Cortex Response And Remediation

Details
Content
Dependencies
Version History

The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.

The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes, built to support an Autonomous SOC vision.
The playbooks in this pack are tightly coupled to Issues, leveraging detector logic to provide highly accurate and context-aware responses. This ensures seamless integration with Cortex XSIAM, enabling SOC teams to focus on high-priority threats while automating repetitive tasks.

Response & Remediation Pack playbooks Key Principles

Focused Security Response: Playbooks prioritize high-quality security responses while delegating organizational tasks to incident-level or sub-playbooks.
Research-Based Design: The playbooks in the Response & Remediation pack are designed by the Cortex & Prisma Research team with extensive expertise and knowledge in responding to incidents and alerts.
Detector Alignment: Playbooks are tailored to specific Cortex and Prisma issues, ensuring precision by aligning with detector logic.
Cortex Analytics Integration: Playbooks leverage Cortex analytics capabilities to derive precise verdicts for accurate and effective remediation.
AI-Driven Investigations: Advanced AI capabilities enrich investigations by providing deeper insights and contextual data to improve decision-making.
Clear Design: Understandable within minutes.

Playbook Features

Prebuilt: Use out-of-the-box (OOTB) playbooks to ensure rapid deployment and reliable functionality.
Context-aware Actions: Implement responsive actions based on alert triggers.
Seamless Integrations: Fully compatible with Palo Alto Networks products and compatible also with third-party solutions.
Granular Monitoring: Provides detailed logs for tracking execution.

