.
Host risk score is "Medium" or "High".
User risk score is "High".
Remediation:
Handles malicious alerts terminating the causality process.
Handles non-malicious alerts identified during the investigation. (Available from Cortex XSIAM 2.4).

Related pull requests:
- 36707

3.0.79 - 1509958 (October 15, 2024)

Playbooks

This playbook is designed to handle the following alert:

A successful login from TOR
The playbook executes the following stages:
Triage:
The playbook will fetch the user identity details.
Remediation & Eradication:
The playbooks will suggest several actions for the analyst to take: disabling the user account using Active Directory or Azure Active Directory, expiring the user password using Active Directory, or blocking traffic from TOR exit nodes using PAN-OS and Palo Alto Networks' predefined EDL.
The analyst can select multiple actions, which will then be executed by the playbook based on the analyst's choices.
Requirements:
For any response action, you will need one of the following integrations: Azure Active Directory Users / Active Directory Users.

Related pull requests:
- 36687

3.0.78 - 1507818 (October 14, 2024)

Playbooks

New: User added to local administrator group using a PowerShell command

New: This playbook is designed to handle the alert
'User added to local administrator group using a PowerShell command'
The playbook executes the following stages:
Investigation:
Check the following parameters to determine if remediation actions are needed:
Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity.
Whether the process is unsigned.
Remediation:
Handles malicious alerts by terminating the relevant processes and requesting the analyst's approval to remove the user from the local Administrators group.
Handles non-malicious alerts identified during the investigation.

New: Event Log Was Cleared

New: This playbook is designed to handle the following alerts:

Windows Event Log was cleared using wevtutil.exe
Security Event Log was cleared using wevtutil.exe
A Sensitive Windows Event Log was cleared using wevtutil.exe
Windows event logs were cleared with PowerShell
Suspicious clear or delete security provider event logs with PowerShell
Suspicious clear or delete default providers event logs with PowerShell
Windows event logs cleared using wmic.exe
The playbook executes the following stages:
Investigation:
Check the following parameters to determine if remediation actions are needed:
Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity.
Whether the CGO or the OSParent process is unsigned.
The prevalence of the OSParent process.
Remediation:
Handles malicious alerts by terminating the relevant processes.
Handles non-malicious alerts identified during the investigation.

New: Credential Dumping using a known tool

New: This playbook is designed to handle the following alerts:

Command-line arguments match Mimikatz execution
Mimikatz command-line arguments
Credential dumping via wce.exe
Credential dumping via gsecdump.exe
PowerShell runs with known Mimikatz arguments
Hash cracking using Hashcat tool
Credential dumping via fgdump.exe
Credential dumping via LaZagne
Credential dumping via pwdumpx.exe
Dumping lsass.exe memory for credential extraction
Memory dumping with comsvcs.dll
The playbook executes the following stages:
Early Containment:
Handles malicious alerts by terminating the causality process.
Remediation:
Handles malicious alerts by suggesting the analyst to isolate the endpoint.

Related pull requests:
- 36614

3.0.75 - 1487718 (October 9, 2024)

Playbooks

New: SSO Brute Force

New: This playbook addresses the following alerts:

SSO Brute Force Threat Detected
SSO Brute Force Activity Observed
Playbook Stages:
Triage:
The playbook checks the IP reputation and fetches the events related to the brute force login attempts.
Early Containment:
The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP using PAN-OS. The investigation continues in parallel to this phase.
Investigation:
The playbook assesses the risk score of the user who successfully logged in after a brute force attempt, examines the legitimacy of the user agent and if the brute force attempt is likely automated based on the timestamp interval. It also verifies if the user has MFA configured when the alert source is Okta.
Containment:
If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals indicates that the login attempts is likely automated, the playbook clears the user's session. If the user doesn't have MFA configured, the playbook recommends expiring the user's password. If there is no successful login detected, no action is taken.

Requirements:
For any response action, you need one of the following integrations:

Microsoft Graph User
Okta v2
For eradication step, you need the following integration:
Palo Alto Networks PAN-OS.

