Rapid Breach Response

Details
Content
Dependencies
Version History

This content Pack helps you collect, investigate, and remediate incidents related to major breaches.

Header Image

This pack has a collection of playbooks to rapidly respond to high profile breaches with existing deployed tools in your enterprise.
The playbooks in this pack can also be used as a template to hunt and block these indicators using additional tools in your environment.
This pack contains the response playbooks for the following breaches:

How to enable it?

Install the pack.
Check if the pack has the steps that are relevant to the tools used in your environment.
Create a job that will run this playbook on a periodic basis.

HAFNIUM - Exchange 0-day exploits

Incident Types

Name	Description
Rapid Breach Response

Incident Fields

Name	Description
Playbook Description
Eradication Task Count
Hunting Task Count
Mitigation Task Count
Total Indicator Count
Source Of Indicators
Remediation Task Count
Total Task Count
Completed Task Count
Remaining Task Count

Automations

Name	Description
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.

Layouts

Name	Description
Rapid Breach Response

Playbooks

Name	Description
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: Collect IOCs to be used in your threat hunting process Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). Retrieve C2 domains and URLs associated with Sunburst. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the SUNBURST backdoor Query firewall logs to detect network activity. Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: Notify security team to review and trigger remediation response actions. Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
SolarStorm Activity Behavior Hunting playbook	This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of FireEye red team tools. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators Search endpoints with the FireEye red team tools CVEs. Search endpoint logs for FireEye red team tools hashes. Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
CVE-2021-34527 \| CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: Manual actions to mitigate the exploit Search Vulnerable Devices using the CVE Query SIEM, FW, XDR to detect malicious activity and compromised hosts Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Codecov Breach - Bash Uploader	This playbook includes the following tasks: Search for the Security Notice email sent from Codecov. Collect indicators to be used in your threat hunting process. Query network logs to detect related activity. Search for the use of Codecov bash uploader in GitHub repositories Query Panorama to search for logs with related anti-spyware signatures Data Exfiltration Traffic Detection Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Incident Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Rapid Breach Response - Set Incident Info	This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.

Incident Types

Name	Description
Rapid Breach Response

Incident Fields

Name	Description
Playbook Description
Eradication Task Count
Hunting Task Count
Mitigation Task Count
Total Indicator Count
Source Of Indicators
Remediation Task Count
Total Task Count
Completed Task Count
Remaining Task Count

Automations

Name	Description
RapidBreachResponseParseBlog	Deprecated. Use "ParseHTMLIndicators" instead. Parse Volexity request blog.
RapidBreachResponse-RemediationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remediation tasks.
RapidBreachResponse-MitigationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of mitigation tasks.
RapidBreachResponse-TotalIndicatorCount-Widget	Rapid Breach Response dynamic section, will show the updated number of indicators found.
RapidBreachResponse-EradicationTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of eradication tasks.
RapidBreachResponse-HuntingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of hunting tasks.
RapidBreachResponse-TotalTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of tasks to complete.
RapidBreachResponse-CompletedTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of completed tasks.
RapidBreachResponse-RemainingTasksCount-Widget	Rapid Breach Response dynamic section, will show the updated number of remaining tasks.

