Rapid Breach Response

Details
Content
Dependencies
Version History

This content Pack helps you collect, investigate, and remediate incidents related to major breaches.

Header Image

This pack has a collection of playbooks to rapidly respond to high profile breaches with existing deployed tools in your enterprise.
The playbooks in this pack can also be used as a template to hunt and block these indicators using additional tools in your environment.
This pack contains the response playbooks for the following breaches:

More playbooks are available in the following packs:

How to enable it?

Install the pack.
Check if the pack has the steps that are relevant to the tools used in your environment.
Create a job that will run this playbook on a periodic basis.

HAFNIUM - Exchange 0-day exploits

Header Image

More playbooks are available in the following packs:

How to enable it?

Install the pack.
Check if the pack has the steps that are relevant to the tools used in your environment.
Create a job that will run this playbook on a periodic basis.

HAFNIUM - Exchange 0-day exploits

Automations

Name	Description
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.

Incident Fields

Name	Description
Completed Task Count
Mitigation Task Count
Total Task Count
Total Indicator Count
Playbook Description
Source Of Indicators
Remediation Task Count
Eradication Task Count
Hunting Task Count
Remaining Task Count

Incident Types

Name	Description
Rapid Breach Response

Layouts

Name	Description
Rapid Breach Response

Playbooks

Name	Description
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Incident Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of FireEye red team tools. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators Search endpoints with the FireEye red team tools CVEs. Search endpoint logs for FireEye red team tools hashes. Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). Retrieve C2 domains and URLs associated with Sunburst. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the SUNBURST backdoor Query firewall logs to detect network activity. Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: Notify security team to review and trigger remediation response actions. Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
Rapid Breach Response - Set Incident Info	This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.
CVE-2021-34527 \| CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: Manual actions to mitigate the exploit Search Vulnerable Devices using the CVE Query SIEM, FW, XDR to detect malicious activity and compromised hosts Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
SolarStorm Activity Behavior Hunting playbook	This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: Collect IOCs to be used in your threat hunting process Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Codecov Breach - Bash Uploader	This playbook includes the following tasks: Search for the Security Notice email sent from Codecov. Collect indicators to be used in your threat hunting process. Query network logs to detect related activity. Search for the use of Codecov bash uploader in GitHub repositories Query Panorama to search for logs with related anti-spyware signatures Data Exfiltration Traffic Detection Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice

Automations

Name	Description
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.

Incident Fields

Name	Description
Mitigation Task Count
Eradication Task Count
Completed Task Count
Remediation Task Count
Source Of Indicators
Total Task Count
Hunting Task Count
Playbook Description
Remaining Task Count
Total Indicator Count

Incident Types

Name	Description
Rapid Breach Response

Playbooks

Name	Description
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Alert Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). Retrieve C2 domains and URLs associated with Sunburst. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the SUNBURST backdoor Query firewall logs to detect network activity. Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: Notify security team to review and trigger remediation response actions. Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
Codecov Breach - Bash Uploader	This playbook includes the following tasks: Search for the Security Notice email sent from Codecov. Collect indicators to be used in your threat hunting process. Query network logs to detect related activity. Search for the use of Codecov bash uploader in GitHub repositories Query Panorama to search for logs with related anti-spyware signatures Data Exfiltration Traffic Detection Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSIAM 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: Collect IOCs to be used in your threat hunting process Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of FireEye red team tools. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators Search endpoints with the FireEye red team tools CVEs. Search endpoint logs for FireEye red team tools hashes. Search and link previous alerts with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
Rapid Breach Response - Set Alert Info	This playbook is responsible for setting up the Rapid Breach Response Alert Info tab in the layout.
CVE-2021-34527 \| CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: Manual actions to mitigate the exploit Search Vulnerable Devices using the CVE Query SIEM, FW, XDR to detect malicious activity and compromised hosts Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
SolarStorm Activity Behavior Hunting playbook	This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

Required Content Packs (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Splunk	By: Cortex XSOAR

Optional Content Packs (29)

