Proactive threat hunting pack latest (#28853)

* Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Readme fix * dependencies fix * Readme fix * Indicator Layout Fix * playbook fix * Playbook fixes * Release-note fix * Release-note fix * vix validation * Resolve conflicts * Resolve conflicts * Resolve conflicts * Resolve conflicts * Resolve conflicts * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Fix readme * Script review fixes * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.2. * Wizard Trial * delete wizard * Bump pack from version CortexXDR to 5.0.8. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.3. * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * fix docker image * Bump pack from version CommonPlaybooks to 2.3.90. * Bump pack from version CommonPlaybooks to 2.3.91. * Bump pack from version CommonPlaybooks to 2.3.92. * Bump pack from version CommonPlaybooks to 2.3.93. * Bump pack from version CortexXDR to 5.0.9. * Bump pack from version FeedLOLBAS to 1.0.7. * Bump pack from version CommonPlaybooks to 2.3.94. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.4. * Bump pack from version CortexXDR to 5.0.10. * Bump pack from version CommonPlaybooks to 2.3.95. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.5. * Bump pack from version CortexXDR to 5.0.11. * Bump pack from version CommonPlaybooks to 2.3.96. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.6. * Bump pack from version CortexXDR to 5.1.1. * Bump pack from version CommonPlaybooks to 2.3.97. * Bump pack from version CortexXDR to 5.1.2. * Bump pack from version CommonPlaybooks to 2.3.98. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.7. * Bump pack from version CommonPlaybooks to 2.3.99. * Bump pack from version CortexXDR to 5.1.3. * Bump pack from version FeedLOLBAS to 1.0.8. * Docker * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.8. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.9. * Bump pack from version CommonTypes to 3.3.85. * Bump pack from version CortexXDR to 5.1.4. * fixes * fixes * fixes * fixes * Bump pack from version CommonPlaybooks to 2.4.2. * Bump pack from version CommonTypes to 3.3.86. * Bump pack from version CortexXDR to 5.1.5. * Bump pack from version CommonPlaybooks to 2.4.3. * Bump pack from version CommonPlaybooks to 2.4.4. * Bump pack from version CommonTypes to 3.3.87. * Bump pack from version CommonTypes to 3.3.88. * Bump pack from version CortexXDR to 5.1.6. * updated docker * fix * fix * Bump pack from version CortexXDR to 5.1.7. * Bump pack from version CortexXDR to 5.1.8. * Add ons * input fix * FieldToPackIgnore * add fromversion * Cheat Sheet Fix * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.10. * Bump pack from version CommonPlaybooks to 2.4.5. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.11. * Bump pack from version FeedLOLBAS to 1.0.9. * Bump pack from version CommonPlaybooks to 2.4.6. * Bump pack from version CortexXDR to 5.1.9. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.12. * Bump pack from version CommonPlaybooks to 2.4.7. * Bump pack from version CortexXDR to 5.1.10. * Bump pack from version CommonPlaybooks to 2.4.8. * Bump pack from version CommonPlaybooks to 2.4.9. * Bump pack from version CommonPlaybooks to 2.4.10. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.13. * Bump pack from version CommonPlaybooks to 2.4.11. * Bump pack from version CommonPlaybooks to 2.4.12. * Bump pack from version CortexXDR to 5.2.1. * Bump pack from version CortexXDR to 5.2.2. * Bump pack from version FeedLOLBAS to 1.0.10. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.14. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.15. * Bump pack from version CommonPlaybooks to 2.4.13. * Bump pack from version CommonPlaybooks to 2.4.14. * Bump pack from version CortexXDR to 5.2.3. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.16. * Bump pack from version CortexXDR to 5.2.4. * Review Fixes * Review Fixes * bump * fix * Fixes * fix README * bump * fix * fixes * fix * fix * Bump pack from version CommonPlaybooks to 2.4.18. * fix * fix rn * Bump pack from version CommonPlaybooks to 2.4.19. * Bump pack from version CommonPlaybooks to 2.4.20. * fix * rn * Bump pack from version CortexXDR to 6.0.2. * Bump pack from version CommonPlaybooks to 2.4.21. * Bump pack from version CommonPlaybooks to 2.4.22. * Bump pack from version CommonPlaybooks to 2.4.23. * add video * Bump pack from version CommonPlaybooks to 2.4.24. * udpatedockerimage --------- Co-authored-by: Content Bot <bot@demisto.com> Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
demisto · Nov 19, 2023 · f36e7fd · f36e7fd
1 parent 928386a
commit f36e7fd
Show file tree

