What are two issues cortex Xsoar can alleviate for security operations teams?

This is the modified version where a new command "akamai-update-network-list-elements" was added by the SA.

This integration uses Endace APIs to search, archive and download PCAP file from either a single EndaceProbe or many via the InvestigationManager and enables integration of full historical packet capture into security automation workflows.

This service is available for free (with a throttle) - or paid.

The first implemented command can be used to create an entry on any investigation; playground by default. An example use-case could be debugging a pre-process script. (Call demisto.execute_command("xsoar-create-entry",{arguments})

The idea is to use the same code to test from a local machine.
python3 Xsoar_Utils.py xsoar-create-entry '{"data":"# testapi4","inv_id":"122c7bff-feae-4177-867e-37e2096cd7d9"}'

Read the code to understand more.

The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.

The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.

Used Sub-playbooks:
Enrichment for Verdict
Block IP - Generic v3

To link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers:
Alert Source = Correlation
Alert Name = Alibaba ActionTrail - multiple unauthorized action attempts detected by a user

TCA-0403
TCA-0402

You can update the playbook input with a different search query, if required. Will branch if there are no incidents that match the query and no users on call.

Cases will not be assigned to users that defined OOO (by OutOfOffice automation).

This playbook implements polling by continuously running the command in Step #2 until the operation completes.
The remote action should have the following structure:

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.

Supported integrations for this playbook:
Active Directory
PAN-OS - This requires PAN-OS 9.1 or higher.

Supported integrations for this playbook:
Active Directory
PAN-OS - This requires PAN-OS 9.1 or higher.
SailPoint
PingOne
AWS IAM
Clarizen IAM
Envoy IAM
ExceedLMS IAM
* Okta

Supported integrations for this playbook:
Zscaler
Symantec Messaging Gateway
FireEye EX
Trend Micro Apex One
* Proofpoint Threat Response

Supported integrations for this playbook:
Zscaler
Symantec Messaging Gateway
FireEye EX
Trend Micro Apex One
Proofpoint Threat Response
Cisco Stealthwatch Cloud

Supported integrations for this playbook:
Mimecast
FireEye Email Security (EX)
Cisco Email Security
Symantec Email Security

If the integration is disabled at the time of running, or if the hash is already on the block list, no action is taken on the MD5.

Supported integrations for this playbook:
Active Directory
Check Point Firewall
Palo Alto Networks Minemeld
Palo Alto Networks Panorama
Zscaler
Carbon Black Enterprise Response

- Block URL - Generic
- Block Account - Generic
- Block IP - Generic v2
- Block File - Generic v2
- Block Email - Generic
- Block Domain - Generic

- Block URL - Generic v2
- Block Account - Generic v2
- Block IP - Generic v3
- Block File - Generic v2
- Block Email - Generic
- Block Domain - Generic

Supported integrations for this playbook:
Check Point Firewall
Palo Alto Networks Minemeld
Palo Alto Networks Panorama
Zscaler

Supported integrations for this playbook:
Check Point Firewall
Palo Alto Networks Minemeld
Palo Alto Networks PAN-OS
Zscaler
* FortiGate

Supported integrations for this playbook [Network security products such as FW/WAF/IPs/etc.]:

Check Point Firewall
Palo Alto Networks PAN-OS
Zscaler
FortiGate
Aria Packet Intelligence
Cisco Firepower
Cisco Secure Cloud Analytics
Cisco ASA
Akamai WAF
F5 SilverLine
ThreatX
Signal Sciences WAF
* Sophos Firewall

Supported integrations for this playbook:
Palo Alto Networks Minemeld
Palo Alto Networks PAN-OS
* Zscaler

Supported integrations for this playbook:
Palo Alto Networks PAN-OS
Zscaler
Sophos
Forcepoint
Checkpoint
Netcraft

The playbook handles the following use-cases:

Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins.
Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time.
* Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login.

Used Sub-playbooks:
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Calculate Severity - Critical Assets v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

The playbook handles the following use-cases:

Brute Force IP Detected - A detection of source IPs that are exceeding a high threshold of rejected and/or invalid logins.
Brute Force Increase Percentage - A detection of large increase percentages in various brute force statistics over different periods of time.
* Brute Force Potentially Compromised Accounts - A detection of accounts that have shown high amount of failed logins with one successful login.

Used Sub-playbooks:
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Calculate Severity - Critical Assets v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2
- SANS - Lessons Learned

***Disclaimer: This playbook does not ensure compliance to SANS regulations.

Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore.
Critical assets - Determines if a critical assest is associated with the invesigation.
* 3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration.

NOTE: the new severity level overwrites the previous severity level even if the previous severity level was more severe.

- DBotScores of indicators
- Critical assets
- Email authenticity
- Current incident severity
- Microsoft Headers

- DBotScores of indicators
- Current incident severity

Can be used as a default playbook to ingest new Incidents, or for manually created Incidents.

The response actions available are:
- Terminate/Shut down/Power off an instance
- Delete/Disable a user
- Delete/Revoke/Disable credentials
- Block indicators

At the end of the playbook, it sets a possible verdict for the command line, based on the finding:
1. Indicators found in the command line
2. Found AMSI techniques
3. Found suspicious parameters
4. Usage of malicious tools
5. Indication of network activity

Note: In case you are wishing to run this playbook with a list of command lines, set this playbook to be running in a loop. To do so, navigate to the 'Loop' and check "For Each Input".

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

- Cloud enrichment:
- Collects info about the involved resources
- Collects info about the involved identities
- Collects info about the involved IPs
- Verdict decision tree
- Verdict handling:
- Handle False Positives
- Handle True Positives
- Cloud Response - Generic sub-playbook.
- Notifies the SOC if a malicious verdict was found

The playbook collects or enriches the following data:
- Resource enrichment
- Previous activity seen in the specified region or project
- Account enrichment
- Network enrichment
- Attacker IP
- Geolocation
- ASN

If none of the conditions is true, the playbook will wait for an analyst's decision.

The playbook is used as a sub- playbook in ‘Cortex XDR Incident Handling - v2’

The playbook is designed to run as a sub-playbook in 'Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling'.
It depends on the data from the parent playbooks and can not be used as a standalone version.

*** Note - The XDRSyncScript used by this playbook sets data in the XDR incident fields that were released to content from the Demisto server version 5.0.0.
For Demisto versions under 5.0.0, please follow the 'Palo Alto Networks Cortex XDR' documentation to upload the new fields manually.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Techniques Handled:
- T1005 - Data from Local System
- Kill Chain phase:
- Collection

MITRE ATT&CK Description:
The adversary is attempting to gather data of interest to accomplish their goal.

Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0011: command and control

MITRE ATT&CK Description:
The adversary is trying to communicate with compromised systems to control them.

Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0006: Credential Access

MITRE ATT&CK Description:
The adversary is trying to steal account names and passwords.

Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0005: Defense Evasion

MITRE ATT&CK Description:
The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0007: Discovery

MITRE ATT&CK Description:
The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0002: Execution

MITRE ATT&CK Description:
The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0010: Exfiltration

MITRE ATT&CK Description:
The adversary is trying to steal data.

Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0040: Impact

MITRE ATT&CK Description:
The adversary is trying to manipulate, interrupt, or destroy your systems and data.

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0001: Initial Access

MITRE ATT&CK Description:
The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0008: Lateral Movement

MITRE ATT&CK Description:
The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0003: Persistence

MITRE ATT&CK Description:
The adversary is trying to maintain their foothold.

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

Tactic:
- TA0004: Privilege Escalation

MITRE ATT&CK Description:
The adversary is trying to gain higher-level permissions.

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: • SYSTEM/root level• local administrator• user account with admin-like access • user accounts with access to specific system or perform specific functionThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

Possible playbook triggers:
- The playbook can be used as a part of the “Courses of Action - Collection” playbook to remediate techniques based on kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, that can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

When creating Jira issues through XSOAR, using the mirroring function, make sure that you exclude those issues when fetching incidents. To exclude these issues, tag the relevant issues with a dedicated label and exclude that label from the JQL query (Labels!=).

Enrich related known CVEs and Malware Hashes used by the suspected APT actor.
Search for unpatched endpoints vulnerable to the exploits.
Search network facing system using Expanse for relevant issues.
Indicators and known webshells hunting using SIEM products.
Block indicators automatically or manually.
Provide different mitigations that has been publicly published such as:
Patches
Workarounds
* Yara and Snort Rules

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information:
Exploitation of Pulse Connect Secure Vulnerabilities

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

Collect detection rules.
Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
Cortex XDR BIOCs coverage.
Provides Microsoft workarounds and detection capabilities.

More information:

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Used Sub-playbooks:
Enrichment for Verdict
Block IP - Generic v3
* Block Account - Generic v2

If you wish to link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation AND Alert Name = CyberArk Failed Logins

Input:
Hostname (default: ${Endpoint.Hostname})
OS (default: windows)
Credentials (default: Admin)
Path (default: None)

Note: To identify similar incidents you must must properly define the playbook inputs.