Pack Name	Pack By
3CXDesktopApp Supply Chain Attack	By: Cortex XSOAR
CVE-2021-40444 - MSHTML RCE	By: Cortex XSOAR
CVE-2021-44228 - Log4j RCE	By: Cortex XSOAR
CVE-2022-26134 - Confluence RCE	By: Cortex XSOAR
CVE-2022-30190 - MSDT RCE	By: Cortex XSOAR
CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows	By: Cortex XSOAR
CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell	By: Cortex XSOAR
CVE-2023-23397 - Microsoft Outlook EoP	By: Cortex XSOAR
CVE-2023-34362 - MOVEit Transfer SQL Injection	By: Cortex XSOAR
CVE-2023-36884 - Microsoft Office and Windows HTML RCE	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Cloaked Ursa Diplomatic Phishing Campaign	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Cortex Xpanse by Palo Alto Networks	By: Cortex XSOAR
GitHub	By: Cortex XSOAR
Chronicle	By: Chronicle
Identity	By: Cortex XSOAR
Ivanti Critical Vulnerabilities	By: Cortex XSOAR
Microsoft Exchange On-Premise	By: Cortex XSOAR
Microsoft Exchange Online	By: Cortex XSOAR
NIST	By: Cortex XSOAR
Office 365 and Azure (Audit Log)	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Comprehensive Investigation by Palo Alto Networks	By: Cortex XSOAR
IoT by Palo Alto Networks	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
SANS	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (13)

Pack Name	Pack By
Malware Core	By: Cortex XSOAR
Asset	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

1.6.38 - 897231 (March 18, 2024)

Playbooks

HAFNIUM - Exchange 0-day exploits

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Codecov Breach - Bash Uploader

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

SolarStorm and SUNBURST Hunting and Response Playbook

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.6.37 - 836299 (February 18, 2024)

Scripts

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

1.6.36 - 831507 (February 15, 2024)

Ivanti Critical Vulnerabilities

A new pack that handles the recently disclosed vulnerabilities of Ivanti Policy Secure and Connect Secure gateways. The official CVEs are CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via our Marketplace.

Related pull requests:
- 32775

Download

1.6.35 - R5866730 (July 25, 2023)

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

New pack which handles the CVE-2023-36884 - Microsoft Office and Windows HTML RCE.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 28201

Download

1.6.34 - 5782177 (July 16, 2023)

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Removed the PAN-OS - Block Domain - External Dynamic List sub-playbook. This playbook is deprecated and has reached its end of life (EOL) and is no longer supported.

HAFNIUM - Exchange 0-day exploits

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).

NOBELIUM - wide scale APT29 spear-phishing

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Replaced the command RapidBreachResponseParseBlog with command ParseHTMLIndicators.

SolarStorm and SUNBURST Hunting and Response Playbook

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
The commands expanse-get-risky-flows and expanse-list-risk-rules have been removed as they are no longer supported, and there is no alternative available.

Related pull requests:
- 26581

Download

1.6.33 - 5760561 (July 13, 2023)

Scripts

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28121

Download

1.6.31 - R5692327 (July 5, 2023)

CVE-2023-34362 - MOVEit Transfer SQL Injection

New pack which handles CVE-2023-34362 - MOVEit Transfer SQL Injection investigation and response.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 27225

Download

1.6.30 - R5170573 (May 2, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 25711

Download

1.6.29 - R4954430 (April 2, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 25379

Download

1.6.28 - 4797511 (March 12, 2023)

Playbooks

FireEye Red Team Tools Investigation and Response

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24517

Download

1.6.27 - R4718798 (March 1, 2023)

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24603

Download

1.6.26 - R4646022 (February 19, 2023)

Layouts

Rapid Breach Response
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.6.25 - 3957612 (November 2, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21979

Download

1.6.24 - R3917401 (October 26, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21587

Download

1.6.23 - 3056265 (June 8, 2022)

Packs

CVE-2022-30190 - MSDT RCE

New pack which handles the new Microsoft MSDT RCE vulnerability, CVE-2022-30190.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

CVE-2022-26134 - Confluence RCE

New pack which handles the new Confluence RCE vulnerability, CVE-2022-26134.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 19434

Download

1.6.22 - R3024435 (June 2, 2022)

Incident Fields

Total Indicator Count fixed typo in fromversion.

Related pull requests:
- 16333

Download

1.6.21 - 2091528 (December 11, 2021)

Incident Fields

Total Indicator Count

Playbooks

Rapid Breach Response - Set Incident Info

Added transformer 'StringToArray' to sourceofindicators Set task.

