
NSA - 5 Security Vulnerabilities Under Active Nation-State Attack

This Playbook is part of the Cortex Xpanse by Palo Alto Networks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Russian Foreign Intelligence Service (SVR) actors (also known as APT29, Cozy Bear, and The Dukes) frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation. This playbook should be triggered manually and includes the following tasks:

  • Enrich related known CVEs reported in the US agencies alert.
  • Search for unpatched endpoints vulnerable to the exploits.
  • Search for vulnerable assets facing the internet using Expanse.

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information: Cyber Security Advisory


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • CVE Enrichment - Generic v2
  • Search Endpoint by CVE - Generic

Integrations

  • ExpanseV2

Scripts

  • SearchIncidentsV2

Commands

  • linkIncidents
  • extractIndicators
  • expanse-get-issues

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Related_CVEs | Known related CVEs to hunt | CVE-2018-13379, CVE-2019-9670, CVE-2019-11510, CVE-2019-19781, CVE-2020-4006 | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

NSA - 5 Security Vulnerabilities Under Active Nation-State Attack