
Cortex XDR - PrintNightmare Detection and Response

This playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

The playbook targets the specific PrintNightmare detection rules written by Cortex XDR for both vulnerabilities:

  • CVE-2021-1675 (local privilege escalation, LPE)
  • CVE-2021-34527 (remote code execution, RCE)

This playbook includes the following tasks:

  • Containment of files, endpoints, users and IP Addresses
  • Enrichment of indicators
  • Data acquisition of system info and files using Cortex XDR
  • Eradicating compromised user credentials

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Account Enrichment - Generic v2.1
  • Cortex XDR - Isolate Endpoint
  • Endpoint Enrichment - Generic v2.1
  • Block IP - Generic v2
  • Threat Hunting - Generic

Integrations

  • CortexXDRIR

Scripts

  • SearchIncidentsV2

Commands

  • enrichIndicators
  • xdr-get-incident-extra-data
  • ad-disable-account

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IsolateEndpointAutomatically | Whether to isolate the endpoint automatically. | False | Optional |
| DisableAccountAutomatically | Whether to disable the account automatically. | True | Optional |
| BlockIPAutomatically | Whether to block the IP address automatically. | True | Optional |
| EnrichAutomatically | Whether to run automatic indicator enrichment. | True | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Image: Cortex XDR - PrintNightmare Detection and Response playbook diagram]