
Threat Hunting - Generic

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This playbook enables threat hunting for IOCs in your enterprise. It currently supports the following integrations:

  • Splunk
  • QRadar
  • PAN-OS
  • Cortex Data Lake
  • AutoFocus
  • Microsoft 365 Defender

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • QRadar Indicator Hunting V2
  • Palo Alto Networks - Hunting And Threat Detection
  • Splunk Indicator Hunting
  • Microsoft 365 Defender - Emails Indicators Hunt

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| MD5 | The MD5 hash file or an array of hashes to search. | | Optional |
| SHA256 | The SHA256 hash file or an array of hashes to search. | | Optional |
| Hostname | The hostname of the machine on which the file is located. | | Optional |
| SHA1 | The SHA1 hash file or an array of hashes to search. | | Optional |
| IPAddress | The source or destination IP address to search. Can be a single address or an array of IP addresses. | | Optional |
| URLDomain | Domain or URL to search. Can be a single domain or URL or an array of domains or URLs to search. By default, the LIKE clause is used. | | Optional |
| InternalRange | A comma-separated list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation. An example of a list of ranges is: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the default list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used. | | Optional |
| InternalDomainName | The organization's internal domain name. This is provided for the IsInternalHostName script, which checks whether the detected hostnames are internal or external by testing whether the hosts carry the internal domain suffix. For example, paloaltonetworks.com. If there is more than one domain, use the \| character to separate values, such as (paloaltonetworks.com\|test.com). | | Optional |
| InternalHostRegex | Provided for the IsInternalHostName script, which checks whether the detected hostnames are internal or external by testing whether the hosts match the organization's naming convention. For example, the host testpc1 will match the regex `\w{6}\d{1}`. | | Optional |
| QRadarTimeFrame | The time frame to search in QRadar. | LAST 7 DAYS | Optional |
| SplunkEarliestTime | The earliest time to search in Splunk. | -7d@d | Optional |
| SplunkLatestTime | The latest time to search in Splunk. | now | Optional |
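The InternalRange, InternalDomainName and InternalHostRegex inputs drive the internal/external split that shows up in the DetectedInternalIPs, DetectedExternalIPs, DetectedInternalHosts and DetectedExternalHosts outputs. The following is an added illustration of that classification logic, not the code of the IsIPInRanges or IsInternalHostName scripts themselves; it assumes the page's example CIDR list as the fallback and treats the regex as a full match on the short hostname.

```python
import ipaddress
import re

# Same private IPv4 ranges the page gives as the example InternalRange value,
# used here as the fallback when no InternalRange is supplied (assumption:
# the exact default list inside IsIPInRanges is not stated on the page).
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"


def classify_ips(ips, internal_range=None):
    """Split IPs into (internal, external) by the comma-separated CIDR list.

    Values that are not IP addresses are dropped rather than misfiled as
    external, so a bad field mapping does not inflate the external list.
    """
    raw = internal_range or DEFAULT_INTERNAL_RANGES
    ranges = [ipaddress.ip_network(r.strip(), strict=False)
              for r in raw.split(",") if r.strip()]
    internal, external = [], []
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            continue
        bucket = internal if any(addr in net for net in ranges) else external
        bucket.append(ip)
    return internal, external


def classify_hosts(hosts, internal_domain_name=None, internal_host_regex=None):
    """Split hostnames into (internal, external).

    A host is internal when it carries one of the '|'-separated suffixes from
    InternalDomainName, or when its short name fully matches InternalHostRegex
    (full match is an assumption; the page only says the host must "match").
    """
    suffixes = [d.strip().lower() for d in (internal_domain_name or "").split("|")
                if d.strip()]
    pattern = re.compile(internal_host_regex) if internal_host_regex else None
    internal, external = [], []
    for host in hosts:
        name = host.strip().lower()
        short = host.strip().split(".")[0]
        by_suffix = any(name == s or name.endswith("." + s) for s in suffixes)
        by_regex = bool(pattern and pattern.fullmatch(short))
        (internal if by_suffix or by_regex else external).append(host)
    return internal, external


if __name__ == "__main__":
    # Constructed sample values, not data from the page.
    print(classify_ips(["10.1.2.3", "8.8.8.8", "172.31.255.1", "n/a"]))
    print(classify_hosts(["testpc1", "dc01.paloaltonetworks.com", "mail.example.net"],
                         "paloaltonetworks.com|test.com", r"\w{6}\d{1}"))
```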

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Splunk.DetectedUsers | Users detected based on the username field in your search. | string |
| Splunk.DetectedInternalIPs | Internal IP addresses detected by your search. | string |
| Splunk.DetectedExternalIPs | External IP addresses detected by your search. | string |
| Splunk.DetectedInternalHosts | Internal hostnames detected based on the fields in your search. | string |
| Splunk.DetectedExternalHosts | External hostnames detected based on the fields in your search. | string |
| PANWHunting.DetectedUsers | User or array of users that were detected during hunting. | string |
| PANWHunting.DetectedInternalIPs | Internal IP addresses detected based on fields and inputs in your search. | string |
| PANWHunting.DetectedExternalIPs | External IP addresses detected based on fields and inputs in your search. | string |
| PANWHunting.DetectedInternalHosts | Internal hostnames detected based on fields and inputs in your search. | string |
| PANWHunting.DetectedExternalHosts | External hostnames detected based on fields and inputs in your search. | string |
| QRadar.DetectedUsers | Users detected based on the username field in your search. | string |
| QRadar.DetectedInternalIPs | Internal IP addresses detected based on fields and inputs in your search. | string |
| QRadar.DetectedExternalIPs | External IP addresses detected based on fields and inputs in your search. | string |
| QRadar.DetectedInternalHosts | Internal hostnames detected based on hosts in your assets table. Note that the data accuracy depends on how the asset mapping is configured in QRadar. | string |
| QRadar.DetectedExternalHosts | External hostnames detected based on hosts in your assets table. Note that the data accuracy depends on how the asset mapping is configured in QRadar. | string |
| Microsoft365Defender.RetrievedEmails | Email objects containing relevant fields. | string |
| Microsoft365Defender.RetrievedEmails.InternetMessageId | Internet Message ID of the email. | string |
| Microsoft365Defender.RetrievedEmails.SenderFromDomain | Sender domain. | string |
| Microsoft365Defender.RetrievedEmails.EmailDirection | Email direction (inbound/outbound). | string |
| Microsoft365Defender.RetrievedEmails.DeliveryLocation | Delivery location. | string |
| Microsoft365Defender.RetrievedEmails.AuthenticationDetails | Authentication details (SPF, DKIM, DMARC, CompAuth). | string |
| Microsoft365Defender.RetrievedEmails.DeliveryAction | Email subject. | string |
| Microsoft365Defender.RetrievedEmails.AttachmentCount | Number of attachments. | string |
| Microsoft365Defender.RetrievedEmails.ThreatNames | Threat names. | string |
| Microsoft365Defender.RetrievedEmails.RecipientEmailAddress | Recipient email address. | string |
| Microsoft365Defender.RetrievedEmails.EmailAction | Email action. | string |
| Microsoft365Defender.RetrievedEmails.EmailLanguage | Email language. | string |
| Microsoft365Defender.RetrievedEmails.SenderFromAddress | Sender address. | string |
| Microsoft365Defender.RetrievedEmails.Timestamp | Timestamp. | string |
| Microsoft365Defender.RetrievedEmails.SenderDisplayName | Sender display name. | string |
| Microsoft365Defender.RetrievedEmails.SenderIPv4 | Sender IPv4. | string |
| Microsoft365Defender.RetrievedEmails.ConfidenceLevel | Threat types. | string |
| Microsoft365Defender.RetrievedEmails.SHA256 | SHA256 of the attachments (if any exist in the email). | string |
| Microsoft365Defender.RetrievedEmails.Url | URLs found in the email's body. | string |
| Microsoft365Defender.RetrievedEmails.UrlCount | Number of URLs found in the email's body. | string |
| Microsoft365Defender.RetrievedEmails.SenderIPv6 | Sender IPv6. | string |

Playbook Image

[Playbook image: Threat Hunting - Generic]