diff --git a/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.yml b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.yml
new file mode 100644
index 000000000000..f8e018a1770e
--- /dev/null
+++ b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.yml
@@ -0,0 +1,1524 @@ +id: PAN-OS - Job - Add Malicious Domains To Sinkhole +version: -1 +name: PAN-OS - Job - Add Malicious Domains To Sinkhole +description: |- + This TIM playbook should be run as a job. The playbook runs on domain indicators and performs various checks to decide if they should be sinkholed. + + If a domain is related to a campaign or a threat actor, or if it resolves to a malicious IP or has malware-related tags, the playbook will add a new tag to it in order to sinkhole that domain. + + The playbook assumes that the user is exporting indicators with the sinkhole tag to an EDL (External Dynamic List) using the Export Generic Indicators Service integration in Cortex XSOAR. That EDL should be connected to PAN-OS. It also assumes that a DNS sinkhole is configured in the PAN-OS firewall. However, these are not required for the sole purpose of tagging the domains. + + Note: This playbook has inputs from both the "From context data" tab and the "From indicators" tab. +tags: +- Job +- PAN-OS +- Sinkhole +- TIM +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 9d9d8637-a6b6-4b84-8419-a17c24bb6cbb + type: start + task: + id: 9d9d8637-a6b6-4b84-8419-a17c24bb6cbb + version: -1 + name: "" + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "30" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 35 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "4": + id: "4" + taskid: 4f5db42a-566e-4942-80e1-e22b509c1cca + type: condition + task: + id: 4f5db42a-566e-4942-80e1-e22b509c1cca + version: -1 + name: Enrich domains with inconclusive verdict? + description: Checks whether to enrich unknown or suspicious domains. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "yes": + - "23" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.EnrichUnknownDomains + iscontext: true + right: + value: + simple: "True" + ignorecase: true + - operator: isEqualString + left: + value: + complex: + root: inputs.EnrichSuspiciousDomains + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 425 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "8": + id: "8" + taskid: c28fefe5-54d5-4992-8187-e8f6c47f8c1d + type: title + task: + id: c28fefe5-54d5-4992-8187-e8f6c47f8c1d + version: -1 + name: Review Evidence + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "26" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 780, + "y": 2860 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "9": + id: "9" + taskid: c7e98784-57a4-4135-8245-787d6bdcbabc + type: regular + task: + id: c7e98784-57a4-4135-8245-787d6bdcbabc + version: -1 + name: Add sinkhole tag (exports to EDL) + description: Tags the malicious domains with a sinkhole tag to export them to an EDL using the Generic Export Indicators Service. 
+ script: Builtin|||appendIndicatorField + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "29" + scriptarguments: + field: + simple: tags + fieldValue: + complex: + root: inputs.SinkholeTagForEDL + indicatorsValues: + complex: + root: DomainsRelatedToMaliciousIPs + transformers: + - operator: AppendIfNotEmpty + args: + item: + value: + simple: DomainsRelatedToCampaigns + iscontext: true + raw: {} + - operator: AppendIfNotEmpty + args: + item: + value: + simple: DomainsRelatedToThreatActors + iscontext: true + raw: {} + - operator: AppendIfNotEmpty + args: + item: + value: + simple: DomainsWithMaliciousTags + iscontext: true + raw: {} + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1060, + "y": 3200 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "10": + id: "10" + taskid: 4a600ff4-a8c9-4641-8b1a-2bc7a7a2bb65 + type: regular + task: + id: 4a600ff4-a8c9-4641-8b1a-2bc7a7a2bb65 + version: -1 + name: Save domains with tags + description: Saves domains that have a "c2", "c&c" or "command and control" tag, in a separate context key. 
+ scriptName: SetAndHandleEmpty + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + key: + simple: DomainsWithMaliciousTags + value: + complex: + root: playbookQuery + filters: + - - operator: containsGeneral + left: + value: + simple: playbookQuery.CustomFields.tags + iscontext: true + right: + value: + simple: c2 + ignorecase: true + - operator: containsGeneral + left: + value: + simple: playbookQuery.CustomFields.tags + iscontext: true + right: + value: + simple: c&c + ignorecase: true + - operator: containsGeneral + left: + value: + simple: playbookQuery.CustomFields.tags + iscontext: true + right: + value: + simple: command and control + ignorecase: true + - operator: containsGeneral + left: + value: + simple: playbookQuery.CustomFields.tags + iscontext: true + right: + value: + simple: malicious-activity + ignorecase: true + - operator: containsGeneral + left: + value: + simple: playbookQuery.CustomFields.tags + iscontext: true + right: + value: + simple: malware + - - operator: isEqualString + left: + value: + simple: playbookQuery.score + iscontext: true + right: + value: + simple: "2" + - operator: isEqualString + left: + value: + simple: playbookQuery.score + iscontext: true + right: + value: + simple: "3" + accessor: value + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 1775 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "14": + id: "14" + taskid: f44e61a7-9bb5-416e-858a-31eb8ba2a445 + type: title + task: + id: f44e61a7-9bb5-416e-858a-31eb8ba2a445 + version: -1 + name: Check Domains + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "42" + - "45" + - "44" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 1460 + } + } + note: false + timertriggers: [] 
+ ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "15": + id: "15" + taskid: 24318345-a6a8-471a-809e-381c6f5e0df3 + type: condition + task: + id: 24318345-a6a8-471a-809e-381c6f5e0df3 + version: -1 + name: Are there suspicious domains? + description: Checks whether there are domains with a score of 2 (suspicious). + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "yes": + - "24" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: playbookQuery + filters: + - - operator: isEqualString + left: + value: + simple: playbookQuery.score + iscontext: true + right: + value: + simple: "2" + accessor: value + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "17": + id: "17" + taskid: 1aa825ef-89e2-4462-898a-4fae4ea7dada + type: condition + task: + id: 1aa825ef-89e2-4462-898a-4fae4ea7dada + version: -1 + name: Are there unknown domains? + description: Checks whether there are domains with a score of 0 (unknown). 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "yes": + - "18" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: playbookQuery + filters: + - - operator: isEqualString + left: + value: + simple: playbookQuery.score + iscontext: true + right: + value: + simple: "0" + accessor: value + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 760, + "y": 770 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "18": + id: "18" + taskid: 0916bfab-a760-49c1-80d0-60d083652675 + type: condition + task: + id: 0916bfab-a760-49c1-80d0-60d083652675 + version: -1 + name: Enrich unknown domains? + description: Checks whether domains with a score of 0 (unknown) should be enriched, according to the playbook inputs. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "yes": + - "19" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.EnrichUnknownDomains + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 760, + "y": 980 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "19": + id: "19" + taskid: 8f7c32a7-aa3f-463d-81ea-37cdf67bc84d + type: regular + task: + id: 8f7c32a7-aa3f-463d-81ea-37cdf67bc84d + version: -1 + name: Enrich unknown domains + description: Enriches domains with a score of 0. 
+ script: Builtin|||enrichIndicators + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "14" + scriptarguments: + indicatorsValues: + complex: + root: playbookQuery + filters: + - - operator: isEqualString + left: + value: + simple: playbookQuery.score + iscontext: true + right: + value: + simple: "0" + accessor: value + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 760, + "y": 1180 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "20": + id: "20" + taskid: 8b2768fa-0314-49dc-8519-1929a7a6cf5f + type: regular + task: + id: 8b2768fa-0314-49dc-8519-1929a7a6cf5f + version: -1 + name: Enrich suspicious domains + description: Enriches domains with a score of 2. + script: Builtin|||enrichIndicators + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "14" + scriptarguments: + indicatorsValues: + complex: + root: playbookQuery + filters: + - - operator: isEqualString + left: + value: + simple: playbookQuery.score + iscontext: true + right: + value: + simple: "2" + accessor: value + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 1180 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "23": + id: "23" + taskid: 1fe0d61d-484d-4240-83db-e351d48cc50c + type: title + task: + id: 1fe0d61d-484d-4240-83db-e351d48cc50c + version: -1 + name: Domain Enrichment + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "17" + - "15" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 980, + "y": 625 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: 
false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "24": + id: "24" + taskid: a4654cde-af5b-49ae-84e8-89392e42ea29 + type: condition + task: + id: a4654cde-af5b-49ae-84e8-89392e42ea29 + version: -1 + name: Enrich suspicious domains? + description: Checks whether domains with a score of 2 (suspicious) should be enriched, according to the playbook inputs. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "14" + "yes": + - "20" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + complex: + root: inputs.EnrichSuspiciousDomains + iscontext: true + right: + value: + simple: "True" + ignorecase: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 1200, + "y": 980 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "26": + id: "26" + taskid: 74c8c67d-5934-496c-869b-dd9e6242c732 + type: condition + task: + id: 74c8c67d-5934-496c-869b-dd9e6242c732 + version: -1 + name: Any domains to sinkhole? + description: Checks whether any domains should be sinkholed according to the tags and relationships. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "29" + "yes": + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: DomainsRelatedToMaliciousIPs + iscontext: true + right: + value: {} + - operator: isNotEmpty + left: + value: + simple: DomainsRelatedToCampaigns + iscontext: true + - operator: isNotEmpty + left: + value: + simple: DomainsRelatedToThreatActors + iscontext: true + - operator: isNotEmpty + left: + value: + simple: DomainsWithMaliciousTags + iscontext: true + continueonerrortype: "" + view: |- + { + "position": { + "x": 780, + "y": 3000 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "29": + id: "29" + taskid: eb2a3ed3-53d9-4380-8ac0-a125c7e507df + type: title + task: + id: eb2a3ed3-53d9-4380-8ac0-a125c7e507df + version: -1 + name: Done + type: title + iscommand: false + brand: "" + description: '' + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 680, + "y": 3370 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "30": + id: "30" + taskid: c3d17149-69cf-4860-897b-420823294552 + type: condition + task: + id: c3d17149-69cf-4860-897b-420823294552 + version: -1 + name: Are there domains to check? + description: Checks whether there are new domains to check for whether they should be sinkholed. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "31" + "yes": + - "4" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: playbookQuery + accessor: value + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 450, + "y": 190 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "31": + id: "31" + taskid: 9d7ecc51-3594-48f6-87db-49fc0297ecf5 + type: title + task: + id: 9d7ecc51-3594-48f6-87db-49fc0297ecf5 + version: -1 + name: No Domains + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "29" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -990, + "y": 2135 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "34": + id: "34" + taskid: 89f224e9-5579-4c4b-8f1a-f1cbff179416 + type: regular + task: + id: 89f224e9-5579-4c4b-8f1a-f1cbff179416 + version: -1 + name: Check for resolved IPs + description: Searches the relationships of the domains to check if any of them resolves to a malicious IP address. 
+ scriptName: SearchIndicatorRelationships + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "35" + scriptarguments: + entities: + complex: + root: playbookQuery + accessor: value + extend-context: + simple: RelationshipsWithIPs= + ignore-outputs: + simple: "true" + relationships: + simple: resolves-to + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -340, + "y": 1750 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "35": + id: "35" + taskid: d6a02cf5-a9ed-40d5-837a-8f3bf0c52d96 + type: condition + task: + id: d6a02cf5-a9ed-40d5-837a-8f3bf0c52d96 + version: -1 + name: Any IPs found? + description: Checks whether any IP addresses that the domains resolve to were found. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "36" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + simple: RelationshipsWithIPs.EntityB + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": -340, + "y": 1930 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "36": + id: "36" + taskid: 236a5077-cf02-4331-8964-77c441c179fa + type: regular + task: + id: 236a5077-cf02-4331-8964-77c441c179fa + version: -1 + name: Get IP scores + description: Gets the DBotScores of the IP addresses that the domains resolve to. 
+ scriptName: GetIndicatorDBotScoreFromCache + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "37" + scriptarguments: + value: + complex: + root: RelationshipsWithIPs + accessor: EntityB + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -520, + "y": 2120 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "37": + id: "37" + taskid: c732f3b0-c0b2-4650-81b9-f463c8d68f58 + type: condition + task: + id: c732f3b0-c0b2-4650-81b9-f463c8d68f58 + version: -1 + name: Any malicious IPs? + description: Checks whether any IP found is malicious. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "41" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: DBotScoreCache + filters: + - - operator: isEqualString + left: + value: + simple: DBotScoreCache.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": -340, + "y": 2300 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "40": + id: "40" + taskid: f0844f55-7269-48ce-8368-306957b45da7 + type: regular + task: + id: f0844f55-7269-48ce-8368-306957b45da7 + version: -1 + name: Save their corresponding domains in a new key + description: Saves the domains that resolved to the malicious IPs in a new key. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + key: + simple: DomainsRelatedToMaliciousIPs + value: + complex: + root: RelationshipsWithIPs + filters: + - - operator: in + left: + value: + simple: RelationshipsWithIPs.EntityB + iscontext: true + right: + value: + simple: MaliciousIPs + iscontext: true + accessor: EntityA + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -340, + "y": 2680 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "41": + id: "41" + taskid: ecdcf14b-afbf-480d-80be-8ab3586e5e93 + type: regular + task: + id: ecdcf14b-afbf-480d-80be-8ab3586e5e93 + version: -1 + name: Save malicious IPs in a new key + description: Saves the malicious IPs in a new key. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "40" + scriptarguments: + key: + simple: MaliciousIPs + value: + complex: + root: DBotScoreCache + filters: + - - operator: isEqualString + left: + value: + simple: DBotScoreCache.Score + iscontext: true + right: + value: + simple: "3" + accessor: Indicator + transformers: + - operator: uniq + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -520, + "y": 2500 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "42": + id: "42" + taskid: de617776-2de6-43b8-841b-c91b9010ffc9 + type: title + task: + id: de617776-2de6-43b8-841b-c91b9010ffc9 + version: -1 + name: Check Resolution to Malicious IPs + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "34" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": -340, + "y": 1615 + } + } + note: false + timertriggers: [] + 
ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "43": + id: "43" + taskid: ec96c0d0-95fa-436b-8334-d74cacdcb475 + type: regular + task: + id: ec96c0d0-95fa-436b-8334-d74cacdcb475 + version: -1 + name: 'Check for related threat actors / campaigns ' + description: Searches the domains for relationships with threat actors or campaigns. + scriptName: SearchIndicatorRelationships + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "46" + - "49" + scriptarguments: + entities: + complex: + root: playbookQuery + accessor: value + extend-context: + simple: RelationshipsWithCampaigns= + ignore-outputs: + simple: "true" + relationships: + simple: indicated-by,part-of,related-to,attributed-to + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 770, + "y": 1775 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "44": + id: "44" + taskid: 38c32ca9-470f-47be-8973-c21e004ae23e + type: title + task: + id: 38c32ca9-470f-47be-8973-c21e004ae23e + version: -1 + name: Check Domain Tags + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "10" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1770, + "y": 1615 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "45": + id: "45" + taskid: 30a42f79-4e4f-4ac5-8966-af9095bcd943 + type: title + task: + id: 30a42f79-4e4f-4ac5-8966-af9095bcd943 + version: -1 + name: Check Relation To Threat Actors / Campaigns + type: title + iscommand: false + brand: "" + description: '' + nexttasks: + '#none#': + - "43" + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 770, + "y": 1615 + } + } + note: 
false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "46": + id: "46" + taskid: 40407e32-a7d7-4695-856b-1cc103213827 + type: condition + task: + id: 40407e32-a7d7-4695-856b-1cc103213827 + version: -1 + name: Any campaigns found? + description: Checks whether any relationships to campaigns were found. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "48" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: RelationshipsWithCampaigns + filters: + - - operator: isEqualString + left: + value: + simple: RelationshipsWithCampaigns.EntityBType + iscontext: true + right: + value: + simple: Campaign + ignorecase: true + accessor: EntityB + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 500, + "y": 1960 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "48": + id: "48" + taskid: b4d7e5ad-3c4c-49f1-80f8-db5550640f8e + type: regular + task: + id: b4d7e5ad-3c4c-49f1-80f8-db5550640f8e + version: -1 + name: Save their corresponding domains in a new key + description: Saves the domains that have relationships to campaigns in a new key. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + key: + simple: DomainsRelatedToCampaigns + value: + complex: + root: RelationshipsWithCampaigns + filters: + - - operator: isEqualString + left: + value: + simple: RelationshipsWithCampaigns.EntityBType + iscontext: true + right: + value: + simple: Campaign + ignorecase: true + accessor: EntityA + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 330, + "y": 2150 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "49": + id: "49" + taskid: da487d6f-a8b1-4f7a-8c79-e1e7caac3da9 + type: condition + task: + id: da487d6f-a8b1-4f7a-8c79-e1e7caac3da9 + version: -1 + name: Any threat actors found? + description: Checks whether any relationships to threat actors were found. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "8" + "yes": + - "50" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isNotEmpty + left: + value: + complex: + root: RelationshipsWithCampaigns + filters: + - - operator: isEqualString + left: + value: + simple: RelationshipsWithCampaigns.EntityBType + iscontext: true + right: + value: + simple: Threat Actor + ignorecase: true + accessor: EntityB + iscontext: true + right: + value: {} + continueonerrortype: "" + view: |- + { + "position": { + "x": 1000, + "y": 1960 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false + "50": + id: "50" + taskid: 666a7f2c-1788-4595-8b56-04f9da182103 + type: regular + task: + id: 666a7f2c-1788-4595-8b56-04f9da182103 + version: -1 + name: Save their corresponding domains in a new key + description: Saves the domains that have relationships to threat actors in a new key. 
+ scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + key: + simple: DomainsRelatedToThreatActors + value: + complex: + root: RelationshipsWithCampaigns + filters: + - - operator: isEqualString + left: + value: + simple: RelationshipsWithCampaigns.EntityBType + iscontext: true + right: + value: + simple: Threat Actor + ignorecase: true + accessor: EntityA + separatecontext: false + continueonerrortype: "" + view: |- + { + "position": { + "x": 1170, + "y": 2150 + } + } + note: false + timertriggers: [] + ignoreworker: false + skipunavailable: false + quietmode: 0 + isoversize: false + isautoswitchedtoquietmode: false +view: |- + { + "linkLabelsPosition": { + "15_14_#default#": 0.2, + "15_24_yes": 0.35, + "17_14_#default#": 0.33, + "17_18_yes": 0.54, + "18_14_#default#": 0.44, + "24_14_#default#": 0.24, + "24_20_yes": 0.47, + "26_29_#default#": 0.16, + "30_31_#default#": 0.24, + "30_4_yes": 0.4, + "35_36_yes": 0.5, + "35_8_#default#": 0.16, + "37_41_yes": 0.47, + "37_8_#default#": 0.2, + "46_48_yes": 0.4, + "46_8_#default#": 0.1, + "49_50_yes": 0.35, + "49_8_#default#": 0.1, + "4_14_#default#": 0.1 + }, + "paper": { + "dimensions": { + "height": 3400, + "width": 3140, + "x": -990, + "y": 35 + } + } + } +inputs: +- key: "" + value: {} + required: false + description: All domain indicators. In the playbook, the domains will be filtered by those used for malicious communication, and tagged to be sinkholed. 
+ playbookInputQuery:
+ query: type:Domain
+ queryEntity: indicators
+ results:
+ daterange:
+ fromdate: 0001-01-01T00:00:00Z
+ todate: 0001-01-01T00:00:00Z
+ period:
+ by: ""
+ byto: ""
+ byfrom: ""
+ tovalue:
+ fromvalue:
+ field: ""
+ fromdatelicenseval: 0001-01-01T00:00:00Z
+ runFromLastJobTime: true
+- key: SinkholeTagForEDL
+ value:
+ simple: to_sinkhole
+ required: true
+ description: The tag that should be applied to the domain so that it will be exported to the EDL using the Generic Export Indicators Service integration in Cortex XSOAR.
+ playbookInputQuery:
+- key: EnrichUnknownDomains
+ value:
+ simple: "False"
+ required: false
+ description: |-
+ Whether to enrich unknown domains. Enriching domains can be useful to gain additional information regarding reputation for domains from your feed which will help identify domains used in C2 communication, but may consume more API quota from your threat intelligence integrations.
+ Can be True or False.
+ playbookInputQuery:
+- key: EnrichSuspiciousDomains
+ value:
+ simple: "False"
+ required: false
+ description: |-
+ Whether to enrich suspicious domains. Enriching domains can be useful to gain additional information regarding reputation for domains from your feed which will help identify domains used in C2 communication, but may consume more API quota from your threat intelligence integrations.
+ Can be True or False.
+ playbookInputQuery:
+outputs: []
+quiet: true
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole_README.md b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole_README.md
new file mode 100644
index 000000000000..7a3cae148044
--- /dev/null
+++ b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole_README.md
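Review bot: Tasks "40", "48" and "50" save a domain for sinkholing on the strength of a relationship alone (the EntityA side of a resolves-to, related-to, part-of, indicated-by or attributed-to edge) without checking the domain's own verdict, whereas task "10" additionally requires `playbookQuery.score` to be 2 or 3. A domain scored good that shares a hosting IP with a malicious one, or a legitimate domain that a feed linked to a campaign through a related-to edge, would then receive the `inputs.SinkholeTagForEDL` tag and be sinkholed once the EDL refreshes; whether the relationship scripts return such domains in practice I can't tell from the hunk. Consider applying the same score filter to those three tasks or to the input query, and at least stating it in the playbook description, e.g. `Note: Domains related to a campaign, threat actor or malicious IP are tagged regardless of their own verdict, so review the EDL contents before connecting it to a sinkhole action.` In task "10", the last `containsGeneral` filter on "malware" is the only one of the five without `ignorecase: true`, so a tag written "Malware" would not match; adding `ignorecase: true` under it makes it consistent with the others. That task's description also names only the "c2", "c&c" and "command and control" tags while the filter additionally matches "malicious-activity" and "malware" and requires a score of 2 or 3, so the description should list all five tags and the score condition.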
@@ -0,0 +1,53 @@
+This TIM playbook should be run as a job. The playbook runs on domain indicators and performs various checks to decide if they should be sinkholed.
+
+If a domain is related to a campaign or a threat actor, or if it resolves to a malicious IP or has malware-related tags, the playbook will add a new tag to it in order to sinkhole that domain.
+
+The playbook assumes that the user is exporting indicators with the sinkhole tag to an EDL (External Dynamic List) using the Export Generic Indicators Service integration in Cortex XSOAR. That EDL should be connected to PAN-OS. It also assumes that a DNS sinkhole is configured in the PAN-OS firewall. However, these are not required for the sole purpose of tagging the domains.
+
+Note: This playbook has inputs from both the "From context data" tab and the "From indicators" tab.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* GetIndicatorDBotScoreFromCache
+* Set
+* SetAndHandleEmpty
+* SearchIndicatorRelationships
+
+### Commands
+
+* enrichIndicators
+* appendIndicatorField
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Indicator Query | All domain indicators. In the playbook, the domains will be filtered by those used for malicious communication, and tagged to be sinkholed. | type:Domain | Optional |
+| SinkholeTagForEDL | The tag that should be applied to the domain so that it will be exported to the EDL using the Generic Export Indicators Service integration in Cortex XSOAR. | to_sinkhole | Required |
+| EnrichUnknownDomains | Whether to enrich unknown domains.
Enriching domains can be useful to gain additional information regarding reputation for domains from your feed which will help identify domains used in C2 communication, but may consume more API quota from your threat intelligence integrations.
Can be True or False. | False | Optional |
+| EnrichSuspiciousDomains | Whether to enrich suspicious domains. Enriching domains can be useful to gain additional information regarding reputation for domains from your feed which will help identify domains used in C2 communication, but may consume more API quota from your threat intelligence integrations.
Can be True or False. | False | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![PAN-OS - Job - Add Malicious Domains To Sinkhole](../doc_files/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.png)
diff --git a/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.yml b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.yml
new file mode 100644
index 000000000000..87bde8e3469d
--- /dev/null
+++ b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.yml
@@ -0,0 +1,508 @@
+id: PAN-OS - Job - Remove Malicious Domains From Sinkhole
+version: -1
+name: PAN-OS - Job - Remove Malicious Domains From Sinkhole
+description: |-
+ This playbook should be run as a job. It is used to periodically remove the specified tag from domain indicators. It should be used in conjunction with the "PAN-OS - Job - Add Malicious Domains To Sinkhole" playbook, to stop domains from being sinkholed after a certain amount of time.
+ The idea is that traffic to malicious domains will not be redirected to a sinkhole address forever, as malicious domains tend to lose their malicious properties (become inactive, get taken down, or the malware using them is no longer used or maintained).
+tags:
+- TIM
+- Sinkhole
+- PAN-OS
+starttaskid: "0"
+tasks:
+ "0":
+ id: "0"
+ taskid: 59964f1b-d04b-4ede-8fbe-3c5d81afe4b1
+ type: start
+ task:
+ id: 59964f1b-d04b-4ede-8fbe-3c5d81afe4b1
+ version: -1
+ name: ""
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "1"
+ - "3"
+ - "6"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 50
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "1":
+ id: "1"
+ taskid: 2bc6fde6-29d1-40dc-82ed-e11d5dfe55ef
+ type: regular
+ task:
+ id: 2bc6fde6-29d1-40dc-82ed-e11d5dfe55ef
+ version: -1
+ name: Get domains with sinkhole tag
+ description: Gets all the domains that have the sinkhole tag.
+ script: Builtin|||findIndicators
+ type: regular
+ iscommand: true
+ brand: Builtin
+ nexttasks:
+ '#none#':
+ - "13"
+ scriptarguments:
+ extend-context:
+ simple: indicators=
+ query:
+ complex:
+ root: inputs.SinkholeTag
+ transformers:
+ - operator: concat
+ args:
+ prefix:
+ value:
+ simple: tags:"
+ suffix:
+ value:
+ simple: '" and type:Domain'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 200
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "3":
+ id: "3"
+ taskid: 7c1c7038-aaa1-4b07-8677-4921ab9077f5
+ type: regular
+ task:
+ id: 7c1c7038-aaa1-4b07-8677-4921ab9077f5
+ version: -1
+ name: Get the oldest decay date
+ description: Gets the oldest date and time according to the decay period configured in the playbook input. Domains that have not been tagged since the decay time will be untagged.
+ scriptName: GetTime
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "13"
+ scriptarguments:
+ contextKey:
+ simple: MinimumTime
+ dateFormat:
+ simple: ISO
+ daysAgo:
+ complex:
+ root: inputs.DaysTaggedBeforeRemoval
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": -10,
+ "y": 200
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "4":
+ id: "4"
+ taskid: 1f109241-f295-4231-8a78-ae89b78d98e1
+ type: regular
+ task:
+ id: 1f109241-f295-4231-8a78-ae89b78d98e1
+ version: -1
+ name: Remove tags from the decayed domains
+ description: Removes the sinkhole tag from the domains that reached the decay period according to the playbook input.
+ script: Builtin|||removeIndicatorField
+ type: regular
+ iscommand: true
+ brand: Builtin
+ nexttasks:
+ '#none#':
+ - "5"
+ scriptarguments:
+ field:
+ simple: tags
+ fieldValue:
+ complex:
+ root: inputs.SinkholeTag
+ indicatorsValues:
+ complex:
+ root: indicators.value
+ filters:
+ - - operator: notIn
+ left:
+ value:
+ simple: indicators.value
+ iscontext: true
+ right:
+ value:
+ simple: DomainsRecentlyTagged
+ iscontext: true
+ ignorecase: true
+ transformers:
+ - operator: uniq
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 680,
+ "y": 1090
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "5":
+ id: "5"
+ taskid: e35a4a0b-aca0-4f03-8572-d70614c500e5
+ type: title
+ task:
+ id: e35a4a0b-aca0-4f03-8572-d70614c500e5
+ version: -1
+ name: Done
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 1330
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "6":
+ id: "6"
+ taskid: 70f7905f-7f25-44de-8f4c-d4adc31a80ff
+ type: regular
+ task:
+ id: 70f7905f-7f25-44de-8f4c-d4adc31a80ff
+ version: -1
+ name: Save the name of the tagging event to search in history
+ description: Saves the name of the event that appears in the indicator timeline section, so that it can be used when filtering past tag events and deciding whether to remove the tag from the indicator.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "13"
+ scriptarguments:
+ key:
+ simple: TagEventName
+ value:
+ complex:
+ root: inputs.SinkholeTag
+ transformers:
+ - operator: concat
+ args:
+ prefix:
+ value:
+ simple: 'The value '
+ suffix:
+ value:
+ simple: ' was added to field Tags'
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 970,
+ "y": 200
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "13":
+ id: "13"
+ taskid: 91bb4e5f-5008-4f03-8449-b3238c8025e3
+ type: title
+ task:
+ id: 91bb4e5f-5008-4f03-8449-b3238c8025e3
+ version: -1
+ name: Filter Domains
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "17"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 385
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "17":
+ id: "17"
+ taskid: b12a2bae-cb41-4c91-833c-9151d0c41f96
+ type: condition
+ task:
+ id: b12a2bae-cb41-4c91-833c-9151d0c41f96
+ version: -1
+ name: Has any of the tagged domains been recently tagged?
+ description: |-
+ Checks whether any of the checked domains was tagged *after* the oldest decay date and time. If they were, they will not be considered in the decay time period, and will not be untagged.
+ They will be untagged when the playbook re-runs and the time window changes in a way that their tagging activity is not present in the decay time window.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "19"
+ "yes":
+ - "18"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: indicators
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: indicators.comments.content
+ iscontext: true
+ right:
+ value:
+ simple: TagEventName
+ iscontext: true
+ - - operator: isAfter
+ left:
+ value:
+ simple: indicators.comments.created
+ iscontext: true
+ right:
+ value:
+ simple: MinimumTimeTimeNow
+ iscontext: true
+ accessor: value
+ iscontext: true
+ right:
+ value: {}
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 530
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "18":
+ id: "18"
+ taskid: 4ea6f022-63b6-4742-83d8-b92a67862e9e
+ type: regular
+ task:
+ id: 4ea6f022-63b6-4742-83d8-b92a67862e9e
+ version: -1
+ name: Save newly tagged domains
+ description: Saves the domains that were tagged since the decay period.
+ scriptName: Set
+ type: regular
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#none#':
+ - "19"
+ scriptarguments:
+ key:
+ simple: DomainsRecentlyTagged
+ value:
+ complex:
+ root: indicators
+ filters:
+ - - operator: isEqualString
+ left:
+ value:
+ simple: indicators.comments.content
+ iscontext: true
+ right:
+ value:
+ simple: TagEventName
+ iscontext: true
+ - - operator: isAfter
+ left:
+ value:
+ simple: indicators.comments.created
+ iscontext: true
+ right:
+ value:
+ simple: MinimumTimeTimeNow
+ iscontext: true
+ accessor: value
+ transformers:
+ - operator: uniq
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 160,
+ "y": 720
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "19":
+ id: "19"
+ taskid: ed078f6d-529e-4243-8d35-a03182bdd5ad
+ type: condition
+ task:
+ id: ed078f6d-529e-4243-8d35-a03182bdd5ad
+ version: -1
+ name: Any domains have NOT been tagged recently?
+ description: Checks whether any of the checked domains was not tagged within the decay period. If domains have been recently tagged (e.g., after the date derived from the decay period input), they will not be untagged.
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "5"
+ "yes":
+ - "4"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isNotEmpty
+ left:
+ value:
+ complex:
+ root: indicators
+ filters:
+ - - operator: notIn
+ left:
+ value:
+ simple: indicators.value
+ iscontext: true
+ right:
+ value:
+ simple: DomainsRecentlyTagged
+ iscontext: true
+ accessor: value
+ iscontext: true
+ right:
+ value: {}
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 450,
+ "y": 900
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+view: |-
+ {
+ "linkLabelsPosition": {},
+ "paper": {
+ "dimensions": {
+ "height": 1345,
+ "width": 1360,
+ "x": -10,
+ "y": 50
+ }
+ }
+ }
+inputs:
+- key: SinkholeTag
+ value:
+ simple: to_sinkhole
+ required: true
+ description: |-
+ The tag that will be removed from the tagged domain indicators.
+ This should be the tag that was used to export the domains to the EDL using the Generic Export Indicators Service integration, which is used by the firewall's sinkhole configuration.
+ playbookInputQuery:
+- key: DaysTaggedBeforeRemoval
+ value:
+ simple: "14"
+ required: true
+ description: |-
+ The "decay period" - how many days should pass since the domains were tagged, before removing the sinkhole tag from those domains.
+ The value should be a number of days. For example: 14.
+
+ Technical details: When specifying the decay period, the playbook will take into account multiple tagging/untagging activities in the domain indicator in Cortex XSOAR. This means that if you specified a value of "14" and a domain was tagged 15 days ago, but also untagged and then tagged again 10 days ago - it will not be untagged by the playbook, as tagging activity happened 10 days ago.
It will, however, be untagged when the playbook runs 5 days afterwards, since at that time the domain will have reached the decay period again.
+ playbookInputQuery:
+outputs: []
+quiet: true
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
diff --git a/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole_README.md b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole_README.md
new file mode 100644
index 000000000000..a87a11c13a4b
--- /dev/null
+++ b/Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole_README.md
@@ -0,0 +1,44 @@
+This playbook should be run as a job. It is used to periodically remove the specified tag from domain indicators. It should be used in conjunction with the "PAN-OS - Job - Add Malicious Domains To Sinkhole" playbook, to stop domains from being sinkholed after a certain amount of time.
+The idea is that traffic to malicious domains will not be redirected to a sinkhole address forever, as malicious domains tend to lose their malicious properties (become inactive, get taken down, or the malware using them is no longer used or maintained).
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+This playbook does not use any sub-playbooks.
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* GetTime
+* Set
+
+### Commands
+
+* findIndicators
+* removeIndicatorField
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| SinkholeTag | The tag that will be removed from the tagged domain indicators.
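Review bot: In tasks "17" and "18", the "recently tagged" test combines two filter groups on `indicators` — `indicators.comments.content` equal to `TagEventName` and `indicators.comments.created` after `MinimumTimeTimeNow` — and nothing ties them to the same timeline entry, so if the filter engine evaluates each condition against the comments array on its own, an indicator with an old sinkhole tag event plus any newer comment would be kept in the sinkhole beyond the decay period. That is worth confirming against the filter semantics, and until a per-entry match is available the limitation belongs in task "17"'s description, e.g. `The two comment conditions are not bound to the same timeline entry; any newer comment on the indicator keeps it tagged.`. Task "1" calls `findIndicators` with no `size` argument, so if the command returns only a default page, tagged domains past that page are never untagged by a run; passing `size` explicitly, or documenting the cap in the `DaysTaggedBeforeRemoval` description, would make this visible. The matching in task "6" also depends on the exact wording of the platform's timeline message (`The value <tag> was added to field Tags`), which the playbook description should state so that a format change is recognised as the cause if domains stop decaying.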
This should be the tag that was used to export the domains to the EDL using the Generic Export Indicators Service integration, which is used by the firewall's sinkhole configuration. | to_sinkhole | Required |
+| DaysTaggedBeforeRemoval | The "decay period" - how many days should pass since the domains were tagged, before removing the sinkhole tag from those domains.
The value should be a number of days. For example: 14.

Technical details: When specifying the decay period, the playbook will take into account multiple tagging/untagging activities in the domain indicator in Cortex XSOAR. This means that if you specified a value of "14" and a domain was tagged 15 days ago, but also untagged and then tagged again 10 days ago - it will not be untagged by the playbook, as tagging activity happened 10 days ago. It will, however, be untagged when the playbook runs 5 days afterwards, since at that time the domain will have reached the decay period again. | 14 | Required |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![PAN-OS - Job - Remove Malicious Domains From Sinkhole](../doc_files/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.png)
diff --git a/Packs/PAN-OS/ReleaseNotes/2_1_0.md b/Packs/PAN-OS/ReleaseNotes/2_1_0.md
new file mode 100644
index 000000000000..835662b351c4
--- /dev/null
+++ b/Packs/PAN-OS/ReleaseNotes/2_1_0.md
@@ -0,0 +1,9 @@
+
+#### Playbooks
+
+##### New: PAN-OS - Job - Add Malicious Domains To Sinkhole
+
+New: This playbook should be run as a job. The playbook runs on domain indicators and performs various checks to decide if they should be sinkholed. Domains that should be sinkholed will be tagged accordingly, and it is expected that the user configures an EDL to sinkhole the tagged domains. (Available from Cortex XSOAR 6.9.0).
+##### New: PAN-OS - Job - Remove Malicious Domains From Sinkhole
+
+New: This playbook should be run as a job. It is used to periodically remove the specified tag from domain indicators. It should be used in conjunction with the "PAN-OS - Job - Add Malicious Domains To Sinkhole" playbook, to stop domains from being sinkholed after a specified amount of time. (Available from Cortex XSOAR 6.9.0).
diff --git a/Packs/PAN-OS/doc_files/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.png b/Packs/PAN-OS/doc_files/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.png
new file mode 100644
index 000000000000..7bee3c285e71
Binary files /dev/null and b/Packs/PAN-OS/doc_files/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.png differ
diff --git a/Packs/PAN-OS/doc_files/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.png b/Packs/PAN-OS/doc_files/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.png
new file mode 100644
index 000000000000..cb9ceed2d1a9
Binary files /dev/null and b/Packs/PAN-OS/doc_files/PAN-OS_-_Job_-_Remove_Malicious_Domains_From_Sinkhole.png differ
diff --git a/Packs/PAN-OS/pack_metadata.json b/Packs/PAN-OS/pack_metadata.json
index 4a5cd3b1dba0..d78cc97a10e8 100644
--- a/Packs/PAN-OS/pack_metadata.json
+++ b/Packs/PAN-OS/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "PAN-OS by Palo Alto Networks",
 "description": "Manage Palo Alto Networks Firewall and Panorama. Use this pack to manage Prisma Access through Panorama. For more information see Panorama documentation.",
 "support": "xsoar",
- "currentVersion": "2.0.0",
+ "currentVersion": "2.1.0",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",