Scheduled task created with HTTP or FTP reference
#
This Playbook is part of the Cortex Response And Remediation Pack.Supported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
This playbook is designed to handle the alert "Scheduled task created with HTTP or FTP reference".
The playbook executes the following stages:
Analysis:
- Extracts indicators from the action command line
- Checks the IP and the URL reputation.
Investigation: During the alert investigation, the playbook will perform the following:
- Checks if the IP and the URL reputation are malicious.
- Checks if the CGO process is unsigned.
- Searches for related alerts to determine if the creation of the scheduled task is part of an attack pattern.
Remediation:
- Remediation actions will be taken if the CGO process is unsigned, the IP or URL has a malicious reputation, or a related alert is detected. In these cases, the playbook will disable the scheduled task, block the malicious indicators, and close the alert.
Requires: To block the malicious URL, configure 'Palo Alto Networks PAN-OS' integration.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooks- PAN-OS - Block URL - Custom URL Category
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- SearchAlertsV2
- Set
- SetAndHandleEmpty
- block-external-ip
- ip-enrichment
- url-enrichment
#
Commands- closeInvestigation
- core-execute-command
- extractIndicators
#
Playbook InputsThere are no inputs for this playbook.
#
Playbook OutputsThere are no outputs for this playbook.