Used Sub-playbooks:
Enrichment for Verdict
Block Indicators - Generic v3
Block IP - Generic v3
Block Account - Generic v2

If you wish to link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation
Alert Name = DropBox - Massive File Alterations, DropBox - Massive File Downloads

The Workflow in this playbook :
1. Finds the packet history related to the search items. Multiple Search Items in an argument field are OR'd. Search Items between multiple arguments are AND'd.
2. A successful Search is followed by an auto archival process of matching packets on EndaceProbe which can be accessed from an investigation link on the Evidence Board and/or War Room board that can be used to start forensic analysis of the packets history on EndaceProbe.
3. Finally Download the archived PCAP file to XSOAR system provided the file size is less than a user defined threshold say 10MB. Files greater than this threshold can be accessed or analyzed on EndaceProbe via "Download PCAP link" or "Endace PivotToVision link" displayed on Evidence Board.

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

This playbook provides a framework for handling malware investigation through all essential steps. The playbook consists of 7 stages. Each stage contains the relevant playbook or tasks.
This playbook auto extracts indicators from incidents using indicator extraction rules of the malware incident type.
To use Illusive integration in the `Forensics - Generic` playbook, note that you will be able to set the forensic timeline by editing the `Forensics - Generic` playbook inputs.

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

MITIGATION OPTIONS
- Disable Remote Desktop Services if they are not required
- Implement Network Level Authentication (NLA) on systems running supported versions of Windows 7, Windows Server 2008, and Windows Server 2008 R2
- Configure firewalls to block traffic on TCP port 3389

File enrichment includes:
File history
Threat information
* File reputation

- Provide threat information

The verdict is composed by 3 main components:

VirusTotal detection rate
Digital certificate signers
* NSRL DB

Note: a user can provide a list of trusted signers of his own using the playbook inputs

TCA-0101

Collect indicators to aid in your threat hunting process.
- Retrieve IOCs of FireEye red team tools.
- Discover IOCs of associated activity related to the infection.
- Generate an indicator list to block indicators with SUNBURST tags.

Hunt for the indicators
- Search endpoints with the FireEye red team tools CVEs.
- Search endpoint logs for FireEye red team tools hashes.
- Search and link previous incidents with the FireEye hashes.

If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

1. Initiate the operation.
2. Poll to check if the operation completed.
3. (optional) Get the results of the operation.

Input:
Credentials - credentials to use when trying to deploy Demisto Dissolvable Agent (D2) (default: Admin)
${Endpoint.Hostname} - deploy agent on target endpoint
* ${File.Path} - file's path to collect

inputs:
* UseD2 - if "True", use Demisto Dissolvable Agent (D2) to return the file (default: False)

You must have the necessary permissions in your email service to execute global search.

- EWS: eDiscovery
- Gmail: Google Apps Domain-Wide Delegation of Authority

To retrieve the email files directly from the email service providers, use one of the provided inputs (Agari Phishing Defense customers should also use the following):
- EWS: eDiscovery
- Gmail: Google Apps Domain-Wide Delegation of Authority
- MSGraph: As described in the message-get API and the user-list-messages API
- EmailSecurityGateway retrieves EML files from:
FireEye EX
FireEye CM
Proofpoint Protection Server
Mimecast

You must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority

Supported IOC:
- Process by SHA256
- Process by file name
- IP
- Domain
- CMD
- Registry (require key and value)

Used Sub-playbooks:
Enrichment for Verdict
Block IP - Generic v3
* Block Account - Generic v2

There are several phases:
1. Enrichment: all the related information from the incident is extracted, and related indicators (IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched.
2. Validation: the found IP and FQDN are correlated with the information available in other products:
- Firewall logs from Cortex Data Lake, Panorama, and Splunk.
- User information from Active Directory.
- Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and service (i.e., us-west-1 on AWS EC2).
- IP and FQDN from Prisma Cloud inventory.
3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e., there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the company).
4. Attribution: based on the information collected above, the analyst is prompted to assign this issue to an Organization Unit, which is a group within the company with a specific owner. The analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.
5. Response: depending on the issue type, several remediation actions can be automatically and manually performed, such as:
- Tagging the asset in Expanse with a specific Organization Unit tag.
- Blocking the service on PAN-OS (if a firewall is deployed in front of the service).
- Creating a new Shadow IT issue (if the asset is detected to be Shadow IT and the analyst confirms it)
- Adding the service to a Vulnerability Management system
- Linking the incident to a related Prisma Cloud alert for the asset (if the asset is found under Prisma Cloud inventory)
- Bringing rogue cloud accounts under management

There are several phases:
1. Enrichment: all the related information from the incident is extracted and related Indicators (of types IP, CIDR, Domain, DomainGlob, Certificate) are created and enriched.
2. Validation: the found IP and FQDN are correlated with the information available in other products:
- Firewall logs from Cortex Data Lake, Panorama and Splunk
- User information from Active Directory
- Public IP address from AWS/GCP/Azure public IP feeds to identify the Public Cloud region and Service (i.e. us-west-1 on AWS EC2)
- IP and FQDN from Prisma Cloud inventory
3. Shadow IT check: based on the information found, the playbook can suggest whether the discovered issue corresponds to an asset that is known to the InfoSec team (i.e. there are firewall logs present, or the asset is protected by Prisma Cloud, or is part of an IP range associated to the Company).
4. Attribution: based on the information collected above, the Analyst is prompted to assign this issue to an Organization Unit, that is a group within the Company with a specific owner. The Analyst can choose from existing Organization Units (stored in an XSOAR list) or define a new one.