Playbooks

Name	Description
NOBELIUM - wide scale APT29 spear-phishing	On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ This playbook includes the following tasks: Collect IOCs to be used in your threat hunting process Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts Block known indicators ** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
SolarStorm and SUNBURST Hunting and Response Playbook	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). Retrieve C2 domains and URLs associated with Sunburst. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the SUNBURST backdoor Query firewall logs to detect network activity. Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: Notify security team to review and trigger remediation response actions. Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
CVE-2021-22893 - Pulse Connect Secure RCE	On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0. This playbook should be trigger manually and includes the following tasks: Enrich related known CVEs and Malware Hashes used by the suspected APT actor. Search for unpatched endpoints vulnerable to the exploits. Search network facing system using Expanse for relevant issues. Indicators and known webshells hunting using SIEM products. Block indicators automatically or manually. Provide different mitigations that has been publicly published such as: Patches Workarounds Yara and Snort Rules Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Exploitation of Pulse Connect Secure Vulnerabilities
SolarStorm Activity Behavior Hunting playbook	This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
FireEye Red Team Tools Investigation and Response	This playbook does the following: Collect indicators to aid in your threat hunting process. Retrieve IOCs of FireEye red team tools. Discover IOCs of associated activity related to the infection. Generate an indicator list to block indicators with SUNBURST tags. Hunt for the indicators Search endpoints with the FireEye red team tools CVEs. Search endpoint logs for FireEye red team tools hashes. Search and link previous incidents with the FireEye hashes. If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
HAFNIUM - Exchange 0-day exploits	This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSIAM 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
CVE-2021-34527 \| CVE-2021-1675 - PrintNightmare	The playbook can be triggered manually or automatically by setting up a reoccurring job. Microsoft has released a security update in June 2021 Patch Tuesday for CVE-2021-1675, a Local Privilege Escalation vulnerability in the Print Spooler Service. Later that month, researchers found another method to exploit the Print Spooler service remotely, which raised the severity of the vulnerability due to the fact that the new method allows Remote Code Execution, a new ID was given to the critical vulnerability - CVE-2021-34527. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. Update 7.8.2021 - Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in "Install Microsoft spooler service patches" task. This playbook includes the following tasks: Manual actions to mitigate the exploit Search Vulnerable Devices using the CVE Query SIEM, FW, XDR to detect malicious activity and compromised hosts Run Dedicated Detection and Response playbook for Cortex XDR More details on the vulnerabilities: CVE-2021-1675 LPE CVE-2021-34527 RCE Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Codecov Breach - Bash Uploader	This playbook includes the following tasks: Search for the Security Notice email sent from Codecov. Collect indicators to be used in your threat hunting process. Query network logs to detect related activity. Search for the use of Codecov bash uploader in GitHub repositories Query Panorama to search for logs with related anti-spyware signatures Data Exfiltration Traffic Detection Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: Codecov Security Notice
Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack	On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers pointed out a ransomware outbreak in their environments. Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints. This playbook should be trigger manually and includes the following tasks: Collect related known indicators from several sources. Indicators, PS commands, Registry changes and known HTTP requests hunting using PAN-OS, Cortex XDR and SIEM products. Splunk advanced queries can be modified through the playbook inputs. QRadar query is done using Reference Set and "QRadar Indicator Hunting V2" playbook Search for internet facing Kaseya VSA servers using Xpanse. Block indicators automatically or manually. Provide advanced hunting and detection capabilities. Mitigation using Kaseya On-Premises and SaaS patch. More information: Kaseya Incident Overview & Technical Details Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Rapid Breach Response - Set Incident Info	This playbook is responsible for setting up the Rapid Breach Response Incident Info tab in the layout.

Required Content Packs (7)

Pack Name	Pack By
Splunk	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR

Optional Content Packs (19)

Pack Name	Pack By
Phishing	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
NIST	By: Cortex XSOAR
Microsoft Exchange Online	By: Cortex XSOAR
Phishing Campaign	By: Cortex XSOAR
CVE-2021-44228 - Log4j RCE	By: Cortex XSOAR
Microsoft Exchange On-Premise	By: Cortex XSOAR
SANS	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
GitHub	By: Cortex XSOAR
CVE-2021-40444 - MSHTML RCE	By: Cortex XSOAR
Chronicle	By: Chronicle
Office 365 and Azure (Audit Log)	By: Cortex XSOAR
Comprehensive Investigation by Palo Alto Networks	By: Cortex XSOAR
Identity	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR
Cortex Xpanse by Palo Alto Networks	By: Cortex XSOAR
IoT by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (35)

