PaloAlto Potential C2 Connection - Main
The PaloAlto Potential C2 Connection playbook investigates an incident triggered by a destination IP address that is suspected to be a command-and-control (C2) server.
Trigger - retrieves the incident details from the Logpoint SIEM and starts the investigation.
Script - uses a Python script to split the incident's search query at its pipe operators and remove the `chart count() by` aggregation stage, so that the remaining filter returns the raw matching events instead of the aggregated counts that raised the alert.
Query - takes the query from Script and runs it in Logpoint SIEM.
For Each - loops the query results from the Query action block through each element and feeds them into the sub-playbook.
Playbook - runs the sub-playbook PaloAlto Potential C2 Investigation, which further investigates each suspected C2 connection.
End - returns the results and ends the playbook.
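The query rewriting done by the Script block, followed by the per-row handoff that the For Each block performs, as an added example. This is not the playbook's own script or Logpoint code: the sample alert query, the result rows and the field name destination_address are constructed here for illustration, and the exact search syntax of the real incident query is an assumption.

```python
import re

# Constructed sample incident query (an assumption, not from the playbook):
# an alert rule that counts Palo Alto threat events per destination IP.
SAMPLE_QUERY = (
    'norm_id=PaloAltoNGFW log_type=THREAT threat_category=command-and-control '
    '| chart count() by destination_address'
)

# Constructed raw search results, as the Query block would return them once
# the aggregation has been stripped (field names are assumed).
SAMPLE_RESULTS = [
    {"source_address": "10.1.4.22", "destination_address": "203.0.113.7"},
    {"source_address": "10.1.4.35", "destination_address": "203.0.113.7"},
    {"source_address": "10.1.9.8", "destination_address": "198.51.100.42"},
]

# Matches a pipeline stage such as "chart count() by destination_address".
CHART_RE = re.compile(r"^\s*chart\s+count\(\)\s+by\b", re.IGNORECASE)


def split_query(query: str) -> list[str]:
    """Split a search query on the pipe operator into its stages.

    Pipes inside double-quoted strings are left untouched so that a filter
    such as url="http://x/a|b" is not broken into two stages.
    """
    stages, current, in_quotes = [], [], False
    for ch in query:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            stages.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    stages.append("".join(current).strip())
    return [s for s in stages if s]


def strip_chart_count(query: str) -> str:
    """Return the query with every 'chart count() by ...' stage removed.

    The aggregation is what made the alert fire; dropping it turns the
    query back into a filter that returns one row per matching event.
    """
    kept = [s for s in split_query(query) if not CHART_RE.match(s)]
    return " | ".join(kept)


def suspect_ips(results: list[dict]) -> list[str]:
    """Mimic the For Each block: collect the distinct destination IPs that
    each get handed to the sub-playbook, preserving first-seen order."""
    seen: list[str] = []
    for row in results:
        ip = row.get("destination_address")
        if ip and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    print("raw-event query:", strip_chart_count(SAMPLE_QUERY))
    for ip in suspect_ips(SAMPLE_RESULTS):
        print("sub-playbook input:", ip)
```

Splitting on pipes with quote tracking rather than a plain `query.split("|")` matters in practice, because a filter value containing a pipe (a URL or a command line, both common in threat logs) would otherwise be cut apart and the rewritten query would fail or silently match nothing.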