
Cortex XDR - Endpoint Investigation

This playbook is part of the Cortex XDR by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.

This playbook handles all the endpoint investigation actions available with Cortex XSOAR, including hunting by the following criteria:

  • Pre-defined MITRE Tactics

  • Host fields (Host ID)

  • Attacker fields (Attacker IP, External host)

  • MITRE techniques

  • File hash (currently, the playbook supports only SHA256)

Note: The playbook inputs control which of these hunts run; read the input descriptions below for details.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • CortexXDRIR

Scripts

This playbook does not use any scripts.

Commands

  • xdr-get-alerts

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| HuntReconnaissanceTechniques | Set to True to hunt for identified alerts with MITRE Reconnaissance techniques. | True | Optional |
| HuntInitialAccessTechniques | Set to True to hunt for identified alerts with MITRE Initial Access techniques. | True | Optional |
| HuntExecutionTechniques | Set to True to hunt for identified alerts with MITRE Execution techniques. | True | Optional |
| HuntPersistenceTechniques | Set to True to hunt for identified alerts with MITRE Persistence techniques. | True | Optional |
| HuntPrivilegeEscalationTechniques | Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques. | True | Optional |
| HuntDefenseEvasionTechniques | Set to True to hunt for identified alerts with MITRE Defense Evasion techniques. | True | Optional |
| HuntDiscoveryTechniques | Set to True to hunt for identified alerts with MITRE Discovery techniques. | True | Optional |
| HuntLateralMovementTechniques | Set to True to hunt for identified alerts with MITRE Lateral Movement techniques. | True | Optional |
| HuntCollectionTechniques | Set to True to hunt for identified alerts with MITRE Collection techniques. | True | Optional |
| HuntCnCTechniques | Set to True to hunt for identified alerts with MITRE Command and Control techniques. | True | Optional |
| HuntImpactTechniques | Set to True to hunt for identified alerts with MITRE Impact techniques. | True | Optional |
| HuntAttacker | Set to True to hunt for the attacker IP address or external host name. | | Optional |
| HuntByTechnique | Set to True to hunt by a specific MITRE technique. | | Optional |
| HuntByHost | Set to True to hunt by the endpoint ID. The agentID input must be provided as well. | | Optional |
| HuntByFile | Boolean. Set to True to hunt by a specific file hash. Supports SHA256 only. | | Optional |
| agentID | The agent ID. | incident.agentsid | Optional |
| attackerRemoteIP | The IP address of the attacker. The 'HuntAttacker' input should also be set to True. | | Optional |
| attackerExternalHost | The external host used by the attacker. The 'HuntAttacker' input should also be set to True. | | Optional |
| mitreTechniqueID | A MITRE technique identifier. The 'HuntByTechnique' input should also be set to True. | | Optional |
| FileSHA256 | The file SHA256. The 'HuntByFile' input should also be set to True. | File.SHA256 | Optional |
| timeRange | A time range to execute the hunting in. The input should follow the format of these examples: "1 day ago", "2 minutes ago", "4 hours ago", "8 days ago". | 2 hours ago | Optional |
| RunAll | Whether to run all the sub-tasks for MITRE Tactics. | True | Optional |
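The inputs above combine in ways that are easy to get wrong: a targeted hunt flag (HuntByHost, HuntAttacker, HuntByTechnique, HuntByFile) does nothing useful unless its companion value is supplied, HuntByFile accepts only SHA256, and timeRange is a relative string that has to become an absolute window before any alert query runs. The following Python is an added example, not code from the playbook or the Cortex XDR pack; it resolves a set of playbook inputs into a hunting plan and reports inconsistencies up front. The helper names (`parse_time_range`, `plan_hunts`), the rule that RunAll gates the whole group of tactic hunts, and the sample input values are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Tactic hunts, keyed by the playbook input that enables each one.
TACTIC_INPUTS = {
    "HuntReconnaissanceTechniques": "Reconnaissance",
    "HuntInitialAccessTechniques": "Initial Access",
    "HuntExecutionTechniques": "Execution",
    "HuntPersistenceTechniques": "Persistence",
    "HuntPrivilegeEscalationTechniques": "Privilege Escalation",
    "HuntDefenseEvasionTechniques": "Defense Evasion",
    "HuntDiscoveryTechniques": "Discovery",
    "HuntLateralMovementTechniques": "Lateral Movement",
    "HuntCollectionTechniques": "Collection",
    "HuntCnCTechniques": "Command and Control",
    "HuntImpactTechniques": "Impact",
}

# timeRange format from the input table: "<N> <unit> ago" (e.g. "4 hours ago")
_RANGE_RE = re.compile(r"^\s*(\d+)\s+(minute|hour|day|week)s?\s+ago\s*$", re.IGNORECASE)
# HuntByFile supports SHA256 only: 64 hexadecimal characters.
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def is_true(value):
    """Playbook booleans arrive as strings; only the literal 'True' enables a hunt."""
    return str(value).strip().lower() == "true"


def parse_time_range(text, now=None):
    """Turn a relative range such as '2 hours ago' into an absolute (start, end) UTC window."""
    match = _RANGE_RE.match(text)
    if not match:
        raise ValueError(f"unsupported timeRange format: {text!r}")
    count, unit = int(match.group(1)), match.group(2).lower()
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(**{unit + "s": count})  # timedelta(hours=2), timedelta(days=8), ...
    return start, end


def plan_hunts(inputs, now=None):
    """Resolve playbook inputs into a hunting plan and list cross-input problems.

    Returns a dict with the time window, the enabled tactic hunts, the targeted
    hunts with their values, and 'problems' (empty when the inputs are consistent).
    """
    problems = []
    start, end = parse_time_range(inputs.get("timeRange", "2 hours ago"), now)

    # Assumption for this example: RunAll gates the whole group of tactic hunts,
    # and each tactic hunt additionally needs its own flag (default True).
    tactics = []
    if is_true(inputs.get("RunAll", "True")):
        tactics = [t for key, t in TACTIC_INPUTS.items() if is_true(inputs.get(key, "True"))]

    targeted = {}
    if is_true(inputs.get("HuntByHost")):
        if inputs.get("agentID"):
            targeted["host"] = inputs["agentID"]
        else:
            problems.append("HuntByHost is True but agentID is empty")
    if is_true(inputs.get("HuntAttacker")):
        ip, host = inputs.get("attackerRemoteIP"), inputs.get("attackerExternalHost")
        if ip or host:
            targeted["attacker"] = {"ip": ip, "external_host": host}
        else:
            problems.append("HuntAttacker is True but neither attackerRemoteIP nor attackerExternalHost is set")
    if is_true(inputs.get("HuntByTechnique")):
        if inputs.get("mitreTechniqueID"):
            targeted["technique"] = inputs["mitreTechniqueID"]
        else:
            problems.append("HuntByTechnique is True but mitreTechniqueID is empty")
    if is_true(inputs.get("HuntByFile")):
        digest = inputs.get("FileSHA256", "")
        if _SHA256_RE.match(digest):
            targeted["file_sha256"] = digest.lower()
        else:
            problems.append("HuntByFile is True but FileSHA256 is not a 64-hex-character SHA256")

    return {"start": start, "end": end, "tactics": tactics, "targeted": targeted, "problems": problems}


# Constructed sample inputs for the example (not real incident data).
SAMPLE_INPUTS = {
    "RunAll": "True",
    "HuntDiscoveryTechniques": "False",
    "HuntByHost": "True",
    "agentID": "agent-0001-constructed",
    "HuntByFile": "True",
    "FileSHA256": "abc123",  # deliberately not a SHA256, to exercise the check
    "timeRange": "4 hours ago",
}

if __name__ == "__main__":
    plan = plan_hunts(SAMPLE_INPUTS)
    print("window:", plan["start"].isoformat(), "->", plan["end"].isoformat())
    print("tactic hunts:", plan["tactics"])
    print("targeted hunts:", plan["targeted"])
    print("problems:", plan["problems"])
```

Running the sample yields ten tactic hunts (Discovery is switched off), one targeted host hunt, and a single problem entry for the malformed FileSHA256 value; a hash in any other format (MD5, SHA1) is rejected the same way, which matches the page's note that only SHA256 is supported.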

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Image: Cortex XDR - Endpoint Investigation playbook diagram]