Skip to main content

Proactive Threat Hunting - SDO Threat Hunting

This Playbook is part of the Proactive Threat Hunting Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

This playbook will be executed when the analyst chooses to perform SDO hunting. The playbook receives an SDO type indicator and executes the following steps:

  • Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs.
  • Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook.
  • Searches attack patterns that are related to the SDO indicator.
  • Searches LOLBAS tools that are related to the found attack patterns.
  • Hunts for LOLBin executions command-line arguments that are similar to LOLBAS malicious commands patterns.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Threat Hunting - Generic
  • Search LOLBAS Tools By Name
  • TIM - Indicator Relationships Analysis
  • Search and Compare Process Executions - Generic


This playbook does not use any integrations.


  • SearchIndicatorRelationships
  • Print
  • Set
  • SearchIndicator
  • JsonToTable


  • setIncident
  • appendIndicatorField
  • associateIndicatorsToIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
SDONameThe SDO name.Optional
SDOTypeThe SDO type.CampaignOptional
HuntingTimeFrameTime in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.30 daysOptional
StringSimilarityThresholdStringSimilarity automation threshold. StringSimilarity is being used in this playbook to compare between pattern of malicious use in a tool and command-line arguments found in the environment. Please provide number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Proactive Threat Hunting - SDO Threat Hunting