From f36e7fd1f6f715303ac4d52569fc58ae1e92d949 Mon Sep 17 00:00:00 2001 
From: ArikDay <115150768+ArikDay@users.noreply.github.com> Date: Sun, 19 Nov 2023 10:46:28 +0200 Subject: [PATCH] Proactive threat hunting pack latest (#28853) * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Script Test * Readme fix * dependencies fix * Readme fix * Indicator Layout Fix * playbook fix * Playbook fixes * Release-note fix * Release-note fix * vix validation * Resolve conflicts * Resolve conflicts * Resolve conflicts * Resolve conflicts * Resolve conflicts * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Add no indicator unittest * Fix readme * Script review fixes * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.2. * Wizard Trial * delete wizard * Bump pack from version CortexXDR to 5.0.8. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.3. 
* Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Update Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software.yml Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * fix docker image * Bump pack from version CommonPlaybooks to 2.3.90. * Bump pack from version CommonPlaybooks to 2.3.91. * Bump pack from version CommonPlaybooks to 2.3.92. * Bump pack from version CommonPlaybooks to 2.3.93. * Bump pack from version CortexXDR to 5.0.9. * Bump pack from version FeedLOLBAS to 1.0.7. 
* Bump pack from version CommonPlaybooks to 2.3.94. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.4. * Bump pack from version CortexXDR to 5.0.10. * Bump pack from version CommonPlaybooks to 2.3.95. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.5. * Bump pack from version CortexXDR to 5.0.11. * Bump pack from version CommonPlaybooks to 2.3.96. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.6. * Bump pack from version CortexXDR to 5.1.1. * Bump pack from version CommonPlaybooks to 2.3.97. * Bump pack from version CortexXDR to 5.1.2. * Bump pack from version CommonPlaybooks to 2.3.98. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.7. * Bump pack from version CommonPlaybooks to 2.3.99. * Bump pack from version CortexXDR to 5.1.3. * Bump pack from version FeedLOLBAS to 1.0.8. * Docker * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.8. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.9. * Bump pack from version CommonTypes to 3.3.85. * Bump pack from version CortexXDR to 5.1.4. * fixes * fixes * fixes * fixes * Bump pack from version CommonPlaybooks to 2.4.2. * Bump pack from version CommonTypes to 3.3.86. * Bump pack from version CortexXDR to 5.1.5. * Bump pack from version CommonPlaybooks to 2.4.3. * Bump pack from version CommonPlaybooks to 2.4.4. * Bump pack from version CommonTypes to 3.3.87. * Bump pack from version CommonTypes to 3.3.88. * Bump pack from version CortexXDR to 5.1.6. * updated docker * fix * fix * Bump pack from version CortexXDR to 5.1.7. * Bump pack from version CortexXDR to 5.1.8. * Add ons * input fix * FieldToPackIgnore * add fromversion * Cheat Sheet Fix * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.10. * Bump pack from version CommonPlaybooks to 2.4.5. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.11. 
* Bump pack from version FeedLOLBAS to 1.0.9. * Bump pack from version CommonPlaybooks to 2.4.6. * Bump pack from version CortexXDR to 5.1.9. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.12. * Bump pack from version CommonPlaybooks to 2.4.7. * Bump pack from version CortexXDR to 5.1.10. * Bump pack from version CommonPlaybooks to 2.4.8. * Bump pack from version CommonPlaybooks to 2.4.9. * Bump pack from version CommonPlaybooks to 2.4.10. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.13. * Bump pack from version CommonPlaybooks to 2.4.11. * Bump pack from version CommonPlaybooks to 2.4.12. * Bump pack from version CortexXDR to 5.2.1. * Bump pack from version CortexXDR to 5.2.2. * Bump pack from version FeedLOLBAS to 1.0.10. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.14. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.15. * Bump pack from version CommonPlaybooks to 2.4.13. * Bump pack from version CommonPlaybooks to 2.4.14. * Bump pack from version CortexXDR to 5.2.3. * Bump pack from version MicrosoftDefenderAdvancedThreatProtection to 1.16.16. * Bump pack from version CortexXDR to 5.2.4. * Review Fixes * Review Fixes * bump * fix * Fixes * fix README * bump * fix * fixes * fix * fix * Bump pack from version CommonPlaybooks to 2.4.18. * fix * fix rn * Bump pack from version CommonPlaybooks to 2.4.19. * Bump pack from version CommonPlaybooks to 2.4.20. * fix * rn * Bump pack from version CortexXDR to 6.0.2. * Bump pack from version CommonPlaybooks to 2.4.21. * Bump pack from version CommonPlaybooks to 2.4.22. * Bump pack from version CommonPlaybooks to 2.4.23. * add video * Bump pack from version CommonPlaybooks to 2.4.24. 
* udpatedockerimage --------- Co-authored-by: Content Bot Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> --- ...ok-Search_And_Block_Software_-_Generic.yml | 536 +++++++ ...rch_And_Block_Software_-_Generic_README.md | 47 + ...d_Compare_Process_Executions_-_Generic.yml | 283 ++++ ...are_Process_Executions_-_Generic_README.md | 57 + Packs/CommonPlaybooks/ReleaseNotes/2_4_24.md | 21 + .../Search_And_Block_Software_-_Generic.png | Bin 0 -> 97951 bytes ...d_Compare_Process_Executions_-_Generic.png | Bin 0 -> 48927 bytes Packs/CommonPlaybooks/pack_metadata.json | 2 +- Packs/CommonTypes/.pack-ignore | 13 +- .../incidentfield-Affected_Hosts.json | 27 + .../incidentfield-Affected_Users.json | 27 + .../incidentfield-Attack_Patterns.json | 27 + ...incidentfield-Block_Indicators_Status.json | 27 + .../incidentfield-Campaign_Name.json | 27 + .../incidentfield-Custom_Query_Results.json | 27 + .../incidentfield-Endpoints_Details.json | 27 + .../incidentfield-Related_Alerts.json | 27 + .../incidentfield-Report_Name.json | 27 + ...cidentfield-String_Similarity_Results.json | 27 + .../incidentfield-Suspicious_Executions.json | 99 ++ ...dentfield-Suspicious_Executions_Found.json | 27 + .../incidentfield-Tool_Usage_Found.json | 27 + .../IncidentFields/incidentfield-Tools.json | 27 + .../incidentfield-Users_Details.json | 27 + .../Layouts/layoutscontainer-CampaignV2.json | 19 +- .../layoutscontainer-Intrusion_SetV2.json | 17 +- .../Layouts/layoutscontainer-MalwareV2.json | 75 +- Packs/CommonTypes/ReleaseNotes/3_3_91.md | 30 + Packs/CommonTypes/pack_metadata.json | 2 +- ...Search_And_Block_Software_-_XQL_Engine.yml | 1017 ++++++++++++ ..._And_Block_Software_-_XQL_Engine_README.md | 43 + ...ompare_Process_Executions_-_XDR_Alerts.yml | 546 +++++++ ..._Process_Executions_-_XDR_Alerts_README.md | 53 + ...ompare_Process_Executions_-_XQL_Engine.yml | 577 +++++++ ..._Process_Executions_-_XQL_Engine_README.md | 52 + Packs/CortexXDR/ReleaseNotes/6_0_2.md | 20 
+ ...Search_And_Block_Software_-_XQL_Engine.png | Bin 0 -> 297439 bytes ...ompare_Process_Executions_-_XDR_Alerts.png | Bin 0 -> 137850 bytes ...ompare_Process_Executions_-_XQL_Engine.png | Bin 0 -> 139172 bytes Packs/CortexXDR/pack_metadata.json | 2 +- .../playbook-Search_LOLBAS_Tools_By_Name.yml | 445 ++++++ ...book-Search_LOLBAS_Tools_By_Name_README.md | 45 + Packs/FeedLOLBAS/ReleaseNotes/1_0_11.md | 6 + .../doc_files/Search_LOLBAS_Tools_By_Name.png | Bin 0 -> 127889 bytes Packs/FeedLOLBAS/pack_metadata.json | 2 +- ...aybook-MDE_-_Search_And_Block_Software.yml | 941 +++++++++++ ...-MDE_-_Search_And_Block_Software_README.md | 46 + ..._Search_and_Compare_Process_Executions.yml | 570 +++++++ ...h_and_Compare_Process_Executions_README.md | 52 + .../ReleaseNotes/1_16_18.md | 13 + .../MDE_-_Search_And_Block_Software.png | Bin 0 -> 306629 bytes ..._Search_and_Compare_Process_Executions.png | Bin 0 -> 134461 bytes .../pack_metadata.json | 4 +- Packs/ProactiveThreatHunting/.pack-ignore | 29 + Packs/ProactiveThreatHunting/.secrets-ignore | 0 .../Dashboards/dashboard-Threat_Hunting.json | 518 ++++++ .../incidentfield-Campaign_to_hunt.json | 27 + .../incidentfield-Cheat_Sheet.json | 28 + .../incidentfield-Choose_SDO_To_Hunt_for.json | 27 + .../incidentfield-Freestyle_Hunt.json | 27 + ...dentfield-Hunting_Endpoint_Enrichment.json | 27 + .../incidentfield-Hunting_Session_Status.json | 27 + .../incidentfield-SDO_Feed.json | 27 + .../incidentfield-SDO_Name.json | 27 + .../incidentfield-Tools_To_Hunt_For.json | 27 + ...incidenttype-Proactive_Threat_Hunting.json | 28 + ...utscontainer-Proactive_Threat_Hunting.json | 1386 ++++++++++++++++ .../playbook-Proactive_Threat_Hunting.yml | 557 +++++++ ...oactive_Threat_Hunting_-_Block_Account.yml | 406 +++++ ...e_Threat_Hunting_-_Block_Account_README.md | 37 + ...tive_Threat_Hunting_-_Block_Indicators.yml | 847 ++++++++++ ...hreat_Hunting_-_Block_Indicators_README.md | 39 + ...ve_Threat_Hunting_-_Endpoint_Isolation.yml | 406 +++++ 
...eat_Hunting_-_Endpoint_Isolation_README.md | 38 + ...ive_Threat_Hunting_-_Entity_Enrichment.yml | 1241 +++++++++++++++ ...reat_Hunting_-_Entity_Enrichment_README.md | 42 + ...oactive_Threat_Hunting_-_Execute_Query.yml | 754 +++++++++ ...e_Threat_Hunting_-_Execute_Query_README.md | 44 + ...ctive_Threat_Hunting_-_Quarantine_File.yml | 326 ++++ ...Threat_Hunting_-_Quarantine_File_README.md | 38 + ...ve_Threat_Hunting_-_SDO_Threat_Hunting.yml | 1402 +++++++++++++++++ ...eat_Hunting_-_SDO_Threat_Hunting_README.md | 59 + ...laybook-Proactive_Threat_Hunting_README.md | 45 + Packs/ProactiveThreatHunting/README.md | 7 + .../HuntingFromIndicatorLayout.py | 44 + .../HuntingFromIndicatorLayout.yml | 22 + .../HuntingFromIndicatorLayout_test.py | 63 + .../HuntingFromIndicatorLayout/README.md | 0 .../doc_files/Proactive_Threat_Hunting.png | Bin 0 -> 129022 bytes ...oactive_Threat_Hunting_-_Block_Account.png | Bin 0 -> 82453 bytes ...tive_Threat_Hunting_-_Block_Indicators.png | Bin 0 -> 142932 bytes ...ve_Threat_Hunting_-_Endpoint_Isolation.png | Bin 0 -> 83280 bytes ...ive_Threat_Hunting_-_Entity_Enrichment.png | Bin 0 -> 301920 bytes ...oactive_Threat_Hunting_-_Execute_Query.png | Bin 0 -> 181423 bytes ...ctive_Threat_Hunting_-_Quarantine_File.png | Bin 0 -> 64560 bytes ...ve_Threat_Hunting_-_SDO_Threat_Hunting.png | Bin 0 -> 359053 bytes .../ProactiveThreatHunting/pack_metadata.json | 65 + 97 files changed, 14657 insertions(+), 43 deletions(-) create mode 100644 Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml create mode 100644 Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic_README.md create mode 100644 Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic.yml create mode 100644 Packs/CommonPlaybooks/Playbooks/playbook-Search_and_Compare_Process_Executions_-_Generic_README.md create mode 100644 Packs/CommonPlaybooks/ReleaseNotes/2_4_24.md create mode 100644 
Packs/CommonPlaybooks/doc_files/Search_And_Block_Software_-_Generic.png create mode 100644 Packs/CommonPlaybooks/doc_files/Search_and_Compare_Process_Executions_-_Generic.png create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Affected_Hosts.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Affected_Users.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Attack_Patterns.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Block_Indicators_Status.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Campaign_Name.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Custom_Query_Results.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Endpoints_Details.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Related_Alerts.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Report_Name.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-String_Similarity_Results.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Suspicious_Executions_Found.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Tool_Usage_Found.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Tools.json create mode 100644 Packs/CommonTypes/IncidentFields/incidentfield-Users_Details.json create mode 100644 Packs/CommonTypes/ReleaseNotes/3_3_91.md create mode 100644 Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.yml create mode 100644 Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine_README.md create mode 100644 Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.yml create mode 100644 
Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts_README.md create mode 100644 Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.yml create mode 100644 Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine_README.md create mode 100644 Packs/CortexXDR/ReleaseNotes/6_0_2.md create mode 100644 Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_And_Block_Software_-_XQL_Engine.png create mode 100644 Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XDR_Alerts.png create mode 100644 Packs/CortexXDR/doc_files/Cortex_XDR_-_Search_and_Compare_Process_Executions_-_XQL_Engine.png create mode 100644 Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name.yml create mode 100644 Packs/FeedLOLBAS/Playbooks/playbook-Search_LOLBAS_Tools_By_Name_README.md create mode 100644 Packs/FeedLOLBAS/ReleaseNotes/1_0_11.md create mode 100644 Packs/FeedLOLBAS/doc_files/Search_LOLBAS_Tools_By_Name.png create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software.yml create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_And_Block_Software_README.md create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions.yml create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/Playbooks/playbook-MDE_-_Search_and_Compare_Process_Executions_README.md create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/ReleaseNotes/1_16_18.md create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_And_Block_Software.png create mode 100644 Packs/MicrosoftDefenderAdvancedThreatProtection/doc_files/MDE_-_Search_and_Compare_Process_Executions.png create mode 100644 Packs/ProactiveThreatHunting/.pack-ignore create mode 100644 
Packs/ProactiveThreatHunting/.secrets-ignore create mode 100644 Packs/ProactiveThreatHunting/Dashboards/dashboard-Threat_Hunting.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Campaign_to_hunt.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Cheat_Sheet.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Choose_SDO_To_Hunt_for.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Freestyle_Hunt.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Endpoint_Enrichment.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Hunting_Session_Status.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Feed.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-SDO_Name.json create mode 100644 Packs/ProactiveThreatHunting/IncidentFields/incidentfield-Tools_To_Hunt_For.json create mode 100644 Packs/ProactiveThreatHunting/IncidentTypes/incidenttype-Proactive_Threat_Hunting.json create mode 100644 Packs/ProactiveThreatHunting/Layouts/layoutscontainer-Proactive_Threat_Hunting.json create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Account_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Block_Indicators_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation.yml create mode 100644 
Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Endpoint_Isolation_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Entity_Enrichment_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Execute_Query_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_Quarantine_File_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting.yml create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_-_SDO_Threat_Hunting_README.md create mode 100644 Packs/ProactiveThreatHunting/Playbooks/playbook-Proactive_Threat_Hunting_README.md create mode 100644 Packs/ProactiveThreatHunting/README.md create mode 100644 Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.py create mode 100644 Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout.yml create mode 100644 Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/HuntingFromIndicatorLayout_test.py create mode 100644 Packs/ProactiveThreatHunting/Scripts/HuntingFromIndicatorLayout/README.md create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting.png create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Account.png create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Block_Indicators.png create mode 100644 
Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Endpoint_Isolation.png create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Entity_Enrichment.png create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Execute_Query.png create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_Quarantine_File.png create mode 100644 Packs/ProactiveThreatHunting/doc_files/Proactive_Threat_Hunting_-_SDO_Threat_Hunting.png create mode 100644 Packs/ProactiveThreatHunting/pack_metadata.json
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml
new file mode 100644
index 000000000000..aa2d41da72b1
--- /dev/null
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-Search_And_Block_Software_-_Generic.yml
@@ -0,0 +1,536 @@ +id: Search And Block Software - Generic +version: -1 +name: Search And Block Software - Generic +description: "This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.\nThe following integrations are supported:\n\n- Cortex XDR XQL Engine \n- Microsoft Defender For Endpoint" +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: db561466-7b5a-4cea-8350-4a871a84518c + type: start + task: + id: db561466-7b5a-4cea-8350-4a871a84518c + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "7" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": -120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "1": + id: "1" + taskid: c1f24703-cccd-4aa8-894a-24936aeccb8f + type: condition + task: + id: c1f24703-cccd-4aa8-894a-24936aeccb8f + version: -1 + name: Has filename and timeframe from inputs? 
+ type: condition + iscommand: false + brand: "" + description: '' + nexttasks: + '#default#': + - "2" + "yes": + - "3" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.FileName + iscontext: true + - - operator: isNotEmpty + left: + value: + complex: + root: inputs.TimeFrame + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 180 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "2": + id: "2" + taskid: 1d034069-83cc-4e4b-8d6c-d2faec53535a + type: collection + task: + id: 1d034069-83cc-4e4b-8d6c-d2faec53535a + version: -1 + name: Please provide a software name to block and a timeframe + type: collection + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "3" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 60, + "y": 350 + } + } + note: false + timertriggers: [] + ignoreworker: false + message: + to: + subject: + body: + methods: [] + format: "" + bcc: + cc: + timings: + retriescount: 2 + retriesinterval: 360 + completeafterreplies: 1 + completeafterv2: true + completeaftersla: false + form: + questions: + - id: "0" + label: "" + labelarg: + simple: Please provide a software image file name + required: true + gridcolumns: [] + defaultrows: [] + type: shortText + options: [] + optionsarg: [] + fieldassociated: "" + placeholder: name.exe + tooltip: the software file name. 