Playbooks

Name	Description
Exchange forwarding rule configured	This playbook addresses the following alerts: External Exchange inbox forwarding rule configured. Suspicious Exchange inbox forwarding rule configured. Suspicious Exchange email-hiding inbox rule. Possible BEC Exchange email-hiding inbox rule. Exchange email-hiding transport rule based on message keywords. Suspicious Exchange email-hiding transport rule. Exchange transport forwarding rule configured. Suspicious Exchange transport forwarding rule configured. Playbook Stages: Triage: The playbook retrieves the caller's IP, the forwarding email address, and the domain. Early Containment: The playbook checks if the IP or domain of the forwarding email address is malicious. If so, it suggests blocking the IP using PAN-OS while continuing the investigation in parallel. Investigation: The playbook checks for suspicious behaviors, including whether an Exchange admin created the rule outside of working hours, from unusual geolocation, or if the user who created the rule has a high-risk score. It then aggregates all evidence collected during the investigation. Containment: Soft Response Actions: If at least two suspicious pieces of evidence are identified, the playbook will execute soft response actions. These actions include signing the user out and disabling the forwarding rule configured in the user's account mailbox. Hard Response Actions: If more than two suspicious pieces of evidence are identified, the playbook escalates to hard response actions. These actions include disabling the user account upon analyst decision and removing the forwarding rule from the user's account mailbox. Requirements: For any response action, you need the following integrations: EWS Extension Online Powershell v3 integration. Azure Active Directory Users.
Suspicious process execution by scheduled task on a sensitive server	This playbook handles "Suspicious process execution by scheduled task on a sensitive server" alerts. Playbook Stages: Analysis: Checks the suspicious process reputation. Investigation: Searches for related XSIAM agent alerts to identify any malicious activity on the server. Remediation: If the suspicious process reputation is malicious, or if a related alert is found, the following remediation actions will be taken: Disable the scheduled task responsible for executing the process. Terminate the malicious process. Automatically Close the alert.
Successful guest user invitation	This playbook addresses the following alert: Rare successful guest invitation in the organization Playbook Stages: Triage: Gather initial information about the invited user and associated alerts. Investigation: Check IOCs Reputation: Analyze the reputation of IP addresses, email addresses, and domains related to the alert. Check for Azure Alerts: Retrieve user Principal Name (UPN). Extract recent Azure security alerts for the inviting user. Check if User is Risky: Assess the risk score of the inviting user based on Core and Azure risk indicators. Investigate reasons behind any identified risks, including recent detections. Containment: Provide a manual task for an analyst to review the findings and decide the next steps. Possible actions: Disable the invited user. Disable the inviting user. Disable both users. Take no action. If users are disabled, revoke their active sessions to ensure immediate containment. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: `Cortex Core - Investigation and Response` for Core user risk evaluation. `Azure Risky Users` for retrieving user risk scores. `Microsoft 365 Defender` for advanced hunting queries and Azure security alerts. `Microsoft Graph User` for disabling accounts and revoking sessions.
SSO Password Spray	This playbook is designed to handle the following alerts: SSO Password Spray Threat Detected SSO Password Spray Activity Observed SSO Password Spray Involving a Honey User Playbook Stages: Triage: The playbook checks the IP reputation and fetches the events related to the SSO login attempts. Early Containment: The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP. Investigation: The playbook assess the risk score of the user who successfully logged in and examines the legitimacy of the user agent. It verifies if the user has MFA configured and analyzes the timestamps of the login attempts to detect potential malicious automated patterns. Containment: If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals were automated, the playbook clears the user's session. If the user doesn't have MFA, the playbook recommends expiring the user's password. Requirements: For any response action, you need one of the following integrations: Microsoft Graph User Okta
Suspicious LDAP search query	This playbook is designed to handle the following alerts: Possible LDAP enumeration by unsigned process. Suspicious LDAP search query executed. The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. Whether the Actor Process Command line contains suspicious arguments. Checks for prevalence of the Actor Process Name and Actor Process CMD. Host risk score is "Medium" or "High". User risk score is "High". Remediation: Handles malicious alerts by terminating the causality process. Handles non-malicious alerts identified during the investigation.
Uncommon creation or access operation of sensitive shadow copy by a high-risk process	This playbook addresses the following alerts: Uncommon creation or access operation of sensitive shadow copy by a high-risk process Playbook Stages: Triage: Check if the causality process image (CGO) is signed or not Investigation: If CGO is unsigned: Check the CGO process prevalence Check if the process image path is common If CGO is signed: Check process image name Check initiating process image name Check if username is SYSTEM Check if host is a server Check for previous similar alert closed as False Positive Containment: Terminate causality process (CGO) process - when a signed high-risk process or an unsigned process from an uncommon path attempting to create or access sensitive shadow copy data.