Hide file tree

Showing 97 changed files with 14,657 additions and 43 deletions.
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml
diff --git a/...ommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic_README.md b/...ommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic_README.md
@@ -0,0 +1,47 @@
+This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
+The following integrations are supported:
+
+- Cortex XDR XQL Engine 
+- Microsoft Defender For Endpoint
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* MDE - Search And Block Software
+* Cortex XDR - Search And Block Software - XQL Engine
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* DeleteContext
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| FileName | File name to search |  | Optional |
+| TimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. |  | Optional |
+| Indicator Expiration | DateTime string indicating when the indicator expires. Format: \(&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days\). |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Search And Block Software - Generic](../doc_files/Search_And_Block_Software_-_Generic.png)
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic.yml
@@ -0,0 +1,283 @@
+id: Search and Compare Process Executions - Generic
+version: -1
+name: Search and Compare Process Executions - Generic
+description: |-
+  This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+  - Cortex XDR XQL Engine
+  - Cortex XDR IR(Search executions inside XDR alerts)
+  - Microsoft Defender For Endpoint
+
+  Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+  - value: *process name*
+  - commands: *command-line arguments*
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: e4d8d0c7-56ec-4b27-8fbb-ae3a02490091
+    type: start
+    task:
+      id: e4d8d0c7-56ec-4b27-8fbb-ae3a02490091
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "15"
+      - "16"
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 80
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 6511abc4-4a61-4657-86b8-3809cbcc5dae
+    type: title
+    task:
+      id: 6511abc4-4a61-4657-86b8-3809cbcc5dae
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 400
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 0c2ea311-165b-48ae-8f5f-92cb5ec5e81b
+    type: playbook
+    task:
+      id: 0c2ea311-165b-48ae-8f5f-92cb5ec5e81b
+      version: -1
+      name: MDE - Search and Compare Process Executions
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: MDE - Search and Compare Process Executions
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 936cbb1b-fc14-42e0-80e4-9ca0bbec9f10
+    type: playbook
+    task:
+      id: 936cbb1b-fc14-42e0-80e4-9ca0bbec9f10
+      version: -1
+      name: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument.  It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input  the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      SearchXDRAlerts:
+        complex:
+          root: inputs.SearchXDRAlerts
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+      forEach: true
+    view: |-
+      {
+        "position": {
+          "x": 40,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 6246b45d-476d-4e3d-8c6a-6eccafe838ef
+    type: playbook
+    task:
+      id: 6246b45d-476d-4e3d-8c6a-6eccafe838ef
+      version: -1
+      name: Cortex XDR - Search and Compare Process Executions - XQL Engine
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Cortex XDR - Search and Compare Process Executions - XQL Engine
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 870,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 385,
+        "width": 1210,
+        "x": 40,
+        "y": 80
+      }
+    }
+  }
+inputs:
+- key: Processes
+  value: {}
+  required: false
+  description: |-
+    Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:
+    - value: *process name*
+    - commands: *command-line arguments*
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
+  playbookInputQuery:
+- key: SearchXDRAlerts
+  value: {}
+  required: false
+  description: Set to "True" if you want to hunt for processes that are part of XDR alerts
+  playbookInputQuery:
+outputs:
+- contextPath: StringSimilarity
+  description: StringSimilarity automation results.
+  type: unknown
+- contextPath: Findings
+  description: Suspicious process executions found.
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/...ks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic_README.md b/...ks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic_README.md
@@ -0,0 +1,57 @@
+This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+- Cortex XDR XQL Engine
+- Cortex XDR IR(Search executions inside XDR alerts)
+- Microsoft Defender For Endpoint
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments*
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* MDE - Search and Compare Process Executions
+* Cortex XDR - Search and Compare Process Executions - XQL Engine
+* Cortex XDR - Search and Compare Process Executions - XDR Alerts
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+This playbook does not use any scripts.
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Processes | Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:<br/>- value: \*process name\*<br/>- commands: \*command-line arguments\* |  | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 7 days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+| SearchXDRAlerts | Set to "True" if you want to hunt for processes that are part of XDR alerts |  | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StringSimilarity | StringSimilarity automation results. | unknown |
+| Findings | Suspicious process executions found. | unknown |
+
+## Playbook Image
+
+---
+
+![Search and Compare Process Executions - Generic](../doc_files/Search_and_Compare_Process_Executions_-_Generic.png)