Rapid Breach Response

Details
Content
Dependencies
Version History

This content Pack helps you collect, investigate, and remediate incidents related to major breaches.

Header Image

This pack has a collection of playbooks to rapidly respond to high profile breaches with existing deployed tools in your enterprise.
The playbooks in this pack can also be used as a template to hunt and block these indicators using additional tools in your environment.
This pack contains the response playbooks for the following breaches:

More playbooks are available in the following packs:

How to enable it?

Install the pack.
Check if the pack has the steps that are relevant to the tools used in your environment.
Create a job that will run this playbook on a periodic basis.

HAFNIUM - Exchange 0-day exploits

Header Image

More playbooks are available in the following packs:

How to enable it?

Install the pack.
Check if the pack has the steps that are relevant to the tools used in your environment.
Create a job that will run this playbook on a periodic basis.

HAFNIUM - Exchange 0-day exploits

Automations

Name	Description
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.

Incident Fields

Name	Description
Remaining Task Count
Completed Task Count
Total Indicator Count
Eradication Task Count
Playbook Description
Remediation Task Count
Mitigation Task Count
Hunting Task Count
Total Task Count
Source Of Indicators

Incident Types

Name	Description
Rapid Breach Response

Layouts

Name	Description
Rapid Breach Response

Playbooks

Name	Description
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). Retrieve C2 domains and URLs associated with Sunburst. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the SUNBURST backdoor Query firewall logs to detect network activity. Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: Notify security team to review and trigger remediation response actions. Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
SolarStorm Activity Behavior Hunting playbook	This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
Rapid Breach Response - Set Incident Info	This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.
Codecov Breach - Bash Uploader	This playbook includes the following tasks: Search for the Security Notice email sent from Codecov. Collect indicators to be used in your threat hunting process. Query network logs to detect related activity. Search for the use of Codecov bash uploader in GitHub repositories Query Panorama to search for logs with related anti-spyware signatures Data Exfiltration Traffic Detection Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: Collect IOCs to be used in your threat hunting process Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of FireEye red team tools. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators Search endpoints with the FireEye red team tools CVEs. Search endpoint logs for FireEye red team tools hashes. Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Incident Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
CVE-2021-34527 \| CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: Manual actions to mitigate the exploit Search Vulnerable Devices using the CVE Query SIEM, FW, XDR to detect malicious activity and compromised hosts Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Automations

Name	Description
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.

Incident Fields

Name	Description
Hunting Task Count
Total Task Count
Eradication Task Count
Total Indicator Count
Completed Task Count
Source Of Indicators
Playbook Description
Remediation Task Count
Mitigation Task Count
Remaining Task Count

Incident Types

Name	Description
Rapid Breach Response

Playbooks

Name	Description
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). Retrieve C2 domains and URLs associated with Sunburst. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the SUNBURST backdoor Query firewall logs to detect network activity. Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: Notify security team to review and trigger remediation response actions. Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
CVE-2021-34527 \| CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: Manual actions to mitigate the exploit Search Vulnerable Devices using the CVE Query SIEM, FW, XDR to detect malicious activity and compromised hosts Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Alert Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Rapid Breach Response - Set Alert Info	This playbook is responsible for setting up the Rapid Breach Response Alert Info tab in the layout.
Codecov Breach - Bash Uploader	This playbook includes the following tasks: Search for the Security Notice email sent from Codecov. Collect indicators to be used in your threat hunting process. Query network logs to detect related activity. Search for the use of Codecov bash uploader in GitHub repositories Query Panorama to search for logs with related anti-spyware signatures Data Exfiltration Traffic Detection Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: Collect IOCs to be used in your threat hunting process Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
SolarStorm Activity Behavior Hunting playbook	This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of FireEye red team tools. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators Search endpoints with the FireEye red team tools CVEs. Search endpoint logs for FireEye red team tools hashes. Search and link previous alerts with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

Required Content Packs (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Splunk	By: Cortex XSOAR

Optional Content Packs (30)