Pack Name	Pack By
FortiGate	By: Cortex XSOAR
ThreatX	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cisco ASA	By: Cortex XSOAR
Cylance Protect	By: Cortex XSOAR
Image OCR	By: Cortex XSOAR
Zscaler Internet Access	By: Cortex XSOAR
Ransomware	By: Cortex XSOAR
Kenna	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
ARIAPacketIntelligence	By: ARIA Cybersecurity Solutions
Cisco Secure Cloud Analytics (Stealthwatch Cloud)	By: Cortex XSOAR
Check Point Firewall	By: Cortex XSOAR
VirusTotal - Private API (Deprecated)	By: VirusTotal
Akamai WAF	By: Cortex XSOAR
CrowdStrike Falcon Intelligence Sandbox	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Google Maps	By: Cortex XSOAR
Cisco Firepower	By: Cortex XSOAR
Remote Access	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Cisco Umbrella Investigate	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
Sophos XG Firewall	By: Cortex XSOAR
CVE Search	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Palo Alto Networks PAN-OS EDL Management (Deprecated)	By: Cortex XSOAR
Signal Sciences WAF	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Slack	By: Cortex XSOAR
VulnDB	By: Cortex XSOAR
F5 Silverline	By: Cortex XSOAR

1.6.26 - 4514603 (February 1, 2023)

Layouts

Rapid Breach Response
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

1.6.25 - 3957612 (November 2, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21979

Download

1.6.24 - R3917401 (October 26, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21587

Download

1.6.23 - 3056265 (June 8, 2022)

Packs

CVE-2022-30190 - MSDT RCE

New pack which handles the new Microsoft MSDT RCE vulnerability, CVE-2022-30190.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

CVE-2022-26134 - Confluence RCE

New pack which handles the new Confluence RCE vulnerability, CVE-2022-26134.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.

Related pull requests:
- 19434

Download

1.6.22 - R3024435 (June 2, 2022)

Incident Fields

Total Indicator Count fixed typo in fromversion.

Related pull requests:
- 16333

Download

1.6.21 - 2091528 (December 11, 2021)

Incident Fields

Total Indicator Count

Playbooks

Rapid Breach Response - Set Incident Info

Added transformer 'StringToArray' to sourceofindicators Set task.

Download

1.6.20 - 2042391 (December 2, 2021)

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Documentation fixes

Download

1.6.19 - 2009340 (November 25, 2021)

Incident Fields

Remaining Task Count
Total Task Count
Playbook Description
Hunting Task Count
Source Of Indicators
Mitigation Task Count
Completed Task Count
Total Indicator Count
Eradication Task Count
Remediation Task Count

Incident Types

Rapid Breach Response

Layouts

New: Rapid Breach Response

The new layout includes: Incident Info, IR Procedures Tracking and Hunting Results tabs.(Available from Cortex XSOAR 6.0.0).

Playbooks

New: Rapid Breach Response - Set Incident Info

This playbook is responsible for setting up the Rapid Breach Response Incident Info tab. (Available from Cortex XSOAR 6.0.0).

Scripts

Rapid Breach Response dynamic section, will show the updated number of remaining tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of remediation tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of completed tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of mitigation tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of tasks to complete. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of hunting tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of eradication tasks. (Available from Cortex XSOAR 5.5.0).

Rapid Breach Response dynamic section, will show the updated number of indicators found. (Available from Cortex XSOAR 5.5.0).

Download

1.6.18 - 7259008 (August 25, 2021)

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Updated Office 365 and Azure sub-playbooks

Download

1.6.17 - 400846 (July 21, 2021)

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Added the patch released by Kaseya to mitigations
Added fixes to QRadar indicators hunting and link incidents

Download

1.6.16 - 398533 (July 15, 2021)

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Added Point&Print mitigation task
Changed tasks execution order
Added Cortex XDR - PrintNightmare Detection and Response playbook

Download

1.6.15 - 398245 (July 15, 2021)

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Added Splunk and QRadar detection queries.
Changed playbook display name.