This playbook handles the incident by helping the analyst to find the owner of the resource based on existing evidence. The playbook also marks the service indicators (IP or FQDN) with a Shadow IT tag. The possible owner and their manager are notified and onboarding of the asset on Prisma Cloud is triggered through a manual process.

Other inputs include the report output format (JSON context or File attached), and the Interval/Timeouts to use for polling the scan status until it's complete.

DISCLAIMER: Please consult with your legal team before implementing this playbook.

** Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance
in the amount of time determined. Also, it takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so.

Analysis Actions:
The playbook will use several enrichment sources to determine the IOC verdict. Additionally, will use the Analytics module to run a prevalence check for the IOC.

Response Actions:
The playbook's first response action is a containment plan that is based on the playbook input. In that phase, the playbook will execute endpoint isolation

Investigative Actions:
When the playbook executes, it checks for additional abnormal activity using the Endpoint Investigation Plan playbook that can indicate the endpoint might be compromised.

Remediation Actions:
In case results are found within the investigation phase, the playbook will execute remediation actions that include containment and eradication.

This phase will execute the following containment actions:

File quarantine
Endpoint isolation

And the following eradication actions:

Manual process termination
Manual file deletion

- Resolve IP addresses to hostnames (DNS).
- Provide threat information.
- Separate internal and external addresses.

- Resolve IP addresses to hostnames (DNS)
- Provide threat information
- Separate internal and external addresses

IP enrichment includes:
Resolve IP to Hostname (DNS)
Threat information
Separate internal and external addresses
IP reputation
* For internal addresses, get host information

- Resolve IP addresses to hostnames (DNS)
- Provide threat information
- Separate internal and external IP addresses
- For internal IP addresses, get host information

- Resolve IP address to hostname (DNS)
- Separate internal and external IP addresses
- Get host information for IP addresses

Input:
* Hostname (Default: ${Endpoint.Hostname})

URLDomain - If the “URLDomain” value is found as a substring of the URL(s) in the body of the email, the email is retrieved.

MessageID - The message ID of the email from which the URL was clicked. Note that this can be either of the following 2 values:
- The value of the header "Message-ID".
- The internal ID of the message within Microsoft's products (e.g., NetworkMessageId).

Can be a single MessageID or an array of MessageIDs to search.

- Microsoft 365 Defender - Get Email URL clicks:
Retrieves data based on URL click events.

- Microsoft 365 Defender - Emails Indicators Hunt:
Retrieves data based on several different email events.

Read the playbook's descriptions in order to get the full details.

The playbook receives information about the target devices (host name, IP, and device ID), validates the devices exist, and retrieves the collection package from those machines into the Cortex XSOAR console.
Note: This action may take time, the average package size is around ~15 MB.

Used Sub-playbooks:
* Enrichment for Verdict

To link this playbook to the relevant alerts automatically, we recommend using the following filters when configuring the playbook triggers: Alert Source = Correlation AND Alert Name = Malware detected by Microsoft Defender for Endpoint

To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring.

FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed.

In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR.
You can add the new layout as a tab to existing layouts using the Edit Layout page.

The playbook follows the MITRE ATT&CK kill chain phases and takes action to protect the organization from the inputted techniques, displaying and implementing security policy recommendations for Palo Alto Networks products.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Possible playbook triggers:
- The playbook can be triggered by a feed integration fetching indicators that contain MITRE ATT&CK techniques as “Feed Related Indicators”, using the "MITRE ATT&CK - Courses of Action - Job" playbook.
- The playbook can be triggered manually for specific MITRE ATT&CK techniques using the ‘techniqueByIncident’ playbook input.
- An incident that contains MITRE ATT&CK technique IDs using the ‘techniqueByIncident’ playbook input.

Possible playbook triggers:
- Through a job, by a feed integration fetching indicators that contain MITRE ATT&CK techniques as “Feed Related Indicators”, or with custom inputs.
- Through an incident, using custom playbook inputs.

Once triggered, the playbook will create a new incident from type "MITRE ATT&CK CoA". The incident will trigger the playbook "MITRE ATT&CK - Courses of Action",
which contains all phases and remediates MITRE ATT&CK techniques using intelligence-driven Courses of Action (COA) defined by Palo Alto Networks Unit 42 team.

***Disclaimer: This playbook does not simulate an attack using the specified techniques, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1003: OS Credential Dumping

Kill Chain phases:
- Defense Evasion

MITRE ATT&CK Description:
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and to access restricted information.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1005: Data from Local System

Kill Chain phases:
- Collection

MITRE ATT&CK Description:
Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1021.001: Remote Desktop Protocol

Kill Chain phases:
- Lateral Movement

MITRE ATT&CK Description:

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1027: Obfuscated Files or Information

Kill Chain phases:
- Defense Evasion

MITRE ATT&CK Description:

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1041: Exfiltration Over C2 Channel

Kill Chain phases:
- Exfiltration

MITRE ATT&CK Description:
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1048: Exfiltration Over Alternative Protocol

Kill Chain phases:
- Exfiltration

MITRE ATT&CK Description:
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.
Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1057: Process Discovery

Kill Chain phases:
- Discovery

MITRE ATT&CK Description:

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1059: Command and Scripting Interpreter

Kill Chain phases:
- Execution

MITRE ATT&CK Description:

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1059.001: Command and Scripting Interpreter: PowerShell

Kill Chain phases:
- Execution

MITRE ATT&CK Description:

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1068: Exploitation for Privilege Escalation

Kill Chain phases:
- Privilege Escalation

MITRE ATT&CK Description:
Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1071: Application Layer Protocol

Kill Chain phases:
- Command And Control

MITRE ATT&CK Description:

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1078: Valid Accounts

Kill Chain phases:
- Defense Evasion
- Persistence
- Privilege Escalation
- Initial Access

MITRE ATT&CK Description:

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1082: System Information Discovery

Kill Chain phases:
- Discovery

MITRE ATT&CK Description:

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1083: File and Directory Discovery

Kill Chain phases:
- Discovery

MITRE ATT&CK Description:

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1105: Ingress tool transfer

Kill Chain phases:
- Command And Control

MITRE ATT&CK Description:
Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1110 : Brute Force

Kill Chain phases:
- Credential Access

MITRE ATT&CK Description:

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1133: External Remote Services

Kill Chain phases:
- Persistence
- Initial Access

MITRE ATT&CK Description:

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1135: Network Share Discovery

Kill Chain phases:
- Discovery

MITRE ATT&CK Description:

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol. [1][2] Net can be used to query a remote system for available shared drives using the net view \remotesystem command. It can also be used to query shared drives on the local system using net share.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1189: Drive-by Compromise

Kill Chain phases:
- Initial Access

MITRE ATT&CK Description:

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1199: Trusted Relationship

Kill Chain phases:
- Initial Access

MITRE ATT&CK Description:

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1204: User Execution

Kill Chain phases:
- Execution

MITRE ATT&CK Description:

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1486: Data Encrypted for Impact

Kill Chain phases:
- Impact

MITRE ATT&CK Description:

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4] In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1518: Software Discovery

Kill Chain phases:
- Discovery

MITRE ATT&CK Description:

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1543.003: Create or Modify System Process: Windows Service

Kill Chain phases:
- Persistence
- Privilege Escalation

MITRE ATT&CK Description:
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.

Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1547: Boot or Logon Autostart Execution

Kill Chain phases:
- Persistence
- Privilege Escalation

MITRE ATT&CK Description:

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.[1][2][3][4][5] These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1560.001: Archive Collected Data: Archive via Utility

Kill Chain phases:
- Exfiltration

MITRE ATT&CK Description:

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip[1], WinRAR[2], and WinZip[3]. Most utilities include functionality to encrypt and/or compress data.

Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1562.001: Impair Defenses: Disable or Modify Tools

Kill Chain phases:
- Defense Evasion

MITRE ATT&CK Description:
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1564.004: NTFS File Attributes

Kill Chain phases:
- Defense Evasion

MITRE ATT&CK Description:

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1566: Phishing

Kill Chain phases:
- Initial Access

MITRE ATT&CK Description:

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of Valid Accounts. Phishing may also be conducted via third-party services, like social media platforms.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1566.001: Spear-Phishing Attachment

Kill Chain phases:
- Initial Access

MITRE ATT&CK Description:

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- T1569.002: System Services: Service Execution

Kill Chain phases:
- Execution

MITRE ATT&CK Description:
Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.
PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2]
Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

***Disclaimer: This playbook does not simulate an attack using the specified technique, but follows the steps to remediation as defined by Palo Alto Networks Unit 42 team’s Actionable Threat Objects and Mitigations (ATOMs).
Techniques Handled:
- 1573.002: Encrypted Channel: Asymmetric Cryptography

Kill Chain phases:
- Command And Control

MITRE ATT&CK Description:
Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as Asymmetric Cryptography.

Possible playbook uses:
- The playbook can be used independently to handle and remediate the specific technique.
- The playbook can be used as a part of the “Courses of Action - Defense Evasion” playbook to remediate techniques based on the kill chain phase.
- The playbook can be used as a part of the “MITRE ATT&CK - Courses of Action” playbook, which can be triggered by different sources and accepts the technique MITRE ATT&CK ID as an input.

Incident fields that control the behavior of this playbook:
- EDL Action: Whether to add or remove EDL indicators.
- EDL Indicators List: Input list of indicators to add to or remove from EDL (according to the value of EDL Action).
- EDL Tag: Tag value in the Generic Export Indicators Service integration instance Indicator Query, which controls which indicators are on the EDL.
- EDL Indicator Type: (Only relevant if adding to EDL) Type of indicators to add to EDL.

1. Initiate the operation - insert the type of the report (sites, scan, or assets) and it's additional arguments if required.
2. Poll to check if the operation completed.
3. Get the results of the operation.

An attacker might initiate an internal scan for discovery, lateral movement and more.

Attacker's Goals:

An attacker can leverage a scan for open ports and vulnerable systems on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.

Investigative Actions:

Endpoint Investigation Plan playbook

Response Actions

The playbook's response actions are based on the Endpoint Investigation Plan playbook results. In that phase, the playbook will execute:

***Note - The playbook does not block the address group communication using a policy block rule. This step will be taken once outside of the playbook.

The playbook checks if the given tag already exists. If the tag exists, then the IP address is added to the tag.

If the tag does not exist, a new address group is created with the given tag and a matching rule, and the configuration is committed.

This updated playbook uses:
1) Incident fields instead of labels
2) The "Process Email - Core v2" playbook

Note:
- Final remediation tasks are always decided by a human analyst.
- Please do not rerun this playbook inside a phishing incident since it can produce an unexpected result. Create a new incident instead if needed.

The final remediation tasks are always decided by a human analyst.

If you're using one or more of the following products, make sure to configure their corresponding playbook inputs, respectively:
Splunk - "Splunk Indicator Hunting"
QRadar - "QRadar Indicator Hunting v2"
Palo Alto Networks Cortex Data Lake/Panorma/Autofocus/Analytics - "PANW - Hunting and threat detection by indicator type V2"

- Encrypted file owner investigation
- Endpoint forensic investigation
- Active Directory investigation
- Timeline of the breach investigation
- Indicator and account enrichment

Playbook settings and mapping:
For the full operation of the playbook, the following data should be mapped to the relevant incident fields.
Username - Usernames (common incident field)
Hostname - Hostnames (common incident field)

Prisma Cloud policies remediated:
- AWS IAM password policy allows password reuse
- AWS IAM password policy does not expire in 90 days
- AWS IAM password policy does not have a lowercase character
- AWS IAM password policy does not have a minimum of 14 characters
- AWS IAM password policy does not have a number
- AWS IAM password policy does not have a symbol
- AWS IAM password policy does not have a uppercase character
- AWS IAM password policy does not have password expiration period
- AWS IAM Password policy is insecure

To remediate Prisma Cloud Alert Inactive users for more than 30 days, this playbook deactivates the user by disabling the access keys (marking them as inactive) as well as resetting the user console password.

Prisma Cloud policies remediated:

- Azure AKS cluster monitoring not enabled
- Azure AKS cluster HTTP application routing enabled

Remediation:
- Azure AKS cluster monitoring not enabled
- Azure AKS cluster HTTP application routing enabled

Remediation:

- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol
- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol
- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol
- Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
- Azure Network Security Group (NSG) allows traffic from internet on port 3389
- Azure Network Security Group allows DNS (TCP Port 53)
- Azure Network Security Group allows FTP (TCP Port 21)
- Azure Network Security Group allows FTP-Data (TCP Port 20)
- Azure Network Security Group allows MSQL (TCP Port 4333)
- Azure Network Security Group allows MySQL (TCP Port 3306)
- Azure Network Security Group allows Windows RPC (TCP Port 135)
- Azure Network Security Group allows Windows SMB (TCP Port 445)
- Azure Network Security Group allows PostgreSQL (TCP Port 5432)
- Azure Network Security Group allows SMTP (TCP Port 25)
- Azure Network Security Group allows SqlServer (TCP Port 1433)
- Azure Network Security Group allows Telnet (TCP Port 23)
- Azure Network Security Group allows VNC Listener (TCP Port 5500)
- Azure Network Security Group allows all traffic on ICMP (Ping)
- Azure Network Security Group allows CIFS (UDP Port 445)
- Azure Network Security Group allows NetBIOS (UDP Port 137)
- Azure Network Security Group allows NetBIOS (UDP Port 138)
- Azure Network Security Group allows SQLServer (UDP Port 1434)
- Azure Network Security Group allows DNS (UDP Port 53)

Prisma Cloud policies remediated:

- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on any protocol
- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on TCP protocol
- Azure Network Security Group (NSG) having Inbound rule overly permissive to allow all traffic from any source on UDP protocol
- Azure Network Security Group (NSG) allows SSH traffic from internet on port 22
- Azure Network Security Group (NSG) allows traffic from internet on port 3389
- Azure Network Security Group allows DNS (TCP Port 53)
- Azure Network Security Group allows FTP (TCP Port 21)
- Azure Network Security Group allows FTP-Data (TCP Port 20)
- Azure Network Security Group allows MSQL (TCP Port 4333)
- Azure Network Security Group allows MySQL (TCP Port 3306)
- Azure Network Security Group allows Windows RPC (TCP Port 135)
- Azure Network Security Group allows Windows SMB (TCP Port 445)
- Azure Network Security Group allows PostgreSQL (TCP Port 5432)
- Azure Network Security Group allows SMTP (TCP Port 25)
- Azure Network Security Group allows SqlServer (TCP Port 1433)
- Azure Network Security Group allows Telnet (TCP Port 23)
- Azure Network Security Group allows VNC Listener (TCP Port 5500)
- Azure Network Security Group allows all traffic on ICMP (Ping)
- Azure Network Security Group allows CIFS (UDP Port 445)
- Azure Network Security Group allows NetBIOS (UDP Port 137)
- Azure Network Security Group allows NetBIOS (UDP Port 138)
- Azure Network Security Group allows SQLServer (UDP Port 1434)
- Azure Network Security Group allows DNS (UDP Port 53)

Prisma Cloud policies remediated:

- Azure SQL database auditing is disabled
- Azure SQL Database with Auditing Retention less than 90 days
- Azure Threat Detection on SQL databases is set to Off
- Azure SQL Database with Threat Retention less than or equals to 90 days

Remediation:

- Azure SQL database auditing is disabled
- Azure SQL Database with Auditing Retention less than 90 days
- Azure Threat Detection on SQL databases is set to Off
- Azure SQL Database with Threat Retention less than or equals to 90 days

Prisma Cloud policies remediated:

- Azure storage account has a blob container with public access
- Azure storage account logging for blobs is disabled

Remediation:

- Azure storage account has a blob container with public access
- Azure storage account logging for blobs is disabled
- Azure Storage Accounts without Secure transfer enabled
- Azure storage account logging for queues is disabled
- Azure storage account logging for tables is disabled #95

Prisma Cloud policies remediated:

GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled
GCP Kubernetes Engine Clusters have HTTP load balancing disabled
GCP Kubernetes Engine Clusters have Legacy Authorization enabled
GCP Kubernetes Engine Clusters have Master authorized networks disabled
GCP Kubernetes Engine Clusters have Network policy disabled
GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
GCP Kubernetes Engine Clusters have binary authorization disabled
GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled
GCP Kubernetes cluster intra-node visibility disabled

Remediation:
GCP Kubernetes Engine Clusters Basic Authentication is set to Enabled
GCP Kubernetes Engine Clusters have HTTP load balancing disabled
GCP Kubernetes Engine Clusters have Legacy Authorization enabled
GCP Kubernetes Engine Clusters have Master authorized networks disabled
GCP Kubernetes Engine Clusters have Network policy disabled
GCP Kubernetes Engine Clusters have Stackdriver Logging disabled
GCP Kubernetes Engine Clusters have Stackdriver Monitoring disabled
GCP Kubernetes Engine Clusters have binary authorization disabled
GCP Kubernetes Engine Clusters web UI/Dashboard is set to Enabled
GCP Kubernetes cluster intra-node visibility disabled

Prisma Cloud policies remediated:

- GCP Firewall rule allows internet traffic to FTP port (21)
- GCP Firewall rule allows internet traffic to HTTP port (80)
- GCP Firewall rule allows internet traffic to MongoDB port (27017)
- GCP Firewall rule allows internet traffic to MySQL DB port (3306)
- GCP Firewall rule allows internet traffic to Oracle DB port (1521)
- GCP Firewall rule allows internet traffic to PostgreSQL port (5432)
- GCP Firewall rule allows internet traffic to RDP port (3389)
- GCP Firewall rule allows internet traffic to SSH port (22)
- GCP Firewall rule allows internet traffic to Telnet port (23)
- GCP Firewall rule allows internet traffic to DNS port (53)
- GCP Firewall rule allows internet traffic to Microsoft-DS port (445)
- GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139)
- GCP Firewall rule allows internet traffic to POP3 port (110)
- GCP Firewall rule allows internet traffic to SMTP port (25)
- GCP Default Firewall rule should not have any rules (except http and https)
- GCP Firewall with Inbound rule overly permissive to All Traffic

Remediation:

- GCP project is using the default network
- GCP Firewall rule allows internet traffic to FTP port (21)
- GCP Firewall rule allows internet traffic to HTTP port (80)
- GCP Firewall rule allows internet traffic to MongoDB port (27017)
- GCP Firewall rule allows internet traffic to MySQL DB port (3306)
- GCP Firewall rule allows internet traffic to Oracle DB port (1521)
- GCP Firewall rule allows internet traffic to PostgreSQL port (5432)
- GCP Firewall rule allows internet traffic to RDP port (3389)
- GCP Firewall rule allows internet traffic to SSH port (22)
- GCP Firewall rule allows internet traffic to Telnet port (23)
- GCP Firewall rule allows internet traffic to DNS port (53)
- GCP Firewall rule allows internet traffic to Microsoft-DS port (445)
- GCP Firewall rule allows internet traffic to NetBIOS-SSN port (139)
- GCP Firewall rule allows internet traffic to POP3 port (110)
- GCP Firewall rule allows internet traffic to SMTP port (25)
- GCP Default Firewall rule should not have any rules (except http and https)
- GCP Firewall with Inbound rule overly permissive to All Traffic

Prisma Cloud policies remediated:

- GCP project is using the default network

The v2 playbook enables parsing email artifacts more efficiently, including:
- Using incident fields and not incident labels.
- Providing separate paths to "Phishing Alerts".
- Using the new "Get Original Email - Generic v2" playbook to retrieve original emails as EML files from the following integrations:
EWS v2
Microsoft Graph Mail integration
Gmail
FireEye EX and FireEye CM
Proofpoint Protection Server
Agari Phishing Defense (EWS v2, MSGraph Mail, Gmail)
* Mimecast

Get all correlations relevant to the offense
Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True")

Inputs:
GetCorrelationLogs (default: False)
MaxLogsCount (default: 20)

Note: You can use the integration to fetch the events with the offense however it will fetch the events according to the specified limit defined in the instance settings. By using this playbook you can define an additional search to query a larger number of logs.

Default playbook inputs use the QRadar incident fields such as idoffense, starttime. These fields can be replaced but need to point to relevant offense ID and starttime fields.

The playbook supports 3 separate conditions to be evaluated.
For example, in the first condition, inputs will evaluate several user names that may or may not exist in several fields. The second input, can for example, evaluate for IP addresses in several fields that may or may not exist in several fields, and a third value can search for an event ID that may or may not exist in several fields. The results of all of the inputs will create an AQL query that covers all of the inputs combining all of the different conditions.

Each of the inputs is validated so in case the inputs are not set correctly, the user can review and run them again.
Also, populated inputs will be combined, meaning by populating the first and second values the resulting AQL query will be a combination of all of the values and not 3 separate searches. In addition, make sure to populate the inputs in order according to the indexed fields in QRadar (indexed fields should be provided before non indexed ones).

The playbook uses the ID-Ransomware service, which allows you to detect the ransomware using multiple methods.

1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible.

2.Retrieves the WildFire sandbox report and extract the indicators within it.
* The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation.

3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints.

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Cortex XSOAR recommends that you configure a job to execute this playbook.

1. Configure a job that will run the RSS Create Indicators From Report playbook.
1. Select the Triggered by delta in feed option.
2. Select the feed on which to run the job.

2. Configure input to the RSS Create Indicators From Report playbook:

- From the context data input: Tag name - the indicator will be tagged with this value when the playbook finishes processing and all the indicators are extracted and relationships created.

- From the indicators: Create a query to include only new report indicators that were not processed yet. Recommended query: "type:Report -tags:{Tag name configured from the context data input} -tags:in_process".
The playbook tags all indicators with the "in_process" tag when it starts running, and removes the tag when the playbook ends.
If you want the playbook to run on a specific instance (a specific feed), add the following filter to the query: sourceInstances:"{the selected instance}".

Note that if you selected the Triggered by delta in feed option when configuring the Job, the “Run only on new and modified indicators” playbook option is automatically selected.

The remote action should have the following structure:
1. Initiate the operation - provide the Asset ID and the remediation action.
2. Poll to check if the operation completed.
3. Get the results of the operation.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

***Disclaimer: This playbook does not ensure compliance to SANS regulations.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

***Disclaimer: This playbook does not ensure compliance to SANS regulations.

https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

***Disclaimer: This playbook does not ensure compliance to SANS regulations.

Input:
Hash (default, takes all deferent hashes from context)

Output:

Input:
* Hostname (Default: ${Endpoint.Hostname})

The playbook will determine the existing owner and ensure that they are replaced as the owner once complete.