Common Playbooks Pack.#This Playbook is part of the
Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook takes a command line from the alert and performs the following actions:
- Checks for base64 string and decodes if exists
- Extracts and enriches indicators from the command line
- Checks specific arguments for malicious usage
At the end of the playbook, it sets a possible verdict for the command line, based on the finding:
- Indicators found in the command line
- Found AMSI techniques
- Found suspicious parameters
- Usage of malicious tools
- Indication of network activity
- Indication of suspicious LOLBIN execution
Note: In case you are wishing to run this playbook with a list of command lines, set this playbook to be running in a loop. To do so, navigate to the 'Loop' and check "For Each Input".
This playbook uses the following sub-playbooks, integrations, and scripts.
- Compare Process Execution Arguments To LOLBAS Patterns
This playbook does not use any integrations.
|Commandline||The command line.||Optional|
|StringSimilarityThreshold||StringSimilarity automation threshold. Used by the Compare "Process Execution Arguments To LOLBAS Patterns" sub-playbook. This input controls the StringSimilarity automation threshold.||0.5||Optional|
|MatchRegex||The regex found in the command line||unknown|
|Indicators||Indicators extracted from the command line||unknown|
|commandline.original||The original command line||unknown|
|commandline.decoded||The decoded command line||unknown|
|CommandlineVerdict||The command line verdict||unknown|
|IP||The IP object.||unknown|
|URL||The URL object.||uknown|
|File||The file object.||unknown|
|Domain||The domain object.||unknown|