Related pull requests:
- 36618

3.0.74 - 1482667 (October 9, 2024)

Integrations

Investigation & Response

Fixed the minimal server version required for running the commands core-terminate-process and core-terminate-causality.

Related pull requests:
- 36636

3.0.73 - 1480610 (October 8, 2024)

Playbooks

Large Upload Alert

Fixed an issue which caused the ‘Calculate Verdict’ task to fail due to incorrect context keys used in benign conditions of the ‘Calculate Verdict’ playbook task.

Related pull requests:
- 36535

3.0.72 - 1477969 (October 8, 2024)

Playbooks

New: SSO Password Spray

This playbook is designed to handle the following alerts:

SSO Password Spray Threat Detected
SSO Password Spray Activity Observed
SSO Password Spray Involving a Honey User
Playbook Stages:
Triage:
The playbook checks the IP reputation and fetches the events related to the SSO login attempts.
Early Containment:
The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP.
Investigation:
The playbook assess the risk score of the user who successfully logged in and examines the legitimacy of the user agent. It verifies if the user has MFA configured and analyzes the timestamps of the login attempts to detect patterns.
Containment:
If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook clears the user's session. If the user doesn't have MFA, the playbook recommends expiring the user's password.
Requirements:
For any response action, you need one of the following integrations:
Microsoft Graph User
Okta

Related pull requests:
- 36548

3.0.71 - 1475337 (October 7, 2024)

Playbooks

New: Scheduled task created with HTTP or FTP reference

New: This playbook is designed to handle the alert "Scheduled task created with HTTP or FTP reference".
The playbook executes the following stages:
Investigation:
During the alert investigation, the playbook will perform the following:
Checks the IP and the URL reputation.
Checks the CGO process signature.
Searches for related XDR agent alerts to determine if the creation of the scheduled task is part of an attack pattern.
Remediation:
Remediation actions will be taken if the CGO process is unsigned, the IP or URL has a malicious reputation, or a related alert is detected.
In these cases, the playbook will disable the scheduled task, block the malicious indicators, and close the alert.
Requires: To block the malicious URL and IP, configure 'Palo Alto Networks PAN-OS' integration.

Related pull requests:
- 36572

3.0.70 - 1472173 (October 7, 2024)

Playbooks

New: Added a new playbook for investigation and response to external login password spray attacks. The playbook checks the logon type, the outcome, the timestamps, the users, and the IP, to decide on the correct remediation plan, prompted by user approval.

Related pull requests:
- 36536

3.0.69 - 1457639 (October 1, 2024)

Integrations

Investigation & Response

Added the following commands:

core-terminate-process
- core-terminate-causality

Related pull requests:
- 35226
- 34695
- 35004
- 35201
- 35200
- 34659
- 35177
- 35199
- 35181
- 35208
- 35136
- 35197
- 35209
- 35211
- 35220
- 35133
- 35030
- 35221
- 34874
- 35222
- 33954
- 35227
- 35183
- 138
- 35206
- 35175
- 35182
- 35112
- 35225
- 35034
- 35162
- 35223

3.0.68 - 1429144 (September 24, 2024)

Integrations

Investigation & Response

Added a polling command core-script-run.
Deprecated the core-run-script command- Use core-script-run instead.

Playbooks

Large Upload Alert

Added transformers to the conditions within the 'Calculate Verdict' task to obtain the highest or lowest score in cases where an array of results was returned.
Fixed an issue which caused the 'Calculate Verdict' task to fail due to an incorrect filter being used in certain conditions of the 'Calculate Verdict' playbook task.
Fixed the context path for risk scores of risky hosts and users within the 'malicious' condition of the 'Calculate Verdict' task.
Updated task numbers 32 and 48's descriptions and names.
Updated the sub-playbooks' context configurations so that they can be shared globally.

Related pull requests:
- 36413

3.0.66 - 1425722 (September 24, 2024)

Playbooks

Suspicious SaaS Access From a TOR Exit Node

Playbook description minor fixes.
AWS response logic fix.
Added "Continue on error" function to the MS-Graph and G-Suite early containment tasks.

