PaloAlto Potential C2 Investigation
The PaloAlto Potential C2 Investigation playbook investigates an incident triggered by an IP address that is suspected of being a command-and-control (C2) server.
Trigger - retrieves the incident information and starts the investigation.
Script - uses a Python script to extract information from the incident details, including a short description of the incident.
API - uses an API call to retrieve active incidents that carry the specified short description.
Filter - filters out all the closed tickets.
Filter - filters out all the open tickets.
Script - uses a Python script to extract all the closed and open tickets.
Format - formats the investigation details in a specific format.
If Then - checks for active tickets. If one is found, it adds the information to the existing ticket; if not, it creates a new ticket.
API - uses the ServiceNow API to create a new ticket for the incident.
Format - formats the ticket message in a specific syntax.
Script - uses a Python script to extract the sys_id.
Parameters - sets the global parameter sys_id to the active ticket.
Parameters - sets the global parameter sys_id to the new ticket.
API - uses the ServiceNow API to update the ticket with the new information.
Script - uses a Python script to extract the sys_id.
Playbook - runs the MalwareByte Run Scan sub-playbook, which scans the IP for malware.
Playbook - runs the IP Reputation Status - Multi Vendor sub-playbook, which gives a risk score for the IP.
Playbook - runs the Set URL Threat Score sub-playbook, which gives a risk score for the IP.
Playbook - runs the Microsoft Defender Investigation sub-playbook, which gives a risk score for the IP.
End - returns the investigation result and ends the playbook.
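The ticket-correlation steps above (Script, Filter, If Then, Parameters) amount to a de-duplication rule: update an existing active ticket for the same short description, otherwise create one. The following is an added illustration of that rule, not the playbook's own script; the ServiceNow state codes, the incident record and the ticket records are constructed sample data, and the API calls themselves are left out.

```python
from typing import Optional

# Assumption: ServiceNow incident state codes 6 (Resolved), 7 (Closed)
# and 8 (Canceled) count as closed; everything else is an open ticket.
CLOSED_STATES = {"6", "7", "8"}

# Constructed sample incident as the Trigger step might deliver it.
SAMPLE_INCIDENT = {"source_ip": "203.0.113.45", "dest_ip": "10.0.5.12",
                   "rule": "Threat-C2-Beacon", "timestamp": "2024-01-01T10:00Z"}

# Constructed sample ServiceNow records returned by the API step.
SAMPLE_RECORDS = [
    {"sys_id": "a1b2c3", "state": "2",
     "short_description": "PaloAlto Potential C2 - 203.0.113.45"},
    {"sys_id": "d4e5f6", "state": "7",   # closed, must not be reused
     "short_description": "PaloAlto Potential C2 - 203.0.113.45"},
    {"sys_id": "g7h8i9", "state": "1",
     "short_description": "PaloAlto Potential C2 - 198.51.100.7"},
]


def short_description(incident: dict) -> str:
    """Build the short description used to correlate repeat alerts."""
    return f"PaloAlto Potential C2 - {incident['source_ip']}"


def split_tickets(records: list) -> tuple:
    """Filter step: separate records into (open, closed) by state code."""
    open_t = [r for r in records if r["state"] not in CLOSED_STATES]
    closed_t = [r for r in records if r["state"] in CLOSED_STATES]
    return open_t, closed_t


def decide_action(incident: dict, records: list) -> tuple:
    """If Then step: ("update", sys_id) when an active ticket with the same
    short description exists, else ("create", None). A closed ticket is
    never reopened, so a C2 IP that recurs after closure gets a new ticket."""
    desc = short_description(incident)
    open_t, _ = split_tickets(records)
    for ticket in open_t:
        if ticket["short_description"] == desc:
            return "update", ticket["sys_id"]
    return "create", None


def work_note(incident: dict) -> str:
    """Format step: the investigation details appended to the ticket."""
    return (f"[C2 investigation] src={incident['source_ip']} "
            f"dst={incident['dest_ip']} rule={incident['rule']} "
            f"seen={incident['timestamp']}")
```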