Pack Name	Pack By
3CXDesktopApp Supply Chain Attack	By: Cortex XSOAR
CVE-2021-40444 - MSHTML RCE	By: Cortex XSOAR
CVE-2021-44228 - Log4j RCE	By: Cortex XSOAR
CVE-2022-26134 - Confluence RCE	By: Cortex XSOAR
CVE-2022-30190 - MSDT RCE	By: Cortex XSOAR
CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows	By: Cortex XSOAR
CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell	By: Cortex XSOAR
CVE-2023-23397 - Microsoft Outlook EoP	By: Cortex XSOAR
CVE-2023-34362 - MOVEit Transfer SQL Injection	By: Cortex XSOAR
CVE-2023-36884 - Microsoft Office and Windows HTML RCE	By: Cortex XSOAR
CVE-2024-47575 - FortiManager Authentication Bypass	By: Cortex XSOAR
CVE-2025-31324 - SAP NetWeaver Visual Composer	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
Cloaked Ursa Diplomatic Phishing Campaign	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
GitHub	By: Cortex XSOAR
Google SecOps	By: Google
Identity	By: Cortex XSOAR
Ivanti Critical Vulnerabilities	By: Cortex XSOAR
Microsoft Exchange On-Premise	By: Cortex XSOAR
Microsoft Exchange Online	By: Cortex XSOAR
NIST	By: Cortex XSOAR
Office 365 and Azure (Audit Log)	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Comprehensive Investigation by Palo Alto Networks	By: Cortex XSOAR
IoT by Palo Alto Networks	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
SANS	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (14)

Pack Name	Pack By
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.6.46 - 7827247 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43566

Download

1.6.45 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.6.44 - 4856079 (September 11, 2025)

Playbooks

HAFNIUM - Exchange 0-day exploits

Updated the input description "AutoBlockIndicators".

NOBELIUM - wide scale APT29 spear-phishing

Updated the input description "AutoBlockIndicators".

Related pull requests:
- 41245

Download

1.6.43 - 4583601 (August 20, 2025)

Scripts

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40710

Download

1.6.42 - 4029801 (July 1, 2025)

CVE-2025-31324 - SAP NetWeaver Visual Composer

New pack which handles the CVE-2025-31324 - SAP NetWeaver Visual Composer vulnerability.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 40401

Download

1.6.41 - R3980324 (June 26, 2025)

Scripts

Metadata and documentation improvements.

Metadata and documentation improvements.

Metadata and documentation improvements.

Metadata and documentation improvements.

Metadata and documentation improvements.

Metadata and documentation improvements.

Metadata and documentation improvements.

Metadata and documentation improvements.

Related pull requests:
- 39133

Download

1.6.40 - R2989425 (March 26, 2025)

Scripts

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

1.6.39 - 1554247 (October 28, 2024)

CVE-2024-47575 - FortiManager Authentication Bypass

New pack which handles CVE-2024-47575 - FortiManager Authentication Bypass vulnerability
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 36847

Download

1.6.38 - 897231 (March 18, 2024)

Playbooks

HAFNIUM - Exchange 0-day exploits

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Codecov Breach - Bash Uploader

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

SolarStorm and SUNBURST Hunting and Response Playbook

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.6.37 - 836299 (February 18, 2024)

Scripts

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

1.6.36 - 831507 (February 15, 2024)

Ivanti Critical Vulnerabilities

A new pack that handles the recently disclosed vulnerabilities of Ivanti Policy Secure and Connect Secure gateways. The official CVEs are CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via our Marketplace.

Related pull requests:
- 32775

Download

1.6.35 - R5866730 (July 25, 2023)

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

New pack which handles the CVE-2023-36884 - Microsoft Office and Windows HTML RCE.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 28201

Download

1.6.34 - 5782177 (July 16, 2023)

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Removed the PAN-OS - Block Domain - External Dynamic List sub-playbook. This playbook is deprecated and has reached its end of life (EOL) and is no longer supported.

HAFNIUM - Exchange 0-day exploits

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).

NOBELIUM - wide scale APT29 spear-phishing

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Replaced the command RapidBreachResponseParseBlog with command ParseHTMLIndicators.

SolarStorm and SUNBURST Hunting and Response Playbook

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added input AutoBlockIndicators - This input determines if to block the indicators automatically or manually using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
Added input UserVerification - This input determines if blocking IPs is should be done with or without user verification. The IPs blocking is done by using the sub-playbook Block Indicators - Generic v3. (Available from Cortex XSOAR 6.5.0).
The commands expanse-get-risky-flows and expanse-list-risk-rules have been removed as they are no longer supported, and there is no alternative available.