Related pull requests:
- 36349

3.0.65 - 1403239 (September 18, 2024)

Playbooks

Fixed an issue when no user agent exists by adding a new task to extract only suspicious user agents.

Related pull requests:
- 36382

3.0.64 - 1398165 (September 17, 2024)

Playbooks

Large Upload Alert

Fixed the regex expression in the ‘Check Uploaded Data Volume’ task’s transformer.

Related pull requests:
- 36368

3.0.63 - R1389438 (September 16, 2024)

Integrations

Investigation & Response

Fixed an issue where an error was not logged correctly.

Indicators detection

Fixed an issue where an error was not logged correctly.

Playbooks

Large Upload Alert

Fixed an issue with empty context values by replacing 'Set' automation with 'SetAndHandleEmpty' in specific tasks.
Fixed an issue that caused the 'Check Uploaded Data Volume' task to fail due to a missing 'sumlist' transformer.

Related pull requests:
- 36294

3.0.61 - 1373264 (September 11, 2024)

Integrations

Investigation & Response

Documentation and metadata improvements.

Related pull requests:
- 36240

3.0.60 - 1370357 (September 11, 2024)

Layouts

Identity Analytics Alerts
Updated layout with canvas tab.
Default
Updated layout with canvas tab.
Default XDR Alert
Updated layout with canvas tab.

Related pull requests:
- 36021

3.0.59 - 1350055 (September 5, 2024)

Integrations

Indicators detection

Updated the CoreIRApiModule to support status resolved_auto_resolve close-reason in XSOAR-XDR close-reasons mapping.

Investigation & Response

Updated the CoreIRApiModule to support status resolved_auto_resolve close-reason in XSOAR-XDR close-reasons mapping.

Related pull requests:
- 36028

3.0.58 - 1345259 (September 4, 2024)

Integrations

New: XQL Query Engine

New: This is an XQL Query Engine integration, now a part of the Core pack (Available from Version 8.7.0-1247804).
Added the following new commands:
- xdr-xql-generic-query
- xdr-xql-get-quota
- xdr-xql-get-query-results
- xdr-xql-file-event-query
- xdr-xql-process-event-query
- xdr-xql-dll-module-query
- xdr-xql-network-connection-query
- xdr-xql-registry-query
- xdr-xql-event-log-query
- xdr-xql-dns-query
- xdr-xql-file-dropper-query
- xdr-xql-process-instance-network-activity-query
- xdr-xql-process-causality-network-activity-query

Related pull requests:
- 35749

3.0.57 - R1324639 (August 29, 2024)

Playbooks

New: This playbook is designed to handle the following alerts:
A successful SSO sign-in from TOR
A successful SSO sign-in from TOR via a mobile device
The playbook executes the following stages:
Early Containment:
Clear/revoke the user sessions and force re-authentication.
Investigation:
Checks the user's risk score.
Checks for suspicious user agent usage within the alert.
Checks for related XDR alerts using MITRE tactics to identify any malicious activity.
Remediation:
Based on the user's risk score and related alerts, the playbook will disable the account if any malicious parameters are found. By default, account disabling requires analyst approval.
Requires:
Integrations - Microsoft Graph User / Okta v2.

New: Suspicious SaaS Access From a TOR Exit Node

New: Playbook Overview:
This playbook is designed to handle the following alerts:
Suspicious SaaS API call from a Tor exit node
Suspicious SaaS API call from a Tor exit node via a mobile device
Suspicious API call from a Tor exit node
Suspicious Kubernetes API call from a Tor exit node
Playbook Stages:
Early Containment:
To terminate the connection from the Tor exit node, the playbook will clear/revoke the user's sessions and force re-authentication. Depending on the alert source, the playbook will use either MS-Graph or G-Suite to clear the user sessions.
Investigation:
The playbook will assess the risk score of the user connected from the Tor exit node and examine the legitimacy of the user agent.
Containment:
If the user's risk score is high or the user agent is detected as suspicious, the playbook will recommend blocking the account connected from the Tor exit node. The playbook will use MS-Graph, G-Suite, or AWS-IAM, depending on the alert source.
Eradication:
For users with PAN-OS enabled, the playbook will recommend blocking all IPs from the Palo Alto Intelligence-based external dynamic list that contains Tor exit nodes. The goal is to prevent the use of Tor within the organization.
Requirements:
For any response action, you will need one of the following integrations: Microsoft Graph User / G-Suite Admin / AWS-IAM.

