demisto · ArikDay · Nov 19, 2023 · Aug 8, 2023 · Aug 8, 2023 · Aug 8, 2023
@@ -0,0 +1,47 @@
+This playbook will search a file or process activity of a software by a given image file name. The analyst can then choose the files to block.
+The following integrations are supported:
+
+- Cortex XDR XQL Engine 
+- Microsoft Defender For Endpoint
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* MDE - Search And Block Software
+* Cortex XDR - Search And Block Software - XQL Engine
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+* DeleteContext
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| FileName | File name to search |  | Optional |
+| TimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. |  | Optional |
+| Indicator Expiration | DateTime string indicating when the indicator expires. Format: \(&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days\). |  | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Search And Block Software - Generic](../doc_files/Search_And_Block_Software_-_Generic.png)
@@ -0,0 +1,283 @@
+id: Search and Compare Process Executions - Generic
+version: -1
+name: Search and Compare Process Executions - Generic
+description: |-
+  This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+  - Cortex XDR XQL Engine
+  - Cortex XDR IR(Search executions inside XDR alerts)
+  - Microsoft Defender For Endpoint
+
+  Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+  - value: *process name*
+  - commands: *command-line arguments*
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: e4d8d0c7-56ec-4b27-8fbb-ae3a02490091
+    type: start
+    task:
+      id: e4d8d0c7-56ec-4b27-8fbb-ae3a02490091
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "15"
+      - "16"
+      - "17"
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 80
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "14":
+    id: "14"
+    taskid: 6511abc4-4a61-4657-86b8-3809cbcc5dae
+    type: title
+    task:
+      id: 6511abc4-4a61-4657-86b8-3809cbcc5dae
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    continueonerrortype: ""
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 400
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "15":
+    id: "15"
+    taskid: 0c2ea311-165b-48ae-8f5f-92cb5ec5e81b
+    type: playbook
+    task:
+      id: 0c2ea311-165b-48ae-8f5f-92cb5ec5e81b
+      version: -1
+      name: MDE - Search and Compare Process Executions
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Microsoft Defender For Endpoint" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: MDE - Search and Compare Process Executions
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 450,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "16":
+    id: "16"
+    taskid: 936cbb1b-fc14-42e0-80e4-9ca0bbec9f10
+    type: playbook
+    task:
+      id: 936cbb1b-fc14-42e0-80e4-9ca0bbec9f10
+      version: -1
+      name: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument.  It uses the "Cortex XDR IR" integration to search for the given process executions inside XDR alerts and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input  the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Cortex XDR - Search and Compare Process Executions - XDR Alerts
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      SearchXDRAlerts:
+        complex:
+          root: inputs.SearchXDRAlerts
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+      forEach: true
+    view: |-
+      {
+        "position": {
+          "x": 40,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "17":
+    id: "17"
+    taskid: 6246b45d-476d-4e3d-8c6a-6eccafe838ef
+    type: playbook
+    task:
+      id: 6246b45d-476d-4e3d-8c6a-6eccafe838ef
+      version: -1
+      name: Cortex XDR - Search and Compare Process Executions - XQL Engine
+      description: |-
+        This playbook is a generic playbook that receives a process name and a command-line argument. It uses the "Cortex XDR - XQL Engine" integration to search for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input.
+
+        Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+        - value: *process name*
+        - commands: *command-line arguments*
+      playbookName: Cortex XDR - Search and Compare Process Executions - XQL Engine
+      type: playbook
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "14"
+    scriptarguments:
+      HuntingTimeFrame:
+        complex:
+          root: inputs.HuntingTimeFrame
+      Processes:
+        complex:
+          root: inputs.Processes
+      StringSimilarityThreshold:
+        complex:
+          root: inputs.StringSimilarityThreshold
+    separatecontext: true
+    continueonerrortype: ""
+    loop:
+      iscommand: false
+      exitCondition: ""
+      wait: 1
+      max: 100
+    view: |-
+      {
+        "position": {
+          "x": 870,
+          "y": 220
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: true
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 385,
+        "width": 1210,
+        "x": 40,
+        "y": 80
+      }
+    }
+  }
+inputs:
+- key: Processes
+  value: {}
+  required: false
+  description: |-
+    Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:
+    - value: *process name*
+    - commands: *command-line arguments*
+  playbookInputQuery:
+- key: HuntingTimeFrame
+  value:
+    simple: 7 days
+  required: false
+  description: 'Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours.'
+  playbookInputQuery:
+- key: StringSimilarityThreshold
+  value:
+    simple: "0.5"
+  required: false
+  description: StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold.
+  playbookInputQuery:
+- key: SearchXDRAlerts
+  value: {}
+  required: false
+  description: Set to "True" if you want to hunt for processes that are part of XDR alerts
+  playbookInputQuery:
+outputs:
+- contextPath: StringSimilarity
+  description: StringSimilarity automation results.
+  type: unknown
+- contextPath: Findings
+  description: Suspicious process executions found.
+  type: unknown
+tests:
+- No tests (auto formatted)
+fromversion: 6.9.0
@@ -0,0 +1,57 @@
+This playbook is a generic playbook that receives a process name and a command-line argument. It searches for the given process executions and compares the command-line argument from the results to the command-line argument received from the playbook input. The playbook supports searching process executions using the following integrations:
+
+- Cortex XDR XQL Engine
+- Cortex XDR IR(Search executions inside XDR alerts)
+- Microsoft Defender For Endpoint
+
+Note: Under the "Processes" input, the playbook should receive an array that contains the following keys:
+- value: *process name*
+- commands: *command-line arguments*
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* MDE - Search and Compare Process Executions
+* Cortex XDR - Search and Compare Process Executions - XQL Engine
+* Cortex XDR - Search and Compare Process Executions - XDR Alerts
+
+### Integrations
+
+This playbook does not use any integrations.
+
+### Scripts
+
+This playbook does not use any scripts.
+
+### Commands
+
+This playbook does not use any commands.
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| Processes | Process name to search and command-line argument to compare. This input should receive an array that contains the following keys:<br/>- value: \*process name\*<br/>- commands: \*command-line arguments\* |  | Optional |
+| HuntingTimeFrame | Time in relative date or range format \(for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 \+02:00 and 2021-02-01 12:34:56 \+02:00"\). The default is the last 24 hours. | 7 days | Optional |
+| StringSimilarityThreshold | StringSimilarity automation threshold. A number between 0 and 1, where 1 represents the most similar results of string comparisons. The automation will output only the results with a similarity score equal to or greater than the specified threshold. | 0.5 | Optional |
+| SearchXDRAlerts | Set to "True" if you want to hunt for processes that are part of XDR alerts |  | Optional |
+
+## Playbook Outputs
+
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| StringSimilarity | StringSimilarity automation results. | unknown |
+| Findings | Suspicious process executions found. | unknown |
+
+## Playbook Image
+
+---
+
+![Search and Compare Process Executions - Generic](../doc_files/Search_and_Compare_Process_Executions_-_Generic.png)