Playbooks in App Central

A playbook is a predefined set of actions and conditional statements that run in an automated workflow to respond to a certain event or incident type.

While playbooks in the Automation Service UI show the playbooks installed to your environment, the Playbooks tab in App Central shows you additional playbooks you can install.

Install a playbook from App Central

Use the Search bar in the upper right of the Playbooks tab to find playbooks.
Click Install in the corner of the playbook box.
Click Next.
Click Install to install the playbook.
Click Close. After installation is complete, Installed replaces the Install link in the corner of the playbook box.
IMPORTANT: Click Show More in the playbook box to see if there are additional steps you need to follow to configure the installed playbook. Failure to perform these additional steps may result in the playbook not working properly.

Playbooks in App Central

This section lists all the out-of-the-box playbooks you can install.

1 - Basic IP Reputation

Denial of Service

The purpose of this playbook is the automated detection of a large number of malformed packets being sent from several different IPs and blocking them.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

2 - Anti-Debug

Malware

This playbook's main purpose is to analyze a malware by automating the discovery of anti-debug tricks in files, using Python scripts such as:

Flag Checkings & System calls (IsDebuggerPresent, PEB debugger flag, etc.)
Structured/Vectored Exception Handling anti-debug tricks.
Threat Control.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

3 - Anti-VM playbook

Malware

This playbook's main purpose is to analyze a malware by automating the discovery of anti-debug tricks in files, using Python scripts, such as:

Flag Checkings & System calls (IsDebuggerPresent, PEB debugger flag, etc.)
Structured/Vectored Exception Handling anti-debug tricks.
Threat Control;

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

4 - Anti-Worm

Worm Infection

The purpose of this playbook is to recognize worms from several indicators such as very high frequency of local area network communication, automated outgoing emails, etc.

5 - AntiVirus Infection

Infection

Playbook to be executed when an antivirus repeat infection has been found.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

6 - AV Infection Detected

Malware

Repeated infection detected by AV and notified into Cloud SIEM. Enrichment is done from various sources and appropriate containment is applied.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

7 - Basic playbook from SIEM Alarm

Infection

Playbook can be activated after receiving alarms from different sources, such as BlueCoat and FireEye.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

8 - Blacklisting a Sender

Data Breach

A use case for blacklisting the sender with actions composed to perform blacklisting by domain/IP address/URL.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

Incident Response

Playbook to block a user that is navigating on a suspicious domain.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

10 - Brute Force Attack

Unauthorized Access

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN) or any other personal data. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. In general, it is a systematical check of all possible passwords and passphrases combinations until the correct one is found. Scripts are usually used in these attacks to automate the process of arriving at the correct username/password combination.

Brute force attacks are usually mitigated by WAF technologies provided by popular market vendors such as Cloudflare, Akamay, Arbor Networks, Amazon Cloud Front, etc. In this case, the attack is not even perceived but mitigated automatically. With reference to the current tools on the market, among the mostly used brute force tools are THC Hydra and Patator. This playbook implies that these preventive systems are not in place or have been evaded.

note

Attackers can derive the pattern to define user accounts or corporate email addresses just analyzing the syntax of a valid target email address and demographic details of employees (for example, gathered on social networks such as LinkedIn, Facebook, etc). At that stage, it is easy to derive the list of potential accounts, and the password is the last piece of info that needs to be guessed.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

11 - Bruteforce on Account

Brute Force Attack

Playbook which can be used in a brute force on account attack use case.

note

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

18 - DDoS

Denial of Service

DDoS attack playbook which can be executed based on distributed denial of service use case. The playbook performs the first check in order to verify the traffic and the source IPs, if these should exceed a certain threshold the execution continues by carrying out a second search and, via ssh, checking the use of the resources of the server under attack.

If the condition is true, the playbook performs CTI activities to detect if the source IPs are malicious or not, including in the user choice all the data collected and giving the analyst the possibility of being able to block the sources. In the event of a ceased attack and false positive, the SOC will receive an email containing the report relating to the events.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

19 - DDoS Spoof

DDOS

Distributed denial of service is a serious type of DDoS attack where attackers try to prevent the legitimate use of a service. These types of attacks come in two forms: the attacks that crash services, and the attacks that flood services to the extreme that they are not available.

Spoofed Address Floods - Some DoS attacks use spoofed or illegal IP addresses, which will never be properly routed back to the source. To mitigate these spoofed attacks, one should implement reverse path validation on ingress routers in combination with dropping non-local subnets at egress routers. This combination of ingress and egress filtering will drop these illegal packets before they reach the firewall.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

20 - Decision tree for DOS

Denial of Service

Verify threshold, impact, and node type for ticket creation or not by using the decision tree based on previous alerts. By parsing an email and extracting different information to evaluate the impact of the attack, the decision tree will do a check on some of the values parsed in order to understand which path to take, escalation and creation of ticket or not.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

21 - DLP Alert

Data Breach

Receive a DLP alert, including source and destination addresses, and hash value(s). Performs the following steps:

Gathers enrichment information on the source user name and source address.
Queries threat intelligence for the destination address and upgrades incident priority for known threats. Prompts with a user choice decision to block the destination address.
Queries EDR for processes accessing the file (by hash), then checks any processes against threat intelligence. Prompts with a user choice decision to block the process by hash if the process is a known threat.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

22 - DNA Evidence Analysis

DNA Analysis

Playbook which can be executed in case a Forensic DNA analysis is needed.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

23 - Domain Blocking

Incident Response

Playbook defined can be used in domain blocking use case. Basing CTI activities on your technologies, if a malicious URL is intercepted, the playbook automatically blocks the URL on your environment.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

24 - DoS with Decision Tree

Denial of Service

This playbook is built to prevent DoS/DDoS attacks. Once the Cloud SOAR receives an alert, it collects the first information regarding the impact of the attack, the interfaces involved, and the list of the history commands. We inform our SOC by sending an email. Next, the playbook collects all the information from all the actions from the previous nodes and proceeds with additional activities (execution of custom scripts, running SELECT query into the DB, and so on).

Once we have all the information that we need, we conduct extra CTI activities to verify if the IoC's are malicious or not. Then we can proceed taking a decision by running an additional playbook (20 - Decision tree for DOS in our case). Once the decision is tacked, we can inform the technician or execute additional commands, depending on the result of the previous playbook execution. Lastly, the playbook sends a summary and creates a user choice.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

25 - XSS Prevention

Denial of Service

XSS Attacks are a type of injection, in which malicious Javascript code is injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, to a server, or computer. This playbook can help enrich, contain, and notify as needed.

26 - Easy Triage (IP Location)

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

39 - IP Enrichment

Malicious Communication

Playbook to be used when enrichment for the IP is needed.

40 - Lateral Movement

General

Playbook created for lateral movement workflow. Starting from a suspicious alert (syslog / mail) the playbook checks if the URL/IP called is not malicious (C&C). If the score is not positive, the playbook identifies the contacted host and quarantines it.

41 - Leveraging Threat Intelligence

Threat Intel

Playbook defined can be used in leveraging threat intelligence from various sources, for example, FireEye, Securonix, VirusTotal, etc.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

42 - Low Priority Vulnerability Detected

Vulnerability

Playbook to assist when a low priority vulnerability is found. Its parent playbook is 90 - Vulnerability Management - Master.

Based on the results of the priority of the identified vulnerabilities, the playbook sends the email to the Duty's Engineers according to the appropriate level of severity.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

43 - Mail Account Compromise

Unauthorized Access

Playbook to be used in case of potential mail account and/or mail attachment compromise. Once the playbook conducts CTI activities to verify the reputation of the source IOC's, it asks the SOC analyst if they need to block the IOC's detected if these are suspected/malicious.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

44 - Mail Scan

Malware

Potential search for malware performing automated CTI activities.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

45 - Malicious Communication with Cisco AMP

Malicious Communication

Malicious communication analysis using the Cisco AMP Integration.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

52 - Medium priority Vulnerability Detected

Vulnerability

Playbook to assist when medium priority vulnerability is detected. Its parent playbook is 90 - Vulnerability Management - Master.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

53 - Meltdown and Spectre

Vulnerability

Playbook for Meltdown and Spectre checks with a ticket creation. The playbook notifies the duty's engineers and updates the ticket created, blocking the IP on McAfee WG, closing the ticket as a final step.

54 - Misuse of Access

Unauthorized Access

The purpose of this playbook is to detect the transfer of confidential files through the use of the Windows auditing system accessed by an endpoint. Also, the playbook conducts a VirusTotal scan to be sure any intrusion is ongoing.

55 - Notification - NO Analysis

Alerts

This playbook runs a SOAR credibility use case where no operator analysis is required.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

56 - Notification - YES Analysis

Alerts

This playbook runs a SOAR credibility use case where operator analysis is required.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

57 - Notification playbook

Denial of Service

This playbook provides an email notification to be approved/edited before sending by analysts.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

58 - Offense scan and User Reset

General

This playbook runs an offense scan via QRadar and a user reset password via AD.

59 - Outbound Network Investigation

Network Activity

A playbook to perform outbound network activity alert investigation. Once the playbook has conducted some preliminary actions, like IP Geolocation and reputation, alert the SOC manager and create the possibility to block the source IP via user choice.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

60 - Password Spray from External IP

Intrusion

Playbook which can be used in case of password spray attack, where a common password is usually checked against a matrix of users, from external IP. The SOC analysts have the possibility to block the source user if the source IP is malicious or the user did too many attempts to log in.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

61 - Petya Ransomware

Ransomware

Playbook to block a user that is navigating on a suspicious domain. If the playbook detects a trace of the Petya ransomware, automatically block the Command and Control Server and inform the Duty's Engineers and the SOC manager.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

62 - Phishing Attack

Phishing

Playbook which can be used in case of phishing attack scenario. Define the severity of the potential phishing mail. If the IOC are confirmed by all the CTI platform these are blocked to all my technologies (double check). If the IOC are confirmed only by VirusTotal, these are blocked only to my internal technologies (single check).

note

Ransomware

Information gathering playbook which can be used during a ransomware event.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

74 - Recon and Remediation with Malicious Attachment

Phishing

Exchange recon and malicious attachment remediation playbook.

75 - Scheduled Upload Alert or Exfiltration

Exfiltration

Scheduled transfer or data exfiltration may be performed only at certain times of the day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol. This playbook can be used in case exfiltration tactic is applied, on different platforms such as Linux, macOS, Windows OS with network access. Particular data sources can be net-flow/enclave net-flow, process use of the network, process monitoring, etc.

76 - Security Incident

System Compromised

Presentation of a working model in case of security incident situation. This playbook replicates all the tasks are done on a security incident, and is useful to have a baseline and coordinate the SOC processes.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

77 - SitePhishing

Phishing

The purpose of this playbook is to detect anomalies in websites to conclude whether they are phishing sites or of reputable origin. This can be detected in a number of ways, such as:

Authentication token check
Site reputation lookup
Login form information destination domain lookup, etc.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

78 - Spear Phishing

Phishing

Email spear phishing playbook, including additional containment action. Due to multiple triggers, the playbook workflow can automatically set the correct priority and advertise the duty's engineers including all the results found and done.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

79 - SQL Injection Attack

SQL Injection

Playbook to be associated with incidents in case of SQL injection activity. If there are presents multiple events in the SIEM or the source IP is malicious, the playbook sends a notification and gives the possibility to block the source IP.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

80 - SSH Intrusion

Intrusion

The purpose of this playbook is to detect and alert a suspicious entry into the SSH terminal, and send an authorization command to supervisors, and then store it in the database.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

81 - Suspicious Command-Line Activity

Suspicious Activity

This playbook responds and assigns tasks to analyst in the case of suspicious command line activity, such as clearing history.

82 - Suspicious User Activity

Misconduct

A playbook that prevents possible infections generated by incorrect online browsing by a user. Once the alarm is received, the playbook looks for the user's activities and makes sure that there are no malicious events. In case there is, it blocks the malicious URLs.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

83 - Symantec SWS Alert Knowledge and Enrichment

Malware

Playbook which can be used to process Symantec SWS alerts automatically.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

84 - Sysmon Notification of Unauthorized Binary Execution

Malicious Activity

This playbook uses the information contained in a Sysmon unauthorized binary execution alert. This playbook will determine the Active Directory group the affected user belongs to, offer the incident handler the option to reset the user's password in Active Directory, search the unauthorized binary in threat intelligence platforms such as MISP, STIX, Recorded Future, and others, and block the unauthorized binary at the endpoint via containment actions if desired.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

85 - Threat detection

System Compromised

Playbook for threat detection which can be used in case of any kind of threat being detected.

86 - Triage for Network Activity

Network Activity

Playbook to triage a network activity.

87 - Unauthorized Access w/ Privilege Escalation

Privilege Escalation

This playbook enriches suspicious events of possible unauthorized accesses detected from an external IP with the addition of a user to a privileged group (domain admins, etc.). After an initial enrichment phase, the playbook will define if the user belongs to an administrative group and prompt a user choice, allowing the user to decide which flow to execute (automatic or manual containment).

88 - User Account Investigation Active Directory

Incident Response

Playbook that can be used for AD account investigation. When a new user is created on the AD, the Cloud SOAR receives an alarm to investigate and obtain all the information regarding that user. If the user is legitimate, with a user choice we can ignore the incident. Otherwise, if the SOC analyst does not recognize the user, the playbook changes the user password and disables the user. This is very useful to prevent attacks via lateral movement technique or post-exploitation and alarm the SOC in case a non-legitimate user has the possibility to conduct dangerous activity on the Active Directory.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

89 - User Compromised

Intrusion

Triage of a possible compromised user. To ingest alerts from Splunk, perform some enrichment, distribute notifications, and disable users if required.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

90 - Vulnerability Management - Master

Vulnerability

This playbook runs child playbooks to detect vulnerabilities.

91 - Forensics Analysis preparation

Forensic

Forensics preparation of analysis environment for analysts by taking a memory dump of an impacted AWS instance, enriching results with volatility. The impacted host is isolated with a new security group, and a new AWS instance is then launched via Terraform to which the snapshot of the impacted instance is attached.

92 - Phishing with poll

Phishing

Phishing use case analyzing original emails (in eml/msg) format, with enrichment of email extracted attachments and IOCs via Hybrid Analysis and VirusTotal. Searches in GSuite and notifies (poll) via Slack direct message to each user involved.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

93 - Investigative Workflow

General

This playbook checks the source and destination IP addresses and determines which address is internal to the organization, gathers asset information, searches both internal and external threat intelligence sources, before sending out a notification email / open a ticket in the organization’s ticketing system, or can be easily modified to add additional processes based on the organization’s procedures.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

94 - COVID-19

General

The COVID-19 playbook takes incident indicators and utilizes COVID-19 threat indicator feeds to determine whether an incoming event has COVID related indicators. If indicators are found, the playbook gives the analyst the option to take one or more containment actions based on the indicators observed.

106 - Malware Detected by EDR

Malware

Incoming alerts declaring a found malware on an endpoint, with notification distributed to the duty analysts. Containment is performed via the EDR. Overall review of the incident performed by the security analyst.

107 - Threat Intelligence Incoming Alert - Format 1

Malware

Ingesting of CTI alerts referring to malicious IOCs that need to be enriched and blocked into firewall, DNS, and denylist. Input is represented by Zip password protected archive.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

108 - Threat Intelligence Incoming Alert - Format 2

Malware

Ingesting of CTI alerts referring to malicious IOCs that need to be enriched and blocked into firewall, DNS, and denylist. Input is represented by individual files.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

109 - Suspicious user and brute force activity

Brute Force Attack

Ingestion of alerts referring to possible brute force or intrusion, or password guessing. Notification to the relevant departments (active directory/domain management), enrichment into the SIEM to check for past user activity. Mitigation and containment to be applied under the supervision of users.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

110 - Firewall-WAF denial requests

Network Anomaly

Alerts referring to policy firewalls/WAF violation. Automated notifications to duty engineers, to decide and implement a remediation.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

111 - Analysis and remediation of detected Malware

Malware

Playbook to process possible malware infection detected by the SIEM (or by other detection technologies). The alert describes IP or hostname of the infected machine, hash value of the malicious file, and PID of the malicious process running in the memory of the infected machine.

Enrichment is done to retrieve details of the user logged on the infected machine. Remediation is automatically applied, terminating the malicious process (via the PID), isolating the infected machine (quarantine) and banning the hash. Do an extra AV scan if the suspected events are presents on the EDR.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

112 - Basic Attack Triage

General

This playbook is useful as a master in order to execute multiple nested playbooks in case of multiple events. On the playbook are described some possible kinds of events, for example:

Failure audit
Virus events detected
Firewall denies

For each of these events a specific nested playbook is set up that will be executed. In case the events do not contain any events, the playbook allows you to create specific tasks to update and validate the triage event created.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

113 - Security Awareness AD

KB4 Completed

Adding or removing users from AD group based on completion of security awareness training. Once the email is parsed, the playbook removes the user contained on the body's email from a specific group. The duty's engineers are also notified in case of success or failure containment action.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

114 - Phishing Triage Playbook

Phish Triage

Handling phishing use case event in a triage reported as an EML/MSG. Analyzing the URL and the hash's file contained on the source email, the playbook gives the user the possibility to proceed with the containment actions, including blocking the URL and banning the hash's file.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

115 - Suspicious User Detection

Malware

Ingestion of alerts refereeing to possible suspicious activities or intrusion. Notification to the relevant departments (active directory/domain management), enrichment into the SIEM to check for the past user activity. Mitigation and containment to be applied under the supervision of users.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

116 - SIEM Malware Detection

Malware

SIEM alerts for possible malware infection, enrichment with AD and EDR queries. Automated and manual remediation is available in user choice.

117 - Industrial Security

General

This playbook analyzes the logs presented on Alleantia and Cyber Vision for threshold exceeded after a defined period of time.

In case the logs are present multiple suspected information (like unknown host, more than a number of activities, and so on) the playbook gives the possibility to take 2 possible ways:

Performing additional query using a nested playbook and executing all the containment actions.
Consider the host trusted and update Cisco Cyber Vision with the new trusted host information.

If the initial condition failed, a task and an additional user choice are created in order to give the user the possibility to reset the machine parameters.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

118 - Insider Threat

General

This playbook is useful to prevent suspicious user activities. Once the original alert is received, the playbook checks all the user's properties and provides a search into the SIEM. If the conditions are true, automatic containment actions will be done and an email will be sent to inform the duty's engineers.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

119 - Malicious File Download

General

This playbook was created to prevent PDL's infections during user navigation. When Cloud SOAR receives the original syslog, it checks the user's activity and controls the domain reputation. If the navigation result is dangerous for the user or the domain is malicious, atomic containment actions will be done to protect the safety of the source computer.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

126 - CSE Bruteforce

Malware

Use case for investigation of a brute force attack with Sumo Logic Cloud SIEM. Collecting multiple pieces of information like the username under attack, the attempts, and the source IP, using multiple conditions can determine the severity and create a final task for the SOC analyst including all the information collected.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

128 - O365 Successful travel activity

General

Sending O365 type insights from Cloud SIEM. Via Cloud SIEM daemon from SOAR, download the insights with at least one signal called "Impossible Travel - Successful" OR the name is "INSIGHT-245 - O365 - User Successful Logged In Outside Italy" from the field "Description" of the JSON returned by the daemon.

Distinguish from which Cloud SIEM based on the label custom field entity_id, severity, insight creation time, or insight signals. Relative incident creation, a custom field that tracks whether an incident or false positive based on the playbook results. Start playbook that enriches the IP and email entity. Via Libraesva, in success travel activity you have the entity as given. Send notification via email in the event of an incident based on the analyst's choice (soc@xecurity.it). Povides a condition for sending an email based on enrichment results.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

133 - Compromised internal host in a hybrid environment

General

This playbook is built to prevent a potentially compromised host. Searching the events from AWS, the playbook gives you 2 ways:

If the events from AWS contain suspicious events, the additional query will be done in order to collect more information and give the SOC analysts the possibility to quarantine the infected host.
If the events from AWS contain multiple login attempts, the playbook run a nested playbook in order to set a new password on Active Directory.

First, the playbook collects all the data from the firewall. After that, it performs additional checks, like the bandwidth sudden shift, connections on updated P2P and connections towards well-known torrent ports in order to collect all the useful information. The management team will be notified and a dedicated task will be created to discuss with the end user and review the incident generated.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

147 - Threat hunting on various IOC

CTI

This playbook is useful to conduct multiple threat hunting activities on various kinds of IOCs. Starting from a txt file, the playbook provides extraction of multiple details (that is hash, IP, URL, domain and so on) and performs multiple queries on the VirusTotal platform. At the same time, it prepares a specific query for Securonix in order to do additional threat hunting activities and generate multiple results for the same IOC. Finally, the SOC analyst can have different notes containing all the useful details regarding the IOCs analyzed.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

148 - SolarWind Orion - Exploit Prevention

Intrusion

This playbook remediates a possible SolarWinds exploitation leveraging the backdoors SUNBURST and SUPERNOVA. Playbook receives alerts from Sumo Logic Cloud SIEM monitoring the network traffic and all security events into SolarWinds.

If the traffic contains the known C&C server "avsvmcloud.com" or the Orion software is not updated, the incident is confirmed as a TRUE POSITIVE and the mitigation starts. It analyzes SolarWinds compromised hosts and powers down network interfaces, ending with a network block containment action.

If the condition is false and the network traffic does not contact the C&C server, a custom action checks for updates on the Orion website, monitors network traffic, and creates a useful note where it is explained how the SUNBURST and SUPERNOVA vulnerabilities work. Two user choices are used to verify the impacted versions and the presence of the malicious web shell DLL app_web_logoimagehandler.ashx.b6031896.dll on the suspect server. If the SOC analyst answers yes, an automated scan will be executed to check the presence of specific CVEs. Otherwise the case is classified as FALSE POSITIVE.

Finally, as a last task, the playbook creates a ticket for the NOC (in their JIRA) to monitor the Microsoft 365 Cloud because FireEye researchers have discovered that SolarWinds attackers can move laterally from local networks into the Microsoft 365 cloud.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

149 - Unisolate Endpoint with Carbon Black - essential

Incident Response

This playbook insulates sensors according to the sensor ID that is provided in the playbook input.

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

155 - Block IP - essential

Intrusion

This playbook blocks malicious IPs using all integrations that are enabled. The direction of the traffic that will be blocked is determined by the XSOAR user (and set by default to outgoing).

156 - Calculate severity - multiple vulnerability tools

Red Team Tools

This playbook uses integrations such as Qualys and Nexpose to calculate the severity of an incident and take the appropriate countermeasures.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

157 - Multiple file detonation

Incident Response

Detonate URL through active integrations that support URL detonation.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

158 - File enrichment - essential

CTI

This playbook enriches a file using one or more integrations available on your environment.

159 - Endpoint isolation - essential

Incident Response

This playbook will auto-isolate endpoints by the device ID that was provided in the playbook.

160 - Calculate severity - essential

Red Team Tools

Calculates and assigns the incident severity based on the highest returned severity level from the following severity calculations:

Indicators DBotScore - Calculates the incident severity level according to the highest indicator DBotScore.
Critical assets - Determines if a critical asset is associated with the investigation.
3rd-party integrations - Calculates the incident severity level according to the methodology of a 3rd-party integration.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

161 - Search endpoints with Carbon Black

Incident Management

Hunt for malicious indicators using Carbon Black.

162 - SolarWinds Orion - Exploit Mitigation (Supervised Active Intelligence)

Intrusion

This playbook allows you to check for, prevent, and contain potential SolarWinds SUNBURST and SUPERNOVA exploitations. The playbook starts by exploring traffic and searching for relevant alerts. It then creates a manual task to check the updates on the involved servers or workstations. If the traffic from SolarWinds Orion contains the known C&C server avsvmcloud.com or the Orion software is not updated, the playbook will:

Conduct a forensic investigation.
Examine compromised SolarWinds hosts.
Power down network interfaces, ending with a network block containment action.

Alternatively, if there are no traces of the aforementioned C&C server, the playbook proceeds to verify the Orion updates and traffic. In addition, it incorporates a helpful note that explains how the SUNBURST and SUPERNOVA vulnerabilities work.

Subsequently, the playbook presents the analyst with two user choices. The first checks the SolarWinds Orion version, and the second looks to verify the presence of the malicious web-shell DLL app_web_logoimagehandler.ashx.b6031896.dll on the servers. In case the SOC analyst confirms the SolarWinds versions are vulnerable and the malicious file is present, the playbook executes an automatic scan to check for the presence of specific CVEs.

Lastly, since FireEye researchers have discovered that SolarWinds attackers can move laterally from local networks to the Microsoft 365 cloud, the playbook asks the analyst to monitor Microsoft 365 cloud.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

163 - Active Directory Set New Password -Lateral Movement (essential)

Remediation

This playbook was built to set automatically a new password when a user is compromised after a lateral movement attack.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

164 - Domain-based Message Authentication Reporting and Conformance (DMARC)

Phishing

This playbook expands anti-phishing and spoofing capabilities using DMARC checks. Domain-based Message Authentication Reporting and Conformance (DMARC) is a technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms. By having DMARC in place, domain owners large and small can implement an extra layer of protection against business email compromise, phishing, and spoofing

The playbook starts with the parsing and analysis of important information of the email header such as domain, email address and IP. Next, a combination of checks are performed in order to determine if the email is legit or spoofed. Finally a user choice scenario is applied in order to let the final analyst decide what path to follow:

None (sends a report to a mail box with results checks)
Quarantine (sends the email to spam)
Reject (block the email)

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

165 - Vulnerability Handling - Nexpose

Threat Intel

Manages vulnerability remediation using Nexpose data, and optionally enriches data with 3rd-party tools.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

166 - CVE Enrichment - Generic v2

Red Team Tools

Performs CVE enrichment using the following integrations: VulnDB, CVE Search, and IBM X-Force Exchange.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

167 - Extract Indicators From File - Generic v2

CTI

This playbook extracts indicators from a file. Supported file types:

CSV
PDF
TXT
HTM, HTML
DOC, DOCX
PPT
PPTX
RTF
XLS
XLSX
XML

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

168 - Port Scan - Generic

Port Scanning

Investigate a port scanning incident. The incident can come from outside or inside the network. This playbook plans to conduct several queries based on the IP source (external or internal) to extract all information from the source device (replaceable with SIEM / SOAR / FW / any supported technology). Once the severity is set, the SOC analyst can update the locked ports contained in the incident. As a final, the incident will be manually reassigned / to a higher level and closed.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

169 - Palo Alto Networks - Endpoint Malware Investigation v3

CTI

The playbook performs host enrichment for the source host with Palo Alto Networks technologies and automatically performs file detonation for the extracted file. The playbook will run and enrich the incident with some basic information. Next, evaluation of severity will run and the analyst will be asked to decide if it's a true positive or not. Next he can choose to apply some remediation policies based on host isolation, block of URL/IP/ports or application. Finally notes and a final task to review the incident will be added.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

170 - Endpoint Investigation Plan

Threat Intelligence

This playbook was created to organize and plan an endpoint investigation. The playbook will run and the analyst will have to choose to analyze and hunt by indicators (attackers IP, attacked host, hash file) or by MITRE tactics. When choosing the right tactic, the related playbook will run. We can also play all tactics' playbooks. At the end in both cases notes will be added with results and an email will be sent to a specific email address.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

171 - Expanse VM Enrich

Vulnerability Assessment

This playbook was created to scan vulnerabilities of a specific asset using Tenable and Nexpose technologies. The playbook will run and perform scans using Tenable and Nexpose. You can choose to extract all the data and send it through email.

172 - PCAP Search

Threat Intelligence

This playbook was created to enrich an incident with details about a downloaded PCAP file. The playbook will run and enrich the data about the TCP/UDP port, IPs, protocol, and query used to retrieve the PCAP file. You can choose to extract all the data and send it through email.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

173 - Active Directory Investigation

Lateral Movement

This playbook was created to enrich an incident with details from Active Directory and investigate potentially suspicious activity. The playbook will run and enrich the data about the user/access list/groups/trees/schemas/object accesses and save all the information in notes. Next, an email will be sent to the analyst, prompting them to perform an investigation using the retrieved data. User choice will ask the analyst to determine whether the account was compromised. In addition, they will be asked whether they want to block the user. If the account is compromised, an email will be sent to the user and the manager.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

174 - Calculate Severity - Standard

Incident Response

This playbook was created to update the severity of the incident by taking into consideration also the impact of the incident. The playbook will run and check the severity, will ask the user to categorize the impact (localized, spread, wide). Based on the impact selected the incident, severity will update accordingly:

Low+Localized= Low
Medium=Localized=Low
High+Localized=Medium
Low+Spread=Low
Medium+Spread=High
High+Spread=High
Low+Wide=Medium
Medium+Wide=High
High+Wide=High

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

175 - Get Email - Gmail

General

Retrieves the original email and its headers and attachments (if any). Stores the information in incident fields or notes.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

176 - Get Email - EWS

General

Retrieves the original email and its headers and attachments (if any). Stores the information in incident fields or notes.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

177 - Carbon Black Rapid IOC Hunting

CTI

This is a simple but effective playbook to hunt a file in the Carbon Black database. The results will be saved into the notes of the incident. The playbook is ideal for nesting it in a more complex playbook, but can also be used as a standalone.

178 - Opswat Metadefender File Download

Threat Intelligence

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

185 - Convert file hash to corresponding hashes

Threat Intel

Gets all of the corresponding hashes for a file even if there is only one hash type available. For example, if we have only the SHA256 hash, the playbook will get the SHA1 hash and MD5 hash as long as the original searched hash is recognized by any our the threat intelligence integrations.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

187 - Cloud SOAR - CMDB Enrichment

CTI

Phishing

This playbook is used to parse email into internal and external. Internal emails will be enriched with information about the users. External emails will be enriched with threat intelligence feed about the domains found.

207 - Email Headers Check - Generic

Playbook designed to conduct threat intelligence activities with VirusTotal.

235 - AbuseIPDB Essential

CTI

This playbook enriches IP addresses with reputation information gathered from AbuseIPD.

236 - CSE - Suspicious Linux Command

Intrusion

This playbook was built to prevent intrusion attempts. Getting the insight details from Cloud SIEM, the playbook performs multiple checks filtering the results by IP, user activity, and geolocation. Once the initial enrichment is done, the event can be processed with a logical condition for further investigation and user choice for containment activities or marked as a false positive alert.

237 - Suspicious User Connection

Intrusion

This playbook was built to prevent lateral movement in your network.

Getting the insight details from Cloud SIEM, the playbook performs multiple checks for the source IP, from where the connection was established, and the system attributes of the host. After the initial phase, the playbook sets a logical condition that splits the process depending on whether user data is available or not. If user data is available for investigation, the user details will be collected for additional processing and confirmation of the established connection. If there is no data on the user, the playbook creates a ticket to forward the incident to the security operations team.

It is worth noting that the playbook executes an extended query for the IP and sets user choice to determine the final stage of the incident response, update the ticket as a valid connection established by the user, and do an extensive manual investigation of the event. If user data is available in AWS IAM, the playbook performs additional enrichment and processes the containment through user choice if needed.

Threat Intelligence

This playbook was built to enrich incident evidence with threat intelligence data from Blueliv.

Threat Intelligence

This playbook was built to perform queries with the Digital Shadows threat intelligence technology.

258 - URLHaus Essential

Threat Intelligence

This playbook was built to query domains, URLs, and hash values with the URLhaus technology.

259 - Gmail Essential

Incident Response

Incident Response

This playbook is used to integrate Cloud SOAR with Panda EDR, which allows the platform to get information about the device's security and, based on that, take some specific containment actions that can mitigate the threat and avoid propagation.

264 - Suspicious EDR Events

Incident Response

This playbook was built to enrich incidents and contain suspicious events coming from EDRs. Here we're using Qualys, but customers can replace it according to their needs.

265 - Trend Micro APEX ONE Essential

Incident Response

This playbook was built to enrich incidents and contain suspicious events and alerts coming from Trend Micro APEX ONE EDR.

266 - FortiSIEM Essential

Incident Management

This playbook was built to search for events in FortiSIEM, perform basic enrichment and follow up on the incident response process.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

267 - IBM QRadar Essential

Incident Management

This playbook was built to search for events in IBM QRadar, perform basic enrichment and follow up on the incident response process.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

268 - McAfee ESM Essential

Incident Management

This playbook was built to search for events in McAfee ESM, perform basic enrichment, and follow up on the incident response process.

DDOS

This playbook can be executed in case of a suspected distributed denial of service attack. It starts by performing a check to verify traffic and source IPs. If these exceed a certain threshold, the playbook execution continues with a second search. After that, it checks the use of the server resources under attack via SSH.

Next, if the Forcepoint technology is available in the instance, the playbook can mark a policy on FP that blocks and prevents the suspected IPs from doing additional damage. Subsequently, the playbook assesses the actual state and evaluates whether the attack is still active. If it is, the playbook performs CTI activities to detect whether the source IPs are malicious. It includes all the collected data in user choice, and it gives the analyst the possibility to block the sources. In the event of a ceased attack and false positive, the SOC will receive an email containing the report relating to the events.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

Intrusion

This playbook handles logins outside working hours.

278 - FortiMail Essential

Incident Response

This playbook is designed to perform enrichment activities with FortiMail and allows the analyst to decide which containment action to take.

279 - FireEye Email Security (EX) Essential

Incident Response

This playbook performs enrichment activities with FireEye Email Security.

280 - Proofpoint TAP Essential

Incident Response

This playbook allows you to get information about phishing campaigns with Proofpoint TAP.

281 - CrowdStrike Incident Remediation

Incident Response

This playbook helps you remediate an incident ingested by CrowdStrike. It allows prompt communication among everyone involved and quick remediation based on the retrieved information.

Brute Force

Once it receives a brute force alert from GuardDuty, this playbook will create an issue on Jira and populate it with the relevant information. After that, it will notify the resource owner, asking for justification or termination of its instance. Lastly, it performs a scan in the auth logs of the owner to complete the investigation.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

Threat Intelligence

This playbook allows you to integrate the ZScaler technology and automate containment processes using Cloud SOAR.

When a user tries to view a particular website and Cloud SOAR receives input that generates an incident, the playbook proceeds to collect categories present on ZScaler. Once the playbook obtains the necessary information, if a category is allowed, it checks the whitelist from ZScaler and creates a user choice. The user choice invites the SOC analyst to perform the action they consider to be the most appropriate.

If the category is not allowed, the playbook gets the ZScaler blacklist. As in the previous case, it creates a user choice that presents the SOC analyst with four different options depending on the incident. Once the analyst makes a choice, the playbook sends an email to the SOC Manager notifying him of what happened. In the end, it creates a task to review the created incident.

289 - ZeroFOX Essential

Threat Intelligence

This is an essential playbook that you can use to manage ZeroFOX alerts in Cloud SOAR. Typically, we suggest setting filters when configuring the daemon and further enriching the data with other threat intel technologies. The playbook will get an alert from ZeroFOX and assign it to a user. Then, it will ask the user to review and update the alert.

290 - URLscan.io Essential

Threat Intelligence

This is an essential playbook used to enrich incidents with URLscan.io. The playbook will collect the desired URL and launch three different enrichment actions using URLscan.io. It will store the results in the notes of the incident.

Incident Management

The purpose of this playbook is to collect the counter of incidents from various technologies (adaptable based on customers' needs), excluding counters that touched zero, store them all in notes, and then send them to the person in charge.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

303 - Get Reports at Given Periods of Observation

Incident Management

This playbook allows creating reports with specific technologies chosen by the customer at particular periods. In the end, it sends all the information to the right team.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

304 - Qualys Essential

Threat Intelligence

This is an essential playbook that allows you to enrich incidents using Qualys. The playbook uses a condition to determine whether an asset is already present in Qualys. If it's not, it adds it. The playbook performs a VM scan in both cases (present or not). In the final stage, the playbook gets the scan results and adds them as a note inside the SOAR.

305 - MISP OIF Essential

Threat Intelligence

This playbook allows you to enrich incidents with MISP threat intelligence information. It checks MISP for a specific attribute/object and whether it's already there. The playbook adds the missing attribute and enriches the incident with the appropriate information contained in a note.

306 - VMware Carbon Black EDR Essential

Malware

This playbook allows you to enrich files with VMWare Carbon Black EDR. The playbook gets all the data from the platform in the first enrichment action. Then, it processes the details by searching for alerts already triggered in Carbon Black and the list of processes running on a specific machine. In the last phase, the playbook creates a note with all the details for analysts to categorize the file correctly.

307 - Crane Pool Supervision - IoT

IOT

This playbook allows you to monitor a set of docks and cranes for unloading ships and trains for alarms. If a malfunction is reported, the crane is diagnosed, the emergency squad alerted, and the dock put in OFF mode. The ship traffic is diverted to a different dock, and the playbook distributes appropriate notification to traffic control.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

308 - Page Duty Engineers, via Phone Call With Twilio

Incident Management

This playbook contacts the on-call staff member if there is a need for intervention on their part during non-working hours. Thanks to Twilio, the playbook makes the first call. If the on-call answers, they will have to answer the user choice prompt too and confirm that they are present at their station. Otherwise, the playbook makes two more call attempts, after which an email will notify the on-call staff member's manager about the incident.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

309 - [RED TEAM] - Automatically VA and First Active Reconnaissance Activity

Red Team Tools

This playbook allows you to automate the first activities of active reconnaissance and collect the initial information necessary to start a penetration test activity. Once it sends the email with the host you want to scan, if the SOC analyst authorizes the scan through user choice, the playbook, interfacing with Kali Linux, will collect specific information about the machine using specific Nmap commands.

Where the web service is present on the host (TCP ports 80 and 443), the playbook will use other open source tools to deepen the scan, such as Nikto and Gobuster. Lastly, the playbook collects the data and saves it in special notes.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

310 - Alpha Mountain Essential

Threat Intelligence

This is an essential playbook that enriches incidents with the Alpha Mountain technology. The playbook starts by performing various enrichment actions on a particular URL/domain, which helps us gather different information, such as threat score, category, likely impersonations, and popularity. All these details can be saved in an incident field and as a note inside an incident.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

311 - Privilege Escalation in AWS - Unauthorized Access

Unauthorized Access

This playbook enriches suspicious events of possible unauthorized access in AWS. It activates when an external IP adds a user to a privileged group (domain admins or similar).

Starting with a Sumo Logic Cloud SIEM insight, a high fidelity alert, the playbook begins by saving the access logs in AWS and the duplicated IPs from the events in a CSV file. Once all the IOCs contained within the alert from the original Cloud SIEM insight have been collected, the playbook carries out two different IP reputation checks using XForce and AbuseIPDB and obtains two different results using Whois and XForce. Next, the playbook automatically gets the user groups and attributes of the affected user from AWS IAM and automatically analyzes what is collected through a machine choice action.

If the IP reputation has a negative score, the analyst can immediately notify the SOC team and AWS IAM administrator about the compromised user, creating a personalized note with all the details about the user. Finally, through user choice, which is an analyst decision, you can perform automatic containment, orchestrating AWS IAM and Checkpoint Firewall. The first allows you to remove the user from the group and delete the login profile and the access key, while the second allows you to block the external IP. Alternatively, you can decide to apply manual containment, and an automatically assigned task will appear in the SecOps Dashboard of the analyst. If the IP was considered non-harmful, the SOC team would be notified, and the incident will be marked as a False Positive.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

312 - Email Enrichment With Mail Tools

CTI

This playbook was built to automatically extract all the IOCs contained in an email using the Mail Tools integration and perform enrichment actions. If one or more IOCs are malicious, a user choice will prompt the user to automatically or manually do the containment actions. Otherwise, the incident will be reported as a false positive.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

313 - FortiProxy Essential

CTI

This playbook automates the analysis and containment processes using the FortiProxy technology. The playbook execution can vary depending on the activities of the user involved in the accident and based on different conditions. Where it's necessary to allow traffic, the playbook creates a policy that enables the user to continue browsing. Otherwise, it implements a new policy that blocks traffic.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

314 - SM Libraesva

Phishing

This playbook starts with an incoming email. In the first step, it collects detailed information about the received email using Libraesva. The flow continues by extracting attachments from the email and saving them within the incident so the playbook can perform further analysis. From there, the enrichment phase continues, allowing you to leverage the capabilities of various technologies to run a file reputation check on the attachments and an IP/Domain reputation check to find more information about the source. The obtained results are processed automatically to categorize the email.

In case of a potential phishing attack, the playbook sends an email to the security team and creates a task with the report related to the just performed analysis. In case of a false positive, SOAR sends an email notification and closes the incident automatically.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

315 - EDR Alert Enrichment

Forensic

This playbook should trigger when EDR sends a tagged email notification that informs the user about a suspicious website he/she accessed and to stop the navigation until new info about the accessed website is obtained. In the end, based on the scores, the user will obtain the results in a comprehensive language.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

316 - Attachments Threat Intel with CrowdStrikeFX

Threat Intelligence

This playbook is meant to upload a file attached to an email to the Crowdstrike Falcon X platform, perform the scanning and, based on the verdict, notify the person in charge of what happened with simplified details.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

317 - Leveraging Threat Intell Data with CrowdStrikeFX

Threat Intelligence

This playbook is meant to help the user to find information (reports in the last week for instance) about a certain threat using CrowdStrike Falcon X integration.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

318 - AWS CloudTrail Essential

Network Anomaly

Red Team Tools

This playbook was built to automatically execute a web scan using Kali. Once the scan is completed all the results found will be saved into a custom note for future usage.

328 - Port Scan With Kali

Red Team Tools

This playbook executes a port scan automatically using Kali. Once it completes the scan, it saves all the found results in a custom note for future usage.

329 - CSE Insights Enrichment Advanced

CTI

This playbook allows you to harvest information from a Cloud SIEM insight and gather data about the entities involved in an incident from different sources. It also enables you to add IOCs information as enrichment to the Cloud SIEM insight if that information is available.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

330 - Phishing Usecase Advanced

Phishing

This playbook analyses automatically an incoming suspect email for phishing, extracts all relevant IOCs, enriches all of them, ask the user if a manual escalation is required, and notifies all relevant parties.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

331 - DoS With Decision Tree Advanced

Denial of Service

The purpose of this playbook is to prevent DoS/DDoS attacks. When Cloud SOAR receives an alert, it tries to collect initial information regarding the impact of the DoS/DDoS attack and notifies the SOC team if some information is missing. It then gathers data about the involved interfaces and command history and sends the information to the SOC team through email.

Next, the playbook collects all the information from all the previous actions, after which it proceeds with additional activities (that is, execution of custom scripts, running SELECT query into the DB, and so on). After the playbook provides all the necessary information, it allows the analysts to conduct extra CTI activities to verify whether the IoCs are malicious, enabling them to decide on the following action by running an additional playbook (20 - Decision tree for DOS in our case).

Once they decide, the playbook can inform the technician or execute additional cmd, depending on the result of the previous playbook execution. Lastly, the playbook sends an incident summary and creates a user choice.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

332 - Threat Intelligence Incoming Alert - Format 1 Advanced

CTI

This playbook ingests CTI alerts referring to malicious IOCs that need to be enriched and blocked. It saves the input as a password-protected zip archive. If the playbook finds enrichment information, it will continue its running process. Otherwise, it will send a notification.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

333 - Decision Tree for DoS Advanced

Denial of Service

This playbook uses a decision tree to investigate whether the threshold, impact, and node type related to a suspected DoS attack validate ticket creation or not based on previous alerts.

By parsing an email and extracting different information to evaluate the impact of a DoS attack, the decision tree will check on some of the parsed values to understand which path to take—escalation and creation of a ticket or not. In any case, the playbook will contact the bandwidth service provider as well as the team lead for additional remediation actions if the severity is high.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

334 - Suspicious User and Brute Force Activity Advanced

Brute Force Attack

This playbook ingests alerts pointing to a possible brute force attack, intrusion, or password guessing. It performs preventive activities in Active Directory or other user management technologies, depending on the severity of the affected account. It also performs additional enrichment in SIEM to check past user activity. The playbook applies mitigation and containment under the supervision of users.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

Threat Intel

This playbook allows you to run various queries on different sources and check intel regarding IoCs. It stores the results in a CSV file under attachments.

Malware

This advanced playbook activates when malware is detected on an endpoint.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

346 - High-Priority Vulnerability Detected Advanced

Vulnerability Assessment

This playbook assists when an advanced high-priority vulnerability is detected. Its parent playbook is 90 - Vulnerability Management - Master.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

347 - Malicious Outbound Traffic Advanced

Malicious Communication

This playbook is associated with a child playbook — IP enrichment. It is best for cases of malicious outbound traffic. The playbook notifies the user and the SOC in case of detected malicious IOCs.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

348 - IP Enrichment Advanced

Malicious Communication

This playbook is suitable for when you need advanced IP enrichment.

349 - Malware Analysis Advanced

Malware

This playbook's purpose is to perform malware analysis of a possible infection with a manual check. It's an advanced version that improves the overall flow and process.

350 - Phishing Use Case - Malicious File or URL Advanced

Phishing

This playbook works for a phishing scenario, where a malicious file attachment or URL/domain can be processed and analyzed. It's an advanced version that improves the overall flow and process.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

351 - Ransomware Advanced

Ransomware

This playbook performs information gathering in the context of a ransomware event. It's an advanced version that offers a more efficient flow and process.

note

VPN_Events

This advanced playbook checks a user's VPN activity within a specific time interval.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

359 - Malware Sandbox Advanced

Malware

This playbook is best suited for malware scenarios that require sandbox analysis.

360 - Basic IP Reputation Advanced

Denial of Service

This playbook's purpose is to automatically detect malformed packets when a higher number of them are coming from different IPs. The playbook allows you to block the IP addresses (using the appropriate technology) through user choice.

361 - Anti-Debug Advanced

Malware

This playbook's primary purpose is to enable malware analysis by automating the discovery of anti-debug tricks in files using Python scripts. It targets anti-debugging techniques such as:

Flag checking and system calls (IsDebuggerPresent, PEB debugger flag, and more).
Structured/vectored exception handling.
Threat control.

If debug information isn't present, the playbook requires manual action to get the necessary info and proceed with the analysis.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

362 - Anti-VM Playbook Advanced

Malware

This playbook's primary purpose is to enable malware analysis by automating the discovery of anti-debug tricks in files using Python scripts. It targets anti-debugging techniques such as:

Flag checking and system calls (IsDebuggerPresent, PEB debugger flag, and more).
Structured/vectored exception handling.
Threat control.

370 - Data Breach Security Incident Advanced

Data Breach

This playbook is best suited for use in the event of an advanced data breach security incident.

If the playbook detects data breach-related events in the firewall or SIEM, it automatically performs CTI activities to track and identify the source of the violation. It prompts analysts to block the source IP and restore the user password. If the playbook does not find correlations regarding the possible data breach and firewall/SIEM events, it will inform the SOC and the original user. If the source user does not recognize the activities, the playbook creates a task automatically, allowing the user to decide how to proceed. Otherwise, the incident will be closed as a false positive.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

371 - DDoS Advanced

DDOS

An advanced distributed denial of service is a severe type of DDoS attack where attackers try to prevent the legitimate use of a service. These types of attacks come in two forms, attacks that crash services and attacks that flood services to the extreme so that they become unavailable. This playbook allows you to deal with this type of attack by using services such as VirusTotal, FireEye, Cuckoo Sandbox, McAfee, and more.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

372 - DDoS Spoof Advanced

Denial of Service

This advanced playbook is suitable for distributed denial-of-service use cases. The playbook performs an initial check to verify the traffic and the source IPs. If they exceed a certain threshold, the execution continues by carrying out a second search and checking the use of the server (under attack) resources via SSH. The playbook also performs CTI activities to determine whether the source IPs are malicious. It presents all the collected data in user choice, allowing the analysts to block the sources. In case of a stopped attack or false positive, the SOC will receive an email containing the report related to the events.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

373 - DLP Alert Advanced

Data Breach

This playbook receives a DLP alert that includes the source and destination addresses and hash value(s).

The playbook performs the following steps:

Gathers enrichment information on the source user name and address.
Queries a threat intelligence service for the destination address and upgrades incident priority for known threats and prompts analysts with user choice to block the destination address
Queries EDR for processes accessing the file (by hash), then checks them against threat intelligence. It prompts analysts with user choice to block the process by hash if it is a known threat.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

Legal

This playbook contains additional validation of events connected to data breaches to ensure investigation success.

The EU General Data Protection Regulation (GDPR 5853/12) emphasizes transparency, security, and accountability by data controllers while simultaneously standardizing and strengthening the right of European citizens to data privacy. It also extends to Non-EU businesses that process the personal data of EU residents. It introduces the role of a Data Protection Officer (DPO), required for government bodies and organizations conducting mass surveillance or mass processing of special categories of data. Additionally, it generally requires that organizations need a personal information inventory.

GDPR imposes mandatorily to report privacy breaches to the supervisory authority within 72 hours and potentially to the data subject. GDPR requests organizations to perform Privacy Impact Assessments (PIAs) if the activity is considered high-risk. A PIA is a process of systematically considering the potential impact of a new event (for example, deploying a new technology) on the private data exposure of individuals. It allows organizations to identify potential privacy issues before they arise and devise a plan to mitigate these threats.

Failing to report a breach to the supervisory authority can imply a penalty of up to 20,000,000 EUR or four percent of the previous year's global revenue. Typical cases that might end in a data breach are the following:

Intrusion
Theft/loss of mobile or PC
Accidental distribution of data (wrong recipient or wrong attachment)
Loss of digital supports or paper documents
System failure with loss of data (for example, database crash)

This playbook contains general information and is purely for guidance. It does not constitute legal advice or legal analysis. All organizations that process data must be aware that the GDPR applies directly to them.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

387 - Indicator of Compromise Update Advanced

General

This playbook allows you to extract helpful values (IP, hash, URL) and process them with regex rules. You can use the playbook to update and check for any new indicators of compromise related to an incident, such as hash values, IP addresses, or URLs, once the SOAR receives an external alert (Syslog or email).

388 - Lateral Movement Advanced

General

This playbook is best suited for cases of lateral movement. Starting from a suspicious alert (Syslog/email), the playbook checks whether the called URL/IP is not malicious (C&C). If the score is not positive, the playbook identifies the contacted host and quarantines it.

389 - Leveraging Threat Intelligence Advanced

Threat Intel

This playbook can be used to leverage threat intelligence from various sources, such as FireEye, Securonix, VirusTotal, etc.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

390 - Low Priority Vulnerability Detected Advanced

Vulnerability

This playbook can assist when a low-priority vulnerability is found. Its parent playbook is 90 - Vulnerability Management - Master. The engineers on duty receive an email corresponding to the severity level and priority of the identified vulnerabilities.

409 - Malware Investigation

Malware

This playbook enables you to automate EDR/XDR investigation. The playbook starts by carrying out additional enrichment and adds a note to the incident details. The SOC analyst can choose between further investigation (if necessary) or automatic containment for a confirmed malware infection on the endpoint.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

410 - C&C Communication Hunting

CTI

This playbook performs enrichment actions utilizing different technologies to detect possible intrusions. After validating the incident, the playbook performs enrichment actions on the endpoint, domains, and IPs found in the incident details. After the investigation, the analyst can perform containment actions using different technologies and inform the asset owner to help the investigation process. Ultimately, the playbook shares all the validated IOCs with the partner organizations.

note

Incident Management

This master playbook checks all live, scheduled, and upcoming Zoom meetings for a meeting passcode. If there's no passcode, it invokes a nested playbook — 418 - Zoom Scheduled Meeting Update Advanced. The nested playbook generates a random password, assigns it to the meeting, and sends an email notification containing the updated password to all the invited users.

418 - Zoom Scheduled Meeting Update Advanced

Incident Management

This playbook is nested within the workflow of the master playbook 417 - Zoom Conferencing Security Check — Master Advanced. It uses a script to generate a random passcode, passes it to the update-meeting-passcode action, pulls the meeting's original invite, and emails the new meeting password to everyone invited to the Zoom meeting.

419 - Zoom Live Meeting Update Advanced

This playbook ingests CTI alerts referring to malicious IOCs that need to be enriched and blocked in the firewall, DNS, and blacklist. The input is presented in individual files. The workflow continues if the enrichment is successful. Otherwise, the playbook informs the team that something is missing, and a new task asks the analyst to verify the input file passed to the playbook.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

429 - Basic Attack Triage Advanced

General

This playbook is helpful as a master playbook inside which you can execute multiple nested playbooks in case of multiple events. The playbook pertains to different possible kinds of events, for example:

Audit failure
Detected virus
Firewall denies
Brute forcing
Phishing

A specific nested playbook will be set up for each of these events. If there are no other events, the playbook creates specific tasks to update and validate the created triage event.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

430 - Security Awareness AD Advanced

KB4 Completed

This playbook adds or removes a user from an AD group. Once it parses a particular email, the playbook automatically checks whether the user retrieved from the email body is part of the AD group. If it is, it removes it (from the group). Otherwise, the playbook sends a notification and asks the analyst to perform a manual check. If the user is definitely not found, the incident closes automatically. If, on the other hand, it finds the user, the playbook sends a notification to the duty engineers regardless of whether the containment action succeeded or failed.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

431 - Phishing Triage Playbook Advanced

Phish Triage

This advanced playbook is suitable for handling a phishing event in triage, reported as an EML/MSG. By analyzing the URL and the hash contained in the source email, the playbook allows the user to proceed with containment actions, including blocking the URL and banning the hash.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

432 - Suspicious User Detection Advanced

Malware

This playbook best works for alerts pointing to suspicious activities or an intrusion. It includes event detail verification, notification of the relevant departments (active directory/domain management), and enrichment to check for the past user activity. Mitigation and containment can be applied under user supervision.

433 - SIEM Malware Detection Advanced

Malware

This playbook works for scenarios when users receive SIEM alerts for possible malware infections. It performs additional event/user validation and further enrichment with AD and EDR queries. Both automated and manual remediation are available through user choice.

434 - Industrial Security Advanced

General

This playbook analyzes the logs presented on Alleantia and Cyber Vision for an exceeded threshold after a defined period. It includes an additional condition for event information and enrichment validation. If the logs present sufficient suspicious information (for example, unknown host, a higher number of activities, and so on), the playbook gives the possibility to take two possible ways:

Perform an additional query using a nested playbook and execute all the containment actions
Mark the host as trusted and update Cisco Cyber Vision with the new trusted host information

If the initial condition fails, the playbook allows the user to reset the machine parameters through an additional user choice.

435 - Insider Threat Advanced

General

This playbook helps prevent suspicious user activities. Once the original alert is received, the playbook checks all user properties in AD. Then, it sets a conditional validation of user details. If user details are present, the next step is a search into the SIEM alerts. If all conditions are met, the playbook performs automatic containment actions and emails the duty engineers.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

436 - Malicious File Download Advanced

General

This playbook's purpose is to prevent PDL infections during user navigation. When Cloud SOAR receives the original syslog, it checks user activity, controls the domain reputation, and sets additional validation for enrichment. If the navigation result is dangerous for the user or the domain is malicious, the playbook performs automatic containment actions to protect the safety of the source computer.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

437 - Ransomware — Malware Outbreak, WannaCry Advanced

Ransomware

This playbook is used to respond to the WannaCry ransomware attack. Once alerts are ingested, notifications are sent to the incident response team and CEO/stakeholders. Next, a containment action will disconnect all devices from the network. After that, the playbook checks recent device connections and scans them on PhishTank. If the verdict is negative, it blocks the URLs. Accounts passwords will be reset, infected devices wiped, and their OS reinstalled. Finally, some additional manual tasks are required, such as restoring devices from backups, checking for shadow copies, and installing and updating antivirus software. This playbook allows you to perform further checks on traffic and block additional suspicious connections. If you still need to do so, patching Eternal Blue and EternalRomance on your machine is highly recommended.

438 - Ransomware — Malware Outbreak, Revil Advanced

Ransomware

This playbook is used to respond to the Revil ransomware attack. Once alerts are ingested, notifications are sent to the incident response team and CEO/stakeholders. Next, a containment action will disconnect all devices from the network. After that, the playbook checks recent device connections and scans them on PhishTank. If the verdict is negative, it blocks the URLs. Accounts passwords will be reset, infected devices wiped, and their OS reinstalled.

Finally, some additional manual tasks are required, such as restoring devices from backups, checking for shadow copies, and installing and updating antivirus software. This playbook allows you to perform further checks on traffic and block additional suspicious connections. Scanning your machines and comparing results to IoCs from the AlienVault database is the last step in the playbook.

439 - Ransomware — Malware Outbreak Advanced

Ransomware

General

This playbook is built to prevent host compromise more effectively and efficiently. After searching AWS events, the playbook presents users with three options:

If there are suspicious events, it performs an additional query to collect more information and gives SOC analysts the possibility to quarantine any infected hosts.
If the AWS events show multiple login attempts, the playbook runs a nested playbook to set a new password in Active Directory.
If, in a hybrid environment, it finds suspicious data (forwarded from Cloud SIEM) that looks like a lateral movement, the playbook activates another nested playbook

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

467 - Email Compromised - Leaked Advanced

Email

This playbook investigates whether a user's emails were leaked or not. It checks all their emails, relying on various services providing data leak information.

If the emails were leaked somewhere, the playbook informs the security team and performs containment actions to prevent additional risks, such as resetting the user's password, locking the mailbox, and sending an email containing the user's new password.

Analysts can choose between disabling the user, closing the incident (if it is a false positive), or listing the compromised credentials. If the playbook finds a compromised account and analysts disable the user, the playbook will notify the respective user.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

468 - Log4j Vulnerability Advanced

Log4J

This playbook uses Tenable.io with the Log4j shell Vulnerability Ecosystem template to scan your targets for a Log4j vulnerability. If it is a true positive and a target has a Log4j vulnerability, the playbook emails a scan report, sends a notification, sets the severity to high, and opens a task to review the resolution process. If there isn't any real threat or risk, the incident will be closed, and the playbook will send a notification informing of a false positive.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

469 - OT-IoT Security Cisco-Alleantia v4 Advanced

Intrusion attempt

This advanced playbook is suitable for ingesting alerts from industrial controllers. It carries out enrichment, helps you detect network flows impacting machines, and applies remediation under the supervision of the control room.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

470 - Slack - General Failed Logins v2.1 Advanced

Brute Force

This playbook helps you stop advanced brute force attack attempts. First, the playbook tries to ensure that the targeted Slack account is enabled by attempting to send a message to confirm it is active. By relying on user choices, the SOC analyst determines whether a user really attempted to log in with an incorrect password (false positive) or whether a brute force attack is in progress. Finally, the playbook alerts the user under attack and allows the SOC analyst to reset the user's password or deactivate the account if they haven't changed it.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

471 - Carbon Black Cloud - Remediation Advanced

Malware

477 - SolarWinds Orion — Exploit Mitigation (Full Automation) Advanced

Intrusion

This playbook allows you to check for, prevent, and contain potential SolarWinds SUNBURST and SUPERNOVA exploitations. The advanced playbook version improves the basic workflow and boosts efficiency.

The playbook starts by exploring traffic and searching for relevant alerts. It then creates a manual task to check the updates on the involved servers or workstations. If the traffic from SolarWinds Orion contains the known C&C server "avsvmcloud.com" or the Orion software is not updated, the playbook will:

Conduct a forensic investigation.
Examine compromised SolarWinds hosts.
Power down network interfaces, ending with a network block containment action.

Alternatively, if there are no traces of the C&C server mentioned above, the playbook verifies the Orion updates and traffic. In addition, it incorporates a helpful note that explains how the SUNBURST and SUPERNOVA vulnerabilities work.

Subsequently, the playbook presents the analyst with two user choices: the first checks the SolarWinds Orion version and the second looks to verify the presence of the malicious web-shell DLL "app_web_logoimagehandler.ashx.b6031896.dll" on the servers. If the SOC analyst confirms the SolarWinds versions are vulnerable, and the malicious file is present, the playbook executes an automatic scan to check for specific CVEs.

478 - CrowdStrike Detections — Compromised User — Triage

Malicious Activity

This playbook will be triggered by CrowdStrike alerts with low and medium severity. It extracts the compromised user account from the alert, searches into Azure AD for the user contact details and department, and then creates a note with the compromised user's details. Further, based on the user's department, the playbook retrieves the ISO from the Sharepoint list, searches for the ISO details in Azure AD, and then creates a note with the ISO contact details.

Afterward, the playbook prompts the analyst to contact and inform the ISO. The options are:

Send a notification to ISO automatically and create a note that ISO was notified.
Send a notification to ISO manually and create a note that ISO was notified.
Create a note that ISO was not notified.

In the end, the playbook sends a notification to escalate the triage event, and the analyst has to choose between converting it to an incident or discarding the triage event.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

479 - Account Enrichment - Essential Advanced

CTI

This playbook retrieves data from an Active Directory server and, performing additional checks, gives all the advanced information related to a specific account as output.

480 - Block Account — Essential Advanced

Intrusion

This playbook searches for a suspicious user inside the Active Directory server. If it finds it, it blocks the user and emails the engineer on duty. If it doesn't find it, the playbook assigns the on-duty engineer a manual review and investigation.

note

This playbook uses some actions available with Cloud SOAR only, but can be downloaded and reconfigured for Automation Service purposes.

Cloud SIEM

Send AWS SNS notification when an insight is created.

502 - Send Insight Email Notification

Cloud SIEM

Sends an email when an insight is created, if the severity of the insight is high. Intended to be used with the insight creation trigger on Cloud SIEM. Update your Email Address in the Send Email Action.

503 - Enrich Entity with CrowdStrike Falcon Intelligence

Cloud SIEM

Run Search Intelligence Indicators on entity, and post results to Cloud SIEM.

504 - Enrich Entity with DomainTools

Cloud SIEM

Run Domain, Email, or IP Reputation (depending on Entity type) with DomainTools, and post results to Cloud SIEM.

505 - Enrich IP with Geolocation from MaxMind

Cloud SIEM

Run Geolocate IP, and post results to Cloud SIEM.

Unauthorized Access

This playbook enriches suspicious events of possible unauthorized access in AWS. It activates when an external IP adds a user to a privileged group (Domain Admins or similar).

Install a playbook from App Central
Playbooks in App Central

Install a playbook from App Central​

Playbooks in App Central​

1 - Basic IP Reputation​

2 - Anti-Debug​

3 - Anti-VM playbook​

4 - Anti-Worm​

5 - AntiVirus Infection​

6 - AV Infection Detected​

7 - Basic playbook from SIEM Alarm​

8 - Blacklisting a Sender​

9 - Block user - Cookie Based​

10 - Brute Force Attack​

11 - Bruteforce on Account​

12 - Bruteforce on Service​

13 - Business Department Assignment and Notification​

14 - Change ownership​

15 - Connection to malicious IP with McAfee​

16 - Critical Vulnerability​

17 - Data Breach Security Incident​

18 - DDoS​

19 - DDoS Spoof​

20 - Decision tree for DOS​

21 - DLP Alert​

22 - DNA Evidence Analysis​

23 - Domain Blocking​

24 - DoS with Decision Tree​

25 - XSS Prevention​

26 - Easy Triage (IP Location)​

27 - Email Submission Block IP​

28 - Email Submission Return Receipt​

29 - Employee Fraud Report​

30 - Endpoint Malware Infection​

31 - Enrichment for Events Deduplication​

32 - Events Deduplication​

33 - Forensic Checklist​

34 - FortiWeb Directory Traversal​

35 - Fraud​

36 - GDPR Data Breach​

37 - High Priority Vulnerability Detected​

38 - Indicator of Compromise Update​

39 - IP Enrichment​

40 - Lateral Movement​

41 - Leveraging Threat Intelligence​

42 - Low Priority Vulnerability Detected​

43 - Mail Account Compromise​

44 - Mail Scan​

45 - Malicious Communication with Cisco AMP​

46 - Malicious IP​

47 - Malicious Outbound Traffic​

48 - Malware Analysis​

49 - Malware Analysis Dual Check​

50 - Malware Sandbox​

51 - McAfee ESM Enrichment​

52 - Medium priority Vulnerability Detected​

53 - Meltdown and Spectre​

54 - Misuse of Access​

55 - Notification - NO Analysis​

56 - Notification - YES Analysis​

57 - Notification playbook​

58 - Offense scan and User Reset​

59 - Outbound Network Investigation​

60 - Password Spray from External IP​

61 - Petya Ransomware​

62 - Phishing Attack​

63 - Phishing Detection - EWS​

64 - Phishing Email Handling​

65 - Phishing Usecase - Malicious File or URL​

66 - Phishing with AD check​

67 - Port Scanning from External IP​

68 - Port Scanning from External IP v2​

69 - Port Scanning from External IP v3​

70 - Powershell Exploitation v2​

71 - Processing Attachment​

72 - Qradar Malicious IP connection​

73 - Ransomware​

74 - Recon and Remediation with Malicious Attachment​

75 - Scheduled Upload Alert or Exfiltration​

76 - Security Incident​

77 - SitePhishing​

78 - Spear Phishing​

Install a playbook from App Central

Playbooks in App Central

1 - Basic IP Reputation

2 - Anti-Debug

3 - Anti-VM playbook

4 - Anti-Worm

5 - AntiVirus Infection

6 - AV Infection Detected

7 - Basic playbook from SIEM Alarm

8 - Blacklisting a Sender

9 - Block user - Cookie Based

10 - Brute Force Attack

11 - Bruteforce on Account

12 - Bruteforce on Service

13 - Business Department Assignment and Notification

14 - Change ownership

15 - Connection to malicious IP with McAfee

16 - Critical Vulnerability

17 - Data Breach Security Incident

18 - DDoS

19 - DDoS Spoof

20 - Decision tree for DOS

21 - DLP Alert

22 - DNA Evidence Analysis

23 - Domain Blocking

24 - DoS with Decision Tree

25 - XSS Prevention

26 - Easy Triage (IP Location)

27 - Email Submission Block IP

28 - Email Submission Return Receipt

29 - Employee Fraud Report

30 - Endpoint Malware Infection

31 - Enrichment for Events Deduplication

32 - Events Deduplication

33 - Forensic Checklist

34 - FortiWeb Directory Traversal

35 - Fraud

36 - GDPR Data Breach

37 - High Priority Vulnerability Detected

38 - Indicator of Compromise Update

39 - IP Enrichment

40 - Lateral Movement

41 - Leveraging Threat Intelligence

42 - Low Priority Vulnerability Detected

43 - Mail Account Compromise

44 - Mail Scan

45 - Malicious Communication with Cisco AMP

46 - Malicious IP

47 - Malicious Outbound Traffic

48 - Malware Analysis

49 - Malware Analysis Dual Check

50 - Malware Sandbox

51 - McAfee ESM Enrichment

52 - Medium priority Vulnerability Detected

53 - Meltdown and Spectre

54 - Misuse of Access

55 - Notification - NO Analysis

56 - Notification - YES Analysis

57 - Notification playbook

58 - Offense scan and User Reset

59 - Outbound Network Investigation

60 - Password Spray from External IP

61 - Petya Ransomware

62 - Phishing Attack

63 - Phishing Detection - EWS

64 - Phishing Email Handling

65 - Phishing Usecase - Malicious File or URL

66 - Phishing with AD check

67 - Port Scanning from External IP

68 - Port Scanning from External IP v2

69 - Port Scanning from External IP v3

70 - Powershell Exploitation v2

71 - Processing Attachment

72 - Qradar Malicious IP connection

73 - Ransomware

74 - Recon and Remediation with Malicious Attachment

75 - Scheduled Upload Alert or Exfiltration

76 - Security Incident

77 - SitePhishing

78 - Spear Phishing