Suspicious Hidden User Created	This playbook addresses the following alerts: Suspicious Hidden User Created Playbook Stages: Triage: Retrieve event information about the created user Investigation: Check if the user is local or domain. For domain users: Retrieve AD attributes, including password expiration. For local users: Run a Powershell command to get "Password Expires" attribute of the local user. Get risk level for the affected host. Search for related Script Engine Activity alerts in the alert. Containment: For alerts determined to be true positives, suggest to the analyst to disable the user. Upon analyst approval: Disable the suspicious user account (domain or local). If a related alert about malicious activity exists, kill the Causality Group Owner (CGO) process that created the suspicious user. Requirements: For response actions, you need the following integrations: Cortex Core - Investigation and Response Active Directory Query v2 (for domain user actions).
Endpoint initiated uncommon remote scheduled task creation	This playbook handles "Uncommon remote scheduled task creation" alert, which is generated on the source host that created the remote scheduled task. Playbook Stages: Analysis: The playbook verifies whether the causality process is signed and prevalent. If the process is not signed and not prevalent, it proceeds with remediation actions; otherwise, it continues investigating the alert. Investigation: During the alert investigation, the playbook will perform the following: Searches for related Cortex XSIAM alerts on the endpoint that use the following MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, T1021 - Remote Services. Searches for related Cortex XSIAM agent alerts on the remote endpoint, to determine if the creation of the scheduled task is part of an attack pattern. Searches for suspicious command-line parameters indicating a malicious scheduled task. Remediation: Automatically disable the malicious scheduled task on the remote host. Automatically terminate the causality process. Automatically close the alert.
Credential Dumping using a known tool	This playbook is designed to handle the following alerts: Command-line arguments match Mimikatz execution Mimikatz command-line arguments Credential dumping via wce.exe Credential dumping via gsecdump.exe PowerShell runs with known Mimikatz arguments Hash cracking using Hashcat tool Credential dumping via fgdump.exe Credential dumping via LaZagne Credential dumping via pwdumpx.exe Dumping lsass.exe memory for credential extraction Memory dumping with comsvcs.dll The playbook executes the following stages: Early Containment: Handles malicious alerts by terminating the causality process. Remediation: Handles malicious alerts by suggesting the analyst to isolate the endpoint.
Msiexec execution of an executable from an uncommon remote location	This playbook addresses the following alerts: Msiexec execution of an executable from an uncommon remote location with a specific port Msiexec execution of an executable from an uncommon remote location without properties Playbook Stages: Analysis: Check extracted URL reputation: Determine if the MSI package was installed from a malicious source If the URL is found to be malicious, the playbook will proceed directly to remediation steps Investigation: Check extracted domain's prevalence and causality process signature status: Evaluate the prevalence of the domain from which the MSI package was downloaded Verify if the causality process (CGO) is signed or unsigned If the domain is found malicious and the causality process is unsigned, the playbook will proceed directly to remediation steps Check for the following related alerts: Local Analysis Malware Mitre Techniques: T1140 - Deobfuscate/Decode Files or Information T1059 - Command and Scripting Interpreter Analyze CGO command line for defense evasion techniques: Evaluate the command line for suspicious patterns which indicates attempts to bypass security controls If the command line contains suspicious patterns or related alerts are found, the playbook will proceed directly to remediation steps Containment: Terminate causality process Block maliciou URL (Manual approval) Implement URL blocking using PAN-OS through Custom URL Categories Isolate endpoint (Manual approval) Requirements: For any response action, you need the following integration: PAN-OS.
Suspicious SaaS Access From a TOR Exit Node	This playbook is designed to handle the following alerts: Suspicious SaaS API call from a Tor exit node Suspicious SaaS API call from a Tor exit node via a mobile device Suspicious API call from a Tor exit node Suspicious Kubernetes API call from a Tor exit node Playbook Stages: Early Containment: To terminate the connection from the Tor exit node, the playbook will clear/revoke the user's sessions and force re-authentication. Depending on the alert source, the playbook will use either MS-Graph or G-Suite to clear the user sessions. Investigation: The playbook will assess the risk score of the user connected from the Tor exit node and examine the legitimacy of the user agent. Containment: If the user's risk score is high or the user agent is detected as suspicious, the playbook will recommend blocking the account connected from the Tor exit node. The playbook will use MS-Graph, G-Suite, or AWS-IAM, depending on the alert source. Eradication: For users with PAN-OS enabled, the playbook will recommend blocking all IPs from the Palo Alto Intelligence-based external dynamic list that contains Tor exit nodes. The goal is to prevent the use of Tor within the organization. Requirements: For any response action, you will need one of the following integrations: Microsoft Graph User G-Suite Admin AWS-IAM.
Excessive User Account Lockouts	This playbook addresses the following alerts: Excessive user account lockouts Excessive account lockouts on suspicious users Excessive user account lockouts from a suspicious source The playbook investigates and responds to excessive user account lockout alerts. It gathers information about the alert, enriches relevant host data, and analyzes event patterns. This analysis helps distinguish between benign lockouts and lockouts caused by brute-force or password spray attacks. Playbook Stages: Triage: The playbook enriches the alert with details about the lockout events. Investigation: Analyzes the lockout event timestamps to detect patterns. Checks for related medium severity brute-force alerts in the alert. Retrieves the Risk Score for the Caller Computer that caused the lockouts. Containment: With analyst approval, the playbook can isolate the endpoint (either the Caller Computer or the target host) if it's determined to be a true positive and not a server. Requirements: For response actions, the following integration is required: Core - IR.
