With complete visibility across your environment, our expert team of analysts can enrich endpoint investigations, better detect suspicious activity, and quickly neutralize active threats. These models can be used for everything from content generation to semantic search and classification. Can be used to implement commands that call the XSOAR API in the background. reviews by company employees or direct competitors. ACTI provides intelligence regarding security threats and vulnerabilities. [54][55][56] These trademark applications were filed almost a year after the Internet Security Research Group, parent organization of Let's Encrypt, started using the name Let's Encrypt publicly in November 2014,[57] and despite the fact that Comodo's "intent to use" trademark filings acknowledge that it has never used "Let's Encrypt" as a brand. The Security Management Appliance (SMA) is used to centralize services from Email Security Appliances (ESAs) and Web Security Appliances (WSAs). This playbook remediates the Valid Accounts technique using intelligence-driven Courses of Action (COA) defined by the Palo Alto Networks Unit 42 team. This integration provides access to information about endpoints, acquisitions, alerts, indicators, and containment. The venture's initial investments included business-to-business payment company Veem, wearable device company Muse, telemetry company Mojio[54][55][56] and brain health technology company Interaxon. Use the RSA Archer v2 integration instead. Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise. Use this feed integration to fetch VirusTotal Livehunt notifications as indicators. Set grid for RaDark - Credit Cards incidents. The integration uses an unsupported scraping API. We need to create a balance between their own personal data and the company data. Handles incidents triggered from the PANW IoT (Zingbox) UI to un-quarantine a device in Cisco ISE.
Check any URL to detect suspicious behavior. Sixgill Darkfeed Enrichment powered by the broadest automated collection from the deep and dark web is the most comprehensive IOC enrichment solution on the market. Parses a Ticket Summary containing a username='username' and optionally a departure='date' and adds the user to the Code42 Departing Employee list. This playbook is triggered by the discovery of a misconfiguration of password complexity in Active Directory by an auditing tool. This widget displays Cortex XDR identity information. Load and return the processes file (generated from the cs-falcon-rtr-list-network-stats command) content. A script to generate an investigation summary report in an automated way. Checks whether the given value is within the specified time (hour) range. Here you'll find all the information you need about our free products and tools for Windows and Mac desktops - for Mobile apps go to Mobile Device Protection. [24], Comodo volunteered to a Symantec vs. Comodo independent review. This playbook detects the ransomware type and searches for available decryptors.
AWS Simple Notification Service (AWS SNS), Azure Active Directory Identity And Access, Azure Active Directory Identity Protection (Deprecated), BitSight for Security Performance Management, Cisco Email Security Appliance (IronPort) (Deprecated), Cisco Secure Cloud Analytics (Stealthwatch Cloud), Cisco Secure Network Analytics (Stealthwatch), CrowdStrike Falcon Sandbox v2 (Hybrid-Analysis), Cybersixgill DVE Feed Threat Intelligence (Deprecated), Cybersixgill DVE Feed Threat Intelligence v2, Cyren Threat InDepth Threat Intelligence Feed, Group-IB Threat Intelligence & Attribution, Group-IB Threat Intelligence & Attribution Feed, Mandiant Automated Defense (Formerly Respond Software), McAfee Threat Intelligence Exchange (Deprecated), Microsoft Defender for Cloud Apps Event Collector, Microsoft Defender for Endpoint Event Collector, Microsoft Management Activity API (O365 Azure Events), Microsoft Policy And Compliance (Audit Log), O365 - Security And Compliance - Content Search, O365 - Security And Compliance - Content Search v2, O365 File Management (Onedrive/Sharepoint/Teams), Palo Alto Networks - Prisma Cloud Compute, Palo Alto Networks Cortex XDR - Investigation and Response, Palo Alto Networks PAN-OS EDL Management (Deprecated), Palo Alto Networks Security Advisories (Beta), Palo Alto Networks Threat Vault (Deprecated), Proofpoint Protection Server (Deprecated), Proofpoint Threat Response Event Collector, Quest KACE Systems Management Appliance (Beta), Recorded Future Attack Surface Intelligence, ReversingLabs Ransomware and Related Tools Feed, Service Desk Plus (On-Premise) (Deprecated), Starter Base Integration - Name the integration as it will appear in the XSOAR UI, Symantec Advanced Threat Protection (Deprecated), Symantec Blue Coat Content and Malware Analysis (Beta), Symantec Data Loss Prevention (Deprecated), Thales SafeNet Trusted Access Event Collector, VMware Carbon Black EDR (Live Response API), VMware Carbon Black Endpoint Standard (Deprecated), 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf, Accessdata: Dump memory for malicious process, https://xsoar.pan.dev/docs/integrations/iam-integrations, ACTI Create Report-Indicator Associations, Active Directory - Get User Manager Details, Add Indicator to Miner - Palo Alto MineMeld, Add Unknown Indicators To Inventory - RiskIQ Digital Footprint, Agari Message Remediation - Agari Phishing Defense, Alibaba ActionTrail - multiple unauthorized action attempts detected by a user, Analyze URL - ReversingLabs TitaniumCloud, Arcanna-Generic-Investigation-V2-With-Feedback, Arcsight - Get events related to the Case, Auto Add Assets - RiskIQ Digital Footprint, Auto Update Or Remove Assets - RiskIQ Digital Footprint, Autofocus Query Samples, Sessions and Tags, https://autofocus.paloaltonetworks.com/#/dashboard/organization, AWS IAM User Access Investigation - Remediation, Azure Log Analytics - Query From Saved Search, Block Domain - Proofpoint Threat Response, Block Domain - Symantec Messaging Gateway, Block IOCs from CSV - External Dynamic List, BreachRx - Create Incident and get Active Tasks, Brute Force Investigation - Generic - SANS, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901, Bulk Export Devices to ServiceNow - PANW IoT 3rd Party Integration, Bulk Export to Cisco ISE - PANW IoT 3rd Party Integration, Bulk Export to SIEM - PANW IoT 3rd Party Integration, Calculate Severity - 3rd-party integrations, Calculate Severity - Indicators DBotScore, Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise, Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise, http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.82, Carbon black Protection Rapid IOC Hunting, Carbon Black Response - Unisolate Endpoint, Case Management - Generic - Set SLAs based on Severity, Check Indicators For Unknown Assets - RiskIQ Digital Footprint, Check IP 
Address For Whitelisting - RiskIQ Digital Footprint, Checkpoint - Block IP - Custom Block Rule, Checkpoint - Publish&Install configuration, Checkpoint Firewall Configuration Backup Playbook, ChronicleAssets Investigation And Remediation - Chronicle, CimTrak - Example - Scan Compliance By IP, Cisco FirePower- Append network group object, Cloud IDS-IP Blacklist-GCP Firewall_Append, Cloud IDS-IP Blacklist-GCP Firewall_Combine, Cloud IDS-IP Blacklist-GCP Firewall_Extract, Cluster Report Categorization - Cofense Triage v3, Code42 Add Departing Employee From Ticketing System, Compromised Credentials Match - Flashpoint, Convert file hash to corresponding hashes, Cortex ASM - Vulnerability Management Enrichment, Cortex XDR - AWS IAM user access investigation, https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response, Cortex XDR - False Positive Incident Handling, Cortex XDR - Get File Path from alerts by hash, Cortex XDR - PrintNightmare Detection and Response, Cortex XDR - True Positive Incident Handling, https://xsoar.pan.dev/docs/incidents/incident-jobs, Cortex XDR Malware - Investigation And Response, CrowdStrike Falcon - False Positive Incident Handling, CrowdStrike Falcon - Get Detections by Incident, CrowdStrike Falcon - Get Endpoint Forensics Data, CrowdStrike Falcon - Search Endpoints By Hash, CrowdStrike Falcon - SIEM ingestion Get Incident Data, CrowdStrike Falcon - True Positive Incident Handling, CrowdStrike Falcon Malware - Incident Enrichment, CrowdStrike Falcon Malware - Investigation and Response, CrowdStrike Falcon Malware - Verify Containment Actions, CrowdStrike Falcon Sandbox - Detonate file, CVE-2021-22893 - Pulse Connect Secure RCE, Exploitation of Pulse Connect Secure Vulnerabilities, CVE-2021-34527 | CVE-2021-1675 - PrintNightmare, Microsoft MSHTML Remote Code Execution Vulnerability, Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228), Threat Brief: Atlassian Confluence Remote Code Execution 
Vulnerability (CVE-2022-26134), Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability, CVE-2022-3786 & CVE-2022-3602 - OpenSSL X.509 Buffer Overflows, Unit42 Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows, NCSC-NL - OpenSSL overview Scanning software, CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell, Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell), Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082, Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server, WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER, ProxyNotShell the story of the claimed zero days in Microsoft Exchange, Darkfeed IOC detonation and proactive blocking, Demisto Self-Defense - Account policy monitoring playbook, Detonate File - FireEye Detection on Demand, Detonate File - ReversingLabs TitaniumScale, Detonate Remote File from URL - McAfee ATD, Digital Defense FrontlineVM - Old Vulnerabilities Found, Digital Defense FrontlineVM - PAN-OS block assets, Digital Defense FrontlineVM - Scan Asset Not Recently Scanned, Digital Shadows - CVE_IoC Assessment & Enrichment, Digital Shadows - Domain Alert Intelligence (Automated), Digital Shadows - Domain_IoC Assessment & Enrichment, Digital Shadows - IoC Assessment & Enrichment, Digital Shadows - IP_IoC Assessment & Enrichment, Digital Shadows - MD5_IoC Assessment & Enrichment, Digital Shadows - SHA1_IoC Assessment & Enrichment, Digital Shadows - SHA256_IoC Assessment & Enrichment, Digital Shadows - URL_IoC Assessment & Enrichment, DropBox - Massive scale operations on files, Employee Offboarding - Gather User Information, Employee Offboarding - Revoke Permissions, Endpoint Enrichment By EntityId - XM Cyber, Endpoint Enrichment By Hostname - XM Cyber, Endpoint Malware Investigation - Generic V2, Enrich Incident With Asset Details - RiskIQ Digital 
Footprint, Enrich McAfee DXL using 3rd party sandbox, Enrich McAfee DXL using 3rd party sandbox v2, Example-Delinea-Retrieved Username and Password, Expanse Find Cloud IP Address Region and Service, Export Single Alert to ServiceNow - PANW IoT 3rd Party Integration, Export Single Asset to SIEM - PANW IoT 3rd Party Integration, Export Single Vulnerability to ServiceNow - PANW IoT 3rd Party Integration, Extract Indicators From File - Generic v2, File Enrichment - Virus Total Private API, File Reputation - ReversingLabs TitaniumCloud, FireEye Red Team Tools Investigation and