Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks:
- Pre-defined MITRE Tactics
- Host fields (host ID)
- Attacker fields (attacker IP, external host)
- MITRE techniques
- File hash (currently, the playbook supports only SHA256)
The playbook inputs enable manipulating the execution flow; read the input descriptions for details.
This playbook uses the following sub-playbooks, integrations, and scripts.
This playbook does not use any sub-playbooks.
This playbook does not use any scripts.
|HuntReconnaissanceTechniques||Whether to hunt for identified alerts with MITRE Reconnaissance techniques.||True||Optional|
|HuntInitialAccessTechniques||Whether to hunt for identified alerts with MITRE Access techniques.||True||Optional|
|HuntExecutionTechniques||Whether to hunt for identified alerts with MITRE Execution techniques.||True||Optional|
|HuntPersistenceTechniques||Whether to hunt for identified alerts with MITRE Persistence techniques.||True||Optional|
|HuntPrivilegeEscalationTechniques||Whether to hunt for identified alerts with MITRE Privilege Escalation techniques.||True||Optional|
|HuntDefenseEvasionTechniques||Whether to hunt for identified alerts with MITRE Defense Evasion techniques.||True||Optional|
|HuntDiscoveryTechniques||Whethere to hunt for identified alerts with MITRE Discovery techniques.||True||Optional|
|HuntLateralMovementTechniques||Whether to hunt for identified alerts with MITRE Lateral Movement techniques.||True||Optional|
|HuntCollectionTechniques||Whether to hunt for MITRE Collection techniques identified alerts.||True||Optional|
|HuntCnCTechniques||Whether to hunt for identified alerts with MITRE Command and Control techniques.||True||Optional|
|HuntImpactTechniques||Whether to hunt for identified alerts with MITRE Impact techniques.||True||Optional|
|HuntAttacker||Whether to hunt the attacker IP address or external hostname.||Optional|
|HuntByTechnique||Whether to hunt by a specific MITRE technique.||Optional|
|HuntByHost||Whether to hunt by the endpoint ID. The agentID input must be provided as well.||Optional|
|HuntByFile||Whether to hunt by a specific file hash.|
|agentID||The agent ID.||incident.agentsid||Optional|
|attackerRemoteIP||The IP address of the attacker. The 'HuntAttacker' inputs should also be set to True.||Optional|
|attackerExternalHost||The external host used by the attacker. The 'HuntAttacker' inputs should also be set to True.||Optional|
|mitreTechniqueID||A MITRE technique identifier. The 'HuntByTechnique' inputs should also be set to True.||Optional|
|FileSHA256||The file SHA256. The 'HuntByFile' inputs should also be set to True.||File.SHA256||Optional|
|timeRange||A time range to execute the hunting in.|
The input should be in the following format:
* 1 day ago
* 2 minutes ago
* 4 hours ago
* 8 days ago
|2 hours ago||Optional|
|RunAll||Whether to run all the sub-tasks for Mitre Tactics.||True||Optional|
There are no outputs for this playbook.