Download

1.6.20 - 2042391 (December 2, 2021)

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Documentation fixes

Download

1.6.19 - 2009340 (November 25, 2021)

Incident Fields

Remaining Task Count
Total Task Count
Playbook Description
Hunting Task Count
Source Of Indicators
Mitigation Task Count
Completed Task Count
Total Indicator Count
Eradication Task Count
Remediation Task Count

Incident Types

Rapid Breach Response

Layouts

New: Rapid Breach Response

The new layout includes: Incident Info, IR Procedures Tracking and Hunting Results tabs.(Available from Cortex XSOAR 6.0.0).

Playbooks

New: Rapid Breach Response - Set Incident Info

This playbook is responsible for setting up the Rapid Breach Response Incident Info tab. (Available from Cortex XSOAR 6.0.0).

Scripts

Rapid Breach Response dynamic section, will show the updated number of remaining tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of remediation tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of completed tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of mitigation tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of tasks to complete. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of hunting tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of eradication tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of indicators found. (Available from Cortex XSOAR 5.5.0).

Download

1.6.18 - 7259008 (August 25, 2021)

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Updated Office 365 and Azure sub-playbooks

Download

1.6.17 - 400846 (July 21, 2021)

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Added the patch released by Kaseya to mitigations
Added fixes to QRadar indicators hunting and link incidents

Download

1.6.16 - 398533 (July 15, 2021)

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Added Point&Print mitigation task
Changed tasks execution order
Added Cortex XDR - PrintNightmare Detection and Response playbook

Download

1.6.15 - 398245 (July 15, 2021)

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Added Splunk and QRadar detection queries.
Changed playbook display name.

Download

1.6.14 - 397182 (July 13, 2021)

Playbooks

CVE-2021-1675 - PrintNightmare

Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in the playbook.

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Added Xpanse issue search
Added link incidents for related XDR and Xpanse incidents
Added Kaseya VSA patch release preparation runbooks instructions

Download

1.6.12 - 394234 (July 7, 2021)

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Added additional XDR signatures to search for relevant XDR incidents

Download

1.6.11 - 393823 (July 6, 2021)

Playbooks

New: Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers reports pointed out a ransomware outbreak in their environment.
Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints.

This playbook should be trigger manually and includes the following tasks:

Collect related known indicators from several sources.
Indicators, PS commands, Registry changes and known HTTP requests hunting using SIEM products.
- Splunk advanced queries can be modified through the playbook inputs.
Block indicators automatically or manually.
Provide advanced hunting and detection capabilities.

More information:
Kaseya Incident Overview & Technical Details

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. (Available from Cortex XSOAR 6.0.0).

Download

1.6.10 - 393444 (July 6, 2021)

Scripts

RapidBreachResponseParseBlog

Deprecated. Use ParseHTMLIndicators instead.

Download

1.6.9 - R392850 (July 5, 2021)

Playbooks

CVE-2021-1675 - PrintNightmare

The playbook will also query FW and the XDR to detect malicious activity and compromised hosts

Download

1.6.8 - 392011 (July 1, 2021)

Playbooks

New: CVE-2021-1675 - PrintNightmare

CVE-2021-1675 is a vulnerability dubbed “PrintNightmare” which allows remote code execution on Windows Print Spooler. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. This playbook includes the following tasks:

Manual actions to mitigate the exploit
Search Vulnerable Devices using the CVE
Search Vulnerable Devices using the SIEM

More details on the vulnerability
** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Download

1.6.7 - 390600 (June 28, 2021)

Playbooks

HAFNIUM - Exchange 0-day exploits

Removed duplicated playbook tasks related to indicators.

Download

1.6.6 - 376375 (June 3, 2021)

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Added validation if playbooks or integration available

HAFNIUM - Exchange 0-day exploits

Added validation if playbooks or integration available

SolarStorm and SUNBURST Hunting and Response Playbook

Added validation if playbooks or integration available

NOBELIUM - wide scale APT29 spear-phishing

Added validation if playbooks or integration available

Codecov Breach - Bash Uploader

Added validation if playbooks or integration available

Download

1.6.5 - 369639 (May 29, 2021)

Playbooks

NOBELIUM - wide scale APT29 spear-phishing

Tag related indicators as NOBELIUM and APT29.
Updated EWS search query.

