Details
Content
Dependencies
Version History

An OT Security Automation Pack

This OT Security pack is created to help you to automate the incident response and threat hunting processes in your Operations and ICS environment.

Pack Overview

Cortex XSOAR helps to automate OT incidents and alerts response by gathering all relevant data, even from sources that may seem unrelated,
allowing for the buildout of playbooks that cater to the particular automation needs of an ICS’s operational requirements. It also provides bot-aided war rooms where
security analysts and SMEs can safely and securely collaborate on the best course of action. Most importantly, Cortex XSOAR provides automatic documentation of all steps and
processes taken to validate and resolve issues or incidents, creating a knowledge warehouse for first responders.

Pack Roadmap

Below are sample types OT investigation that his pack will focus on:

Initial Access
- Supply Chain Compromise
- Data Historian Compromise
Execution and Persistence
- Unauthorized Program State Alteration
- Project File Infection
Evasion
- Rogue Device Detected
- Rootkits Detected
Discovery
- I/O Module Discovery
- Network Service Scanning
Lateral Movement
- Default Credentials Login
- Unautherized Remote File Copy
Collection
- Process State Dump
- Unautherized Program Upload
Command and Control
- Proxied Connection Detected
- Protocol Anomaly Detected
Inhibit ICS Function
- Activate Firmware Update Mode
- Unauthorized Program State Alteration

XSOAR content included in this pack will be built based on our integrations with OT security controls that include:

Network Segmentation Firewalls From
- Palo Alto Networks
- FortiGate
- Cisco
- Calroty
Network Access Control From
- Cisco
- Forsecout
Network Visibility From
- Nozomi
- ScadaFence
Endpoint Security From
- Kaspersky
- Symantec
SIEM From
- IBM
- Logrhythem
- Splunk
Vulnerability Management From
- Tenable

XSOAR in Isolated OT Environment

XSOAR provides the ability to have a production instance running in an isolated OT environment, with a jumb host access to a local repository that stores the content updates, for more details:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Configure-a-Remote-Repository-on-a-Development-Machine

This OT Security pack is created to help you to automate the incident response and threat hunting processes in your Operations and ICS environment.

Pack Overview

Cortex XSIAM helps to automate OT incidents and alerts response by gathering all relevant data, even from sources that may seem unrelated,
allowing for the buildout of playbooks that cater to the particular automation needs of an ICS’s operational requirements. It also provides bot-aided war rooms where
security analysts and SMEs can safely and securely collaborate on the best course of action. Most importantly, Cortex XSIAM provides automatic documentation of all steps and
processes taken to validate and resolve issues or incidents, creating a knowledge warehouse for first responders.

Pack Roadmap

Below are sample types OT investigation that his pack will focus on:

Initial Access
- Supply Chain Compromise
- Data Historian Compromise
Execution and Persistence
- Unauthorized Program State Alteration
- Project File Infection
Evasion
- Rogue Device Detected
- Rootkits Detected
Discovery
- I/O Module Discovery
- Network Service Scanning
Lateral Movement
- Default Credentials Login
- Unautherized Remote File Copy
Collection
- Process State Dump
- Unautherized Program Upload
Command and Control
- Proxied Connection Detected
- Protocol Anomaly Detected
Inhibit ICS Function
- Activate Firmware Update Mode
- Unauthorized Program State Alteration

XSOAR content included in this pack will be built based on our integrations with OT security controls that include:

Network Segmentation Firewalls From
- Palo Alto Networks
- FortiGate
- Cisco
- Calroty
Network Access Control From
- Cisco
- Forsecout
Network Visibility From
- Nozomi
- ScadaFence
Endpoint Security From
- Kaspersky
- Symantec
SIEM From
- IBM
- Logrhythem
- Splunk
Vulnerability Management From
- Tenable

XSOAR in Isolated OT Environment

Classifiers

Name	Description
OTSecurity API Classifier v1	Sample API classifier of OT incidents, this classifier is included to help you test the playbook by triggering a new incident using XSOAR API, if the json payload of your request to XSOAR API includes a 'category' key with value equal to 'Rogue Device Found Incident', the classifier matches that and creates a new incident with type 'OTSecurity Rogue Device Found'
OTSecurity API Incoming Mapper v1	Sample mapper of OT Security incidents

Incident Fields

Name	Description
OTSecurity Substation Name
OTSecurity Substation Contact
OTSecurity Protocols
OTSecurity Substation Location

Incident Types

Name	Description
OTSecurity Rogue Device Found

Layouts

Name	Description
OTSecurity Rogue Device Found	OT Security Rogue Device Found Layout
MAC Indicator	MAC Indicator Layout

Playbooks

Name	Description
Cisco ISE - Block MAC Address	This Playbook Expects MAC Address and Policy Name
OTSecurity - Rogue Device Investigation	OT Security playbook to investigate rogue device incidents

Indicator Types

Name	Description
MAC Address

Classifiers

Name	Description
OTSecurity API Classifier v1	Sample API classifier of OT incidents, this classifier is included to help you test the playbook by triggering a new incident using XSOAR API, if the json payload of your request to XSOAR API includes a 'category' key with value equal to 'Rogue Device Found Incident', the classifier matches that and creates a new incident with type 'OTSecurity Rogue Device Found'
OTSecurity API Incoming Mapper v1	Sample mapper of OT Security incidents

Incident Fields

Name	Description
OTSecurity Substation Location
OTSecurity Substation Contact
OTSecurity Substation Name
OTSecurity Protocols

Incident Types

Name	Description
OTSecurity Rogue Device Found

Layouts

Name	Description
MAC Indicator	MAC Indicator Layout

Playbooks

Name	Description
Cisco ISE - Block MAC Address	This Playbook Expects MAC Address and Policy Name
OTSecurity - Rogue Device Investigation	OT Security playbook to investigate rogue device alerts

Indicator Types

Name	Description
MAC Address

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Nozomi Networks	By: Nozomi Networks
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Cisco ISE	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (9)

Pack Name	Pack By
Cisco ISE	By: Cortex XSOAR
Nozomi Networks	By: Nozomi Networks
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Supported By	Community
Created	January 5, 2022
Last Release	May 5, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

OTSecurity

Pack Overview

Pack Roadmap

XSOAR in Isolated OT Environment

Pack Overview

Pack Roadmap

XSOAR in Isolated OT Environment

OTSecurity

OTSecurity

Layouts

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER