Add / Remove Malicious Domains From Sinkhole #28197

Merged
merged 22 commits into from Aug 9, 2023
Changes from 15 commits
Commits
22 commits
7dfa744
Add / remove domains from sinkhole
idovandijk Jul 16, 2023
c98da91
Merge branch 'master' of github.com:demisto/content into add-domains-…
idovandijk Jul 17, 2023
79078c6
Added playbooks, readmes and playbook images
idovandijk Jul 17, 2023
5615f27
Added RN and bumped version
idovandijk Jul 17, 2023
bd97b97
Changed version and updated RN, and merged from master
idovandijk Jul 17, 2023
8636388
Merge branch 'master' of github.com:demisto/content into add-domains-…
idovandijk Jul 17, 2023
6034af2
Updated playbooks
idovandijk Jul 17, 2023
c2f95ee
Updated playbooks and readme files
idovandijk Jul 17, 2023
4ed9fff
Updated playbook name and all references. New name: "PAN-OS - Extract…
idovandijk Jul 17, 2023
cf2c06c
Merged master into current branch.
Jul 19, 2023
0b67a0a
Bump pack from version PAN-OS to 1.17.16.
Jul 19, 2023
a28cad7
Merge remote-tracking branch 'origin/add-domains-to-sinkhole' into ad…
idovandijk Jul 17, 2023
e6efdc4
Fixed conflicts from master
idovandijk Aug 8, 2023
a6395fe
After review - updated playbooks, playbook images and playbook READMEs
idovandijk Aug 8, 2023
833a2b7
Merge branch 'master' of github.com:demisto/content into add-domains-…
idovandijk Aug 8, 2023
23375d2
Apply suggestions from tech docs
idovandijk Aug 9, 2023
bfb63d0
Merge branch 'master' into add-domains-to-sinkhole
idovandijk Aug 9, 2023
e033c12
Update Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To…
idovandijk Aug 9, 2023
c55d7df
Update Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To…
idovandijk Aug 9, 2023
121b491
Update Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To…
idovandijk Aug 9, 2023
b7d4402
Update Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains…
idovandijk Aug 9, 2023
a882b69
Update Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Remove_Malicious_Domains…
idovandijk Aug 9, 2023
1,524 changes: 1,524 additions & 0 deletions Packs/PAN-OS/Playbooks/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.yml


@@ -0,0 +1,53 @@
This TIM playbook should be run as a job. The playbook runs on domain indicators and performs various checks to decide if they should be sinkholed.

If a domain is related to a campaign or a threat actor, or if it resolves to a malicious IP or has malware-related tags, the playbook will add a new tag to it in order to sinkhole that domain.

The playbook assumes that the user is exporting indicators with the sinkhole tag to an EDL (External Dynamic List) using the Export Generic Indicators Service integration in XSOAR. That EDL should be connected to PAN-OS. It also assumes that a DNS sinkhole is configured in the PAN-OS firewall. However, these are not required for the sole purpose of tagging the domains.

Note: this playbook has inputs for both the "From context data" tab and for the "From indicators" tab.

## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

This playbook does not use any sub-playbooks.

### Integrations

This playbook does not use any integrations.

### Scripts

* GetIndicatorDBotScoreFromCache
* Set
* SetAndHandleEmpty
* SearchIndicatorRelationships

### Commands

* enrichIndicators
* appendIndicatorField

## Playbook Inputs

---

| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| Indicator Query | All domain indicators. In the playbook, the domains will be filtered by those used for malicious communication, and tagged to be sinkholed. | type:Domain | Optional |
| SinkholeTagForEDL | The tag that should be applied to the domain so that it will be exported to the EDL using the Generic Export Indicators Service integration in XSOAR. | to_sinkhole | Required |
| EnrichUnknownDomains | Whether to enrich unknown domains. Enriching domains can be useful to gain additional information regarding reputation for domains from your feed which will help identify domains used in C2 communication, but may consume more API quota from your threat intelligence integrations.<br/>Can be True or False. | False | Optional |
| EnrichSuspiciousDomains | Whether to enrich suspicious domains. Enriching domains can be useful to gain additional information regarding reputation for domains from your feed which will help identify domains used in C2 communication, but may consume more API quota from your threat intelligence integrations.<br/>Can be True or False. | False | Optional |

## Playbook Outputs

---
There are no outputs for this playbook.

## Playbook Image

---

![PAN-OS - Job - Add Malicious Domains To Sinkhole](../doc_files/PAN-OS_-_Job_-_Add_Malicious_Domains_To_Sinkhole.png)
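Review bot: the description paragraph ("If a domain is related to a campaign or a threat actor, or if it resolves to a malicious IP or has malware-related tags, the playbook will add a new tag") is the only statement of the criteria that cause a domain to be exported to the EDL and sinkholed by the firewall, and it is not precise enough for an operator to predict false positives. The "resolves to a malicious IP" condition in particular can match benign domains hosted on a shared or CDN address that also hosts something flagged as malicious, and nothing in the README says whether that check requires a relationship found by SearchIndicatorRelationships, a DBot score from GetIndicatorDBotScoreFromCache, or both. Suggest expanding that paragraph to list each condition with the script or command that evaluates it, stating what score thresholds the EnrichUnknownDomains and EnrichSuspiciousDomains inputs act on, and adding a sentence that the companion "PAN-OS - Job - Remove Malicious Domains" playbook added in this PR is the intended way to undo a sinkhole tag, so a reader of this README knows the tag is not permanent. The Playbook Inputs table could also note that SinkholeTagForEDL must match the tag query configured in the Generic Export Indicators Service instance, since a mismatch silently produces an empty EDL.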