Related pull requests:
- 35941

3.0.55 - 1317860 (August 28, 2024)

Integrations

Investigation & Response

Added the alter_events_from_decider argument, use this argument to obtain events_from_decider context path as a list (for improved for playbook automation) rather than a dictionary (The original API raw response).

Related pull requests:
- 36022

3.0.54 - 1284734 (August 18, 2024)

Integrations

Investigation & Response

Fixed an issue where the get-endpoint and endpoint commands failed when the endpoint did not include an IP field.

Related pull requests:
- 35892

3.0.53 - 1277948 (August 15, 2024)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 35630

3.0.52 - 1249898 (August 7, 2024)

Integrations

Indicators detection

Updated the CoreIRApiModule with support for getting binary data from server.

Related pull requests:
- 35515

3.0.51 - R1212834 (July 25, 2024)

Integrations

Investigation & Response

Fixed an issue in the core-blocklist-files and core-allowlist-files commands where an error was returned when all of the hashes had already been added to the blocklist or the allowlist.

Related pull requests:
- 35560

3.0.50 - 1162940 (July 9, 2024)

Integrations

Indicators detection

Updated the CoreIRApiModule with support for custom XSOAR close-reasons in XSOAR-XDR close-reason mapping.

Investigation & Response

Updated the CoreIRApiModule with support for custom XSOAR close-reasons in XSOAR-XDR close-reason mapping.

Related pull requests:
- 35038

3.0.49 - 1149551 (July 4, 2024)

Integrations

Indicators detection

Fixed an issue where the integration commands failed due to a change in the API request process.

Investigation & Response

Fixed an issue where the integration commands failed due to a change in the API request process.

Related pull requests:
- 35206

3.0.48 - 1137281 (July 1, 2024)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 34933
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 35023
- 34776

3.0.47 - 1135833 (June 30, 2024)

Playbooks

IOC Alert

Internal code improvements.

Local Analysis alert Investigation

Organized the playbook tasks.

Related pull requests:
- 35073

3.0.45 - 1129454 (June 27, 2024)

Playbooks

Impossible Traveler Response

Updated the 'EndpointID' playbook input value within the 'Containment Plan' sub-playbook.

Related pull requests:
- 35067

3.0.44 - 1124076 (June 26, 2024)

Playbooks

Get entity alerts by MITRE tactics

Updated the alert field where MITRE tactics are searched.

Related pull requests:
- 34545

3.0.43 - 1122733 (June 25, 2024)

Playbooks

Impossible Traveler - Enrichment

Internal code improvements.

Identity Analytics - Alert Handling

Internal code improvements.

Related pull requests:
- 34698

3.0.41 - 1118790 (June 24, 2024)

Playbooks

NGFW Internal Scan

Deleted an unnecessary manual task titled 'Manual Review Internal Scan' to optimize playbook flow.

Possible External RDP Brute-Force - Set Verdict

Updated the alert field configuration within the mapping rule of the 'Set related alerts' playbook task.

Related pull requests:
- 34779

3.0.39 - 1112736 (June 23, 2024)

Integrations

Investigation & Response

Fixed an issue in CoreIRApiModule where it was failing to parse a response.

Related pull requests:
- 34975

3.0.38 - R1104278 (June 19, 2024)

Integrations

Investigation & Response

Fixed an issue in CoreIRApiModule regarding close reason resolution.