Related pull requests:
- 26581

Download

1.6.33 - 5760561 (July 13, 2023)

Scripts

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28121

Download

1.6.31 - R5692327 (July 5, 2023)

CVE-2023-34362 - MOVEit Transfer SQL Injection

New pack which handles CVE-2023-34362 - MOVEit Transfer SQL Injection investigation and response.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 27225

Download

1.6.30 - R5170573 (May 2, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 25711

Download

1.6.29 - R4954430 (April 2, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 25379

Download

1.6.28 - 4797511 (March 12, 2023)

Playbooks

FireEye Red Team Tools Investigation and Response

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24517

Download

1.6.27 - R4718798 (March 1, 2023)

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Switch usage of deprecated Isolate Endpoint - Generic playbook with the Isolate Endpoint - Generic V2 playbook.

Related pull requests:
- 24603

Download

1.6.26 - R4646022 (February 19, 2023)

Layouts

Rapid Breach Response
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.6.25 - 3957612 (November 2, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21979

Download

1.6.24 - R3917401 (October 26, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21587

Download

1.6.23 - 3056265 (June 8, 2022)

Packs

CVE-2022-30190 - MSDT RCE

New pack which handles the new Microsoft MSDT RCE vulnerability, CVE-2022-30190.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

CVE-2022-26134 - Confluence RCE

New pack which handles the new Confluence RCE vulnerability, CVE-2022-26134.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 19434

Download

1.6.22 - R3024435 (June 2, 2022)

Incident Fields

Total Indicator Count fixed typo in fromversion.

Related pull requests:
- 16333

Download

1.6.21 - 2091528 (December 11, 2021)

Incident Fields

Total Indicator Count

Playbooks

Rapid Breach Response - Set Incident Info

Added transformer 'StringToArray' to sourceofindicators Set task.

Certification	Certified	Read more
Supported By	Cortex
Created	December 17, 2020
Last Release	March 22, 2026

Rapid Breach Response

How to enable it?

How to enable it?

Playbooks

HAFNIUM - Exchange 0-day exploits

NOBELIUM - wide scale APT29 spear-phishing

Scripts

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

RapidBreachResponse-TotalIndicatorCount-Widget

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-TotalTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

CVE-2025-31324 - SAP NetWeaver Visual Composer

Scripts

RapidBreachResponse-TotalTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-TotalIndicatorCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

Scripts

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-TotalTasksCount-Widget

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-TotalIndicatorCount-Widget

CVE-2024-47575 - FortiManager Authentication Bypass

Playbooks

HAFNIUM - Exchange 0-day exploits

Codecov Breach - Bash Uploader

SolarStorm and SUNBURST Hunting and Response Playbook

Scripts

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

RapidBreachResponse-TotalIndicatorCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

RapidBreachResponse-TotalTasksCount-Widget

Ivanti Critical Vulnerabilities

CVE-2023-36884 - Microsoft Office and Windows HTML RCE

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

HAFNIUM - Exchange 0-day exploits

NOBELIUM - wide scale APT29 spear-phishing

SolarStorm and SUNBURST Hunting and Response Playbook

Scripts

RapidBreachResponse-TotalIndicatorCount-Widget

RapidBreachResponse-EradicationTasksCount-Widget

RapidBreachResponse-CompletedTasksCount-Widget

RapidBreachResponse-HuntingTasksCount-Widget

RapidBreachResponse-RemediationTasksCount-Widget

RapidBreachResponse-MitigationTasksCount-Widget

RapidBreachResponse-TotalTasksCount-Widget

RapidBreachResponse-RemainingTasksCount-Widget

CVE-2023-34362 - MOVEit Transfer SQL Injection

Playbooks

FireEye Red Team Tools Investigation and Response

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Layouts

Packs

CVE-2022-30190 - MSDT RCE

CVE-2022-26134 - Confluence RCE

Incident Fields

Incident Fields

Playbooks

Rapid Breach Response - Set Incident Info

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack