This playbook has been deprecated. [22] Identum was renamed Trend Micro (Bristol) and its encryption technology was integrated into existing Trend Micro products. This integration works with Tanium Threat Response versions below 3.0.159. This is a pre-processing script that is used to create the attachments of incoming incidents in an existing incident, then drop the incoming incident. Initiates a new endpoint script execution to check if the file exists and retrieves the results. This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire a file as forensic evidence for further analysis. This integration communicates with Palo Alto IoT Cloud to get alerts, vulnerabilities and devices. Dependencies: SplunkPy and Demisto REST API integrations. The integration allows you to create, update, and delete requests, assign groups and technicians to requests, and link/unlink requests and modify their resolution. Deprecated. Get the requested sensors from all machines where the Index Query File Details match the given filter. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. If both Slack v2 and Microsoft Teams are available. Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook automatically remediates all non-behavioral indicators generated from SafeBreach Insights. In addition, it tracks errors if there are any, and assigns an analyst to review the incident when needed. This playbook sends a message on Telegram when a stock price rises higher than a predefined price. ArcSight ESM SIEM by Micro Focus (formerly HPE Software). The playbook accepts indicators such as IPs, hashes, and domains to run basic queries or more advanced queries that can leverage several query parameters.
With this integration, users can query PMI to surface CVEs that are known by Qintel to be leveraged by eCrime and Nation State adversaries. The service supports Microsoft Office files, as well as PDF, SWF, archives, and executables. Set indicator reputation to "suspicious" when the malicious ratio is above the threshold. This playbook creates a pull request using the Bitbucket integration. In that respect, Sophos is standing by to offer clients across the healthcare sector cybersecurity support to suit their needs. Given an integration name, returns the instance name. Manage Palo Alto Networks Firewall and Panorama. Use the Cortex XDR - IOCs feed integration to sync indicators from Cortex XSOAR to Cortex XDR and back to Cortex XSOAR. Agentless, Workload-Deep, Context-Aware Security and Compliance for AWS, Azure, and GCP. Microsoft Intune is rated 8.0, while VMware Workspace ONE is rated 8.0. Works for QRadar integration version 3; v1 and v2 are deprecated. Use the Spamhaus feed integration to fetch indicators from the feed. Execute osxcollector on a machine; can run ONLY on OSX. Enhancement script to enrich PassiveTotal components for Domain and IP type indicators. Delivers flexible and scalable OT/ICS asset visibility. This script is deprecated. When you upload a file to the service, the file is encrypted. This playbook sets up the webserver to handle HTTP GET requests. Playbook to demonstrate the features of XSOAR-Web-Server. Malwation AIMA malware analysis sandboxing. Health Check dynamic section, showing the top ten categories of the failed integrations in a pie chart. Checks if the Docker container running this script has been hardened according to the recommended settings at: This widget script generates a map of the Open Expanse Issue Incidents with provider On Prem.
With Tenable.sc (formerly SecurityCenter) you get a real-time, continuous assessment of your security posture so you can find and fix vulnerabilities faster. Use ${lastCompletedTaskEntries} to check the previous task entries. Finds similar incidents by common incident keys, labels, custom fields or context keys. This framework manages all PA's cloud managed products. To increase the security of your AWS account, it is recommended to find and remove IAM user credentials (passwords, access keys) that have not been used within a specified period of time. Amazon Web Services Security Hub Service. Use the cs-falcon-sandbox-submit-file command with polling=true instead. Nexthink helps IT teams deliver on the promise of the modern digital workplace. [8] The company was founded in 1988 in Los Angeles by Steve Chang, his wife, Jenny Chang, and her sister, Eva Chen. Use the DNSTwist integration to detect typosquatting, phishing, and corporate espionage. If the URL is a Proofpoint or ATP URL, extracts its redirect URL. This script will get the Unusual Activity Group from the "sta_unusual_activity_group" list. Coupled with the Endace InvestigationManager, this provides a central search and data-mining capability across a fabric of EndaceProbes deployed in a network. For example, type:RiskIQAsset. Deprecated. This playbook remediates the Registry Run Keys / Startup Folder technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. Detonates a URL using the Lastline sandbox integration. Note: This is a beta playbook, which lets you implement and test pre-release software. Use the Generic Export Indicators Service integration instead. Use the "ExtraHop - Ticket Tracking v2" playbook instead. Links the Demisto incident back to the ExtraHop detection that created it for ticket tracking purposes. Adds or removes an analyst from the out-of-office list in XSOAR. Use the Check Point Firewall v2 integration instead. Deprecated.
Simple SFTP Integration to copy files from an SFTP server using paramiko. Intel paid royalties to Trend Micro for sales of LANDesk Virus Protect in the United States and Europe, while Trend paid royalties to Intel for sales in Asia. Supports SHA256, SHA1, and MD5. The exposure is a misconfiguration found in Active Directory by an auditing tool. Endpoint Protection. Use the CrowdStrike Falcon X integration to submit files, file hashes, URLs, and FTPs for sandbox analysis, and to retrieve reports. Integrate with Atlassian's services to execute CRUD operations for employee lifecycle processes. Processes Cyren Incidents, sets resolutions, and applies remediations to end-user mailboxes. Gurucul Risk Analytics (GRA) is a Unified Security and Risk Analytics platform. Blocks an IP in the configured firewall. Check whether a given query returns enough incidents. This playbook remediates the Exploitation for Privilege Escalation technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. Parses ZTAP external links to display in a dynamic table. Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks. Rapid Breach Response dynamic section that shows the updated number of hunting tasks. It sends an HTML email to a set of users up to 2 times. If no inputs are specified, the indicators will be tagged for manual review. This playbook is responsible for ransomware alert data enrichment and response. hash, and url. Endpoint Protection: protection against malware, firewall, application control, NAC and data encryption. No available replacement. Endpoint and Server Protection products managed by Sophos Enterprise Console (on-premises). Sophos products are managed from Sophos Central, a unified cloud console for management and security operations. Populates the value of the GLPI Ticket State field and displays it in a layout widget.
Shows the detailed information of an asset identified as a "RiskIQAsset" type indicator in the layout of the indicator. It then made an agreement with CPU maker Intel, under which it produced an anti-virus product for local area networks (LANs) for sale under the Intel brand. Gets a value and returns it. Use the iDefense v2 integration instead. Google Drive allows users to store files on their servers, synchronize files across devices, and share files. Rapid Breach Response dynamic section that shows the updated number of mitigation tasks. Another feature enables you to specify a filter to create a new, smaller PCAP file. The ARIA Cybersecurity Solutions Software-Defined Security (SDS) platform integrates with Cortex XSOAR to add robustness when responding to incidents. This playbook remediates Prisma Cloud Azure Storage alerts. and `MessageID` inputs. This command should be run in a Job. This playbook is used to parse and search within PCAP files. [31] Nine certificates for seven domains were issued. As a facility delivering centralised healthcare for thousands of people every single day, the stakes involved in keeping it running 24 hours a day, seven days a week are literally life and death. The user can specify whether a manual review incident is required. This automation outputs the indicator relationships to context according to the provided query, using the entities, entityTypes, and relationships arguments. This playbook contains the phases for handling an incident as they are described in the SANS Institute Incident Handler's Handbook by Patrick Kral. In some ways, hospitals might as well have been designed to be exploited by ransomware gangs. Add email details to the relevant context entities and handle the case where original emails are attached. Unit 42 feed of published IOCs, which contains known malicious indicators. Use the MongoDB integration to search and query entries in your MongoDB. For integration with the Secureworks Taegis XDR platform.
Extracts IP addresses on block lists from AbuseIPDB, and populates indicators accordingly. This script is deprecated. Send an approval email to the manager of the employee with the given email, allowing the manager to reply directly into the incident. Collect your forensics data in under 10 minutes. By enriching CVEs with the DVE Score, Cortex XSOAR customers gain deeper visibility with relevant threat intel from the deep and dark web, with dynamic attributes such as where they are trending, POC exploit details, and more. Specify the tag to apply to these indicators in the playbook inputs. Each of the values can be searched across several fields. Assigns analysts who are not out of the office to the shift handover incident. The user should use the raw command. FraudWatch International provides a fully managed Enterprise Digital Brand Protection Suite, including online brand management and monitoring, as well as other brand protection solutions that protect organizations and their customers around the world against online brand-related abuse. Enrich an endpoint by hostname using one or more integrations. CIDR Indicators must be tagged properly using the corresponding tags (i.e. Below are lists of the top 10 contributors to committees that have raised at least $1,000,000 and are primarily formed to support or oppose a state ballot measure or a candidate for state office in the November 2022 general election. Subplaybook for the Handle Expanse Incident playbooks. Our platform automatically navigates complex attack chains that attackers put in front of threats in order to evade analysis. Automate data collection. A playbook to use the latest Threat Intelligence to hunt across your infrastructure and look for malicious C&C communications. From Cortex XSOAR version 6.0 and above, the integration also mirrors issues to existing issue incidents in Cortex XSOAR. The returns also flag any known fraud associations.
Perform a check on ePO endpoints to see if any endpoints are unmanaged or have lost connectivity with ePO, and take steps to return them to a valid state. The on-premise firewall by Sophos enables you to manage your firewall, respond to threats, and monitor what's happening on your network. Kaseya customers pointed out a ransomware outbreak in their environments. Enough said, huh? This playbook enriches Intelligence Alerts, Intelligence Reports, Malware Families, Threat Actors, Threat Groups and Threat Campaigns. This playbook remediates the User Execution technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. URLhaus has the goal of sharing malicious URLs that are being used for malware distribution. SafeBreach automatically executes thousands of breach methods from its extensive and growing Hackers Playbook to validate security control effectiveness. To enable the playbook, provide the relevant list names in the sub-playbook inputs, such as the ApprovedHashList, OrganizationsExternalIPListName, BusinessPartnersIPListName, etc. The playbook is triggered by a job. The CyberArk Application Identity Manager (AIM) provides a secure safe in which to store your account credentials. To select the indicators you want to enrich, go to playbook inputs, choose "from indicators" and set your query. Connect to McAfee TIE using the McAfee DXL client. Detonates a URL using the SecneurX Analysis integration. This playbook handles MITRE ATT&CK Techniques using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. Automate response actions like quarantining affected resources or snapshots to stop the spread of ransomware and avoid reinfection or contamination spread. It enables you to make filters with complex conditions.
This playbook gets as input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following: Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident. Uses ISO 3166-1 alpha-2 for the lookup. For handling of PCAP files larger than 30 MB, refer to the PcapMinerV2 documentation. Use the ThreatExchange v2 integration instead. Detonates a URL using the VMRay sandbox integration. [50] Trend announced the launch of a US$100 million venture capital investment fund in June 2017 focused on the next generation of technology, including the Internet of Things (IoT). If an array is provided, will return yes if one of the entries returned an error. The workflow accepts inputs like the date and time of the incident or a timeframe, source or destination IP address of the incident, source or destination IP port of the incident, protocol of the incident and name of the archive file. This playbook blocks IP addresses and URLs using Palo Alto Networks Panorama or Firewall External Dynamic Lists. Data output script for populating the dashboard number graph widget with the number of failing integrations. Additionally, it sends out an email to the address provided in the "ITNotificationEmail" input, which includes the new user's temporary password for preparing new hires' environments. Each entry in an array is merged into the existing array if the keyed value matches. The email is sent to the user who is assigned to the incident. It streamlines the process of returning company property, delegates resources to the employee's manager, retains important data that is in the possession of the employee, and deletes the user and user information if chosen to do so. Tanium, Inc. Security teams rely on our dependable and rich data to expand their threat landscape visibility, resulting in improved detection rates and response times.
Unpack a file using fileName or entryID to specify a file. Create a phishing classifier using machine learning techniques, based on email content. [48] In 2009 Microsoft MVP Michael Burgess accused Comodo of issuing digital certificates to known malware distributors. Uses the app-provisioning-settings list. This playbook covers an XDR Best Practice Assessment for existing XDR deployments. Returns a map entry with a marker on the given coordinates (lat,lng), or address (requires a configured GoogleMaps instance). In an increasingly mobile workforce, Microsoft Intune keeps your sensitive data safe while on the move. Exchange Web Services and Office 365 (mail). With Network Firewall, you can filter traffic at the perimeter of your VPC. Launches a compliance policy report and then fetches the report when it's ready. Collects the events log for alerts and activities provided by the Microsoft Defender for Cloud Apps API. This playbook remediates the External Remote Services technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. Integrate with SAP's services to execute CRUD operations for employee lifecycle processes. This playbook adds a domains EDL to Panorama Anti-Spyware. [22] Identum, which was founded in and later spun off from the University of Bristol cryptography department, developed ID-based email encryption software. The user can be specified by name, email or as an Active Directory Distinguished Name (DN). aquatone-discover will find the target's nameservers and shuffle DNS lookups between them. Fetch indicators and observables from the SEKOIA.IO Intelligence Center. Fetches the number of ads in the given URL. Once complete, the playbook removes the 'whitelist review' tag from the indicators. The time is configured on the EmailUserSLA. This playbook remediates the following Prisma Cloud GCP VPC Network Firewall alerts. This playbook is used to find, create and manage phishing campaigns.
With this integration, users can contextualize existing alerts, filter false positives, identify compromised devices, and track emerging threats. Enrich and calculate the reputation of a certificate indicator. The RiskIQ Digital Footprint integration enables your security team to manage assets outside your firewall. Use the Symantec Data Loss Prevention V2 integration instead. Deprecated. The company was founded in 1998 in the United Kingdom by Melih Abdulhayoğlu. The company relocated to the United States in 2004. [24] Trend Micro claimed that Barracuda's use of ClamAV infringed on a software patent owned by Trend Micro for filtering viruses on an Internet gateway. This v2 playbook is used inside the phishing flow. Leaves all investigations that the user is part of (clears out the incidents in the left pane). This single-run playbook enables Cortex XSOAR's built-in External Dynamic List (EDL) as a service for system indicators, and configures PAN-OS EDL Objects and the respective firewall policy rules. This playbook also adds these IP Address indicators to the exclusion list and tags them with the "RiskIQ Whitelisted IP Address" tag. Data output script for populating the dashboard pie graph widget with the percentage of incidents closed by DBot vs. incidents closed by analysts. The format must match the UTC date's format, and the output will be in the same format. Cybersixgill automatically collects intelligence in real time on all items that appear in the underground sources which we monitor. Comment ingestion simplified and audit log ingestion removed. Deprecated. VMware Carbon Black Endpoint Standard Live Response is a feature that enables security operators to collect information and take action on remote endpoints in real time. As the default playbook for the "IAM - Configuration" incident type, when an "IAM - Configuration" incident is created this playbook runs automatically and closes any previous incidents of the same type.
Use the Digital Guardian integration to fetch incidents and to programmatically add or remove entries from watchlists and component lists. TwinWave's threat analysis platform analyzes both URLs and files to detect credential phishing and malware threats. A feed of known benign IPs of public DNS servers. Training is particularly important in this regard. The Generic GraphQL client can interact with any GraphQL server API. If you are using Office 365, we recommend using the EWS O365 integration instead, which supports modern authentication (OAuth2). This script is used to wrap the generic update-record command in ServiceNow. This playbook terminates user SSO sessions so that, upon the next login attempt following the unlocking of the account, authentication is required. Extracts a domain and its details from the Chronicle IOC Domain match response. Additional sub-playbooks can be added to improve the business logic and tagging according to the user's needs. Deprecated. Rather, the issue was with an add-on. Enrich the given IP or domain with metadata, malware, and OSINT. Threat InDepth's actionable and contextualized intelligence helps enterprises improve their threat detection and response by providing unprecedented visibility into new email-borne security threats faster than other security vendors. [50] In January 2016, Tavis Ormandy reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the same-origin policy.[51] There are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could impact. This playbook first launches an ad hoc command, then reports the status of the task when it finishes running, and at the end returns the output of the task. Enrich a file using one or more integrations. Use Xpanse Incident Handling - Generic instead. Search Items. Multiple arguments are AND'd. Preempt Behavioral Firewall: detection and enforcement based on user identity.
The ThreatX integration allows automated enforcement and intel gathering actions. Salesforce logs event collector integration for XSIAM. Arkime (formerly Moloch) is a large-scale, open source, indexed packet capture and search tool. Integration capabilities include retrieving, creating, and updating pull requests. Common HTTP feed code that will be appended into each HTTP feed integration when it is deployed. Sends an HTTP request with advanced capabilities. The playbook utilizes several other MITRE ATT&CK remediation playbooks. If the key is not found after "iterations" loops, the script exits with a message. [57] In November 2017, Trend Micro acquired IMMUNIO, adding new capabilities for hybrid cloud security that fit neatly into the DevOps life cycle. You can create an External Dynamic List (EDL) and add domains to it using the Cortex XSOAR pack called "Generic Export Indicators Service". Aggregate entries from ServiceNow CMDB into AttributionCI. Aggregate entries from multiple sources into AttributionDevice. Aggregate entries from multiple sources into AttributionIP. Aggregate entries from multiple sources into AttributionUser. This script can be used to enrich context generated by the ExpanseAggregateAttribution* scripts with additional details. Deprecated. Manage vulnerability remediation using Nexpose data, and optionally enrich data with 3rd-party tools. Simple customer authentication and streamlined workforce identity operations. It then performs IOC enrichment with MineMeld for all related IOCs, and calculates the incident severity based on all the findings. In addition, we detonate the file for the full analysis report. Add, remove, or modify logos from the URL Phishing model. Calculates the A1000 final classification based on the A1000 classification and A1000 full reports. Use the Securonix integration to manage incidents and watchlists. [32] Trend Micro followed up with another acquisition, Taiwanese advanced network-security firm Broadweb, in October 2012.
Deprecated. This playbook is a manual playbook. The incident may originate from outside or within the network. This playbook remediates Prisma Cloud Azure Network alerts. This playbook remediates the Data from Local System technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. Enhancement script to enrich PDNS information for Domain and IP type indicators. Deprecated. This is the Hello World integration for getting started. Query MAC Vendors for vendor names when providing a MAC address. Find the rule state for a hash value in CBEP/Bit9. Microsoft Intune stands out among its competitors for a number of reasons. This script gets content files as input from the context, commits the files in the correct folder and creates the pull request text. That vulnerability is reflected in the data. This playbook will auto-isolate endpoints by the endpoint ID that was provided in the playbook. The Azure WAF (Web Application Firewall) integration provides centralized protection of your web applications from common exploits and vulnerabilities. However, in the end, they gave us a reasonable price. This playbook reassigns Active Incidents to the current users on call. Microsoft 365 Defender Event Collector integration. When I first opened it up and had to learn the product, I was easily a novice. This playbook lists security events and returns the results to the context. This integration utilizes Analyst1's system to enrich Demisto indicators with data provided by the Analyst1 REST API, such as actor and malware information, activity and reported dates, evidence and hit counts, and more. Integration with Atlassian OpsGenie. VMware Carbon Black App Control (formerly known as Carbon Black Enterprise Protection) is a next-generation endpoint threat prevention solution that delivers a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform. Deprecated.
Queries traffic logs in a PAN-OS Panorama or Firewall device. This is the Confluera IQ-Hub integration with Cortex. Get the error(s) associated with a given entry/entries. This playbook also creates indicators for the entities fetched, as well as investigating and enriching them. Shows feed relationship data in a table with the ability to navigate. Shows limited feed relationship data in a table with the ability to navigate. Data output script for populating the dashboard number graph widget with the number of entry ID errors. Close the current investigation as a duplicate of another investigation. Gets hashes (MD5, SHA1, SHA256) from context. This playbook tracks the user responses and resends the emails to recipients who have not responded. Playbook to demonstrate the features of XSOAR-Web-Server. Retrieves all specified assets from the PANW IoT cloud and sends them to the SIEM server. IAM integration for Clarizen. Use this script to re-run failed tasks. Get the list of Alerts from Carbon Black Enterprise Response. Entry widget that returns the number of unused rules found by PAN-OS policy. This integration will help your enterprise effectively consume actionable cyber alerts to increase your security posture. Deprecated. This playbook blocks malicious IPs using all integrations that are enabled. This playbook is triggered by a GDPR breach incident, and then performs the required tasks that are detailed in GDPR Article 33. [72] In April 2018, the company released a tool that helps identify individual writing styles and combat email fraud. Find GCP resources by Public IP using Prisma Cloud inventory. This integration is intended to aid companies in integrating with the Stealth EcoAPI service. The LINE API integration is used for sending a message to a LINE Group. This integration is for fetching information about assets in Axonius. Create and manage Azure FileShare files and directories.
Infoblox enables you to receive metadata about IPs in your network and manage the DNS Firewall by configuring RPZs. This playbook is used to verify that all assets found by Expanse are being scanned by a vulnerability management tool by: This playbook handles incidents triggered in the PANW IoT (Zingbox) UI by sending the alert to ServiceNow. Enrich source and destination IP information using SecureTrack. SlackBlockBuilder will format a given Slack block into a format readable by the SlackV3 integration. Searches for a string in context and returns the context path; returns null if not found. Control the health of your endpoints with advanced endpoint detection and response (EDR). According to Sophos's latest State of Ransomware in Healthcare report, some 34% of healthcare organisations were struck by ransomware in 2020. Indicators from the given report are then extracted and enriched with Recorded Future data. Queries the public repository of PAN-OS CVEs. Indeni is turn-key automated monitoring that provides visibility for security infrastructure. Compares the labels of two incidents. Main playbook to handle Expanse incidents. Connects to and controls an Arduino pin system over the network. Performs a vulnerability scan for an asset of type "Host" or "IP Address" using the Tenable.io integration. This integration fetches indicators from AlienVault OTX using a TAXII client. It calls sub-playbooks that perform the actual remediation steps. This playbook remediates the Brute Force technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. Gets all IP addresses in context, excluding the ones given. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
The playbook returns a severity level of "Critical" if a critical asset is associated with the investigation. This playbook verifies if a user account or an endpoint is part of a critical list or a critical AD group. By feeding it device identifiers and the software they run, DeviceTotal will return a map of the devices' attack surface. Use the "File Enrichment - Virus Total v3" playbook instead. Use the MISP v3 integration instead. With the received indicators, the playbook leverages Palo Alto Cortex data received by products such as Traps, Analytics and PAN-OS to search for IP addresses and hosts related to that specific hash. Add mobile apps to user groups and devices. This playbook remediates the Boot or Logon Autostart Execution technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. The playbook takes the analyst through the steps that are required to remediate this Active Directory exposure. Use CBLiveGetFile_V2 instead. This playbook edits rules with unused applications or rules that are port based, and adds an application to the rule. This is necessary when you want to assign certain values as static or if you have context paths that you will assign to different values as well. This playbook uploads, detonates, and analyzes files with the WildFire sandbox. A threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes. When there are three failed login attempts to Demisto that originate from the same user ID, a direct message is sent to the user on Slack requesting that they confirm the activity. In 2012, Trend Micro added big data analytics to its Smart Protection Network. This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. Deprecated. Use McAfee Active Response to collect data from an endpoint for IR purposes (requires ePO as well).
This is a playbook for performing a Google Vault search in Drive accounts and displaying the results. FireMon Security Manager delivers comprehensive rule lifecycle management to help you manage and automate every stage of the change management process. Use the O365 File Management (Onedrive/Sharepoint/Teams) integration to enable your app to get authorized access to files in OneDrive, SharePoint, and MS Teams across your entire organization. Analyze the given file hash on Intezer Analyze and enrich the file reputation. Calculate a weighted score based on the number of malicious indicators involved in the incident. This playbook provides response actions for AWS. BruteForceBlocker is a Perl script that works with the pf firewall developed by the OpenBSD team, and is also available on FreeBSD from version 5.2. [39][40][41] This included the bug bounty program, the Zero Day Initiative, which was incorporated into Trend Micro Research's focus on existing threats, vulnerabilities, and future potential security issues. Use the VirusTotalV3 integration instead.
AWS Simple Notification Service (AWS SNS), Azure Active Directory Identity And Access, Azure Active Directory Identity Protection (Deprecated), BitSight for Security Performance Management, Cisco Email Security Appliance (IronPort) (Deprecated), Cisco Secure Cloud Analytics (Stealthwatch Cloud), Cisco Secure Network Analytics (Stealthwatch), CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis), Cybersixgill DVE Feed Threat Intelligence (Deprecated), Cybersixgill DVE Feed Threat Intelligence v2, Cyren Threat InDepth Threat Intelligence Feed, Group-IB Threat Intelligence & Attribution, Group-IB Threat Intelligence & Attribution Feed, Mandiant Automated Defense (Formerly Respond Software), McAfee Threat Intelligence Exchange (Deprecated), Microsoft Defender for Cloud Apps Event Collector, Microsoft Defender for Endpoint Event Collector, Microsoft Management Activity API (O365 Azure Events), Microsoft Policy And Compliance (Audit Log), O365 - Security And Compliance - Content Search, O365 - Security And Compliance - Content Search v2, O365 File Management (Onedrive/Sharepoint/Teams), Palo Alto Networks - Prisma Cloud Compute, Palo Alto Networks Cortex XDR - Investigation and Response, Palo Alto Networks PAN-OS EDL Management (Deprecated), Palo Alto Networks Security Advisories (Beta), Palo Alto Networks Threat Vault (Deprecated), Proofpoint Protection Server (Deprecated), Proofpoint Threat Response Event Collector, Quest KACE Systems Management Appliance (Beta), Recorded Future Attack Surface Intelligence, ReversingLabs Ransomware and Related Tools Feed, Service Desk Plus (On-Premise) (Deprecated), Starter Base Integration - Name the integration as it will appear in the XSOAR UI, Symantec Advanced Threat Protection (Deprecated), Symantec Blue Coat Content and Malware Analysis (Beta), Symantec Data Loss Prevention (Deprecated), Thales SafeNet Trusted Access Event Collector, VMware Carbon Black EDR (Live Response API), VMware Carbon Black Endpoint Standard (Deprecated), 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf, Accessdata: Dump memory for malicious process, https://xsoar.pan.dev/docs/integrations/iam-integrations, ACTI Create Report-Indicator Associations, Active Directory - Get User Manager Details, Add Indicator to Miner - Palo Alto MineMeld, Add Unknown Indicators To Inventory - RiskIQ Digital Footprint, Agari Message Remediation - Agari Phishing Defense, Alibaba ActionTrail - multiple unauthorized action attempts detected by a user, Analyze URL - ReversingLabs TitaniumCloud, Arcanna-Generic-Investigation-V2-With-Feedback, Arcsight - Get events related to the Case, Auto Add Assets - RiskIQ Digital Footprint, Auto Update Or Remove Assets - RiskIQ Digital Footprint, Autofocus Query Samples, Sessions and Tags, https://autofocus.paloaltonetworks.com/#/dashboard/organization, AWS IAM User Access Investigation - Remediation, Azure Log Analytics - Query From Saved Search, Block Domain - Proofpoint Threat Response, Block Domain - Symantec Messaging Gateway, Block IOCs from CSV - External Dynamic List, BreachRx - Create Incident and get Active Tasks, Brute Force Investigation - Generic - SANS, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901, Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration, Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration, Bulk Export to SIEM - PANW IoT 3rd Party Integration, Calculate Severity - 3rd-party integrations, Calculate Severity - Indicators DBotScore, Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise, Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise, http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82, Carbon black Protection Rapid IOC Hunting, Carbon Black Response - Unisolate Endpoint, Case Management - Generic - Set SLAs based on Severity, Check Indicators For Unknown Assets - RiskIQ Digital Footprint, Check IP 
Address For Whitelisting - RiskIQ Digital Footprint, Checkpoint - Block IP - Custom Block Rule, Checkpoint - Publish&Install configuration, Checkpoint Firewall Configuration Backup Playbook, ChronicleAssets Investigation And Remediation - Chronicle, CimTrak - Example - Scan Compliance By IP, Cisco FirePower- Append network group object, Cloud IDS-IP Blacklist-GCP Firewall_Append, Cloud IDS-IP Blacklist-GCP Firewall_Combine, Cloud IDS-IP Blacklist-GCP Firewall_Extract, Cluster Report Categorization - Cofense Triage v3, Code42 Add Departing Employee From Ticketing System, Compromised Credentials Match - Flashpoint, Convert file hash to corresponding hashes, Cortex ASM - Vulnerability Management Enrichment, Cortex XDR - AWS IAM user access investigation, https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response, Cortex XDR - False Positive Incident Handling, Cortex XDR - Get File Path from alerts by hash, Cortex XDR - PrintNightmare Detection and Response, Cortex XDR - True Positive Incident Handling, https://xsoar.pan.dev/docs/incidents/incident-jobs, Cortex XDR Malware - Investigation And Response, CrowdStrike Falcon - False Positive Incident Handling, CrowdStrike Falcon - Get Detections by Incident, CrowdStrike Falcon - Get Endpoint Forensics Data, CrowdStrike Falcon - Search Endpoints By Hash, CrowdStrike Falcon - SIEM ingestion Get Incident Data, CrowdStrike Falcon - True Positive Incident Handling, CrowdStrike Falcon Malware - Incident Enrichment, CrowdStrike Falcon Malware - Investigation and Response, CrowdStrike Falcon Malware - Verify Containment Actions, CrowdStrike Falcon Sandbox - Detonate file, CVE-2021-22893 - Pulse Connect Secure RCE, Exploitation of Pulse Connect Secure Vulnerabilities, CVE-2021-34527 | CVE-2021-1675 - PrintNightmare, Microsoft MSHTML Remote Code Execution Vulnerability, Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228), Threat Brief: Atlassian Confluence Remote Code Execution 
Vulnerability (CVE-2022-26134), Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability, CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows, Unit42 Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows, NCSC-NL - OpenSSL overview Scanning software, CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell, Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell), Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082, Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server, WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER, ProxyNotShell the story of the claimed zero days in Microsoft Exchange, Darkfeed IOC detonation and proactive blocking, Demisto Self-Defense - Account policy monitoring playbook, Detonate File - FireEye Detection on Demand, Detonate File - ReversingLabs TitaniumScale, Detonate Remote File from URL - McAfee ATD, Digital Defense FrontlineVM - Old Vulnerabilities Found, Digital Defense FrontlineVM - PAN-OS block assets, Digital Defense FrontlineVM - Scan Asset Not Recently Scanned, Digital Shadows - CVE_IoC Assessment & Enrichment, Digital Shadows - Domain Alert Intelligence (Automated), Digital Shadows - Domain_IoC Assessment & Enrichment, Digital Shadows - IoC Assessment & Enrichment, Digital Shadows - IP_IoC Assessment & Enrichment, Digital Shadows - MD5_IoC Assessment & Enrichment, Digital Shadows - SHA1_IoC Assessment & Enrichment, Digital Shadows - SHA256_IoC Assessment & Enrichment, Digital Shadows - URL_IoC Assessment & Enrichment, DropBox - Massive scale operations on files, Employee Offboarding - Gather User Information, Employee Offboarding - Revoke Permissions, Endpoint Enrichment By EntityId - XM Cyber, Endpoint Enrichment By Hostname - XM Cyber, Endpoint Malware Investigation - Generic V2, Enrich Incident With Asset Details - RiskIQ Digital 
Footprint, Enrich McAfee DXL using 3rd party sandbox, Enrich McAfee DXL using 3rd party sandbox v2, Example-Delinea-Retrieved Username and Password, Expanse Find Cloud IP Address Region and Service, Export Single Alert to ServiceNow - PANW IoT 3rd Party Integration, Export Single Asset to SIEM - PANW IoT 3rd Party Integration, Export Single Vulnerability to ServiceNow - PANW IoT 3rd Party Integration, Extract Indicators From File - Generic v2, File Enrichment - Virus Total Private API, File Reputation - ReversingLabs TitaniumCloud, FireEye Red Team Tools Investigation and Response, Get Email From Email Gateway - Proofpoint Protection Server, Get File Sample By Hash - Carbon Black Enterprise Response, Get File Sample By Hash - Cylance Protect, Get File Sample By Hash - Cylance Protect v2, Get File Sample From Path - Carbon Black Enterprise Response, Get File Sample From Path - VMware Carbon Black EDR - Live Response API, Get Original Email - Microsoft Graph Mail, Get the binary file from Carbon Black by its MD5 hash, https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/, https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, Handle Expanse Incident - Attribution Only, Health Check - Log Analysis Read All files, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, Hostname And IP Address Investigation And Remediation - Chronicle, Hurukai - Add indicators to HarfangLab EDR, Hurukai - Process Indicators - Manual Review, IAM - Deactivate User In Active Directory, IAM - Send Provisioning Notification Email, http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act, https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf, 
Incident Postprocessing - Group-IB Threat Intelligence & Attribution, Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration, Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration, Incremental Export to SIEM - PANW IoT 3rd Party Integration, Integrations and Incidents Health Check - Running Scripts, Investigate On Bad Domain Matches - Chronicle, IP Enrichment - External - RST Threat Feed, IP Whitelist And Exclusion - RiskIQ Digital Footprint, JOB - Cortex XDR query endpoint device control violations, JOB - Integrations and Incidents Health Check, JOB - Integrations and Incidents Health Check - Lists handling, JOB - XSOAR - Export Selected Custom Content, Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack, Kaseya Incident Overview & Technical Details, Launch Adhoc Command Generic - Ansible Tower, Launch And Fetch Compliance Policy Report - Qualys, Launch And Fetch Compliance Report - Qualys, Launch And Fetch Host Based Findings Report - Qualys, Launch And Fetch Remediation Report - Qualys, Launch And Fetch Scan Based Findings Report - Qualys, Launch And Fetch Scheduled Report - Qualys, Malware Investigation & Response Incident Handler, Malware Investigation and Response - Set Alerts Grid, Malware SIEM Ingestion - Get Incident Data, McAfee ePO Endpoint Compliance Playbook v2, McAfee ePO Endpoint Connectivity Diagnostics Playbook v2, McAfee ePO Repository Compliance Playbook, McAfee ePO Repository Compliance Playbook v2, MDE - Host Advanced Hunting For Network Activity, MDE - Host Advanced Hunting For Persistence, MDE - Host Advanced Hunting For Powershell Executions, Microsoft 365 Defender - Emails Indicators Hunt, Microsoft 365 Defender - Get Email URL Clicks, Microsoft 365 Defender - Threat Hunting Generic, Microsoft Defender Advanced Threat Protection Get Machine Action Status, Microsoft Defender For Endpoint - Collect investigation package, 
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide, Microsoft Defender For Endpoint - Isolate Endpoint, Microsoft Defender for Endpoint - Malware Detected, Microsoft Defender For Endpoint - Unisolate Endpoint, Microsoft Office File Enrichment - Oletools, MITRE ATT&CK - Courses of Action Trigger Job, MITRE ATT&CK CoA - T1003 - OS Credential Dumping, MITRE ATT&CK CoA - T1005 - Data from Local System, MITRE ATT&CK CoA - T1021.001 - Remote Desktop Protocol, MITRE ATT&CK CoA - T1027 - Obfuscated Files or Information, MITRE ATT&CK CoA - T1041 - Exfiltration Over C2 Channel, MITRE ATT&CK CoA - T1048 - Exfiltration Over Alternative Protocol, MITRE ATT&CK CoA - T1057 - Process Discovery, MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter, MITRE ATT&CK CoA - T1059.001 - PowerShell, MITRE ATT&CK CoA - T1068 - Exploitation for Privilege Escalation, MITRE ATT&CK CoA - T1071 - Application Layer Protocol, MITRE ATT&CK CoA - T1078 - Valid Accounts, MITRE ATT&CK CoA - T1082 - System Information Discovery, MITRE ATT&CK CoA - T1083 - File and Directory Discovery, MITRE ATT&CK CoA - T1105 - Ingress tool transfer, MITRE ATT&CK CoA - T1133 - External Remote Services, MITRE ATT&CK CoA - T1135 - Network Share Discovery, MITRE ATT&CK CoA - T1189 - Drive-by Compromise, MITRE ATT&CK CoA - T1199 - Trusted Relationship, MITRE ATT&CK CoA - T1204 - User Execution, MITRE ATT&CK CoA - T1486 - Data Encrypted for Impact, MITRE ATT&CK CoA - T1518 - Software Discovery, MITRE ATT&CK CoA - T1543.003 - Windows Service, MITRE ATT&CK CoA - T1547 - Boot or Logon Autostart Execution, MITRE ATT&CK CoA - T1547.001 - Registry Run Keys Startup Folder, MITRE ATT&CK CoA - T1560.001 - Archive via Utility, MITRE ATT&CK CoA - T1562.001 - Disable or Modify Tools, MITRE ATT&CK CoA - T1564.004 - NTFS File Attributes, MITRE ATT&CK CoA - T1566.001 - Spear-Phishing Attachment, MITRE ATT&CK CoA - T1569.002 - Service Execution, MITRE ATT&CK 
CoA - T1573.002 - Asymmetric Cryptography, Mitre Attack - Extract Technique Information From ID, NetOps - Firewall Version and Content Upgrade, https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf, https://www.nysenate.gov/legislation/laws/GBS/899-AA, Mitre technique T1046 - Network Service Scanning, NOBELIUM - wide scale APT29 spear-phishing, https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, NSA - 5 Security Vulnerabilities Under Active Nation-State Attack, https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF, O365 - Security And Compliance - Search Action - Delete, O365 - Security And Compliance - Search Action - Preview, O365 - Security And Compliance - Search And Delete, Online Brand Protection Detect and Respond, Palo Alto Networks - Endpoint Malware Investigation, Palo Alto Networks - Endpoint Malware Investigation v2, Palo Alto Networks - Endpoint Malware Investigation v3, Palo Alto Networks - Hunting And Threat Detection, PAN-OS - Apply Security Profile to Policy Rule, PAN-OS - Block all unknown and unauthorized applications, PAN-OS - Block Domain - External Dynamic List, PAN-OS - Block IP and URL - External Dynamic List, PAN-OS - Block IP and URL - External Dynamic List v2, PAN-OS - Enforce Anti-Spyware Best Practices Profile, PAN-OS - Enforce Anti-Virus Best Practices Profile, PAN-OS - Enforce File Blocking Best Practices Profile, PAN-OS - Enforce URL Filtering Best Practices Profile, PAN-OS - Enforce Vulnerability Protection Best Practices Profile, PAN-OS - Enforce WildFire Best Practices Profile, PAN-OS Log Forwarding Setup And Configuration, PAN-OS logging to Cortex Data Lake - Action Required, PAN-OS to Cortex Data Lake Monitoring - Cron Job, PANW - Hunting and threat detection by indicator type, PANW - Hunting and threat detection by indicator type V2, PANW IoT Incident Handling with ServiceNow, 
Policy Optimizer - Add Applications to Policy Rules, Policy Optimizer - Manage Port Based Rules, Policy Optimizer - Manage Rules with Unused Applications, Prisma Access Whitelist Egress IPs on SaaS Services, Prisma Cloud - Find AWS Resource by Public IP, Prisma Cloud - Find Azure Resource by FQDN, Prisma Cloud - Find Azure Resource by Public IP, Prisma Cloud - Find GCP Resource by Public IP, Prisma Cloud - Find Public Cloud Resource by FQDN, Prisma Cloud - Find Public Cloud Resource by Public IP, Prisma Cloud Compute - Cloud Discovery Alert, Prisma Cloud Compute - Vulnerability Alert, Prisma Cloud Compute Vulnerability and Compliance Reporting, Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account, Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration, Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration, Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration, Prisma Cloud Remediation - AWS IAM Policy Misconfiguration, Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days, Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port, Prisma Cloud Remediation - Azure AKS Cluster Misconfiguration, Prisma Cloud Remediation - Azure AKS Misconfiguration, Prisma Cloud Remediation - Azure Network Misconfiguration, Prisma Cloud Remediation - Azure Network Security Group Misconfiguration, Prisma Cloud Remediation - Azure SQL Database Misconfiguration, Prisma Cloud Remediation - Azure SQL Misconfiguration, Prisma Cloud Remediation - Azure Storage Blob Misconfiguration, Prisma Cloud Remediation - Azure Storage Misconfiguration, Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration, Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration, Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration, Prisma Cloud Remediation - GCP VPC Network Misconfiguration, Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration, 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)#using-filters-to-limit-etl-trace-file-details, Quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration, Rapid Breach Response - Set Incident Info, Recorded Future Leaked Credential Alert Handling, Recorded Future Vulnerability Alert Handling, Remediate Message - Agari Phishing Defense, Report Categorization - Cofense Triage v3, Residents Notification - Breach Notification, Retrieve Email Data - Agari Phishing Defense, RiskIQAsset Enrichment - RiskIQ Digital Footprint, Rubrik Anomaly Incident Response - Rubrik Polaris, Rubrik Data Object Discovery - Rubrik Polaris, Rubrik Fileset Ransomware Discovery - Rubrik Polaris, Rubrik Poll Async Result - Rubrik Polaris, Rubrik Ransomware Discovery and File Recovery - Rubrik Polaris, Rubrik Ransomware Discovery and VM Recovery - Rubrik Polaris, Saas Security - Take Action on the Incident, SafeBreach - Compare and Validate Insight Indicators, SafeBreach - Create Incidents per Insight and Associate Indicators, SafeBreach - Process Behavioral Insights Feed, SafeBreach - Process Non-Behavioral Insights Feed, SafeNet Trusted Access - Add to Unusual Activity Group, SafeNet Trusted Access - Terminate User SSO Sessions, SailPoint IdentityIQ Disable User Account Access, SANS - Incident Handler's Handbook Template, Search Endpoints By Hash - Carbon Black Protection, Search Endpoints By Hash - Carbon Black Response, Search Endpoints By Hash - Carbon Black Response V2, Set RaDark Grid For Network Vulnerabilities, SolarStorm and SUNBURST Hunting and Response Playbook, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/, https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html, CVE-2022-22965: Spring Core Remote Code Execution 
Vulnerability Exploited In the Wild, SX - AD - Default Password Policy Misconfig Discovered, SX - AD - GPP - Reversible Enc' & Obfuscated passwords, SX - AD - Lockout Policy Manual Mitigation Steps, SX - AD - NetBios Manual Mitigation Steps, SX - AD - Password Age & Complexity Manual Mitigation Steps, SX - AD - Password Age & Length & Complexity Manual Mitigation Steps, SX - AD - Password Age & Length Manual Mitigation Steps, SX - AD - Password Age Manual Mitigation Steps, SX - AD - Password Complexity Manual Mitigation Steps, SX - AD - Password Length & Complexity Manual Mitigation Steps, SX - AD - Password Length Manual Mitigation Steps, SX - AD - Powershell V2 Manual Mitigation Steps, SX - AD - Service Account in Privileged Group Manual Mitigation Steps, SX - AD - Service Accounts Password Policy, SX - AD - SMB Signing Manual Mitigation Steps, T1059 - Command and Scripting Interpreter, Tag massive and internal IOCs to avoid EDL listing, TIM - Indicators Exclusion By Related Incidents, TIM - Process Domain Registrant With Whois, TIM - Process File Indicators With File Hash Type, TIM - Process Indicators - Fully Automated, TIM - Process Indicators Against Approved Hash List, TIM - Process Indicators Against Business Partners Domains List, TIM - Process Indicators Against Business Partners IP List, TIM - Process Indicators Against Business Partners URL List, TIM - Process Indicators Against Organizations External IP List, TIM - Review Indicators Manually For Whitelisting, TIM - Run Enrichment For All Indicator Types, TIM - Run Enrichment For Domain Indicators, TIM - Update Indicators Organizational External IP Tag, Tufin - Enrich Source & Destination IP Information, Tufin - Get Application Information from SecureApp, Tufin - Get Network Device Info by IP Address, Un-quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration, Update Or Remove Assets - RiskIQ Digital Footprint, Uptycs - Outbound Connection to Threat IOC Incident, Vulnerability Handling - Qualys 
- Add custom fields to default layout, Vulnerability Scan - RiskIQ Digital Footprint - Tenable.io, WhisperGate and HermeticWiper & CVE-2021-32648, UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict, Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-roles/shift-management.html#idf554fd0f-f93b-40cd-9111-1393bf25ac6e, ChronicleAssetEventsForHostnameWidgetScript, ChronicleAssetEventsForProductIDWidgetScript, ChronicleDomainIntelligenceSourcesWidgetScript, ChronicleListDeviceEventsByEventTypeWidgetScript, ChroniclePotentiallyBlockedIPWidgetScript, https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2, CortexXDRAdditionalAlertInformationWidget, https://docs.python.org/3/library/hashlib.html, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html, ForescoutEyeInspectButtonGetVulnerabilityInfo, GeneratePANWIoTDeviceTableQueryForServiceNow, GetCampaignLowerSimilarityIncidentsIdsAsOptions, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/playbooks/automations.html, IncidentsCheck-NumberofIncidentsWithErrors, IncidentsCheck-NumberofTotalEntriesErrors, IncidentsCheck-Widget-IncidentsErrorsInfo, IncidentsCheck-Widget-NumberFailingIncidents, IncidentsCheck-Widget-UnassignedFailingIncidents, IntegrationsCheck-Widget-IntegrationsCategory, IntegrationsCheck-Widget-IntegrationsErrorsInfo, IntegrationsCheck-Widget-NumberFailingInstances, https://en.wikipedia.org/wiki/Private_network, https://stedolan.github.io/jq/manual/#Invokingjq, https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing, RapidBreachResponse-CompletedTasksCount-Widget, 
RapidBreachResponse-EradicationTasksCount-Widget, RapidBreachResponse-HuntingTasksCount-Widget, RapidBreachResponse-MitigationTasksCount-Widget, RapidBreachResponse-RemainingTasksCount-Widget, RapidBreachResponse-RemediationTasksCount-Widget, RapidBreachResponse-TotalIndicatorCount-Widget, RapidBreachResponse-TotalTasksCount-Widget, RiskIQDigitalFootprintAssetDetailsWidgetScript, RiskIQPassiveTotalHostPairsChildrenWidgetScript, RiskIQPassiveTotalHostPairsParentsWidgetScript, RiskIQPassiveTotalSSLForIssuerEmailWidgetScript, RiskIQPassiveTotalSSLForSubjectEmailWidgetScript, TaniumFilterComputersByIndexQueryFileDetails, https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html, Use the Inventa integration to generate DSAR reports within an Inventa instance and retrieve DSAR data for XSOAR.