Related pull requests:
- 34877

3.0.37 - 1082615 (June 10, 2024)

Core - Investigation and Response

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34804

3.0.36 - 1081587 (June 9, 2024)

Playbooks

IOC Alert

Deleted two unnecessary manual tasks titled 'Should continue with the investigation?' and 'Continue with the alert investigation' to optimize playbook flow.

Identity Analytics - Alert Handling

Updated the mapping rule for the 'Failed Logon Events' alert field in the 'Set Number of Related Alerts' playbook task.

Related pull requests:
- 34777

3.0.34 - 1070867 (June 5, 2024)

Playbooks

Identity Analytics - Alert Handling

Updated the output value for the 'Number Of Found Related Alerts' alert field mapping rule in the 'Set Number of Related Alerts' task.

Related pull requests:
- 34696

3.0.33 - 1059388 (May 31, 2024)

Integrations

Investigation & Response

Improved implementation of the authorization process.
Updated the Docker image to: demisto/google-cloud-storage:1.0.0.96060.

Indicators detection

Improved implementation of the authorization process.
Updated the Docker image to: demisto/google-cloud-storage:1.0.0.96060.

Related pull requests:
- 34620
- 34568
- 34511
- 33494
- 34621
- 34622

3.0.32 - 1026664 (May 19, 2024)

Integrations

Investigation & Response

Improved implementation for xdr-remove-blocklist-files command in the CoreIRApiModule.

Related pull requests:
- 34408

3.0.31 - 1012872 (May 12, 2024)

Integrations

Investigation & Response

Fixed an issue where running the core-get-incidents command with starred="false" returned starred incidents.

Related pull requests:
- 34307

3.0.30 - 1005026 (May 8, 2024)

Integrations

Investigation & Response

Fixed an issue where core-report-incorrect-wildfire command failed due to a missing argument.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 34268

3.0.29 - 998827 (May 6, 2024)

Core - Investigation and Response

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

3.0.28 - 975934 (April 24, 2024)

Playbooks

T1059 - Command and Scripting Interpreter

Added a new conditional task to verify the existence of a command line parameter.

New: Large Upload Alert

The playbook investigates Cortex XDR incidents involving large upload alerts.
The playbook consists of the following procedures:
Searches for similar previous incidents that were closed as false positives.
Enrichment and investigation of the initiator and destination hostname and IP address.
Enrichment and investigation of the initiator user, process, file, or command if it exists.
Detection of related indicators and analysis of the relationship between the detected indicators.
Utilize the detected indicators to conduct threat hunting.
Blocks detected malicious indicators.
Endpoint isolation.
This playbook supports the following Cortex XDR alert names:
Large Upload (Generic)
Large Upload (SMTP)
Large Upload (FTP)
Large Upload (HTTPS)

Triggers Recommendations

New: Large Upload Alert

Related pull requests:
- 33657

3.0.26 - 974548 (April 24, 2024)

Integrations

Investigation & Response

Fixed an issue in CoreIRApiModule where closing an incident in XDR with 'duplicate' close reason, would not be closed in XSOAR.

Related pull requests:
- 34082

3.0.25 - 970211 (April 21, 2024)

Layouts

Identity Analytics Alerts
Updated the layout to utilize the 'VerdictResult' script.

Related pull requests:
- 34048

3.0.24 - 953931 (April 14, 2024)

Integrations

Investigation & Response

Fixed an issue in CoreIRApiModule regarding close reason resolution.

Related pull requests:
- 33867

3.0.23 - 916317 (March 26, 2024)

Scripts

impossibleTravelerGetDistance

Updated the Docker image to: demisto/py3-tools:1.0.0.90842.

Related pull requests:
- 33514
- 33458
- 33455
- 33501
- 33509
- 33490
- 33477
- 33461
- 33365
- 33315
- 33454

3.0.22 - 873658 (March 6, 2024)

Integrations

Investigation & Response

Added support for flexible close-reason mapping in handle_outgoing_issue_closure in CoreIRApiModule. Does not affect this module.

Related pull requests:
- 33140

3.0.21 - 865088 (March 3, 2024)

Layouts

Identity Analytics Alerts
Added a new button to the Identity Analytics layout for resetting a user's password.

