Threat Hunting - Chronicle

Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise. This playbook also creates indicators for the entities fetched, as well as investigating and enriching them. Supported Integrations:

  • Chronicle
  • Whois

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Domain Enrichment - Generic v2
  • Endpoint Enrichment - Generic v2.1
  • Block URL - Generic
  • URL Enrichment - Generic v2
  • IP Enrichment - Generic v2
  • PAN-OS - Block Domain - External Dynamic List

Integrations#

  • Chronicle
  • Whois

Scripts#

  • ExtractDomainFromIOCDomainMatchRes
  • Print
  • ConvertDomainToURLs
  • ChronicleAssetIdentifierScript

Commands#

  • domain
  • whois
  • gcb-assets
  • createNewIndicator
  • closeInvestigation

Playbook Inputs#


NameDescriptionDefault ValueRequired
auto_block_entitiesAutoblock the detected suspicious Domain(s) and URL(s). You can set this as 'Yes' or 'No' manually here or you can set it into a custom incident field 'Chronicle Auto Block Entities' using mapping classification from integration configuration.incident.chronicleautoblockentitiesOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Threat Hunting - Chronicle