Suspicious Local Administrator Login	This playbook addresses the following alerts: Suspicious local administrator login Playbook Stages: Investigation: Retrieves the name of the process image involved in the alert. Checks for related Powershell/Command and Scripting/WMI alerts in the alert. Retrieves the host risk score. Containment: Provide a manual task for an analyst to review the findings and decide the next steps. Possible actions: Disable User. Take no action. Requirements: For response actions, the following integration is required: Core - IR.
Scheduled task created with HTTP or FTP reference	This playbook is designed to handle the alert "Scheduled task created with HTTP or FTP reference". The playbook executes the following stages: Investigation: During the alert investigation, the playbook will perform the following: Checks the IP and the URL reputation. Checks the CGO process signature. Searches for related XDR agent alerts to determine if the creation of the scheduled task is part of an attack pattern. Remediation: Remediation actions will be taken if the CGO process is unsigned, the IP or URL has a malicious reputation, or a related alert is detected. In these cases, the playbook will disable the scheduled task, block the malicious indicators, and close the alert. Requires: To block the malicious URL and IP, configure 'Palo Alto Networks PAN-OS' integration.
A mail forwarding rule was configured in Google Workspace	This playbook addresses the following alerts: A mail forwarding rule was configured in Google Workspace. A mail forwarding rule was configured in Google Workspace to an uncommon domain. Playbook Stages: Triage: The playbook retrieves the caller's IP, the forwarding email address, and associated filters. Early Containment: The playbook checks if the IP or domain of the forwarding email address is malicious. If so, it suggests blocking the IP using PAN-OS while continuing the investigation in parallel. Investigation: The playbook verifies if the rule was created outside of working hours or from an unusual geolocation and extracts suspicious keywords from the forwarding rules. It then aggregates all evidence collected during the investigation. Containment: If only one suspicious evidence is found, the playbook executes soft response actions, including signing the user out and deleting the forwarding email address from the user account mailbox. The user will be notified of these actions via email. If multiple suspicious evidences are found, the playbook executes both soft and hard response actions, recommending the analyst suspend the user account. Requirements: For any response action, you need one of the following integrations: Gmail integration to fetch filters and remove the forwarding email address. Google Workspace Admin access to sign out and suspend the user account.
A Successful login from TOR	This playbook is designed to handle the following alert: A successful login from TOR The playbook executes the following stages: Triage: The playbook will fetch the user identity details. Remediation & Eradication: The playbooks will suggest several actions for the analyst to take: disabling the user account using Active Directory or Azure Active Directory, expiring the user password using Active Directory, or blocking traffic from TOR exit nodes using PAN-OS and Palo Alto Networks' predefined EDL. The analyst can select multiple actions, which will then be executed by the playbook based on the analyst's choices. Requirements: For any response action, you will need one of the following integrations: Azure Active Directory Users / Active Directory Users.
SSO Brute Force	This playbook addresses the following alerts: SSO Brute Force Threat Detected SSO Brute Force Activity Observed Playbook Stages: Triage: The playbook checks the IP reputation and fetches the events related to the brute force login attempts. Early Containment: The playbook checks if the IP is suspicious. If it is, the playbook suggests blocking the IP using PAN-OS. The investigation continues in parallel to this phase. Investigation: The playbook assesses the risk score of the user who successfully logged in after a brute force attempt, examines the legitimacy of the user agent and if the brute force attempt is likely automated based on the timestamp interval. It also verifies if the user has MFA configured when the alert source is Okta. Containment: If there is a successful login attempt and the user's risk score is high, or if the user agent is detected as suspicious, or if the time intervals indicates that the login attempts is likely automated, the playbook clears the user's session. If the user doesn't have MFA configured, the playbook recommends expiring the user's password. If there is no successful login detected, no action is taken. Requirements: For any response action, you need one of the following integrations: Microsoft Graph User Okta v2 For eradication step, you need the following integration: Palo Alto Networks PAN-OS.
Unsigned and unpopular process performed an injection	This playbook addresses the following alerts: Unsigned and unpopular process performed injection into a commonly abused process Unsigned and unpopular process performed process hollowing injection Unsigned and unpopular process performed queue APC injection Unsigned and unpopular process performed injection into a sensitive process Unsigned and unpopular process performed injection into svchost.exe Playbook Stages: Triage: Retrieve all alerts associated with the case for initial analysis. Early Containment: Identify whether an agent prevention rule was triggered for the same process ID. If so, there is high confidence that the alert is malicious. If triggered in prevent mode: This indicates a high-confidence verdict and the playbook proceeds with endpoint isolation. If triggered in report mode: This also indicates a high-confidence verdict. The playbook will notify the customer, advise an update to prevent mode for better protection in the future, and proceed with the investigation. If no rule is triggered: The playbook will continue with additional checks to ensure thorough assessment. Investigation: Check for commonly triggered alerts that often precede process injection: If found, initiate containment. If not found, proceed with additional checks. Analyze if any alerts align with MITRE ATT&CK tactics TA0004 (Privilege Escalation) and TA0005 (Defense Evasion): If matching tactics are found, initiate containment. If not, proceed with further investigation. Determine if the causality (parent) process is signed: If signed by a trusted authority, close the alert. If unsigned, escalate for manual approval for containment. Containment: For alerts validated as threats, execute the following actions: Terminate the causality process (CGO) if deemed malicious. Isolate the endpoint in high-risk scenarios to prevent further compromise. Requirements: For response actions, you need the following integrations: Cortex Core - Investigation and Response.
