# Cortex XDR - Endpoint Investigation
This playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.
## Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks:
- Pre-defined MITRE Tactics
- Host fields (host ID)
- Attacker fields (attacker IP, external host)
- MITRE techniques
- File hash (currently, the playbook supports only SHA256)
Note:
The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
### Sub-playbooks
This playbook does not use any sub-playbooks.
### Integrations
CortexXDRIR
### Scripts
This playbook does not use any scripts.
### Commands
xdr-get-alerts
## Playbook Inputs
Name | Description | Default Value | Required |
---|---|---|---|
HuntReconnaissanceTechniques | Whether to hunt for identified alerts with MITRE Reconnaissance techniques. | True | Optional |
HuntInitialAccessTechniques | Whether to hunt for identified alerts with MITRE Initial Access techniques. | True | Optional |
HuntExecutionTechniques | Whether to hunt for identified alerts with MITRE Execution techniques. | True | Optional |
HuntPersistenceTechniques | Whether to hunt for identified alerts with MITRE Persistence techniques. | True | Optional |
HuntPrivilegeEscalationTechniques | Whether to hunt for identified alerts with MITRE Privilege Escalation techniques. | True | Optional |
HuntDefenseEvasionTechniques | Whether to hunt for identified alerts with MITRE Defense Evasion techniques. | True | Optional |
HuntDiscoveryTechniques | Whether to hunt for identified alerts with MITRE Discovery techniques. | True | Optional |
HuntLateralMovementTechniques | Whether to hunt for identified alerts with MITRE Lateral Movement techniques. | True | Optional |
HuntCollectionTechniques | Whether to hunt for identified alerts with MITRE Collection techniques. | True | Optional |
HuntCnCTechniques | Whether to hunt for identified alerts with MITRE Command and Control techniques. | True | Optional |
HuntImpactTechniques | Whether to hunt for identified alerts with MITRE Impact techniques. | True | Optional |
HuntAttacker | Whether to hunt the attacker IP address or external hostname. | | Optional |
HuntByTechnique | Whether to hunt by a specific MITRE technique. | | Optional |
HuntByHost | Whether to hunt by the endpoint ID. The agentID input must be provided as well. | | Optional |
HuntByFile | Whether to hunt by a specific file hash. Supports SHA256 only. | | Optional |
agentID | The agent ID. | incident.agentsid | Optional |
attackerRemoteIP | The IP address of the attacker. The 'HuntAttacker' input should also be set to True. | | Optional |
attackerExternalHost | The external host used by the attacker. The 'HuntAttacker' input should also be set to True. | | Optional |
mitreTechniqueID | A MITRE technique identifier. The 'HuntByTechnique' input should also be set to True. | | Optional |
FileSHA256 | The file SHA256. The 'HuntByFile' input should also be set to True. | File.SHA256 | Optional |
timeRange | The time range in which to execute the hunting, in a relative format such as "1 day ago", "2 minutes ago", "4 hours ago" or "8 days ago". | 2 hours ago | Optional |
RunAll | Whether to run all the sub-tasks for MITRE Tactics. | True | Optional |
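The inputs above gate which hunts the playbook dispatches: each tactic flag enables one hunt, the `HuntBy*` flags each depend on a companion value (`agentID`, `mitreTechniqueID`, `FileSHA256`, the attacker fields), and `timeRange` bounds every query. The following is an added example, not code from the playbook or the pack, that models that gating logic and the documented `timeRange` format; the filter keys (`mitre_tactic`, `agent_id`, `sha256`, ...) are illustrative placeholders, not the real `xdr-get-alerts` argument names, and treating `RunAll` as overriding the per-tactic flags is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Maps each tactic input of the playbook to the tactic it hunts for.
TACTIC_INPUTS = {
    "HuntReconnaissanceTechniques": "Reconnaissance", "HuntInitialAccessTechniques": "Initial Access",
    "HuntExecutionTechniques": "Execution", "HuntPersistenceTechniques": "Persistence",
    "HuntPrivilegeEscalationTechniques": "Privilege Escalation", "HuntDefenseEvasionTechniques": "Defense Evasion",
    "HuntDiscoveryTechniques": "Discovery", "HuntLateralMovementTechniques": "Lateral Movement",
    "HuntCollectionTechniques": "Collection", "HuntCnCTechniques": "Command and Control",
    "HuntImpactTechniques": "Impact",
}
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")  # the only hash type the playbook supports

def is_true(value):
    """Playbook inputs arrive as strings; treat only 'True' (any case) as enabled."""
    return str(value).strip().lower() == "true"

def parse_time_range(text, now=None):
    """Turn the documented '<n> minutes|hours|days ago' format into a (start, end) window."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day)s?\s+ago\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported timeRange: {text!r}")
    now = now or datetime.now(timezone.utc)
    delta = timedelta(**{m.group(2).lower() + "s": int(m.group(1))})
    return now - delta, now

def plan_hunts(inputs, now=None):
    """Return (kind, filters) pairs for every hunt the inputs enable; a hunt whose
    companion value is missing or malformed is skipped rather than dispatched.
    Filter keys are placeholders, not xdr-get-alerts argument names."""
    start, end = parse_time_range(inputs.get("timeRange", "2 hours ago"), now)
    window = {"start": start, "end": end}
    hunts = []
    run_all = is_true(inputs.get("RunAll", "True"))  # assumption: RunAll overrides per-tactic flags
    for name, tactic in TACTIC_INPUTS.items():
        if run_all or is_true(inputs.get(name, "True")):
            hunts.append(("tactic", {"mitre_tactic": tactic, **window}))
    if is_true(inputs.get("HuntByHost")) and inputs.get("agentID"):
        hunts.append(("host", {"agent_id": inputs["agentID"], **window}))
    if is_true(inputs.get("HuntByTechnique")) and inputs.get("mitreTechniqueID"):
        hunts.append(("technique", {"mitre_technique_id": inputs["mitreTechniqueID"], **window}))
    if is_true(inputs.get("HuntByFile")) and SHA256_RE.fullmatch(inputs.get("FileSHA256", "")):
        hunts.append(("file", {"sha256": inputs["FileSHA256"].lower(), **window}))
    if is_true(inputs.get("HuntAttacker")):
        for key, label in (("attackerRemoteIP", "attacker_ip"), ("attackerExternalHost", "external_host")):
            if inputs.get(key):
                hunts.append(("attacker", {label: inputs[key], **window}))
    return hunts
```

With the defaults (no inputs supplied) all eleven tactic hunts run over the last two hours; a `HuntByFile` request carrying a hash that is not 64 hex characters is dropped instead of being sent as a malformed query.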
## Playbook Outputs
There are no outputs for this playbook.