
Get entity alerts by MITRE tactics

This playbook is part of the Core - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This playbook searches XDR alerts related to specific entities within a given time frame, filtered by MITRE tactic. Note: the playbook's inputs control the execution flow (which tactics are hunted and over what window). Read the input descriptions for details.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • SearchAlertsV2

Commands

This playbook does not use any commands.

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| HuntReconnaissanceTechniques | Set to True to hunt for identified alerts with MITRE Reconnaissance techniques. | | Optional |
| HuntInitialAccessTechniques | Set to True to hunt for identified alerts with MITRE Initial Access techniques. | | Optional |
| HuntExecutionTechniques | Set to True to hunt for identified alerts with MITRE Execution techniques. | | Optional |
| HuntPersistenceTechniques | Set to True to hunt for identified alerts with MITRE Persistence techniques. | | Optional |
| HuntPrivilegeEscalationTechniques | Set to True to hunt for identified alerts with MITRE Privilege Escalation techniques. | | Optional |
| HuntDefenseEvasionTechniques | Set to True to hunt for identified alerts with MITRE Defense Evasion techniques. | | Optional |
| HuntDiscoveryTechniques | Set to True to hunt for identified alerts with MITRE Discovery techniques. | | Optional |
| HuntLateralMovementTechniques | Set to True to hunt for identified alerts with MITRE Lateral Movement techniques. | | Optional |
| HuntCollectionTechniques | Set to True to hunt for identified alerts with MITRE Collection techniques. | | Optional |
| HuntCnCTechniques | Set to True to hunt for identified alerts with MITRE Command and Control techniques. | | Optional |
| HuntImpactTechniques | Set to True to hunt for identified alerts with MITRE Impact techniques. | | Optional |
| HuntCredentialAccessTechniques | Set to True to hunt for identified alerts with MITRE Credential Access techniques. | | Optional |
| timeRange | A time range to execute the hunting in. The input should be in the following format: `1 day`, `2 minutes`, `4 hours`, `8 days`. | 20 days | Required |
| RunAll | Whether to run all the sub-tasks for MITRE tactics. | true | Optional |
| EntityType | Entity type to search. Entity type can be username, hostname, or any other element that exists in the alert. | hostname | Required |
| EntityID | Entity value. | None | Required |
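To show how the inputs above steer the execution flow, here is an added Python example (not the playbook's own code and not the SearchAlertsV2 script): it parses the timeRange format, lets RunAll override the per-tactic Hunt* flags, and returns the tactic list, search window and entity filter such a search would be built from. The plan_hunt helper and the tactic name strings are assumptions.

```python
# Added example (not the playbook's own code): models how the playbook's inputs
# select which MITRE tactics to hunt and which time window to search.
# The tactic name strings and the plan_hunt() helper are assumptions.
from datetime import datetime, timedelta

# Page inputs (Hunt* flags) mapped to the ATT&CK tactic they enable, in page order.
TACTIC_INPUTS = {
    "HuntReconnaissanceTechniques": "Reconnaissance",
    "HuntInitialAccessTechniques": "Initial Access",
    "HuntExecutionTechniques": "Execution",
    "HuntPersistenceTechniques": "Persistence",
    "HuntPrivilegeEscalationTechniques": "Privilege Escalation",
    "HuntDefenseEvasionTechniques": "Defense Evasion",
    "HuntDiscoveryTechniques": "Discovery",
    "HuntLateralMovementTechniques": "Lateral Movement",
    "HuntCollectionTechniques": "Collection",
    "HuntCnCTechniques": "Command and Control",
    "HuntImpactTechniques": "Impact",
    "HuntCredentialAccessTechniques": "Credential Access",
}

_UNITS = {"minute": "minutes", "hour": "hours", "day": "days"}

def parse_time_range(text):
    """Parse '20 days' / '4 hours' / '2 minutes' (singular or plural) into a timedelta."""
    parts = text.strip().split()
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError(f"timeRange must look like '1 day' or '4 hours', got {text!r}")
    unit = parts[1].lower().rstrip("s")
    if unit not in _UNITS:
        raise ValueError(f"unsupported unit in timeRange: {text!r}")
    return timedelta(**{_UNITS[unit]: int(parts[0])})

def _is_true(value):
    return str(value).strip().lower() == "true"

def plan_hunt(inputs, now=None):
    """Return the tactics to hunt, the search window, and the entity filter."""
    now = now or datetime.utcnow()
    if _is_true(inputs.get("RunAll", "true")):   # RunAll overrides the per-tactic flags
        tactics = list(TACTIC_INPUTS.values())
    else:
        tactics = [t for name, t in TACTIC_INPUTS.items() if _is_true(inputs.get(name))]
    window = parse_time_range(inputs.get("timeRange", "20 days"))
    return {
        "tactics": tactics,
        "window": window,
        "from_date": now - window,
        "entity": {inputs.get("EntityType", "hostname"): inputs["EntityID"]},
    }
```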

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| foundIncidents | Alerts found | unknown |

Playbook Image

[Playbook image: Get entity alerts by MITRE tactics]