Response, Get Email From Email Gateway - Proofpoint Protection Server, Get File Sample By Hash - Carbon Black Enterprise Response, Get File Sample By Hash - Cylance Protect, Get File Sample By Hash - Cylance Protect v2, Get File Sample From Path - Carbon Black Enterprise Response, Get File Sample From Path - VMware Carbon Black EDR - Live Response API, Get Original Email - Microsoft Graph Mail, Get the binary file from Carbon Black by its MD5 hash, https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/, https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, Handle Expanse Incident - Attribution Only, Health Check - Log Analysis Read All files, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, Hostname And IP Address Investigation And Remediation - Chronicle, Hurukai - Add indicators to HarfangLab EDR, Hurukai - Process Indicators - Manual Review, IAM - Deactivate User In Active Directory, IAM - Send Provisioning Notification Email, http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act, https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf, 
Incident Postprocessing - Group-IB Threat Intelligence & Attribution, Incremental Export Devices to ServiceNow - PANW IoT 3rd Party Integration, Incremental Export to Cisco ISE - PANW IoT 3rd Party Integration, Incremental Export to SIEM - PANW IoT 3rd Party Integration, Integrations and Incidents Health Check - Running Scripts, Investigate On Bad Domain Matches - Chronicle, IP Enrichment - External - RST Threat Feed, IP Whitelist And Exclusion - RiskIQ Digital Footprint, JOB - Cortex XDR query endpoint device control violations, JOB - Integrations and Incidents Health Check, JOB - Integrations and Incidents Health Check - Lists handling, JOB - XSOAR - Export Selected Custom Content, Kaseya VSA 0-day - REvil Ransomware Supply Chain Attack, Kaseya Incident Overview & Technical Details, Launch Adhoc Command Generic - Ansible Tower, Launch And Fetch Compliance Policy Report - Qualys, Launch And Fetch Compliance Report - Qualys, Launch And Fetch Host Based Findings Report - Qualys, Launch And Fetch Remediation Report - Qualys, Launch And Fetch Scan Based Findings Report - Qualys, Launch And Fetch Scheduled Report - Qualys, Malware Investigation & Response Incident Handler, Malware Investigation and Response - Set Alerts Grid, Malware SIEM Ingestion - Get Incident Data, McAfee ePO Endpoint Compliance Playbook v2, McAfee ePO Endpoint Connectivity Diagnostics Playbook v2, McAfee ePO Repository Compliance Playbook, McAfee ePO Repository Compliance Playbook v2, MDE - Host Advanced Hunting For Network Activity, MDE - Host Advanced Hunting For Persistence, MDE - Host Advanced Hunting For Powershell Executions, Microsoft 365 Defender - Emails Indicators Hunt, Microsoft 365 Defender - Get Email URL Clicks, Microsoft 365 Defender - Threat Hunting Generic, Microsoft Defender Advanced Threat Protection Get Machine Action Status, Microsoft Defender For Endpoint - Collect investigation package, 
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/collect-investigation-package?view=o365-worldwide, Microsoft Defender For Endpoint - Isolate Endpoint, Microsoft Defender for Endpoint - Malware Detected, Microsoft Defender For Endpoint - Unisolate Endpoint, Microsoft Office File Enrichment - Oletools, MITRE ATT&CK - Courses of Action Trigger Job, MITRE ATT&CK CoA - T1003 - OS Credential Dumping, MITRE ATT&CK CoA - T1005 - Data from Local System, MITRE ATT&CK CoA - T1021.001 - Remote Desktop Protocol, MITRE ATT&CK CoA - T1027 - Obfuscated Files or Information, MITRE ATT&CK CoA - T1041 - Exfiltration Over C2 Channel, MITRE ATT&CK CoA - T1048 - Exfiltration Over Alternative Protocol, MITRE ATT&CK CoA - T1057 - Process Discovery, MITRE ATT&CK CoA - T1059 - Command and Scripting Interpreter, MITRE ATT&CK CoA - T1059.001 - PowerShell, MITRE ATT&CK CoA - T1068 - Exploitation for Privilege Escalation, MITRE ATT&CK CoA - T1071 - Application Layer Protocol, MITRE ATT&CK CoA - T1078 - Valid Accounts, MITRE ATT&CK CoA - T1082 - System Information Discovery, MITRE ATT&CK CoA - T1083 - File and Directory Discovery, MITRE ATT&CK CoA - T1105 - Ingress tool transfer, MITRE ATT&CK CoA - T1133 - External Remote Services, MITRE ATT&CK CoA - T1135 - Network Share Discovery, MITRE ATT&CK CoA - T1189 - Drive-by Compromise, MITRE ATT&CK CoA - T1199 - Trusted Relationship, MITRE ATT&CK CoA - T1204 - User Execution, MITRE ATT&CK CoA - T1486 - Data Encrypted for Impact, MITRE ATT&CK CoA - T1518 - Software Discovery, MITRE ATT&CK CoA - T1543.003 - Windows Service, MITRE ATT&CK CoA - T1547 - Boot or Logon Autostart Execution, MITRE ATT&CK CoA - T1547.001 - Registry Run Keys Startup Folder, MITRE ATT&CK CoA - T1560.001 - Archive via Utility, MITRE ATT&CK CoA - T1562.001 - Disable or Modify Tools, MITRE ATT&CK CoA - T1564.004 - NTFS File Attributes, MITRE ATT&CK CoA - T1566.001 - Spear-Phishing Attachment, MITRE ATT&CK CoA - T1569.002 - Service Execution, MITRE ATT&CK 
CoA - T1573.002 - Asymmetric Cryptography, Mitre Attack - Extract Technique Information From ID, NetOps - Firewall Version and Content Upgrade, https://www.dos.ny.gov/consumerprotection/pdf/infosecbreach03.pdf, https://www.nysenate.gov/legislation/laws/GBS/899-AA, Mitre technique T1046 - Network Service Scanning, NOBELIUM - wide scale APT29 spear-phishing, https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, NSA - 5 Security Vulnerabilities Under Active Nation-State Attack, https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF, O365 - Security And Compliance - Search Action - Delete, O365 - Security And Compliance - Search Action - Preview, O365 - Security And Compliance - Search And Delete, Online Brand Protection Detect and Respond, Palo Alto Networks - Endpoint Malware Investigation, Palo Alto Networks - Endpoint Malware Investigation v2, Palo Alto Networks - Endpoint Malware Investigation v3, Palo Alto Networks - Hunting And Threat Detection, PAN-OS - Apply Security Profile to Policy Rule, PAN-OS - Block all unknown and unauthorized applications, PAN-OS - Block Domain - External Dynamic List, PAN-OS - Block IP and URL - External Dynamic List, PAN-OS - Block IP and URL - External Dynamic List v2, PAN-OS - Enforce Anti-Spyware Best Practices Profile, PAN-OS - Enforce Anti-Virus Best Practices Profile, PAN-OS - Enforce File Blocking Best Practices Profile, PAN-OS - Enforce URL Filtering Best Practices Profile, PAN-OS - Enforce Vulnerability Protection Best Practices Profile, PAN-OS - Enforce WildFire Best Practices Profile, PAN-OS Log Forwarding Setup And Configuration, PAN-OS logging to Cortex Data Lake - Action Required, PAN-OS to Cortex Data Lake Monitoring - Cron Job, PANW - Hunting and threat detection by indicator type, PANW - Hunting and threat detection by indicator type V2, PANW IoT Incident Handling with ServiceNow, 
Policy Optimizer - Add Applications to Policy Rules, Policy Optimizer - Manage Port Based Rules, Policy Optimizer - Manage Rules with Unused Applications, Prisma Access Whitelist Egress IPs on SaaS Services, Prisma Cloud - Find AWS Resource by Public IP, Prisma Cloud - Find Azure Resource by FQDN, Prisma Cloud - Find Azure Resource by Public IP, Prisma Cloud - Find GCP Resource by Public IP, Prisma Cloud - Find Public Cloud Resource by FQDN, Prisma Cloud - Find Public Cloud Resource by Public IP, Prisma Cloud Compute - Cloud Discovery Alert, Prisma Cloud Compute - Vulnerability Alert, Prisma Cloud Compute Vulnerability and Compliance Reporting, Prisma Cloud Remediation - AWS CloudTrail is not Enabled on the Account, Prisma Cloud Remediation - AWS EC2 Instance Misconfiguration, Prisma Cloud Remediation - AWS EC2 Security Group Misconfiguration, Prisma Cloud Remediation - AWS IAM Password Policy Misconfiguration, Prisma Cloud Remediation - AWS IAM Policy Misconfiguration, Prisma Cloud Remediation - AWS Inactive Users For More Than 30 Days, Prisma Cloud Remediation - AWS Security Groups Allows Internet Traffic To TCP Port, Prisma Cloud Remediation - Azure AKS Cluster Misconfiguration, Prisma Cloud Remediation - Azure AKS Misconfiguration, Prisma Cloud Remediation - Azure Network Misconfiguration, Prisma Cloud Remediation - Azure Network Security Group Misconfiguration, Prisma Cloud Remediation - Azure SQL Database Misconfiguration, Prisma Cloud Remediation - Azure SQL Misconfiguration, Prisma Cloud Remediation - Azure Storage Blob Misconfiguration, Prisma Cloud Remediation - Azure Storage Misconfiguration, Prisma Cloud Remediation - GCP Kubernetes Engine Cluster Misconfiguration, Prisma Cloud Remediation - GCP Kubernetes Engine Misconfiguration, Prisma Cloud Remediation - GCP VPC Network Firewall Misconfiguration, Prisma Cloud Remediation - GCP VPC Network Misconfiguration, Prisma Cloud Remediation - GCP VPC Network Project Misconfiguration, 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)#using-filters-to-limit-etl-trace-file-details, Quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration, Rapid Breach Response - Set Incident Info, Recorded Future Leaked Credential Alert Handling, Recorded Future Vulnerability Alert Handling, Remediate Message - Agari Phishing Defense, Report Categorization - Cofense Triage v3, Residents Notification - Breach Notification, Retrieve Email Data - Agari Phishing Defense, RiskIQAsset Enrichment - RiskIQ Digital Footprint, Rubrik Anomaly Incident Response - Rubrik Polaris, Rubrik Data Object Discovery - Rubrik Polaris, Rubrik Fileset Ransomware Discovery - Rubrik Polaris, Rubrik Poll Async Result - Rubrik Polaris, Rubrik Ransomware Discovery and File Recovery - Rubrik Polaris, Rubrik Ransomware Discovery and VM Recovery - Rubrik Polaris, Saas Security - Take Action on the Incident, SafeBreach - Compare and Validate Insight Indicators, SafeBreach - Create Incidents per Insight and Associate Indicators, SafeBreach - Process Behavioral Insights Feed, SafeBreach - Process Non-Behavioral Insights Feed, SafeNet Trusted Access - Add to Unusual Activity Group, SafeNet Trusted Access - Terminate User SSO Sessions, SailPoint IdentityIQ Disable User Account Access, SANS - Incident Handler's Handbook Template, Search Endpoints By Hash - Carbon Black Protection, Search Endpoints By Hash - Carbon Black Response, Search Endpoints By Hash - Carbon Black Response V2, Set RaDark Grid For Network Vulnerabilities, SolarStorm and SUNBURST Hunting and Response Playbook, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/, https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html, CVE-2022-22965: Spring Core Remote Code Execution 
Vulnerability Exploited In the Wild, SX - AD - Default Password Policy Misconfig Discovered, SX - AD - GPP - Reversible Enc' & Obfuscated passwords, SX - AD - Lockout Policy Manual Mitigation Steps, SX - AD - NetBios Manual Mitigation Steps, SX - AD - Password Age & Complexity Manual Mitigation Steps, SX - AD - Password Age & Length & Complexity Manual Mitigation Steps, SX - AD - Password Age & Length Manual Mitigation Steps, SX - AD - Password Age Manual Mitigation Steps, SX - AD - Password Complexity Manual Mitigation Steps, SX - AD - Password Length & Complexity Manual Mitigation Steps, SX - AD - Password Length Manual Mitigation Steps, SX - AD - Powershell V2 Manual Mitigation Steps, SX - AD - Service Account in Privileged Group Manual Mitigation Steps, SX - AD - Service Accounts Password Policy, SX - AD - SMB Signing Manual Mitigation Steps, T1059 - Command and Scripting Interpreter, Tag massive and internal IOCs to avoid EDL listing, TIM - Indicators Exclusion By Related Incidents, TIM - Process Domain Registrant With Whois, TIM - Process File Indicators With File Hash Type, TIM - Process Indicators - Fully Automated, TIM - Process Indicators Against Approved Hash List, TIM - Process Indicators Against Business Partners Domains List, TIM - Process Indicators Against Business Partners IP List, TIM - Process Indicators Against Business Partners URL List, TIM - Process Indicators Against Organizations External IP List, TIM - Review Indicators Manually For Whitelisting, TIM - Run Enrichment For All Indicator Types, TIM - Run Enrichment For Domain Indicators, TIM - Update Indicators Organizational External IP Tag, Tufin - Enrich Source & Destination IP Information, Tufin - Get Application Information from SecureApp, Tufin - Get Network Device Info by IP Address, Un-quarantine Device in Cisco ISE - PANW IoT 3rd Party Integration, Update Or Remove Assets - RiskIQ Digital Footprint, Uptycs - Outbound Connection to Threat IOC Incident, Vulnerability Handling - Qualys 
- Add custom fields to default layout, Vulnerability Scan - RiskIQ Digital Footprint - Tenable.io, WhisperGate and HermeticWiper & CVE-2021-32648, UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict, Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-roles/shift-management.html#idf554fd0f-f93b-40cd-9111-1393bf25ac6e, ChronicleAssetEventsForHostnameWidgetScript, ChronicleAssetEventsForProductIDWidgetScript, ChronicleDomainIntelligenceSourcesWidgetScript, ChronicleListDeviceEventsByEventTypeWidgetScript, ChroniclePotentiallyBlockedIPWidgetScript, https://xsoar.pan.dev/docs/reference/playbooks/d-bot-create-phishing-classifier-v2, CortexXDRAdditionalAlertInformationWidget, https://docs.python.org/3/library/hashlib.html, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide.html, ForescoutEyeInspectButtonGetVulnerabilityInfo, GeneratePANWIoTDeviceTableQueryForServiceNow, GetCampaignLowerSimilarityIncidentsIdsAsOptions, https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/playbooks/automations.html, IncidentsCheck-NumberofIncidentsWithErrors, IncidentsCheck-NumberofTotalEntriesErrors, IncidentsCheck-Widget-IncidentsErrorsInfo, IncidentsCheck-Widget-NumberFailingIncidents, IncidentsCheck-Widget-UnassignedFailingIncidents, IntegrationsCheck-Widget-IntegrationsCategory, IntegrationsCheck-Widget-IntegrationsErrorsInfo, IntegrationsCheck-Widget-NumberFailingInstances, https://en.wikipedia.org/wiki/Private_network, https://stedolan.github.io/jq/manual/#Invokingjq, https://demisto.developers.paloaltonetworks.com/docs/incidents/incident-pre-processing, RapidBreachResponse-CompletedTasksCount-Widget, 
RapidBreachResponse-EradicationTasksCount-Widget, RapidBreachResponse-HuntingTasksCount-Widget, RapidBreachResponse-MitigationTasksCount-Widget, RapidBreachResponse-RemainingTasksCount-Widget, RapidBreachResponse-RemediationTasksCount-Widget, RapidBreachResponse-TotalIndicatorCount-Widget, RapidBreachResponse-TotalTasksCount-Widget, RiskIQDigitalFootprintAssetDetailsWidgetScript, RiskIQPassiveTotalHostPairsChildrenWidgetScript, RiskIQPassiveTotalHostPairsParentsWidgetScript, RiskIQPassiveTotalSSLForIssuerEmailWidgetScript, RiskIQPassiveTotalSSLForSubjectEmailWidgetScript, TaniumFilterComputersByIndexQueryFileDetails, https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_something.html, Use the Inventa integration to generate DSAR reports within the Inventa instance and retrieve DSAR data for XSOAR.