Deprecated
Use the "PANW - Hunting and threat detection by indicator type V2" playbook instead.
This playbook uses the following sub-playbooks, integrations, and scripts.
- Autofocus Query Samples, Sessions and Tags
- PAN-OS Query Logs For Indicators
- Convert file hash to corresponding hashes
This playbook does not use any integrations.
- Set
- cortex-query-analytics-logs
- cortex-query-traps-logs
- cortex-query-threat-logs
- cortex-query-traffic-logs
| Name | Description | Default Value | Source | Required |
|---|---|---|---|---|
| SHA256 | The SHA256 hash for indicator to hunt. | SHA256 | File | Optional |
| MD5 | The MD5 hash for indicator to hunt. | MD5 | File | Optional |
| SHA1 | The SHA1 hash for indicator to hunt. | SHA1 | File | Optional |
| IP addresses | The list of IP addresses. | ${IP.Address} | - | Optional |
| Domain | The list of domains or URLs. | ${Domain.Name} | - | Optional |
| Path | Description | Type |
|---|---|---|
| detectedips | The IP address or array of IP addresses that were detected during hunting. | string |
| detectedhosts | The Host or array of hosts that were detected during hunting. | string |
| detectedusers | The User or array of users that were detected during hunting. | string |
| trapsid | The ID or array of IDs for traps hosts detected in the searches. | string |