Playbooks

Identity Analytics - Alert Handling

Updated task name 'Analyst Decision'.

Related pull requests:
- 32470

3.0.20 - 833530 (February 17, 2024)

Integrations

Investigation & Response

Fixed an issue where the 'Resolved - Security Testing' close reason was not mirrored properly.

Related pull requests:
- 32856

3.0.19 - 829761 (February 15, 2024)

Integrations

Investigation & Response

Updated the outgoing mirroring process to also check the close reason of the incident, if needed.

Related pull requests:
- 32359

3.0.18 - 819156 (February 11, 2024)

Playbooks

Ransomware Response

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

T1059 - Command and Scripting Interpreter

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

IOC Alert

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

NGFW Scan

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

NGFW Internal Scan

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

Local Analysis alert Investigation

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

T1036 - Masquerading

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

WildFire Malware

Removed the unnecessary input timeRange used by the sub-playbook Endpoint Investigation Plan.

Related pull requests:
- 32007

3.0.17 - 801044 (February 2, 2024)

Playbooks

Local Analysis alert Investigation

Fixed the WildFire verdict decision tas number 14 to handle correctly Benign and Malware verdicts

Related pull requests:
- 32513

3.0.16 - 784509 (January 25, 2024)

Integrations

Investigation & Response

Removed the core-list-roles and the core-set-user-role commands.
Updated the Docker image to: demisto/python3:3.10.13.85667.

Related pull requests:
- 32382

3.0.15 - 778227 (January 22, 2024)

Core - Investigation and Response

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

3.0.14 - 775948 (January 21, 2024)

Playbooks

IOC Alert

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

WildFire Malware

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

NGFW Internal Scan

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).
Added a conditional task to check if the input SOCEmailAddress is not empty before notify the SOC via email.

T1059 - Command and Scripting Interpreter

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Impossible Traveler Response

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Local Analysis alert Investigation

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

T1036 - Masquerading

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

NGFW Scan

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Possible External RDP Brute-Force

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Ransomware Response

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Ransomware Enrich and Contain

Updated the default value of IAMUserDomain used by the Containment Plan sub-playbook.

Related pull requests:
- 32125

3.0.13 - 774340 (January 21, 2024)

Integrations

Investigation & Response

Added the core-get-incidents command.
Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 31333

3.0.12 - 769959 (January 18, 2024)

Playbooks

Get entity alerts by MITRE tactics

Updated the command SearchIncidentsV2 to SearchAlertsV2.

Related pull requests:
- 31904

3.0.11 - 768818 (January 17, 2024)

Playbooks

Identity Analytics - Alert Handling

Updated the task 'Set Number of Related Alerts' to count related alerts include low-severity alerts and above.

Triggers Recommendations

New: Remote PsExec with LOLBIN command execution alert

Related pull requests:
- 32205

3.0.9 - 757686 (January 11, 2024)

Playbooks

New: Remote PsExec with LOLBIN command execution alert

New: The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source.
The playbook aims to efficiently:
Check if the execution is blocked. If not will terminate the process (Manually by default).
Enrich any entities and indicators from the alert and find any related campaigns.
Perform command analysis to provide insights and verdict for the executed command.
Perform further endpoint investigation using XDR.
Checks for any malicious verdict found to raise the severity of the alert.
Perform Automatic/Manual remediation response by blocking any malicious indicators found.
The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
It depends on the data from the parent playbooks and can not be used as a standalone version. (Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 31748
- 31197
- 30641
- 31213
- 30647
- 31225
- 30873
- 31168
- 31228
- 31226
- 31236
- 30393
- 31233
- 31242
- 31183
- 31245
- 31254
- 30525
- 30501
- 31268
- 31179
- 31170
- 31247
- 31084
- 30663
- 31190
- 30712
- 31252
- 30493
- 25523
- 31144
- 31265
- 31253
- 31262
- 31154
- 30959
- 31234
- 31276
- 31286
- 31264
- 31272
- 31287
- 31288
- 31290
- 31289
- 31291
- 31292
- 31293
- 31295
- 31294
- 31256
- 31189
- 31296
- 31271
- 31314
- 31166
- 31101
- 31220
- 31021
- 31308
- 31311
- 31269
- 31312
- 31297
- 31315
- 31192
- 31267
- 31232
- 31310
- 31246
- 31300
- 31273
- 31322
- 31320
- 31324
- 29092
- 31299
- 31251
- 31319
- 30783
- 30940
- 31334
- 31337
- 30110
- 31340
- 31331
- 31343
- 31148
- 31124
- 31327
- 31281
- 31350
- 31028
- 31230
- 31346
- 30990
- 30819
- 31373
- 31372
- 31352
- 31212
- 30981
- 31349
- 31362
- 31368
- 31376
- 31369
- 31370
- 31385
- 31123
- 31342
- 31347
- 31363
- 30637
- 31371
- 31097
- 31387
- 31386
- 30787
- 31378
- 31155
- 31357
- 31223
- 31159
- 31330
- 29709
- 31401
- 31237
- 31392
- 31403
- 31339
- 30694
- 31399
- 31410
- 31414
- 31302
- 31406
- 31329
- 31420
- 31419
- 31065
- 1
- 31318
- 31062
- 31417
- 31431
- 31427
- 31418
- 31323
- 31361
- 30157
- 31398
- 31428
- 31434
- 31439
- 31377
- 31446
- 31459
- 31433
- 31355
- 31451
- 31442
- 31471
- 31473
- 31229
- 31326
- 31146
- 31448
- 31470
- 31394
- 31472
- 31457
- 31475
- 31476
- 31474
- 31485
- 31140
- 31458
- 31460
- 31194
- 31481
- 31507
- 31328
- 31402
- 31510
- 31019
- 31482
- 31411
- 31483
- 31461
- 31136
- 31393
- 31520
- 31523
- 31099
- 31514
- 31522
- 31404
- 31517
- 31512
- 31167
- 31531
- 31533
- 31565
- 31496
- 31537
- 31479
- 31487
- 31535
- 31557
- 31421
- 31558
- 31550
- 31560
- 31562
- 31555
- 31554
- 31552
- 31556
- 31551
- 31553
- 31559
- 30983
- 31568
- 31547
- 31478
- 31573
- 31436
- 31518
- 31224
- 31495
- 31563
- 31574
- 31388
- 31191
- 31579
- 31536
- 31572
- 31527
- 31578
- 31438
- 31583

3.0.8 - 755215 (January 10, 2024)

Integrations

Investigation & Response

Fixed an issue where the following polling commands retrieved partial results when a list of arguments was provided:
- core-run-script-kill-process
- core-run-script-file-exists
- core-run-script-delete-file

Playbooks

Local Analysis alert Investigation

Updated the input Query to search for alerts on the endpoint by agent ID instead of host IP, used by the sub-playbook "Enrichment for verdict".
Updated the default value of the input ShouldOpenTicket to 'False'.

Related pull requests:
- 31956

3.0.6 - 753737 (January 10, 2024)

Playbooks

Identity Analytics - Alert Handling

Added playbook input sections to organize the inputs into related categories, which simplifies the playbook input visibility. (Available from Cortex XSIAM 2.0).

Related pull requests:
- 31893

3.0.5 - 721233 (December 27, 2023)

Integrations

Investigation & Response

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31808

3.0.4 - 7254058 (December 24, 2023)

Layout Rules

New: Identity Analytics Alerts Layout Rule

New: Identity Analytics Alerts

Layouts

New: Identity Analytics Alerts
New: Identity Analytics Alerts

Playbooks

New: Identity Analytics - Alert Handling

New: The Identity Analytics - Alert Handling playbook is designed to handle Identity Analytics alerts and executes the following:
Analysis:
Enriches the IP and the account, providing additional context and information about these indicators.
Verdict:
Determines the appropriate verdict based on the data collected from the enrichment phase.
Investigation:

Checks for related Cortex XDR alerts to the user by Mitre tactics to identify malicious activity.
Checks for specific arguments for malicious usage from Okta using the 'Okta User Investigation' sub-playbook.
Checks for specific arguments for malicious usage from Azure using the 'Azure User Investigation' sub-playbook.
Verdict Handling:
Handles malicious alerts by initiating appropriate response actions, including blocking malicious IP and revoking or clearing user's sessions.
Handles non-malicious alerts identified during the investigation.

Triggers Recommendations

New: Identity Analytics Alerts

Related pull requests:
- 31441

3.0.3 - 7132024 (December 11, 2023)

Playbooks

Ransomware Enrich and Contain

Changed the sub-playbook Detonate File - WildFire to a new version.

Related pull requests:
- 31330

3.0.2 - 7076512 (December 5, 2023)

Playbooks

Get entity alerts by MITRE tactics

Rewrote the playbook to create only 1 search request instead of a request for each tactic. The performance of the playbook has been significantly improved.
Fixed an issue where the time range for hunting was set to 20 days.

Related pull requests:
- 31232

3.0.1 - 7033788 (November 30, 2023)

Playbooks

NGFW Internal Scan

Replaced the deprecated 'Get endpoint details - Generic' sub-playbook with the 'Get endpoint details - Generic'.

Related pull requests:
- 31197

3.0.0 - 6887992 (November 14, 2023)

Important Note: The following playbook: Cloud IAM User Access Investigation moved to the 'Cloud Incident Response' pack. The 'Cloud Incident Response' pack will be installed as a dependency of the 'Core' pack.

Related pull requests:
- 28650

2.1.2 - 6883610 (November 14, 2023)

Integrations

Investigation & Response

Updated the Docker image to: demisto/python3:3.10.13.80014.
Added the public_ip_list argument for the core-get-endpoints command.

Related pull requests:
- 30662
- 30308

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	February 17, 2022
Last Release	November 15, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Core - Investigation and Response

What does this pack do?

Playbooks

New: Unsigned and unpopular process performed an injection

Triggers Recommendations

New: Unsigned and unpopular process performed an injection

Playbooks

New: A mail forwarding rule was configured in Google Workspace

Triggers Recommendations

New: A mail forwarding rule was configured in Google Workspace

Playbooks

Scheduled task created with HTTP or FTP reference

New: Uncommon remote scheduled task created

New: Suspicious Hidden User Created

Scripts

impossibleTravelerGetDistance

Triggers Recommendations

New: Uncommon remote scheduled task created

New: Alert Trigger - Suspicious Hidden User Created

Integrations

Investigation & Response

Indicators detection

Layouts

Playbooks

New: Compromise Accounts - User rejected numerous SSO MFA attempts

Triggers Recommendations

New: Compromise Accounts - User has rejected numerous SSO MFA attempts

Playbooks

Unprivileged process opened a registry hive

Playbooks

New: Unprivileged process opened a registry hive

Integrations

Investigation & Response

Playbooks

SSO Password Spray

Playbooks

New: Netcat Makes or Gets Connections

Playbooks

External Login Password Spray

New: Suspicious LDAP search query

Playbooks

New: A Successful login from TOR

Playbooks

New: User added to local administrator group using a PowerShell command

New: Event Log Was Cleared

New: Credential Dumping using a known tool

Playbooks

New: SSO Brute Force

Integrations

Investigation & Response

Playbooks

Large Upload Alert

Playbooks

New: SSO Password Spray

Playbooks

New: Scheduled task created with HTTP or FTP reference

Playbooks

New: External Login Password Spray

Integrations

Investigation & Response

Integrations

Investigation & Response

Playbooks

Large Upload Alert

Playbooks

Suspicious SaaS Access From a TOR Exit Node

Playbooks

A successful SSO sign-in from TOR

Playbooks

Large Upload Alert

Integrations

Investigation & Response

Indicators detection

Playbooks

Large Upload Alert

Integrations

Investigation & Response

Layouts

Integrations

Indicators detection