Event Log Was Cleared	This playbook is designed to handle the following alerts: Windows Event Log was cleared using wevtutil.exe Security Event Log was cleared using wevtutil.exe A Sensitive Windows Event Log was cleared using wevtutil.exe Windows event logs were cleared with PowerShell Suspicious clear or delete security provider event logs with PowerShell Suspicious clear or delete default providers event logs with PowerShell Windows event logs cleared using wmic.exe The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. Whether the CGO or the OSParent process is unsigned. The prevalence of the OSParent process. Remediation: Handles malicious alerts by terminating the relevant processes. Handles non-malicious alerts identified during the investigation.
Unprivileged process opened a registry hive	This playbook is designed to handle the 'Unprivileged process opened a registry hive' alert. Playbook Stages: Investigation: During the alert investigation, the playbook will perform the following: Checks the prevalence of the unprivileged process that triggered the alert. Checks the prevalence of the command line used by the unprivileged process. Searches for additional suspicious Cortex XSIAM alerts within the same alert in order to determine whether a remediation measure is required. Remediation: To prevent malicious activity from continuing, the playbook terminates the causality processes that triggered the alert.
Exchange User Mailbox Forwarding	This playbook addresses the following alerts: Exchange user mailbox forwarding. Suspicious Exchange user mailbox forwarding. Playbook Stages: Triage: Collect initial information about the internal user and the associated external forwarding address. Investigation: Check IOCs Reputation: Analyze the reputation of IP addresses, email addresses, and domains associated with the alert. Get External Email Statistics: Retrieve statistics of email interactions between the internal user and the external forwarding address over the last 2 days, including: Number of emails sent to and received from the external address. Number of users interacting with the external address. Check if User is Risky: Assess the internal user's risk score using: Core Risk Evaluation: Identify high-risk users and extract reasons behind elevated risk levels. Azure Risk Indicators: Retrieve Azure risk scores, detections, and recent security alerts for the internal user. Check for Azure Alerts: Perform an advanced hunting query in Microsoft 365 Defender to extract recent Azure alerts associated with the internal user. Containment: Provide a manual task for an analyst to review the findings and determine the appropriate response. Possible actions: Disable the user in Azure AD to prevent further unauthorized actions. Disable mailbox forwarding for the user in Exchange Online. Disable both user and forwarding. Take no action. If the user is disabled, revoke active sessions to ensure immediate containment. Requirements: For the best results, it's recommended to ensure these integrations are configured and working: `Cortex Core - Investigation and Response` for Core user risk evaluation. `Azure Risky Users` for retrieving Azure-based user risk scores and detections. `Microsoft 365 Defender` for advanced hunting queries and extracting Azure alerts. `Microsoft Graph User` for disabling user accounts and revoking active sessions. `Exchange Online EWS` for disabling mailbox forwarding. `Security And Compliance V2` for fetching email interaction statistics.
External Login Password Spray	This playbook is designed to handle the following alerts: External Login Password Spray Successful External Login Password Spray External Login Password Spray on a Domain Controller External Login Password Spray Involving a Honey User Successful External Login Password Spray on a Domain Controller Successful External Login Password Spray on a sensitive server The playbook is designed to investigate and respond to external login password sprays. It enriches the external IP to enable early containment, retrieves event information, and determines how the attack was carried out and whether it was successful. Playbook Stages: Early Containment: With analyst approval, the playbook will block the malicious external IP address involved in the password spray attack, limiting the attacker's ability to continue their actions. Investigation: The playbook analyzes the timestamps of the login attempts to detect patterns, checks whether any logons were successful, and retrieves the Risk Score for users who successfully logged in as part of the attack. Containment: Based on the user’s risk level, the playbook will expire the user’s password to prevent further unauthorized access and terminate any active RDP sessions for the affected user. Requirements: For response actions, the following integrations are required: Active Directory (AD), PAN-OS, Core - IR.