Download

1.6.14 - 397182 (July 13, 2021)

Playbooks

CVE-2021-1675 - PrintNightmare

Microsoft has released an emergency patch for the PrintNightmare. A reference for the patch can be found in the playbook.

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Added Xpanse issue search
Added link incidents for related XDR and Xpanse incidents
Added Kaseya VSA patch release preparation runbooks instructions

Download

1.6.12 - 394234 (July 7, 2021)

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Added additional XDR signatures to search for relevant XDR incidents

Download

1.6.11 - 393823 (July 6, 2021)

Playbooks

New: Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

On July 2nd, Kaseya company has experienced an attack against the VSA (Virtual System/Server Administrator) product. Kaseya customers reports pointed out a ransomware outbreak in their environment.
Further investigation revealed that REvil group exploited VSA zero-day vulnerabilities for authentication bypass and arbitrary command execution. This allowed the attacker to deploy ransomware on Kaseya customers' endpoints.

This playbook should be trigger manually and includes the following tasks:

Collect related known indicators from several sources.
Indicators, PS commands, Registry changes and known HTTP requests hunting using SIEM products.
- Splunk advanced queries can be modified through the playbook inputs.
Block indicators automatically or manually.
Provide advanced hunting and detection capabilities.

More information:
Kaseya Incident Overview & Technical Details

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. (Available from Cortex XSOAR 6.0.0).

Download

1.6.10 - 393444 (July 6, 2021)

Scripts

RapidBreachResponseParseBlog

Deprecated. Use ParseHTMLIndicators instead.

Download

1.6.9 - R392850 (July 5, 2021)

Playbooks

CVE-2021-1675 - PrintNightmare

The playbook will also query FW and the XDR to detect malicious activity and compromised hosts

Download

1.6.8 - 392011 (July 1, 2021)

Playbooks

New: CVE-2021-1675 - PrintNightmare

CVE-2021-1675 is a vulnerability dubbed “PrintNightmare” which allows remote code execution on Windows Print Spooler. Microsoft patched the vulnerability in June but an exploit POC and complete technical analysis were made publicly available online. This playbook includes the following tasks:

Manual actions to mitigate the exploit
Search Vulnerable Devices using the CVE
Search Vulnerable Devices using the SIEM

More details on the vulnerability
** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Download

1.6.7 - 390600 (June 28, 2021)

Playbooks

HAFNIUM - Exchange 0-day exploits

Removed duplicated playbook tasks related to indicators.

Download

1.6.6 - 376375 (June 3, 2021)

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Added validation if playbooks or integration available

HAFNIUM - Exchange 0-day exploits

Added validation if playbooks or integration available

SolarStorm and SUNBURST Hunting and Response Playbook

Added validation if playbooks or integration available

NOBELIUM - wide scale APT29 spear-phishing

Added validation if playbooks or integration available

Codecov Breach - Bash Uploader

Added validation if playbooks or integration available

Download

1.6.5 - 369639 (May 29, 2021)

Playbooks

NOBELIUM - wide scale APT29 spear-phishing

Tag related indicators as NOBELIUM and APT29.
Updated EWS search query.

Scripts

New: RapidBreachResponseParseBlog

Parse Volexity blog to extract indicators

Download

1.6.4 - 369519 (May 29, 2021)

Playbooks

New: NOBELIUM - wide scale APT29 spear-phishing

On May 27, 2021, Microsoft reported a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named SolarStorm. This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations.
Microsoft blog.

This playbook includes the following tasks:

Collect IOCs to be used in your threat hunting process
Query FW, SIEMs, EDR, XDR to detect malicious hashes, network activity and compromised hosts
Block known indicators
** Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. (Available from Cortex XSOAR 5.5.0).

Download

1.6.3 - 346806 (May 5, 2021)

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

On April 20th, a new Remote Code Execution vulnerability in Pulse Connect Secure was disclosed. The reference number for the vulnerability is CVE-2021-22893 with the CVSS Score of 10.0.
This playbook should be trigger manually and includes the following tasks:

Enrich related known CVEs and Malware Hashes used by the suspected APT actor.
Search for unpatched endpoints vulnerable to the exploits.
Search network facing system using Expanse for relevant issues.
Indicators and known webshells hunting using SIEM products.
Block indicators automatically or manually.
Provide different mitigations that has been publicly published such as:
- Patches
- Workarounds
- Yara and Snort Rules

More information:
Exploitation of Pulse Connect Secure Vulnerabilities

Download

1.6.2 - 343491 (May 2, 2021)

Playbooks

Codecov Breach - Bash Uploader

Added task to find any use of Codecov bash uploader in specified Github repositories.

Download

1.6.1 - 331662 (April 20, 2021)

Playbooks

Codecov Breach - Bash Uploader

Added panorama query to search for logs with related anti-spyware signatures
- Data Exfiltration Traffic Detection
- Malicious Modified Shell Script Detection

Download

1.6.0 - 330975 (April 20, 2021)

Playbooks

New: Codecov Breach - Bash Uploader

This playbook includes the following tasks:

Search for the Security Notice email sent from Codecov.
Collect indicators to be used in your threat hunting process.
Query network logs to detect related activity.
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Codecov Security Notice

Download

1.5.1 - 312966 (March 25, 2021)

Playbooks

SolarStorm Activity Behavior Hunting playbook

Updated playbook description.

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 17, 2020
Last Release	February 1, 2023

Malware

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

Microsoft Policy And Compliance (Audit Log)

O365 - Security And Compliance - Content Search (Deprecated)

O365 - Security And Compliance - Content Search v2

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Rapid Breach Response

How to enable it?

Layouts

Packs

CVE-2022-30190 - MSDT RCE

CVE-2022-26134 - Confluence RCE

Incident Fields

Incident Fields

Playbooks

Rapid Breach Response - Set Incident Info

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Incident Fields

Incident Types

Layouts

New: Rapid Breach Response

Playbooks

New: Rapid Breach Response - Set Incident Info

Scripts

New: RapidBreachResponse-RemainingTasksCount-Widget

New: RapidBreachResponse-RemediationTasksCount-Widget

New: RapidBreachResponse-CompletedTasksCount-Widget

New: RapidBreachResponse-MitigationTasksCount-Widget

New: RapidBreachResponse-TotalTasksCount-Widget

New: RapidBreachResponse-HuntingTasksCount-Widget

New: RapidBreachResponse-EradicationTasksCount-Widget

New: RapidBreachResponse-TotalIndicatorCount-Widget

Playbooks

SolarStorm and SUNBURST Hunting and Response Playbook

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Playbooks

CVE-2021-34527 | CVE-2021-1675 - PrintNightmare

Playbooks

CVE-2021-1675 - PrintNightmare

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Playbooks

Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Playbooks

New: Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack

Scripts

RapidBreachResponseParseBlog

Playbooks

CVE-2021-1675 - PrintNightmare

Playbooks

New: CVE-2021-1675 - PrintNightmare

Playbooks

HAFNIUM - Exchange 0-day exploits

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

HAFNIUM - Exchange 0-day exploits

SolarStorm and SUNBURST Hunting and Response Playbook

NOBELIUM - wide scale APT29 spear-phishing

Codecov Breach - Bash Uploader

Playbooks

NOBELIUM - wide scale APT29 spear-phishing

Scripts

New: RapidBreachResponseParseBlog

Playbooks

New: NOBELIUM - wide scale APT29 spear-phishing

Playbooks

CVE-2021-22893 - Pulse Connect Secure RCE

Playbooks

Codecov Breach - Bash Uploader

Playbooks

Codecov Breach - Bash Uploader

Playbooks

New: Codecov Breach - Bash Uploader

Playbooks

SolarStorm Activity Behavior Hunting playbook

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER