Skip to main content

Threat Hunting - Generic

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations:

  • Splunk
  • Qradar
  • Pan-os
  • Cortex data lake
  • Autofocus
  • Microsoft 365 Defender

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Microsoft 365 Defender - Threat Hunting Generic
  • Splunk Indicator Hunting
  • Palo Alto Networks - Hunting And Threat Detection
  • QRadar Indicator Hunting V2

Integrations#

This playbook does not use any integrations.

Scripts#

This playbook does not use any scripts.

Commands#

This playbook does not use any commands.

Playbook Inputs#


NameDescriptionDefault ValueRequired
MD5The MD5 hash file or an array of hashes to search.Optional
SHA256The SHA256 hash file or an array of hashes to search.Optional
SHA1The SHA1 hash file or an array of hashes to search.Optional
IPAddressThe source or destination IP address to search. Can be a single address or an array of list of addresses.
Optional
URLDomainDomain or URL to search. Can be a single domain or URL or an array of domains or URLs to search. By default, the LIKE clause is used.Optional
InternalRangeA comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, uses the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
InternalDomainNameThe organization's internal domain name. This is provided for the script IsInternalHostName that checks if the detected hostnames are internal or external, if the hosts contain the internal domains suffix. For example, paloaltonetworks.com. If there is more than one domain, use the | character to separate values such as (paloaltonetworks.com|test.com).Optional
InternalHostRegexProvided for the script IsInternalHostName that checks if the detected host names are internal or external, if the hosts match the organization's naming convention. For example, the host testpc1 will have the following regex \w{6}\d{1}Optional
QRadarTimeFrameThe time frame to search in QRadar.LAST 7 DAYSOptional
SplunkEarliestTimeThe earliest time to search in Splunk.-7d@dOptional
SplunkLatestTimeThe latest time to search in Splunk.nowOptional
MessageIDThis input will be used in the "Microsoft 365 Defender - Get Email URL clicks" playbook. MessageID of the email from which the URL was clicked. Please note that this can be either of the following 2 values:
- The value of the header "Message-ID".
- The internal ID of the message within Microsoft's products (e.g.
NetworkMessageId).

Can be a single MessageID or an array of MessageIDs to search.
Optional

Playbook Outputs#


PathDescriptionType
Splunk.DetectedUsersUsers detected based on the username field in your search.string
Splunk.DetectedInternalIPsInternal IP addresses detected by your search.string
Splunk.DetectedExternalIPsExternal IP addresses detected by your search.string
Splunk.DetectedInternalHostsInternal hostnames detected based on the fields in your search.string
Splunk.DetectedExternalHostsExternal hostnames detected based on the fields in your search.string
PANWHunting.DetectedUsersUser or array of users that were detected during hunting.string
PANWHunting.DetectedInternalIPsInternal IP addresses detected based on fields and inputs in your search.string
PANWHunting.DetectedExternalIPsExternal IP addresses detected based on fields and inputs in your search.string
PANWHunting.DetectedInternalHostsInternal hostnames detected based on fields and inputs in your search.string
PANWHunting.DetectedExternalHostsExternal hostnames detected based on fields and inputs in your search.string
QRadar.DetectedUsersUsers detected based on the username field in your search.string
QRadar.DetectedInternalIPsInternal IP addresses detected based on fields and inputs in your search.string
QRadar.DetectedExternalIPsExternal IP addresses detected based on fields and inputs in your search.string
QRadar.DetectedInternalHostsInternal host names detected based on hosts in your assets table. Note that the data accuracy depends on how the asset mapping is configured in QRadar.string
QRadar.DetectedExternalHostsExternal host names detected based on hosts in your assets table. Note that the data accuracy depends on how the asset mapping is configured in QRadar.string
Microsoft365Defender.RetrievedEmailsEmail objects containing relevant fields.string
Microsoft365Defender.RetrievedEmails.InternetMessageIdInternet Message ID of the email.string
Microsoft365Defender.RetrievedEmails.SenderFromDomainSender domain.string
Microsoft365Defender.RetrievedEmails.EmailDirectionEmail direction (inbound/outbound).string
Microsoft365Defender.RetrievedEmails.DeliveryLocationDelivery location.string
Microsoft365Defender.RetrievedEmails.AuthenticationDetailsAuthentication details (SPF, DKIM, DMARC, CompAuth).string
Microsoft365Defender.RetrievedEmails.DeliveryActionEmail subject.string
Microsoft365Defender.RetrievedEmails.AttachmentCountNumber of attachments.string
Microsoft365Defender.RetrievedEmails.ThreatNamesThreat names.string
Microsoft365Defender.RetrievedEmails.RecipientEmailAddressRecipient email address.string
Microsoft365Defender.RetrievedEmails.EmailActionEmail action.string
Microsoft365Defender.RetrievedEmails.EmailLanguageEmail language.string
Microsoft365Defender.RetrievedEmails.SenderFromAddressSender address.string
Microsoft365Defender.RetrievedEmails.TimestampTimestamp.string
Microsoft365Defender.RetrievedEmails.SenderDisplayNameSender display name.string
Microsoft365Defender.RetrievedEmails.SenderIPv4Sender IPv4.string
Microsoft365Defender.RetrievedEmails.ConfidenceLevelThreat types.string
Microsoft365Defender.RetrievedEmails.SHA256SHA256 of the attachments (if exist in the email).string
Microsoft365Defender.RetrievedEmails.UrlURLs found in the email's body.string
Microsoft365Defender.RetrievedEmails.UrlCountNumber of URLs found in the email's body.string
Microsoft365Defender.RetrievedEmails.SenderIPv6Sender IPv6.string
Microsoft365Defender.RetrievedEmails.AccountUpnUser principal name (UPN) of the account.string
Microsoft365Defender.RetrievedEmails.IsClickedThroughIndicates whether the user was able to click through to the original URL or not.number
Microsoft365Defender.RetrievedEmails.BulkComplaintLevelThreshold assigned to email from bulk mailers, a high bulk complain level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam.string
Microsoft365Defender.RetrievedEmails.IPAddressIP address assigned to the device during communication.string
Microsoft365Defender.RetrievedEmails.DetectionMethodsMethods used to detect whether the URL contains or leads to malware, phishing, or other threats.string
Microsoft365Defender.RetrievedEmails.ActionTypeType of activity that triggered the event.string
Microsoft365Defender.RetrievedEmails.UrlChainList of URLs in the redirection chain.string
Microsoft365Defender.RetrievedEmails.NetworkMessageIdUnique identifier for the email, generated by Office 365.string
Microsoft365Defender.RetrievedEmails.DisplayNameName of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname.string
Microsoft365Defender.RetrievedEmails.SenderMailFromDomainSender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address.string
Microsoft365Defender.RetrievedEmails.SenderMailFromAddressSender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address.string
Microsoft365Defender.RetrievedEmails.SubjectSubject of the email.string
Microsoft365Defender.RetrievedEmails.ThreatTypesVerdict from the email filtering stack on whether the email contains malware, phishing, or other threats.unknown

Playbook Image#


Threat Hunting - Generic