Compromise Accounts - User rejected numerous SSO MFA attempts	This playbook addresses the following alerts: User rejected numerous SSO MFA attempts Multiple SSO MFA attempts were rejected by a user with suspicious characteristics Playbook Stages: Triage: The playbook checks the IP address reputation associated with the MFA attempts and gathers related login events. Early Containment: If the IP address is identified as malicious, the playbook blocks the IP. The investigation continues in parallel to this phase. Investigation: The playbook performs an in-depth analysis, including: Assessing the user's risk score to identify potentially compromised accounts. Checking for an unusually high number of invalid credential attempts, which may indicate brute-force or credential-stuffing activity. Verifying whether Okta logs indicate a malicious source IP based on Okta's threat intelligence. Reviewing whether there have been an excessive number of MFA rejections from the user, suggesting potentially compromised behavior. Looking for abnormal user agent patterns that may indicate suspicious or compromised access methods. Investigating previous failed Okta login attempts within a specified timeframe to identify patterns. Containment: If suspicious activity is confirmed, the playbook initiates the following containment actions: Clears the user's active sessions and expires their password to prevent further unauthorized access. If a successful login attempt was also detected, the playbook prompts a manual task for an analyst to review and decide on further action. Requirements: For any response actions, the following integration is required: Okta v2 For early containment actions, the following integration is required: Palo Alto Networks PAN-OS.
Office process creates a scheduled task via file access	This playbook handles "Office process creates a scheduled task via file access" alerts. Playbook Stages: Analysis: During the analysis, the playbook will perform the following: Checks the Office file path for any suspicious locations. Checks the initiator process prevalence. Checks the initiator process reputation. Extracts the local path of the Office file and runs a script to calculate the Office file hash. Checks if the hash of the Office file identified as malicious. Checks if the initiator process is non-prevalent with suspicious reputation or path. Investigation: During the alert investigation, the playbook will perform the following: Searches for related Cortex XSIAM alerts and insights on the endpoint by specific alert names or by the following MITRE techniques to identify malicious activity: T1055 - Process Injection, T1566 - Phishing. If related alerts are found, the playbook will automatically disable the malicious scheduled task. Remediation: Automatically disable the malicious scheduled task. Automatically terminate the causality process. Quarantine the Office file (requires analyst approval). Automatically close the alert.
Uncommon remote scheduled task created	This playbook handles "Uncommon remote scheduled task created" alerts. Playbook Stages: Analysis: The playbook checks if the remote IP is external or has a bad reputation. Investigation: During the alert investigation, the playbook will perform the following: Searches for related XSIAM alerts on the endpoint that use the following MITRE techniques to identify malicious activity: T1202 - Indirect Command Execution, T1021 - Remote Services. Searches for related XSIAM agent alerts on the remote endpoint, to determine if the creation of the scheduled task is part of an attack pattern. Searches for suspicious command-line parameters indicating a malicious scheduled task. Remediation: Automatically disable the malicious scheduled task. Block the malicious IP (requires analyst approval). Automatically Close the alert. Requirements: For response actions, the following integrations are required: PAN-OS.
Remote WMI Process Execution	This playbook addresses the following alerts: Remote WMI process execution Suspicious remote WMI process execution Playbook Stages: Enrichment: Enrich the attacker’s IP address to identify any known malicious activity. Retrieve all alert-related alerts to consolidate context for further analysis. Investigation: Analyze command-line activity to assess risks based on suspicious patterns. Check for high-confidence evidence, such as malicious IP addresses or suspicious command-line activity, to determine the next course of action. Evaluate medium-confidence detections and request analyst approval for further containment if required. Containment: Attempt to terminate the malicious process tree using its causality ID. Provide guidance for manual process termination if the automated action fails. Propose endpoint isolation to prevent further compromise if malicious activity is confirmed.
A successful SSO sign-in from TOR	This playbook is designed to handle the following alerts: A successful SSO sign-in from TOR A successful SSO sign-in from TOR via a mobile device The playbook executes the following stages: Early Containment: The playbooks will perform early containment actions by clearing\revoking user sessions and enforcing re-authentication to terminate the connection from the Tor exit node and verify the user's identity. Depending on the alert source, the playbook will use either Azure Active Directory Users or Okta v2 integrations to clear the user sessions. Investigation: During the alert investigation, the playbook will perform the following: Checks the user's risk score. Search for suspicious user agent usage within the alert. Search for related XDR alerts using the following MITRE techniques to identify any malicious activity: T1566 - Phishing T1621 - Multi-Factor Authentication Request Generation T1110 - Brute Force T1556 - Modify Authentication Process Remediation: Remediation actions will be taken if the user’s risk score is high, a suspicious user agent is detected, or a related alert is found. In such cases, the playbook will disable the account. By default, account disabling requires analyst approval. Requires: For any response action, you will need one of the following integrations: Azure Active Directory Users / Okta v2.
User added to local administrator group using a PowerShell command	This playbook is designed to handle the alert 'User added to local administrator group using a PowerShell command' The playbook executes the following stages: Investigation: Check the following parameters to determine if remediation actions are needed: Cortex XSIAM alerts related to the hostname by MITRE tactics indicating malicious activity. Whether the process is unsigned. Remediation: Handles malicious alerts by terminating the relevant processes and requesting the analyst's approval to remove the user from the local Administrators group. Handles non-malicious alerts identified during the investigation.

Trigger

Name	Description
Uncommon remote scheduled task created	This trigger is responsible for handling 'Uncommon remote scheduled task created
A mail forwarding rule was configured in Google Workspace	This trigger runs the A mail forwarding rule was configured in Google Workspace playbook, which handles the A mail forwarding rule was configured in Google Workspace and A mail forwarding rule was configured in Google Workspace to an uncommon domain alerts.
Credential Dumping using a known tool	This trigger is responsible for handling the 'Credential Dumping using a known tool' alerts
Unprivileged process opened a registry hive	This trigger is responsible for handling the 'Unprivileged process opened a registry hive' alert
SSO Brute Force	This trigger is responsible for handling the 'SSO Brute Force Threat Detected' and 'SSO Brute Force Activity Observed' alerts
Compromise Accounts - User has rejected numerous SSO MFA attempts	This trigger is responsible for handling Compromise Accounts alerts where user rejected MFA attempts.
Unsigned and unpopular process performed an injection	This trigger is responsible for handling several the 'Unsigned and unpopular process performed an injection' alerts
User added to local administrator group using a PowerShell command	This trigger is responsible for handling 'User added to local administrator group using a PowerShell command' alert
A Successful login from TOR	This trigger is responsible for handling the 'A Successful login from TOR' alert
Alert Trigger - Suspicious Hidden User Created	This trigger is responsible for handling alerts where a suspicious hidden user is created.
External Login Password Spray	This trigger is responsible for handling External Login Password Spray attacks.
Scheduled task created with HTTP or FTP reference	This trigger is responsible for handling 'Scheduled task created with HTTP or FTP reference' alert
Exchange User Mailbox Forwarding	This trigger is responsible for handling Exchange User Mailbox Forwarding alerts.
SSO Brute Force Activity	This trigger is responsible for handling the 'SSO Brute Force Threat Detected' and 'SSO Brute Force Activity Observed' alerts
Remote WMI Process Execution	This trigger is responsible for handling Remote WMI Process Execution alerts
Suspicious LDAP search query	This trigger is responsible for handling the 'Suspicious LDAP search query executed' and 'Possible LDAP enumeration by unsigned process' alerts via the 'Suspicious LDAP search query' playbook
Exchange forwarding rule configured	This trigger runs the Exchange forwarding rule alerts playbook, which handles the External Exchange inbox forwarding rule configured, Suspicious Exchange inbox forwarding rule configured and Suspicious Exchange email-hiding inbox rule alerts.
A successful SSO sign-in from TOR	This trigger is responsible for handling the 'A successful SSO sign-in from TOR' and the 'A successful SSO sign-in from TOR via a mobile device' alerts
Endpoint initiated uncommon remote scheduled task creation	This trigger is responsible for handling 'Uncommon remote scheduled task creation' alerts
Suspicious local administrator login	This trigger is responsible for handling alerts for Suspicious local administrator login.
Excessive User Account Lockouts	This trigger is responsible for handling excessive user account lockouts.
Suspicious SaaS Access From a TOR Exit Node	This trigger is responsible for handling Suspicious SaaS Access From a TOR Exit Node
Msiexec execution of an executable from an uncommon remote location	This trigger is responsible for handling the 'Msiexec execution of an executable from an uncommon remote location with a specific port' and 'Msiexec execution of an executable from an uncommon remote location without properties' alerts via the 'Msiexec_execution_of_an_executable_from_an_uncommon_remote_location' playbook
SSO Password Spray	This trigger is responsible for handling SSO Password Spray alerts
Uncommon creation or access operation of sensitive shadow copy by a high-risk process	This trigger is responsible for handling 'Uncommon creation or access operation of sensitive shadow copy by a high-risk process
Event Log Was Cleared	This trigger is responsible for handling the 'Windows Event Log Was Cleared' alerts
Suspicious process execution by scheduled task on a sensitive server	This trigger is responsible for handling 'Suspicious process execution by scheduled task on a sensitive server' alert
Successful guest user invitation	This trigger is responsible for handling Valid Accounts alerts related to successful guest user invitations.
Office process creates a scheduled task via file access	This trigger is responsible for handling 'Office process creates a scheduled task via file access' alerts

1.0.6 - 1977897 (January 13, 2025)

Playbooks

Exchange forwarding rule configured

Added support for the following detectors:

Exchange email-hiding transport rule based on message keywords
Suspicious Exchange email-hiding transport rule
Exchange transport forwarding rule configured
Suspicious Exchange transport forwarding rule configured
Possible BEC Exchange email-hiding inbox rule

Triggers Recommendations

Exchange forwarding rule configured

Added new detectors to the "Exchange forwarding rule configured" trigger.

Related pull requests:
- 38063

1.0.5 - 1973041 (January 13, 2025)

Playbooks

Msiexec execution of an executable from an uncommon remote location

Added ExtractIndicators task

Related pull requests:
- 38047

1.0.4 - 1970497 (January 12, 2025)

Playbooks

New: This playbook addresses the following alerts:
Suspicious local administrator login.

Playbook Stages:

Investigation:

Retrieves the name of the process image involved in the alert.
Checks for related Powershell/Command and Scripting/WMI alerts in the incident.
Retrieves the Risk Score for the host.

Containment:

Provide a manual task for an analyst to review the findings and decide the next steps.
Possible actions:
- Disable User.
- Take no action.
Upon analyst decision: Disable the local user account.

Requirements:
For response actions, the following integration is required: Core - IR.

Triggers Recommendations

New: This trigger is responsible for handling alerts for Suspicious local administrator login.

Related pull requests:
- 37933

1.0.3 - 1950870 (January 8, 2025)

Playbooks

Added new tags for Mitre ATT&CK Tactic and Technique.

