Proactive Threat Hunting

What does this pack do?

The "Proactive Threat Hunting" pack for Cortex XSOAR enables users to initiate threat hunting sessions with the primary goal of identifying undetected threats within their environment. Hunting session summary will be displayed in the new "Threat Hunting" dashboard. This pack supports two distinct hunting methods:

SDO Hunting: Users can build hypotheses around specific STIX Data Object (SDO) indicators such as Campaigns, Intrusion Sets, or Malware. The pack allows for the search of Indicators of Compromise (IOCs) related to the selected SDO indicator, as well as the identification of tools and tactics used in the corresponding attack pattern.
Freestyle Hunt: This method empowers threat hunters to execute custom queries, upload their own IOCs, and conduct comprehensive searches and data enrichment on entities within the environment.
Additionally, both hunting methods in the pack offer the capability to take remediation actions directly from the hunting session layout. This includes the ability to block IOCs, isolate endpoints, block accounts, and quarantine files, providing a holistic approach to threat hunting and response.
Overall, the "Proactive Threat Hunting" pack enhances Cortex XSOAR's capabilities by allowing security teams to proactively explore and identify potential threats, providing a powerful toolset to enhance the organization's cybersecurity posture.

Name	Description
HuntingFromIndicatorLayout	This automation creates an incident from the indicator layouts Malware, Campaign and Intrusion set, with the following parameters: Name: Threat Hunting Session - <Indicator Value> Type: Proactive Threat Hunting sdoname: <Indicator Value>.

Name

Description

HuntingFromIndicatorLayout

This automation creates an incident from the indicator layouts Malware, Campaign and Intrusion set, with the following parameters:

Name: Threat Hunting Session - <Indicator Value>
Type: Proactive Threat Hunting
sdoname: <Indicator Value>.

Name	Description
Threat Hunting

Name

Description

Threat Hunting

Name	Description
Choose SDO To Hunt for
Hunting Endpoint Enrichment
Cheat Sheet
SDO Feed
Hunting Session Status
SDO Name
Freestyle Hunt
Campaign to hunt
Tools To Hunt For

Name

Description

Choose SDO To Hunt for

Hunting Endpoint Enrichment

Cheat Sheet

SDO Feed

Hunting Session Status

SDO Name

Freestyle Hunt

Campaign to hunt

Tools To Hunt For

Name	Description
Proactive Threat Hunting

Name

Description

Proactive Threat Hunting

Name	Description
Proactive Threat Hunting

Name

Description

Proactive Threat Hunting

Name	Description
Proactive Threat Hunting - Endpoint Isolation	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of isolating a host specified by the analyst.
Proactive Threat Hunting - Block Account	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking a user specified by the analyst.
Proactive Threat Hunting - Execute Query	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of executing a query that will be provided by the analyst. The playbook supports executing a query using the following integrations: Cortex XDR XQL Engine Microsoft Defender For Endpoint
Proactive Threat Hunting - Quarantine File	This playbook will be executed from the “Proactive Threat Hunting” layout button with the objective of quarantining a file specified by the analyst. The following integration is supported: Cortex XDR IR
Proactive Threat Hunting - Block Indicators	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking indicators specified by the analyst.
Proactive Threat Hunting - Entity Enrichment	This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of enriching information on hosts and users specified by the analyst.
Proactive Threat Hunting	This playbook is the main playbook of the 'Proactive Threat Hunting' pack. It automatically runs during a new hunting session and guides the threat hunter through the session based on the selected hunting method. The available hunting methods are: SDO Hunt: Constructs the hunting hypothesis based on SDO indicators (Campaign, Malware, Intrusion Set). Freestyle Hunt: Allows the threat hunter to provide their own queries and IOCs for hunting.
Proactive Threat Hunting - SDO Threat Hunting	This playbook will be executed when the analyst chooses to perform SDO hunting. The playbook receives an SDO type indicator and executes the following steps: Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs. Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook. Searches attack patterns that are related to the SDO indicator. Searches LOLBAS tools that are related to the found attack patterns. Hunts for LOLBin executions command-line arguments that are similar to LOLBAS malicious commands patterns.

Name

Description

Proactive Threat Hunting - Endpoint Isolation

This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of isolating a host specified by the analyst.

Proactive Threat Hunting - Block Account

This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking a user specified by the analyst.

Proactive Threat Hunting - Execute Query

This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of executing a query that will be provided by the analyst. The playbook supports executing a query using the following integrations:

Cortex XDR XQL Engine
Microsoft Defender For Endpoint

Proactive Threat Hunting - Quarantine File

This playbook will be executed from the “Proactive Threat Hunting” layout button with the objective of quarantining a file specified by the analyst. The following integration is supported:

Cortex XDR IR

Proactive Threat Hunting - Block Indicators

This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of blocking indicators specified by the analyst.

Proactive Threat Hunting - Entity Enrichment

This playbook will be executed from the "Proactive Threat Hunting" layout button with the objective of enriching information on hosts and users specified by the analyst.

Proactive Threat Hunting

This playbook is the main playbook of the 'Proactive Threat Hunting' pack. It automatically runs during a new hunting session and guides the threat hunter through the session based on the selected hunting method. The available hunting methods are:

SDO Hunt: Constructs the hunting hypothesis based on SDO indicators (Campaign, Malware, Intrusion Set).
Freestyle Hunt: Allows the threat hunter to provide their own queries and IOCs for hunting.

Proactive Threat Hunting - SDO Threat Hunting

This playbook will be executed when the analyst chooses to perform SDO hunting.
The playbook receives an SDO type indicator and executes the following steps:

Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs.
Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook.
Searches attack patterns that are related to the SDO indicator.
Searches LOLBAS tools that are related to the found attack patterns.
Hunts for LOLBin executions command-line arguments that are similar to LOLBAS malicious commands patterns.

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
LOLBAS Feed	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR

Pack Name	Pack By
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Unit 42 ATOMs Feed	By: Cortex XSOAR
Microsoft Defender for Endpoint	By: Cortex XSOAR
Windows Defender Advanced Threat Protection (Deprecated)	By: Cortex XSOAR

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
LOLBAS Feed	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
TIM - Indicator Auto-Processing	By: Cortex XSOAR

Certification	Certified	Read more
Supported By	Cortex
Created	November 19, 2023
Last Release	January 24, 2024

Proactive Threat Hunting

What does this pack do?

Playbooks

Proactive Threat Hunting

Scripts

HuntingFromIndicatorLayout

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER