
Strata Logging Service - Indicators Hunting

This playbook is part of the Strata Logging Service by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

The playbook facilitates threat hunting and detection of IOCs within Strata Logging Service logs. The playbook and its sub-playbooks query Strata Logging Service for file, traffic, HTTP request, and execution flow indicators.

Note that multiple search values should be separated by commas only (without spaces or any special characters).

Supported IOCs for this playbook:

  • SHA256
  • IP Addresses
  • Geolocation
  • URLDomain
  • Port Number
  • File Name
  • File Type
  • URI
  • Application

Separate searches are conducted for each type of indicator in the playbook.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Strata Logging Service - File Indicators Hunting
  • Strata Logging Service - Traffic Indicators Hunting

Integrations

  • Strata Logging Service

Scripts

  • IsIntegrationAvailable
  • SetAndHandleEmpty

Commands

  • cdl-query-url-logs
  • cdl-query-file-data

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IPAddresses | A single or multiple IP addresses to search for within Strata Logging Service. Used for both source and destination IP addresses. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| URLDomain | Single or multiple URLs and/or domains to search for within Strata Logging Service. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| Geolocation | A single or multiple country names or codes to search for within Strata Logging Service. Used for both source and destination geolocations. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| PortNumber | A single or multiple port numbers to search for within Strata Logging Service. Used for both source and destination ports. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| SHA256 | A single or multiple SHA256 file hashes to search for within Strata Logging Service. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| Filename | A single or multiple file names to search for within Strata Logging Service. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FileType | A single or multiple file types to search for within Strata Logging Service. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| Application | Single or multiple application names or codes to search for within Strata Logging Service. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| URI | A single or multiple URIs to search for within Strata Logging Service. By default, a 'LIKE' search is used. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| start_time | Specify the query start time at which to perform a search within Strata Logging Service. For example, start_time="2018-04-26 00:00:00" | | Optional |
| end_time | Specify the query end time at which to perform a search within Strata Logging Service. For example, end_time="2018-04-26 00:00:00" | | Optional |
| time_range | An alternative to the 'start_time' and 'end_time' inputs that indicates the timeframe for the search, e.g. 1 week, 1 day, 30 minutes. When the time_range input is specified, the 'start_time' and 'end_time' inputs should not be used. | | Optional |
| limit | The maximum number of logs to return. Default is 10. | | Optional |
| fields | Select the fields you wish to be included in the query results. Selection can be "all" (same as *) or a comma-separated list of specific fields in the table. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| FirewallAction | Filter network traffic logs that should be retrieved from Strata Logging Service based on firewall action. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |
| rule_matched | Filter network traffic logs to be retrieved from Strata Logging Service based on security policy rule names that the network traffic matches. Separate multiple search values by commas only (without spaces or any special characters). | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| CDL.HuntingResults | Event log objects and fields that were retrieved from Strata Logging Service (SLS). | string |
| CDL.HuntingResults.TimeGenerated | Time when the log was generated on the firewall's data plane. | number |
| CDL.HuntingResults.LogTime | Time the log was received in Strata Logging Service. | number |
| CDL.HuntingResults.IngestionTime | Ingestion time of the log. | number |
| CDL.HuntingResults.App | The application associated with the network traffic. | string |
| CDL.HuntingResults.AppCategory | Identifies the high-level family of the application. | string |
| CDL.HuntingResults.RiskOfApp | Indicates how risky the application is from a network security perspective. | string |
| CDL.HuntingResults.CharacteristicOfApp | Identifies the behavioral characteristic of the application associated with the network traffic. | string |
| CDL.HuntingResults.SessionID | Identifies the firewall's internal identifier for a specific network session. | string |
| CDL.HuntingResults.Action | Identifies the action that the firewall took for the network traffic. | string |
| CDL.HuntingResults.Protocol | The IP protocol associated with the session. | string |
| CDL.HuntingResults.RefererProtocol | The protocol used in the HTTP Referer header field. | string |
| CDL.HuntingResults.DestinationPort | The network traffic's destination port. If this value is 0, then the app is using its standard port. | number |
| CDL.HuntingResults.SourcePort | The source port utilized by the session. | number |
| CDL.HuntingResults.RefererPort | The port used in the HTTP Referer header field. | number |
| CDL.HuntingResults.DestinationIP | The original destination IP address. | string |
| CDL.HuntingResults.SourceIP | The original source IP address. | string |
| CDL.HuntingResults.Users | Source/Destination user. If neither is available, source_ip is used. | string |
| CDL.HuntingResults.SrcUser | The username that initiated the network traffic. | string |
| CDL.HuntingResults.SrcUserInfo | The information for the initiated user. | string |
| CDL.HuntingResults.DstUser | The username to which the network traffic was destined. | string |
| CDL.HuntingResults.DstUserInfo | The destination user information. | string |
| CDL.HuntingResults.UserAgent | The web browser that the user used to access the URL. | string |
| CDL.HuntingResults.IsPhishing | Indicates whether enterprise credentials were submitted by an end user. | string |
| CDL.HuntingResults.SourceLocation | The source country or internal region for private addresses. | string |
| CDL.HuntingResults.DestinationLocation | The destination country or internal region for private addresses. | string |
| CDL.HuntingResults.RuleMatched | The unique identifier for the security policy rule that the network traffic matched. | string |
| CDL.HuntingResults.ThreatName | The name of the detected threat. | string |
| CDL.HuntingResults.LogSourceName | The name of the source of the log. | string |
| CDL.HuntingResults.Direction | Indicates the direction of the attack. | string |
| CDL.HuntingResults.DirectionOfAttack | Indicates the direction of the attack. | string |
| CDL.HuntingResults.FileName | The name of the file that is blocked. | string |
| CDL.HuntingResults.FileSHA256 | The binary hash (SHA256) of the file. | string |
| CDL.HuntingResults.FileType | Palo Alto Networks textual identifier for the threat. | string |
| CDL.HuntingResults.Url | The name of the internet domain that was visited in this session. | string |
| CDL.HuntingResults.Uri | The address of the URI. | string |
| CDL.HuntingResults.RefererURL | The URL used in the HTTP Referer header field. | string |
| CDL.HuntingResults.RefererFQDN | The full domain name used in the HTTP Referer header field. | string |
| CDL.HuntingResults.URLCategory | The URL category. | string |
| CDL.HuntingResults.URLDomain | The name of the internet domain that was visited in this session. | string |
| CDL.HuntingResults.IsUrlDenied | Indicates whether the session was denied due to a URL filtering rule. | string |
| CDL.HuntingResults.SourceDeviceHost | Hostname of the device from which the session originated. | string |
| CDL.HuntingResults.DestDeviceHost | Hostname of the device session destination. | string |
| CDL.HuntingResults.ContentType | The content type of the HTTP response data. | string |
| CDL.HuntingResults.HTTPMethod | The HTTP method used in the web request. | string |

Playbook Image

[Image: Strata Logging Service - Indicators Hunting]