NOTICE - name case is insensitive and it searches every file that contains the given image name + readonly: false + - id: "1" + label: "" + labelarg: + simple: Please provide a timeframe + required: true + gridcolumns: [] + defaultrows: [] + type: shortText + options: [] + optionsarg: [] + fieldassociated: "" + placeholder: 7 days + tooltip: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.' + readonly: false + title: Please provide a software name to block and a timeframe + description: "" + sender: "" + expired: false + totalanswers: 0 + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "3": + id: "3" + taskid: 7b4a666f-b896-4219-81f5-6af0f8aed8f6 + type: title + task: + id: 7b4a666f-b896-4219-81f5-6af0f8aed8f6 + version: -1 + name: Search And Block Software + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "4" + - "6" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 520 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 51fcc25e-607e-43af-899b-d4e19570ddd0 + type: playbook + task: + id: 51fcc25e-607e-43af-899b-d4e19570ddd0 + version: -1 + name: Cortex XDR - Search And Block Software - XQL Engine + description: This playbook will search a file or process activity of a software by a given image file name using Cortex XDR XQL Engine. The analyst can then choose the files to block. 
+ playbookName: Cortex XDR - Search And Block Software - XQL Engine + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + Filename: + complex: + root: inputs.FileName + transformers: + - operator: append + args: + item: + value: + simple: Please provide a software name to block and a timeframe.Answers.0 + iscontext: true + - operator: StringifyArray + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '"' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '[' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ']' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ',' + - operator: uniq + TimeFrame: + complex: + root: inputs.TimeFrame + transformers: + - operator: append + args: + item: + value: + simple: Please provide a software name to block and a timeframe.Answers.1 + iscontext: true + - operator: StringifyArray + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '"' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '[' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ']' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ',' + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 200, + "y": 660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "5": + id: "5" + taskid: 72d74415-fffc-4a35-88cc-2c11c3955b0c + type: title + task: + id: 72d74415-fffc-4a35-88cc-2c11c3955b0c + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + 
continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 830 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "6": + id: "6" + taskid: 6c6d4e63-db04-452b-8862-29e7093753f5 + type: playbook + task: + id: 6c6d4e63-db04-452b-8862-29e7093753f5 + version: -1 + name: MDE - Search And Block Software + description: This playbook will search a file or process activity of a software by a given image file name using Microsoft Defender For Endpoint. The analyst can then choose the files to block. + playbookName: MDE - Search And Block Software + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + Defender Indicator Title: + simple: XSOAR Software Block + Filename: + complex: + root: inputs.FileName + transformers: + - operator: append + args: + item: + value: + simple: Please provide a software name to block and a timeframe.Answers.0 + iscontext: true + - operator: StringifyArray + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '"' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '[' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ']' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ',' + - operator: uniq + Indicator Expiration: + complex: + root: inputs.Indicator Expiration + TimeFrame: + complex: + root: inputs.TimeFrame + transformers: + - operator: append + args: + item: + value: + simple: Please provide a software name to block and a timeframe.Answers.1 + iscontext: true + - operator: StringifyArray + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '"' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: '[' + - operator: replace + args: + limit: {} 
+ replaceWith: {} + toReplace: + value: + simple: ']' + - operator: replace + args: + limit: {} + replaceWith: {} + toReplace: + value: + simple: ',' + separatecontext: true + continueonerrortype: "" + loop: + iscommand: false + exitCondition: "" + wait: 1 + max: 100 + view: |- + { + "position": { + "x": 700, + "y": 660 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: true + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "7": + id: "7" + taskid: 11d21beb-8d7b-44c3-8b16-22a685bd134d + type: regular + task: + id: 11d21beb-8d7b-44c3-8b16-22a685bd134d + version: -1 + name: Delete Context + description: |- + Delete field from context. + + This automation runs using the default Limited User role, unless you explicitly change the permissions. + For more information, see the section about permissions here: + https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + scriptarguments: + key: + simple: Please provide a software name to block and a timeframe + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 10 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +system: true +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1015, + "width": 1020, + "x": 60, + "y": -120 + } + } + } +inputs: +- key: FileName + value: {} + required: false + description: File name to search + playbookInputQuery: +- key: TimeFrame + value: {} + required: false + description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.' 
+ playbookInputQuery: +- key: Indicator Expiration + value: {} + required: false + description: 'DateTime string indicating when the indicator expires. Format: (