Scripts

New: RapidBreachResponseParseBlog

Parse Volexity blog to extract indicators

Download

1.6.4 - 369519 (May 29, 2021)

Playbooks

New: NOBELIUM - wide scale APT29 spear-phishing

On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations.
Microsoft blog.

This playbook includes the following tasks:

Collect IOCs to be used in your threat hunting process
Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts
Block known indicators
** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. (Available from Cortex XSOAR 5.5.0).

Download

1.6.3 - 346806 (May 5, 2021)

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0.
This playbook should be trigger manually and includes the following tasks:

Enrich related known CVEs and Malware Hashes used by the suspected APT actor.
Search for unpatched endpoints vulnerable to the exploits.
Search network facing system using Expanse for relevant issues.
Indicators and known webshells hunting using SIEM products.
Block indicators automatically or manually.
Provide different mitigations that has been publicly published such as:
- Patches
- Workarounds
- Yara and Snort Rules

More information:
Exploitation of Pulse Connect Secure Vulnerabilities

Download

1.6.2 - 343491 (May 2, 2021)

Playbooks

Codecov Breach - Bash Uploader

Added task to find any use of Codecov bash uploader in specified Github repositories.

Download

1.6.1 - 331662 (April 20, 2021)

Playbooks

Codecov Breach - Bash Uploader

Added panorama query to search for logs with related anti-spyware signatures
- Data Exfiltration Traffic Detection
- Malicious Modified Shell Script Detection

Download

1.6.0 - 330975 (April 20, 2021)

Playbooks

New: Codecov Breach - Bash Uploader

This playbook includes the following tasks:

Search for the Security Notice email sent from Codecov.
Collect indicators to be used in your threat hunting process.
Query network logs to detect related activity.
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Codecov Security Notice

Download

1.5.1 - 312966 (March 25, 2021)

Playbooks

SolarStorm Activity Behavior Hunting playbook

Updated playbook description.

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 17, 2020
Last Release	March 18, 2024

Malware

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

EWS Extension Online Powershell v2 (Deprecated)

O365 - Security And Compliance - Content Search

O365 - Security And Compliance - Content Search (Deprecated)

O365 - Security And Compliance - Content Search v2

Microsoft Policy And Compliance (Audit Log)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Rapid Breach Response

How to enable it?

How to enable it?

Playbooks

HAFNIUM - Exchange 0-day exploits

Codecov Breach - Bash Uploader

SolarStorm and SUNBURST Hunting and Response Playbook

Scripts

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

RapidBreachResponse-TotalIndicatorCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

RapidBreachResponse-TotalTasksCount-Widget

Ivanti Critical Vulnerabilities

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

HAFNIUM - Exchange 0-day exploits

NOBELIUM - wide scale APT29 spear-phishing

SolarStorm and SUNBURST Hunting and Response Playbook

Scripts

RapidBreachResponse-TotalIndicatorCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-TotalTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

CVE-2023-34362 - MOVEit Transfer SQL Injection

Playbooks

FireEye Red Team Tools Investigation and Response

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Layouts

Packs

CVE-2022-30190 - MSDT RCE

CVE-2022-26134 - Confluence RCE

Incident Fields

Incident Fields

Playbooks

Rapid Breach Response - Set Incident Info

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Incident Fields

Incident Types

Layouts

New: Rapid Breach Response

Playbooks

New: Rapid Breach Response - Set Incident Info

Scripts

New: RapidBreachResponse-RemainingTasksCount-Widget

New: RapidBreachResponse-RemediationTasksCount-Widget

New: RapidBreachResponse-CompletedTasksCount-Widget

New: RapidBreachResponse-MitigationTasksCount-Widget

New: RapidBreachResponse-TotalTasksCount-Widget

New: RapidBreachResponse-HuntingTasksCount-Widget

New: RapidBreachResponse-EradicationTasksCount-Widget

New: RapidBreachResponse-TotalIndicatorCount-Widget

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Playbooks

CVE-2021-1675 - PrintNightmare

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Playbooks

New: Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Scripts

RapidBreachResponseParseBlog