
Cortex XDR - Endpoint Investigation

This playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook handles all the endpoint investigation actions available with Cortex XSIAM, including the following tasks:

  • Pre-defined MITRE Tactics
  • Host fields (host ID)
  • Attacker fields (attacker IP, external host)
  • MITRE techniques
  • File hash (currently, the playbook supports only SHA256)

Note:
The playbook inputs control the execution flow (which hunts run and what they hunt for); read the input descriptions for details.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

CortexXDRIR

Scripts

This playbook does not use any scripts.

Commands

xdr-get-alerts

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| HuntReconnaissanceTechniques | Whether to hunt for identified alerts with MITRE Reconnaissance techniques. | True | Optional |
| HuntInitialAccessTechniques | Whether to hunt for identified alerts with MITRE Initial Access techniques. | True | Optional |
| HuntExecutionTechniques | Whether to hunt for identified alerts with MITRE Execution techniques. | True | Optional |
| HuntPersistenceTechniques | Whether to hunt for identified alerts with MITRE Persistence techniques. | True | Optional |
| HuntPrivilegeEscalationTechniques | Whether to hunt for identified alerts with MITRE Privilege Escalation techniques. | True | Optional |
| HuntDefenseEvasionTechniques | Whether to hunt for identified alerts with MITRE Defense Evasion techniques. | True | Optional |
| HuntDiscoveryTechniques | Whether to hunt for identified alerts with MITRE Discovery techniques. | True | Optional |
| HuntLateralMovementTechniques | Whether to hunt for identified alerts with MITRE Lateral Movement techniques. | True | Optional |
| HuntCollectionTechniques | Whether to hunt for identified alerts with MITRE Collection techniques. | True | Optional |
| HuntCnCTechniques | Whether to hunt for identified alerts with MITRE Command and Control techniques. | True | Optional |
| HuntImpactTechniques | Whether to hunt for identified alerts with MITRE Impact techniques. | True | Optional |
| HuntAttacker | Whether to hunt the attacker IP address or external hostname. | | Optional |
| HuntByTechnique | Whether to hunt by a specific MITRE technique. | | Optional |
| HuntByHost | Whether to hunt by the endpoint ID. The agentID input must be provided as well. | | Optional |
| HuntByFile | Whether to hunt by a specific file hash. Supports SHA256 only. | | Optional |
| agentID | The agent ID. | incident.agentsid | Optional |
| attackerRemoteIP | The IP address of the attacker. The 'HuntAttacker' input should also be set to True. | | Optional |
| attackerExternalHost | The external host used by the attacker. The 'HuntAttacker' input should also be set to True. | | Optional |
| mitreTechniqueID | A MITRE technique identifier. The 'HuntByTechnique' input should also be set to True. | | Optional |
| FileSHA256 | The file SHA256. The 'HuntByFile' input should also be set to True. | File.SHA256 | Optional |
| timeRange | The time range to run the hunting over. The input should be in the following format: "1 day ago", "2 minutes ago", "4 hours ago", "8 days ago". | 2 hours ago | Optional |
| RunAll | Whether to run all the sub-tasks for MITRE Tactics. | True | Optional |
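The inputs above gate which hunts the playbook performs, and several of them only make sense together (HuntByHost needs agentID, HuntAttacker needs an IP or hostname, HuntByFile accepts only SHA256). The following Python is an added illustration written for this page, not code from the playbook or the CortexXDRIR integration: it parses the timeRange format the table specifies and turns a set of playbook inputs into a list of hunts plus warnings for flags whose prerequisite inputs are missing. The criteria keys in each hunt dict and the reading of RunAll as a master switch for the tactic sub-tasks are assumptions, not the real xdr-get-alerts argument names.

```python
import re
from datetime import datetime, timedelta, timezone

# Per-tactic hunt flags and the tactic each one covers (flag names and defaults from the page).
TACTIC_FLAGS = {
    "HuntReconnaissanceTechniques": "Reconnaissance",
    "HuntInitialAccessTechniques": "Initial Access",
    "HuntExecutionTechniques": "Execution",
    "HuntPersistenceTechniques": "Persistence",
    "HuntPrivilegeEscalationTechniques": "Privilege Escalation",
    "HuntDefenseEvasionTechniques": "Defense Evasion",
    "HuntDiscoveryTechniques": "Discovery",
    "HuntLateralMovementTechniques": "Lateral Movement",
    "HuntCollectionTechniques": "Collection",
    "HuntCnCTechniques": "Command and Control",
    "HuntImpactTechniques": "Impact",
}

# Defaults the page lists for the inputs that have one.
DEFAULTS = {flag: "True" for flag in TACTIC_FLAGS}
DEFAULTS.update({"RunAll": "True", "timeRange": "2 hours ago"})

# The documented timeRange format: "<N> minute(s)|hour(s)|day(s) ago".
_RANGE_RE = re.compile(r"^\s*(\d+)\s+(minute|hour|day)s?\s+ago\s*$", re.IGNORECASE)
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def is_true(value):
    """Playbook inputs arrive as strings; treat 'True' (any case) as the only truthy value."""
    return str(value).strip().lower() == "true"


def is_valid_time_range(value):
    return _RANGE_RE.match(value or "") is not None


def time_range_to_seconds(value):
    """Convert '4 hours ago' to 14400; raise on anything outside the documented format."""
    m = _RANGE_RE.match(value or "")
    if not m:
        raise ValueError(f"timeRange must look like '2 hours ago', got {value!r}")
    n, unit = int(m.group(1)), m.group(2).lower()
    return n * {"minute": 60, "hour": 3600, "day": 86400}[unit]


def parse_time_range(value, now=None):
    """Absolute UTC start of the hunting window implied by a relative timeRange."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(seconds=time_range_to_seconds(value))


def build_hunt_plan(inputs, now=None):
    """Return (hunts, warnings): one dict per hunt the inputs enable, and one warning
    per hunt that was requested but cannot run because its companion input is missing."""
    cfg = {**DEFAULTS, **inputs}
    start = parse_time_range(cfg["timeRange"], now)
    hunts, warnings = [], []

    # Assumed interpretation: RunAll gates the whole tactic section, each flag gates its own tactic.
    if is_true(cfg["RunAll"]):
        for flag, tactic in TACTIC_FLAGS.items():
            if is_true(cfg[flag]):
                hunts.append({"hunt": "tactic", "mitre_tactic": tactic, "start_time": start})

    if is_true(cfg.get("HuntAttacker")):
        ip, host = cfg.get("attackerRemoteIP"), cfg.get("attackerExternalHost")
        if ip or host:
            hunts.append({"hunt": "attacker", "remote_ip": ip, "external_host": host, "start_time": start})
        else:
            warnings.append("HuntAttacker is True but neither attackerRemoteIP nor attackerExternalHost is set")

    if is_true(cfg.get("HuntByTechnique")):
        tid = cfg.get("mitreTechniqueID")
        if tid:
            hunts.append({"hunt": "technique", "mitre_technique_id": tid, "start_time": start})
        else:
            warnings.append("HuntByTechnique is True but mitreTechniqueID is not set")

    if is_true(cfg.get("HuntByHost")):
        agent = cfg.get("agentID")
        if agent:
            hunts.append({"hunt": "host", "agent_id": agent, "start_time": start})
        else:
            warnings.append("HuntByHost is True but agentID is not set")

    if is_true(cfg.get("HuntByFile")):
        sha = (cfg.get("FileSHA256") or "").strip()
        if _SHA256_RE.match(sha):
            hunts.append({"hunt": "file", "sha256": sha.lower(), "start_time": start})
        else:
            warnings.append("HuntByFile is True but FileSHA256 is missing or is not a SHA256 (only SHA256 is supported)")

    return hunts, warnings


if __name__ == "__main__":
    # Constructed sample inputs: skip Execution, add an attacker IP hunt, and a host hunt with no agentID.
    sample = {"HuntExecutionTechniques": "False", "HuntAttacker": "True",
              "attackerRemoteIP": "203.0.113.7", "HuntByHost": "True", "timeRange": "1 day ago"}
    hunts, warnings = build_hunt_plan(sample)
    for h in hunts:
        print(h)
    for w in warnings:
        print("WARNING:", w)
```

Feeding the warnings back into the incident (rather than silently skipping the hunt) is the behaviour an analyst wants: a HuntByHost that quietly did nothing because agentID was empty looks identical to a clean host.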

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


Cortex XDR - Endpoint Investigation