New: Office process creates a scheduled task via file access

New: This playbook handles "Office process creates a scheduled task via file access" alerts.
Playbook Stages:
Analysis:
During the analysis, the playbook will perform the following:

Checks the Office file path for any suspicious locations.
Checks the initiator process prevalence.
Checks the initiator process reputation.
Extracts the local path of the Office file and runs a script to calculate the Office file hash.
Checks if the hash of the Office file identified as malicious.
Checks if the initiator process is non-prevalent with suspicious reputation or path.
Investigation:
During the alert investigation, the playbook will perform the following:
Searches for related Cortex XSIAM alerts and insights on the endpoint by specific alert names or by the following MITRE techniques to identify malicious activity: T1055 - Process Injection, T1566 - Phishing. If related alerts are found, the playbook will automatically disable the malicious scheduled task.
Remediation:
Automatically disable the malicious scheduled task.
Automatically terminate the causality process.
Quarantine the Office file (requires analyst approval).
Automatically close the alert.

Office process creates a scheduled task via file access

Added the 'continue on error' option when the regex for the suspicious Office path did not match.

Triggers Recommendations

New: Office process creates a scheduled task via file access

New: This trigger is responsible for handling 'Office process creates a scheduled task via file access' alerts.

Related pull requests:
- 38049

1.0.1 - 1935630 (January 6, 2025)

Playbooks

New: Exchange User Mailbox Forwarding

New: This playbook addresses the following alerts:
Exchange user mailbox forwarding.
Suspicious Exchange user mailbox forwarding.
Playbook Stages:
Triage:
Collect initial information about the internal user and the associated external forwarding address.
Investigation:
Check IOCs Reputation:
- Analyze the reputation of IP addresses, email addresses, and domains associated with the alert.
Get External Email Statistics:
- Retrieve statistics of email interactions between the internal user and the external forwarding address over the last 2 days, including:
- Number of emails sent to and received from the external address.
- Number of users interacting with the external address.
Check if User is Risky:
- Assess the internal user's risk score using:
- Core Risk Evaluation: Identify high-risk users and extract reasons behind elevated risk levels.
- Azure Risk Indicators: Retrieve Azure risk scores, detections, and recent security alerts for the internal user.
Check for Azure Alerts:
- Perform an advanced hunting query in Microsoft 365 Defender to extract recent Azure alerts associated with the internal user.
  Containment:
Provide a manual task for an analyst to review the findings and determine the appropriate response.
Possible actions:
- Disable the user in Azure AD to prevent further unauthorized actions.
- Disable mailbox forwarding for the user in Exchange Online.
- Disable both user and forwarding.
- Take no action.
If the user is disabled, revoke active sessions to ensure immediate containment.
Requirements:
For the best results, it's recommended to ensure these integrations are configured and working:
Cortex Core - Investigation and Response for Core user risk evaluation.
Azure Risky Users for retrieving Azure-based user risk scores and detections.
Microsoft 365 Defender for advanced hunting queries and extracting Azure alerts.
Microsoft Graph User for disabling user accounts and revoking active sessions.
Exchange Online EWS for disabling mailbox forwarding.
Security And Compliance V2 for fetching email interaction statistics. (Available from Cortex XSIAM 2.4).

Triggers Recommendations

New: Exchange User Mailbox Forwarding

New: This trigger is responsible for handling Exchange User Mailbox Forwarding alerts. (Available from Cortex XSIAM 2.4).

Related pull requests:
- 37941

1.0.0 - 1928124 (January 5, 2025)

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	January 5, 2025
Last Release	January 13, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

EWS Extension Online Powershell v2 (Deprecated)

O365 - Security And Compliance - Content Search

O365 - Security And Compliance - Content Search (Deprecated)

O365 - Security And Compliance - Content Search v2

O365 Defender SafeLinks - Single User (Deprecated)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Cortex Response And Remediation

Response & Remediation Pack playbooks Key Principles

Playbook Features

Playbooks

Exchange forwarding rule configured

Triggers Recommendations

Exchange forwarding rule configured

Playbooks

Msiexec execution of an executable from an uncommon remote location

Playbooks

New: Suspicious Local Administrator Login

Triggers Recommendations

New: Suspicious local administrator login

Playbooks

A successful SSO sign-in from TOR

New: Office process creates a scheduled task via file access

Office process creates a scheduled task via file access

Triggers Recommendations

New: Office process creates a scheduled task via file access

Playbooks

New: Exchange User Mailbox Forwarding

Triggers Recommendations

New: Exchange User Mailbox Forwarding

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER