From 78d836630fb115835703b70bd1f0c12aac751414 Mon Sep 17 00:00:00 2001
From: Xiaonan Qi
Date: Tue, 4 Nov 2025 13:10:59 -0800
Subject: [PATCH 01/44] Create response_plan directory
---
 response_plan/response_plan_manifest_test.json | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 response_plan/response_plan_manifest_test.json
diff --git a/response_plan/response_plan_manifest_test.json b/response_plan/response_plan_manifest_test.json
new file mode 100644
index 0000000000..9459c6c86d
--- /dev/null
+++ b/response_plan/response_plan_manifest_test.json
@@ -0,0 +1 @@
+{"response_templates": [{"name": "customer-journey-response-plan-maesasvgzj", "versions": [{"version": 3, "update_time": 1761838294.8002563}, {"version": 2, "update_time": 1761838294.8002563}], "link": "https://securitycontent.scs.splunk.com/response_templates/customer-journey-response-plan-maesasvgzj.json"}]}
\ No newline at end of file
From 2e9fe65d4c27dd751d267373f5f2bca199cadcc8 Mon Sep 17 00:00:00 2001
From: Xiaonan Qi
Date: Tue, 4 Nov 2025 13:38:16 -0800
Subject: [PATCH 02/44] Update directory name
---
 .../response_plan_manifest_test.json | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {response_plan => response_templates}/response_plan_manifest_test.json (100%)
diff --git a/response_plan/response_plan_manifest_test.json b/response_templates/response_plan_manifest_test.json
similarity index 100%
rename from response_plan/response_plan_manifest_test.json
rename to response_templates/response_plan_manifest_test.json
From 966743c4bdd52f615cbc7c416da4dfeaf5ac8e9e Mon Sep 17 00:00:00 2001
From: Xiaonan Qi
Date: Wed, 19 Nov 2025 14:08:44 -0800
Subject: [PATCH 03/44] Copy response_templates artifacts to dist/api
---
 .github/workflows/build.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e988f16196..e10475adc8
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,6 +29,11 @@ jobs:
 contentctl build --enrichments --enforce_deprecation_mapping_requirement
 mkdir artifacts
 mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/
+ cd response_templates
+ python template_script.py -d . -o ./merged_response_templates -m
+ cd ..
+ mkdir -p dist/api/response_templates
+ cp response_templates/merged_response_templates/* dist/api/response_templates/
 - name: store_artifacts
 uses: actions/upload-artifact@v5
From a08707e5bf33552ed9f8208aff027bd9131b9674 Mon Sep 17 00:00:00 2001
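Review bot: The `cp response_templates/merged_response_templates/* dist/api/response_templates/` line ships whatever happens to be in that directory, and because the merged files are also committed to the repository later in this series (`merged_response_templates/*.json` in patch 04), a stale committed file for a template that was removed from its `*_vN.json` sources would still be copied into the `dist/api` artifact and published. Regenerate into a clean directory before copying — e.g. `rm -rf response_templates/merged_response_templates` ahead of the `python template_script.py` call, or pass `-o "$(mktemp -d)"` and copy from there — so the artifact only contains what this run produced. The bare `cd response_templates` / `cd ..` pair also ties the following `mkdir`/`cp` lines to the script succeeding; a subshell `(cd response_templates && python template_script.py -d . -o ./merged_response_templates -m)` keeps them anchored at the repo root regardless of how the script exits. I can't see from this hunk which Python packages `template_script.py` needs or whether an earlier step of this job installs them — the validate workflow installs `pyyaml` and `jsonschema` explicitly, so confirm this job does the equivalent. The enclosing `run:` block begins above this hunk.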
From: Xiaonan Qi
Date: Wed, 19 Nov 2025 14:09:31 -0800
Subject: [PATCH 04/44] Add response-templates schema validation workflow
---
 .../workflows/validate-response-templates.yml | 36 +
 .../GenericIncidentResponse_v1.json | 1 +
 response_templates/SuspiciousEmail_v1.json | 1 +
 response_templates/TestMultiVersion_v4.json | 50 +
 response_templates/TestMultiVersion_v5.json | 1 +
 response_templates/mcopenapi_public.yaml | 4484 +++++++++++++++++
 .../GenericIncidentResponse.json | 1 +
 .../SuspiciousEmail.json | 1 +
 .../TestMultiVersion.json | 1 +
 .../merged_response_templates/manifest.json | 1 +
 .../response_plan_manifest_test.json | 1 -
 response_templates/template_script.py | 105 +
 .../validate_response_templates.py | 237 +
 13 files changed, 4919 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/validate-response-templates.yml
 create mode 100644 response_templates/GenericIncidentResponse_v1.json
 create mode 100644 response_templates/SuspiciousEmail_v1.json
 create mode 100644 response_templates/TestMultiVersion_v4.json
 create mode 100644 response_templates/TestMultiVersion_v5.json
 create mode 100644 response_templates/mcopenapi_public.yaml
 create mode 100644 response_templates/merged_response_templates/GenericIncidentResponse.json
 create mode 100644 response_templates/merged_response_templates/SuspiciousEmail.json
 create mode 100644 response_templates/merged_response_templates/TestMultiVersion.json
 create mode 100644 response_templates/merged_response_templates/manifest.json
 delete mode 100644 response_templates/response_plan_manifest_test.json
 create mode 100644 response_templates/template_script.py
 create mode 100644 response_templates/validate_response_templates.py
diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml
new file mode 100644
index 0000000000..cd8b98e4ad
--- /dev/null
+++ b/.github/workflows/validate-response-templates.yml
@@ -0,0 +1,36 @@
+name: Validate Response Templates
+
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+ paths:
+ - 'response_templates/**'
+ - '.github/workflows/validate-response-templates.yml'
+ push:
+ branches:
+ - develop
+ paths:
+ - 'response_templates/**'
+ - '.github/workflows/validate-response-templates.yml'
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the repository code
+ uses: actions/checkout@v5
+
+ - name: Set up Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: '3.11'
+ architecture: 'x64'
+
+ - name: Install dependencies
+ run: |
+ pip install pyyaml jsonschema
+
+ - name: Validate response templates
+ run: |
+ cd response_templates
+ python validate_response_templates.py -s mcopenapi_public.yaml -d . -m merged_response_templates/manifest.json --merged-dir merged_response_templates
diff --git a/response_templates/GenericIncidentResponse_v1.json b/response_templates/GenericIncidentResponse_v1.json
new file mode 100644
index 0000000000..ce9cbf6868
--- /dev/null
+++ b/response_templates/GenericIncidentResponse_v1.json
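Review bot: The workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` inherits the repository default scope even though it only needs to read the checkout and run a validator; add a top-level `permissions:` block with `contents: read` so a compromised dependency in this job cannot write to the repo. The actions are pinned to floating major tags (`actions/checkout@v5`, `actions/setup-python@v6`) and `pip install pyyaml jsonschema` pulls whatever is latest, so what executes during validation can change without any review of this repo — pin the actions to full commit SHAs and the packages to exact versions (ideally a hashed requirements file). The validator is also run against the committed `merged_response_templates/manifest.json` / `--merged-dir merged_response_templates`, while `build.yml` in this same series regenerates that directory with `template_script.py` at build time, so nothing checks that the committed merged output matches what will actually be shipped; if `template_script.py` is deterministic (I can't tell from here) a regenerate-and-diff step before validation closes that gap.

```yaml
name: Validate Response Templates

permissions:
  contents: read

# … unchanged: on:, jobs.validate checkout / setup-python / install steps …

      - name: Regenerate merged templates and fail on drift
        run: |
          cd response_templates
          python template_script.py -d . -o ./merged_response_templates -m
          test -z "$(git status --porcelain -- merged_response_templates)"

      - name: Validate response templates
# … unchanged: validate_response_templates.py invocation …
```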
@@ -0,0 +1 @@ +{"id": "5d656a90-fe91-4c8f-8460-fa2599a17f75", "create_time": 1762280887.4139671, "update_time": 1762280887.4139671, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "2d4ceaab-2ab3-4e61-8997-2eec7b612c7b", "create_time": 1762280887.4145086, "update_time": 1762280887.414509, "name": "Detection", "order": 1, "tasks": [{"id": "8c73eaa4-8928-40de-8e3b-e130efc01bb8", "create_time": 1762280887.4141092, "update_time": 1762280887.41411, "name": "Report incident response execution", "order": 1, "tag": "e8d26ce8-a004-4621-8b40-0e95acd7638b", "description": "Alert appropriate parties that incident response is starting.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "feec4f53-67ef-405d-baf4-2c8a3ca8b486", "create_time": 1762280887.414233, "update_time": 1762280887.4142334, "name": "Document associated events", "order": 2, "tag": "afb0e39b-9bfe-4d02-a090-e3b9ca2386de", "description": "This is the escalation. Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "72a39d10-2941-4451-8973-7c82d9055cff", "create_time": 1762280887.4143443, "update_time": 1762280887.4143448, "name": "Document known attack surface and attacker information", "order": 3, "tag": "46211e09-e553-4c9f-a9a8-8383fec880a5", "description": "Rough triage of the situation. 
No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5ae0daa1-b86a-4a60-93a1-20c8b5d963c2", "create_time": 1762280887.4144528, "update_time": 1762280887.4144533, "name": "Assign roles", "order": 4, "tag": "e70408a7-3062-474a-aaf0-460402f16f29", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f546ee59-0988-4b55-8166-8cac2a64b76f", "create_time": 1762280887.41606, "update_time": 1762280887.4160604, "name": "Analysis", "order": 2, "tasks": [{"id": "a8acff10-07f5-49af-a103-ce864235994b", "create_time": 1762280887.414614, "update_time": 1762280887.4146142, "name": "Research intelligence resources", "order": 1, "tag": "c291654f-4616-4cde-afcb-5f7352d3fb6c", "description": "Find out if this attacker is a known agent and gather associated tactics, techniques, and procedures (TTP) used.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4d7b78f-1cd0-47c2-b0e3-40933395688a", "create_time": 1762280887.4147215, "update_time": 1762280887.414722, "name": "Research proxy logs", "order": 2, "tag": "0c56f2ef-fa23-48f6-abe8-7e42ae12716c", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"c5cee5b9-2ad7-4144-aa85-d746bae679ed", "create_time": 1762280887.41483, "update_time": 1762280887.4148307, "name": "Research firewall logs", "order": 3, "tag": "60405c0a-cbbf-4034-a4ec-d4f6f467b6e0", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92f68bd6-3b7d-4a58-ad55-4b3a36369526", "create_time": 1762280887.41496, "update_time": 1762280887.4149606, "name": "Research OS logs", "order": 4, "tag": "a8939de4-a990-4adf-83c6-d93f5b378ff1", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "61816baa-fc24-4f38-a6cd-7626561b48ff", "create_time": 1762280887.4152095, "update_time": 1762280887.41521, "name": "Research network logs", "order": 5, "tag": "027f7da1-76e1-4466-be1d-4b40771de133", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4811036e-781a-4885-bf38-32729a1a0ba1", "create_time": 1762280887.4153204, "update_time": 1762280887.4153206, "name": "Research endpoint protection logs", "order": 6, "tag": "afc28267-6231-4db6-a005-accabb008c7a", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"79900180-4caf-4d96-9290-968d9f5aec84", "create_time": 1762280887.4154315, "update_time": 1762280887.415432, "name": "Determine infection vector", "order": 7, "tag": "af4db0e8-d1ac-4d98-82ec-939fa5d47a0b", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "09087e70-fd26-4484-b92a-33c8728d8719", "create_time": 1762280887.415541, "update_time": 1762280887.4155414, "name": "Document all attack targets", "order": 8, "tag": "14552467-8504-4196-9c18-46c68995c590", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a9878c0-5626-4350-a0b6-cd5fef767dda", "create_time": 1762280887.4156528, "update_time": 1762280887.4156535, "name": "Document all attacker sources and TTP", "order": 9, "tag": "9a83e045-a686-423a-b80b-1c7906d8b7b0", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3986bf6d-fc23-4296-8dbe-d2b7117c9ec3", "create_time": 1762280887.4157624, "update_time": 1762280887.415763, "name": "Document infected devices", "order": 10, "tag": "5888de1b-61c8-4ea4-90d8-aeb01ec4682f", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "c7044f3e-f58b-4dcb-b1f2-c595a214ff9d", "create_time": 1762280887.4158719, "update_time": 1762280887.4158723, "name": "Determine full impact of attack", "order": 11, "tag": "b0cf76ae-1c67-4737-bf00-170971be80f3", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ca532eca-d263-4af9-9391-6d35b63c3627", "create_time": 1762280887.4160035, "update_time": 1762280887.4160042, "name": "Analyze malware samples", "order": 12, "tag": "e3b989b5-df17-4324-880d-10a5ac6c441d", "description": "Analyze discovered malware and document indicators of compromise (IOCs).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9bf6f73e-a5da-49ac-87a7-a2469155cf7b", "create_time": 1762280887.4164388, "update_time": 1762280887.4164393, "name": "Containment", "order": 3, "tasks": [{"id": "8bb468b3-8ac7-4e49-86d8-ca1513550c47", "create_time": 1762280887.4161665, "update_time": 1762280887.416167, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "28d74f7a-1aaf-4f44-8245-ed62a4720046", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d512b582-b030-486a-86b0-a8e656ea4542", "create_time": 1762280887.416276, "update_time": 1762280887.4162762, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": 
"18ed5b52-40e5-4dc7-b3c5-09c85a8a4cca", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "002fc36e-8a96-40c9-8a1d-b38d4f57b61b", "create_time": 1762280887.416384, "update_time": 1762280887.4163842, "name": "Contain incident", "order": 3, "tag": "a34be9ce-1ac5-4b35-9720-f3d50a33243b", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f9af170b-9aa7-4914-9e7c-59ba2128d1da", "create_time": 1762280887.41683, "update_time": 1762280887.4168303, "name": "Eradication", "order": 4, "tasks": [{"id": "16fd1501-b42b-440f-a2d2-54e698e12892", "create_time": 1762280887.4165573, "update_time": 1762280887.4165576, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "d9e85137-1503-4f1f-8765-c580516814cb", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e43e6862-a78b-4eef-b5b1-63782650ea28", "create_time": 1762280887.4166672, "update_time": 1762280887.4166675, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "b6ef4c01-da86-4383-80c2-bf565a7124e3", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3b9148a5-2780-4eb9-9e21-908163e62d7a", "create_time": 1762280887.4167752, "update_time": 1762280887.4167757, "name": "Repeat analysis and containment on any newly discovered 
infected hosts", "order": 3, "tag": "9f3c7353-cc4b-4e1f-8f89-ccd153468278", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d9ad55cf-ece3-4090-bf43-5ef24995a891", "create_time": 1762280887.4172246, "update_time": 1762280887.4172251, "name": "Recovery", "order": 5, "tasks": [{"id": "7f3ccff8-bd53-44b4-8ef3-cc333aa1c6e1", "create_time": 1762280887.4169493, "update_time": 1762280887.4169497, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "dec11e17-d2b6-41e4-8490-a500262e1991", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0209cfd0-91b3-4d4c-a8a6-266cf0a2302d", "create_time": 1762280887.4170604, "update_time": 1762280887.4170609, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "cb1b051b-25d0-4fd3-b4bb-85c16c19d55b", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f55fd9d7-8fd5-4920-90e5-34bc82625e80", "create_time": 1762280887.4171677, "update_time": 1762280887.417168, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "59e40624-72dd-498a-bd4c-297cace98c29", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], 
"searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ec68a4cd-daca-4bc0-848b-b586a070c8e4", "create_time": 1762280887.4176192, "update_time": 1762280887.4176197, "name": "Post", "order": 6, "tasks": [{"id": "f6565b96-cd55-4264-b509-908e52a29e3a", "create_time": 1762280887.4173315, "update_time": 1762280887.4173317, "name": "Schedule after-action review meeting", "order": 1, "tag": "515c3f1b-d0ee-4866-8980-7704cd34c6d7", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e5e2f646-64bb-4c59-b10d-c497625327fd", "create_time": 1762280887.4174387, "update_time": 1762280887.417439, "name": "Generate incident response action report", "order": 2, "tag": "00fe59eb-19cd-45dc-ac55-66dfd78e3dbd", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d74ad240-caa8-4c00-91ab-ab033e7f38a1", "create_time": 1762280887.4175637, "update_time": 1762280887.4175642, "name": "Report incident response complete", "order": 3, "tag": "f8bfdc47-6329-4465-a93f-47e6fbadd006", "description": "Alert appropriate parties that incident response is complete.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "7bd3e9e3-414a-4075-8846-8573bc637192", "active": true, "used": false, "_user": "nobody", "_key": "5d656a90-fe91-4c8f-8460-fa2599a17f75"} \ No newline at end of file 
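Review bot: The published template carries fields that look like storage bookkeeping and live-instance state rather than template definition: `"_user": "nobody"` and `"_key": "5d656a90-…"` (the latter duplicating `"id"`), `"used": false`, `"active": true`, and on every task `"status": "Pending"`, `"owner": ""`, `"notes": []`, `"files": []`, `"start_time": 0`, `"end_time": 0`, `"total_time_taken": 0`. This reads as a dump of a running instance; unless the template object in `mcopenapi_public.yaml` sets `additionalProperties: false`, the validator added in this commit will accept these silently, and consumers importing the JSON from the content endpoint may take `_key`/`_user` literally. Consider stripping the export down to what actually defines the template (identity, name/description/status/version, phases and their tasks with their `tag`s) or confirming that the validator rejects unknown properties — I can't see the schema from here. The file is also a single minified line with no trailing newline, which makes any later change to this 30-task document effectively unreviewable in a diff; a `python -m json.tool` pass before committing would keep it reviewable without changing its content.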
diff --git a/response_templates/SuspiciousEmail_v1.json b/response_templates/SuspiciousEmail_v1.json
new file mode 100644
index 0000000000..c4c37061c4
--- /dev/null
+++ b/response_templates/SuspiciousEmail_v1.json
@@ -0,0 +1 @@ +{"id": "1e541fb9-a309-45f6-8593-7e6e68d934b4", "create_time": 1762280887.1842365, "update_time": 1762280887.1842365, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "4b401ecf-a89f-463d-928d-4226f8039bdb", "create_time": 1762280887.184704, "update_time": 1762280887.1847045, "name": "Ingestion", "order": 1, "tasks": [{"id": "ee54e4eb-e532-4a92-a81e-b398920e48d9", "create_time": 1762280887.1843824, "update_time": 1762280887.184383, "name": "Create ticket", "order": 1, "tag": "fb454299-42f6-4bf2-9cbc-3d48c213dbe2", "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. 
As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4d5b3e5f-26fa-4fc8-a9db-c403132fddbd", "create_time": 1762280887.1845334, "update_time": 1762280887.1845338, "name": "Ingest email", "order": 2, "tag": "3bebd6f0-e226-4f1e-92b5-ae11273fb627", "description": "Identify and ingest the suspicious email into Splunk Mission Control. Actual steps vary depending on how you create the Splunk Mission Control notable and where the suspicious email resides. For example, if you had a Splunk Enterprise Security correlation search running to identify suspicious emails, and forward those notable events to Splunk Mission Control as notables, you have many of the useful artifacts needed to investigate the email. If you need additional metadata, you can run the \"get email\" action to retrieve it, or the \"extract email\" action to add the email to Splunk Mission Control if it is in the .msg or .eml format. 
Or for example, if you send suspicious emails to a dedicated email address for suspected phishing attempts, you can use a connector such as IMAP, EWS for Exchange, EWS for OFfice, or GSuite for GMail to poll that inbox directly and send the suspicious email to Splunk Mission Control as a notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e0c57817-caed-4f30-9123-24ea2768b208", "create_time": 1762280887.1846468, "update_time": 1762280887.1846473, "name": "Extract actionable metadata and files", "order": 3, "tag": "160eb657-d056-4b16-9ed5-1742364948b3", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f5991490-8540-4566-b7cc-6d88ad5b87cc", "create_time": 1762280887.1854346, "update_time": 1762280887.185435, "name": "External Investigation", "order": 2, "tasks": [{"id": "44bdcadb-2a0e-4b00-b4e8-5546e7ec0cc2", "create_time": 1762280887.1848118, "update_time": 1762280887.184812, "name": "Investigate URLs", "order": 1, "tag": "e0ea0bb0-f087-4d81-b2a7-a9899d287bda", "description": "Perhaps the most common email attack vector is a clickable link that brings a user to a malicious website. The malicious website might collect credentials or other confidential information, attempt to exploit the user's browser, lead the user to download a malicious file, or gather preliminary fingerprint information about the user to inform further operations. Investigate all URLs contained in the suspicious email using a mix of automated and manual techniques. Query threat intelligence services and other sources of reputation information to see if the URLs are linked to known malicious activity. Check the categorization of the URLs and their popularity using services such as Censys or Alexa. Determine whether the URL is spoofing a brand using a similar spelling, a unicode substitution, or an out-of-order domain name. Also consider using a less passive technique that analyzes the current state of the URL, such as a sandboxed URL detonation, a website scanning tool such as urlscan.io or SSL Labs, a manual inspection from a sandboxed environment, or a website screenshot engine such as Screenshot Machine. 
Consider that targeted attacks might only reveal the malicious behavior of a website if the user agent and/or the source address of the request matches the target environment. The output of this task might be more linked URLs, the domain names of the underlying servers responding to the request, other domain names used by the website, IP addresses, or downloadable files. All of the above should be passed on to further investigative tasks if needed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "008e7332-8c23-4b8b-961b-de2a5bee1811", "create_time": 1762280887.1849227, "update_time": 1762280887.184923, "name": "Investigate file attachments", "order": 2, "tag": "b4379132-c701-4bcc-80f0-b7a19f8b854a", "description": "Another common email attack vector is a malicious file attachment. Any file could be malicious, but most attacks involve executables, scripts, or documents. Investigate these files using either a whole copy of the file or the file hash. Query threat intelligence and reputation databases using the hash to see if the file has been seen before, to see if there is suspicious activity associated with the file, and to learn more about the file's behavior. Query for previous analyses or submit the file for examination in a dynamic or static tool to check for potentially malicious behaviors or properties. 
Actions used for this task might extract associated URLs, domain names, IP addresses, or secondary file hashes which can be explored further in other tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf94fe65-6dce-40d0-87bf-35c57eb93506", "create_time": 1762280887.1850498, "update_time": 1762280887.1850502, "name": "Investigate email addresses and headers", "order": 3, "tag": "4695b6fb-a152-4585-b44c-4b8d95055a25", "description": "The source email address and other headers contain a wide variety of information about the source environment of the email and the infrastructure used to send and receive it. Use a mix of automated and manual analysis to determine where the email came from and whether it uses headers in a suspicious way. Query threat intelligence and reputation databases using the \"From\", \"Sender\", and \"Reply-to\" addresses, as well as any other email addresses in the other header fields. Compare the display names of these fields to the actual values to see if misleading names are used. Check if the servers that received the email marked it with the appropriate authentication results for SPF, DKIM, and/or DMARC. If needed use Microsoft Message Header Analyzer, MxToolbox, or other tools to interpret the remaining headers. 
Outputs of this task such as domain names and IP addresses can be passed on to further tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "46a2ebf5-94e6-4d12-8495-fcdc7969957d", "create_time": 1762280887.1851606, "update_time": 1762280887.185161, "name": "Investigate domains", "order": 4, "tag": "cef512e6-19b6-4887-8ce0-124d69a7fde4", "description": "At this point domain names from various sources should be collected in the notable, including email sending and receiving servers, web servers from URLs in the email, domains associated to other indicators in threat intelligence databases, and domains contained in the file attachment or detected by the detonation of the file attachment. Check each of these against threat intelligence and reputation databases, passive DNS trackers, whois services, and other information services. Look for known malicious or unknown domains, focusing more on those associated to clickable URLs and file attachments. Evaluate what services are running on each suspicious domain using a scanning service such as Censys or Shodan. Check the TLS certificate (if applicable), website categorization, popularity, and any other available information. Compare this information to the expected outcome given the alleged context of the email. For unknown domains, consider the domain history, the hosting provider, and whether the domain name appears to have been dynamically generated. 
IP addresses currently and previously associated with the domain should be further processed elsewhere in your investigation.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6801061-372c-4e0e-9bab-009e78ea8d59", "create_time": 1762280887.1852703, "update_time": 1762280887.1852708, "name": "Investigate IP addresses", "order": 5, "tag": "6e0691b6-82b2-442c-88f8-da26f59eb8b3", "description": "IP addresses may be involved in this investigation for several reasons. Some email headers can contain IP addresses (such as X-Originating-IP), URLs can contain IP addresses instead of hostnames, file attachments can contain IP addresses or generate IP addresses and try to connect to them (like domain generation algorithms), and IP addresses can be added to the notable through association or domain name resolution in other tasks within this investigation. Consider IP addresses in URLs that are not internal IP addresses for the organization highly suspicious. Investigate all suspicious IP addresses by checking the reputation, geolocation, whois record, DNS history, and by gathering information from other available services.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ccae86ab-acd7-48bd-acf8-e823b3894fe6", "create_time": 1762280887.1853795, "update_time": 1762280887.1853797, "name": "Investigate email subject and body", "order": 6, "tag": "21c70d94-3a33-4295-8711-a272b31940d1", "description": "The subject and body of an email can be malicious without containing a single URL or file attachment. 
Examples include emails that ask the receiver to reply with confidential information, contain instructions to do insecure things, manipulate automated systems that are parsing the email, or prime the receiver for other interactions. Malicious emails often use current events such as tax season, a hurricane, or other publicly available information to establish a sense of trust or an illusion of urgency. Social engineering is perhaps the hardest technique to detect in an automated fashion, often requiring manual investigation. Consider the context of the message, the intended recipient, and the identity of the sender or alleged sender. It might be necessary to ask the recipient user if they think the email is legitimate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4ee204f8-d5e9-4158-9f5f-3d898dcfd32a", "create_time": 1762280887.1859224, "update_time": 1762280887.1859229, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "605d29ce-9d16-4882-ba5b-2811f6bf4efc", "create_time": 1762280887.1855412, "update_time": 1762280887.1855416, "name": "Hunt email activity", "order": 1, "tag": "efae43b9-0c49-41b5-bb71-687f359ff73f", "description": "Find other similar emails sent into the organization based on the sender address, sender domain, subject, embedded URLs, file attachments, or other similar attributes shared across multiple emails. If possible determine which emails were opened, forwarded, deleted, marked as spam, or reported as potential phishing. Consider which types of users are targeted and why. 
Also check whether internal users replied to the emails and what information was contained in the replies.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8dab7fc-c86f-43a0-be73-80ba587c8bdb", "create_time": 1762280887.1856506, "update_time": 1762280887.1856513, "name": "Hunt network activity", "order": 2, "tag": "c90df879-0c52-487c-9dd7-be88e7900c9c", "description": "Based on previously collected information, try to determine whether or not URLs in the email were clicked, phishing websites were visited, or other suspicious network connections were made from the computers of users who opened the email. This can be done using many types of network monitoring, including netflow, full packet capture, DNS logging, and/or endpoint monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a26c5093-d4e3-4b3a-8173-cfa05701ec2c", "create_time": 1762280887.1857598, "update_time": 1762280887.1857603, "name": "Hunt file executions", "order": 3, "tag": "a644ccc1-8034-4299-97c8-506179a3402e", "description": "If the email included a file attachment, try to determine which users downloaded the attachment and which users executed it or opened it in some other way. Use the file hash of the attachment to search across endpoint monitoring or network monitoring solutions for the transmission and/or execution of the file. If executions are detected, try to determine the behavior of the created process. 
If a potentially malicious document or other file type was opened, try to determine which application opened it and whether the file exploited or abused the opening application.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "48be613f-36ae-42ab-bd35-e4ec600c3c95", "create_time": 1762280887.1858678, "update_time": 1762280887.185868, "name": "Hunt user activity", "order": 4, "tag": "e541c4de-a76f-4917-b8ba-960a16653fc5", "description": "If a phishing attempt or other user account compromise attempt is suspected, investigate how the credentials or account access are being used. Enumerate resources available to the account and search the access logs for those resources, looking for anomalous usage patterns.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d7b7765f-e5b3-4122-8791-f6274f6ba85e", "create_time": 1762280887.186552, "update_time": 1762280887.1865525, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "90905d2d-4247-462b-843a-d9f4fd9ec717", "create_time": 1762280887.186041, "update_time": 1762280887.1860416, "name": "Block or monitor email activity", "order": 1, "tag": "42060fc0-5ae2-4f15-a7f4-6bf4ed364733", "description": "If specific malicious emails have been identified, delete them from any mailboxes in which they still pose a threat. Similarly, if a sender address or an entire sender domain is found to be malicious, block inbound email from that source. 
Set filtering rules to block inbound email or increase monitoring of email based on other detected characteristics of an email campaign or malicious technique.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0066f95-2fe4-4d25-ae51-cbc559e0cc8a", "create_time": 1762280887.1861491, "update_time": 1762280887.1861496, "name": "Block or monitor network activity", "order": 2, "tag": "1081b34c-8234-411b-b1ec-ed0205fa4eb8", "description": "Based on gathered indicators and metadata, block or increase monitoring of malicious network connections associated with the suspicious email. Prevent other receivers of similar phishing emails from accessing the clickable URL by blocking that URL itself, the underlying domain name, and/or the underlying IP addresses. If malware or unwanted software was detected, block outbound connections known to be associated with that malware based on threat intelligence or dynamic analysis. If the threat is severe enough, consider isolating entire portions of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f8575450-6ad7-4880-ae94-1792d9cc8906", "create_time": 1762280887.1862686, "update_time": 1762280887.1862693, "name": "Block or monitor file executions", "order": 3, "tag": "872a713a-a687-404f-8e12-c432c99938ab", "description": "Based on gathered indicators and metadata, block or increase monitoring of endpoint activity caused by the suspicious email. 
This could mean blocking the hash of the file attachment, blocking the hash of a file downloaded from a URL in an email, blocking a malicious hash associated with the email by threat intelligence, or blocking secondary executions such as dropped stages of malware identified from dynamic analysis.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d102f2c9-b977-4016-af6a-605da7a1626b", "create_time": 1762280887.1863873, "update_time": 1762280887.1863878, "name": "Contain endpoints", "order": 4, "tag": "07490733-2250-4a3e-8ba9-9107abdfa10e", "description": "If an endpoint compromise is suspected, it might be necessary to quarantine or otherwise contain that endpoint until further investigation and remediation can be done. Consider the criticality of the system and the likelihood of a compromise. In other cases, simply increasing the monitoring or scanning for more information can be prudent.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "85721cac-d2d0-4a9f-90fc-1969fb38a3b4", "create_time": 1762280887.1864965, "update_time": 1762280887.186497, "name": "Contain user accounts", "order": 5, "tag": "ae12b741-8e83-4e23-9e8c-7f461f9c891a", "description": "If a user account compromise is suspected, it might be necessary to reset the credentials, reduce the account privileges, or disable the account until further investigation is completed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "3ea7502b-d251-4562-a489-4bec4c16300d", "create_time": 1762280887.1868212, "update_time": 
1762280887.1868217, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "00adbace-3659-4464-a606-85658daf13e5", "create_time": 1762280887.186658, "update_time": 1762280887.1866581, "name": "Analyze network activity", "order": 1, "tag": "6790fca4-5cf6-40bf-b425-2e9c547acb0b", "description": "Perform any resource-intensive analysis of network activity left over from the External Investigation and Internal Hunting phases. This might mean full packet capture collection and analysis, sandbox detonation of URLs, long-running queries of network history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c9917bdc-f49f-40a3-a297-82843edcc56c", "create_time": 1762280887.1867664, "update_time": 1762280887.1867669, "name": "Analyze endpoint activity", "order": 2, "tag": "c0e4e6fc-d6a3-48a3-80ad-17e6f3d29abd", "description": "Conduct deeper analysis on remaining malware and endpoint investigation tasks not finished in the External Investigation and Internal Hunting phases. 
This might mean sandbox detonation of files, forensic analysis of associated devices or memory dumps, reverse engineering of suspected malware, long-running queries of endpoint activity history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ee783e2b-62ce-4dfa-a8ac-dfd38e3336a9", "create_time": 1762280887.1876307, "update_time": 1762280887.1876311, "name": "Notification", "order": 6, "tasks": [{"id": "25cb7e69-be9d-4faf-9e4a-088b42b4788e", "create_time": 1762280887.1869273, "update_time": 1762280887.1869276, "name": "Update tickets", "order": 1, "tag": "d1644224-bfe8-4710-be7a-42b83746e870", "description": "Make sure that all the necessary outputs and status updates from the previous phases and tasks are documented in the appropriate system of record. Summarize the current state of the investigation and any remaining tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fd8e6a70-6f3b-4f12-a3d9-ced01a867591", "create_time": 1762280887.187141, "update_time": 1762280887.1871414, "name": "Notify system owners", "order": 2, "tag": "f375634e-8725-45b0-953f-913af5792047", "description": "For any systems that have been changed or need to be changed, notify the necessary system owners so the appropriate change management procedures can be followed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6df9bdea-2fdc-469e-b3de-298bac097739", "create_time": 1762280887.1872501, "update_time": 1762280887.1872506, "name": 
"Notify regulatory compliance team", "order": 3, "tag": "ae1e0019-56dc-4782-9efd-fad66ee54734", "description": "If appropriate, notify the regulatory compliance team to support them as they report this incident to the correct regulatory or accrediting organizations.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ca7c9e3-547b-4e44-aacb-9f8a23665d3d", "create_time": 1762280887.1873586, "update_time": 1762280887.187359, "name": "Assign additional tasks", "order": 4, "tag": "def2f366-4f31-4b7a-ba01-0fecd5bc1c9e", "description": "Create tickets to track any follow-on tasks that came out of this investigation. Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4de9d9be-e269-4d03-9fe4-0496b933abe4", "create_time": 1762280887.1874657, "update_time": 1762280887.187466, "name": "Educate users", "order": 5, "tag": "94435be3-c9bb-4cb0-a298-adad4c5e685a", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3e0fb677-9a5d-48a1-a0b8-3b1b92d05efa", "create_time": 1762280887.1875756, "update_time": 1762280887.1875758, "name": "Share threat intelligence", "order": 6, "tag": 
"b6e77ae5-bd3b-4809-af51-3cc9d2ee35a8", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "a819ee87-e98f-4108-9554-7c167bdfeb79", "active": true, "used": false, "_user": "nobody", "_key": "1e541fb9-a309-45f6-8593-7e6e68d934b4"}
\ No newline at end of file
diff --git a/response_templates/TestMultiVersion_v4.json b/response_templates/TestMultiVersion_v4.json
new file mode 100644
index 0000000000..cb178dfe49
--- /dev/null
+++ b/response_templates/TestMultiVersion_v4.json
@@ -0,0 +1,50 @@
+{
+ "id": "27b78044-1eca-43c2-9207-b5afe3075a81",
+ "create_time": 1762292283.131341,
+ "update_time": 1762292294.8144422,
+ "name": "Test%20Multi%20Version",
+ "description": "",
+ "template_status": "published",
+ "creator": "zen_admin",
+ "updated_by": "zen_admin",
+ "is_default": false,
+ "version": 4,
+ "phases": [
+ {
+ "id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15",
+ "create_time": 1762292292.855246,
+ "update_time": 1762292294.7901058,
+ "name": "Test%20Phase",
+ "order": 1,
+ "tasks": [
+ {
+ "id": "096e2f14-866e-404e-819b-a1155ac0084b",
+ "create_time": 1762292292.855151,
+ "update_time": 1762292294.790007,
+ "name": "Test%20Task",
+ "order": 1,
+ "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a",
+ "description": "",
+ "owner": "",
+ "is_note_required": true,
+ "status": "Pending",
+ "notes": [],
+ "files": [],
+ "suggestions": {
+ "playbooks": [],
+ "actions": [],
+ "searches": []
+ },
+ "start_time": 0,
+ "end_time": 0,
+ "total_time_taken": 0
+ }
+ ]
+ }
+ ],
+ "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8",
+ "active": true,
+ "used": false,
+ "_user": "nobody",
+ "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"
+}
\ No newline at end of file
diff --git a/response_templates/TestMultiVersion_v5.json b/response_templates/TestMultiVersion_v5.json
new file mode 100644
index 0000000000..247afe72ea
--- /dev/null
+++ b/response_templates/TestMultiVersion_v5.json
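Review bot: The fixture stores percent-encoded display names (`"name": "Test%20Multi%20Version"`, `"Test%20Phase"`, `"Test%20Task"` here, and `"Test%20Task%20V3"` in the v5 hunk that follows), which reads like an export artifact rather than the intended value; any consumer of the merged templates will show the literal `%20` unless it URL-decodes names, so either decode them in the fixture or document that names are stored encoded. These test fixtures sit next to the real templates in `response_templates/`, so if the merge step that publishes this directory globs every JSON file, the test templates and their `"creator": "zen_admin"` / `"updated_by": "zen_admin"` values would presumably ship with the real ones — worth confirming they are excluded or moved to a clearly test-only location. Minor: v4 is pretty-printed while v5 is a single minified line, and neither file ends with a newline; one format for fixtures keeps future diffs reviewable.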
@@ -0,0 +1 @@
+{"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292328.3112774, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 5, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292328.2866068, "update_time": 1762292328.2866073, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292328.2865093, "name": "Test%20Task%20V3", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"}
\ No newline at end of file
diff --git a/response_templates/mcopenapi_public.yaml b/response_templates/mcopenapi_public.yaml
new file mode 100644
index 0000000000..f74425db69
--- /dev/null
+++ b/response_templates/mcopenapi_public.yaml
@@ -0,0 +1,4484 @@
+openapi: 3.0.1
+info:
+ title: Splunk Enterprise Security API Reference
+ description: >
+ The Splunk Enterprise Security API allows you to use and modify findings, investigations, risk scores, assets, and identities in Splunk Enterprise Security.
+ version: 8.2.0
+servers:
+ - url: https://{stack}:{port}/servicesNS/nobody/missioncontrol
+ description: The production API server.
+ variables:
+ stack:
+ default: blueridge.splunkcloud.com
+ description: This value is assigned by the service provider. For example, `blueridge.splunkcloud.com`.
+ port:
+ default: '8089'
+ description: This value is assigned by the service provider. For example `8089`.
+tags:
+ - name: Investigation
+ description: Splunk Enterprise Security Investigation Endpoints.
+ - name: Findings
+ description: Splunk Enterprise Security Finding Endpoints.
+ - name: Risks
+ description: Splunk Enterprise Security Risk Endpoints.
+ - name: Identity
+ description: Splunk Enterprise Security Identity Endpoints.
+ - name: Assets
+ description: Splunk Enterprise Security Asset Endpoints.
+ - name: Responseplan
+ description: Splunk Enterprise Security Response Plan Endpoints.
+ - name: Notes
+ description: Splunk Enterprise Security Notes Endpoints.
+paths:
+ /public/v2/assets/{id}:
+ get:
+ x-splunk-soar-connector-gen:
+ displayName: "get asset"
+ actionName: "get asset"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_assets
+ tags:
+ - Assets
+ parameters:
+ - in: path
+ name: id
+ description: The ID of the asset.
+ required: true
+ schema:
+ type: string
+ example: 67bd956379ba456e810415c3
+ - in: query
+ name: search_format
+ required: false
+ x-splunk-soar-connector-gen-parameter:
+ hidden: true
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: Retrieve assets using the ID of the KV collection assets_by_str. Requires mc_assets_read or admin_all_objects capabilities.
+ summary: Retrieve assets
+ responses:
+ '200':
+ description: Retrieved
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AssetsGetResponse'
+ example:
+ {
+ "_last_updated": 1740477793.8923568726,
+ "_sources": ["canon_wdio_assets"],
+ "asset": [ "192.168.0.1", "00:1A:2B:3C:4D:5E" ],
+ "dns": ["test.com"],
+ "ip": ["0.0.0.0"],
+ "mac": ["00:00:00:00:00:00"],
+ "nt_host": ["test-host"],
+ "pci_domain": ["pci_domain_example"],
+ "id": "67bd956379ba456e810415c0",
+ "asset_tag": [ "tag1", "tag2" ],
+ "bunit": ["business_unit_example"],
+ "category": [ "category1", "category2" ],
+ "city": ["San Francisco"],
+ "country": ["USA"],
+ "is_expected": ["true"],
+ "lat": ["37.7749"],
+ "long": ["-122.4194"],
+ "owner": ["owner_example"],
+ "priority": ["high"],
+ "requires_av": ["true"],
+ "should_timesync": ["true"],
+ "should_update": ["true"],
+ "_delete": ["false"],
+ "cim_entity_zone": ["zone_example"],
+ }
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/investigations:
+ get:
+ x-splunk-soar-connector-gen:
+ displayName: "list investigations"
+ actionName: "list investigations"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_list_investigations
+ tags:
+ - Investigation
+ parameters:
+ - in: query
+ name: ids
+ description: A list of `id` (GUID) or `display_id` from an investigation separated by commas.
+ x-splunk-soar-connector-gen-parameter:
+ contains: ['investigation guid', 'display id']
+ required: false
+ schema:
+ type: string
+ example: "123,ES-001,332123"
+ - in: query
+ name: limit
+ required: false
+ description: >-
+ Number of investigations that are returned on the page. Return value of
+ None displays 20 investigations on the page. A maximum limit of 100 investigations can be displayed on the page.
+ schema:
+ type: number
+ example: 10
+ - in: query
+ name: offset
+ required: false
+ description: Parameter used together with the limit parameter to specify the starting point of the returned results. If offset is not set, the default value is 0.
+ schema:
+ type: number
+ example: 30
+ - in: query
+ name: sort
+ required: false
+ description: Parameter used to sort investigations. The default value is `create_time:desc` that sorts the investigations in decreasing order of the creation time. When sorting on multiple fields, each item can be separated by ",".
+ schema:
+ type: string
+ example: "create_time:asc,status:desc"
+ - in: query
+ name: disposition
+ required: false
+ description: The disposition ID or disposition label of an investigation.
+ schema:
+ type: string
+ example: "disposition:1,Undetermined"
+ - in: query
+ name: status
+ required: false
+ description: The status ID or status label of an investigation.
+ schema:
+ type: string
+ example: New
+ - in: query
+ name: owner
+ required: false
+ description: The owner of an investigation.
+ schema:
+ type: string
+ example: admin
+ - in: query
+ name: urgency
+ required: false
+ description: The urgency of an investigation. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`.
+ schema:
+ type: string
+ example: informational
+ - in: query
+ name: sensitivity
+ required: false
+ description: The sensitivity of an investigation. Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`.
+ schema:
+ type: string
+ example: Red
+ - in: query
+ name: create_time_min
+ required: false
+ description: The minimum time during which investigations were created.
+ schema:
+ type: number
+ example: 1676497520
+ - in: query
+ name: create_time_max
+ required: false
+ description: The maximum time during which investigations were created.
+ schema:
+ type: number
+ example: 1676497520
+ - in: query
+ name: update_time_min
+ required: false
+ description: The minimum time during which investigations were updated.
+ schema:
+ type: number
+ example: 1676497520
+ - in: query
+ name: update_time_max
+ required: false
+ description: The maximum time during which investigations were updated.
+ schema:
+ type: number
+ example: 1676497520
+ - in: query
+ name: search_format
+ required: false
+ x-splunk-soar-connector-gen-parameter:
+ hidden: true
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: Retrieve investigations using query parameters. Requires mc_investigation_read or admin_all_objects capabilities.
+ summary: Retrieve investigations
+ responses:
+ '200':
+ description: Ok.
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/InvestigationGetResponse'
+ example:
+ [
+ {
+ "mc_create_time": 1676497763.861311,
+ "create_time": 1676497520,
+ "update_time": 1676497800.160927,
+ "investigation_guid": "00000000-0000-0000-0000-000000000000",
+ "investigation_id": "ES-00001",
+ "name": "New Investigation",
+ "source": "Threat - Mission Control - Rule",
+ "incident_origin": "ES Notable Event",
+ "description": "Sample investigation for Mission Control",
+ "investigation_type": "threat investigation",
+ "finding_id": "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9",
+ "disposition": "disposition:1",
+ "status": "1",
+ "owner": "admin",
+ "urgency": "informational",
+ "sensitivity": "Red",
+ "excluded_finding_ids": [ "finding1", "finding2" ],
+ "finding": {
+ "search_name": "Manual Notable Event - Rule",
+ "info_max_time": "+Infinity",
+ "info_min_time": "0.000"
+ },
+ "custom_fields": {
+ "custom_field_1": "value1",
+ "custom_field_2": "value2"
+ },
+ "attachments": [ "c7f677fc-8767-4b48-a29d-c28c3f979752" ],
+ "current_response_plan_phase": {
+ "phase_id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
+ "response_plan_id": "5c674507-50c2-4a94-b458-fdcb5eec333d"
+ },
+ "response_plans": [ ],
+ "parent_incidents": [ ],
+ "findings": {
+ "incident_ids": [ "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111112" ],
+ "field_inheritors": [ "11111111-1111-1111-1111-111111111111" ]
+ },
+ "consolidated_findings": {
+ "src": "10.39.210.66",
+ "dest": "8.235.139.88",
+ "app": "splunk"
+ },
+ "count_findings": 2,
+ "risk_event_count": 5,
+ "src": [ "10.0.0.1", "10.0.0.2" ],
+ "dest": [ "192.168.1.1", "192.168.1.2" ],
+ "dvc": [ "device1", "device2" ],
+ "orig_host": [ "host1", "host2" ],
+ "src_user": [ "user1", "user2" ],
+ "user": [ "user1", "user2" ],
+ "risk_score": 20.0,
+ "risk_object": [ "entity1", "entity2" ],
+ "risk_object_type": [ "system", "user" ],
+ "status_name": "New",
+ "disposition_name": "Undetermined"
+ }
+ ]
+ '400':
+ description: Bad Request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ post:
+ operationId: public_v2_create_investigation
+ description: Create investigations using provided fields. Requires mc_investigation_write and edit_notable_events OR admin_all_objects capabilities.
+ summary: Create investigations
+ tags:
+ - Investigation
+ requestBody:
+ required: true
+ description: Request payload to create an investigation.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/InvestigationCreatePayload'
+ example:
+ {
+ "name": "New Investigation",
+ "description": "Investigation description",
+ "investigation_type": "threat investigation",
+ "owner": "admin",
+ "urgency": "high",
+ "sensitivity": "Red"
+ }
+ responses:
+ '201':
+ description: Created.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/InvestigationCreateResponse'
+ example: { "investigation_guid": "00000000-0000-0000-0000-000000000000" }
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/investigations/{id}:
+ post:
+ tags:
+ - Investigation
+ parameters:
+ - in: path
+ name: id
+ required: true
+ description: The GUID or display id of an investigation.
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ description: Update the investigation by id. Requires mc_investigation_write and edit_notable_events OR admin_all_objects capabilities.
+ operationId: public_v2_update_investigation
+ summary: Update certain fields of an investigation by id
+ requestBody:
+ required: true
+ description: Request payload to update an investigation.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/InvestigationUpdatePayload'
+ example:
+ {
+ "name": "Updated Investigation",
+ "description": "Updated investigation description",
+ "owner": "admin",
+ "urgency": "high",
+ "sensitivity": "Red"
+ }
+ responses:
+ '200':
+ description: Updated.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/InvestigationUpdateResponse'
+ example:
+ {
+ "investigation_guid": "00000000-0000-0000-0000-000000000000"
+ }
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '404':
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/investigations/{id}/notes:
+ get:
+ operationId: public_v2_get_notes_from_investigation
+ tags:
+ - Notes
+ - Investigation
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the finding or investigation that the event is associated with.
+ required: true
+ schema:
+ type: string
+ example: "00000000-0000-0000-0000-000000000000"
+ - in: query
+ name: search
+ description: Keywords to be searched for in the title or content of notes.
+ required: false
+ schema:
+ type: string
+ example: "investigation notes"
+ - in: query
+ name: type
+ description: The source type of a note. Only notes of this type will be returned. Available options are Task, Incident, or All.
+ required: false
+ schema:
+ type: string
+ enum: [ Task, Incident, All ]
+ example: "Task"
+ - in: query
+ name: limit
+ schema:
+ type: number
+ example: 10
+ required: false
+ description: The number of notes that are returned on the page. The maximum number of notes that can be returned is 100. If the limit is not set, the default is 5.
+ - in: query
+ name: offset
+ schema:
+ type: number
+ example: 0
+ required: false
+ description: Parameter used with the limit parameter to determine the range of the results. If the offset is not set, the default is 0.
+ - in: query
+ name: sort
+ schema:
+ type: string
+ example: "create_time:1"
+ required: false
+ description: Parameter used to sort the results. Available options are create_time:1, update_time:1, create_time:-1 and update_time:-1.
+ - in: query
+ name: search_format
+ required: false
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: The API endpoint for getting notes from a finding or investigation.
+ summary: Get notes in a finding or investigation.
+ responses:
+ '200':
+ description: Get notes from the finding or investigation.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/NoteListResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ post:
+ operationId: public_v2_create_note_in_investigation
+ tags:
+ - Notes
+ - Investigation
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the finding or investigation that the event is associated with.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: query
+ name: notable_time
+ schema:
+ type: string
+ example: '-30m'
+ required: false
+ description: Optional field denoting the `_time` that the finding was created. Value can be in relative, ISO, or epoch time.
+ description: The API endpoint for creating a note in a finding or investigation.
+ summary: Create a note in a finding or investigation.
+ requestBody:
+ description: Note to be created.
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreateNotePayload'
+ example:
+ {
+ "title": "Note Title",
+ "content": "Note content",
+ "type": "Task"
+ }
+ responses:
+ '201':
+ description: Created note
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Note'
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/investigations/{id}/notes/{note_id}:
+ post:
+ operationId: public_v2_update_note_in_investigation
+ tags:
+ - Notes
+ - Investigation
+ description: The API endpoint for updating a note in a finding or an investigation.
+ summary: Update a note in a finding or an investigation.
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the finding or investigation.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: note_id
+ description: The ID of the note.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ requestBody:
+ description: Note to be updated.
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UpdateNotePayload'
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Note'
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '404':
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ delete:
+ operationId: public_v2_delete_note_in_investigation
+ tags:
+ - Notes
+ - Investigation
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the finding or investigation.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: note_id
+ description: The ID of the note.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ description: The API endpoint for deleting a note from a finding or investigation.
+ summary: Delete a note from a finding or investigation.
+ responses:
+ '200':
+ description: Deleted.
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '404':
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/investigations/{id}/responseplans/{response_plan_id}/phase/{phase_id}/tasks/{task_id}/notes:
+ get:
+ operationId: public_v2_get_notes_from_task
+ tags:
+ - Notes
+ - Responseplan
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the investigation.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: response_plan_id
+ description: The ID of the response plan.
+ required: true
+ schema:
+ type: string
+ example: 5c674507-50c2-4a94-b458-fdcb5eec333d
+ - in: path
+ name: phase_id
+ description: The ID of the phase from the response plan.
+ required: true
+ schema:
+ type: string
+ example: e4317f74-2ca2-4812-9805-07c7e9aeaa40
+ - in: path
+ name: task_id
+ description: The ID of the task from the response plan.
+ required: true
+ schema:
+ type: string
+ example: 12345678-1234-1234-1234-123456789012
+ - in: query
+ name: limit
+ schema:
+ type: number
+ example: 10
+ required: false
+ description: The number of notes that are returned on the page. The maximum number of notes that can be returned is 100. If the limit is not set, the default is 5.
+ - in: query
+ name: offset
+ schema:
+ type: number
+ example: 0
+ required: false
+ description: Parameter used with the limit parameter to determine the range of the results. If the offset is not set, the default is 0.
+ - in: query
+ name: sort
+ schema:
+ type: string
+ example: "create_time:1"
+ required: false
+ description: Parameter used to sort the results. Available options are create_time:1, update_time:1, create_time:-1 and update_time:-1.
+ - in: query
+ name: search_format
+ required: false
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: Get the notes from a response plan task.
+ summary: Get notes in a task.
+ responses:
+ '200':
+ description: Notes from a specific response plan task.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/NoteListResponse'
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ post:
+ operationId: public_v2_add_note_to_task
+ tags:
+ - Notes
+ - Responseplan
+ description: The API endpoint for adding a note to a task.
+ summary: Add a note to a task.
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the investigation.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: response_plan_id
+ description: The ID of the response plan.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: phase_id
+ description: The ID of the phase from the response plan.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: task_id
+ description: The ID of the task from the response plan.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/CreateNotePayload"
+ responses:
+ '201':
+ description: Successfully Returned Note
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Note'
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+
+
+ /public/v2/investigations/{id}/responseplans/{response_plan_id}/phase/{phase_id}/tasks/{task_id}/notes/{note_id}:
+ get:
+ operationId: public_v2_get_note_by_id_from_task
+ tags:
+ - Notes
+ - Responseplan
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the investigation.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: response_plan_id
+ description: ID of Response Plan.
+ required: true
+ schema:
+ type: string
+ example: 5c674507-50c2-4a94-b458-fdcb5eec333d
+ - in: path
+ name: phase_id
+ description: ID of Phase from Response Plan.
+ required: true
+ schema:
+ type: string
+ example: e4317f74-2ca2-4812-9805-07c7e9aeaa40
+ - in: path
+ name: task_id
+ description: ID of Task from Response Plan.
+ required: true
+ schema:
+ type: string
+ example: 12345678-1234-1234-1234-123456789012
+ - in: path
+ name: note_id
+ description: ID of Note from Response Plan Task.
+ required: true
+ schema:
+ type: string
+ example: 12345678-1234-1234-1234-123456789012
+ - in: query
+ name: search_format
+ required: false
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: Get a note from a task.
+ summary: Get a note in a task
+ responses:
+ '200':
+ description: Successfully Returned Note
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Note'
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ post:
+ operationId: public_v2_update_note_in_task
+ tags:
+ - Notes
+ - Responseplan
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the investigation.
+ required: true
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ - in: path
+ name: response_plan_id
+ description: The ID of the response plan.
+ required: true
+ schema:
+ type: string
+ example: 5c674507-50c2-4a94-b458-fdcb5eec333d
+ - in: path
+ name: phase_id
+ description: The ID of the phase from the response plan.
+ required: true
+ schema:
+ type: string
+ example: e4317f74-2ca2-4812-9805-07c7e9aeaa40
+ - in: path
+ name: task_id
+ description: The ID of the task from the response plan.
+ required: true
+ schema:
+ type: string
+ example: 12345678-1234-1234-1234-123456789012
+ - in: path
+ name: note_id
+ description: The ID of the note from the response plan task.
+ required: true
+ schema:
+ type: string
+ example: 12345678-1234-1234-1234-123456789012
+ requestBody:
+ required: true
+ description: The request body for updating a note in a task.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UpdateNotePayload'
+ responses:
+ '200':
+ description: Updated note object.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Note'
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ delete:
+ operationId: public_v2_delete_note_from_task
+ tags:
+ - Notes
+ - Responseplan
+ description: The API endpoint for deleting a note from a task.
+ summary: Delete a note from a task.
+ parameters:
+ - in: path
+ name: id
+ description: The `id` (GUID) or the `display_id` of the investigation.
+ required: true
+ schema:
+ type: string
+ example: 3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0
+ - in: path
+ name: response_plan_id
+ description: The ID of the response plan.
+ required: true
+ schema:
+ type: string
+ example: 3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0
+ - in: path
+ name: phase_id
+ description: The ID of the phase.
+ required: true
+ schema:
+ type: string
+ example: 3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0
+ - in: path
+ name: task_id
+ description: The ID of the task.
+ required: true
+ schema:
+ type: string
+ example: 3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0
+ - in: path
+ name: note_id
+ description: The ID of the note.
+ required: true
+ schema:
+ type: string
+ example: 3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0
+ responses:
+ '200':
+ description: Note deleted successfully.
+ '400':
+ description: Bad format
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/investigations/{id}/findings:
+ post:
+ operationId: public_v2_add_findings_to_investigation
+ tags:
+ - Investigation
+ parameters:
+ - in: path
+ name: id
+ required: true
+ description: The ID of the investigation.
+ schema:
+ type: string
+ example: 00000000-0000-0000-0000-000000000000
+ requestBody:
+ required: true
+ description: The request body for adding findings to an investigation.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AddFindingsToInvestigationPayload'
+ example:
+ {
+ "finding_ids": [
+ "27a81554-a0fa-42d7-8f01-36cd93612df1@@notable@@27a81554a0fa42d78f0136cd93612df1",
+ "c1d6e42c-a914-48bc-baf8-b21e12524669@@notable@@c1d6e42ca91448bcbaf8b21e12524669"
+ ],
+ "finding_times": [
+ "2025-02-25T14:27:28.000+00:00",
+ "2025-02-25T14:27:29.000+00:00"
+ ]
+ }
+ responses:
+ '200':
+ description: Findings added to the investigation.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/AddFindingsToInvestigationResponse'
+ example:
+ {
+ "investigation_guid": "00000000-0000-0000-0000-000000000000"
+ }
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/findings:
+ get:
+ x-splunk-soar-connector-gen:
+ displayName: "list findings"
+ actionName: "list findings"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_get_findings
+ tags:
+ - Findings
+ parameters:
+ - in: query
+ name: finding_ids
+ description: The IDs of findings (event_id's) separated by a comma.
+ x-splunk-soar-connector-gen-parameter:
+ contains: ['finding id']
+ required: false
+ schema:
+ type: string
+ example: 27a81554-a0fa-42d7-8f01-36cd93612df1@@notable@@27a81554a0fa42d78f0136cd93612df1, c1d6e42c-a914-48bc-baf8-b21e12524669@@notable@@c1d6e42ca91448bcbaf8b21e12524669, 9367d26f-c219-406a-b7ab-6eaa19374939@@notable@@9367d26fc219406ab7ab6eaa19374939
+ - in: query
+ name: urgency
+ required: false
+ description: The urgency of a finding. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`.
+ schema:
+ type: string
+ example: informational
+ - in: query
+ name: status
+ required: false
+ description: The status of a finding. Go to the Splunk Enterprise Security app and select **Configure**. Select **Findings and Investigations** and then select **Status** to identify the status of findings.
+ schema:
+ type: string
+ example: In Progress
+ - in: query
+ name: owner
+ required: false
+ description: The owner of a finding.
+ schema:
+ type: string
+ example: admin
+ - in: query
+ name: disposition
+ required: false
+ description: The disposition of a finding. Go to the Splunk Enterprise Security app and select **Configure**. Select **Findings and Investigations** and then select **Disposition** to identify the disposition of the findings.
+ schema:
+ type: string
+ example: True Positive - Suspicious Activity
+ - in: query
+ name: limit
+ required: false
+ description: The number of findings that are returned on the page. The maximum number of findings that can be returned is 100.
+ schema:
+ type: number
+ example: 10
+ - in: query
+ name: offset
+ required: false
+ description: Parameter used with the limit parameter to determine the range of the results. If the offset is not set, the default is 0.
+ schema:
+ type: number
+ example: 30
+ - in: query
+ name: sort
+ description: Parameter based on which the findings are sorted.
+ required: false
+ schema:
+ type: string
+ example: "create_time:asc,status:desc"
+ - in: query
+ name: fields
+ description: The API will return only the fields explicitly provided by the user, excluding any unspecified fields from the response.
+ required: false
+ schema:
+ type: string
+ example: "rule_title,event_id,status,urgency"
+ - in: query
+ name: earliest
+ description: The earliest time defined for the findings. All findings returned have a _time greater or equal to this value. This value can be in relative time (-30m), epoch time, or ISO 8061 time.
+ required: false
+ schema:
+ type: string
+ example: 2019-04-01T22:10:21.705+0000
+ - in: query
+ name: latest
+ description: The latest time defined for the findings. All findings returned have a _time less than or equal to this value. This value can be in relative time (-30m), epoch time, or ISO 8061 time. If no value is provided, the default value is to the current time - now.
+ required: false
+ schema:
+ type: string
+ example: 2019-04-01T22:10:21.705+0000
+ - in: query
+ name: rule_title
+ required: false
+ description: The description of the rule that the search looks for and the security use case that it addresses.
+ schema:
+ type: string
+ example: Personally Identifiable Information Detected
+ - in: query
+ name: search_format
+ required: false
+ x-splunk-soar-connector-gen-parameter:
+ hidden: true
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: The API for retrieving findings by the querying fields. Requires mc_investigation_read or admin_all_objects capabilities.
+ summary: Retrieve findings by the querying fields
+ responses:
+ '200':
+ description: Created
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ items:
+ type: array
+ items:
+ $ref: '#/components/schemas/FindingsGetResponse'
+ example: [
+ {
+ "host": "test.splunkcloud.com",
+ "source": "Risk - 24 Hour Risk Threshold",
+ "sourcetype": "finding_sourcetype",
+ "detection_id": "00000000-0000-0000-0000-000000000000",
+ "disposition": "disposition:6",
+ "disposition_default": "true",
+ "disposition_description": "This disposition shows that there is a possibility for a false positive.",
+ "disposition_label": "True Positive - Suspicious Activity",
+ "event_id": "b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8",
+ "notable_type": "notable",
+ "rule_title": "24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net",
+ "rule_description": "Risk Threshold Exceeded for an object over a 24 hour period",
+ "security_domain": "threat",
+ "risk_object": "bad_user@splunk.com",
+ "risk_object_type": "user",
+ "risk_score": "100",
+ "search_name": "Risk - 24 Hour Risk Threshold Exceeded - Rule",
+ "severity": "medium",
+ "status": "1",
+ "status_default": "true",
+ "status_description": "Finding is recent and not reviewed.",
+ "status_label": "New",
+ "urgency": "informational",
+ "owner": "splunk_user",
+ "_time": "2025-02-25T14:27:28.000+00:00"
+ }
+ ]
+ limit:
+ type: number
+ example: 0
+ offset:
+ type: number
+ example: 0
+ total:
+ type: number
+ example: 0
+ example:
+ {
+ "items": [
+ {
+ "host": ".splunkcloud.com",
+ "source": "Risk - 24 Hour Risk Threshold",
+ "sourcetype": "finding_sourcetype",
+ "detection_id": "00000000-0000-0000-0000-000000000000",
+ "disposition": "disposition:6",
+ "disposition_default": "true",
+ "disposition_description": "This disposition shows that there is a possibility for a false positive.",
+ "disposition_label": "True Positive - Suspicious Activity",
+ "event_id": "b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8",
+ "notable_type": "notable",
+ "rule_title": "24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net",
+ "rule_description": "Risk Threshold Exceeded for an object over a 24 hour period",
+ "security_domain": "threat",
+ "risk_object": "bad_user@splunk.com",
+ "risk_object_type": "user",
+ "risk_score": "100",
+ "search_name": "Risk - 24 Hour Risk Threshold Exceeded - Rule",
+ "severity": "medium",
+ "status": "1",
+ "status_default": "true",
+ "status_description": "Finding is recent and not reviewed.",
+ "status_label": "New",
+ "urgency": "informational",
+ "owner": "splunk_user",
+ "_time": "2025-02-25T14:27:28.000+00:00"
+ }
+ ],
+ "limit": 10,
+ "offset": 0,
+ "total": 2
+ }
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ post:
+ x-splunk-soar-connector-gen:
+ displayName: "create new finding"
+ actionName: "create new finding"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_create_manual_finding
+ description: Create a manual finding in Splunk Enterprise Security.
+ summary: Create a manual finding
+ tags:
+ - Findings
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreateManualFindingRequest'
+ responses:
+ '201':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreateManualFindingResponse'
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '404':
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/findings/{id}:
+ get:
+ x-splunk-soar-connector-gen:
+ displayName: "get finding by id"
+ actionName: "get finding by id"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_get_finding_by_id
+ tags:
+ - Findings
+ description: Retrieve a finding using its ID. Requires mc_investigation_read or admin_all_objects capabilities.
+ summary: Retrieve findings
+ parameters:
+ - in: path
+ name: id
+ description: The ID of the finding.
+ x-splunk-soar-connector-gen-parameter:
+ contains: ['finding id']
+ required: true
+ schema:
+ type: string
+ example: "febdbec4-d932-42d1-8917-7f9b5b5b7aea@@notable@@febdbec4d93242d189177f9b5b5b7aea"
+ - in: query
+ name: earliest
+ required: false
+ description: The earliest time specified for the findings. All the findings returned must have a _time greater or equal to this value. This value can be relative time (-30m), epoch time, or ISO 8061 time. If no value is provided, the default value is the previous 24 hours.
+ schema:
+ type: string
+ example: 2019-04-01T22:10:21.705+0000
+ - in: query
+ name: latest
+ required: false
+ description: The latest time specified for the findings. All the findings returned must have a _time less than or equal to this value. This value can be relative time (-30m), epoch time, or ISO 8061 time. If no value is provided, the default value is "now".
+ schema:
+ type: string
+ example: 2019-04-01T22:10:21.705+0000
+ - in: query
+ name: fields
+ required: false
+ description: Returns the fields that are provided by the user, excluding any unspecified fields from the response.
+ schema:
+ type: string
+ example: "name,_time,event_id,urgency,status,disposition"
+ - in: query
+ name: search_format
+ required: false
+ x-splunk-soar-connector-gen-parameter:
+ hidden: true
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ responses:
+ '200':
+ description: Created
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/FindingsGetResponse'
+ example:
+ {
+ "host": ".splunkcloud.com",
+ "source": "Risk - 24 Hour Risk Threshold",
+ "sourcetype": "finding_sourcetype",
+ "detection_id": "00000000-0000-0000-0000-000000000000",
+ "disposition": "disposition:6",
+ "disposition_default": "true",
+ "disposition_description": "This disposition shows that there is a possibility for a false positive.",
+ "disposition_label": "True Positive - Suspicious Activity",
+ "event_id": "b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8",
+ "notable_type": "notable",
+ "rule_title": "24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net",
+ "rule_description": "Risk Threshold Exceeded for an object over a 24 hour period",
+ "security_domain": "threat",
+ "risk_object": "bad_user@splunk.com",
+ "risk_object_type": "user",
+ "risk_score": "100",
+ "search_name": "Risk - 24 Hour Risk Threshold Exceeded - Rule",
+ "severity": "medium",
+ "status": "1",
+ "status_default": "true",
+ "status_description": "Finding is recent and not reviewed.",
+ "status_label": "New",
+ "urgency": "informational",
+ "owner": "splunk_user",
+ "_time": "2025-02-25T14:27:28.000+00:00"
+ }
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '404':
+ description: Not Found
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/identity/{id}:
+ get:
+ x-splunk-soar-connector-gen:
+ displayName: "get identity"
+ actionName: "get identity"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_get_identity
+ tags:
+ - Identity
+ parameters:
+ - in: path
+ name: id
+ required: true
+ description: The ID of the identity.
+ schema:
+ type: string
+ example: 67bf51bed9f4fd2e56006970
+ - in: query
+ name: search_format
+ required: false
+ x-splunk-soar-connector-gen-parameter:
+ hidden: true
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ description: Retrieve an identity using the ID of the identity. Requires mc_identity_read or admin_all_objects capabilities.
+ summary: Retrieve an identity
+ responses:
+ '200':
+ description: OK
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/IdentityGetResponse'
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ description: Unauthorized
+ '403':
+ description: Forbidden
+ '404':
+ description: Not Found
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ /public/v2/risks/risk_scores/{entity}:
+ post:
+ x-splunk-soar-connector-gen:
+ displayName: "create risk modifier of a risk entity"
+ actionName: "create risk modifier of a risk entity"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_risk_entity_risk_scores_update
+ description: Add a risk modifier to a risk entity in Splunk Enterprise Security. Requires mc_risk_score_write or admin_all_objects capabilities.
+ summary: Add risk modifiers
+ tags:
+ - Risks
+ parameters:
+ - in: path
+ name: entity
+ description: The risk entity to which the risk modifier is added.
+ required: true
+ schema:
+ type: string
+ example: '2.2.2.2'
+ requestBody:
+ required: true
+ description: The request body for updating the risk score of a risk entity.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RiskScoreUpdatePayload'
+ example: { "risk_modifier": 100, "entity_type": "user" }
+ responses:
+ '201':
+ description: Updated the risk score of a risk entity.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RiskScoreUpdateResponse'
+ example: { "risk_score": 100 }
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ get:
+ x-splunk-soar-connector-gen:
+ displayName: "get risk scores for a risk entity"
+ actionName: "get risk scores for a risk entity"
+ supportsAutomation: true
+ proxyConfiguration:
+ proxyPath: /v1/internal/soar_proxy
+ actualPathParameter: X-MCProxyPath
+ operationId: public_v2_risk_entity_risk_scores_retrieve
+ description: Get the risk scores for a risk entity in Splunk Enterprise Security. Requires mc_risk_score_write or admin_all_objects capabilities.
+ summary: Get risk scores for a risk entity
+ tags:
+ - Risks
+ parameters:
+ - in: path
+ name: entity
+ description: The entity to get risk scores for.
+ required: true
+ schema:
+ type: string
+ example: '2.2.2.2'
+ - in: query
+ name: entity_type
+ description: A comma separated list of entity types to query for a specific entity.
+ required: false
+ schema:
+ type: string
+ example: "user,system,hash_values,host_artifacts,tools,other"
+ - in: query
+ name: earliest
+ description: The earliest time specified for the search against the Risk data model to get the risk scores for the entity value.
+ This value can be relative time (-30m), epoch time, or ISO 8061 time. If the earliest or latest times
+ are not provided, risk scores will be read against the cached risk scores from the lookup cache tables that are
+ generated by the saved searches `Risk Correlation By User - Lookup Gen`, `Risk Correlation By System - Lookup Gen`
+ and `Risk Correlation By Other - Lookup Gen` if they are enabled.
+ required: false
+ schema:
+ type: string
+ example: 2019-04-01T22:10:21.705+0000
+ - in: query
+ name: latest
+ description: The latest time specified for the search against the Risk data model to get the risk scores for the entity value.
+ This value can be relative time (-30m), epoch time, or ISO 8061 time. If the earliest or latest times
+ are not provided, risk scores will be read against the cached risk scores from the lookup cache tables that are
+ generated by the saved searches `Risk Correlation By User - Lookup Gen`, `Risk Correlation By System - Lookup Gen`
+ and `Risk Correlation By Other - Lookup Gen` if they are enabled.
+ required: false
+ schema:
+ type: string
+ example: 2019-04-01T22:10:21.705+0000
+ - in: query
+ name: limit
+ required: false
+ description: Number of risk scores to be returned on the page. The default limit is 20. The limit can be a maximum of 100.
+ schema:
+ type: number
+ example: 10
+ - in: query
+ name: offset
+ required: false
+ description: Used with limit to determine result range to pull from results. If the offset is not set, the default is 0.
+ schema:
+ type: number
+ example: 30
+ - in: query
+ name: sort
+ required: false
+ description: The field that the list of risk scores will be sorted on. The default value is `risk_score:desc`
+ (Sort by risk score in decreasing order). Sorting can only be applied to the fields risk_score and entity_type.
+ One sort field can only be provided.
+ schema:
+ type: string
+ example: "risk_score:1"
+ - in: query
+ name: search_format
+ required: false
+ x-splunk-soar-connector-gen-parameter:
+ hidden: true
+ description: If true, the response will be formatted so that it can be used in a splunk search with the `rest` command.
+ schema:
+ type: boolean
+ example: true
+ responses:
+ '200':
+ description: Retrieved risk scores for a risk entity
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RiskScoreRetrieveResponse'
+ example: [
+ {
+ "entity": "1.1.1.1",
+ "entity_type": "system",
+ "risk_score": "100"
+ },
+ {
+ "entity": "1.1.1.1",
+ "entity_type": "host_artifacts",
+ "risk_score": "200"
+ }
+ ]
+ '400':
+ description: Bad request
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+ '401':
+ $ref: '#/components/schemas/401ErrorResponse'
+ '403':
+ $ref: '#/components/schemas/403ErrorResponse'
+ '429':
+ description: Too many requests
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/RateLimitExceededResponse'
+ '500':
+ description: Internal server error.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/ErrorResponse'
+components:
+ schemas:
+ Searches:
+ description: A saved searches in Splunk.
+ type: object
+ properties:
+ id:
+ description: The ID of the search.
+ example: f03af0f8-2e9d-463f-a50b-790dbdd44d5d
+ type: string
+ format: uuid
+ name:
+ description: The name of the saved search.
+ type: string
+ example: Access - Access Over Time By App
+ spl:
+ description: The SPL query for the saved search.
+ type: string
+ example: "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app"
+ description:
+ description: The description of the saved search.
+ type: string
+ example: Use Splunk searches to list the stats for app accessing
+ update_time:
+ description: The update time of the saved search.
+ type: number
+ example: 1676496024.7015831
+ create_time:
+ description: The create time of the saved search.
+ type: number
+ example: 1676495280.719843
+ example:
+ {
+ "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
+ "name": "Access - Access Over Time By App",
+ "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
+ "description": "Use Splunk searches to list the stats for app accessing",
+ "update_time": 1676496024.7015831,
+ "create_time": 1676495280.719843
+ }
+ Playbooks:
+ description: A Splunk SOAR playbook.
+ type: object
+ properties:
+ id:
+ description: The ID of the Splunk SOAR playbook.
+ example: f18a9b47-9e34-435b-8f72-c13b82609ee6
+ type: string
+ format: uuiid
+ last_job_id:
+ description: The last job ID of the Splunk SOAR playbook.
+ type: number
+ example: 0
+ playbook_id:
+ description: The playbook ID of the Splunk SOAR playbook.
+ type: string
+ example: community/suspicious_email_domain_enrichment
+ name:
+ description: The name of the Splunk SOAR playbook.
+ type: string
+ example: suspicious_email_domain_enrichment
+ description:
+ description: The description of the Splunk SOAR playbook.
+ type: string
+ example: This playbook geolocates an address.
+ update_time:
+ description: The update time of the SOAR playbook.
+ type: number
+ example: 1676495407.17426
+ create_time:
+ description: The creation time of the SOAR playbook.
+ type: number
+ example: 1676495280.719677
+ example:
+ {
+ "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
+ "last_job_id": 0,
+ "playbook_id": "community/suspicious_email_domain_enrichment",
+ "name": "suspicious_email_domain_enrichment",
+ "description": "This playbook geolocates an address.",
+ "update_time": 1676495407.17426,
+ "create_time": 1676495280.719677
+ }
+ Action:
+ description: A Splunk SOAR (SOAR) action.
+ type: object
+ properties:
+ id:
+ description: The ID of the Splunk SOAR action.
+ type: string
+ example: 876ab1de-d825-43c0-8b6c-e30c959d9044
+ format: uuid
+ name:
+ description: The name of the Splunk SOAR action.
+ type: string
+ example: geolocate ip - MaxMind
+ description:
+ description: The description of the action.
+ type: string
+ example: This action validates the configuration of an asset.
+ type:
+ description: The type of the Splunk SOAR action. For example, for a Splunk SOAR app, such as Maxmind, the type could be “investigate”, “generic”, “test”, “correct”, or “contain”.
+ type: string
+ example: geolocate ip
+ last_job_id:
+ description: The last job ID of the Splunk SOAR action.
+ type: number
+ example: 0
+ action:
+ description: The action ID of the Splunk SOAR action.
+ type: string
+ example: "1394"
+ app_id:
+ description: The app ID of the Splunk SOAR action.
+ type: number
+ example: 169
+ asset:
+ description: The asset of the Splunk SOAR action.
+ type: number
+ example: 1
+ parameters:
+ description: 'The parameters for the Splunk SOAR action. For example, {"ip":"1.1.1.1"}.'
+ type: array
+ items:
+ type: object
+ example: { "ip": "1.1.1." }
+ example: [ { "ip": "1.1.1.1" } ]
+ update_time:
+ description: The time the Splunk SOAR action was updated.
+ type: number
+ example: 1676495407.1743503
+ create_time:
+ description: The time the Splunk SOAR action was created.
+ type: number
+ example: 1676495280.719768
+ example:
+ {
+ "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
+ "name": "geolocate ip - MaxMind",
+ "description": "This action validates the configuration of an asset.",
+ "type": "geolocate ip",
+ "last_job_id": 0,
+ "action": "1394",
+ "app_id": 169,
+ "asset": 1,
+ "parameters": [ { "ip": "1.1.1.1" } ],
+ "update_time": 1676495407.1743503,
+ "create_time": 1676495280.719768,
+ }
+ FileObject:
+ description: Information on files stored in Splunk Enterprise Security.
+ type: object
+ properties:
+ id:
+ type: string
+ description: The unique ID for this file.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab8
+ format: uuid
+ _key:
+ type: string
+ description: The KVStore key for this file, same as ID.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab8
+ file_name:
+ type: string
+ description: The name of the file.
+ example: splunk-logo-dark.svg
+ incident_type:
+ type: string
+ description: The investigation type of the investigation. Investigation types are used to categorize related investigations by use case or source.
+ example: threat investigation
+ incident_id:
+ type: string
+ description: The investigation ID of the object that attached this file.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ response_plan_info:
+ nullable: true
+ type: object
+ properties:
+ response_plan:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The response plan ID if this was a file uploaded from a response task.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ name:
+ type: string
+ description: The name of the response plan.
+ example: Response Plan - 1
+ example: {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ }
+ response_phase:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The response phase ID if this was a file uploaded from a response task.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ name:
+ type: string
+ description: The name of the response phase.
+ example: Response Phase - 1
+ example: {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ }
+ response_task:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The response task ID if this was a file uploaded from a response task.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ name:
+ type: string
+ description: The name of the response task.
+ example: Response Task - 1
+ example: {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ example: {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ }
+ reference_list:
+ description: A list of object IDs (response note, task, etc.) that uploaded this file.
+ type: array
+ items:
+ type: string
+ example: "1982c0a4-b710-4827-856d-0a9c4f77e70b"
+ example: ["1982c0a4-b710-4827-856d-0a9c4f77e70b"]
+ size:
+ type: number
+ description: The size of the file in bytes.
+ example: 5829
+ source_type:
+ type: string
+ enum: [ "Task", "Incident", "Note" ]
+ description: The type of object that added this file. Available options are Task, Incident, or Note.
+ example: Task
+ source:
+ type: string
+ nullable: true
+ description: The ID of the object (response note, task, etc.) that added this file.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ source_user:
+ type: string
+ description: The username of the user that added this file.
+ example: admin
+ created_on:
+ type: number
+ description: The time when this file was initially added.
+ example: 1676494088.786956
+ file_key:
+ type: string
+ description: The sha256 hash of the contents of this file.
+ example: 22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46
+ _user:
+ type: string
+ description: User field generated by Splunk and added to the KV Store.
+ example: "admin"
+ example:
+ {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
+ "_key": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
+ "file_name": "splunk-logo-dark.svg",
+ "incident_type": "threat investigation",
+ "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "response_plan_info": {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ },
+ "reference_list": [
+ "1982c0a4-b710-4827-856d-0a9c4f77e70b"
+ ],
+ "size": 5829,
+ "source_type": "Task",
+ "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "source_user": "admin",
+ "created_on": 1676494088.786956,
+ "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
+ "_user": "admin"
+ }
+ CreateNotePayload:
+ description: The Splunk Enterprise Security create note request payload.
+ type: object
+ required:
+ - content
+ properties:
+ title:
+ description: The title of the response plan note.
+ type: string
+ example: Create ticket - Note 1
+ content:
+ description: The data stored within the note.
+ type: string
+ example: Note Content for Create Ticket
+ files:
+ description: An array of file IDs to add to a note.
+ type: array
+ items:
+ type: string
+ example: 22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46
+ example:
+ - 22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46
+ example:
+ {
+ "title": "Create ticket - Note 1",
+ "content": "Note Content for Create Ticket",
+ "files": [
+ "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46"
+ ]
+ }
+ UpdateNotePayload:
+ description: The Splunk Enterprise Security update note request payload.
+ type: object
+ properties:
+ title:
+ description: The title of the response plan note.
+ type: string
+ example: Create ticket - Note 1
+ content:
+ description: The data stored within the note.
+ type: string
+ example: Note Content for Create Ticket
+ files:
+ description: An array of file IDs to add to a note.
+ type: array
+ items:
+ type: string
+ example: 22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46
+ example:
+ - 22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46
+ example:
+ {
+ "title": "Create ticket - Note 1",
+ "content": "Note Content for Create Ticket",
+ "files": [
+ "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46"
+ ]
+ }
+ Note:
+ description: Splunk Enterprise Security Note.
+ type: object
+ required:
+ - id
+ - content
+ - title
+ - author
+ properties:
+ id:
+ description: The ID of the created note.
+ type: string
+ example: 2f34ab66-929e-438d-b294-7ce5ea5415d4
+ format: uuid
+ title:
+ description: The title of the note.
+ type: string
+ nullable: true
+ example: Create ticket - Task Note - 1
+ record_type:
+ description: Type of the record. Could be Finding, Finding Group, or Investigation.
+ type: string
+ example: Investigation
+ record_title:
+ description: The name of the finding or investigation or finding group.
+ type: string
+ example: Record Title
+ is_imported:
+ description: Whether the notes is from the included findings/finding group or from the original investigation.
+ type: boolean
+ example: true
+ record_time:
+ description: Field denoting the `_time` that the finding/finding group was created. Value in epoch time.
+ type: number
+ example: 1748370203
+ author:
+ description: The user who created the note.
+ type: object
+ properties:
+ username:
+ description: The username of Splunk user who added the note.
+ type: string
+ example: splunk_user_name
+ example: { "username": admin }
+ last_edited_by:
+ nullable: true
+ description: The email address of the user who edited the note most recently.
+ type: string
+ example: bob@splunk.com
+ response_plan_info:
+ nullable: true
+ type: object
+ properties:
+ response_plan:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The response plan ID if this was a file uploaded from a response task.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ name:
+ type: string
+ description: The name of the response plan.
+ example: Response Plan - 1
+ example: {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ }
+ response_phase:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The response phase ID if this was a file uploaded from a response task.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ name:
+ type: string
+ description: The name of the response phase.
+ example: Response Phase - 1
+ example: {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ }
+ response_task:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The response task ID if this was a file uploaded from a response task.
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ format: uuid
+ name:
+ type: string
+ description: The name of the response task.
+ example: Response Task - 1
+ example: {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ example: {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ }
+ source:
+ nullable: true
+ description: The ID of the object that added this note.
+ type: string
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ source_type:
+ nullable: true
+ description: The type of object that added this note. Available options are Task or Incident.
+ type: string
+ enum: [ Task, Incident ]
+ example: Task
+ incident_id:
+ nullable: true
+ description: The ID of the finding or investigation that contains this note.
+ type: string
+ example: c80a092f-9dca-484b-8733-9c3162ee4ab9
+ content:
+ description: The content of the note.
+ type: string
+ example: Note for task Create Ticket
+ files:
+ description: The list of files added to the note.
+ type: array
+ example: [ 576cddf8-f9b5-48db-b41b-cc1ea2ad4da3 ]
+ items:
+ type: string
+ example: 576cddf8-f9b5-48db-b41b-cc1ea2ad4da3
+ description: The file IDs of the files added to the note.
+ create_time:
+ description: The time when the note was created.
+ type: number
+ example: 1676494561.553658
+ update_time:
+ description: The time when the note was updated.
+ type: number
+ example: 1676494561.553894
+ example:
+ {
+ "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
+ "title": "Create ticket - Task Note - 1",
+ "author": {
+ "username": "admin"
+ },
+ "last_edited_by": "bob@splunk.com",
+ "response_plan_info": {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ },
+ "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "source_type": "Task",
+ "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "content": "Note for task Create Ticket",
+ "files": [
+ "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
+ ],
+ "create_time": 1676494561.553658,
+ "update_time": 1676494561.553894
+ }
+ NoteListResponse:
+ description: Response of a list of notes.
+ type: object
+ properties:
+ items:
+ description: The list of notes.
+ type: array
+ items:
+ $ref: '#/components/schemas/Note'
+ example: [
+ {
+ "id": "3aced868-5600-4b74-9ec3-61cd6728f25f",
+ "create_time": 1748988825.070582,
+ "update_time": 1748988825.070582,
+ "title": "note title",
+ "content": "note content",
+ "author": {
+ "username": "admin",
+ "realname": "Splunk Administrator"
+ },
+ "files": [ ],
+ "source": "3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0",
+ "source_type": "Incident",
+ "incident_id": "3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0"
+ }
+ ]
+ offset:
+ description: The offset of the notes.
+ type: number
+ example: 0
+ limit:
+ description: The limit of the notes.
+ type: number
+ example: 10
+ total:
+ description: The total number of notes.
+ type: number
+ example: 2
+ example:
+ {
+ "items": [
+ {
+ "id": "3aced868-5600-4b74-9ec3-61cd6728f25f",
+ "create_time": 1748988825.070582,
+ "update_time": 1748988825.070582,
+ "title": "note title",
+ "content": "note content",
+ "author": {
+ "username": "admin",
+ "realname": "Splunk Administrator"
+ },
+ "files": [ ],
+ "source": "3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0",
+ "source_type": "Incident",
+ "incident_id": "3fe85bc5-a550-4c0d-a61d-ff8d09f4ecb0"
+ }
+ ],
+ "offset": 0,
+ "limit": 10,
+ "total": 20
+ }
+ TaskSuggestions:
+ description: Playbooks, actions or searches that were added to the task.
+ type: object
+ properties:
+ actions:
+ description: The list of Splunk SOAR (SOAR) actions added to this response task.
+ type: array
+ items:
+ $ref: '#/components/schemas/Action'
+ example: [
+ {
+ "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
+ "name": "geolocate ip - MaxMind",
+ "description": "This action validates the configuration of an asset.",
+ "type": "geolocate ip",
+ "last_job_id": 0,
+ "action": "1394",
+ "app_id": 169,
+ "asset": 1,
+ "parameters": [ { "ip": "1.1.1.1" } ],
+ "update_time": 1676495407.1743503,
+ "create_time": 1676495280.719768,
+ }
+ ]
+ playbooks:
+ description: The list of SOAR playbooks added to this response task.
+ type: array
+ items:
+ $ref: '#/components/schemas/Playbooks'
+ example: [
+ {
+ "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
+ "last_job_id": 0,
+ "playbook_id": "community/suspicious_email_domain_enrichment",
+ "name": "suspicious_email_domain_enrichment",
+ "description": "This playbook geolocates an address.",
+ "update_time": 1676495407.17426,
+ "create_time": 1676495280.719677
+ }
+ ]
+ searches:
+ description: The list of saved searches added to this response task.
+ type: array
+ items:
+ $ref: '#/components/schemas/Searches'
+ example: [
+ {
+ "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
+ "name": "Access - Access Over Time By App",
+ "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
+ "description": "Use Splunk searches to list the stats for app accessing",
+ "update_time": 1676496024.7015831,
+ "create_time": 1676495280.719843
+ }
+ ]
+ example:
+ {
+ "actions": [
+ {
+ "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
+ "name": "geolocate ip - MaxMind",
+ "description": "This action validates the configuration of an asset.",
+ "type": "geolocate ip",
+ "last_job_id": 0,
+ "action": "1394",
+ "app_id": 169,
+ "asset": 1,
+ "parameters": [{ "ip": "1.1.1.1" }],
+ "update_time": 1676495407.1743503,
+ "create_time": 1676495280.719768
+ }
+ ],
+ "playbooks": [
+ {
+ "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
+ "last_job_id": 0,
+ "playbook_id": "community/suspicious_email_domain_enrichment",
+ "name": "suspicious_email_domain_enrichment",
+ "description": "This playbook geolocates an address.",
+ "update_time": 1676495407.17426,
+ "create_time": 1676495280.719677
+ }
+ ],
+ "searches": [
+ {
+ "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
+ "name": "Access - Access Over Time By App",
+ "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
+ "description": "Use Splunk searches to list the stats for app accessing",
+ "update_time": 1676496024.7015831,
+ "create_time": 1676495280.719843
+ }
+ ]
+ }
+ ResponseTask:
+ description: A task object in **Response Plan**.
+ type: object
+ properties:
+ id:
+ type: string
+ description: The ID of the response task.
+ format: uuid
+ example: 4edb5c77-0ac3-4d49-842b-19b0eff4d8fd
+ name:
+ type: string
+ description: The name of the task.
+ example: Create ticket
+ tag:
+ type: string
+ description: The ID of the task that maps a response plan task to its original template.
+ example: d81ff75d-d9fe-4618-9752-e2840e5aa147
+ status:
+ type: string
+ description: The status of the task. Available options are Pending, Started, Ended, or Reopened.
+ enum: [ "Started", "Ended", "Reopened", "Pending" ]
+ example: Started
+ order:
+ type: number
+ description: The order of the task in respect to all tasks in the phase.
+ example: 1
+ description:
+ type: string
+ description: The description of the task.
+ example: Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.
+ owner:
+ type: string
+ description: The owner of the task.
+ example: admin
+ is_note_required:
+ type: boolean
+ description: Determines whether a note is required to be created in order to complete or end the task.
+ example: false
+ start_time:
+ type: number
+ description: The time at when the task was started.
+ example: 1676493726.238174
+ end_time:
+ type: number
+ description: The time at when the task was ended.
+ example: 1676493727.238301
+ suggestions:
+ $ref: '#/components/schemas/TaskSuggestions'
+ notes:
+ type: array
+ items:
+ $ref: '#/components/schemas/Note'
+ example: [
+ {
+ "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
+ "title": "Create ticket - Task Note - 1",
+ "author": {
+ "username": "admin"
+ },
+ "last_edited_by": "bob@splunk.com",
+ "response_plan_info": {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ },
+ "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "source_type": "Task",
+ "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "content": "Note for task Create Ticket",
+ "files": [
+ "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
+ ],
+ "create_time": 1676494561.553658,
+ "update_time": 1676494561.553894
+ }
+ ]
+ files:
+ type: array
+ items:
+ $ref: '#/components/schemas/FileObject'
+ example: [
+ {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
+ "_key": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
+ "file_name": "splunk-logo-dark.svg",
+ "incident_type": "threat investigation",
+ "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "response_plan_info": {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ },
+ "reference_list": [
+ "1982c0a4-b710-4827-856d-0a9c4f77e70b"
+ ],
+ "size": 5829,
+ "source_type": "Task",
+ "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "source_user": "admin",
+ "created_on": 1676494088.786956,
+ "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
+ "_user": "admin"
+ }
+ ]
+ create_time:
+ type: number
+ description: The time when the task was created.
+ example: 1689110850.869705
+ update_time:
+ type: number
+ description: The time when the task was last updated.
+ example: 1689110850.869705
+ total_time_taken:
+ type: number
+ description: The time taken to complete a task in seconds.
+ example: 2.0
+ required:
+ - name
+ - order
+ - id
+ example:
+ {
+ "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
+ "name": "Create ticket",
+ "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
+ "status": "Started",
+ "order": 1,
+ "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
+ "owner": "admin",
+ "is_note_required": false,
+ "start_time": 1676493726.238174,
+ "end_time": 1676493727.238301,
+ "suggestions": {
+ "actions": [ ],
+ "playbooks": [ ],
+ "searches": [ ]
+ },
+ "notes": [ ],
+ "files": [ ],
+ "create_time": 1689110850.869705,
+ "update_time": 1689110850.869705,
+ "total_time_taken": 2.0
+ }
+ ResponsePhase:
+ description: A phase object in **Response Plan**.
+ type: object
+ properties:
+ id:
+ description: The ID of the response phase.
+ type: string
+ example: e4317f74-2ca2-4812-9805-07c7e9aeaa40
+ name:
+ description: The name of the response phase.
+ type: string
+ example: Ingestion
+ order:
+ description: The order of the response phase.
+ type: number
+ example: 1
+ create_time:
+ description: The time when this response phase was created, as an epoch timestamp.
+ type: number
+ example: 1676492834.50028
+ update_time:
+ description: The time when this response phase was updated, as an epoch timestamp.
+ type: number
+ example: 1676492834.500499
+ tasks:
+ description: The list of tasks in the response template.
+ type: array
+ items:
+ $ref: '#/components/schemas/ResponseTask'
+ example: [
+ {
+ "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
+ "name": "Create ticket",
+ "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
+ "status": "Started",
+ "order": 1,
+ "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
+ "owner": "admin",
+ "is_note_required": false,
+ "start_time": 1676493726.238174,
+ "end_time": 1676493727.238301,
+ "suggestions": {
+ "actions": [
+ {
+ "id": "876ab1de-d825-43c0-8b6c-e30c959d9044",
+ "name": "geolocate ip - MaxMind",
+ "description": "This action validates the configuration of an asset.",
+ "type": "geolocate ip",
+ "last_job_id": 0,
+ "action": "1394",
+ "app_id": 169,
+ "asset": 1,
+ "parameters": [ { "ip": "1.1.1.1" } ],
+ "update_time": 1676495407.1743503,
+ "create_time": 1676495280.719768
+ }
+ ],
+ "playbooks": [
+ {
+ "id": "f18a9b47-9e34-435b-8f72-c13b82609ee6",
+ "last_job_id": 0,
+ "playbook_id": "community/suspicious_email_domain_enrichment",
+ "name": "suspicious_email_domain_enrichment",
+ "description": "This playbook geolocates an address.",
+ "update_time": 1676495407.17426,
+ "create_time": 1676495280.719677
+ }
+ ],
+ "searches": [
+ {
+ "id": "f03af0f8-2e9d-463f-a50b-790dbdd44d5d",
+ "name": "Access - Access Over Time By App",
+ "spl": "%7C%20%60tstats%60%20count%20from%20datamodel%3DAuthentication.Authentication%20by%20_time%2CAuthentication.app%20span%3D10m%20%7C%20timechart%20minspan%3D10m%20useother%3D%60useother%60%20count%20by%20Authentication.app",
+ "description": "Use Splunk searches to list the stats for app accessing",
+ "update_time": 1676496024.7015831,
+ "create_time": 1676495280.719843
+ }
+ ]
+ },
+ "notes": [
+ {
+ "id": "2f34ab66-929e-438d-b294-7ce5ea5415d4",
+ "title": "Create ticket - Task Note - 1",
+ "author": {
+ "username": "admin"
+ },
+ "last_edited_by": "bob@splunk.com",
+ "response_plan_info": {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ },
+ "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "source_type": "Task",
+ "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "content": "Note for task Create Ticket",
+ "files": [
+ "576cddf8-f9b5-48db-b41b-cc1ea2ad4da3"
+ ],
+ "create_time": 1676494561.553658,
+ "update_time": 1676494561.553894
+ }
+ ],
+ "files": [
+ {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
+ "_key": "c80a092f-9dca-484b-8733-9c3162ee4ab8",
+ "file_name": "splunk-logo-dark.svg",
+ "incident_type": "threat investigation",
+ "incident_id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "response_plan_info": {
+ "response_plan": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Plan - 1"
+ },
+ "response_phase": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Phase - 1"
+ },
+ "response_task": {
+ "id": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "name": "Response Task - 1"
+ }
+ },
+ "reference_list": [
+ "1982c0a4-b710-4827-856d-0a9c4f77e70b"
+ ],
+ "size": 5829,
+ "source_type": "Task",
+ "source": "c80a092f-9dca-484b-8733-9c3162ee4ab9",
+ "source_user": "admin",
+ "created_on": 1676494088.786956,
+ "file_key": "22a2e62e186f4dc4b33edde666534b4622a2e62e186f4dc4b33edde666534b46",
+ "_user": "admin"
+ }
+ ],
+ "create_time": 1689110850.869705,
+ "update_time": 1689110850.869705,
+ "total_time_taken": 2.0
+ }
+ ]
+ example:
+ {
+ "id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40",
+ "name": "Ingestion",
+ "order": 1,
+ "create_time": 1676492834.50028,
+ "update_time": 1676492834.500499,
+ "tasks": [
+ {
+ "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd",
+ "name": "Create ticket",
+ "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147",
+ "status": "Started",
+ "order": 1,
+ "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.",
+ "owner": "admin",
+ "is_note_required": false,
+ "start_time": 1676493726.238174,
+ "end_time": 1676493727.238301,
+ "suggestions": {
+ "actions": [],
+ "playbooks": [],
+ "searches": []
+ },
+ "notes": [],
+ "files": [],
+ "create_time": 1689110850.869705,
+ "update_time": 1689110850.869705,
+ "total_time_taken": 2.0
+ }
+ ]
+ }
+ ResponseTemplateVersion:
+ type: object
+ description: Version information for a response template.
+ properties:
+ version:
+ type: number
+ example: 2
+ update_time:
+ type: number
+ format: double
+ example: 1690743671.0881049633
+ example: { "version": 2, "update_time": 1690743671.0881049633 }
+ ResponseTemplateManifest:
+ type: object
+ description: Response template manifest.
+ properties: + name: + type: string + example: "Test Response plan" + versions: + type: array + items: + $ref: "#/components/schemas/ResponseTemplateVersion" + example: + [ + { "version": 1, "update_time": 1690743671.0881049633 }, + { "version": 2, "update_time": 1690743671.0881049633 }, + ] + link: + type: string + format: uri + example: "https://example.com/response-templates/d81ff75d-d9fe-4618-9752-e2840e5aa147" + example: + { + "name": "Test Response plan", + "versions": + [ + { "version": 1, "update_time": 1690743671.0881049633 }, + { "version": 2, "update_time": 1690743671.0881049633 }, + ], + "link": "https://example.com/response-templates/d81ff75d-d9fe-4618-9752-e2840e5aa147", + } + ResponseTemplateMerged: + type: array + description: Response templates merged into a single array. + items: + $ref: "#/components/schemas/ResponseTemplate" + example: + [ + { + "id": "d81ff75d-d9fe-4618-9752-e2840e5aa147", + "name": "Test Response plan", + }, + ] + ResponseTemplate: + type: object + description: Response template object. + properties: + id: + description: The ID for the response plan. + type: string + example: "d81ff75d-d9fe-4618-9752-e2840e5aa147" + x-splunk-soar-connector-gen-parameter: + contains: ["response template id"] + _key: + type: string + description: Internal use only. + example: "d81ff75d-d9fe-4618-9752-e2840e5aa147" + version: + description: The response plan version. + type: number + example: 2.0 + is_default: + description: Whether or not the response plan is a default plan. + type: boolean + example: False + name: + description: Name of the response plan. + type: string + example: "Test Response plan" + description: + description: The description of the response plan. + type: string + example: "This is a response plan created by a user" + template_status: + description: The status of the response plan, for example "Published". + type: string + example: "Published" + creator: + description: The user who created this response plan. 
+ type: string + example: "John Doe" + updated_by: + description: The user who updated this response plan. + type: string + example: "John Doe" + create_time: + type: number + description: The time when the response plan was created, as an epoch time stamp. + example: 1690743671.0881049633 + update_time: + type: number + description: The time when the response plan was last updated, as an epoch time stamp. + example: 1690743671.0881049633 + phases: + description: A list of phases in the response plan. + type: array + items: + $ref: "#/components/schemas/ResponseTemplatePhase" + example: + [ + { + "name": "Phase 1", + "order": 1, + "create_time": 1690743671.0881049633, + "update_time": 1690743671.0881049633, + "tasks": [], + }, + ] + required: + - name + example: + { + "id": "d81ff75d-d9fe-4618-9752-e2840e5aa147", + "version": 2.0, + "is_default": false, + "name": "Test Response plan", + "description": "This is a response plan created by a user", + "template_status": "Published", + "creator": "John Doe", + "updated_by": "John Doe", + "create_time": 1690743671.0881049633, + "update_time": 1690743671.0881049633, + "phases": + [ + { + "name": "Phase 1", + "order": 1, + "create_time": 1690743671.0881049633, + "update_time": 1690743671.0881049633, + "tasks": [], + }, + ], + } + ResponseTemplatePhase: + description: Phase object in response plan. + type: object + properties: + name: + description: The name of the response phase. + type: string + example: "Phase 1" + order: + description: The order of the response phase. + type: number + example: 1 + create_time: + description: The time when the response phase was created, as an epoch time stamp. + type: number + example: 1690743671.0881049633 + update_time: + description: The time when the response phase was last updated, as an epoch time stamp. + type: number + example: 1690743671.0881049633 + tasks: + description: A list of tasks in the response phase. 
+ type: array + items: + $ref: "#/components/schemas/ResponseTemplateTask" + example: [] + example: + { + "name": "Phase 1", + "order": 1, + "create_time": 1690743671.0881049633, + "update_time": 1690743671.0881049633, + "tasks": [], + } + ResponseTemplateTask: + description: Task Object in Response Plan. + type: object + properties: + name: + type: string + description: The name of the task. + example: Create ticket + tag: + type: string + description: The ID of the task that maps a response plan task to its original template. + example: d81ff75d-d9fe-4618-9752-e2840e5aa147 + order: + type: number + description: The order of the task in respect to all tasks in the phase. + example: 1 + description: + type: string + description: The description of the task. + example: Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking. + owner: + type: string + description: The owner of the task. + example: admin + is_note_required: + type: boolean + description: Determines whether a note is required to be created in order to complete or end the task. + example: false + start_time: + type: number + description: The time when the task was started. + example: 1676493726.238174 + end_time: + type: number + description: The time when the task ended. 
+ example: 1676493727.238301 + suggestions: + $ref: "#/components/schemas/TaskSuggestions" + notes: + type: array + items: + $ref: "#/components/schemas/Note" + example: [] + files: + type: array + items: + $ref: "#/components/schemas/FileObject" + example: [] + required: + - name + - order + example: + { + "name": "Create ticket", + "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147", + "order": 1, + "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.", + "owner": "admin", + "is_note_required": false, + "start_time": 1676493726.238174, + "end_time": 1676493727.238301, + "suggestions": { "actions": [], "playbooks": [], "searches": [] }, + "notes": [], + "files": [], + } + ResponsePlan: + description: A response plan that can be added to an investigation. + type: object + properties: + id: + description: The unique ID for the response plan. + type: string + example: 5c674507-50c2-4a94-b458-fdcb5eec333d + format: uuid + version: + description: The version of the response plan. + type: number + example: 1 + is_default: + description: Whether or not the response plan is the default plan. + type: boolean + example: true + source_template_id: + description: The ID of the source template for this response plan. + type: string + example: 142ba3eb-1fd9-4cb3-a040-e139aac107ff + format: uuid + create_time: + description: The time the response plan was created. + type: number + example: 1676492834.50028 + update_time: + description: The time the response plan was last updated. + type: number + example: 1676492834.500499 + name: + description: The name of the response plan. + type: string + example: Suspicious Email + description: + description: The description of the response plan. 
+ type: string + example: There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. + template_status: + description: The status of the response plan. For example, “In Progress”. + type: string + example: published + creator: + description: The person who created this plan. + type: string + example: Splunk + updated_by: + description: The person who updated the plan. + type: string + example: Splunk + phases: + type: array + items: + $ref: '#/components/schemas/ResponsePhase' + required: + - name + example: [ { "name": "Phase 1" } ] + example: + { + "id": "5c674507-50c2-4a94-b458-fdcb5eec333d", + "version": 1, + "is_default": true, + "source_template_id": "142ba3eb-1fd9-4cb3-a040-e139aac107ff", + "create_time": 1676492834.50028, + "update_time": 1676492834.500499, + "name": "Suspicious Email", + "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods.", + "template_status": "published", + "creator": "Splunk", + "updated_by": "Splunk", + "phases": [ + { + "id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40", + "name": "Ingestion", + "order": 1, + "create_time": 1676492834.50028, + "update_time": 1676492834.500499, + "tasks": [ + { + "id": "4edb5c77-0ac3-4d49-842b-19b0eff4d8fd", + "name": "Create ticket", + "tag": "d81ff75d-d9fe-4618-9752-e2840e5aa147", + "status": "Started", + "order": 1, + "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. 
As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.", + "owner": "admin", + "is_note_required": false, + "start_time": 1676493726.238174, + "end_time": 1676493727.238301, + "suggestions": { + "actions": [], + "playbooks": [], + "searches": [] + }, + "notes": [], + "files": [], + "create_time": 1689110850.869705, + "update_time": 1689110850.869705, + "total_time_taken": 2.0 + } + ] + } + ] + } + InvestigationGetResponse: + description: The response of the get investigation api call. + type: object + required: ["create_time", "update_time", "investigation_guid", "investigation_id", "name", "incident_origin", + "description", "investigation_type", "disposition", "status", "urgency", "sensitivity", "excluded_finding_ids", + "finding", "custom_fields", "attachments", "response_plans", "findings", + "consolidated_findings", "count_findings", "risk_event_count", "src", "dest", "dvc", "orig_host", "src_user", "user", + "risk_object", "risk_object_type", "mc_create_time", "status_name", "disposition_name"] + properties: + mc_create_time: + description: The time when the finding or investigation was created or imported into Splunk Enterprise Security. + type: number + example: 1676497763.861311 + create_time: + description: The time when the investigation was created. + type: number + example: 1676497520 + update_time: + description: The time when the investigation was last updated. + type: number + example: 1676497800.160927 + investigation_guid: + description: The ID (GUID) of the investigation that was retrieved. + type: string + example: 00000000-0000-0000-0000-000000000000 + investigation_id: + description: The short ID of the investigation for display. + type: string + example: ES-00001 + name: + description: The name of the investigation. 
+ type: string + example: Sample Threat Activity Detection + source: + description: The detection that generated the investigation. + type: string + nullable: true + example: Threat - Mission Control - Rule + incident_origin: + description: Identifies where the investigation came from. For example, whether the investigation came from Splunk Enterprise Security, a risk-based alerting finding, or a Splunk Enterprise Security finding. + type: string + example: ES Finding Event + description: + description: The description of the investigation. + type: string + example: Sample investigation for Mission Control + investigation_type: + description: The type of the investigation. Investigation types are used to categorize related investigations by use case or source. + type: string + example: threat investigation + finding_id: + description: The ID of the originating Splunk Enterprise Security finding. + type: string + nullable: true + example: "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9" + disposition: + description: The disposition ID of the investigation. + type: string + example: disposition:1 + status: + description: The status ID of the investigation. + type: string + example: "1" + owner: + description: The person assigned to the investigation. + type: string + example: admin + urgency: + description: The urgency of the investigation. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`. + type: string + example: informational + sensitivity: + description: The sensitivity of the investigation. Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`. + type: string + example: Red + excluded_finding_ids: + description: List of findings or intermediate findings in the finding groups that are removed from the investigation. + type: array + items: + type: string + example: "finding1" + example: ["finding1", "finding2"] + finding: + description: The raw data in a finding. 
+ type: object + example: { "search_name": "Manual Notable Event - Rule", "info_max_time": "+Infinity", "info_min_time": "0.000" } + custom_fields: + description: Custom fields in the investigation. + type: object + example: { "custom_field_1": "value1", "custom_field_2": "value2" } + attachments: + description: Array of file IDs that are added directly to the investigation. + type: array + items: + type: string + example: "c7f677fc-1234-4b48-a29d-c28c3f979752" + example: ["c7f677fc-8767-4b48-a29d-c28c3f979752"] + notes: + description: Array of note IDs that are added directly to the finding or investigation. + type: array + items: + type: string + example: "c7f677fc-8767-4b41-a29d-c28c3f979752" + example: ["c7f677fc-8767-4b41-a29d-c28c3f979752"] + current_response_plan_phase: + description: The data surrounding the current phase of the response plan. + type: object + example: {"phase_id":"e4317f74-2ca2-4812-9805-07c7e9aeaa40", "response_plan_id": "5c674507-50c2-4a94-b458-fdcb5eec333d"} + response_plans: + description: The array of response plans added to the investigation. + type: array + items: + $ref: '#/components/schemas/ResponsePlan' + example: [{"id": "5c674507-50c2-4a94-b458-fdcb5eec333d", "name": "Response Plan - 1"}] + investigations: + description: The investigation IDs to which the investigation is added. + type: array + items: + type: string + example: "investigation1" + example: ["investigation1", "investigation2"] + findings: + description: The findings IDs that are added to the investigation. + type: object + properties: + incident_ids: + description: The added finding IDs. + type: array + items: + type: string + example: "11111111-1111-1111-1111-111111111111" + example: ["11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111112"] + field_inheritors: + description: The added finding IDs that will inherit this investigation's owner, status, urgency, sensitivity, and disposition values. 
+ type: array + items: + type: string + example: "11111111-1111-1111-1111-111111111111" + example: ["11111111-1111-1111-1111-111111111111"] + example: {"incident_ids": ["11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111112"], "field_inheritors": ["11111111-1111-1111-1111-111111111111"]} + consolidated_findings: + description: The consolidated list of fields for the findings and all the findings that are added to this investigation. These appear on the **Overview** tab. + type: object + example: {"src": "10.39.210.66", "dest": "8.235.139.88", "app": "splunk"} + count_findings: + description: The number of findings or intermediate findings that are associated with this investigation or finding-based-detection (FBD) group. + type: number + example: 2 + risk_event_count: + description: The number of risk events that are associated with this investigation. + type: number + example: 5 + src: + description: The list of values for the `source` field. + type: array + items: + type: string + example: "1.1.1.1" + example: ["10.0.0.1", "10.0.0.2"] + dest: + description: The list of values for the `destination` field. + type: array + items: + type: string + example: "1.1.1.1" + example: ["192.168.1.1", "192.168.1.2"] + dvc: + description: The list of values for the `device` field. + type: array + items: + type: string + example: "device1" + example: ["device1", "device2"] + orig_host: + description: List of values for the `host` field. + type: array + items: + type: string + example: "host1" + example: ["host1", "host2"] + src_user: + description: The list of values for the `source user` field. + type: array + items: + type: string + example: "user1" + example: ["user1", "user2"] + user: + description: The list of values for the `user` field. 
+ type: array + items: + type: string + example: "user1" + example: ["user1", "user2"] + risk_score: + nullable: true + description: The number that represents the maximum risk score for all the findings added to the investigation. + type: number + example: 20.0 + risk_object: + description: The list of entities for a finding, a finding group, or an investigation. + type: array + items: + type: string + example: "entity1" + example: ["entity1", "entity2"] + risk_object_type: + description: The list of risk object types for a finding, a finding group, or an investigation. + type: array + items: + type: string + example: "system" + example: [ "system", "user" ] + status_name: + description: The status name of the investigation. + type: string + example: New + disposition_name: + description: The disposition name of the investigation. + type: string + example: Undetermined + example: + { + "mc_create_time": 1676497763.861311, + "create_time": 1676497520, + "update_time": 1676497800.160927, + "investigation_guid": "00000000-0000-0000-0000-000000000000", + "investigation_id": "ES-00001", + "name": "New Investigation", + "source": "Threat - Mission Control - Rule", + "incident_origin": "ES Notable Event", + "description": "Sample investigation for Mission Control", + "investigation_type": "threat investigation", + "finding_id": "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9", + "disposition": "disposition:1", + "status": "1", + "owner": "admin", + "urgency": "informational", + "sensitivity": "Red", + "excluded_finding_ids": [ "finding1", "finding2" ], + "finding": { + "search_name": "Manual Notable Event - Rule", + "info_max_time": "+Infinity", + "info_min_time": "0.000" + }, + "custom_fields": { + "custom_field_1": "value1", + "custom_field_2": "value2" + }, + "attachments": [ "c7f677fc-8767-4b48-a29d-c28c3f979752" ], + "current_response_plan_phase": { + "phase_id": "e4317f74-2ca2-4812-9805-07c7e9aeaa40", + "response_plan_id": 
"5c674507-50c2-4a94-b458-fdcb5eec333d" + }, + "response_plans": [ + { + "id": "5c674507-50c2-4a94-b458-fdcb5eec333d", + "name": "Response Plan - 1" + } + ], + "findings": { + "incident_ids": [ "11111111-1111-1111-1111-111111111111", "11111111-1111-1111-1111-111111111112" ], + "field_inheritors": [ "11111111-1111-1111-1111-111111111111" ] + }, + "consolidated_findings": { + "src": "10.39.210.66", + "dest": "8.235.139.88", + "app": "splunk" + }, + "count_findings": 2, + "risk_event_count": 5, + "src": [ "10.0.0.1", "10.0.0.2" ], + "dest": [ "192.168.1.1", "192.168.1.2" ], + "dvc": [ "device1", "device2" ], + "orig_host": [ "host1", "host2" ], + "src_user": [ "user1", "user2" ], + "user": [ "user1", "user2" ], + "risk_score": 20.0, + "risk_object": [ "entity1", "entity2" ], + "risk_object_type": [ "system", "user" ], + "status_name": "New", + "disposition_name": "Undetermined", + } + InvestigationUpdatePayload: + description: Request payload to update an investigation. + type: object + properties: + name: + description: The new name of the investigation to be created. + type: string + example: "My investigation name" + description: + description: The new description of the investigation to be created. + type: string + example: "My investigation description" + status: + description: The new status id or status label of the investigation to be created. + type: string + example: New + owner: + description: The new owner of the investigation to be created. + type: string + example: admin + urgency: + description: The new urgency of the investigation to be created. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`. + type: string + example: informational + sensitivity: + description: The new sensitivity of the investigation to be created. Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`. + type: string + example: Red + investigation_type: + description: The new investigation type of the investigation to be created. 
+ type: string + example: default + example: + { + "name": "My investigation name", + "description": "My investigation description", + "status": "New", + "owner": "admin", + "urgency": "informational", + "sensitivity": "Red", + "investigation_type": "default" + } + InvestigationCreatePayload: + description: Request payload to create an investigation. + type: object + required: ["name"] + properties: + name: + description: The name of the investigation to be created. + type: string + example: "My investigation name" + description: + description: The description of the investigation to be created. + type: string + example: "My investigation description" + investigation_type: + description: The type of the investigation to be created. + type: string + example: default + status: + description: The status ID or status label of the investigation to be created. + type: string + example: New + disposition: + description: The disposition ID or disposition label of the investigation to be created. + type: string + example: Undetermined + owner: + description: The owner of the investigation to be created. + type: string + example: admin + urgency: + description: The urgency of the investigation to be created. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`. + type: string + example: informational + sensitivity: + description: The sensitivity of the investigation to be created. Valid choices are `White`, `Green`, `Amber`, `Red`, or `Unassigned`. + type: string + example: Red + finding_ids: + description: The list of IDs (event_ids) for findings added to the investigation. + type: array + items: + type: string + example: "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9" + example: ["A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9"] + finding_times: + description: The list of times for findings added to the investigation. Value can be in relative, ISO, or epoch time. 
+ type: array + items: + type: string + example: "1676497520" + example: ["1676497520", "1676497800"] + example: + { + "name": "My investigation name", + "description": "My investigation description", + "investigation_type": "default", + "status": "New", + "disposition": "Undetermined", + "owner": "admin", + "urgency": "informational", + "sensitivity": "Red" + } + InvestigationCreateResponse: + description: The response of the create investigation api call. + type: object + required: ['investigation_guid'] + properties: + investigation_guid: + description: The ID (GUID) of the investigation that was created. + type: string + example: 00000000-0000-0000-0000-000000000000 + format: uuid + example: + { + "investigation_guid": "00000000-0000-0000-0000-000000000000" + } + InvestigationUpdateResponse: + description: The response of the update investigation api call. + type: object + required: [ 'investigation_guid' ] + properties: + investigation_guid: + description: The ID (GUID) of the investigation that was created. + type: string + example: 00000000-0000-0000-0000-000000000000 + format: uuid + example: + { + "investigation_guid": "00000000-0000-0000-0000-000000000000" + } + AddFindingsToInvestigationPayload: + description: Request payload to add findings to an investigation. + type: object + required: ["finding_ids", "finding_times"] + properties: + finding_ids: + description: The list of IDs (event_ids) for findings added to the investigation. + type: array + items: + type: string + example: "A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9" + example: ["A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9"] + finding_times: + description: The list of times for findings added to the investigation. Value can be in relative, ISO, or epoch time. 
+ type: array + items: + type: string + example: "1676497520" + example: ["1676497520", "1676497800"] + example: + { + "finding_ids": ["A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9"], + "finding_times": ["1676497520", "1676497800"] + } + AddFindingsToInvestigationResponse: + description: The response of the add findings to investigation api call. + type: object + required: ['investigation_guid'] + properties: + investigation_guid: + description: The ID (GUID) of the investigation findings were added to. + type: string + example: 00000000-0000-0000-0000-000000000000 + format: uuid + example: + { + "investigation_guid": "00000000-0000-0000-0000-000000000000" + } + AssetsGetResponse: + type: object + description: The response of the get assets api call. + properties: + _last_updated: + description: The last time the asset was updated. + type: number + example: 1740477793.8923568726 + _sources: + description: The source of the asset. + type: array + items: + type: string + example: "canon_wdio_assets" + example: [ "canon_wdio_assets" ] + asset: + description: The IP address, DNS name, MAC address, and the Windows NT host field of the asset. + type: array + items: + type: string + example: "192.168.0.1" + example: [ "192.168.0.1", "00:1A:2B:3C:4D:5E" ] + dns: + description: The name of the domain name server of the asset. + type: array + items: + type: string + example: test.com + example: ["test.com"] + ip: + description: The IP address of the asset. + type: array + items: + type: string + example: "0.0.0.0" + example: ["0.0.0.0"] + mac: + description: The MAC address of the asset. + type: array + items: + type: string + example: "00:00:00:00:00:00" + example: ["00:00:00:00:00:00"] + nt_host: + description: The Windows NT host of the asset. + type: array + items: + type: string + example: test-host + example: ["test-host"] + pci_domain: + description: The domain for the asset that is related to PCI. 
+ type: array + items: + type: string + example: pci_domain_example + example: ["pci_domain_example"] + id: + description: The ID of the asset. + type: string + example: 67bd956379ba456e810415c0 + asset_tag: + description: The tags of the asset. + type: array + items: + type: string + example: "tag1" + example: [ "tag1", "tag2" ] + bunit: + description: The business unit of the asset. Parameter used to filter by dashboards in Splunk Enterprise Security. + type: array + items: + type: string + example: business_unit_example + example: [ "business_unit_example" ] + category: + description: A pipe-delimited list of logical classifications for assets. + type: array + items: + type: string + example: "category1" + example: [ "category1", "category2" ] + city: + description: The city in which the asset is located. + type: array + items: + type: string + example: "San Francisco" + example: ["San Francisco"] + country: + description: The country in which the asset is located. + type: array + items: + type: string + example: USA + example: ["USA"] + is_expected: + description: Parameter that indicates whether events from this asset are expected. If set to true, the Expected Host Not Reporting detection performs an adaptive response action when this asset stops reporting events. + type: array + items: + type: string + example: "true" + example: ["true"] + lat: + description: The latitude of the asset in decimal degrees, using +/- to indicate direction. + type: array + items: + type: string + example: "37.7749" + example: ["37.7749"] + long: + description: The longitude of the asset in decimal degrees, using +/- to indicate direction. + type: array + items: + type: string + example: "-122.4194" + example: ["-122.4194"] + owner: + description: The user or department associated with the device. 
+ type: array + items: + type: string + example: owner_example + example: ["owner_example"] + priority: + description: The priority assigned to the device ti calculate the **Urgency** field for findings on the analyst queue. An "unknown" priority reduces the assigned **Urgency** by default. + type: array + items: + type: string + example: high + example: ["high"] + requires_av: + description: Parameter that indicates whether this asset must have anti-virus software installed. + type: array + items: + type: string + example: "true" + example: ["true"] + should_timesync: + description: Parameter that indicates whether this asset must be monitored for time-sync events. If set to true, the Should Timesync Host Not Syncing detection performs an adaptive response action if this asset does not report any time-sync events from the past 24 hours. + type: array + items: + type: string + example: "true" + example: ["true"] + should_update: + description: Parameter indicates whether this asset must be monitored for system update events. + type: array + items: + type: string + example: "true" + example: ["true"] + _delete: + description: Parameter indicates whether this asset was deleted. + type: array + items: + type: string + example: "false" + example: ["false"] + cim_entity_zone: + description: Required parameter when entity zones are turned on. Lowercase word to use as a default zone name. Used when you have multiple private IP spaces. This parameter auto-populates in the cim_entity_zone fields if you do not specify your own values when formatting an asset or identity list as a lookup. 
+ type: array + items: + type: string + example: zone_example + example: ["zone_example"] + example: + { + "_last_updated": 1740477793.8923568726, + "_sources": ["canon_wdio_assets"], + "asset": ["192.168.0.1", "00:1A:2B:3C:4D:5E"], + "dns": ["test.com"], + "ip": ["0.0.0.0"], + "mac": ["00:00:00:00:00:00"], + "nt_host": ["test-host"], + "pci_domain": ["pci_domain_example"], + "id": "67bd956379ba456e810415c0", + "asset_tag": ["tag1", "tag2"], + "bunit": ["business_unit_example"], + "category": ["category1", "category2"], + "city": ["San Francisco"], + "country": ["USA"], + "is_expected": ["true"], + "lat": ["37.7749"], + "long": ["-122.4194"], + "owner": ["owner_example"], + "priority": ["high"], + "requires_av": ["true"], + "should_timesync": ["true"], + "should_update": ["true"], + "_delete": ["false"], + "cim_entity_zone": ["zone_example"], + "finding_ids": ["A265ED94-AE9E-428C-91D2-64BB956EB7CB@@notable@@62eaebb8c0dd2574fc0b3503a9586cd9"], + "finding_times": ["1676497520"] + } + FindingsGetResponse: + type: object + description: The response of the get findings api call. + required: ["_time"] + properties: + host: + description: The host name of the stack from which this finding was created. + type: string + example: .splunkcloud.com + source: + description: The detection that created this finding. + type: string + example: Risk - 24 Hour Risk Threshold + sourcetype: + description: The source type of the finding. + type: string + example: finding_sourcetype + detection_id: + description: The ID of the detection used to populate the finding. + type: string + example: 00000000-0000-0000-0000-000000000000 + disposition: + description: The disposition of the finding. + type: string + example: disposition:6 + disposition_default: + description: The flag to determine whether the disposition is the default disposition. + type: string + example: "true" + disposition_description: + description: The description for the disposition value. 
+ type: string + example: This disposition shows that there is a possibility for a false positive. + disposition_label: + description: The descriptive value for the disposition that is displayed on the Splunk Enterprise Security UI. + type: string + example: True Positive - Suspicious Activity + event_id: + description: The unique ID for this finding. + type: string + example: b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8 + notable_type: + description: The type of finding. + enum: [ + "notable", + "risk_event" + ] + type: string + example: notable + rule_title: + description: The rule title for this event. + type: string + example: 24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net + rule_description: + description: The description for the rule that was used to find and create the finding. + type: string + example: Risk Threshold Exceeded for an object over a 24 hour period + security_domain: + description: The security domain for the finding. + type: string + example: threat + risk_object: + description: The risk object for which this finding was created. + type: string + example: bad_user@splunk.com + risk_object_type: + description: The type of risk object from which this finding was created. + type: string + enum: [ + "system", + "user", + "other" + ] + example: user + risk_score: + description: The risk score assigned to this risk object. + type: string + example: "10.0" + search_name: + description: The search that was used to create this finding. + type: string + example: Risk - 24 Hour Risk Threshold Exceeded - Rule + severities: + description: A list of severity values for the finding. + type: array + items: + type: string + example: "medium" + example: ["medium"] + severity: + description: The level of severity for the finding. + type: string + example: medium + status: + description: The status of the finding. 
+ type: string + example: "1" + status_default: + description: The flag to determine whether this status is the default status set in the system configurations. + type: string + example: "true" + status_description: + description: The description for the status value. + type: string + example: Finding is recent and not reviewed. + status_label: + description: The descriptive label for the status value that is displayed on the Splunk Enterprise Security UI. + type: string + example: New + urgency: + description: The urgency value for the finding. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`. + type: string + example: informational + owner: + description: The owner of the finding. + type: string + example: splunk_user + _time: + description: The time when this finding was created. + type: string + example: "2025-02-25T14:27:28.000+00:00" + additionalProperties: true + example: + { + "host": "test.splunkcloud.com", + "source": "Risk - 24 Hour Risk Threshold", + "sourcetype": "finding_sourcetype", + "detection_id": "00000000-0000-0000-0000-000000000000", + "disposition": "disposition:6", + "disposition_default": "true", + "disposition_description": "This disposition shows that there is a possibility for a false positive.", + "disposition_label": "True Positive - Suspicious Activity", + "event_id": "b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8", + "notable_type": "notable", + "rule_title": "24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net", + "rule_description": "Risk Threshold Exceeded for an object over a 24 hour period", + "security_domain": "threat", + "risk_object": "bad_user@splunk.com", + "risk_object_type": "user", + "risk_score": "100", + "search_name": "Risk - 24 Hour Risk Threshold Exceeded - Rule", + "severity": "medium", + "status": "1", + "status_default": "true", + "status_description": "Finding is recent and not reviewed.", + "status_label": "New", + 
"urgency": "informational", + "owner": "splunk_user", + "_time": "2025-02-25T14:27:28.000+00:00" + } + CreateManualFindingRequest: + type: object + description: The request of the create manual finding api call. + required: + - rule_title + - rule_description + - security_domain + - risk_object + - risk_object_type + - risk_score + properties: + rule_title: + type: string + description: The rule title for the manual finding. + example: 24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net + rule_description: + type: string + description: The rule description for the manual finding. + example: Risk Threshold Exceeded for an object over a 24 hour period + security_domain: + type: string + description: The security domain for the manual finding to be created. + example: threat + risk_object: + type: string + description: The risk object for the manual finding to be created. + example: bad_user@splunk.com + risk_object_type: + type: string + description: The risk object type for the manual finding to be created. + example: user + risk_score: + type: number + description: The risk score for the manual finding to be created. + example: 100 + status: + type: string + description: The status id or status label of the manual finding to be created. + example: New + urgency: + type: string + description: The urgency id or urgency label of the manual finding to be created. + example: informational + owner: + type: string + description: The owner for the manual finding to be created. + example: splunk_user + disposition: + type: string + description: The disposition id or disposition label of the manual finding to be created. + example: disposition:6 + drilldown_searches: + type: array + description: The drilldown searches for the manual finding to be created. 
+ items: + $ref: '#/components/schemas/DrilldownSearch' + example: + [ + { + "name": "drilldown_name", + "search": "index=_internal", + "earliest": "-1d@h", + "latest": "$info_max_time$" + } + ] + annotations: + type: object + description: The annotations for the manual finding to be created. + additionalProperties: + type: array + items: + type: string + example: "T1078" + example: ["T1078", "T1537"] + example: + mitre_attack: ["T1078", "T1537"] + risk_event_count: + type: number + description: The risk event count for the manual finding to be created. + example: 5 + all_risk_objects: + type: array + description: The risk objects for the manual finding to be created. + items: + type: string + example: "bad_user@splunk.com" + example: ["bad_user@splunk.com", "bad_user2@splunk.com"] + source: + type: array + description: The sources for the manual finding to be created. + items: + type: string + example: "demo_identities" + example: ["source_1", "source_2"] + exclude_map_fields: + type: array + description: The fields to exclude from the automatic 'orig_' prefix mapping. When writing data to the notable index, the backend will append 'orig_' prefix to certain fields. For fields specified in the `exclude_map_fields`, the backend will not append this prefix. To see which fields will automatically get the prefix, check the `mapfields` parameter in the definition of the notable alert action. 
+ items: + type: string + example: "investigation_profiles" + example: ["investigation_profiles", "recommended_actions"] + example: + { + "rule_title": "24 hour risk threshold exceeded for user=evilsender@update.defenceonline.net", + "rule_description": "Risk Threshold Exceeded for an object over a 24 hour period", + "security_domain": "threat", + "risk_object": "bad_user@splunk.com", + "risk_object_type": "user", + "risk_score": 100, + "status": "New", + "urgency": "informational", + "owner": "splunk_user", + "disposition": "disposition:6", + "drilldown_searches": [ + { + "name": "drilldown_name", + "search": "index=_internal", + "earliest": "-1d@h", + "latest": "$info_max_time$" + } + ], + "exclude_map_fields": ["investigation_profiles", "recommended_actions"], + "risk_event_count": 5, + "annotations": {"mitre_attack": ["T1078", "T1537"]}, + "all_risk_objects": ["bad_user@splunk.com", "bad_user2@splunk.com"], + "sources": ["source_1", "source_2"] + } + CreateManualFindingResponse: + type: object + description: The response of the create manual finding api call. + required: ["_time", "finding_id"] + properties: + _time: + description: The time when this finding was created. + type: string + example: "2025-02-25T14:27:28.000+00:00" + finding_id: + description: The source_event_id of the finding event written to the index. + type: string + example: b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8 + risk_object: + description: The risk object for which this finding was created. + type: string + example: bad_user@splunk.com + risk_object_type: + description: The type of risk object from which this finding was created. + type: string + enum: [ + "system", + "user", + "other" + ] + example: user + risk_score: + description: The risk score assigned to this risk object. + type: string + example: "10.0" + creator: + description: The creator of this finding. 
+ type: string + example: splunk_user + status: + description: The status of the finding. + type: string + example: "1" + urgency: + description: The urgency value for the finding. Valid choices are `informational`, `low`, `medium`, `high`, `critical`, or `unknown`. + type: string + example: informational + disposition: + description: The disposition of the finding. + type: string + example: disposition:6 + info_max_time: + description: The maximum time of the finding. + type: string + example: "2025-02-25T14:27:28.000+00:00" + drilldown_searches: + type: array + description: The drilldown searches for the finding. + items: + $ref: '#/components/schemas/DrilldownSearch' + example: + [ + { + "name": "drilldown_name", + "search": "index=_internal", + "earliest": "-1d@h", + "latest": "$info_max_time$" + } + ] + example: + { + "_time": "2025-02-25T14:27:28.000+00:00", + "finding_id": "b8684eb9-059d-4d30-8613-f809395feda8@@notable@@b8684eb9059d4d308613f809395feda8", + "risk_object": "bad_user@splunk.com", + "risk_object_type": "user", + "risk_score": "100", + "search_name": "Risk - 24 Hour Risk Threshold Exceeded - Rule", + "severities": ["medium"], + "severity": "medium", + "status": "1", + "status_default": "true", + "status_description": "Finding is recent and not reviewed.", + "status_label": "New", + "urgency": "informational", + "owner": "splunk_user", + "drilldown_searches": [ + { + "name": "drilldown_name", + "search": "index=_internal", + "earliest": "-1d@h", + "latest": "$info_max_time$" + } + ] + } + DrilldownSearch: + type: object + description: The drilldown search for the manual finding to be created. 
+ required: + - name + - search + - earliest + - latest + properties: + name: + type: string + example: drilldown_name + search: + type: string + example: drilldown_search + earliest: + type: string + example: -1d@h + latest: + type: string + example: $info_max_time$ + example: + { + "name": "drilldown_name", + "search": "index=_internal", + "earliest": "-1d@h", + "latest": "$info_max_time$" + } + IdentityGetResponse: + description: The response of the get identity by id api call. + type: object + properties: + _last_updated: + type: number + description: The last time the identity was updated. + example: 1740591550.3531699181 + _sources: + description: The source of the identity. + type: array + items: + type: string + example: "demo_identities" + example: ["demo_identities"] + bunit: + description: The business unit of the asset. + type: array + items: + type: string + example: "americas" + example: ["americas"] + email: + description: The email address of an identity. + type: array + items: + type: string + format: email + example: "nhenderosn@acmetech.com" + example: ["nhenderosn@acmetech.com"] + first: + description: The first name of an identity. + type: array + items: + type: string + example: "nelson" + example: ["nelson"] + identity: + description: A pipe-delimited list of username strings representing the identity. + type: array + items: + type: string + example: "test@splunk.com" + example: ["test@splunk.com"] + identity_tag: + description: The tag of the identity. + type: array + items: + type: string + example: "americas" + example: ["americas"] + last: + description: The last name of an identity. + type: array + items: + type: string + example: "henderosn" + example: ["henderosn"] + phone: + description: A pipe delimited field for the telephone number of an identity. + type: array + items: + type: string + example: "+1 (800)555-6434" + example: ["+1 (800)555-6434"] + startDate: + description: The start or hire date of an identity. 
+ type: array + items: + type: string + example: "135953520" + example: ["135953520"] + work_city: + description: The primary work site city for an identity. + type: array + items: + type: string + example: "Vancouver" + example: ["Vancouver"] + work_country: + description: The primary work site country for an identity. + type: array + items: + type: string + example: "usa" + example: ["usa"] + work_lat: + description: The latitude of the primary work site city in decimal degrees, using +/- to indicate direction. + type: array + items: + type: string + example: "37.3382" + example: ["37.3382"] + work_long: + description: The longitude of the primary work site city in decimal degrees using +/- to indicate direction. + type: array + items: + type: string + example: "121.8863" + example: ["121.8863"] + id: + type: string + description: The ID of the identity. + example: "67bf51bed9f4fd2e56006989" + example: + { + "_last_updated": 1740591550.3531699181, + "_sources": ["demo_identities"], + "bunit": ["americas"], + "email": ["nhenderosn@acmetech.com"], + "first": ["nelson"], + "identity": ["test@splunk.com"], + "identity_tag": ["americas"], + "last": ["henderosn"], + "phone": ["+1 (800)555-6434"], + "startDate": ["135953520"], + "work_city": ["Vancouver"], + "work_country": ["usa"], + "work_lat": ["37.3382"], + "work_long": ["121.8863"], + "id": "67bf51bed9f4fd2e56006989" + } + RiskScoreUpdatePayload: + description: The request body for updating the risk score of a risk entity. + type: object + properties: + risk_modifier: + description: The risk score delta to be added to the risk entity. + type: number + example: 100 + entity_type: + type: string + description: The type of the risk entity. 
+ enum: ["user", "system", "hash_values", "host_artifacts", "tools", "others"] + example: "user" + example: + { + "risk_modifier": 100, + "entity_type": "user" + } + RiskScoreUpdateResponse: + type: object + description: The response body for updating the risk score of a risk entity. + properties: + message: + description: The message of the response. + type: string + example: The risk score of the 2.2.2.2 with type being user has been updated to 90. + example: + { + "message": "The risk score of the 2.2.2.2 with type being user has been updated to 90." + } + RiskScoreRetrieveResponse: + type: array + description: The response body for retrieving the risk scores for a risk entity. + items: + type: object + description: A risk score object. + required: ["entity", "risk_score", "entity_type"] + properties: + entity: + description: The entity value of the risk score. + type: string + example: "1.1.1.1" + risk_score: + description: The risk score for the entity value. + type: string + example: "500" + entity_type: + description: The entity type of the entity with this risk score. + type: string + example: "system" + example: {"entity": "1.1.1.1", "entity_type": "system", "risk_score": "100"} + example: [ + { + "entity": "1.1.1.1", + "entity_type": "system", + "risk_score": "100" + }, + { + "entity": "1.1.1.1", + "entity_type": "host_artifacts", + "risk_score": "200" + } + ] + RateLimitExceededResponse: + description: Splunk Enterprise Security Rate Limit Exception Response. + type: object + required: + - request_id + - code + - message + properties: + code: + description: The custom error code for the rate limit errors. + example: MC_0017 + request_id: + description: The request ID of the API call. + type: string + example: 74730fac-1d5c-4713-bef5-d30ed1c62188 + message: + description: The error message. 
+ type: string + example: 'User has exceeded the rate limits for this API: get_identity_by_id with limit 100' + example: + code: MC_0017 + request_id: 74730fac-1d5c-4713-bef5-d30ed1c62188 + message: 'User has exceeded the rate limits for this API: get_identity_by_id with limit 100' + + ErrorResponse: + description: Splunk Enterprise Security error response. + type: object + required: + - request_id + - code + properties: + code: + description: The HTTP error code. + type: string + example: MC_0100 + request_id: + description: The request ID of the API call. + type: string + example: 74730fac-1d5c-4713-bef5-d30ed1c62188 + message: + description: The error message. + type: string + example: Oops...something went wrong. + example: + code: MC_0100 + request_id: 74730fac-1d5c-4713-bef5-d30ed1c62188 + message: Oops...something went wrong. + 401ErrorResponse: + description: Unauthorized. + 403ErrorResponse: + description: Forbidden. + securitySchemes: + BearerAuth: + description: The Bearer auth token. + type: http + scheme: bearer + BasicAuth: + description: Basic auth + type: http + scheme: basic +security: + - BearerAuth: [] + - BasicAuth: [] diff --git a/response_templates/merged_response_templates/GenericIncidentResponse.json b/response_templates/merged_response_templates/GenericIncidentResponse.json new file mode 100644 index 0000000000..f5f4b5ba62 --- /dev/null +++ b/response_templates/merged_response_templates/GenericIncidentResponse.json 
@@ -0,0 +1 @@ +[{"id": "5d656a90-fe91-4c8f-8460-fa2599a17f75", "create_time": 1762280887.4139671, "update_time": 1762280887.4139671, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "2d4ceaab-2ab3-4e61-8997-2eec7b612c7b", "create_time": 1762280887.4145086, "update_time": 1762280887.414509, "name": "Detection", "order": 1, "tasks": [{"id": "8c73eaa4-8928-40de-8e3b-e130efc01bb8", "create_time": 1762280887.4141092, "update_time": 1762280887.41411, "name": "Report incident response execution", "order": 1, "tag": "e8d26ce8-a004-4621-8b40-0e95acd7638b", "description": "Alert appropriate parties that incident response is starting.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "feec4f53-67ef-405d-baf4-2c8a3ca8b486", "create_time": 1762280887.414233, "update_time": 1762280887.4142334, "name": "Document associated events", "order": 2, "tag": "afb0e39b-9bfe-4d02-a090-e3b9ca2386de", "description": "This is the escalation. Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "72a39d10-2941-4451-8973-7c82d9055cff", "create_time": 1762280887.4143443, "update_time": 1762280887.4143448, "name": "Document known attack surface and attacker information", "order": 3, "tag": "46211e09-e553-4c9f-a9a8-8383fec880a5", "description": "Rough triage of the situation. 
No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5ae0daa1-b86a-4a60-93a1-20c8b5d963c2", "create_time": 1762280887.4144528, "update_time": 1762280887.4144533, "name": "Assign roles", "order": 4, "tag": "e70408a7-3062-474a-aaf0-460402f16f29", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f546ee59-0988-4b55-8166-8cac2a64b76f", "create_time": 1762280887.41606, "update_time": 1762280887.4160604, "name": "Analysis", "order": 2, "tasks": [{"id": "a8acff10-07f5-49af-a103-ce864235994b", "create_time": 1762280887.414614, "update_time": 1762280887.4146142, "name": "Research intelligence resources", "order": 1, "tag": "c291654f-4616-4cde-afcb-5f7352d3fb6c", "description": "Find out if this attacker is a known agent and gather associated tactics, techniques, and procedures (TTP) used.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4d7b78f-1cd0-47c2-b0e3-40933395688a", "create_time": 1762280887.4147215, "update_time": 1762280887.414722, "name": "Research proxy logs", "order": 2, "tag": "0c56f2ef-fa23-48f6-abe8-7e42ae12716c", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"c5cee5b9-2ad7-4144-aa85-d746bae679ed", "create_time": 1762280887.41483, "update_time": 1762280887.4148307, "name": "Research firewall logs", "order": 3, "tag": "60405c0a-cbbf-4034-a4ec-d4f6f467b6e0", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92f68bd6-3b7d-4a58-ad55-4b3a36369526", "create_time": 1762280887.41496, "update_time": 1762280887.4149606, "name": "Research OS logs", "order": 4, "tag": "a8939de4-a990-4adf-83c6-d93f5b378ff1", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "61816baa-fc24-4f38-a6cd-7626561b48ff", "create_time": 1762280887.4152095, "update_time": 1762280887.41521, "name": "Research network logs", "order": 5, "tag": "027f7da1-76e1-4466-be1d-4b40771de133", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4811036e-781a-4885-bf38-32729a1a0ba1", "create_time": 1762280887.4153204, "update_time": 1762280887.4153206, "name": "Research endpoint protection logs", "order": 6, "tag": "afc28267-6231-4db6-a005-accabb008c7a", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"79900180-4caf-4d96-9290-968d9f5aec84", "create_time": 1762280887.4154315, "update_time": 1762280887.415432, "name": "Determine infection vector", "order": 7, "tag": "af4db0e8-d1ac-4d98-82ec-939fa5d47a0b", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "09087e70-fd26-4484-b92a-33c8728d8719", "create_time": 1762280887.415541, "update_time": 1762280887.4155414, "name": "Document all attack targets", "order": 8, "tag": "14552467-8504-4196-9c18-46c68995c590", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a9878c0-5626-4350-a0b6-cd5fef767dda", "create_time": 1762280887.4156528, "update_time": 1762280887.4156535, "name": "Document all attacker sources and TTP", "order": 9, "tag": "9a83e045-a686-423a-b80b-1c7906d8b7b0", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3986bf6d-fc23-4296-8dbe-d2b7117c9ec3", "create_time": 1762280887.4157624, "update_time": 1762280887.415763, "name": "Document infected devices", "order": 10, "tag": "5888de1b-61c8-4ea4-90d8-aeb01ec4682f", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "c7044f3e-f58b-4dcb-b1f2-c595a214ff9d", "create_time": 1762280887.4158719, "update_time": 1762280887.4158723, "name": "Determine full impact of attack", "order": 11, "tag": "b0cf76ae-1c67-4737-bf00-170971be80f3", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ca532eca-d263-4af9-9391-6d35b63c3627", "create_time": 1762280887.4160035, "update_time": 1762280887.4160042, "name": "Analyze malware samples", "order": 12, "tag": "e3b989b5-df17-4324-880d-10a5ac6c441d", "description": "Analyze discovered malware and document indicators of compromise (IOCs).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9bf6f73e-a5da-49ac-87a7-a2469155cf7b", "create_time": 1762280887.4164388, "update_time": 1762280887.4164393, "name": "Containment", "order": 3, "tasks": [{"id": "8bb468b3-8ac7-4e49-86d8-ca1513550c47", "create_time": 1762280887.4161665, "update_time": 1762280887.416167, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "28d74f7a-1aaf-4f44-8245-ed62a4720046", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d512b582-b030-486a-86b0-a8e656ea4542", "create_time": 1762280887.416276, "update_time": 1762280887.4162762, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": 
"18ed5b52-40e5-4dc7-b3c5-09c85a8a4cca", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "002fc36e-8a96-40c9-8a1d-b38d4f57b61b", "create_time": 1762280887.416384, "update_time": 1762280887.4163842, "name": "Contain incident", "order": 3, "tag": "a34be9ce-1ac5-4b35-9720-f3d50a33243b", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f9af170b-9aa7-4914-9e7c-59ba2128d1da", "create_time": 1762280887.41683, "update_time": 1762280887.4168303, "name": "Eradication", "order": 4, "tasks": [{"id": "16fd1501-b42b-440f-a2d2-54e698e12892", "create_time": 1762280887.4165573, "update_time": 1762280887.4165576, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "d9e85137-1503-4f1f-8765-c580516814cb", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e43e6862-a78b-4eef-b5b1-63782650ea28", "create_time": 1762280887.4166672, "update_time": 1762280887.4166675, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "b6ef4c01-da86-4383-80c2-bf565a7124e3", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3b9148a5-2780-4eb9-9e21-908163e62d7a", "create_time": 1762280887.4167752, "update_time": 1762280887.4167757, "name": "Repeat analysis and containment on any newly discovered 
infected hosts", "order": 3, "tag": "9f3c7353-cc4b-4e1f-8f89-ccd153468278", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d9ad55cf-ece3-4090-bf43-5ef24995a891", "create_time": 1762280887.4172246, "update_time": 1762280887.4172251, "name": "Recovery", "order": 5, "tasks": [{"id": "7f3ccff8-bd53-44b4-8ef3-cc333aa1c6e1", "create_time": 1762280887.4169493, "update_time": 1762280887.4169497, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "dec11e17-d2b6-41e4-8490-a500262e1991", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0209cfd0-91b3-4d4c-a8a6-266cf0a2302d", "create_time": 1762280887.4170604, "update_time": 1762280887.4170609, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "cb1b051b-25d0-4fd3-b4bb-85c16c19d55b", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f55fd9d7-8fd5-4920-90e5-34bc82625e80", "create_time": 1762280887.4171677, "update_time": 1762280887.417168, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "59e40624-72dd-498a-bd4c-297cace98c29", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], 
"searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ec68a4cd-daca-4bc0-848b-b586a070c8e4", "create_time": 1762280887.4176192, "update_time": 1762280887.4176197, "name": "Post", "order": 6, "tasks": [{"id": "f6565b96-cd55-4264-b509-908e52a29e3a", "create_time": 1762280887.4173315, "update_time": 1762280887.4173317, "name": "Schedule after-action review meeting", "order": 1, "tag": "515c3f1b-d0ee-4866-8980-7704cd34c6d7", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e5e2f646-64bb-4c59-b10d-c497625327fd", "create_time": 1762280887.4174387, "update_time": 1762280887.417439, "name": "Generate incident response action report", "order": 2, "tag": "00fe59eb-19cd-45dc-ac55-66dfd78e3dbd", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d74ad240-caa8-4c00-91ab-ab033e7f38a1", "create_time": 1762280887.4175637, "update_time": 1762280887.4175642, "name": "Report incident response complete", "order": 3, "tag": "f8bfdc47-6329-4465-a93f-47e6fbadd006", "description": "Alert appropriate parties that incident response is complete.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "7bd3e9e3-414a-4075-8846-8573bc637192", "active": true, "used": false, "_user": "nobody", "_key": "5d656a90-fe91-4c8f-8460-fa2599a17f75"}] \ No newline at end of file 
diff --git a/response_templates/merged_response_templates/SuspiciousEmail.json b/response_templates/merged_response_templates/SuspiciousEmail.json new file mode 100644 index 0000000000..dad0a9faf9 --- /dev/null +++ b/response_templates/merged_response_templates/SuspiciousEmail.json 
@@ -0,0 +1 @@ +[{"id": "1e541fb9-a309-45f6-8593-7e6e68d934b4", "create_time": 1762280887.1842365, "update_time": 1762280887.1842365, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "4b401ecf-a89f-463d-928d-4226f8039bdb", "create_time": 1762280887.184704, "update_time": 1762280887.1847045, "name": "Ingestion", "order": 1, "tasks": [{"id": "ee54e4eb-e532-4a92-a81e-b398920e48d9", "create_time": 1762280887.1843824, "update_time": 1762280887.184383, "name": "Create ticket", "order": 1, "tag": "fb454299-42f6-4bf2-9cbc-3d48c213dbe2", "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. 
As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4d5b3e5f-26fa-4fc8-a9db-c403132fddbd", "create_time": 1762280887.1845334, "update_time": 1762280887.1845338, "name": "Ingest email", "order": 2, "tag": "3bebd6f0-e226-4f1e-92b5-ae11273fb627", "description": "Identify and ingest the suspicious email into Splunk Mission Control. Actual steps vary depending on how you create the Splunk Mission Control notable and where the suspicious email resides. For example, if you had a Splunk Enterprise Security correlation search running to identify suspicious emails, and forward those notable events to Splunk Mission Control as notables, you have many of the useful artifacts needed to investigate the email. If you need additional metadata, you can run the \"get email\" action to retrieve it, or the \"extract email\" action to add the email to Splunk Mission Control if it is in the .msg or .eml format. 
Or for example, if you send suspicious emails to a dedicated email address for suspected phishing attempts, you can use a connector such as IMAP, EWS for Exchange, EWS for OFfice, or GSuite for GMail to poll that inbox directly and send the suspicious email to Splunk Mission Control as a notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e0c57817-caed-4f30-9123-24ea2768b208", "create_time": 1762280887.1846468, "update_time": 1762280887.1846473, "name": "Extract actionable metadata and files", "order": 3, "tag": "160eb657-d056-4b16-9ed5-1742364948b3", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f5991490-8540-4566-b7cc-6d88ad5b87cc", "create_time": 1762280887.1854346, "update_time": 1762280887.185435, "name": "External Investigation", "order": 2, "tasks": [{"id": "44bdcadb-2a0e-4b00-b4e8-5546e7ec0cc2", "create_time": 1762280887.1848118, "update_time": 1762280887.184812, "name": "Investigate URLs", "order": 1, "tag": "e0ea0bb0-f087-4d81-b2a7-a9899d287bda", "description": "Perhaps the most common email attack vector is a clickable link that brings a user to a malicious website. The malicious website might collect credentials or other confidential information, attempt to exploit the user's browser, lead the user to download a malicious file, or gather preliminary fingerprint information about the user to inform further operations. Investigate all URLs contained in the suspicious email using a mix of automated and manual techniques. Query threat intelligence services and other sources of reputation information to see if the URLs are linked to known malicious activity. Check the categorization of the URLs and their popularity using services such as Censys or Alexa. Determine whether the URL is spoofing a brand using a similar spelling, a unicode substitution, or an out-of-order domain name. Also consider using a less passive technique that analyzes the current state of the URL, such as a sandboxed URL detonation, a website scanning tool such as urlscan.io or SSL Labs, a manual inspection from a sandboxed environment, or a website screenshot engine such as Screenshot Machine. 
Consider that targeted attacks might only reveal the malicious behavior of a website if the user agent and/or the source address of the request matches the target environment. The output of this task might be more linked URLs, the domain names of the underlying servers responding to the request, other domain names used by the website, IP addresses, or downloadable files. All of the above should be passed on to further investigative tasks if needed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "008e7332-8c23-4b8b-961b-de2a5bee1811", "create_time": 1762280887.1849227, "update_time": 1762280887.184923, "name": "Investigate file attachments", "order": 2, "tag": "b4379132-c701-4bcc-80f0-b7a19f8b854a", "description": "Another common email attack vector is a malicious file attachment. Any file could be malicious, but most attacks involve executables, scripts, or documents. Investigate these files using either a whole copy of the file or the file hash. Query threat intelligence and reputation databases using the hash to see if the file has been seen before, to see if there is suspicious activity associated with the file, and to learn more about the file's behavior. Query for previous analyses or submit the file for examination in a dynamic or static tool to check for potentially malicious behaviors or properties. 
Actions used for this task might extract associated URLs, domain names, IP addresses, or secondary file hashes which can be explored further in other tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf94fe65-6dce-40d0-87bf-35c57eb93506", "create_time": 1762280887.1850498, "update_time": 1762280887.1850502, "name": "Investigate email addresses and headers", "order": 3, "tag": "4695b6fb-a152-4585-b44c-4b8d95055a25", "description": "The source email address and other headers contain a wide variety of information about the source environment of the email and the infrastructure used to send and receive it. Use a mix of automated and manual analysis to determine where the email came from and whether it uses headers in a suspicious way. Query threat intelligence and reputation databases using the \"From\", \"Sender\", and \"Reply-to\" addresses, as well as any other email addresses in the other header fields. Compare the display names of these fields to the actual values to see if misleading names are used. Check if the servers that received the email marked it with the appropriate authentication results for SPF, DKIM, and/or DMARC. If needed use Microsoft Message Header Analyzer, MxToolbox, or other tools to interpret the remaining headers. 
Outputs of this task such as domain names and IP addresses can be passed on to further tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "46a2ebf5-94e6-4d12-8495-fcdc7969957d", "create_time": 1762280887.1851606, "update_time": 1762280887.185161, "name": "Investigate domains", "order": 4, "tag": "cef512e6-19b6-4887-8ce0-124d69a7fde4", "description": "At this point domain names from various sources should be collected in the notable, including email sending and receiving servers, web servers from URLs in the email, domains associated to other indicators in threat intelligence databases, and domains contained in the file attachment or detected by the detonation of the file attachment. Check each of these against threat intelligence and reputation databases, passive DNS trackers, whois services, and other information services. Look for known malicious or unknown domains, focusing more on those associated to clickable URLs and file attachments. Evaluate what services are running on each suspicious domain using a scanning service such as Censys or Shodan. Check the TLS certificate (if applicable), website categorization, popularity, and any other available information. Compare this information to the expected outcome given the alleged context of the email. For unknown domains, consider the domain history, the hosting provider, and whether the domain name appears to have been dynamically generated. 
IP addresses currently and previously associated with the domain should be further processed elsewhere in your investigation.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6801061-372c-4e0e-9bab-009e78ea8d59", "create_time": 1762280887.1852703, "update_time": 1762280887.1852708, "name": "Investigate IP addresses", "order": 5, "tag": "6e0691b6-82b2-442c-88f8-da26f59eb8b3", "description": "IP addresses may be involved in this investigation for several reasons. Some email headers can contain IP addresses (such as X-Originating-IP), URLs can contain IP addresses instead of hostnames, file attachments can contain IP addresses or generate IP addresses and try to connect to them (like domain generation algorithms), and IP addresses can be added to the notable through association or domain name resolution in other tasks within this investigation. Consider IP addresses in URLs that are not internal IP addresses for the organization highly suspicious. Investigate all suspicious IP addresses by checking the reputation, geolocation, whois record, DNS history, and by gathering information from other available services.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ccae86ab-acd7-48bd-acf8-e823b3894fe6", "create_time": 1762280887.1853795, "update_time": 1762280887.1853797, "name": "Investigate email subject and body", "order": 6, "tag": "21c70d94-3a33-4295-8711-a272b31940d1", "description": "The subject and body of an email can be malicious without containing a single URL or file attachment. 
Examples include emails that ask the receiver to reply with confidential information, contain instructions to do insecure things, manipulate automated systems that are parsing the email, or prime the receiver for other interactions. Malicious emails often use current events such as tax season, a hurricane, or other publicly available information to establish a sense of trust or an illusion of urgency. Social engineering is perhaps the hardest technique to detect in an automated fashion, often requiring manual investigation. Consider the context of the message, the intended recipient, and the identity of the sender or alleged sender. It might be necessary to ask the recipient user if they think the email is legitimate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4ee204f8-d5e9-4158-9f5f-3d898dcfd32a", "create_time": 1762280887.1859224, "update_time": 1762280887.1859229, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "605d29ce-9d16-4882-ba5b-2811f6bf4efc", "create_time": 1762280887.1855412, "update_time": 1762280887.1855416, "name": "Hunt email activity", "order": 1, "tag": "efae43b9-0c49-41b5-bb71-687f359ff73f", "description": "Find other similar emails sent into the organization based on the sender address, sender domain, subject, embedded URLs, file attachments, or other similar attributes shared across multiple emails. If possible determine which emails were opened, forwarded, deleted, marked as spam, or reported as potential phishing. Consider which types of users are targeted and why. 
Also check whether internal users replied to the emails and what information was contained in the replies.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8dab7fc-c86f-43a0-be73-80ba587c8bdb", "create_time": 1762280887.1856506, "update_time": 1762280887.1856513, "name": "Hunt network activity", "order": 2, "tag": "c90df879-0c52-487c-9dd7-be88e7900c9c", "description": "Based on previously collected information, try to determine whether or not URLs in the email were clicked, phishing websites were visited, or other suspicious network connections were made from the computers of users who opened the email. This can be done using many types of network monitoring, including netflow, full packet capture, DNS logging, and/or endpoint monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a26c5093-d4e3-4b3a-8173-cfa05701ec2c", "create_time": 1762280887.1857598, "update_time": 1762280887.1857603, "name": "Hunt file executions", "order": 3, "tag": "a644ccc1-8034-4299-97c8-506179a3402e", "description": "If the email included a file attachment, try to determine which users downloaded the attachment and which users executed it or opened it in some other way. Use the file hash of the attachment to search across endpoint monitoring or network monitoring solutions for the transmission and/or execution of the file. If executions are detected, try to determine the behavior of the created process. 
If a potentially malicious document or other file type was opened, try to determine which application opened it and whether the file exploited or abused the opening application.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "48be613f-36ae-42ab-bd35-e4ec600c3c95", "create_time": 1762280887.1858678, "update_time": 1762280887.185868, "name": "Hunt user activity", "order": 4, "tag": "e541c4de-a76f-4917-b8ba-960a16653fc5", "description": "If a phishing attempt or other user account compromise attempt is suspected, investigate how the credentials or account access are being used. Enumerate resources available to the account and search the access logs for those resources, looking for anomalous usage patterns.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d7b7765f-e5b3-4122-8791-f6274f6ba85e", "create_time": 1762280887.186552, "update_time": 1762280887.1865525, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "90905d2d-4247-462b-843a-d9f4fd9ec717", "create_time": 1762280887.186041, "update_time": 1762280887.1860416, "name": "Block or monitor email activity", "order": 1, "tag": "42060fc0-5ae2-4f15-a7f4-6bf4ed364733", "description": "If specific malicious emails have been identified, delete them from any mailboxes in which they still pose a threat. Similarly, if a sender address or an entire sender domain is found to be malicious, block inbound email from that source. 
Set filtering rules to block inbound email or increase monitoring of email based on other detected characteristics of an email campaign or malicious technique.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0066f95-2fe4-4d25-ae51-cbc559e0cc8a", "create_time": 1762280887.1861491, "update_time": 1762280887.1861496, "name": "Block or monitor network activity", "order": 2, "tag": "1081b34c-8234-411b-b1ec-ed0205fa4eb8", "description": "Based on gathered indicators and metadata, block or increase monitoring of malicious network connections associated with the suspicious email. Prevent other receivers of similar phishing emails from accessing the clickable URL by blocking that URL itself, the underlying domain name, and/or the underlying IP addresses. If malware or unwanted software was detected, block outbound connections known to be associated with that malware based on threat intelligence or dynamic analysis. If the threat is severe enough, consider isolating entire portions of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f8575450-6ad7-4880-ae94-1792d9cc8906", "create_time": 1762280887.1862686, "update_time": 1762280887.1862693, "name": "Block or monitor file executions", "order": 3, "tag": "872a713a-a687-404f-8e12-c432c99938ab", "description": "Based on gathered indicators and metadata, block or increase monitoring of endpoint activity caused by the suspicious email. 
This could mean blocking the hash of the file attachment, blocking the hash of a file downloaded from a URL in an email, blocking a malicious hash associated with the email by threat intelligence, or blocking secondary executions such as dropped stages of malware identified from dynamic analysis.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d102f2c9-b977-4016-af6a-605da7a1626b", "create_time": 1762280887.1863873, "update_time": 1762280887.1863878, "name": "Contain endpoints", "order": 4, "tag": "07490733-2250-4a3e-8ba9-9107abdfa10e", "description": "If an endpoint compromise is suspected, it might be necessary to quarantine or otherwise contain that endpoint until further investigation and remediation can be done. Consider the criticality of the system and the likelihood of a compromise. In other cases, simply increasing the monitoring or scanning for more information can be prudent.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "85721cac-d2d0-4a9f-90fc-1969fb38a3b4", "create_time": 1762280887.1864965, "update_time": 1762280887.186497, "name": "Contain user accounts", "order": 5, "tag": "ae12b741-8e83-4e23-9e8c-7f461f9c891a", "description": "If a user account compromise is suspected, it might be necessary to reset the credentials, reduce the account privileges, or disable the account until further investigation is completed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "3ea7502b-d251-4562-a489-4bec4c16300d", "create_time": 1762280887.1868212, "update_time": 
1762280887.1868217, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "00adbace-3659-4464-a606-85658daf13e5", "create_time": 1762280887.186658, "update_time": 1762280887.1866581, "name": "Analyze network activity", "order": 1, "tag": "6790fca4-5cf6-40bf-b425-2e9c547acb0b", "description": "Perform any resource-intensive analysis of network activity left over from the External Investigation and Internal Hunting phases. This might mean full packet capture collection and analysis, sandbox detonation of URLs, long-running queries of network history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c9917bdc-f49f-40a3-a297-82843edcc56c", "create_time": 1762280887.1867664, "update_time": 1762280887.1867669, "name": "Analyze endpoint activity", "order": 2, "tag": "c0e4e6fc-d6a3-48a3-80ad-17e6f3d29abd", "description": "Conduct deeper analysis on remaining malware and endpoint investigation tasks not finished in the External Investigation and Internal Hunting phases. 
This might mean sandbox detonation of files, forensic analysis of associated devices or memory dumps, reverse engineering of suspected malware, long-running queries of endpoint activity history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ee783e2b-62ce-4dfa-a8ac-dfd38e3336a9", "create_time": 1762280887.1876307, "update_time": 1762280887.1876311, "name": "Notification", "order": 6, "tasks": [{"id": "25cb7e69-be9d-4faf-9e4a-088b42b4788e", "create_time": 1762280887.1869273, "update_time": 1762280887.1869276, "name": "Update tickets", "order": 1, "tag": "d1644224-bfe8-4710-be7a-42b83746e870", "description": "Make sure that all the necessary outputs and status updates from the previous phases and tasks are documented in the appropriate system of record. Summarize the current state of the investigation and any remaining tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fd8e6a70-6f3b-4f12-a3d9-ced01a867591", "create_time": 1762280887.187141, "update_time": 1762280887.1871414, "name": "Notify system owners", "order": 2, "tag": "f375634e-8725-45b0-953f-913af5792047", "description": "For any systems that have been changed or need to be changed, notify the necessary system owners so the appropriate change management procedures can be followed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6df9bdea-2fdc-469e-b3de-298bac097739", "create_time": 1762280887.1872501, "update_time": 1762280887.1872506, "name": 
"Notify regulatory compliance team", "order": 3, "tag": "ae1e0019-56dc-4782-9efd-fad66ee54734", "description": "If appropriate, notify the regulatory compliance team to support them as they report this incident to the correct regulatory or accrediting organizations.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ca7c9e3-547b-4e44-aacb-9f8a23665d3d", "create_time": 1762280887.1873586, "update_time": 1762280887.187359, "name": "Assign additional tasks", "order": 4, "tag": "def2f366-4f31-4b7a-ba01-0fecd5bc1c9e", "description": "Create tickets to track any follow-on tasks that came out of this investigation. Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4de9d9be-e269-4d03-9fe4-0496b933abe4", "create_time": 1762280887.1874657, "update_time": 1762280887.187466, "name": "Educate users", "order": 5, "tag": "94435be3-c9bb-4cb0-a298-adad4c5e685a", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3e0fb677-9a5d-48a1-a0b8-3b1b92d05efa", "create_time": 1762280887.1875756, "update_time": 1762280887.1875758, "name": "Share threat intelligence", "order": 6, "tag": 
"b6e77ae5-bd3b-4809-af51-3cc9d2ee35a8", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "a819ee87-e98f-4108-9554-7c167bdfeb79", "active": true, "used": false, "_user": "nobody", "_key": "1e541fb9-a309-45f6-8593-7e6e68d934b4"}] \ No newline at end of file diff --git a/response_templates/merged_response_templates/TestMultiVersion.json b/response_templates/merged_response_templates/TestMultiVersion.json new file mode 100644 index 0000000000..3fb54f5984 --- /dev/null +++ b/response_templates/merged_response_templates/TestMultiVersion.json 
@@ -0,0 +1 @@ +[{"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292294.8144422, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 4, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292292.855246, "update_time": 1762292294.7901058, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292294.790007, "name": "Test%20Task", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"}, {"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292328.3112774, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 5, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292328.2866068, "update_time": 1762292328.2866073, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292328.2865093, "name": "Test%20Task%20V3", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": 
"ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"}] \ No newline at end of file diff --git a/response_templates/merged_response_templates/manifest.json b/response_templates/merged_response_templates/manifest.json new file mode 100644 index 0000000000..43cbf56a7c --- /dev/null +++ b/response_templates/merged_response_templates/manifest.json @@ -0,0 +1 @@ +{"response_templates": [{"name": "TestMultiVersion", "versions": [{"version": 4, "update_time": 1762292294.8144422}, {"version": 5, "update_time": 1762292328.3112774}], "link": "https://securitycontent.scs.splunk.com/response_templates/TestMultiVersion.json"}, {"name": "SuspiciousEmail", "versions": [{"version": 1, "update_time": 1762280887.1842365}], "link": "https://securitycontent.scs.splunk.com/response_templates/SuspiciousEmail.json"}, {"name": "GenericIncidentResponse", "versions": [{"version": 1, "update_time": 1762280887.4139671}], "link": "https://securitycontent.scs.splunk.com/response_templates/GenericIncidentResponse.json"}]} \ No newline at end of file diff --git a/response_templates/response_plan_manifest_test.json b/response_templates/response_plan_manifest_test.json deleted file mode 100644 index 9459c6c86d..0000000000 --- a/response_templates/response_plan_manifest_test.json +++ /dev/null @@ -1 +0,0 @@ -{"response_templates": [{"name": "customer-journey-response-plan-maesasvgzj", "versions": [{"version": 3, "update_time": 1761838294.8002563}, {"version": 2, "update_time": 1761838294.8002563}], "link": "https://securitycontent.scs.splunk.com/response_templates/customer-journey-response-plan-maesasvgzj.json"}]} \ No newline at end of file diff --git a/response_templates/template_script.py b/response_templates/template_script.py new file mode 100644 index 0000000000..9362c92a0b --- /dev/null +++ b/response_templates/template_script.py 
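Review bot: The `name` fields in this fixture are stored percent-encoded (`"Test%20Multi%20Version"`, `"Test%20Phase"`, `"Test%20Task%20V3"`), which is a transport encoding rather than the value itself; the other merged templates in this commit use plain names, so the export that produced this file should decode them before they are committed. The `manifest.json` hunk in the same commit lists this fixture, created by `zen_admin` with `is_default: false`, alongside the Splunk-authored templates under the public `https://securitycontent.scs.splunk.com/response_templates/` prefix; if it is only a multi-version smoke test it presumably should be excluded from the published manifest, or at least be clearly marked as a test in its `description`. Both elements of the array carry the same `id`, `_key` and `template_id` and differ only in `version`, so consumers must select by `version` rather than treating `id` as unique — worth documenting next to the merge script that produces these files.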
@@ -0,0 +1,105 @@ +import argparse +import collections +import json +from pathlib import Path + +def generate_manifest(directory, prefix, output_dir): + # Code to generate the manifest file + + response_templates = [] + res = { + "response_templates": response_templates + } + try: + template_mapping = _get_template_mapping(directory) + for template_name, template_list in template_mapping.items(): + out_template_name = f"{template_name}.json" + + templates_version= [] + for _, file in template_list: + with open(file, 'r') as in_file: + content = in_file.read() + curr_template = json.loads(content) + version = curr_template.get("version", "1.0") + update_time = curr_template.get("update_time") + curr_metadata = { + "version": version, + "update_time": update_time, + } + templates_version.append(curr_metadata) + response_templates.append({ + "name": template_name, + "versions": templates_version, + "link": f"{prefix}{out_template_name}" + }) + + with open(Path(output_dir) / "manifest.json", 'w') as out_file: + out_file.write(json.dumps(res)) + + except Exception as e: + print(f"Error during merging files: {e}") + raise + + +def _get_template_mapping(directory): + path = Path(directory) + if not path.exists() or not path.is_dir(): + raise ValueError(f"The directory {directory} does not exist or is not a directory.") + + files = [f for f in path.iterdir() if f.is_file()] + if not files: + raise ValueError(f"No files found in the directory {directory} to merge.") + + template_to_file_mapping = collections.defaultdict(list) + + for file in files: + file_name_no_ext= file.name.replace(".json", "") + name_split = file_name_no_ext.rsplit("_v", 1) + if len(name_split) != 2: + print(f"Skipping file {file.name}: does not match expected pattern '_v'") + continue + template_name = name_split[0] + version = name_split[1] + + template_to_file_mapping[template_name].append((version, file)) + + return template_to_file_mapping + +def merge_files(directory, output_dir): + try: + 
template_mapping = _get_template_mapping(directory)
+ for template_name, template_list in template_mapping.items():
+ out_template_name = f"{template_name}.json"
+
+ templates = []
+ for _, file in template_list:
+ with open(file, 'r') as in_file:
+ content = in_file.read()
+ templates.append(json.loads(content))
+
+ with open(Path(output_dir) / out_template_name, 'w') as out_file:
+ out_file.write(json.dumps(templates))
+ except Exception as e:
+ print(f"Error during merging files: {e}")
+ raise
+
+def main():
+ parser = argparse.ArgumentParser(description="Response template file merger and manifest generator")
+
+ parser.add_argument('-m', '--manifest', help='Generate a manifest file', action='store_true')
+ parser.add_argument('-d', '--directory', help='Directory containing response template files', required=True)
+ parser.add_argument('-o', '--output', help='Output directory for merged templates', default='output')
+ parser.add_argument('-p', '--prefix', help='SCS prefix', default='https://securitycontent.scs.splunk.com/response_templates/')
+
+ args = parser.parse_args()
+
+ output_path = Path(args.output)
+ output_path.mkdir(parents=True, exist_ok=True)
+
+ merge_files(args.directory, args.output)
+
+ if args.manifest:
+ generate_manifest(args.directory, args.prefix, args.output)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/response_templates/validate_response_templates.py b/response_templates/validate_response_templates.py
new file mode 100644
index 0000000000..3388208007
--- /dev/null
+++ b/response_templates/validate_response_templates.py
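Review bot: The `versions` list written to manifest.json by generate_manifest, and the entry order inside each merged file written by merge_files, follow `path.iterdir()` order, which is filesystem-dependent, so the same source tree can publish differently ordered manifests on different runners; sort each `template_list` by version before iterating. The version that _get_template_mapping parses from the `_v` filename suffix is then discarded and the manifest takes `curr_template.get("version", "1.0")` instead, which yields the string "1.0" for a template missing the key while the committed manifests carry integers, so comparing the two and failing on mismatch would keep filename and content consistent. `file.name.replace(".json", "")` also accepts any file containing `_v` regardless of extension and strips `.json` anywhere in the name; `file.suffix == ".json"` plus `file.stem` is the intended check. A sketch of generate_manifest's inner loop with these changes follows.
```python
def _version_key(version):
    # Order numerically where possible so "10" sorts after "9"; fall back to string order.
    try:
        return (0, int(version))
    except (TypeError, ValueError):
        return (1, str(version))


# … unchanged: generate_manifest setup and outer loop …
            templates_version = []
            for file_version, file in sorted(template_list, key=lambda t: _version_key(t[0])):
                with open(file, 'r') as in_file:
                    curr_template = json.load(in_file)
                version = curr_template.get("version")
                # The filename suffix and the content must agree, or the manifest would advertise
                # a version that the merged file does not actually contain.
                if version is None or str(version) != file_version:
                    raise ValueError(
                        f"{file.name}: content version {version!r} does not match "
                        f"the '_v{file_version}' filename suffix"
                    )
                templates_version.append({
                    "version": version,
                    "update_time": curr_template.get("update_time"),
                })
            # … unchanged: response_templates.append and manifest write …
```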
@@ -0,0 +1,237 @@
+#!/usr/bin/env python3
+"""
+Validate response_templates JSON files against the ResponseTemplate schema
+defined in mcopenapi_public.yaml
+"""
+import argparse
+import json
+import sys
+from pathlib import Path
+from typing import Dict, List, Any, Tuple
+
+import yaml
+from jsonschema import validate, ValidationError, Draft7Validator
+
+
+def load_openapi_schema(yaml_path: Path, schema_name: str = 'ResponseTemplate') -> Dict[str, Any]:
+ """Load the OpenAPI YAML file and extract the specified schema."""
+ with open(yaml_path, 'r') as f:
+ openapi_spec = yaml.safe_load(f)
+
+ # Extract the specified schema
+ target_schema = openapi_spec['components']['schemas'][schema_name]
+
+ # Resolve references to other schemas
+ schemas = openapi_spec['components']['schemas']
+
+ # We need to build a complete schema by resolving $ref
+ def resolve_refs(schema_obj: Any, schemas_dict: Dict) -> Any:
+ """Recursively resolve $ref in schema objects."""
+ if isinstance(schema_obj, dict):
+ if '$ref' in schema_obj:
+ # Extract schema name from reference like "#/components/schemas/ResponseTemplatePhase"
+ ref_path = schema_obj['$ref'].split('/')[-1]
+ return resolve_refs(schemas_dict.get(ref_path, {}), schemas_dict)
+ else:
+ return {k: resolve_refs(v, schemas_dict) for k, v in schema_obj.items()}
+ elif isinstance(schema_obj, list):
+ return [resolve_refs(item, schemas_dict) for item in schema_obj]
+ else:
+ return schema_obj
+
+ resolved_schema = resolve_refs(target_schema, schemas)
+
+ # Add JSON Schema draft version
+ resolved_schema['$schema'] = 'http://json-schema.org/draft-07/schema#'
+
+ return resolved_schema
+
+
+def validate_json_file(json_path: Path, schema: Dict[str, Any]) -> Tuple[bool, str]:
+ """
+ Validate a JSON file against the provided schema. 
+ Returns (is_valid, error_message)
+ """
+ try:
+ with open(json_path, 'r') as f:
+ json_data = json.load(f)
+
+ # Validate against schema
+ validator = Draft7Validator(schema)
+ errors = sorted(validator.iter_errors(json_data), key=lambda e: e.path)
+
+ if errors:
+ error_messages = []
+ for error in errors:
+ path = '.'.join(str(p) for p in error.path)
+ error_messages.append(f" - Path '{path}': {error.message}")
+ return False, '\n'.join(error_messages)
+
+ return True, "Valid"
+
+ except json.JSONDecodeError as e:
+ return False, f"JSON parsing error: {e}"
+ except Exception as e:
+ return False, f"Unexpected error: {e}"
+
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="Validate response_templates JSON files against the ResponseTemplate schema"
+ )
+ parser.add_argument(
+ '-d', '--directory',
+ type=str,
+ default='.',
+ help='Directory containing response template JSON files'
+ )
+ parser.add_argument(
+ '-s', '--schema',
+ type=str,
+ default='mcopenapi_public.yaml',
+ help='Path to the OpenAPI YAML schema file'
+ )
+ parser.add_argument(
+ '-m', '--manifest',
+ type=str,
+ help='Path to manifest.json file to validate against ResponseTemplateManifest schema'
+ )
+ parser.add_argument(
+ '--merged-dir',
+ type=str,
+ help='Directory containing merged response template JSON files to validate against ResponseTemplateMerged schema'
+ )
+
+ args = parser.parse_args()
+
+ # Resolve paths
+ schema_path = Path(args.schema)
+ templates_dir = Path(args.directory)
+
+ if not schema_path.exists():
+ print(f"❌ Error: Schema file not found: {schema_path}")
+ sys.exit(1)
+
+ if not templates_dir.exists():
+ print(f"❌ Error: Templates directory not found: {templates_dir}")
+ sys.exit(1)
+
+ validation_results = []
+
+ # Validate manifest if provided
+ if args.manifest:
+ manifest_path = Path(args.manifest)
+ if not manifest_path.exists():
+ print(f"❌ Error: Manifest file not found: {manifest_path}")
+ sys.exit(1)
+
+ print(f"📋 Loading 
ResponseTemplateManifest schema from {schema_path}")
+ try:
+ manifest_schema = load_openapi_schema(schema_path, 'ResponseTemplateManifest')
+ print(f"✅ Manifest schema loaded successfully")
+ except Exception as e:
+ print(f"❌ Error loading manifest schema: {e}")
+ sys.exit(1)
+
+ print(f"\n🔍 Validating manifest file: {manifest_path.name}\n")
+ print(f"Validating {manifest_path.name}...", end=" ")
+ is_valid, message = validate_json_file(manifest_path, manifest_schema)
+ validation_results.append((manifest_path.name, is_valid, message))
+
+ if is_valid:
+ print("✅")
+ else:
+ print("❌")
+ print(message)
+
+ # Validate merged response templates if provided
+ if args.merged_dir:
+ merged_dir = Path(args.merged_dir)
+ if not merged_dir.exists():
+ print(f"❌ Error: Merged templates directory not found: {merged_dir}")
+ sys.exit(1)
+
+ print(f"\n📋 Loading ResponseTemplateMerged schema from {schema_path}")
+ try:
+ merged_schema = load_openapi_schema(schema_path, 'ResponseTemplateMerged')
+ print(f"✅ ResponseTemplateMerged schema loaded successfully")
+ except Exception as e:
+ print(f"❌ Error loading merged schema: {e}")
+ sys.exit(1)
+
+ # Find all JSON files in merged directory (excluding manifest.json)
+ merged_files = [f for f in merged_dir.glob('*.json')
+ if f.name != 'manifest.json']
+
+ if merged_files:
+ print(f"\n🔍 Found {len(merged_files)} merged response template file(s) to validate\n")
+
+ for json_file in sorted(merged_files):
+ print(f"Validating {json_file.name}...", end=" ")
+ is_valid, message = validate_json_file(json_file, merged_schema)
+ validation_results.append((json_file.name, is_valid, message))
+
+ if is_valid:
+ print("✅")
+ else:
+ print("❌")
+ print(message)
+ else:
+ print(f"⚠️ No merged template JSON files found in {merged_dir}")
+
+ # Load ResponseTemplate schema
+ print(f"\n📋 Loading ResponseTemplate schema from {schema_path}")
+ try:
+ schema = load_openapi_schema(schema_path, 'ResponseTemplate')
+ print(f"✅ ResponseTemplate schema 
loaded successfully")
+ except Exception as e:
+ print(f"❌ Error loading schema: {e}")
+ sys.exit(1)
+
+ # Find all JSON files (excluding manifest if it's in the same directory)
+ json_files = [f for f in templates_dir.glob('*.json')
+ if not (args.manifest and f.name == Path(args.manifest).name)]
+
+ if not json_files:
+ if not args.manifest:
+ print(f"⚠️ No JSON files found in {templates_dir}")
+ sys.exit(0)
+ else:
+ print(f"\n🔍 Found {len(json_files)} response template file(s) to validate\n")
+
+ # Validate each file
+ for json_file in sorted(json_files):
+ print(f"Validating {json_file.name}...", end=" ")
+ is_valid, message = validate_json_file(json_file, schema)
+ validation_results.append((json_file.name, is_valid, message))
+
+ if is_valid:
+ print("✅")
+ else:
+ print("❌")
+ print(message)
+
+ # Summary
+ print("\n" + "="*60)
+ print("VALIDATION SUMMARY")
+ print("="*60)
+
+ passed = sum(1 for _, is_valid, _ in validation_results if is_valid)
+ failed = len(validation_results) - passed
+
+ for filename, is_valid, message in validation_results:
+ status = "✅ PASS" if is_valid else "❌ FAIL"
+ print(f"{status}: (unknown)")
+
+ print(f"\nTotal: {len(validation_results)} | Passed: {passed} | Failed: {failed}")
+
+ if failed > 0:
+ print("\n❌ Validation failed!")
+ sys.exit(1)
+ else:
+ print("\n✅ All files validated successfully!")
+ sys.exit(0)
+
+
+if __name__ == "__main__":
+ main()
From 59628d8a981910cb8ebbf50769b9e438f6daae32 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Wed, 19 Nov 2025 14:12:24 -0800 Subject: [PATCH 05/44] Add feature branch for testing purpose --- .github/workflows/validate-response-templates.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml
index cd8b98e4ad..397f350739
--- a/.github/workflows/validate-response-templates.yml
+++ b/.github/workflows/validate-response-templates.yml
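Review bot: `resolve_refs` in load_openapi_schema turns an unknown `$ref` into `{}` via `schemas_dict.get(ref_path, {})`, and an empty JSON Schema accepts any instance, so a typo or a renamed component in mcopenapi_public.yaml silently disables validation for that subtree instead of failing the job. The same helper has no cycle guard, so a component that references itself directly or through another component recurses until RecursionError, which main() only reports as a generic "Error loading schema". Raise on an unresolvable reference and track the names on the current resolution path so a cycle is reported rather than inlined; the rewritten helper follows. Two smaller points: the summary loop's `print(f"{status}: (unknown)")` never prints the `filename` it iterates over (at least as the hunk reads here), and `validate` and `ValidationError` are imported but unused.
```python
    # … unchanged: yaml load and target_schema lookup …
    def resolve_refs(schema_obj: Any, schemas_dict: Dict, stack: Tuple[str, ...] = ()) -> Any:
        """Recursively inline $ref; fail loudly on unknown or cyclic references."""
        if isinstance(schema_obj, dict):
            if '$ref' in schema_obj:
                # Reference looks like "#/components/schemas/<Name>"; only the last segment is used.
                ref_path = schema_obj['$ref'].split('/')[-1]
                if ref_path not in schemas_dict:
                    raise KeyError(f"Unknown schema reference: {schema_obj['$ref']}")
                if ref_path in stack:
                    raise ValueError(f"Cyclic schema reference: {' -> '.join(stack + (ref_path,))}")
                return resolve_refs(schemas_dict[ref_path], schemas_dict, stack + (ref_path,))
            return {k: resolve_refs(v, schemas_dict, stack) for k, v in schema_obj.items()}
        if isinstance(schema_obj, list):
            return [resolve_refs(item, schemas_dict, stack) for item in schema_obj]
        return schema_obj
    # … unchanged: resolved_schema build and $schema tag …
```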
@@ -9,6 +9,7 @@ on:
 push:
 branches:
 - develop
+ - feature/PEX-699-response-plan
 paths:
 - 'response_templates/**'
 - '.github/workflows/validate-response-templates.yml'
From 2714f82b3a152f5f39f0faf09fc2ed48c79383be Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Wed, 19 Nov 2025 14:37:27 -0800 Subject: [PATCH 06/44] Update endpoint to playground --- response_templates/merged_response_templates/manifest.json | 2 +- response_templates/template_script.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/response_templates/merged_response_templates/manifest.json b/response_templates/merged_response_templates/manifest.json
index 43cbf56a7c..a9e45f73bf
--- a/response_templates/merged_response_templates/manifest.json
+++ b/response_templates/merged_response_templates/manifest.json
@@ -1 +1 @@ -{"response_templates": [{"name": "TestMultiVersion", "versions": [{"version": 4, "update_time": 1762292294.8144422}, {"version": 5, "update_time": 1762292328.3112774}], "link": "https://securitycontent.scs.splunk.com/response_templates/TestMultiVersion.json"}, {"name": "SuspiciousEmail", "versions": [{"version": 1, "update_time": 1762280887.1842365}], "link": "https://securitycontent.scs.splunk.com/response_templates/SuspiciousEmail.json"}, {"name": "GenericIncidentResponse", "versions": [{"version": 1, "update_time": 1762280887.4139671}], "link": "https://securitycontent.scs.splunk.com/response_templates/GenericIncidentResponse.json"}]} \ No newline at end of file +{"response_templates": [{"name": "TestMultiVersion", "versions": [{"version": 4, "update_time": 1762292294.8144422}, {"version": 5, "update_time": 1762292328.3112774}], "link": "https://securitycontent.playground.scs.splunk.com/response_templates/TestMultiVersion.json"}, {"name": "SuspiciousEmail", "versions": [{"version": 1, "update_time": 1762280887.1842365}], "link": "https://securitycontent.playground.scs.splunk.com/response_templates/SuspiciousEmail.json"}, {"name": "GenericIncidentResponse", "versions": [{"version": 1, "update_time": 1762280887.4139671}], "link": "https://securitycontent.playground.scs.splunk.com/response_templates/GenericIncidentResponse.json"}]} \ No newline at end of file diff --git a/response_templates/template_script.py b/response_templates/template_script.py index 9362c92a0b..4b05435abd 100644 --- a/response_templates/template_script.py +++ b/response_templates/template_script.py 
@@ -89,7 +89,7 @@ def main():
 parser.add_argument('-m', '--manifest', help='Generate a manifest file', action='store_true')
 parser.add_argument('-d', '--directory', help='Directory containing response template files', required=True)
 parser.add_argument('-o', '--output', help='Output directory for merged templates', default='output')
- parser.add_argument('-p', '--prefix', help='SCS prefix', default='https://securitycontent.scs.splunk.com/response_templates/')
+ parser.add_argument('-p', '--prefix', help='SCS prefix', default='https://securitycontent.playground.scs.splunk.com/response_templates/') # playground endpoint for testing purpose
 args = parser.parse_args()
From b79b51d8306eb1e7f943dd6eff54e8a9d8d2b889 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Mon, 24 Nov 2025 11:21:36 -0800 Subject: [PATCH 07/44] Revert back debug changes --- .github/workflows/validate-response-templates.yml | 1 - response_templates/merged_response_templates/manifest.json | 2 +- response_templates/template_script.py | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml
index 397f350739..cd8b98e4ad
--- a/.github/workflows/validate-response-templates.yml
+++ b/.github/workflows/validate-response-templates.yml
@@ -9,7 +9,6 @@ on:
 push:
 branches:
 - develop
- - feature/PEX-699-response-plan
 paths:
 - 'response_templates/**'
 - '.github/workflows/validate-response-templates.yml'
diff --git a/response_templates/merged_response_templates/manifest.json b/response_templates/merged_response_templates/manifest.json
index a9e45f73bf..43cbf56a7c
--- a/response_templates/merged_response_templates/manifest.json
+++ b/response_templates/merged_response_templates/manifest.json
@@ -1 +1 @@ -{"response_templates": [{"name": "TestMultiVersion", "versions": [{"version": 4, "update_time": 1762292294.8144422}, {"version": 5, "update_time": 1762292328.3112774}], "link": "https://securitycontent.playground.scs.splunk.com/response_templates/TestMultiVersion.json"}, {"name": "SuspiciousEmail", "versions": [{"version": 1, "update_time": 1762280887.1842365}], "link": "https://securitycontent.playground.scs.splunk.com/response_templates/SuspiciousEmail.json"}, {"name": "GenericIncidentResponse", "versions": [{"version": 1, "update_time": 1762280887.4139671}], "link": "https://securitycontent.playground.scs.splunk.com/response_templates/GenericIncidentResponse.json"}]} \ No newline at end of file +{"response_templates": [{"name": "TestMultiVersion", "versions": [{"version": 4, "update_time": 1762292294.8144422}, {"version": 5, "update_time": 1762292328.3112774}], "link": "https://securitycontent.scs.splunk.com/response_templates/TestMultiVersion.json"}, {"name": "SuspiciousEmail", "versions": [{"version": 1, "update_time": 1762280887.1842365}], "link": "https://securitycontent.scs.splunk.com/response_templates/SuspiciousEmail.json"}, {"name": "GenericIncidentResponse", "versions": [{"version": 1, "update_time": 1762280887.4139671}], "link": "https://securitycontent.scs.splunk.com/response_templates/GenericIncidentResponse.json"}]} \ No newline at end of file diff --git a/response_templates/template_script.py b/response_templates/template_script.py index 4b05435abd..861fe53797 100644 --- a/response_templates/template_script.py +++ b/response_templates/template_script.py 
@@ -89,7 +89,7 @@ def main():
 parser.add_argument('-m', '--manifest', help='Generate a manifest file', action='store_true')
 parser.add_argument('-d', '--directory', help='Directory containing response template files', required=True)
 parser.add_argument('-o', '--output', help='Output directory for merged templates', default='output')
- parser.add_argument('-p', '--prefix', help='SCS prefix', default='https://securitycontent.playground.scs.splunk.com/response_templates/') # playground endpoint for testing purpose
+ parser.add_argument('-p', '--prefix', help='SCS prefix', default='https://securitycontent.scs.splunk.com/response_templates/') # playground endpoint for testing purpose
 args = parser.parse_args()
From 9501dff9f363f92a16cf89c04f651d8de11cb1a4 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 09:30:08 -0800 Subject: [PATCH 08/44] Move scripts to workflows --- .github/workflows/build.yml | 4 +--- .../workflows/response_templates}/mcopenapi_public.yaml | 0 .../workflows/response_templates}/template_script.py | 0 .../response_templates}/validate_response_templates.py | 0 .github/workflows/validate-response-templates.yml | 3 +-- 5 files changed, 2 insertions(+), 5 deletions(-) rename {response_templates => .github/workflows/response_templates}/mcopenapi_public.yaml (100%) rename {response_templates => .github/workflows/response_templates}/template_script.py (100%) rename {response_templates => .github/workflows/response_templates}/validate_response_templates.py (100%)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e10475adc8..ffde7b1542
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
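Review bot: The trailing comment `# playground endpoint for testing purpose` survives the revert on the added line even though the default is back to the production `securitycontent.scs.splunk.com` URL, so the line now documents the opposite of what it does. Drop the comment so the line reads `parser.add_argument('-p', '--prefix', help='SCS prefix', default='https://securitycontent.scs.splunk.com/response_templates/')`. The rest of main() is outside the hunk.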
@@ -29,9 +29,7 @@ jobs:
 contentctl build --enrichments --enforce_deprecation_mapping_requirement
 mkdir artifacts
 mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/
- cd response_templates
- python template_script.py -d . -o ./merged_response_templates -m
- cd ..
+ python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m
 mkdir -p dist/api/response_templates
 cp response_templates/merged_response_templates/* dist/api/response_templates/
diff --git a/response_templates/mcopenapi_public.yaml b/.github/workflows/response_templates/mcopenapi_public.yaml
similarity index 100%
rename from response_templates/mcopenapi_public.yaml
rename to .github/workflows/response_templates/mcopenapi_public.yaml
diff --git a/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py
similarity index 100%
rename from response_templates/template_script.py
rename to .github/workflows/response_templates/template_script.py
diff --git a/response_templates/validate_response_templates.py b/.github/workflows/response_templates/validate_response_templates.py
similarity index 100%
rename from response_templates/validate_response_templates.py
rename to .github/workflows/response_templates/validate_response_templates.py
diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml
index cd8b98e4ad..61730e3303
--- a/.github/workflows/validate-response-templates.yml
+++ b/.github/workflows/validate-response-templates.yml
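Review bot: The added step writes the generator's output into `./response_templates/merged_response_templates` inside the checked-out tree, and the unchanged `cp response_templates/merged_response_templates/* dist/api/response_templates/` then publishes everything in that directory, so any merged file that is still committed there (as it is at this point in the series) ships to dist/api even when its source template has since been removed or renamed. Pointing `-o` at a scratch path outside the source tree, e.g. `-o ./artifacts/response_templates`, with the cp adjusted to match, limits the published set to what this run produced. Nothing visible in this hunk runs validate_response_templates.py before the copy; if validation only happens in the separate validate-response-templates workflow, a template that fails schema validation can still land in the build artifact unless that workflow is a required check. The run block continues outside the hunk.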
@@ -32,5 +32,4 @@ jobs:
 - name: Validate response templates
 run: |
- cd response_templates
- python validate_response_templates.py -s mcopenapi_public.yaml -d . -m merged_response_templates/manifest.json --merged-dir merged_response_templates
+ python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yaml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates
From 847329699a0dbb0152df340775bcb5e8e07e7451 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 09:33:00 -0800 Subject: [PATCH 09/44] Remove manual check in --- .../merged_response_templates/GenericIncidentResponse.json | 1 - .../merged_response_templates/SuspiciousEmail.json | 1 - .../merged_response_templates/TestMultiVersion.json | 1 - response_templates/merged_response_templates/manifest.json | 1 - 4 files changed, 4 deletions(-) delete mode 100644 response_templates/merged_response_templates/GenericIncidentResponse.json delete mode 100644 response_templates/merged_response_templates/SuspiciousEmail.json delete mode 100644 response_templates/merged_response_templates/TestMultiVersion.json delete mode 100644 response_templates/merged_response_templates/manifest.json
diff --git a/response_templates/merged_response_templates/GenericIncidentResponse.json b/response_templates/merged_response_templates/GenericIncidentResponse.json
deleted file mode 100644
index f5f4b5ba62..0000000000
--- a/response_templates/merged_response_templates/GenericIncidentResponse.json
+++ /dev/null
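Review bot: The new command passes `-m response_templates/merged_response_templates/manifest.json` and `--merged-dir response_templates/merged_response_templates`, but the very next patch in this series (PATCH 09, visible in its diffstat) deletes those merged files and manifest.json from the repository, so validate_response_templates.py will exit with "Manifest file not found" unless a step earlier in this job — outside the hunk — runs template_script.py first. Either generate the merged output in this workflow before validating it, or drop the `-m`/`--merged-dir` arguments when the directory is not produced here. The job's earlier steps are outside the hunk, so this may already be handled.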
@@ -1 +0,0 @@ -[{"id": "5d656a90-fe91-4c8f-8460-fa2599a17f75", "create_time": 1762280887.4139671, "update_time": 1762280887.4139671, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "2d4ceaab-2ab3-4e61-8997-2eec7b612c7b", "create_time": 1762280887.4145086, "update_time": 1762280887.414509, "name": "Detection", "order": 1, "tasks": [{"id": "8c73eaa4-8928-40de-8e3b-e130efc01bb8", "create_time": 1762280887.4141092, "update_time": 1762280887.41411, "name": "Report incident response execution", "order": 1, "tag": "e8d26ce8-a004-4621-8b40-0e95acd7638b", "description": "Alert appropriate parties that incident response is starting.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "feec4f53-67ef-405d-baf4-2c8a3ca8b486", "create_time": 1762280887.414233, "update_time": 1762280887.4142334, "name": "Document associated events", "order": 2, "tag": "afb0e39b-9bfe-4d02-a090-e3b9ca2386de", "description": "This is the escalation. Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "72a39d10-2941-4451-8973-7c82d9055cff", "create_time": 1762280887.4143443, "update_time": 1762280887.4143448, "name": "Document known attack surface and attacker information", "order": 3, "tag": "46211e09-e553-4c9f-a9a8-8383fec880a5", "description": "Rough triage of the situation. 
No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5ae0daa1-b86a-4a60-93a1-20c8b5d963c2", "create_time": 1762280887.4144528, "update_time": 1762280887.4144533, "name": "Assign roles", "order": 4, "tag": "e70408a7-3062-474a-aaf0-460402f16f29", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f546ee59-0988-4b55-8166-8cac2a64b76f", "create_time": 1762280887.41606, "update_time": 1762280887.4160604, "name": "Analysis", "order": 2, "tasks": [{"id": "a8acff10-07f5-49af-a103-ce864235994b", "create_time": 1762280887.414614, "update_time": 1762280887.4146142, "name": "Research intelligence resources", "order": 1, "tag": "c291654f-4616-4cde-afcb-5f7352d3fb6c", "description": "Find out if this attacker is a known agent and gather associated tactics, techniques, and procedures (TTP) used.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4d7b78f-1cd0-47c2-b0e3-40933395688a", "create_time": 1762280887.4147215, "update_time": 1762280887.414722, "name": "Research proxy logs", "order": 2, "tag": "0c56f2ef-fa23-48f6-abe8-7e42ae12716c", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"c5cee5b9-2ad7-4144-aa85-d746bae679ed", "create_time": 1762280887.41483, "update_time": 1762280887.4148307, "name": "Research firewall logs", "order": 3, "tag": "60405c0a-cbbf-4034-a4ec-d4f6f467b6e0", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92f68bd6-3b7d-4a58-ad55-4b3a36369526", "create_time": 1762280887.41496, "update_time": 1762280887.4149606, "name": "Research OS logs", "order": 4, "tag": "a8939de4-a990-4adf-83c6-d93f5b378ff1", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "61816baa-fc24-4f38-a6cd-7626561b48ff", "create_time": 1762280887.4152095, "update_time": 1762280887.41521, "name": "Research network logs", "order": 5, "tag": "027f7da1-76e1-4466-be1d-4b40771de133", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4811036e-781a-4885-bf38-32729a1a0ba1", "create_time": 1762280887.4153204, "update_time": 1762280887.4153206, "name": "Research endpoint protection logs", "order": 6, "tag": "afc28267-6231-4db6-a005-accabb008c7a", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"79900180-4caf-4d96-9290-968d9f5aec84", "create_time": 1762280887.4154315, "update_time": 1762280887.415432, "name": "Determine infection vector", "order": 7, "tag": "af4db0e8-d1ac-4d98-82ec-939fa5d47a0b", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "09087e70-fd26-4484-b92a-33c8728d8719", "create_time": 1762280887.415541, "update_time": 1762280887.4155414, "name": "Document all attack targets", "order": 8, "tag": "14552467-8504-4196-9c18-46c68995c590", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a9878c0-5626-4350-a0b6-cd5fef767dda", "create_time": 1762280887.4156528, "update_time": 1762280887.4156535, "name": "Document all attacker sources and TTP", "order": 9, "tag": "9a83e045-a686-423a-b80b-1c7906d8b7b0", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3986bf6d-fc23-4296-8dbe-d2b7117c9ec3", "create_time": 1762280887.4157624, "update_time": 1762280887.415763, "name": "Document infected devices", "order": 10, "tag": "5888de1b-61c8-4ea4-90d8-aeb01ec4682f", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "c7044f3e-f58b-4dcb-b1f2-c595a214ff9d", "create_time": 1762280887.4158719, "update_time": 1762280887.4158723, "name": "Determine full impact of attack", "order": 11, "tag": "b0cf76ae-1c67-4737-bf00-170971be80f3", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ca532eca-d263-4af9-9391-6d35b63c3627", "create_time": 1762280887.4160035, "update_time": 1762280887.4160042, "name": "Analyze malware samples", "order": 12, "tag": "e3b989b5-df17-4324-880d-10a5ac6c441d", "description": "Analyze discovered malware and document indicators of compromise (IOCs).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9bf6f73e-a5da-49ac-87a7-a2469155cf7b", "create_time": 1762280887.4164388, "update_time": 1762280887.4164393, "name": "Containment", "order": 3, "tasks": [{"id": "8bb468b3-8ac7-4e49-86d8-ca1513550c47", "create_time": 1762280887.4161665, "update_time": 1762280887.416167, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "28d74f7a-1aaf-4f44-8245-ed62a4720046", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d512b582-b030-486a-86b0-a8e656ea4542", "create_time": 1762280887.416276, "update_time": 1762280887.4162762, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": 
"18ed5b52-40e5-4dc7-b3c5-09c85a8a4cca", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "002fc36e-8a96-40c9-8a1d-b38d4f57b61b", "create_time": 1762280887.416384, "update_time": 1762280887.4163842, "name": "Contain incident", "order": 3, "tag": "a34be9ce-1ac5-4b35-9720-f3d50a33243b", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f9af170b-9aa7-4914-9e7c-59ba2128d1da", "create_time": 1762280887.41683, "update_time": 1762280887.4168303, "name": "Eradication", "order": 4, "tasks": [{"id": "16fd1501-b42b-440f-a2d2-54e698e12892", "create_time": 1762280887.4165573, "update_time": 1762280887.4165576, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "d9e85137-1503-4f1f-8765-c580516814cb", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e43e6862-a78b-4eef-b5b1-63782650ea28", "create_time": 1762280887.4166672, "update_time": 1762280887.4166675, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "b6ef4c01-da86-4383-80c2-bf565a7124e3", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3b9148a5-2780-4eb9-9e21-908163e62d7a", "create_time": 1762280887.4167752, "update_time": 1762280887.4167757, "name": "Repeat analysis and containment on any newly discovered 
infected hosts", "order": 3, "tag": "9f3c7353-cc4b-4e1f-8f89-ccd153468278", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d9ad55cf-ece3-4090-bf43-5ef24995a891", "create_time": 1762280887.4172246, "update_time": 1762280887.4172251, "name": "Recovery", "order": 5, "tasks": [{"id": "7f3ccff8-bd53-44b4-8ef3-cc333aa1c6e1", "create_time": 1762280887.4169493, "update_time": 1762280887.4169497, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "dec11e17-d2b6-41e4-8490-a500262e1991", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0209cfd0-91b3-4d4c-a8a6-266cf0a2302d", "create_time": 1762280887.4170604, "update_time": 1762280887.4170609, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "cb1b051b-25d0-4fd3-b4bb-85c16c19d55b", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f55fd9d7-8fd5-4920-90e5-34bc82625e80", "create_time": 1762280887.4171677, "update_time": 1762280887.417168, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "59e40624-72dd-498a-bd4c-297cace98c29", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], 
"searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ec68a4cd-daca-4bc0-848b-b586a070c8e4", "create_time": 1762280887.4176192, "update_time": 1762280887.4176197, "name": "Post", "order": 6, "tasks": [{"id": "f6565b96-cd55-4264-b509-908e52a29e3a", "create_time": 1762280887.4173315, "update_time": 1762280887.4173317, "name": "Schedule after-action review meeting", "order": 1, "tag": "515c3f1b-d0ee-4866-8980-7704cd34c6d7", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e5e2f646-64bb-4c59-b10d-c497625327fd", "create_time": 1762280887.4174387, "update_time": 1762280887.417439, "name": "Generate incident response action report", "order": 2, "tag": "00fe59eb-19cd-45dc-ac55-66dfd78e3dbd", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d74ad240-caa8-4c00-91ab-ab033e7f38a1", "create_time": 1762280887.4175637, "update_time": 1762280887.4175642, "name": "Report incident response complete", "order": 3, "tag": "f8bfdc47-6329-4465-a93f-47e6fbadd006", "description": "Alert appropriate parties that incident response is complete.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "7bd3e9e3-414a-4075-8846-8573bc637192", "active": true, "used": false, "_user": "nobody", "_key": "5d656a90-fe91-4c8f-8460-fa2599a17f75"}] \ No newline at end of file 
diff --git a/response_templates/merged_response_templates/SuspiciousEmail.json b/response_templates/merged_response_templates/SuspiciousEmail.json deleted file mode 100644 index dad0a9faf9..0000000000 --- a/response_templates/merged_response_templates/SuspiciousEmail.json +++ /dev/null 
@@ -1 +0,0 @@ -[{"id": "1e541fb9-a309-45f6-8593-7e6e68d934b4", "create_time": 1762280887.1842365, "update_time": 1762280887.1842365, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "4b401ecf-a89f-463d-928d-4226f8039bdb", "create_time": 1762280887.184704, "update_time": 1762280887.1847045, "name": "Ingestion", "order": 1, "tasks": [{"id": "ee54e4eb-e532-4a92-a81e-b398920e48d9", "create_time": 1762280887.1843824, "update_time": 1762280887.184383, "name": "Create ticket", "order": 1, "tag": "fb454299-42f6-4bf2-9cbc-3d48c213dbe2", "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. 
As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4d5b3e5f-26fa-4fc8-a9db-c403132fddbd", "create_time": 1762280887.1845334, "update_time": 1762280887.1845338, "name": "Ingest email", "order": 2, "tag": "3bebd6f0-e226-4f1e-92b5-ae11273fb627", "description": "Identify and ingest the suspicious email into Splunk Mission Control. Actual steps vary depending on how you create the Splunk Mission Control notable and where the suspicious email resides. For example, if you had a Splunk Enterprise Security correlation search running to identify suspicious emails, and forward those notable events to Splunk Mission Control as notables, you have many of the useful artifacts needed to investigate the email. If you need additional metadata, you can run the \"get email\" action to retrieve it, or the \"extract email\" action to add the email to Splunk Mission Control if it is in the .msg or .eml format. 
Or for example, if you send suspicious emails to a dedicated email address for suspected phishing attempts, you can use a connector such as IMAP, EWS for Exchange, EWS for OFfice, or GSuite for GMail to poll that inbox directly and send the suspicious email to Splunk Mission Control as a notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e0c57817-caed-4f30-9123-24ea2768b208", "create_time": 1762280887.1846468, "update_time": 1762280887.1846473, "name": "Extract actionable metadata and files", "order": 3, "tag": "160eb657-d056-4b16-9ed5-1742364948b3", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f5991490-8540-4566-b7cc-6d88ad5b87cc", "create_time": 1762280887.1854346, "update_time": 1762280887.185435, "name": "External Investigation", "order": 2, "tasks": [{"id": "44bdcadb-2a0e-4b00-b4e8-5546e7ec0cc2", "create_time": 1762280887.1848118, "update_time": 1762280887.184812, "name": "Investigate URLs", "order": 1, "tag": "e0ea0bb0-f087-4d81-b2a7-a9899d287bda", "description": "Perhaps the most common email attack vector is a clickable link that brings a user to a malicious website. The malicious website might collect credentials or other confidential information, attempt to exploit the user's browser, lead the user to download a malicious file, or gather preliminary fingerprint information about the user to inform further operations. Investigate all URLs contained in the suspicious email using a mix of automated and manual techniques. Query threat intelligence services and other sources of reputation information to see if the URLs are linked to known malicious activity. Check the categorization of the URLs and their popularity using services such as Censys or Alexa. Determine whether the URL is spoofing a brand using a similar spelling, a unicode substitution, or an out-of-order domain name. Also consider using a less passive technique that analyzes the current state of the URL, such as a sandboxed URL detonation, a website scanning tool such as urlscan.io or SSL Labs, a manual inspection from a sandboxed environment, or a website screenshot engine such as Screenshot Machine. 
Consider that targeted attacks might only reveal the malicious behavior of a website if the user agent and/or the source address of the request matches the target environment. The output of this task might be more linked URLs, the domain names of the underlying servers responding to the request, other domain names used by the website, IP addresses, or downloadable files. All of the above should be passed on to further investigative tasks if needed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "008e7332-8c23-4b8b-961b-de2a5bee1811", "create_time": 1762280887.1849227, "update_time": 1762280887.184923, "name": "Investigate file attachments", "order": 2, "tag": "b4379132-c701-4bcc-80f0-b7a19f8b854a", "description": "Another common email attack vector is a malicious file attachment. Any file could be malicious, but most attacks involve executables, scripts, or documents. Investigate these files using either a whole copy of the file or the file hash. Query threat intelligence and reputation databases using the hash to see if the file has been seen before, to see if there is suspicious activity associated with the file, and to learn more about the file's behavior. Query for previous analyses or submit the file for examination in a dynamic or static tool to check for potentially malicious behaviors or properties. 
Actions used for this task might extract associated URLs, domain names, IP addresses, or secondary file hashes which can be explored further in other tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf94fe65-6dce-40d0-87bf-35c57eb93506", "create_time": 1762280887.1850498, "update_time": 1762280887.1850502, "name": "Investigate email addresses and headers", "order": 3, "tag": "4695b6fb-a152-4585-b44c-4b8d95055a25", "description": "The source email address and other headers contain a wide variety of information about the source environment of the email and the infrastructure used to send and receive it. Use a mix of automated and manual analysis to determine where the email came from and whether it uses headers in a suspicious way. Query threat intelligence and reputation databases using the \"From\", \"Sender\", and \"Reply-to\" addresses, as well as any other email addresses in the other header fields. Compare the display names of these fields to the actual values to see if misleading names are used. Check if the servers that received the email marked it with the appropriate authentication results for SPF, DKIM, and/or DMARC. If needed use Microsoft Message Header Analyzer, MxToolbox, or other tools to interpret the remaining headers. 
Outputs of this task such as domain names and IP addresses can be passed on to further tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "46a2ebf5-94e6-4d12-8495-fcdc7969957d", "create_time": 1762280887.1851606, "update_time": 1762280887.185161, "name": "Investigate domains", "order": 4, "tag": "cef512e6-19b6-4887-8ce0-124d69a7fde4", "description": "At this point domain names from various sources should be collected in the notable, including email sending and receiving servers, web servers from URLs in the email, domains associated to other indicators in threat intelligence databases, and domains contained in the file attachment or detected by the detonation of the file attachment. Check each of these against threat intelligence and reputation databases, passive DNS trackers, whois services, and other information services. Look for known malicious or unknown domains, focusing more on those associated to clickable URLs and file attachments. Evaluate what services are running on each suspicious domain using a scanning service such as Censys or Shodan. Check the TLS certificate (if applicable), website categorization, popularity, and any other available information. Compare this information to the expected outcome given the alleged context of the email. For unknown domains, consider the domain history, the hosting provider, and whether the domain name appears to have been dynamically generated. 
IP addresses currently and previously associated with the domain should be further processed elsewhere in your investigation.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6801061-372c-4e0e-9bab-009e78ea8d59", "create_time": 1762280887.1852703, "update_time": 1762280887.1852708, "name": "Investigate IP addresses", "order": 5, "tag": "6e0691b6-82b2-442c-88f8-da26f59eb8b3", "description": "IP addresses may be involved in this investigation for several reasons. Some email headers can contain IP addresses (such as X-Originating-IP), URLs can contain IP addresses instead of hostnames, file attachments can contain IP addresses or generate IP addresses and try to connect to them (like domain generation algorithms), and IP addresses can be added to the notable through association or domain name resolution in other tasks within this investigation. Consider IP addresses in URLs that are not internal IP addresses for the organization highly suspicious. Investigate all suspicious IP addresses by checking the reputation, geolocation, whois record, DNS history, and by gathering information from other available services.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ccae86ab-acd7-48bd-acf8-e823b3894fe6", "create_time": 1762280887.1853795, "update_time": 1762280887.1853797, "name": "Investigate email subject and body", "order": 6, "tag": "21c70d94-3a33-4295-8711-a272b31940d1", "description": "The subject and body of an email can be malicious without containing a single URL or file attachment. 
Examples include emails that ask the receiver to reply with confidential information, contain instructions to do insecure things, manipulate automated systems that are parsing the email, or prime the receiver for other interactions. Malicious emails often use current events such as tax season, a hurricane, or other publicly available information to establish a sense of trust or an illusion of urgency. Social engineering is perhaps the hardest technique to detect in an automated fashion, often requiring manual investigation. Consider the context of the message, the intended recipient, and the identity of the sender or alleged sender. It might be necessary to ask the recipient user if they think the email is legitimate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4ee204f8-d5e9-4158-9f5f-3d898dcfd32a", "create_time": 1762280887.1859224, "update_time": 1762280887.1859229, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "605d29ce-9d16-4882-ba5b-2811f6bf4efc", "create_time": 1762280887.1855412, "update_time": 1762280887.1855416, "name": "Hunt email activity", "order": 1, "tag": "efae43b9-0c49-41b5-bb71-687f359ff73f", "description": "Find other similar emails sent into the organization based on the sender address, sender domain, subject, embedded URLs, file attachments, or other similar attributes shared across multiple emails. If possible determine which emails were opened, forwarded, deleted, marked as spam, or reported as potential phishing. Consider which types of users are targeted and why. 
Also check whether internal users replied to the emails and what information was contained in the replies.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8dab7fc-c86f-43a0-be73-80ba587c8bdb", "create_time": 1762280887.1856506, "update_time": 1762280887.1856513, "name": "Hunt network activity", "order": 2, "tag": "c90df879-0c52-487c-9dd7-be88e7900c9c", "description": "Based on previously collected information, try to determine whether or not URLs in the email were clicked, phishing websites were visited, or other suspicious network connections were made from the computers of users who opened the email. This can be done using many types of network monitoring, including netflow, full packet capture, DNS logging, and/or endpoint monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a26c5093-d4e3-4b3a-8173-cfa05701ec2c", "create_time": 1762280887.1857598, "update_time": 1762280887.1857603, "name": "Hunt file executions", "order": 3, "tag": "a644ccc1-8034-4299-97c8-506179a3402e", "description": "If the email included a file attachment, try to determine which users downloaded the attachment and which users executed it or opened it in some other way. Use the file hash of the attachment to search across endpoint monitoring or network monitoring solutions for the transmission and/or execution of the file. If executions are detected, try to determine the behavior of the created process. 
If a potentially malicious document or other file type was opened, try to determine which application opened it and whether the file exploited or abused the opening application.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "48be613f-36ae-42ab-bd35-e4ec600c3c95", "create_time": 1762280887.1858678, "update_time": 1762280887.185868, "name": "Hunt user activity", "order": 4, "tag": "e541c4de-a76f-4917-b8ba-960a16653fc5", "description": "If a phishing attempt or other user account compromise attempt is suspected, investigate how the credentials or account access are being used. Enumerate resources available to the account and search the access logs for those resources, looking for anomalous usage patterns.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d7b7765f-e5b3-4122-8791-f6274f6ba85e", "create_time": 1762280887.186552, "update_time": 1762280887.1865525, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "90905d2d-4247-462b-843a-d9f4fd9ec717", "create_time": 1762280887.186041, "update_time": 1762280887.1860416, "name": "Block or monitor email activity", "order": 1, "tag": "42060fc0-5ae2-4f15-a7f4-6bf4ed364733", "description": "If specific malicious emails have been identified, delete them from any mailboxes in which they still pose a threat. Similarly, if a sender address or an entire sender domain is found to be malicious, block inbound email from that source. 
Set filtering rules to block inbound email or increase monitoring of email based on other detected characteristics of an email campaign or malicious technique.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0066f95-2fe4-4d25-ae51-cbc559e0cc8a", "create_time": 1762280887.1861491, "update_time": 1762280887.1861496, "name": "Block or monitor network activity", "order": 2, "tag": "1081b34c-8234-411b-b1ec-ed0205fa4eb8", "description": "Based on gathered indicators and metadata, block or increase monitoring of malicious network connections associated with the suspicious email. Prevent other receivers of similar phishing emails from accessing the clickable URL by blocking that URL itself, the underlying domain name, and/or the underlying IP addresses. If malware or unwanted software was detected, block outbound connections known to be associated with that malware based on threat intelligence or dynamic analysis. If the threat is severe enough, consider isolating entire portions of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f8575450-6ad7-4880-ae94-1792d9cc8906", "create_time": 1762280887.1862686, "update_time": 1762280887.1862693, "name": "Block or monitor file executions", "order": 3, "tag": "872a713a-a687-404f-8e12-c432c99938ab", "description": "Based on gathered indicators and metadata, block or increase monitoring of endpoint activity caused by the suspicious email. 
This could mean blocking the hash of the file attachment, blocking the hash of a file downloaded from a URL in an email, blocking a malicious hash associated with the email by threat intelligence, or blocking secondary executions such as dropped stages of malware identified from dynamic analysis.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d102f2c9-b977-4016-af6a-605da7a1626b", "create_time": 1762280887.1863873, "update_time": 1762280887.1863878, "name": "Contain endpoints", "order": 4, "tag": "07490733-2250-4a3e-8ba9-9107abdfa10e", "description": "If an endpoint compromise is suspected, it might be necessary to quarantine or otherwise contain that endpoint until further investigation and remediation can be done. Consider the criticality of the system and the likelihood of a compromise. In other cases, simply increasing the monitoring or scanning for more information can be prudent.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "85721cac-d2d0-4a9f-90fc-1969fb38a3b4", "create_time": 1762280887.1864965, "update_time": 1762280887.186497, "name": "Contain user accounts", "order": 5, "tag": "ae12b741-8e83-4e23-9e8c-7f461f9c891a", "description": "If a user account compromise is suspected, it might be necessary to reset the credentials, reduce the account privileges, or disable the account until further investigation is completed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "3ea7502b-d251-4562-a489-4bec4c16300d", "create_time": 1762280887.1868212, "update_time": 
1762280887.1868217, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "00adbace-3659-4464-a606-85658daf13e5", "create_time": 1762280887.186658, "update_time": 1762280887.1866581, "name": "Analyze network activity", "order": 1, "tag": "6790fca4-5cf6-40bf-b425-2e9c547acb0b", "description": "Perform any resource-intensive analysis of network activity left over from the External Investigation and Internal Hunting phases. This might mean full packet capture collection and analysis, sandbox detonation of URLs, long-running queries of network history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c9917bdc-f49f-40a3-a297-82843edcc56c", "create_time": 1762280887.1867664, "update_time": 1762280887.1867669, "name": "Analyze endpoint activity", "order": 2, "tag": "c0e4e6fc-d6a3-48a3-80ad-17e6f3d29abd", "description": "Conduct deeper analysis on remaining malware and endpoint investigation tasks not finished in the External Investigation and Internal Hunting phases. 
This might mean sandbox detonation of files, forensic analysis of associated devices or memory dumps, reverse engineering of suspected malware, long-running queries of endpoint activity history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ee783e2b-62ce-4dfa-a8ac-dfd38e3336a9", "create_time": 1762280887.1876307, "update_time": 1762280887.1876311, "name": "Notification", "order": 6, "tasks": [{"id": "25cb7e69-be9d-4faf-9e4a-088b42b4788e", "create_time": 1762280887.1869273, "update_time": 1762280887.1869276, "name": "Update tickets", "order": 1, "tag": "d1644224-bfe8-4710-be7a-42b83746e870", "description": "Make sure that all the necessary outputs and status updates from the previous phases and tasks are documented in the appropriate system of record. Summarize the current state of the investigation and any remaining tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fd8e6a70-6f3b-4f12-a3d9-ced01a867591", "create_time": 1762280887.187141, "update_time": 1762280887.1871414, "name": "Notify system owners", "order": 2, "tag": "f375634e-8725-45b0-953f-913af5792047", "description": "For any systems that have been changed or need to be changed, notify the necessary system owners so the appropriate change management procedures can be followed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6df9bdea-2fdc-469e-b3de-298bac097739", "create_time": 1762280887.1872501, "update_time": 1762280887.1872506, "name": 
"Notify regulatory compliance team", "order": 3, "tag": "ae1e0019-56dc-4782-9efd-fad66ee54734", "description": "If appropriate, notify the regulatory compliance team to support them as they report this incident to the correct regulatory or accrediting organizations.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ca7c9e3-547b-4e44-aacb-9f8a23665d3d", "create_time": 1762280887.1873586, "update_time": 1762280887.187359, "name": "Assign additional tasks", "order": 4, "tag": "def2f366-4f31-4b7a-ba01-0fecd5bc1c9e", "description": "Create tickets to track any follow-on tasks that came out of this investigation. Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4de9d9be-e269-4d03-9fe4-0496b933abe4", "create_time": 1762280887.1874657, "update_time": 1762280887.187466, "name": "Educate users", "order": 5, "tag": "94435be3-c9bb-4cb0-a298-adad4c5e685a", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3e0fb677-9a5d-48a1-a0b8-3b1b92d05efa", "create_time": 1762280887.1875756, "update_time": 1762280887.1875758, "name": "Share threat intelligence", "order": 6, "tag": 
"b6e77ae5-bd3b-4809-af51-3cc9d2ee35a8", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "a819ee87-e98f-4108-9554-7c167bdfeb79", "active": true, "used": false, "_user": "nobody", "_key": "1e541fb9-a309-45f6-8593-7e6e68d934b4"}]
\ No newline at end of file
diff --git a/response_templates/merged_response_templates/TestMultiVersion.json b/response_templates/merged_response_templates/TestMultiVersion.json
deleted file mode 100644
index 3fb54f5984..0000000000
--- a/response_templates/merged_response_templates/TestMultiVersion.json
+++ /dev/null
@@ -1 +0,0 @@ -[{"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292294.8144422, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 4, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292292.855246, "update_time": 1762292294.7901058, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292294.790007, "name": "Test%20Task", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"}, {"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292328.3112774, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 5, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292328.2866068, "update_time": 1762292328.2866073, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292328.2865093, "name": "Test%20Task%20V3", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": 
"ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"}]
\ No newline at end of file
diff --git a/response_templates/merged_response_templates/manifest.json b/response_templates/merged_response_templates/manifest.json
deleted file mode 100644
index 43cbf56a7c..0000000000
--- a/response_templates/merged_response_templates/manifest.json
+++ /dev/null
@@ -1 +0,0 @@
-{"response_templates": [{"name": "TestMultiVersion", "versions": [{"version": 4, "update_time": 1762292294.8144422}, {"version": 5, "update_time": 1762292328.3112774}], "link": "https://securitycontent.scs.splunk.com/response_templates/TestMultiVersion.json"}, {"name": "SuspiciousEmail", "versions": [{"version": 1, "update_time": 1762280887.1842365}], "link": "https://securitycontent.scs.splunk.com/response_templates/SuspiciousEmail.json"}, {"name": "GenericIncidentResponse", "versions": [{"version": 1, "update_time": 1762280887.4139671}], "link": "https://securitycontent.scs.splunk.com/response_templates/GenericIncidentResponse.json"}]}
\ No newline at end of file
From a9c403087d7c5a37ad0042466d883e10ecfb6368 Mon Sep 17 00:00:00 2001
From: Xiaonan Qi
Date: Tue, 25 Nov 2025 09:50:36 -0800
Subject: [PATCH 10/44] Add sorting for version and template name
---
.github/workflows/response_templates/template_script.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py
index 861fe53797..00f87196d5 100644
--- a/.github/workflows/response_templates/template_script.py
+++ b/.github/workflows/response_templates/template_script.py
@@ -12,7 +12,7 @@ def generate_manifest(directory, prefix, output_dir): } try: template_mapping = _get_template_mapping(directory) - for template_name, template_list in template_mapping.items(): + for template_name, template_list in sorted(template_mapping.items(), key=lambda x: x[0]): out_template_name = f"{template_name}.json" templates_version= [] @@ -63,12 +63,17 @@ def _get_template_mapping(directory): template_to_file_mapping[template_name].append((version, file)) + # Sort each template's version list by version number (ascending order) + for template_name in template_to_file_mapping: + template_to_file_mapping[template_name].sort(key=lambda x: float(x[0])) + return template_to_file_mapping def merge_files(directory, output_dir): try: template_mapping = _get_template_mapping(directory) - for template_name, template_list in template_mapping.items(): + print(template_mapping) + for template_name, template_list in sorted(template_mapping.items(), key=lambda x: x[0]): out_template_name = f"{template_name}.json" templates = [] From 09aae74d78f5be80b18cdfad7d2f80ffdd54ccde Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 10:12:40 -0800 Subject: [PATCH 11/44] Raise exception when file name not match --- .github/workflows/response_templates/template_script.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py index 00f87196d5..357d4db2f3 100644 --- a/.github/workflows/response_templates/template_script.py +++ b/.github/workflows/response_templates/template_script.py 
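Review bot: The new per-template sort in `_get_template_mapping` keys on `float(x[0])`, where `x[0]` is the raw string after `_v`, so any file whose suffix is not a plain number (a dotted or tagged version, for instance) aborts the whole merge with a ValueError that callers only surface as the generic "Error during merging files" message, and a float key would also misorder dotted versions if they ever appear. Since the deleted manifest.json on this page carries integer `version` values, the intended contract looks like an integer suffix; converting once where the tuple is built, `template_to_file_mapping[template_name].append((int(version), file))`, and sorting on the tuple without the float key makes that contract explicit and fails on a bad suffix at the point where the file name is inspected. `_get_template_mapping` and `merge_files` both continue outside the hunk.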
@@ -56,8 +56,7 @@ def _get_template_mapping(directory):
 file_name_no_ext= file.name.replace(".json", "")
 name_split = file_name_no_ext.rsplit("_v", 1)
 if len(name_split) != 2:
- print(f"Skipping file {file.name}: does not match expected pattern '_v'")
- continue
+ raise ValueError(f"File {file.name} does not match expected pattern '_v'")
 template_name = name_split[0]
 version = name_split[1]
@@ -72,7 +71,7 @@ def _get_template_mapping(directory):
 def merge_files(directory, output_dir):
 try:
 template_mapping = _get_template_mapping(directory)
- print(template_mapping)
+
 for template_name, template_list in sorted(template_mapping.items(), key=lambda x: x[0]):
 out_template_name = f"{template_name}.json"
From dc9cbfcf693b54765f39cc14717fa2f5844bde39 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 10:15:23 -0800 Subject: [PATCH 12/44] Add indentation for json output
---
 .github/workflows/response_templates/template_script.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py
index 357d4db2f3..b56df635ea 100644
--- a/.github/workflows/response_templates/template_script.py
+++ b/.github/workflows/response_templates/template_script.py
@@ -34,7 +34,7 @@ def generate_manifest(directory, prefix, output_dir):
 })
 with open(Path(output_dir) / "manifest.json", 'w') as out_file:
- out_file.write(json.dumps(res))
+ out_file.write(json.dumps(res, indent=2))
 except Exception as e:
 print(f"Error during merging files: {e}")
@@ -82,7 +82,7 @@ def merge_files(directory, output_dir):
 templates.append(json.loads(content))
 with open(Path(output_dir) / out_template_name, 'w') as out_file:
- out_file.write(json.dumps(templates))
+ out_file.write(json.dumps(templates, indent=2))
 except Exception as e:
 print(f"Error during merging files: {e}")
 raise
From 49f17007c94ebd5564202697505b53aecae2ea70 Mon Sep 17 00:00:00 2001
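Review bot: Turning the name-pattern mismatch into a hard `ValueError` makes every file in the directory subject to the `<name>_v<version>.json` convention, yet the template files added later in this series (`AccountCompromise.json`, `DataBreach.json`, `NIST80061.json` in the PATCH 23 diffstat) carry no `_v` suffix, so as of this hunk that build would fail unless a later commit not visible here relaxes the split. The check also accepts an empty template name, because a file called `_v1.json` splits into `['', '1']`; `if len(name_split) != 2 or not name_split[0]:` rejects it with the same error. The rest of `_get_template_mapping` lies outside the hunk.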
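Review bot: The `except` branch at the end of the generate_manifest hunk (`@@ -34,7 +34,7 @@`) reports `Error during merging files`, although this function writes manifest.json rather than merging templates, so a failure here would be misattributed in the CI log; `print(f"Error during generating manifest: {e}")` reads correctly. Unlike the merge_files hunk below, no `raise` is visible after that print; if generate_manifest really swallows the exception (its body continues past the hunk), a missing or partial manifest.json would not fail the build step that later copies the directory into dist/api for publication. Worth confirming that a re-raise follows the print.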
From: Xiaonan Qi Date: Tue, 25 Nov 2025 10:26:48 -0800 Subject: [PATCH 13/44] Add debug option to dump json schema
---
 .../validate_response_templates.py | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/response_templates/validate_response_templates.py b/.github/workflows/response_templates/validate_response_templates.py
index 3388208007..ef4e8a9629 100644
--- a/.github/workflows/response_templates/validate_response_templates.py
+++ b/.github/workflows/response_templates/validate_response_templates.py
@@ -13,7 +13,7 @@ from jsonschema import validate, ValidationError, Draft7Validator
-def load_openapi_schema(yaml_path: Path, schema_name: str = 'ResponseTemplate') -> Dict[str, Any]:
+def load_openapi_schema(yaml_path: Path, schema_name: str = 'ResponseTemplate', debug: bool = False) -> Dict[str, Any]:
 """Load the OpenAPI YAML file and extract the specified schema."""
 with open(yaml_path, 'r') as f:
 openapi_spec = yaml.safe_load(f)
@@ -44,6 +44,16 @@ def resolve_refs(schema_obj: Any, schemas_dict: Dict) -> Any:
 # Add JSON Schema draft version
 resolved_schema['$schema'] = 'http://json-schema.org/draft-07/schema#'
+ # Debug: dump resolved schema to file (only once per schema)
+ if debug:
+ debug_file = Path(f"debug_{schema_name}_schema.json")
+ if not debug_file.exists():
+ with open(debug_file, 'w') as f:
+ json.dump(resolved_schema, f, indent=2)
+ print(f"🐛 Debug: Resolved schema dumped to {debug_file}")
+ else:
+ print(f"🐛 Debug: Resolved schema already exists at {debug_file}")
+
 return resolved_schema
@@ -101,6 +111,11 @@ def main():
 type=str,
 help='Directory containing merged response template JSON files to validate against ResponseTemplateMerged schema'
 )
+ parser.add_argument(
+ '--debug',
+ action='store_true',
+ help='Dump resolved schemas to JSON files for debugging'
+ )
 args = parser.parse_args()
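Review bot: The dump in the `@@ -44,6 +44,16 @@` hunk is skipped whenever `debug_{schema_name}_schema.json` already exists in the working directory, so after the first run the file silently goes stale while the message only says it "already exists"; anyone editing the OpenAPI spec and re-running with `--debug` would keep inspecting the old resolution. Since this is opt-in debugging output, overwriting is the safer default: drop the `exists()` branch and always `json.dump(resolved_schema, f, indent=2)`. The file is also written relative to the current directory rather than next to the schema or the output, which the `--debug` help text added in the `@@ -101,6 +111,11 @@` hunk could state. load_openapi_schema begins before this hunk.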
@@ -127,7 +142,7 @@ def main():
 print(f"📋 Loading ResponseTemplateManifest schema from {schema_path}")
 try:
- manifest_schema = load_openapi_schema(schema_path, 'ResponseTemplateManifest')
+ manifest_schema = load_openapi_schema(schema_path, 'ResponseTemplateManifest', debug=args.debug)
 print(f"✅ Manifest schema loaded successfully")
 except Exception as e:
 print(f"❌ Error loading manifest schema: {e}")
@@ -153,7 +168,7 @@ def main():
 print(f"\n📋 Loading ResponseTemplateMerged schema from {schema_path}")
 try:
- merged_schema = load_openapi_schema(schema_path, 'ResponseTemplateMerged')
+ merged_schema = load_openapi_schema(schema_path, 'ResponseTemplateMerged', debug=args.debug)
 print(f"✅ ResponseTemplateMerged schema loaded successfully")
 except Exception as e:
 print(f"❌ Error loading merged schema: {e}")
@@ -182,7 +197,7 @@ def main():
 # Load ResponseTemplate schema
 print(f"\n📋 Loading ResponseTemplate schema from {schema_path}")
 try:
- schema = load_openapi_schema(schema_path, 'ResponseTemplate')
+ schema = load_openapi_schema(schema_path, 'ResponseTemplate', debug=args.debug)
 print(f"✅ ResponseTemplate schema loaded successfully")
 except Exception as e:
 print(f"❌ Error loading schema: {e}")
From ded2ba5848f160ef74f9b324d2f769bcc7af39ee Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 10:29:35 -0800 Subject: [PATCH 14/44] Generate merged templates at runtime
---
 .github/workflows/validate-response-templates.yml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml
index 61730e3303..338518e670 100644
--- a/.github/workflows/validate-response-templates.yml
+++ b/.github/workflows/validate-response-templates.yml
@@ -30,6 +30,10 @@ jobs:
 run: |
 pip install pyyaml jsonschema
+ - name: Generate merged response templates
+ run: |
+ python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m
+
 - name: Validate response templates
 run: |
 python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yaml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates
From 79f635f59876c93e209864c79d96fa81c9a65910 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 10:51:36 -0800 Subject: [PATCH 15/44] Rename openAPI spec yaml to yml
---
 .../{mcopenapi_public.yaml => mcopenapi_public.yml} | 0 .../response_templates/validate_response_templates.py | 8 ++++---- .github/workflows/validate-response-templates.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) rename .github/workflows/response_templates/{mcopenapi_public.yaml => mcopenapi_public.yml} (100%)
diff --git a/.github/workflows/response_templates/mcopenapi_public.yaml b/.github/workflows/response_templates/mcopenapi_public.yml similarity index 100% rename from .github/workflows/response_templates/mcopenapi_public.yaml rename to .github/workflows/response_templates/mcopenapi_public.yml
diff --git a/.github/workflows/response_templates/validate_response_templates.py b/.github/workflows/response_templates/validate_response_templates.py
index ef4e8a9629..922cbe5bf1 100644
--- a/.github/workflows/response_templates/validate_response_templates.py
+++ b/.github/workflows/response_templates/validate_response_templates.py
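Review bot: The generated output directory `./response_templates/merged_response_templates` is placed inside the input directory `./response_templates` that the same script and then the validator scan. The script's own scan is file-only (`path.iterdir()` with `is_file()` in template_script.py at this point in the series), so the subdirectory is skipped there, but whether the validator's `-d response_templates` walk descends into it is not visible here; if it does, the merged arrays would be checked against the single-template schema. A path outside the source tree, e.g. `-o ./dist/api/response_templates`, sidesteps the question and also keeps generated artifacts out of the checked-in content directory.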
@@ -1,16 +1,16 @@ #!/usr/bin/env python3 """ Validate response_templates JSON files against the ResponseTemplate schema -defined in mcopenapi_public.yaml +defined in mcopenapi_public.yml """ import argparse import json import sys from pathlib import Path -from typing import Dict, List, Any, Tuple +from typing import Dict, Any, Tuple import yaml -from jsonschema import validate, ValidationError, Draft7Validator +from jsonschema import Draft7Validator def load_openapi_schema(yaml_path: Path, schema_name: str = 'ResponseTemplate', debug: bool = False) -> Dict[str, Any]: @@ -98,7 +98,7 @@ def main(): parser.add_argument( '-s', '--schema', type=str, - default='mcopenapi_public.yaml', + default='mcopenapi_public.yml', help='Path to the OpenAPI YAML schema file' ) parser.add_argument( diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml index 338518e670..442ee67ad7 100644 --- a/.github/workflows/validate-response-templates.yml +++ b/.github/workflows/validate-response-templates.yml @@ -36,4 +36,4 @@ jobs: - name: Validate response templates run: | - python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yaml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates + python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates From 13b27d36da84a65db4a97012f8e217d91dbf1c5c Mon Sep 17 00:00:00 2001 
From: Xiaonan Qi Date: Tue, 25 Nov 2025 13:58:54 -0800 Subject: [PATCH 16/44] Move validation to build.yml --- .github/workflows/build.yml | 6 ++- .../workflows/validate-response-templates.yml | 39 ------------------- 2 files changed, 5 insertions(+), 40 deletions(-) delete mode 100644 .github/workflows/validate-response-templates.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ffde7b1542..f711d5db2c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,10 @@ jobs: contentctl build --enrichments --enforce_deprecation_mapping_requirement mkdir artifacts mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/ + echo "Generate merged response templates and manifest" python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m + echo "Run validation for response templates" + python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates mkdir -p dist/api/response_templates cp response_templates/merged_response_templates/* dist/api/response_templates/ @@ -38,4 +41,5 @@ jobs: with: name: content-latest path: | - artifacts/DA-ESS-ContentUpdate-latest.tar.gz \ No newline at end of file + artifacts/DA-ESS-ContentUpdate-latest.tar.gz + dist/api \ No newline at end of file diff --git a/.github/workflows/validate-response-templates.yml b/.github/workflows/validate-response-templates.yml deleted file mode 100644 index 442ee67ad7..0000000000 --- a/.github/workflows/validate-response-templates.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -name: Validate Response Templates - -on: - pull_request: - types: [opened, reopened, synchronize] - paths: - - 'response_templates/**' - - '.github/workflows/validate-response-templates.yml' - push: - branches: - - develop - paths: - - 'response_templates/**' - - '.github/workflows/validate-response-templates.yml' - -jobs: - validate: - runs-on: ubuntu-latest - steps: - - name: Check out the repository code - uses: actions/checkout@v5 - - - name: Set up Python - uses: actions/setup-python@v6 - with: - python-version: '3.11' - architecture: 'x64' - - - name: Install dependencies - run: | - pip install pyyaml jsonschema - - - name: Generate merged response templates - run: | - python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m - - - name: Validate response templates - run: | - python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates From a8e754ae58471406bff4bd48598c55ef284389bb Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 14:04:02 -0800 Subject: [PATCH 17/44] Use stem to get file name --- .../workflows/response_templates/template_script.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py index b56df635ea..21660d50ee 100644 --- a/.github/workflows/response_templates/template_script.py +++ b/.github/workflows/response_templates/template_script.py 
@@ -46,15 +46,19 @@ def _get_template_mapping(directory):
 if not path.exists() or not path.is_dir():
 raise ValueError(f"The directory {directory} does not exist or is not a directory.")
- files = [f for f in path.iterdir() if f.is_file()]
+ # Check for non-JSON files
+ non_json_files = [f.name for f in path.iterdir() if f.is_file() and f.suffix != '.json']
+ if non_json_files:
+ raise ValueError(f"Non-JSON files found in directory {directory}: {', '.join(non_json_files)}")
+
+ files = [f for f in path.glob("*.json") if f.is_file()]
 if not files:
 raise ValueError(f"No files found in the directory {directory} to merge.")
 template_to_file_mapping = collections.defaultdict(list)
 for file in files:
- file_name_no_ext= file.name.replace(".json", "")
- name_split = file_name_no_ext.rsplit("_v", 1)
+ name_split = file.stem.rsplit("_v", 1)
 if len(name_split) != 2:
 raise ValueError(f"File {file.name} does not match expected pattern '_v'")
 template_name = name_split[0]
From 16523ab91c5f5ea90e06b008882e6c4c2a246d89 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 25 Nov 2025 14:09:50 -0800 Subject: [PATCH 18/44] Fix python package install
---
 .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f711d5db2c..8fd02fcff3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,6 +21,7 @@ jobs:
 run: |
 echo "- Contentctl version - $(cat requirements.txt)"
 pip install -r requirements.txt
+ pip install pyyaml jsonschema
 git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
 git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
From 0db44fcdf68c273b157ab0a398f2a183d4217818 Mon Sep 17 00:00:00 2001
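Review bot: The new non-JSON check treats any file without a `.json` suffix as an error, which includes dotfiles such as `.gitkeep` or an editor's `.DS_Store` (their `suffix` is empty), so a harmless housekeeping file in response_templates would fail the build with the same message as a genuinely stray file. If that strictness is intended it deserves a comment, e.g. `# Any non-.json file, including dotfiles, is rejected so nothing unexpected reaches the merged output`; if not, skip names starting with `.` before the suffix test. The directory is walked twice (`iterdir()` then `glob("*.json")`); a single `iterdir()` pass partitioned by suffix would make the two checks visibly consistent. The enclosing function continues past the hunk.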
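Review bot: `pip install pyyaml jsonschema` in the build.yml hunk pulls whatever versions the index serves at build time, while the line above it installs from `requirements.txt`; the validation outcome, and the artifacts this job uploads, therefore depend on an unpinned resolver result. Pin them the same way as the rest, either by adding both to requirements.txt or with `pip install 'pyyaml==<version>' 'jsonschema==<version>'` (versions to be chosen), ideally under `--require-hashes`. The identical unpinned line is re-added in the new workflow introduced by PATCH 21 (its `@@ -0,0 +1,38 @@` hunk).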
From: Xiaonan Qi Date: Tue, 25 Nov 2025 14:43:47 -0800 Subject: [PATCH 19/44] Update version sorting using int
---
 .github/workflows/response_templates/template_script.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py
index 21660d50ee..2731194ae8 100644
--- a/.github/workflows/response_templates/template_script.py
+++ b/.github/workflows/response_templates/template_script.py
@@ -68,7 +68,10 @@ def _get_template_mapping(directory):
 # Sort each template's version list by version number (ascending order)
 for template_name in template_to_file_mapping:
- template_to_file_mapping[template_name].sort(key=lambda x: float(x[0]))
+ try:
+ template_to_file_mapping[template_name].sort(key=lambda x: int(x[0]))
+ except ValueError:
+ raise ValueError(f"Template '{template_name}' has invalid version(s) that cannot be converted to integer")
 return template_to_file_mapping
From 9cc8381119f40ea58a77390dc80c100a37b24536 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Wed, 26 Nov 2025 09:03:25 -0800 Subject: [PATCH 20/44] Update openAPI spec for version
---
 .../response_templates/mcopenapi_public.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/response_templates/mcopenapi_public.yml b/.github/workflows/response_templates/mcopenapi_public.yml
index f74425db69..d139022a26 100644
--- a/.github/workflows/response_templates/mcopenapi_public.yml
+++ b/.github/workflows/response_templates/mcopenapi_public.yml
@@ -2850,7 +2850,10 @@ components:
 description: Version information for a response template.
 properties:
 version:
- type: number
+ type: integer
+ format: int64
+ minimum: 1
+ maximum: 9999999999999
 example: 2
 update_time:
 type: number
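Review bot: `int(x[0])` in the sort key accepts values that the OpenAPI change in the next hunk rules out: `int("0")`, `int("-3")` and `int("+1")` all succeed although the spec now says `minimum: 1`, and `Foo_v01.json` and `Foo_v1.json` both convert to 1, so two files would silently carry the same version into the merged output with only their sort order telling them apart. Converting once, rejecting non-positive and duplicate versions before sorting, and chaining the original error with `from e` keeps the offending token in the traceback; the rewrite below keeps the stored tuples unchanged so the callers outside the hunk are unaffected. The rest of `_get_template_mapping` lies outside the hunk.
```python
# Sort each template's version list by version number (ascending order)
for template_name, entries in template_to_file_mapping.items():
    try:
        numbers = [int(v) for v, _ in entries]
    except ValueError as e:
        raise ValueError(f"Template '{template_name}' has invalid version(s) that cannot be converted to integer") from e
    if any(n < 1 for n in numbers):
        raise ValueError(f"Template '{template_name}' has a version below 1")
    if len(set(numbers)) != len(numbers):
        raise ValueError(f"Template '{template_name}' has duplicate versions")
    entries.sort(key=lambda x: int(x[0]))
# … unchanged: return template_to_file_mapping …
```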
@@ -2915,8 +2918,11 @@ components: example: "d81ff75d-d9fe-4618-9752-e2840e5aa147" version: description: The response plan version. - type: number - example: 2.0 + type: integer + format: int64 + minimum: 1 + maximum: 9999999999999 + example: 2 is_default: description: Whether or not the response plan is a default plan. type: boolean @@ -2969,7 +2975,7 @@ components: example: { "id": "d81ff75d-d9fe-4618-9752-e2840e5aa147", - "version": 2.0, + "version": 2, "is_default": false, "name": "Test Response plan", "description": "This is a response plan created by a user", @@ -3099,7 +3105,10 @@ components: format: uuid version: description: The version of the response plan. - type: number + type: integer + format: int64 + minimum: 1 + maximum: 9999999999999 example: 1 is_default: description: Whether or not the response plan is the default plan. From 77f60a02de30e10df5bc773132d437d9a7f15d4a Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 2 Dec 2025 13:38:42 -0800 Subject: [PATCH 21/44] Move build response templates to separate workflow --- .../workflows/build-response-templates.yml | 38 +++++++++++++++++++ .github/workflows/build.yml | 7 ---- 2 files changed, 38 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/build-response-templates.yml diff --git a/.github/workflows/build-response-templates.yml b/.github/workflows/build-response-templates.yml new file mode 100644 index 0000000000..c042c81bcd --- /dev/null +++ b/.github/workflows/build-response-templates.yml 
@@ -0,0 +1,38 @@ +name: build +on: + pull_request: + types: [opened, reopened, synchronize] + push: + branches: + - develop +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Check out the repository code + uses: actions/checkout@v5 + + - uses: actions/setup-python@v6 + with: + python-version: '3.11' + architecture: 'x64' + + - name: Install Python Dependencies + run: | + pip install pyyaml jsonschema + + - name: Running build for response templates + run: | + echo "Generate merged response templates and manifest" + python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m + echo "Run validation for response templates" + python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates + mkdir -p dist/api/response_templates + cp response_templates/merged_response_templates/* dist/api/response_templates/ + + - name: store_artifacts + uses: actions/upload-artifact@v5 + with: + name: response-templates + path: | + dist/api/response_templates \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8fd02fcff3..9d4b739e4f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,6 @@ jobs: run: | echo "- Contentctl version - $(cat requirements.txt)" pip install -r requirements.txt - pip install pyyaml jsonschema git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti 
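Review bot: The new workflow declares no `permissions:` block, so the job token receives the repository's default scope although the steps only check out, run two scripts and upload an artifact; a top-level `permissions:` with `contents: read` limits it to what the job uses. The validate workflow this replaces (deleted in PATCH 16) restricted itself with `paths:` filters to `response_templates/**`, whereas this one triggers on every pull request and every push to develop, which may be intended but is a silent widening. The three actions are referenced by floating major tags (`actions/checkout@v5`, `actions/setup-python@v6`, `actions/upload-artifact@v5`); pinning each to a full commit SHA with the tag in a trailing comment removes the tag-rewrite exposure. The `pip install pyyaml jsonschema` step repeats the unpinned install already raised on the PATCH 18 hunk.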
@@ -30,12 +29,6 @@ jobs: contentctl build --enrichments --enforce_deprecation_mapping_requirement mkdir artifacts mv dist/DA-ESS-ContentUpdate-latest.tar.gz artifacts/ - echo "Generate merged response templates and manifest" - python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m - echo "Run validation for response templates" - python .github/workflows/response_templates/validate_response_templates.py -s .github/workflows/response_templates/mcopenapi_public.yml -d response_templates -m response_templates/merged_response_templates/manifest.json --merged-dir response_templates/merged_response_templates - mkdir -p dist/api/response_templates - cp response_templates/merged_response_templates/* dist/api/response_templates/ - name: store_artifacts uses: actions/upload-artifact@v5 From c42b590bc40110e5822f2fb5a216b3bf1eb968e1 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 2 Dec 2025 13:40:33 -0800 Subject: [PATCH 22/44] Fix naming in build-response-templates.yml --- .github/workflows/build-response-templates.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-response-templates.yml b/.github/workflows/build-response-templates.yml index c042c81bcd..bbdc3eeeef 100644 --- a/.github/workflows/build-response-templates.yml +++ b/.github/workflows/build-response-templates.yml @@ -1,4 +1,4 @@ -name: build +name: build response templates on: pull_request: types: [opened, reopened, synchronize] @@ -6,7 +6,7 @@ on: branches: - develop jobs: - build: + build-response-templates: runs-on: ubuntu-latest steps: - name: Check out the repository code 
@@ -21,7 +21,7 @@ jobs: run: | pip install pyyaml jsonschema - - name: Running build for response templates + - name: Running build and validation for response templates run: | echo "Generate merged response templates and manifest" python .github/workflows/response_templates/template_script.py -d ./response_templates -o ./response_templates/merged_response_templates -m From 5f1044d38ecb79a5d12cf25c39ea17aa5b491094 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 9 Dec 2025 14:18:43 -0800 Subject: [PATCH 23/44] Update response templates to the ones for first release --- response_templates/AccountCompromise.json | 1 + response_templates/DataBreach.json | 1 + .../GenericIncidentResponse_v1.json | 1 - response_templates/NIST80061.json | 1 + .../NetworkIndicatorEnrichment.json | 1 + response_templates/SuspiciousEmail.json | 1 + response_templates/SuspiciousEmail_v1.json | 1 - response_templates/TestMultiVersion_v4.json | 50 ------------------- response_templates/TestMultiVersion_v5.json | 1 - 9 files changed, 5 insertions(+), 53 deletions(-) create mode 100644 response_templates/AccountCompromise.json create mode 100644 response_templates/DataBreach.json delete mode 100644 response_templates/GenericIncidentResponse_v1.json create mode 100644 response_templates/NIST80061.json create mode 100644 response_templates/NetworkIndicatorEnrichment.json create mode 100644 response_templates/SuspiciousEmail.json delete mode 100644 response_templates/SuspiciousEmail_v1.json delete mode 100644 response_templates/TestMultiVersion_v4.json delete mode 100644 response_templates/TestMultiVersion_v5.json diff --git a/response_templates/AccountCompromise.json b/response_templates/AccountCompromise.json new file mode 100644 index 0000000000..b6d2ea8ae1 --- /dev/null +++ b/response_templates/AccountCompromise.json 
@@ -0,0 +1 @@ +{"id": "a0258b7f-87c3-4815-8203-b55512d7fb6c", "create_time": 1765306633.4014366, "update_time": 1765306633.4014366, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 13, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765306633.4034715, "update_time": 1765306768.469428, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765306768.467449, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765306768.4677045, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20trackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765306768.4679203, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765306768.468118, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765306768.4683, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765306768.468481, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765306768.4686725, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765306768.468874, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765306768.4691083, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765306768.4692936, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765306633.4041102, "update_time": 1765306768.4701042, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765306768.4695702, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765306768.4697595, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765306768.4699776, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765306633.4046884, "update_time": 1765306768.4707205, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765306768.4702713, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765306768.4704757, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765306768.470632, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "a0258b7f-87c3-4815-8203-b55512d7fb6c"}
\ No newline at end of file
diff --git a/response_templates/DataBreach.json b/response_templates/DataBreach.json
new file mode 100644
index 0000000000..a902d3a423
--- /dev/null
+++ b/response_templates/DataBreach.json
@@ -0,0 +1 @@
+{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1764862877.558638, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 12, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765221299.7395632, "update_time": 1765221644.2423606, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765221644.2419975, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765221644.2421408, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765221644.2422879, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765221299.7402437, "update_time": 1765221644.242738, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765221644.2424421, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765221644.242574, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765221644.2426631, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765221299.740702, "update_time": 1765221644.2430031, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765221644.2428167, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765221644.2429323, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765221299.7409556, "update_time": 1765221644.2431514, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765221644.2430809, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20trackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765221299.7413394, "update_time": 1765221644.2433846, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765221644.2432458, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765221644.2433343, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765221299.741549, "update_time": 1765221644.2435148, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765221644.2434611, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"}
\ No newline at end of file
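Review bot: The `description` values in this template are encoded two different ways — most are percent-encoded (`%20`, `%0A`, `%5B…%5D(…)` Markdown links) while the `Determine mitigations and remediations`, `Identify appropriate stakeholders`, `Send reports` and `Prevent future breaches` tasks are plain text — so a consumer has to guess per task whether to URL-decode, and a literal `%` in a plain-text description would be mangled by a decoder that assumes the encoded form; pick one representation for the whole file, presumably by normalizing in whatever step produces these exports. Two content defects sit in the encoded text: the `Measure the size and scope` task has `Port%20and%20protocol%20trackerDashboard` (missing space before `Dashboard`), and the `Identify likely means of exfiltration` task links `https://attack.mitre.org/wiki/Persistence`, which looks like the old wiki URL scheme and in any case names the Persistence tactic rather than Exfiltration — the Exfiltration tactic page is `https://attack.mitre.org/tactics/TA0010/`, in the same `tactics/TAxxxx/` form the preceding template's `Detect persistent system access` task already uses. Several numbered items also carry a doubled `%20%20` after the ordinal and `%5B%20Palo%20Alto%5D` has a leading space inside the link text, both of which render as stray whitespace in the UI. Since these templates are published content that analysts act on during an incident, a validation step that parses each file, checks that every description decodes cleanly, and flags non-`https` or non-`/app/` link targets would catch these before they ship.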
diff --git a/response_templates/GenericIncidentResponse_v1.json b/response_templates/GenericIncidentResponse_v1.json
deleted file mode 100644
index ce9cbf6868..0000000000
--- a/response_templates/GenericIncidentResponse_v1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "5d656a90-fe91-4c8f-8460-fa2599a17f75", "create_time": 1762280887.4139671, "update_time": 1762280887.4139671, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "2d4ceaab-2ab3-4e61-8997-2eec7b612c7b", "create_time": 1762280887.4145086, "update_time": 1762280887.414509, "name": "Detection", "order": 1, "tasks": [{"id": "8c73eaa4-8928-40de-8e3b-e130efc01bb8", "create_time": 1762280887.4141092, "update_time": 1762280887.41411, "name": "Report incident response execution", "order": 1, "tag": "e8d26ce8-a004-4621-8b40-0e95acd7638b", "description": "Alert appropriate parties that incident response is starting.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "feec4f53-67ef-405d-baf4-2c8a3ca8b486", "create_time": 1762280887.414233, "update_time": 1762280887.4142334, "name": "Document associated events", "order": 2, "tag": "afb0e39b-9bfe-4d02-a090-e3b9ca2386de", "description": "This is the escalation. Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "72a39d10-2941-4451-8973-7c82d9055cff", "create_time": 1762280887.4143443, "update_time": 1762280887.4143448, "name": "Document known attack surface and attacker information", "order": 3, "tag": "46211e09-e553-4c9f-a9a8-8383fec880a5", "description": "Rough triage of the situation. 
No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5ae0daa1-b86a-4a60-93a1-20c8b5d963c2", "create_time": 1762280887.4144528, "update_time": 1762280887.4144533, "name": "Assign roles", "order": 4, "tag": "e70408a7-3062-474a-aaf0-460402f16f29", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f546ee59-0988-4b55-8166-8cac2a64b76f", "create_time": 1762280887.41606, "update_time": 1762280887.4160604, "name": "Analysis", "order": 2, "tasks": [{"id": "a8acff10-07f5-49af-a103-ce864235994b", "create_time": 1762280887.414614, "update_time": 1762280887.4146142, "name": "Research intelligence resources", "order": 1, "tag": "c291654f-4616-4cde-afcb-5f7352d3fb6c", "description": "Find out if this attacker is a known agent and gather associated tactics, techniques, and procedures (TTP) used.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4d7b78f-1cd0-47c2-b0e3-40933395688a", "create_time": 1762280887.4147215, "update_time": 1762280887.414722, "name": "Research proxy logs", "order": 2, "tag": "0c56f2ef-fa23-48f6-abe8-7e42ae12716c", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"c5cee5b9-2ad7-4144-aa85-d746bae679ed", "create_time": 1762280887.41483, "update_time": 1762280887.4148307, "name": "Research firewall logs", "order": 3, "tag": "60405c0a-cbbf-4034-a4ec-d4f6f467b6e0", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92f68bd6-3b7d-4a58-ad55-4b3a36369526", "create_time": 1762280887.41496, "update_time": 1762280887.4149606, "name": "Research OS logs", "order": 4, "tag": "a8939de4-a990-4adf-83c6-d93f5b378ff1", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "61816baa-fc24-4f38-a6cd-7626561b48ff", "create_time": 1762280887.4152095, "update_time": 1762280887.41521, "name": "Research network logs", "order": 5, "tag": "027f7da1-76e1-4466-be1d-4b40771de133", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4811036e-781a-4885-bf38-32729a1a0ba1", "create_time": 1762280887.4153204, "update_time": 1762280887.4153206, "name": "Research endpoint protection logs", "order": 6, "tag": "afc28267-6231-4db6-a005-accabb008c7a", "description": "Find and document any evidence linked to attacker actions.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"79900180-4caf-4d96-9290-968d9f5aec84", "create_time": 1762280887.4154315, "update_time": 1762280887.415432, "name": "Determine infection vector", "order": 7, "tag": "af4db0e8-d1ac-4d98-82ec-939fa5d47a0b", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "09087e70-fd26-4484-b92a-33c8728d8719", "create_time": 1762280887.415541, "update_time": 1762280887.4155414, "name": "Document all attack targets", "order": 8, "tag": "14552467-8504-4196-9c18-46c68995c590", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a9878c0-5626-4350-a0b6-cd5fef767dda", "create_time": 1762280887.4156528, "update_time": 1762280887.4156535, "name": "Document all attacker sources and TTP", "order": 9, "tag": "9a83e045-a686-423a-b80b-1c7906d8b7b0", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3986bf6d-fc23-4296-8dbe-d2b7117c9ec3", "create_time": 1762280887.4157624, "update_time": 1762280887.415763, "name": "Document infected devices", "order": 10, "tag": "5888de1b-61c8-4ea4-90d8-aeb01ec4682f", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "c7044f3e-f58b-4dcb-b1f2-c595a214ff9d", "create_time": 1762280887.4158719, "update_time": 1762280887.4158723, "name": "Determine full impact of attack", "order": 11, "tag": "b0cf76ae-1c67-4737-bf00-170971be80f3", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ca532eca-d263-4af9-9391-6d35b63c3627", "create_time": 1762280887.4160035, "update_time": 1762280887.4160042, "name": "Analyze malware samples", "order": 12, "tag": "e3b989b5-df17-4324-880d-10a5ac6c441d", "description": "Analyze discovered malware and document indicators of compromise (IOCs).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9bf6f73e-a5da-49ac-87a7-a2469155cf7b", "create_time": 1762280887.4164388, "update_time": 1762280887.4164393, "name": "Containment", "order": 3, "tasks": [{"id": "8bb468b3-8ac7-4e49-86d8-ca1513550c47", "create_time": 1762280887.4161665, "update_time": 1762280887.416167, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "28d74f7a-1aaf-4f44-8245-ed62a4720046", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d512b582-b030-486a-86b0-a8e656ea4542", "create_time": 1762280887.416276, "update_time": 1762280887.4162762, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": 
"18ed5b52-40e5-4dc7-b3c5-09c85a8a4cca", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "002fc36e-8a96-40c9-8a1d-b38d4f57b61b", "create_time": 1762280887.416384, "update_time": 1762280887.4163842, "name": "Contain incident", "order": 3, "tag": "a34be9ce-1ac5-4b35-9720-f3d50a33243b", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f9af170b-9aa7-4914-9e7c-59ba2128d1da", "create_time": 1762280887.41683, "update_time": 1762280887.4168303, "name": "Eradication", "order": 4, "tasks": [{"id": "16fd1501-b42b-440f-a2d2-54e698e12892", "create_time": 1762280887.4165573, "update_time": 1762280887.4165576, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "d9e85137-1503-4f1f-8765-c580516814cb", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e43e6862-a78b-4eef-b5b1-63782650ea28", "create_time": 1762280887.4166672, "update_time": 1762280887.4166675, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "b6ef4c01-da86-4383-80c2-bf565a7124e3", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3b9148a5-2780-4eb9-9e21-908163e62d7a", "create_time": 1762280887.4167752, "update_time": 1762280887.4167757, "name": "Repeat analysis and containment on any newly discovered 
infected hosts", "order": 3, "tag": "9f3c7353-cc4b-4e1f-8f89-ccd153468278", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d9ad55cf-ece3-4090-bf43-5ef24995a891", "create_time": 1762280887.4172246, "update_time": 1762280887.4172251, "name": "Recovery", "order": 5, "tasks": [{"id": "7f3ccff8-bd53-44b4-8ef3-cc333aa1c6e1", "create_time": 1762280887.4169493, "update_time": 1762280887.4169497, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "dec11e17-d2b6-41e4-8490-a500262e1991", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0209cfd0-91b3-4d4c-a8a6-266cf0a2302d", "create_time": 1762280887.4170604, "update_time": 1762280887.4170609, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "cb1b051b-25d0-4fd3-b4bb-85c16c19d55b", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f55fd9d7-8fd5-4920-90e5-34bc82625e80", "create_time": 1762280887.4171677, "update_time": 1762280887.417168, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "59e40624-72dd-498a-bd4c-297cace98c29", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], 
"searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ec68a4cd-daca-4bc0-848b-b586a070c8e4", "create_time": 1762280887.4176192, "update_time": 1762280887.4176197, "name": "Post", "order": 6, "tasks": [{"id": "f6565b96-cd55-4264-b509-908e52a29e3a", "create_time": 1762280887.4173315, "update_time": 1762280887.4173317, "name": "Schedule after-action review meeting", "order": 1, "tag": "515c3f1b-d0ee-4866-8980-7704cd34c6d7", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e5e2f646-64bb-4c59-b10d-c497625327fd", "create_time": 1762280887.4174387, "update_time": 1762280887.417439, "name": "Generate incident response action report", "order": 2, "tag": "00fe59eb-19cd-45dc-ac55-66dfd78e3dbd", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d74ad240-caa8-4c00-91ab-ab033e7f38a1", "create_time": 1762280887.4175637, "update_time": 1762280887.4175642, "name": "Report incident response complete", "order": 3, "tag": "f8bfdc47-6329-4465-a93f-47e6fbadd006", "description": "Alert appropriate parties that incident response is complete.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "7bd3e9e3-414a-4075-8846-8573bc637192", "active": true, "used": false, "_user": "nobody", "_key": "5d656a90-fe91-4c8f-8460-fa2599a17f75"} \ No newline at end of file 
diff --git a/response_templates/NIST80061.json b/response_templates/NIST80061.json
new file mode 100644
index 0000000000..d9e0c2cb92
--- /dev/null
+++ b/response_templates/NIST80061.json
@@ -0,0 +1 @@ +{"id": "d081a248-71b1-49b3-8d3b-5bf932aac6ba", "create_time": 1765306151.1518192, "update_time": 1765306151.1518192, "name": "NIST 800-61: Computer Security Incident Handling Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 11, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765306151.1526241, "update_time": 1765306151.1526246, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765306151.151944, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765306151.1522639, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, 
{"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765306151.1523738, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765306151.1524687, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765306151.152571, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765306151.1532724, "update_time": 1765306151.1532726, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765306151.1526983, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765306151.1527815, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765306151.1528761, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765306151.152965, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765306151.1530511, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765306151.1531591, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765306151.1539435, "update_time": 1765306151.153944, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765306151.1536345, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765306151.1537821, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765306151.1538804, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765306151.1542614, "update_time": 1765306151.1542616, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765306151.1540172, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765306151.1540995, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765306151.1542017, "name": "Implement additional monitoring", 
"order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765306151.154456, "update_time": 1765306151.1544561, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765306151.1543307, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765306151.1544108, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "d081a248-71b1-49b3-8d3b-5bf932aac6ba"} \ No newline at end of file diff --git a/response_templates/NetworkIndicatorEnrichment.json b/response_templates/NetworkIndicatorEnrichment.json new file mode 100644 index 0000000000..3ffb9b103f --- /dev/null +++ b/response_templates/NetworkIndicatorEnrichment.json 
@@ -0,0 +1 @@ +{"id": "b11a7ee4-e88a-44be-b8a2-d1609606bcae", "create_time": 1764862847.6611986, "update_time": 1765305936.2209468, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 5, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765305842.3859305, "update_time": 1765305842.3859313, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765305842.3846803, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765305842.384996, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765305842.3853111, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765305842.3855665, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765305842.3857915, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "b11a7ee4-e88a-44be-b8a2-d1609606bcae"} \ No newline at end of file diff --git a/response_templates/SuspiciousEmail.json b/response_templates/SuspiciousEmail.json new file mode 100644 index 0000000000..b2fb58f193 --- /dev/null +++ b/response_templates/SuspiciousEmail.json 
@@ -0,0 +1 @@ +{"id": "6683e5de-56c3-4105-8eb1-2eafc6f2dc5a", "create_time": 1764964076.462259, "update_time": 1764964076.462259, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 29, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1764964076.4629169, "update_time": 1764964179.6376007, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1764964179.6372583, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1764964179.6373959, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1764964179.6375475, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1764964076.4637728, "update_time": 1764964179.6384258, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1764964179.637681, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1764964179.6378467, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1764964179.6379743, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1764964179.6380632, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1764964179.6381621, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1764964179.6383374, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1764964076.4645069, "update_time": 1764964179.638931, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1764964179.6385055, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1764964179.6386268, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20protocol%20tracker%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1764964179.6387417, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1764964179.638862, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1764964076.4651353, "update_time": 1764964179.6395993, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1764964179.6390114, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1764964179.6391416, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1764964179.639291, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1764964179.6394064, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1764964179.639517, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1764964076.4654303, "update_time": 1764964179.6398683, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1764964179.639679, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20protocol%20tracker%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1764964179.6397936, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1764964076.466061, "update_time": 1764964179.640515, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1764964179.6399481, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1764964179.6400516, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1764964179.6401603, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": "If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1764964179.6402876, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1764964179.6403775, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1764964179.6404653, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "6683e5de-56c3-4105-8eb1-2eafc6f2dc5a"}
\ No newline at end of file
diff --git a/response_templates/SuspiciousEmail_v1.json b/response_templates/SuspiciousEmail_v1.json
deleted file mode 100644
index c4c37061c4..0000000000
--- a/response_templates/SuspiciousEmail_v1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "1e541fb9-a309-45f6-8593-7e6e68d934b4", "create_time": 1762280887.1842365, "update_time": 1762280887.1842365, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "Splunk", "updated_by": "Splunk", "is_default": true, "version": 1, "phases": [{"id": "4b401ecf-a89f-463d-928d-4226f8039bdb", "create_time": 1762280887.184704, "update_time": 1762280887.1847045, "name": "Ingestion", "order": 1, "tasks": [{"id": "ee54e4eb-e532-4a92-a81e-b398920e48d9", "create_time": 1762280887.1843824, "update_time": 1762280887.184383, "name": "Create ticket", "order": 1, "tag": "fb454299-42f6-4bf2-9cbc-3d48c213dbe2", "description": "Create any necessary tickets or tracking documents describing the initial conditions of the suspicious email investigation. 
As additional information is collected or actions are taken in the following tasks and phases, update the ticket with links and relevant information to allow collaboration and tracking.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4d5b3e5f-26fa-4fc8-a9db-c403132fddbd", "create_time": 1762280887.1845334, "update_time": 1762280887.1845338, "name": "Ingest email", "order": 2, "tag": "3bebd6f0-e226-4f1e-92b5-ae11273fb627", "description": "Identify and ingest the suspicious email into Splunk Mission Control. Actual steps vary depending on how you create the Splunk Mission Control notable and where the suspicious email resides. For example, if you had a Splunk Enterprise Security correlation search running to identify suspicious emails, and forward those notable events to Splunk Mission Control as notables, you have many of the useful artifacts needed to investigate the email. If you need additional metadata, you can run the \"get email\" action to retrieve it, or the \"extract email\" action to add the email to Splunk Mission Control if it is in the .msg or .eml format. 
Or for example, if you send suspicious emails to a dedicated email address for suspected phishing attempts, you can use a connector such as IMAP, EWS for Exchange, EWS for OFfice, or GSuite for GMail to poll that inbox directly and send the suspicious email to Splunk Mission Control as a notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e0c57817-caed-4f30-9123-24ea2768b208", "create_time": 1762280887.1846468, "update_time": 1762280887.1846473, "name": "Extract actionable metadata and files", "order": 3, "tag": "160eb657-d056-4b16-9ed5-1742364948b3", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "f5991490-8540-4566-b7cc-6d88ad5b87cc", "create_time": 1762280887.1854346, "update_time": 1762280887.185435, "name": "External Investigation", "order": 2, "tasks": [{"id": "44bdcadb-2a0e-4b00-b4e8-5546e7ec0cc2", "create_time": 1762280887.1848118, "update_time": 1762280887.184812, "name": "Investigate URLs", "order": 1, "tag": "e0ea0bb0-f087-4d81-b2a7-a9899d287bda", "description": "Perhaps the most common email attack vector is a clickable link that brings a user to a malicious website. The malicious website might collect credentials or other confidential information, attempt to exploit the user's browser, lead the user to download a malicious file, or gather preliminary fingerprint information about the user to inform further operations. Investigate all URLs contained in the suspicious email using a mix of automated and manual techniques. Query threat intelligence services and other sources of reputation information to see if the URLs are linked to known malicious activity. Check the categorization of the URLs and their popularity using services such as Censys or Alexa. Determine whether the URL is spoofing a brand using a similar spelling, a unicode substitution, or an out-of-order domain name. Also consider using a less passive technique that analyzes the current state of the URL, such as a sandboxed URL detonation, a website scanning tool such as urlscan.io or SSL Labs, a manual inspection from a sandboxed environment, or a website screenshot engine such as Screenshot Machine. 
Consider that targeted attacks might only reveal the malicious behavior of a website if the user agent and/or the source address of the request matches the target environment. The output of this task might be more linked URLs, the domain names of the underlying servers responding to the request, other domain names used by the website, IP addresses, or downloadable files. All of the above should be passed on to further investigative tasks if needed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "008e7332-8c23-4b8b-961b-de2a5bee1811", "create_time": 1762280887.1849227, "update_time": 1762280887.184923, "name": "Investigate file attachments", "order": 2, "tag": "b4379132-c701-4bcc-80f0-b7a19f8b854a", "description": "Another common email attack vector is a malicious file attachment. Any file could be malicious, but most attacks involve executables, scripts, or documents. Investigate these files using either a whole copy of the file or the file hash. Query threat intelligence and reputation databases using the hash to see if the file has been seen before, to see if there is suspicious activity associated with the file, and to learn more about the file's behavior. Query for previous analyses or submit the file for examination in a dynamic or static tool to check for potentially malicious behaviors or properties. 
Actions used for this task might extract associated URLs, domain names, IP addresses, or secondary file hashes which can be explored further in other tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf94fe65-6dce-40d0-87bf-35c57eb93506", "create_time": 1762280887.1850498, "update_time": 1762280887.1850502, "name": "Investigate email addresses and headers", "order": 3, "tag": "4695b6fb-a152-4585-b44c-4b8d95055a25", "description": "The source email address and other headers contain a wide variety of information about the source environment of the email and the infrastructure used to send and receive it. Use a mix of automated and manual analysis to determine where the email came from and whether it uses headers in a suspicious way. Query threat intelligence and reputation databases using the \"From\", \"Sender\", and \"Reply-to\" addresses, as well as any other email addresses in the other header fields. Compare the display names of these fields to the actual values to see if misleading names are used. Check if the servers that received the email marked it with the appropriate authentication results for SPF, DKIM, and/or DMARC. If needed use Microsoft Message Header Analyzer, MxToolbox, or other tools to interpret the remaining headers. 
Outputs of this task such as domain names and IP addresses can be passed on to further tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "46a2ebf5-94e6-4d12-8495-fcdc7969957d", "create_time": 1762280887.1851606, "update_time": 1762280887.185161, "name": "Investigate domains", "order": 4, "tag": "cef512e6-19b6-4887-8ce0-124d69a7fde4", "description": "At this point domain names from various sources should be collected in the notable, including email sending and receiving servers, web servers from URLs in the email, domains associated to other indicators in threat intelligence databases, and domains contained in the file attachment or detected by the detonation of the file attachment. Check each of these against threat intelligence and reputation databases, passive DNS trackers, whois services, and other information services. Look for known malicious or unknown domains, focusing more on those associated to clickable URLs and file attachments. Evaluate what services are running on each suspicious domain using a scanning service such as Censys or Shodan. Check the TLS certificate (if applicable), website categorization, popularity, and any other available information. Compare this information to the expected outcome given the alleged context of the email. For unknown domains, consider the domain history, the hosting provider, and whether the domain name appears to have been dynamically generated. 
IP addresses currently and previously associated with the domain should be further processed elsewhere in your investigation.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6801061-372c-4e0e-9bab-009e78ea8d59", "create_time": 1762280887.1852703, "update_time": 1762280887.1852708, "name": "Investigate IP addresses", "order": 5, "tag": "6e0691b6-82b2-442c-88f8-da26f59eb8b3", "description": "IP addresses may be involved in this investigation for several reasons. Some email headers can contain IP addresses (such as X-Originating-IP), URLs can contain IP addresses instead of hostnames, file attachments can contain IP addresses or generate IP addresses and try to connect to them (like domain generation algorithms), and IP addresses can be added to the notable through association or domain name resolution in other tasks within this investigation. Consider IP addresses in URLs that are not internal IP addresses for the organization highly suspicious. Investigate all suspicious IP addresses by checking the reputation, geolocation, whois record, DNS history, and by gathering information from other available services.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ccae86ab-acd7-48bd-acf8-e823b3894fe6", "create_time": 1762280887.1853795, "update_time": 1762280887.1853797, "name": "Investigate email subject and body", "order": 6, "tag": "21c70d94-3a33-4295-8711-a272b31940d1", "description": "The subject and body of an email can be malicious without containing a single URL or file attachment. 
Examples include emails that ask the receiver to reply with confidential information, contain instructions to do insecure things, manipulate automated systems that are parsing the email, or prime the receiver for other interactions. Malicious emails often use current events such as tax season, a hurricane, or other publicly available information to establish a sense of trust or an illusion of urgency. Social engineering is perhaps the hardest technique to detect in an automated fashion, often requiring manual investigation. Consider the context of the message, the intended recipient, and the identity of the sender or alleged sender. It might be necessary to ask the recipient user if they think the email is legitimate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4ee204f8-d5e9-4158-9f5f-3d898dcfd32a", "create_time": 1762280887.1859224, "update_time": 1762280887.1859229, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "605d29ce-9d16-4882-ba5b-2811f6bf4efc", "create_time": 1762280887.1855412, "update_time": 1762280887.1855416, "name": "Hunt email activity", "order": 1, "tag": "efae43b9-0c49-41b5-bb71-687f359ff73f", "description": "Find other similar emails sent into the organization based on the sender address, sender domain, subject, embedded URLs, file attachments, or other similar attributes shared across multiple emails. If possible determine which emails were opened, forwarded, deleted, marked as spam, or reported as potential phishing. Consider which types of users are targeted and why. 
Also check whether internal users replied to the emails and what information was contained in the replies.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8dab7fc-c86f-43a0-be73-80ba587c8bdb", "create_time": 1762280887.1856506, "update_time": 1762280887.1856513, "name": "Hunt network activity", "order": 2, "tag": "c90df879-0c52-487c-9dd7-be88e7900c9c", "description": "Based on previously collected information, try to determine whether or not URLs in the email were clicked, phishing websites were visited, or other suspicious network connections were made from the computers of users who opened the email. This can be done using many types of network monitoring, including netflow, full packet capture, DNS logging, and/or endpoint monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a26c5093-d4e3-4b3a-8173-cfa05701ec2c", "create_time": 1762280887.1857598, "update_time": 1762280887.1857603, "name": "Hunt file executions", "order": 3, "tag": "a644ccc1-8034-4299-97c8-506179a3402e", "description": "If the email included a file attachment, try to determine which users downloaded the attachment and which users executed it or opened it in some other way. Use the file hash of the attachment to search across endpoint monitoring or network monitoring solutions for the transmission and/or execution of the file. If executions are detected, try to determine the behavior of the created process. 
If a potentially malicious document or other file type was opened, try to determine which application opened it and whether the file exploited or abused the opening application.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "48be613f-36ae-42ab-bd35-e4ec600c3c95", "create_time": 1762280887.1858678, "update_time": 1762280887.185868, "name": "Hunt user activity", "order": 4, "tag": "e541c4de-a76f-4917-b8ba-960a16653fc5", "description": "If a phishing attempt or other user account compromise attempt is suspected, investigate how the credentials or account access are being used. Enumerate resources available to the account and search the access logs for those resources, looking for anomalous usage patterns.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d7b7765f-e5b3-4122-8791-f6274f6ba85e", "create_time": 1762280887.186552, "update_time": 1762280887.1865525, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "90905d2d-4247-462b-843a-d9f4fd9ec717", "create_time": 1762280887.186041, "update_time": 1762280887.1860416, "name": "Block or monitor email activity", "order": 1, "tag": "42060fc0-5ae2-4f15-a7f4-6bf4ed364733", "description": "If specific malicious emails have been identified, delete them from any mailboxes in which they still pose a threat. Similarly, if a sender address or an entire sender domain is found to be malicious, block inbound email from that source. 
Set filtering rules to block inbound email or increase monitoring of email based on other detected characteristics of an email campaign or malicious technique.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0066f95-2fe4-4d25-ae51-cbc559e0cc8a", "create_time": 1762280887.1861491, "update_time": 1762280887.1861496, "name": "Block or monitor network activity", "order": 2, "tag": "1081b34c-8234-411b-b1ec-ed0205fa4eb8", "description": "Based on gathered indicators and metadata, block or increase monitoring of malicious network connections associated with the suspicious email. Prevent other receivers of similar phishing emails from accessing the clickable URL by blocking that URL itself, the underlying domain name, and/or the underlying IP addresses. If malware or unwanted software was detected, block outbound connections known to be associated with that malware based on threat intelligence or dynamic analysis. If the threat is severe enough, consider isolating entire portions of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f8575450-6ad7-4880-ae94-1792d9cc8906", "create_time": 1762280887.1862686, "update_time": 1762280887.1862693, "name": "Block or monitor file executions", "order": 3, "tag": "872a713a-a687-404f-8e12-c432c99938ab", "description": "Based on gathered indicators and metadata, block or increase monitoring of endpoint activity caused by the suspicious email. 
This could mean blocking the hash of the file attachment, blocking the hash of a file downloaded from a URL in an email, blocking a malicious hash associated with the email by threat intelligence, or blocking secondary executions such as dropped stages of malware identified from dynamic analysis.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d102f2c9-b977-4016-af6a-605da7a1626b", "create_time": 1762280887.1863873, "update_time": 1762280887.1863878, "name": "Contain endpoints", "order": 4, "tag": "07490733-2250-4a3e-8ba9-9107abdfa10e", "description": "If an endpoint compromise is suspected, it might be necessary to quarantine or otherwise contain that endpoint until further investigation and remediation can be done. Consider the criticality of the system and the likelihood of a compromise. In other cases, simply increasing the monitoring or scanning for more information can be prudent.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "85721cac-d2d0-4a9f-90fc-1969fb38a3b4", "create_time": 1762280887.1864965, "update_time": 1762280887.186497, "name": "Contain user accounts", "order": 5, "tag": "ae12b741-8e83-4e23-9e8c-7f461f9c891a", "description": "If a user account compromise is suspected, it might be necessary to reset the credentials, reduce the account privileges, or disable the account until further investigation is completed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "3ea7502b-d251-4562-a489-4bec4c16300d", "create_time": 1762280887.1868212, "update_time": 
1762280887.1868217, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "00adbace-3659-4464-a606-85658daf13e5", "create_time": 1762280887.186658, "update_time": 1762280887.1866581, "name": "Analyze network activity", "order": 1, "tag": "6790fca4-5cf6-40bf-b425-2e9c547acb0b", "description": "Perform any resource-intensive analysis of network activity left over from the External Investigation and Internal Hunting phases. This might mean full packet capture collection and analysis, sandbox detonation of URLs, long-running queries of network history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c9917bdc-f49f-40a3-a297-82843edcc56c", "create_time": 1762280887.1867664, "update_time": 1762280887.1867669, "name": "Analyze endpoint activity", "order": 2, "tag": "c0e4e6fc-d6a3-48a3-80ad-17e6f3d29abd", "description": "Conduct deeper analysis on remaining malware and endpoint investigation tasks not finished in the External Investigation and Internal Hunting phases. 
This might mean sandbox detonation of files, forensic analysis of associated devices or memory dumps, reverse engineering of suspected malware, long-running queries of endpoint activity history and anomalous behavior, or other similar analysis tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ee783e2b-62ce-4dfa-a8ac-dfd38e3336a9", "create_time": 1762280887.1876307, "update_time": 1762280887.1876311, "name": "Notification", "order": 6, "tasks": [{"id": "25cb7e69-be9d-4faf-9e4a-088b42b4788e", "create_time": 1762280887.1869273, "update_time": 1762280887.1869276, "name": "Update tickets", "order": 1, "tag": "d1644224-bfe8-4710-be7a-42b83746e870", "description": "Make sure that all the necessary outputs and status updates from the previous phases and tasks are documented in the appropriate system of record. Summarize the current state of the investigation and any remaining tasks.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fd8e6a70-6f3b-4f12-a3d9-ced01a867591", "create_time": 1762280887.187141, "update_time": 1762280887.1871414, "name": "Notify system owners", "order": 2, "tag": "f375634e-8725-45b0-953f-913af5792047", "description": "For any systems that have been changed or need to be changed, notify the necessary system owners so the appropriate change management procedures can be followed.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6df9bdea-2fdc-469e-b3de-298bac097739", "create_time": 1762280887.1872501, "update_time": 1762280887.1872506, "name": 
"Notify regulatory compliance team", "order": 3, "tag": "ae1e0019-56dc-4782-9efd-fad66ee54734", "description": "If appropriate, notify the regulatory compliance team to support them as they report this incident to the correct regulatory or accrediting organizations.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ca7c9e3-547b-4e44-aacb-9f8a23665d3d", "create_time": 1762280887.1873586, "update_time": 1762280887.187359, "name": "Assign additional tasks", "order": 4, "tag": "def2f366-4f31-4b7a-ba01-0fecd5bc1c9e", "description": "Create tickets to track any follow-on tasks that came out of this investigation. Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4de9d9be-e269-4d03-9fe4-0496b933abe4", "create_time": 1762280887.1874657, "update_time": 1762280887.187466, "name": "Educate users", "order": 5, "tag": "94435be3-c9bb-4cb0-a298-adad4c5e685a", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3e0fb677-9a5d-48a1-a0b8-3b1b92d05efa", "create_time": 1762280887.1875756, "update_time": 1762280887.1875758, "name": "Share threat intelligence", "order": 6, "tag": 
"b6e77ae5-bd3b-4809-af51-3cc9d2ee35a8", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "a819ee87-e98f-4108-9554-7c167bdfeb79", "active": true, "used": false, "_user": "nobody", "_key": "1e541fb9-a309-45f6-8593-7e6e68d934b4"}
\ No newline at end of file
diff --git a/response_templates/TestMultiVersion_v4.json b/response_templates/TestMultiVersion_v4.json
deleted file mode 100644
index cb178dfe49..0000000000
--- a/response_templates/TestMultiVersion_v4.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- "id": "27b78044-1eca-43c2-9207-b5afe3075a81",
- "create_time": 1762292283.131341,
- "update_time": 1762292294.8144422,
- "name": "Test%20Multi%20Version",
- "description": "",
- "template_status": "published",
- "creator": "zen_admin",
- "updated_by": "zen_admin",
- "is_default": false,
- "version": 4,
- "phases": [
- {
- "id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15",
- "create_time": 1762292292.855246,
- "update_time": 1762292294.7901058,
- "name": "Test%20Phase",
- "order": 1,
- "tasks": [
- {
- "id": "096e2f14-866e-404e-819b-a1155ac0084b",
- "create_time": 1762292292.855151,
- "update_time": 1762292294.790007,
- "name": "Test%20Task",
- "order": 1,
- "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a",
- "description": "",
- "owner": "",
- "is_note_required": true,
- "status": "Pending",
- "notes": [],
- "files": [],
- "suggestions": {
- "playbooks": [],
- "actions": [],
- "searches": []
- },
- "start_time": 0,
- "end_time": 0,
- "total_time_taken": 0
- }
- ]
- }
- ],
- "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8",
- "active": true,
- "used": false,
- "_user": "nobody",
- "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"
-}
\ No newline at end of file
diff --git a/response_templates/TestMultiVersion_v5.json b/response_templates/TestMultiVersion_v5.json
deleted file mode 100644
index 247afe72ea..0000000000
--- a/response_templates/TestMultiVersion_v5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"id": "27b78044-1eca-43c2-9207-b5afe3075a81", "create_time": 1762292283.131341, "update_time": 1762292328.3112774, "name": "Test%20Multi%20Version", "description": "", "template_status": "published", "creator": "zen_admin", "updated_by": "zen_admin", "is_default": false, "version": 5, "phases": [{"id": "61ed7d1f-12bb-4dcd-b30d-8bc64a735d15", "create_time": 1762292328.2866068, "update_time": 1762292328.2866073, "name": "Test%20Phase", "order": 1, "tasks": [{"id": "096e2f14-866e-404e-819b-a1155ac0084b", "create_time": 1762292292.855151, "update_time": 1762292328.2865093, "name": "Test%20Task%20V3", "order": 1, "tag": "c8283baa-3da5-4886-8975-376f2d0cbd2a", "description": "", "owner": "", "is_note_required": true, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "ab32daf2-b7b4-4525-b8a0-fc783ab2fef8", "active": true, "used": false, "_user": "nobody", "_key": "27b78044-1eca-43c2-9207-b5afe3075a81"} \ No newline at end of file From 594539ed6d9bf13ba54864c7c2f384de6170d894 Mon Sep 17 00:00:00 2001 
From: Xiaonan Qi
Date: Tue, 9 Dec 2025 14:21:33 -0800
Subject: [PATCH 24/44] Fix naming of response templates
---
 .../{AccountCompromise.json => AccountCompromise_v13.json} | 0
 response_templates/{DataBreach.json => DataBreach_v12.json} | 0
 response_templates/{NIST80061.json => NIST80061_v11.json} | 0
 ...ndicatorEnrichment.json => NetworkIndicatorEnrichment_v5.json} | 0
 .../{SuspiciousEmail.json => SuspiciousEmail_v29.json} | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename response_templates/{AccountCompromise.json => AccountCompromise_v13.json} (100%)
 rename response_templates/{DataBreach.json => DataBreach_v12.json} (100%)
 rename response_templates/{NIST80061.json => NIST80061_v11.json} (100%)
 rename response_templates/{NetworkIndicatorEnrichment.json => NetworkIndicatorEnrichment_v5.json} (100%)
 rename response_templates/{SuspiciousEmail.json => SuspiciousEmail_v29.json} (100%)
diff --git a/response_templates/AccountCompromise.json b/response_templates/AccountCompromise_v13.json
similarity index 100%
rename from response_templates/AccountCompromise.json
rename to response_templates/AccountCompromise_v13.json
diff --git a/response_templates/DataBreach.json b/response_templates/DataBreach_v12.json
similarity index 100%
rename from response_templates/DataBreach.json
rename to response_templates/DataBreach_v12.json
diff --git a/response_templates/NIST80061.json b/response_templates/NIST80061_v11.json
similarity index 100%
rename from response_templates/NIST80061.json
rename to response_templates/NIST80061_v11.json
diff --git a/response_templates/NetworkIndicatorEnrichment.json b/response_templates/NetworkIndicatorEnrichment_v5.json
similarity index 100%
rename from response_templates/NetworkIndicatorEnrichment.json
rename to response_templates/NetworkIndicatorEnrichment_v5.json
diff --git a/response_templates/SuspiciousEmail.json b/response_templates/SuspiciousEmail_v29.json
similarity index 100%
rename from response_templates/SuspiciousEmail.json
rename to response_templates/SuspiciousEmail_v29.json
From 91e1edf55e3db9c570d0c5e752269e90571c2bda Mon Sep 17 00:00:00 2001
From: Xiaonan Qi
Date: Tue, 9 Dec 2025 15:47:30 -0800
Subject: [PATCH 25/44] Response templates to be added by response plan team
---
 response_templates/AccountCompromise_v13.json | 1 -
 response_templates/DataBreach_v12.json | 1 -
 response_templates/NIST80061_v11.json | 1 -
 response_templates/NetworkIndicatorEnrichment_v5.json | 1 -
 response_templates/SuspiciousEmail_v29.json | 1 -
 5 files changed, 5 deletions(-)
 delete mode 100644 response_templates/AccountCompromise_v13.json
 delete mode 100644 response_templates/DataBreach_v12.json
 delete mode 100644 response_templates/NIST80061_v11.json
 delete mode 100644 response_templates/NetworkIndicatorEnrichment_v5.json
 delete mode 100644 response_templates/SuspiciousEmail_v29.json
diff --git a/response_templates/AccountCompromise_v13.json b/response_templates/AccountCompromise_v13.json
deleted file mode 100644
index b6d2ea8ae1..0000000000
--- a/response_templates/AccountCompromise_v13.json
+++ /dev/null
@@ -1 +0,0 @@ -{"id": "a0258b7f-87c3-4815-8203-b55512d7fb6c", "create_time": 1765306633.4014366, "update_time": 1765306633.4014366, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 13, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765306633.4034715, "update_time": 1765306768.469428, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765306768.467449, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765306768.4677045, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20trackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765306768.4679203, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765306768.468118, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765306768.4683, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765306768.468481, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765306768.4686725, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765306768.468874, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765306768.4691083, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765306768.4692936, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765306633.4041102, "update_time": 1765306768.4701042, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765306768.4695702, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765306768.4697595, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765306768.4699776, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765306633.4046884, "update_time": 1765306768.4707205, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765306768.4702713, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765306768.4704757, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765306768.470632, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "a0258b7f-87c3-4815-8203-b55512d7fb6c"} \ No newline at end of file diff --git a/response_templates/DataBreach_v12.json b/response_templates/DataBreach_v12.json deleted file mode 100644 index a902d3a423..0000000000 --- a/response_templates/DataBreach_v12.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1764862877.558638, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 12, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765221299.7395632, "update_time": 1765221644.2423606, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765221644.2419975, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765221644.2421408, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765221644.2422879, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765221299.7402437, "update_time": 1765221644.242738, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765221644.2424421, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765221644.242574, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765221644.2426631, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765221299.740702, "update_time": 1765221644.2430031, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765221644.2428167, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765221644.2429323, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765221299.7409556, "update_time": 1765221644.2431514, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765221644.2430809, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20protocol%20trackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765221299.7413394, "update_time": 1765221644.2433846, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765221644.2432458, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765221644.2433343, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765221299.741549, "update_time": 1765221644.2435148, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765221644.2434611, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"} \ No newline at end of file 
diff --git a/response_templates/NIST80061_v11.json b/response_templates/NIST80061_v11.json
deleted file mode 100644
index d9e0c2cb92..0000000000
--- a/response_templates/NIST80061_v11.json
+++ /dev/null
@@ -1 +0,0 @@ -{"id": "d081a248-71b1-49b3-8d3b-5bf932aac6ba", "create_time": 1765306151.1518192, "update_time": 1765306151.1518192, "name": "NIST 800-61: Computer Security Incident Handling Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 11, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765306151.1526241, "update_time": 1765306151.1526246, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765306151.151944, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765306151.1522639, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, 
{"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765306151.1523738, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765306151.1524687, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765306151.152571, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765306151.1532724, "update_time": 1765306151.1532726, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765306151.1526983, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765306151.1527815, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765306151.1528761, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765306151.152965, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765306151.1530511, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765306151.1531591, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765306151.1539435, "update_time": 1765306151.153944, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765306151.1536345, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765306151.1537821, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765306151.1538804, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765306151.1542614, "update_time": 1765306151.1542616, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765306151.1540172, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765306151.1540995, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765306151.1542017, "name": "Implement additional monitoring", 
"order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765306151.154456, "update_time": 1765306151.1544561, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765306151.1543307, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765306151.1544108, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "d081a248-71b1-49b3-8d3b-5bf932aac6ba"} \ No newline at end of file diff --git a/response_templates/NetworkIndicatorEnrichment_v5.json b/response_templates/NetworkIndicatorEnrichment_v5.json deleted file mode 100644 index 3ffb9b103f..0000000000 --- a/response_templates/NetworkIndicatorEnrichment_v5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "b11a7ee4-e88a-44be-b8a2-d1609606bcae", "create_time": 1764862847.6611986, "update_time": 1765305936.2209468, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 5, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765305842.3859305, "update_time": 1765305842.3859313, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765305842.3846803, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765305842.384996, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765305842.3853111, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765305842.3855665, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765305842.3857915, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "b11a7ee4-e88a-44be-b8a2-d1609606bcae"} \ No newline at end of file diff --git a/response_templates/SuspiciousEmail_v29.json b/response_templates/SuspiciousEmail_v29.json deleted file mode 100644 index b2fb58f193..0000000000 --- a/response_templates/SuspiciousEmail_v29.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "6683e5de-56c3-4105-8eb1-2eafc6f2dc5a", "create_time": 1764964076.462259, "update_time": 1764964076.462259, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 29, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1764964076.4629169, "update_time": 1764964179.6376007, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1764964179.6372583, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1764964179.6373959, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1764964179.6375475, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1764964076.4637728, "update_time": 1764964179.6384258, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1764964179.637681, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1764964179.6378467, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1764964179.6379743, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1764964179.6380632, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1764964179.6381621, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1764964179.6383374, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1764964076.4645069, "update_time": 1764964179.638931, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1764964179.6385055, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1764964179.6386268, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20protocol%20tracker%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1764964179.6387417, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1764964179.638862, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1764964076.4651353, "update_time": 1764964179.6395993, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1764964179.6390114, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1764964179.6391416, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1764964179.639291, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1764964179.6394064, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1764964179.639517, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1764964076.4654303, "update_time": 1764964179.6398683, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1764964179.639679, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20protocol%20tracker%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1764964179.6397936, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1764964076.466061, "update_time": 1764964179.640515, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1764964179.6399481, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1764964179.6400516, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1764964179.6401603, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": "If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1764964179.6402876, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1764964179.6403775, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1764964179.6404653, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "6683e5de-56c3-4105-8eb1-2eafc6f2dc5a"} \ No newline at end of file From 541b8a0c60d4c25229aec676ceeb812f730046d7 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 9 Dec 2025 15:50:18 -0800 Subject: [PATCH 26/44] Keep response_templates directory --- response_templates/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 response_templates/.gitkeep diff --git a/response_templates/.gitkeep b/response_templates/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 From ac368d0705a61c46faea21248e7dd1e0902f1307 Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 9 Dec 2025 16:03:33 -0800 Subject: [PATCH 27/44] Skip .gitkeep checking when check non-json files --- .github/workflows/response_templates/template_script.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py index 2731194ae8..af20b08258 100644 --- a/.github/workflows/response_templates/template_script.py +++ b/.github/workflows/response_templates/template_script.py 
@@ -46,8 +46,8 @@ def _get_template_mapping(directory):
 if not path.exists() or not path.is_dir():
 raise ValueError(f"The directory {directory} does not exist or is not a directory.")
- # Check for non-JSON files
- non_json_files = [f.name for f in path.iterdir() if f.is_file() and f.suffix != '.json']
+ # Check for non-JSON files (skip .gitkeep)
+ non_json_files = [f.name for f in path.iterdir() if f.is_file() and f.suffix != '.json' and f.name != '.gitkeep']
 if non_json_files:
 raise ValueError(f"Non-JSON files found in directory {directory}: {', '.join(non_json_files)}")
From 6956c1531baba4f43bd1b22effdb5b2c2d95aebe Mon Sep 17 00:00:00 2001 From: Xiaonan Qi Date: Tue, 9 Dec 2025 16:10:29 -0800 Subject: [PATCH 28/44] Remove the .gitkeep
--- .github/workflows/response_templates/template_script.py | 4 ++-- response_templates/.gitkeep | 0 2 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 response_templates/.gitkeep
diff --git a/.github/workflows/response_templates/template_script.py b/.github/workflows/response_templates/template_script.py
index af20b08258..2731194ae8 100644
--- a/.github/workflows/response_templates/template_script.py
+++ b/.github/workflows/response_templates/template_script.py
@@ -46,8 +46,8 @@ def _get_template_mapping(directory):
 if not path.exists() or not path.is_dir():
 raise ValueError(f"The directory {directory} does not exist or is not a directory.")
- # Check for non-JSON files (skip .gitkeep)
- non_json_files = [f.name for f in path.iterdir() if f.is_file() and f.suffix != '.json' and f.name != '.gitkeep']
+ # Check for non-JSON files
+ non_json_files = [f.name for f in path.iterdir() if f.is_file() and f.suffix != '.json']
 if non_json_files:
 raise ValueError(f"Non-JSON files found in directory {directory}: {', '.join(non_json_files)}")
diff --git a/response_templates/.gitkeep b/response_templates/.gitkeep deleted file mode 100644
index e69de29bb2..0000000000
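Review bot: The suffix comparison on the added `non_json_files` line is case-sensitive, so a file named `Foo.JSON` is reported as non-JSON while `foo.json` passes; if only lower-case `.json` is meant to be accepted, a comment such as `# only lower-case .json is accepted; anything else fails the build` would keep the strictness deliberate, otherwise compare with `f.suffix.lower() != '.json'`. The `.gitkeep` exemption is an exact-name match, so any other placeholder or editor artifact in the directory still fails the build, which is probably intended but is worth saying in the comment rather than leaving implicit. The PATCH 28/44 hunk that follows on this same line reverts this change, so the series as a whole leaves the case-sensitive check in place and the note applies there too. `_get_template_mapping` begins and ends outside the hunk, so whether directories (filtered out by `f.is_file()`) are handled elsewhere is not visible here.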
From 6014b4870b7f9318bb6bd237dec4b93c4f394866 Mon Sep 17 00:00:00 2001 From: Christian Cloutier Date: Thu, 11 Dec 2025 15:18:38 -0500 Subject: [PATCH 29/44] Initial version of Response Templates --- response_templates/AccountCompromise.json | 1 + response_templates/DataBreach.json | 1 + response_templates/GenericIncidentResponse.json | 1 + response_templates/NIST80061.json | 1 + response_templates/NetworkIndicatorEnrichment.json | 1 + response_templates/SelfReplicatingMalware.json | 1 + response_templates/SuspiciousEmail.json | 1 + response_templates/VulnerabilityDisclosure.json | 1 + 8 files changed, 8 insertions(+) create mode 100644 response_templates/AccountCompromise.json create mode 100644 response_templates/DataBreach.json create mode 100644 response_templates/GenericIncidentResponse.json create mode 100644 response_templates/NIST80061.json create mode 100644 response_templates/NetworkIndicatorEnrichment.json create mode 100644 response_templates/SelfReplicatingMalware.json create mode 100644 response_templates/SuspiciousEmail.json create mode 100644 response_templates/VulnerabilityDisclosure.json diff --git a/response_templates/AccountCompromise.json b/response_templates/AccountCompromise.json new file mode 100644 index 0000000000..a215ad7ee6 --- /dev/null +++ b/response_templates/AccountCompromise.json 
@@ -0,0 +1 @@ +{"id": "94198adf-1fc1-4c2d-8c94-baf4523bee4f", "create_time": 1765479652.5729501, "update_time": 1765479652.5729501, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765479652.5742395, "update_time": 1765479652.57424, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765479652.5730562, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765479652.573373, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765479652.5734894, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765479652.5735939, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765479652.5736716, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765479652.573762, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765479652.5738606, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765479652.573958, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765479652.5740716, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765479652.5741494, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765479652.574572, "update_time": 1765479652.5745726, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765479652.5743093, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765479652.5744092, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765479652.5745091, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765479652.5748563, "update_time": 1765479652.5748568, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765479652.57464, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765479652.574736, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765479652.574812, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "94198adf-1fc1-4c2d-8c94-baf4523bee4f"} \ No newline at end of file diff --git a/response_templates/DataBreach.json b/response_templates/DataBreach.json new file mode 100644 index 0000000000..3534746ef5 --- /dev/null +++ b/response_templates/DataBreach.json 
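Review bot: The `description` values in this file mix two encodings: most tasks carry percent-encoded text using `%20` and `%0A` (for example "Contact account owner"), while "Estimate impact", "Enumerate other similarly vulnerable accounts", "Tune prevention systems" and "Tune detection systems" are plain text. A consumer that unconditionally URL-decodes every description will corrupt any literal `%` in the plain ones, and one that does not decode will show `%20` to the analyst, so the file should settle on one form or the loader's decoding rule should be documented alongside the templates. The encoded descriptions also embed markdown links to `/app/SplunkEnterpriseSecuritySuite/...` paths and Splunkbase URLs, so whatever renders them should treat the decoded text as markdown rather than HTML. The template file added just before this one shows the same mix, and DataBreach.json, whose hunk starts on the next line, appears to follow the same convention. The file is also committed without a trailing newline.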
@@ -0,0 +1 @@
+{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 15, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"}
\ No newline at end of file
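Review bot: The `description` values in this template mix two encodings — most are percent-encoded (`%20`, `%0A`, `%5B…%5D` markdown links) while `Determine mitigations and remediations`, `Identify appropriate stakeholders`, `Send reports` and `Prevent future breaches` are plain text — so a consumer has to guess per field whether to URL-decode, and the same mix appears in GenericIncidentResponse.json and in the percent-encoded `name` of NIST80061.json. Pick one representation for the whole directory (plain JSON strings already escape newlines and brackets, so the percent-encoding buys nothing) or document the rule wherever these templates are consumed. Two of the encoded links are also malformed and will render oddly: `%5B%20Palo%20Alto%5D` in `Stop exfiltration` has a leading space inside the link text, and `%5BPort%20and%20Protocol%20TrackerDashboard%5D` in `Measure the size and scope` is missing a space. The `Identify likely means of exfiltration` task points readers at `https://attack.mitre.org/wiki/Persistence`, which is a persistence reference rather than an exfiltration one; confirm the intended link. The exported instance fields (`creator`, `updated_by`, `_user`, `_key`, `used`, and the float `create_time`/`update_time` stamps) look like residue from the environment the template was exported from and are probably worth stripping before publishing these files as shared content.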
diff --git a/response_templates/GenericIncidentResponse.json b/response_templates/GenericIncidentResponse.json
new file mode 100644
index 0000000000..631cedc8eb
--- /dev/null
+++ b/response_templates/GenericIncidentResponse.json
@@ -0,0 +1 @@
+{"id": "c3326c0e-417c-46de-b79a-7a33e457b91b", "create_time": 1764862802.518435, "update_time": 1765478297.8226988, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 13, "phases": [{"id": "c8c1bb29-a14c-4230-ba02-283f98645b90", "create_time": 1765478297.7930639, "update_time": 1765478297.7930644, "name": "Detection", "order": 1, "tasks": [{"id": "76fd8383-b2f7-47d8-b952-49a60105c23f", "create_time": 1764758755.9055116, "update_time": 1765478297.7925363, "name": "Report incident response execution", "order": 1, "tag": "69c9baf1-bd12-4b09-b6b6-a77df9428682", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c62f8956-c622-4c11-a664-9d68661f2df1", "create_time": 1764758755.905616, "update_time": 1765478297.7928247, "name": "Document associated events", "order": 2, "tag": "8ca56a2a-f0d7-43c1-96e3-06bac95deffe", "description": "This is the escalation. 
Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8e84a157-60e0-4914-97e7-a59936ba4fcf", "create_time": 1764758755.9057095, "update_time": 1765478297.7929223, "name": "Document known attack surface and attacker information", "order": 3, "tag": "604e26c0-fb5a-4320-9d95-ef887d406d71", "description": "Rough triage of the situation. No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ea952b70-0c68-4750-b791-7489117f5a3a", "create_time": 1764758755.9058, "update_time": 1765478297.7930133, "name": "Assign roles", "order": 4, "tag": "389fce05-2170-4971-aabb-da3d88ea668a", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "816cf263-fcdd-45d6-8f5f-f4c5c3f638bd", "create_time": 1765478297.7943053, "update_time": 1765478297.7943058, "name": "Analysis", "order": 2, "tasks": [{"id": "2444a355-821e-4485-86c5-03c836cba7c5", "create_time": 1764758755.9059348, "update_time": 1765478297.7931442, "name": "Research intelligence resources", "order": 1, "tag": "595d75bb-316e-4dec-bfc6-6729d3e7b280", "description": 
"Find%20out%20if%20this%20attacker%20is%20a%20known%20agent%20and%20gather%20associated%20tactics,%20techniques,%20and%20procedures%20(TTP)%20used.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%203.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a947eacc-04e3-485e-bac4-6566e85df173", "create_time": 1764758755.9060266, "update_time": 1765478297.7932744, "name": "Research proxy logs", "order": 2, "tag": "7586c74e-6844-45bb-9535-4924752ff0de", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bfa0b1ad-7bb1-484d-bcfa-16df7989518c", "create_time": 1764758755.906122, "update_time": 1765478297.7933776, "name": "Research firewall logs", "order": 3, "tag": "5f7e4c57-343a-4a5c-8c90-643bdb578dbb", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0168209e-eb24-4a5a-b72a-7c074a96a19c", "create_time": 1764758755.906265, "update_time": 1765478297.7934852, "name": "Research OS logs", "order": 4, "tag": "357d8065-7af2-4968-a52e-1daba8d36bcb", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "82beb15d-df47-49e4-a504-6a7dd5f33558", "create_time": 1764758755.9063575, "update_time": 1765478297.7935877, "name": "Research network logs", "order": 5, "tag": "f5aabd39-0213-498c-9a91-db8b62c1d262", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d339af9b-fdfb-4944-8f9a-6febf9fbceb3", "create_time": 1764758755.9064476, "update_time": 1765478297.7936852, "name": "Research endpoint protection logs", "order": 6, "tag": "a0d0a5b6-e961-470a-8fed-2fd0f1f56e54", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a6d8b29-55f0-4eb8-817b-281fbddccd40", "create_time": 1764758755.9065409, "update_time": 1765478297.7937844, "name": "Determine infection vector", "order": 7, "tag": "e840c5b9-b804-4851-ace7-ed2b20e94374", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ef1d9524-231c-4c12-9544-f01fe50f0e9b", "create_time": 1764758755.9066322, "update_time": 1765478297.7938728, "name": "Document all attack targets", "order": 8, "tag": "2a1efed7-4cba-4f66-b7f4-c51555f6dafd", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "27b6ef2b-735d-4598-ab6e-6875f837a484", "create_time": 1764758755.9067245, "update_time": 1765478297.7939599, "name": "Document all attacker sources and TTP", "order": 9, "tag": "3ce58599-9e4e-4936-a604-9b2783fbb4be", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a2fdf16b-e79d-4cf6-8f57-026a2c0b63d0", "create_time": 1764758755.9068127, "update_time": 1765478297.794048, "name": "Document infected devices", "order": 10, "tag": "8854bf07-df2e-4536-a7ef-c268776eba0e", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a16d098a-10a7-4b53-a798-fd83c467ddb6", "create_time": 1764758755.9069023, "update_time": 1765478297.7941349, "name": "Determine full impact of attack", "order": 11, "tag": "2419ca1b-fa9e-4443-8334-4642877218c4", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92b46948-e8f0-4194-9ada-76bbf21bea3a", "create_time": 1764758755.9069924, "update_time": 1765478297.7942424, "name": "Analyze malware samples", "order": 12, "tag": "7486b744-568f-4a71-b6ab-6c18b0975234", "description": 
"Analyze%20discovered%20malware%20and%20document%20indicators%20of%20compromise%20(IOCs).%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1cfc9549-b74f-4dfd-b1c5-956b1587e546", "create_time": 1765478297.7946434, "update_time": 1765478297.7946439, "name": "Containment", "order": 3, "tasks": [{"id": "91691144-6812-44e7-ae84-769b7c91778f", "create_time": 1764758755.9071276, "update_time": 1765478297.7943835, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "fa5fbdd4-4224-460f-80b1-081083c3a8e5", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "884da2c4-4fb8-494f-bd5a-2c0eacb81646", "create_time": 1764758755.9072351, "update_time": 1765478297.794471, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": "f735a650-8d7e-42ee-95fa-ca8122e29df4", "description": "Suggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b6fd766-744a-4ada-9612-9934ff090668", "create_time": 1764758755.9073257, "update_time": 
1765478297.7945688, "name": "Contain incident", "order": 3, "tag": "de5b8d96-bc90-47e5-a707-4b4ce273b2f5", "description": "Suggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A8.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A9.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A10.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A11.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A12.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a5675456-ec54-4045-beb4-d521f14192cc", "create_time": 1765478297.7949696, "update_time": 1765478297.7949698, "name": "Eradication", "order": 4, "tasks": [{"id": "74739ca3-8849-4d32-b41f-6dcf53ab6598", "create_time": 1764758755.9074597, "update_time": 1765478297.7947214, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "160a14ef-e1d7-46db-9a35-5e452602416a", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", 
"is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf7fc36c-f08b-4fda-89ec-95594bbf238c", "create_time": 1764758755.9075792, "update_time": 1765478297.794821, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "f02e09fa-0ed7-4ca7-a001-a6adcfe83437", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f5c72b7c-f274-4825-9b9f-5c34f8d384e9", "create_time": 1764758755.907677, "update_time": 1765478297.7949193, "name": "Repeat analysis and containment on any newly discovered infected hosts", "order": 3, "tag": "c8032097-7574-438a-8473-d614b8f135ff", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "50452b43-98af-43ab-bfb0-1e9f7368b2c9", "create_time": 1765478297.795289, "update_time": 1765478297.7952893, "name": "Recovery", "order": 5, "tasks": [{"id": "91a74317-f931-4ced-b4aa-6cdf54433221", "create_time": 1764758755.9079046, "update_time": 1765478297.7950459, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "c3c83a87-0d75-4d0a-b4e7-9fef0d60e5f4", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": 
[], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "91f6342d-a92b-4157-a124-5e87ab0c9827", "create_time": 1764758755.9080007, "update_time": 1765478297.7951343, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "27d8d5a5-4c1b-470c-b995-c39275b61444", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5840a534-399b-4ac1-b0bc-80927edf8f8b", "create_time": 1764758755.9080942, "update_time": 1765478297.7952387, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "085d0c66-3bb9-48c8-9403-0fc21217d77c", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "dd359232-b8be-435a-b5bc-1a5fd3e44559", "create_time": 1765478297.795616, "update_time": 1765478297.7956161, "name": "Post", "order": 6, "tasks": [{"id": "0f4c6d6e-5e22-4d2c-8de3-8fb45346b917", "create_time": 1764758755.908245, "update_time": 1765478297.7953663, "name": "Schedule after-action review meeting", "order": 1, "tag": "815e442f-e87d-42ef-81ea-5c13b4d1e3cf", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8864f28a-1b75-4317-b6e7-4088f8d19d9a", "create_time": 1764758755.9083498, "update_time": 1765478297.7954535, "name": "Generate incident response action report", "order": 2, 
"tag": "5a4862af-5001-4418-a48b-e028ef91b542", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "08014d2b-5977-45d2-a14e-519c990aed93", "create_time": 1764758755.9084463, "update_time": 1765478297.7955399, "name": "Report incident response complete", "order": 3, "tag": "4b12a641-8105-4b64-bd89-eef26fabb47a", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20complete.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "28753dcd-47c7-44ad-b85f-f840c3f0da96", "active": true, "used": false, "_user": "nobody", "_key": "c3326c0e-417c-46de-b79a-7a33e457b91b"}
\ No newline at end of file
diff --git a/response_templates/NIST80061.json b/response_templates/NIST80061.json
new file mode 100644
index 0000000000..225c2dd043
--- /dev/null
+++ b/response_templates/NIST80061.json
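Review bot: Several tasks in this template carry no guidance at all — `Repeat analysis and containment on any newly discovered infected hosts` and `Schedule after-action review meeting` have an empty `description`, and `Report devices and applications to be contained to proper channels`, `Contain incident`, `Identify and mitigate all vulnerabilities that were exploited` and `Remove malware, inappropriate materials and other components` consist only of a `Suggested Integrations` list with no statement of what the analyst is expected to do or record. A one-sentence objective per task, in the style of `Before modifying systems housing evidence of the attack, document the evidence.`, would make the plan usable even where none of the listed integrations is installed. The `Research intelligence resources` description also has a duplicated list marker, `3.%203.%20%5BVirusTotal%20v3%5D`, and the first two Eradication task descriptions end with a dangling `%0A` that will render as a trailing blank line. The `Contain incident` link `%5B%20Palo%20Alto%5D` has the same leading-space problem already present in DataBreach.json.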
@@ -0,0 +1 @@
+{"id": "475a4c40-0996-4b54-a634-711205549572", "create_time": 1765482414.4679432, "update_time": 1765482414.4679432, "name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765482414.4685507, "update_time": 1765482414.4685512, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765482414.4680352, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765482414.4681613, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765482414.4682908, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765482414.4683938, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765482414.4685001, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765482414.4691532, "update_time": 1765482414.469154, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765482414.4686282, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765482414.4687133, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765482414.4687974, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765482414.4688811, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765482414.4689677, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765482414.4690719, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765482414.4695153, "update_time": 1765482414.4695156, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765482414.4692445, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765482414.4693527, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765482414.469451, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765482414.4698043, "update_time": 1765482414.4698048, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765482414.46959, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765482414.4696727, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765482414.4697568, "name": "Implement 
additional monitoring", "order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765482414.4700096, "update_time": 1765482414.4700098, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765482414.469876, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765482414.4699602, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "475a4c40-0996-4b54-a634-711205549572"}
\ No newline at end of file
diff --git a/response_templates/NetworkIndicatorEnrichment.json b/response_templates/NetworkIndicatorEnrichment.json
new file mode 100644
index 0000000000..cad8f820e8
--- /dev/null
+++ b/response_templates/NetworkIndicatorEnrichment.json
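Review bot: `name` in this file is percent-encoded (`NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide`) while the sibling templates use plain names, and `description` values mix the two styles within the same file — "Suggested categories: None, Low, Medium, High" is plain text but "Report%20the%20incident%20..." is encoded. A consumer cannot tell per value whether to decode, and a blanket decode corrupts any plain description that happens to contain a literal `%`. Pick one convention for `name` and `description` across response_templates/ and record it in a README beside the files; if plain text is the convention, the line becomes `"name": "NIST 800-61: Computer Security Incident Handling Guide"`. The same mix is in NetworkIndicatorEnrichment.json and SelfReplicatingMalware.json, whose top-level descriptions are plain while their task descriptions are encoded, and all three carry `_user`, `_key` (which repeats `id`) and `used`, which look like state of the exporting instance rather than template definition — worth stripping on export if the importer regenerates them. Unrelated to encoding, the "Report incident" task text contains a doubled word, "to the the appropriate internal personnel".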
@@ -0,0 +1 @@
+{"id": "8b1df498-d692-4212-a4fd-6b99b99e9027", "create_time": 1765481757.0347831, "update_time": 1765481757.0347831, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 6, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765481757.0357888, "update_time": 1765481757.0357893, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765481757.0349212, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765481757.0352638, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765481757.0354254, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765481757.0355642, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765481757.0357046, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "8b1df498-d692-4212-a4fd-6b99b99e9027"}
\ No newline at end of file
diff --git a/response_templates/SelfReplicatingMalware.json b/response_templates/SelfReplicatingMalware.json
new file mode 100644
index 0000000000..3a28c86a8a
--- /dev/null
+++ b/response_templates/SelfReplicatingMalware.json
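Review bot: The "Enrich TLS certificates" task carries exactly the same suggested-integrations list as the "Enrich MAC addresses" task that follows it (Traffic Center, Network Changes, CrowdStrike, Defender for Endpoint, Carbon Black), which reads as copy-pasted: the task text asks for registrant and certificate-authority information and for other uses of similar infrastructure, and none of those five sources is a certificate or registration data source. The "Enrich IP addresses" task in this same file already lists "Whois (preconfigured)" and "MaxMind (preconfigured)", so registration-style lookups are available in this catalog; if a certificate-transparency or passive-DNS integration exists as well, it belongs in the TLS list instead of the endpoint tools. At minimum the TLS description should say which of the listed tools is expected to answer the certificate questions it poses.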
@@ -0,0 +1 @@
+{"id": "ec7f5b1d-f689-4ea7-b00c-703d062755ef", "create_time": 1764862816.2406306, "update_time": 1765478655.8295362, "name": "Self-Replicating Malware", "description": "This response template outlines a response to a potential infection by self-replicating malware (malware that propagates itself without human interaction). While there is much overlap between the response necessary for self-replicating malware and the response to any other malware, the ability to propagate from one system to the next automatically adds the potential for faster and more thorough infection of enterprise systems. Often the infection mechanism is a particular network service or shared resource, so an appropriate response tends to be a fast configuration change to contain the effect immediately.\n\nThis template is adapted from a modified version of the CERT Societe Generale Incident Response Methodology called Worm Infection Response. The full methodology is available at https://github.com/certsocietegenerale/IRM/blob/HEAD/EN/IRM-1-WormInfection.pdf and is covered under the Creative Commons Attribution 3.0 Imported license available at https://github.com/certsocietegenerale/IRM/blob/HEAD/LICENSE.md, while the CERT Societe Generale homepage is https://cert.societegenerale.com/en/.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "56b864aa-4f46-4eab-8631-15340fe85f3d", "create_time": 1765478655.800768, "update_time": 1765478655.8007686, "name": "Preparation", "order": 1, "tasks": [{"id": "ec3ed15c-7140-4e3d-ad5f-324edaf32d30", "create_time": 1764758755.867025, "update_time": 1765478655.8002567, "name": "Define team members", "order": 1, "tag": "a901e393-ab86-4ca7-95db-14d8774a60da", "description": 
"Determine%20which%20team%20members%20will%20play%20which%20role%20in%20the%20response%20and%20establish%20communications%20channels%20with%20all%20involved.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "faf9efef-e4dc-4100-98b4-3ed62777f915", "create_time": 1764758755.867135, "update_time": 1765478655.8004067, "name": "Check analysis tools", "order": 2, "tag": "6700e71f-245c-4f8c-b835-d91eaefe716b", "description": "Test%20connectivity,%20check%20patch%20level,%20and%20run%20example%20queries%20on%20all%20analysis%20tools.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A3.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A4.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A5.%20%20PhishTank%20(preconfigured)%0A6.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e8b572ad-9cb7-4a0b-accc-dc0d6bc672af", "create_time": 1764758755.867274, "update_time": 1765478655.8005216, "name": "Acquire architecture map", "order": 3, "tag": "10b5cc45-188d-4152-99c2-d9ee90a0df52", "description": "Find or build an up-to-date map of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], 
"actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "49e8c224-9ffe-472f-b5d5-d0134314ddc0", "create_time": 1764758755.8673825, "update_time": 1765478655.800613, "name": "Acquire asset inventory", "order": 4, "tag": "27d598df-8c52-4d6b-871d-93ee5ccdaf3f", "description": "Find%20or%20build%20an%20up-to-date%20inventory%20of%20all%20devices.%0A%0ASuggested%20Integrations%0A1.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd65385f-53f6-4b16-ae5b-8480703a5e29", "create_time": 1764758755.8674753, "update_time": 1765478655.8007166, "name": "Continuous monitoring", "order": 5, "tag": "3959e856-64e9-486e-a0b6-0cb97176c283", "description": "Monitor threat trends and system activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d8781b52-5f94-496a-9221-20af11959541", "create_time": 1765478655.8011546, "update_time": 1765478655.8011549, "name": "Identification", "order": 2, "tasks": [{"id": "0fc8d25d-2b92-4617-b573-518330fb9da1", "create_time": 1764758755.867626, "update_time": 1765478655.8008454, "name": "Detect the infection", "order": 1, "tag": "27c2ab29-35d9-4643-9216-85a8c201e0ed", "description": 
"Detect%20abnormalities%20and%20potential%20infections%20using%20endpoint%20and%20network%20intrusion%20detection%20systems,%20application%20logs,%20authentication%20logs,%20system%20load%20monitoring,%20notification%20from%20external%20sources,%20and%20other%20methods.%20Seek%20a%20repeatable%20detection%20that%20is%20as%20reliable%20as%20possible,%20as%20future%20steps%20call%20for%20checking%20and%20re-checking%20to%20monitor%20progress.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "709ed3e1-de9b-421a-b7b2-eae661d66b04", "create_time": 1764758755.867718, "update_time": 1765478655.8009667, "name": "Identify the infection", "order": 2, "tag": "fcd59f33-221b-43aa-a26f-7a7536dc298a", "description": 
"Compare%20the%20known%20symptoms%20to%20all%20available%20threat%20intelligence%20and%20try%20to%20identify%20the%20threat%20as%20specifically%20as%20possible.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A6.%20%5BIndicators%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/threat_artifacts)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "07f7f8bf-c7d0-4312-a878-1cc5910284e3", "create_time": 1764758755.8678086, "update_time": 1765478655.8010774, "name": "Assess the perimeter of the infection", "order": 3, "tag": "d5aa1644-4d52-4274-92b7-c8b9e33b56e0", "description": "Check%20systems%20in%20different%20parts%20of%20the%20organization%20to%20define%20the%20perimeter%20of%20the%20infection%20and%20assess%20the%20potential%20business%20impact.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", 
"owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b077cd75-7ba9-467c-a53e-bfcea36eb013", "create_time": 1765478655.8017411, "update_time": 1765478655.8017416, "name": "Containment", "order": 3, "tasks": [{"id": "3aee7278-0f5f-48ff-ad16-9ddaec267689", "create_time": 1764758755.8679423, "update_time": 1765478655.80125, "name": "Disconnect infected areas from the internet", "order": 1, "tag": "e53fd536-8058-4a06-8c6c-e6fc9467ddf8", "description": "Stop%20command%20and%20control%20behavior%20and%20further%20propagation%20by%20disconnecting%20affected%20areas%20from%20the%20internet.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "50bcd8ba-7edc-4b44-8a04-fdd5ee6daa0b", "create_time": 1764758755.8680344, "update_time": 1765478655.8013616, "name": "Isolate infected area from all networks", "order": 2, "tag": "884437ea-ff98-40f7-999d-69efd55841ae", "description": 
"Enforce%20more%20strict%20network%20segmentation%20to%20prevent%20further%20internal%20spreading.%20Consider%20disconnecting%20mobile%20devices%20and%20laptops%20to%20minimize%20the%20propagation%20surface.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ff5509b-ae70-431c-ac11-f4445d9bd890", "create_time": 1764758755.8681533, "update_time": 1765478655.8014727, "name": "Monitor business-critical network connections that cannot be disconnected", "order": 3, "tag": "400bb1f4-670c-4503-91a0-fe813d7285f2", "description": 
"For%20those%20applications%20that%20cannot%20be%20disconnected%20due%20to%20continuity%20needs,%20increase%20monitoring%20and%20analyze%20traffic%20for%20malicious%20activity.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d220afbd-3306-4e8a-ad41-3028fb9f309f", "create_time": 1764758755.8682685, "update_time": 1765478655.8015823, "name": "Neutralize propagation vectors", "order": 4, "tag": "92bef873-aca9-4ef8-946b-edfb9ce66e36", "description": 
"Deploy%20patches,%20change%20configurations,%20sinkhole%20domains,%20re-image%20systems,%20stop%20services,%20or%20take%20other%20appropriate%20actions%20to%20prevent%20further%20propagation%20using%20all%20known%20vectors.%20Notify%20users%20of%20changes%20that%20will%20affect%20them%20and/or%20request%20their%20assistance%20for%20manual%20neutralization%20steps.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "640ecd84-2bff-4b55-b16e-2f00b863cfe0", "create_time": 1764758755.8683593, "update_time": 1765478655.8016906, "name": "Monitor progress", "order": 5, "tag": "66412e78-657c-4f0d-a15a-2533d1b9a948", "description": "Re-check neutralized systems and repeat or improve processes to cover important systems as quickly as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4999e420-9fa9-46ea-9da3-4ffb078c45a0", "create_time": 1765478655.8021305, "update_time": 1765478655.802131, "name": "Remediation", "order": 4, "tasks": [{"id": "06bd975f-1fb6-4333-b714-27ce6a1ced40", "create_time": 1764758755.8684924, "update_time": 1765478655.8018172, "name": "Identify", "order": 1, "tag": "7f4c59cc-2f64-459c-8245-31bb42439ea9", "description": "Consider vendor fixes, antivirus updates, external support options, and custom solutions. 
Use these to define a disinfection process and validate it with a reputable source if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "93e47407-dfd0-40ba-a01d-1ef596ee0c42", "create_time": 1764758755.8685825, "update_time": 1765478655.8019052, "name": "Test", "order": 2, "tag": "e0cc2310-9631-4a7f-b637-79d890e0a79a", "description": "Test the disinfection process on a system that is as close to a production configuration as possible and verify that it works while not damaging any service.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "448524ff-39de-428d-95f7-2cc16c03ea28", "create_time": 1764758755.8686728, "update_time": 1765478655.801993, "name": "Deploy", "order": 3, "tag": "69ea1765-0326-4559-9f52-0202bcd1684e", "description": "Deploy the process and scale it up if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "154ef40e-9a4e-4072-b222-e4b5c286ce4f", "create_time": 1764758755.8687656, "update_time": 1765478655.8020792, "name": "Confirm", "order": 4, "tag": "ec04ad38-972d-40d5-9672-64ccce7f2ebc", "description": "Confirm that the malware did not block remediations and find a workaround if it did.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "46c10e9a-74fd-4c28-ae23-80c66c6959ff", "create_time": 1765478655.802708, "update_time": 1765478655.8027081, "name": "Recovery", 
"order": 5, "tasks": [{"id": "b5137ace-0638-4c0d-bf3a-89808acb2796", "create_time": 1764758755.8689115, "update_time": 1765478655.8022254, "name": "Verify Containment and Remediation", "order": 1, "tag": "11e7491e-04ec-46dd-8763-7f7259aa86a9", "description": "Review current progress towards remediation by re-checking systems.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "916ce97e-d38f-41bd-8e31-fd4ebac266fa", "create_time": 1764758755.8690028, "update_time": 1765478655.8023124, "name": "Reopen propagation network mechanism", "order": 2, "tag": "3e4bb0aa-beab-472e-b19a-5d0974e25942", "description": "Turn off network enforcement for a segment of the network and monitor for new attempts to reinfect.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d6b12db-a684-4eee-b942-8d720c1e7c1a", "create_time": 1764758755.8690934, "update_time": 1765478655.8024004, "name": "Reconnect isolated sub-areas to each other", "order": 3, "tag": "ecd50bc1-ba91-4333-b50e-8065b2552e83", "description": "Turn off inter-area network enforcement and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "77f860e3-1ab9-47f4-b9f5-29b02f762628", "create_time": 1764758755.8692014, "update_time": 1765478655.8024862, "name": "Reconnect mobile devices", "order": 4, "tag": "786a211c-5a54-4465-a6ae-fb26047d3d77", "description": "Reconnect mobile devices and laptops to monitor for persistence and check coverage across all device categories.", "owner": "", "is_note_required": false, "status": 
"Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "eea6a167-30bf-434e-a7a5-7f0af8bd0ec6", "create_time": 1764758755.8692956, "update_time": 1765478655.802572, "name": "Reconnect isolated areas to main enterprise network", "order": 5, "tag": "739634b9-8f30-4fb4-b531-8f3e1bb5dcbc", "description": "Disable network enforcement between cleaned areas and the rest of the network while monitoring for reinfection.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "7947c3e9-c721-44ad-92e5-cbda84dd7687", "create_time": 1764758755.8693867, "update_time": 1765478655.8026576, "name": "Reconnect to the internet", "order": 6, "tag": "d80ab11b-58f4-4aed-a533-93f344fdc898", "description": "Reconnect to the internet and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "76b0e701-8fe2-49da-a85d-c100fc2a3a19", "create_time": 1765478655.80292, "update_time": 1765478655.8029208, "name": "Aftermath", "order": 6, "tasks": [{"id": "bb39e701-edec-47a4-a5d9-47483140b788", "create_time": 1764758755.8695176, "update_time": 1765478655.8027844, "name": "Build crisis report", "order": 1, "tag": "bb5d871c-99f4-408a-8a1e-9efa55ff1465", "description": "Notify affected parties with as much detail as is appropriate. 
Consider the initial cause of the infection, actions and timelines of important events, what went right, what went wrong, and the incident cost.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4a48b7c9-f36d-412f-a2e2-c369a98d4261", "create_time": 1764758755.8696067, "update_time": 1765478655.8028712, "name": "Improve processes", "order": 2, "tag": "114c1009-376f-4715-a825-145c3dbcbba0", "description": "Capitalize on the experience by improving the processes that were used, creating new processes where needed, and automating that which is generalizable and repeatable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "633942a9-b466-49c5-9cb0-1a4488da8473", "active": true, "used": false, "_user": "nobody", "_key": "ec7f5b1d-f689-4ea7-b00c-703d062755ef"}
\ No newline at end of file
diff --git a/response_templates/SuspiciousEmail.json b/response_templates/SuspiciousEmail.json
new file mode 100644
index 0000000000..0ba80ed93b
--- /dev/null
+++ b/response_templates/SuspiciousEmail.json
@@ -0,0 +1 @@
+{"id": "a72d40f3-a567-48e2-9fd3-c29db06c3907", "create_time": 1765479748.831508, "update_time": 1765479748.831508, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 35, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1765479748.831965, "update_time": 1765479796.6274312, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1765479796.626802, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1765479796.6270301, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1765479796.627336, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1765479748.832889, "update_time": 1765479796.6289487, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1765479796.6275756, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1765479796.6279, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1765479796.62813, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1765479796.6283174, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1765479796.6285076, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1765479796.6287827, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1765479748.8334155, "update_time": 1765479796.6299407, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1765479796.6290972, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1765479796.629352, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1765479796.6295755, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1765479796.6298037, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1765479748.8340182, "update_time": 1765479796.6310995, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1765479796.6300797, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1765479796.6303134, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1765479796.6305444, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1765479796.6307607, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1765479796.6309698, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1765479748.8343027, "update_time": 1765479796.6315908, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1765479796.631251, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1765479796.631454, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A4.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1765479748.8349223, "update_time": 1765479796.6327975, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1765479796.6317682, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1765479796.631959, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1765479796.6321607, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": 
"If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1765479796.6323862, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. 
Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1765479796.6325488, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1765479796.6327078, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "a72d40f3-a567-48e2-9fd3-c29db06c3907"}
\ No newline at end of file
diff --git a/response_templates/VulnerabilityDisclosure.json b/response_templates/VulnerabilityDisclosure.json
new file mode 100644
index 0000000000..5cd3ef22f0
--- /dev/null
+++ b/response_templates/VulnerabilityDisclosure.json
@@ -0,0 +1 @@ +{"id": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc", "create_time": 1764862787.2717, "update_time": 1765478160.218586, "name": "Vulnerability Disclosure", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 10, "phases": [{"id": "63140a0e-8d42-4aba-943a-899170cc7fd3", "create_time": 1765478079.1544676, "update_time": 1765478160.185931, "name": "Understand the vulnerability", "order": 1, "tasks": [{"id": "c2906aa1-2ba2-4d46-b927-04a348dfc8ed", "create_time": 1764758755.9402392, "update_time": 1765478160.1855013, "name": "Research types of systems that are affected", "order": 1, "tag": "f0045b4e-6680-4782-b80b-ba292805d290", "description": "Research%20the%20known%20hardware%20or%20software%20systems%20and%20versions%20that%20are%20affected.%20If%20possible%20use,%20a%20vulnerability%20database%20or%20software%20composition%20analysis%20solution%20to%20walk%20the%20dependency%20chain%20and%20evaluate%20the%20scope%20of%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd74c974-5d88-4136-aae1-13642d0f5bb5", "create_time": 1764758755.9403417, "update_time": 1765478160.185846, "name": 
"Research how the vulnerability works", "order": 2, "tag": "207e6bdb-1eed-41f8-9ee6-f87bf260978a", "description": "Research%20the%20mechanism%20that%20makes%20the%20system%20vulnerable%20and%20the%20conditions%20in%20which%20the%20system%20is%20vulnerable.%20Often%20there%20are%20certain%20configurations,%20software%20packages,%20system%20states,%20operating%20modes,%20and%20other%20characteristics%20that%20make%20a%20vulnerability%20exploitable%20and%20affect%20the%20impact%20if%20exploited.%20Assess%20the%20difficulty%20to%20exploit%20the%20vulnerability%20and%20the%20reliability%20of%20the%20exploit.%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D(/app/SplunkEnterpriseSecuritySuite/ess_use_case_library)%0A2.%20%5BSplunk%20Security%20Content%5D(https://research.splunk.com/)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "0e4796c9-bcb5-4837-b0cd-7c83b40dd2c3", "create_time": 1765478079.1550362, "update_time": 1765478160.1863368, "name": "Understand impact to the organization", "order": 2, "tasks": [{"id": "6dc2dedf-7fe4-4d02-bc74-4b386a320460", "create_time": 1764758755.940481, "update_time": 1765478160.186015, "name": "Find potentially affected systems", "order": 1, "tag": "b5bcfe17-e8a5-40a0-984c-c8fefe77093c", "description": 
"Check%20the%20internal%20environment%20and%20dependencies%20of%20the%20organization%20for%20the%20software%20or%20hardware%20that%20is%20vulnerable.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A7.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "26f32c1e-5de3-4565-9a72-c17aa0dfee4e", "create_time": 1764758755.9405725, "update_time": 1765478160.186133, "name": "Determine exploitability", "order": 2, "tag": "9b967031-b163-4c25-a971-011f10df8051", "description": "Check%20for%20exploitable%20conditions.%20If%20appropriate,%20attempt%20to%20implement%20the%20vulnerability%20or%20use%20a%20safe%20proof%20of%20concept%20to%20verify%20exploitability.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1f4e957a-1bc6-4b22-b222-44c845454b45", "create_time": 1764758755.9406626, "update_time": 1765478160.1862617, "name": "Investigate possible exploitation", "order": 3, "tag": 
"b944edaa-aa8a-4877-8b78-f022580d2731", "description": "Investigate%20whether%20or%20not%20vulnerable%20systems%20were%20exploited.%20Use%20the%20particular%20behavior%20of%20the%20exploit%20and%20likely%20post-exploitation%20techniques%20to%20narrow%20down%20the%20search%20for%20exploited%20systems.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "e8928704-4ba7-41c1-abba-a0444d548fe0", "create_time": 1765478079.1552103, "update_time": 1765478160.1864805, "name": "Decide how to respond", "order": 3, "tasks": [{"id": "860d180e-5d53-4eb7-b867-97ad48f470e6", "create_time": 1764758755.9407957, "update_time": 1765478160.1864188, "name": "Evaluate patches, workarounds, and service outages", "order": 1, "tag": "23a1b3d3-d2db-40d9-9a96-39a154c94ff0", "description": "Consider%20how%20mitigations,%20remediations,%20and%20forced%20system%20shutdowns%20affect%20the%20situation.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1559a28c-3e76-4910-a22e-f5e6977d0647", "create_time": 1765478079.1555555, "update_time": 1765478160.1868198, "name": "Execute the response", "order": 4, "tasks": [{"id": "1d4394f7-8781-4802-a6a2-7d77b655a9ee", "create_time": 1764758755.9409366, "update_time": 1765478160.1865623, "name": "Remediate", "order": 1, "tag": "6e13819e-dfdf-4e48-90fa-95c7ddfc139c", "description": "Apply%20patches,%20upgrades,%20configuration%20changes,%20or%20state%20changes%20that%20can%20remediate%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "43f50b91-ee22-4731-a5fe-c6b4463134cf", "create_time": 1764758755.941027, "update_time": 1765478160.186665, "name": "Mitigate", "order": 2, "tag": "5c813f0c-e55c-492a-933b-59b99ad11071", "description": "Apply%20workarounds,%20temporary%20fixes,%20additional%20hardening,%20new%20security%20tools,%20new%20detections,%20and%20other%20mitigations%20to%20reduce%20risk.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "90f60618-b458-4baa-ae0d-af0fe1c4b3ec", "create_time": 1764758755.941116, "update_time": 1765478160.1867695, "name": "Document accepted risks", "order": 3, "tag": "47c9830a-c0e1-4b75-ae76-4b5e0cddbf5c", "description": "Document remaining risk and notify stakeholders.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "b0687c98-dcde-4d9a-bf6f-4a31859fef16", "active": true, "used": false, "_user": "nobody", "_key": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc"}
\ No newline at end of file
From 26fa66ddded56000dcaee65e381cc36c76520f91 Mon Sep 17 00:00:00 2001
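Review bot: The task "Research how the vulnerability works" has lost its section heading — its description runs `%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D`, so the integration list renders under three blank lines, while every other task in this template uses `%0A%0ASuggested%20Integrations%0A1.` and this one should match. The file also mixes encodings for the same field: "Document accepted risks" carries a plain-text description (`"Document remaining risk and notify stakeholders."`) while all other descriptions are percent-encoded, so whichever way the consumer treats `description`, one form is wrong for any future text containing `%` or markdown; pick one encoding for the field (the earlier SuspiciousEmail template has the same mix in its last few tasks). The template-level `"description": ""` is empty even though `template_status` is "published", which is presumably unintended. Smaller wording fixes in the same hunk: "If possible use, a vulnerability database" should read "If possible, use a vulnerability database", "attempt to implement the vulnerability" reads as "attempt to reproduce the vulnerability", and the `%5B%20Palo%20Alto%5D` link label carries a stray leading space.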
From: Christian Cloutier
Date: Thu, 11 Dec 2025 15:24:05 -0500
Subject: [PATCH 30/44] Initial version of Response Templates
---
 .../{AccountCompromise.json => AccountCompromise_v14.json} | 0
 response_templates/{DataBreach.json => DataBreach_v14.json} | 0
 ...ericIncidentResponse.json => GenericIncidentResponse_v14.json} | 0
 response_templates/{NIST80061.json => NIST80061_v14.json} | 0
 ...dicatorEnrichment.json => NetworkIndicatorEnrichment_v14.json} | 0
 ...elfReplicatingMalware.json => SelfReplicatingMalware_v14.json} | 0
 .../{SuspiciousEmail.json => SuspiciousEmail_v14.json} | 0
 ...nerabilityDisclosure.json => VulnerabilityDisclosure_v14.json} | 0
 8 files changed, 0 insertions(+), 0 deletions(-)
 rename response_templates/{AccountCompromise.json => AccountCompromise_v14.json} (100%)
 rename response_templates/{DataBreach.json => DataBreach_v14.json} (100%)
 rename response_templates/{GenericIncidentResponse.json => GenericIncidentResponse_v14.json} (100%)
 rename response_templates/{NIST80061.json => NIST80061_v14.json} (100%)
 rename response_templates/{NetworkIndicatorEnrichment.json => NetworkIndicatorEnrichment_v14.json} (100%)
 rename response_templates/{SelfReplicatingMalware.json => SelfReplicatingMalware_v14.json} (100%)
 rename response_templates/{SuspiciousEmail.json => SuspiciousEmail_v14.json} (100%)
 rename response_templates/{VulnerabilityDisclosure.json => VulnerabilityDisclosure_v14.json} (100%)
diff --git a/response_templates/AccountCompromise.json b/response_templates/AccountCompromise_v14.json
similarity index 100%
rename from response_templates/AccountCompromise.json
rename to response_templates/AccountCompromise_v14.json
diff --git a/response_templates/DataBreach.json b/response_templates/DataBreach_v14.json
similarity index 100%
rename from response_templates/DataBreach.json
rename to response_templates/DataBreach_v14.json
diff --git a/response_templates/GenericIncidentResponse.json b/response_templates/GenericIncidentResponse_v14.json
similarity index 100%
rename from response_templates/GenericIncidentResponse.json
rename to response_templates/GenericIncidentResponse_v14.json
diff --git a/response_templates/NIST80061.json b/response_templates/NIST80061_v14.json
similarity index 100%
rename from response_templates/NIST80061.json
rename to response_templates/NIST80061_v14.json
diff --git a/response_templates/NetworkIndicatorEnrichment.json b/response_templates/NetworkIndicatorEnrichment_v14.json
similarity index 100%
rename from response_templates/NetworkIndicatorEnrichment.json
rename to response_templates/NetworkIndicatorEnrichment_v14.json
diff --git a/response_templates/SelfReplicatingMalware.json b/response_templates/SelfReplicatingMalware_v14.json
similarity index 100%
rename from response_templates/SelfReplicatingMalware.json
rename to response_templates/SelfReplicatingMalware_v14.json
diff --git a/response_templates/SuspiciousEmail.json b/response_templates/SuspiciousEmail_v14.json
similarity index 100%
rename from response_templates/SuspiciousEmail.json
rename to response_templates/SuspiciousEmail_v14.json
diff --git a/response_templates/VulnerabilityDisclosure.json b/response_templates/VulnerabilityDisclosure_v14.json
similarity index 100%
rename from response_templates/VulnerabilityDisclosure.json
rename to response_templates/VulnerabilityDisclosure_v14.json
From 3a174dd02e8e0a36f3d82eafc372c895c084260b Mon Sep 17 00:00:00 2001
From: Christian Cloutier
Date: Thu, 11 Dec 2025 15:32:07 -0500
Subject: [PATCH 31/44] Initial version of Response Templates
---
response_templates/{DataBreach_v14.json => DataBreach_v15.json} | 0
...IncidentResponse_v14.json => GenericIncidentResponse_v13.json} | 0
...atorEnrichment_v14.json => NetworkIndicatorEnrichment_v6.json} | 0
.../{SuspiciousEmail_v14.json => SuspiciousEmail_v35.json} | 0
...bilityDisclosure_v14.json => VulnerabilityDisclosure_v10.json} | 0
5 files changed, 0 insertions(+), 0 deletions(-)
rename response_templates/{DataBreach_v14.json => DataBreach_v15.json} (100%)
rename response_templates/{GenericIncidentResponse_v14.json => GenericIncidentResponse_v13.json} (100%)
rename response_templates/{NetworkIndicatorEnrichment_v14.json => NetworkIndicatorEnrichment_v6.json} (100%)
rename response_templates/{SuspiciousEmail_v14.json => SuspiciousEmail_v35.json} (100%)
rename response_templates/{VulnerabilityDisclosure_v14.json => VulnerabilityDisclosure_v10.json} (100%)
diff --git a/response_templates/DataBreach_v14.json b/response_templates/DataBreach_v15.json
similarity index 100%
rename from response_templates/DataBreach_v14.json
rename to response_templates/DataBreach_v15.json
diff --git a/response_templates/GenericIncidentResponse_v14.json b/response_templates/GenericIncidentResponse_v13.json
similarity index 100%
rename from response_templates/GenericIncidentResponse_v14.json
rename to response_templates/GenericIncidentResponse_v13.json
diff --git a/response_templates/NetworkIndicatorEnrichment_v14.json b/response_templates/NetworkIndicatorEnrichment_v6.json
similarity index 100%
rename from response_templates/NetworkIndicatorEnrichment_v14.json
rename to response_templates/NetworkIndicatorEnrichment_v6.json
diff --git a/response_templates/SuspiciousEmail_v14.json b/response_templates/SuspiciousEmail_v35.json
similarity index 100%
rename from response_templates/SuspiciousEmail_v14.json
rename to response_templates/SuspiciousEmail_v35.json
diff --git a/response_templates/VulnerabilityDisclosure_v14.json b/response_templates/VulnerabilityDisclosure_v10.json
similarity index 100%
rename from response_templates/VulnerabilityDisclosure_v14.json
rename to response_templates/VulnerabilityDisclosure_v10.json
From 14bba480bf20d0369efefc168311c5fefbe4a231 Mon Sep 17 00:00:00 2001
From: Christian Cloutier
Date: Thu, 11 Dec 2025 15:43:17 -0500
Subject: [PATCH 32/44] Revert "Initial version of Response Templates"
This reverts commit 3a174dd02e8e0a36f3d82eafc372c895c084260b.
---
response_templates/{DataBreach_v15.json => DataBreach_v14.json} | 0
...IncidentResponse_v13.json => GenericIncidentResponse_v14.json} | 0
...atorEnrichment_v6.json => NetworkIndicatorEnrichment_v14.json} | 0
.../{SuspiciousEmail_v35.json => SuspiciousEmail_v14.json} | 0
...bilityDisclosure_v10.json => VulnerabilityDisclosure_v14.json} | 0
5 files changed, 0 insertions(+), 0 deletions(-)
rename response_templates/{DataBreach_v15.json => DataBreach_v14.json} (100%)
rename response_templates/{GenericIncidentResponse_v13.json => GenericIncidentResponse_v14.json} (100%)
rename response_templates/{NetworkIndicatorEnrichment_v6.json => NetworkIndicatorEnrichment_v14.json} (100%)
rename response_templates/{SuspiciousEmail_v35.json => SuspiciousEmail_v14.json} (100%)
rename response_templates/{VulnerabilityDisclosure_v10.json => VulnerabilityDisclosure_v14.json} (100%)
diff --git a/response_templates/DataBreach_v15.json b/response_templates/DataBreach_v14.json
similarity index 100%
rename from response_templates/DataBreach_v15.json
rename to response_templates/DataBreach_v14.json
diff --git a/response_templates/GenericIncidentResponse_v13.json b/response_templates/GenericIncidentResponse_v14.json
similarity index 100%
rename from response_templates/GenericIncidentResponse_v13.json
rename to response_templates/GenericIncidentResponse_v14.json
diff --git a/response_templates/NetworkIndicatorEnrichment_v6.json b/response_templates/NetworkIndicatorEnrichment_v14.json
similarity index 100%
rename from response_templates/NetworkIndicatorEnrichment_v6.json
rename to response_templates/NetworkIndicatorEnrichment_v14.json
diff --git a/response_templates/SuspiciousEmail_v35.json b/response_templates/SuspiciousEmail_v14.json
similarity index 100%
rename from response_templates/SuspiciousEmail_v35.json
rename to response_templates/SuspiciousEmail_v14.json
diff --git a/response_templates/VulnerabilityDisclosure_v10.json b/response_templates/VulnerabilityDisclosure_v14.json
similarity index 100%
rename from response_templates/VulnerabilityDisclosure_v10.json
rename to response_templates/VulnerabilityDisclosure_v14.json
From de22061f15f7d7a20d11954f25905c4091db01f2 Mon Sep 17 00:00:00 2001
From: Christian Cloutier
Date: Thu, 11 Dec 2025 15:43:40 -0500
Subject: [PATCH 33/44] Revert "Initial version of Response Templates"
This reverts commit 26fa66ddded56000dcaee65e381cc36c76520f91.
---
.../{AccountCompromise_v14.json => AccountCompromise.json} | 0
response_templates/{DataBreach_v14.json => DataBreach.json} | 0
...ericIncidentResponse_v14.json => GenericIncidentResponse.json} | 0
response_templates/{NIST80061_v14.json => NIST80061.json} | 0
...dicatorEnrichment_v14.json => NetworkIndicatorEnrichment.json} | 0
...elfReplicatingMalware_v14.json => SelfReplicatingMalware.json} | 0
.../{SuspiciousEmail_v14.json => SuspiciousEmail.json} | 0
...nerabilityDisclosure_v14.json => VulnerabilityDisclosure.json} | 0
8 files changed, 0 insertions(+), 0 deletions(-)
rename response_templates/{AccountCompromise_v14.json => AccountCompromise.json} (100%)
rename response_templates/{DataBreach_v14.json => DataBreach.json} (100%)
rename response_templates/{GenericIncidentResponse_v14.json => GenericIncidentResponse.json} (100%)
rename response_templates/{NIST80061_v14.json => NIST80061.json} (100%)
rename response_templates/{NetworkIndicatorEnrichment_v14.json => NetworkIndicatorEnrichment.json} (100%)
rename response_templates/{SelfReplicatingMalware_v14.json => SelfReplicatingMalware.json} (100%)
rename response_templates/{SuspiciousEmail_v14.json => SuspiciousEmail.json} (100%)
rename response_templates/{VulnerabilityDisclosure_v14.json => VulnerabilityDisclosure.json} (100%)
diff --git a/response_templates/AccountCompromise_v14.json b/response_templates/AccountCompromise.json
similarity index 100%
rename from response_templates/AccountCompromise_v14.json
rename to response_templates/AccountCompromise.json
diff --git a/response_templates/DataBreach_v14.json b/response_templates/DataBreach.json
similarity index 100%
rename from response_templates/DataBreach_v14.json
rename to response_templates/DataBreach.json
diff --git a/response_templates/GenericIncidentResponse_v14.json b/response_templates/GenericIncidentResponse.json
similarity index 100%
rename from response_templates/GenericIncidentResponse_v14.json
rename to response_templates/GenericIncidentResponse.json
diff --git a/response_templates/NIST80061_v14.json b/response_templates/NIST80061.json
similarity index 100%
rename from response_templates/NIST80061_v14.json
rename to response_templates/NIST80061.json
diff --git a/response_templates/NetworkIndicatorEnrichment_v14.json b/response_templates/NetworkIndicatorEnrichment.json
similarity index 100%
rename from response_templates/NetworkIndicatorEnrichment_v14.json
rename to response_templates/NetworkIndicatorEnrichment.json
diff --git a/response_templates/SelfReplicatingMalware_v14.json b/response_templates/SelfReplicatingMalware.json
similarity index 100%
rename from response_templates/SelfReplicatingMalware_v14.json
rename to response_templates/SelfReplicatingMalware.json
diff --git a/response_templates/SuspiciousEmail_v14.json b/response_templates/SuspiciousEmail.json
similarity index 100%
rename from response_templates/SuspiciousEmail_v14.json
rename to response_templates/SuspiciousEmail.json
diff --git a/response_templates/VulnerabilityDisclosure_v14.json b/response_templates/VulnerabilityDisclosure.json
similarity index 100%
rename from response_templates/VulnerabilityDisclosure_v14.json
rename to response_templates/VulnerabilityDisclosure.json
From cc74c88f2cb998b446f683db4e892ad0b48da3ea Mon Sep 17 00:00:00 2001
From: Christian Cloutier
Date: Thu, 11 Dec 2025 15:44:04 -0500
Subject: [PATCH 34/44] Revert "Initial version of Response Templates"
This reverts commit 6014b4870b7f9318bb6bd237dec4b93c4f394866.
---
response_templates/AccountCompromise.json | 1 -
response_templates/DataBreach.json | 1 -
response_templates/GenericIncidentResponse.json | 1 -
response_templates/NIST80061.json | 1 -
response_templates/NetworkIndicatorEnrichment.json | 1 -
response_templates/SelfReplicatingMalware.json | 1 -
response_templates/SuspiciousEmail.json | 1 -
response_templates/VulnerabilityDisclosure.json | 1 -
8 files changed, 8 deletions(-)
delete mode 100644 response_templates/AccountCompromise.json
delete mode 100644 response_templates/DataBreach.json
delete mode 100644 response_templates/GenericIncidentResponse.json
delete mode 100644 response_templates/NIST80061.json
delete mode 100644 response_templates/NetworkIndicatorEnrichment.json
delete mode 100644 response_templates/SelfReplicatingMalware.json
delete mode 100644 response_templates/SuspiciousEmail.json
delete mode 100644 response_templates/VulnerabilityDisclosure.json
diff --git a/response_templates/AccountCompromise.json b/response_templates/AccountCompromise.json
deleted file mode 100644
index a215ad7ee6..0000000000
--- a/response_templates/AccountCompromise.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "94198adf-1fc1-4c2d-8c94-baf4523bee4f", "create_time": 1765479652.5729501, "update_time": 1765479652.5729501, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765479652.5742395, "update_time": 1765479652.57424, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765479652.5730562, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description":
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765479652.573373, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765479652.5734894, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765479652.5735939, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765479652.5736716, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765479652.573762, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765479652.5738606, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765479652.573958, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765479652.5740716, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765479652.5741494, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765479652.574572, "update_time": 1765479652.5745726, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765479652.5743093, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765479652.5744092, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765479652.5745091, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765479652.5748563, "update_time": 1765479652.5748568, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765479652.57464, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765479652.574736, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765479652.574812, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "94198adf-1fc1-4c2d-8c94-baf4523bee4f"}
\ No newline at end of file
diff --git a/response_templates/DataBreach.json b/response_templates/DataBreach.json
deleted file mode 100644
index 3534746ef5..0000000000
--- a/response_templates/DataBreach.json
+++ /dev/null
@@ -1 +0,0 @@ -{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 15, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"} \ No newline at end of file 
diff --git a/response_templates/GenericIncidentResponse.json b/response_templates/GenericIncidentResponse.json
deleted file mode 100644
index 631cedc8eb..0000000000
--- a/response_templates/GenericIncidentResponse.json
+++ /dev/null
@@ -1 +0,0 @@ -{"id": "c3326c0e-417c-46de-b79a-7a33e457b91b", "create_time": 1764862802.518435, "update_time": 1765478297.8226988, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 13, "phases": [{"id": "c8c1bb29-a14c-4230-ba02-283f98645b90", "create_time": 1765478297.7930639, "update_time": 1765478297.7930644, "name": "Detection", "order": 1, "tasks": [{"id": "76fd8383-b2f7-47d8-b952-49a60105c23f", "create_time": 1764758755.9055116, "update_time": 1765478297.7925363, "name": "Report incident response execution", "order": 1, "tag": "69c9baf1-bd12-4b09-b6b6-a77df9428682", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c62f8956-c622-4c11-a664-9d68661f2df1", "create_time": 1764758755.905616, "update_time": 1765478297.7928247, "name": "Document associated events", "order": 2, "tag": "8ca56a2a-f0d7-43c1-96e3-06bac95deffe", "description": "This is the escalation. 
Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8e84a157-60e0-4914-97e7-a59936ba4fcf", "create_time": 1764758755.9057095, "update_time": 1765478297.7929223, "name": "Document known attack surface and attacker information", "order": 3, "tag": "604e26c0-fb5a-4320-9d95-ef887d406d71", "description": "Rough triage of the situation. No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ea952b70-0c68-4750-b791-7489117f5a3a", "create_time": 1764758755.9058, "update_time": 1765478297.7930133, "name": "Assign roles", "order": 4, "tag": "389fce05-2170-4971-aabb-da3d88ea668a", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "816cf263-fcdd-45d6-8f5f-f4c5c3f638bd", "create_time": 1765478297.7943053, "update_time": 1765478297.7943058, "name": "Analysis", "order": 2, "tasks": [{"id": "2444a355-821e-4485-86c5-03c836cba7c5", "create_time": 1764758755.9059348, "update_time": 1765478297.7931442, "name": "Research intelligence resources", "order": 1, "tag": "595d75bb-316e-4dec-bfc6-6729d3e7b280", "description": 
"Find%20out%20if%20this%20attacker%20is%20a%20known%20agent%20and%20gather%20associated%20tactics,%20techniques,%20and%20procedures%20(TTP)%20used.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%203.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a947eacc-04e3-485e-bac4-6566e85df173", "create_time": 1764758755.9060266, "update_time": 1765478297.7932744, "name": "Research proxy logs", "order": 2, "tag": "7586c74e-6844-45bb-9535-4924752ff0de", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bfa0b1ad-7bb1-484d-bcfa-16df7989518c", "create_time": 1764758755.906122, "update_time": 1765478297.7933776, "name": "Research firewall logs", "order": 3, "tag": "5f7e4c57-343a-4a5c-8c90-643bdb578dbb", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0168209e-eb24-4a5a-b72a-7c074a96a19c", "create_time": 1764758755.906265, "update_time": 1765478297.7934852, "name": "Research OS logs", "order": 4, "tag": "357d8065-7af2-4968-a52e-1daba8d36bcb", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "82beb15d-df47-49e4-a504-6a7dd5f33558", "create_time": 1764758755.9063575, "update_time": 1765478297.7935877, "name": "Research network logs", "order": 5, "tag": "f5aabd39-0213-498c-9a91-db8b62c1d262", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d339af9b-fdfb-4944-8f9a-6febf9fbceb3", "create_time": 1764758755.9064476, "update_time": 1765478297.7936852, "name": "Research endpoint protection logs", "order": 6, "tag": "a0d0a5b6-e961-470a-8fed-2fd0f1f56e54", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a6d8b29-55f0-4eb8-817b-281fbddccd40", "create_time": 1764758755.9065409, "update_time": 1765478297.7937844, "name": "Determine infection vector", "order": 7, "tag": "e840c5b9-b804-4851-ace7-ed2b20e94374", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ef1d9524-231c-4c12-9544-f01fe50f0e9b", "create_time": 1764758755.9066322, "update_time": 1765478297.7938728, "name": "Document all attack targets", "order": 8, "tag": "2a1efed7-4cba-4f66-b7f4-c51555f6dafd", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "27b6ef2b-735d-4598-ab6e-6875f837a484", "create_time": 1764758755.9067245, "update_time": 1765478297.7939599, "name": "Document all attacker sources and TTP", "order": 9, "tag": "3ce58599-9e4e-4936-a604-9b2783fbb4be", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a2fdf16b-e79d-4cf6-8f57-026a2c0b63d0", "create_time": 1764758755.9068127, "update_time": 1765478297.794048, "name": "Document infected devices", "order": 10, "tag": "8854bf07-df2e-4536-a7ef-c268776eba0e", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a16d098a-10a7-4b53-a798-fd83c467ddb6", "create_time": 1764758755.9069023, "update_time": 1765478297.7941349, "name": "Determine full impact of attack", "order": 11, "tag": "2419ca1b-fa9e-4443-8334-4642877218c4", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92b46948-e8f0-4194-9ada-76bbf21bea3a", "create_time": 1764758755.9069924, "update_time": 1765478297.7942424, "name": "Analyze malware samples", "order": 12, "tag": "7486b744-568f-4a71-b6ab-6c18b0975234", "description": 
"Analyze%20discovered%20malware%20and%20document%20indicators%20of%20compromise%20(IOCs).%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1cfc9549-b74f-4dfd-b1c5-956b1587e546", "create_time": 1765478297.7946434, "update_time": 1765478297.7946439, "name": "Containment", "order": 3, "tasks": [{"id": "91691144-6812-44e7-ae84-769b7c91778f", "create_time": 1764758755.9071276, "update_time": 1765478297.7943835, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "fa5fbdd4-4224-460f-80b1-081083c3a8e5", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "884da2c4-4fb8-494f-bd5a-2c0eacb81646", "create_time": 1764758755.9072351, "update_time": 1765478297.794471, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": "f735a650-8d7e-42ee-95fa-ca8122e29df4", "description": "Suggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b6fd766-744a-4ada-9612-9934ff090668", "create_time": 1764758755.9073257, "update_time": 
1765478297.7945688, "name": "Contain incident", "order": 3, "tag": "de5b8d96-bc90-47e5-a707-4b4ce273b2f5", "description": "Suggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A8.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A9.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A10.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A11.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A12.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a5675456-ec54-4045-beb4-d521f14192cc", "create_time": 1765478297.7949696, "update_time": 1765478297.7949698, "name": "Eradication", "order": 4, "tasks": [{"id": "74739ca3-8849-4d32-b41f-6dcf53ab6598", "create_time": 1764758755.9074597, "update_time": 1765478297.7947214, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "160a14ef-e1d7-46db-9a35-5e452602416a", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", 
"is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf7fc36c-f08b-4fda-89ec-95594bbf238c", "create_time": 1764758755.9075792, "update_time": 1765478297.794821, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "f02e09fa-0ed7-4ca7-a001-a6adcfe83437", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f5c72b7c-f274-4825-9b9f-5c34f8d384e9", "create_time": 1764758755.907677, "update_time": 1765478297.7949193, "name": "Repeat analysis and containment on any newly discovered infected hosts", "order": 3, "tag": "c8032097-7574-438a-8473-d614b8f135ff", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "50452b43-98af-43ab-bfb0-1e9f7368b2c9", "create_time": 1765478297.795289, "update_time": 1765478297.7952893, "name": "Recovery", "order": 5, "tasks": [{"id": "91a74317-f931-4ced-b4aa-6cdf54433221", "create_time": 1764758755.9079046, "update_time": 1765478297.7950459, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "c3c83a87-0d75-4d0a-b4e7-9fef0d60e5f4", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": 
[], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "91f6342d-a92b-4157-a124-5e87ab0c9827", "create_time": 1764758755.9080007, "update_time": 1765478297.7951343, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "27d8d5a5-4c1b-470c-b995-c39275b61444", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5840a534-399b-4ac1-b0bc-80927edf8f8b", "create_time": 1764758755.9080942, "update_time": 1765478297.7952387, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "085d0c66-3bb9-48c8-9403-0fc21217d77c", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "dd359232-b8be-435a-b5bc-1a5fd3e44559", "create_time": 1765478297.795616, "update_time": 1765478297.7956161, "name": "Post", "order": 6, "tasks": [{"id": "0f4c6d6e-5e22-4d2c-8de3-8fb45346b917", "create_time": 1764758755.908245, "update_time": 1765478297.7953663, "name": "Schedule after-action review meeting", "order": 1, "tag": "815e442f-e87d-42ef-81ea-5c13b4d1e3cf", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8864f28a-1b75-4317-b6e7-4088f8d19d9a", "create_time": 1764758755.9083498, "update_time": 1765478297.7954535, "name": "Generate incident response action report", "order": 2, 
"tag": "5a4862af-5001-4418-a48b-e028ef91b542", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "08014d2b-5977-45d2-a14e-519c990aed93", "create_time": 1764758755.9084463, "update_time": 1765478297.7955399, "name": "Report incident response complete", "order": 3, "tag": "4b12a641-8105-4b64-bd89-eef26fabb47a", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20complete.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "28753dcd-47c7-44ad-b85f-f840c3f0da96", "active": true, "used": false, "_user": "nobody", "_key": "c3326c0e-417c-46de-b79a-7a33e457b91b"} \ No newline at end of file diff --git a/response_templates/NIST80061.json b/response_templates/NIST80061.json deleted file mode 100644 index 225c2dd043..0000000000 --- a/response_templates/NIST80061.json +++ /dev/null 
@@ -1 +0,0 @@
-{"id": "475a4c40-0996-4b54-a634-711205549572", "create_time": 1765482414.4679432, "update_time": 1765482414.4679432, "name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765482414.4685507, "update_time": 1765482414.4685512, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765482414.4680352, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765482414.4681613, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765482414.4682908, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765482414.4683938, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765482414.4685001, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765482414.4691532, "update_time": 1765482414.469154, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765482414.4686282, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765482414.4687133, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765482414.4687974, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765482414.4688811, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765482414.4689677, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765482414.4690719, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765482414.4695153, "update_time": 1765482414.4695156, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765482414.4692445, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765482414.4693527, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765482414.469451, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765482414.4698043, "update_time": 1765482414.4698048, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765482414.46959, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765482414.4696727, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765482414.4697568, "name": "Implement 
additional monitoring", "order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765482414.4700096, "update_time": 1765482414.4700098, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765482414.469876, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765482414.4699602, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "475a4c40-0996-4b54-a634-711205549572"}
\ No newline at end of file
diff --git a/response_templates/NetworkIndicatorEnrichment.json b/response_templates/NetworkIndicatorEnrichment.json
deleted file mode 100644
index cad8f820e8..0000000000
--- a/response_templates/NetworkIndicatorEnrichment.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "8b1df498-d692-4212-a4fd-6b99b99e9027", "create_time": 1765481757.0347831, "update_time": 1765481757.0347831, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 6, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765481757.0357888, "update_time": 1765481757.0357893, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765481757.0349212, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765481757.0352638, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765481757.0354254, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765481757.0355642, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765481757.0357046, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "8b1df498-d692-4212-a4fd-6b99b99e9027"} \ No newline at end of file diff --git a/response_templates/SelfReplicatingMalware.json b/response_templates/SelfReplicatingMalware.json deleted file mode 100644 index 3a28c86a8a..0000000000 --- a/response_templates/SelfReplicatingMalware.json +++ /dev/null 
@@ -1 +0,0 @@
-{"id": "ec7f5b1d-f689-4ea7-b00c-703d062755ef", "create_time": 1764862816.2406306, "update_time": 1765478655.8295362, "name": "Self-Replicating Malware", "description": "This response template outlines a response to a potential infection by self-replicating malware (malware that propagates itself without human interaction). While there is much overlap between the response necessary for self-replicating malware and the response to any other malware, the ability to propagate from one system to the next automatically adds the potential for faster and more thorough infection of enterprise systems. Often the infection mechanism is a particular network service or shared resource, so an appropriate response tends to be a fast configuration change to contain the effect immediately.\n\nThis template is adapted from a modified version of the CERT Societe Generale Incident Response Methodology called Worm Infection Response. The full methodology is available at https://github.com/certsocietegenerale/IRM/blob/HEAD/EN/IRM-1-WormInfection.pdf and is covered under the Creative Commons Attribution 3.0 Imported license available at https://github.com/certsocietegenerale/IRM/blob/HEAD/LICENSE.md, while the CERT Societe Generale homepage is https://cert.societegenerale.com/en/.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "56b864aa-4f46-4eab-8631-15340fe85f3d", "create_time": 1765478655.800768, "update_time": 1765478655.8007686, "name": "Preparation", "order": 1, "tasks": [{"id": "ec3ed15c-7140-4e3d-ad5f-324edaf32d30", "create_time": 1764758755.867025, "update_time": 1765478655.8002567, "name": "Define team members", "order": 1, "tag": "a901e393-ab86-4ca7-95db-14d8774a60da", "description": 
"Determine%20which%20team%20members%20will%20play%20which%20role%20in%20the%20response%20and%20establish%20communications%20channels%20with%20all%20involved.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "faf9efef-e4dc-4100-98b4-3ed62777f915", "create_time": 1764758755.867135, "update_time": 1765478655.8004067, "name": "Check analysis tools", "order": 2, "tag": "6700e71f-245c-4f8c-b835-d91eaefe716b", "description": "Test%20connectivity,%20check%20patch%20level,%20and%20run%20example%20queries%20on%20all%20analysis%20tools.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A3.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A4.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A5.%20%20PhishTank%20(preconfigured)%0A6.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e8b572ad-9cb7-4a0b-accc-dc0d6bc672af", "create_time": 1764758755.867274, "update_time": 1765478655.8005216, "name": "Acquire architecture map", "order": 3, "tag": "10b5cc45-188d-4152-99c2-d9ee90a0df52", "description": "Find or build an up-to-date map of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], 
"actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "49e8c224-9ffe-472f-b5d5-d0134314ddc0", "create_time": 1764758755.8673825, "update_time": 1765478655.800613, "name": "Acquire asset inventory", "order": 4, "tag": "27d598df-8c52-4d6b-871d-93ee5ccdaf3f", "description": "Find%20or%20build%20an%20up-to-date%20inventory%20of%20all%20devices.%0A%0ASuggested%20Integrations%0A1.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd65385f-53f6-4b16-ae5b-8480703a5e29", "create_time": 1764758755.8674753, "update_time": 1765478655.8007166, "name": "Continuous monitoring", "order": 5, "tag": "3959e856-64e9-486e-a0b6-0cb97176c283", "description": "Monitor threat trends and system activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d8781b52-5f94-496a-9221-20af11959541", "create_time": 1765478655.8011546, "update_time": 1765478655.8011549, "name": "Identification", "order": 2, "tasks": [{"id": "0fc8d25d-2b92-4617-b573-518330fb9da1", "create_time": 1764758755.867626, "update_time": 1765478655.8008454, "name": "Detect the infection", "order": 1, "tag": "27c2ab29-35d9-4643-9216-85a8c201e0ed", "description": 
"Detect%20abnormalities%20and%20potential%20infections%20using%20endpoint%20and%20network%20intrusion%20detection%20systems,%20application%20logs,%20authentication%20logs,%20system%20load%20monitoring,%20notification%20from%20external%20sources,%20and%20other%20methods.%20Seek%20a%20repeatable%20detection%20that%20is%20as%20reliable%20as%20possible,%20as%20future%20steps%20call%20for%20checking%20and%20re-checking%20to%20monitor%20progress.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "709ed3e1-de9b-421a-b7b2-eae661d66b04", "create_time": 1764758755.867718, "update_time": 1765478655.8009667, "name": "Identify the infection", "order": 2, "tag": "fcd59f33-221b-43aa-a26f-7a7536dc298a", "description": 
"Compare%20the%20known%20symptoms%20to%20all%20available%20threat%20intelligence%20and%20try%20to%20identify%20the%20threat%20as%20specifically%20as%20possible.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A6.%20%5BIndicators%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/threat_artifacts)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "07f7f8bf-c7d0-4312-a878-1cc5910284e3", "create_time": 1764758755.8678086, "update_time": 1765478655.8010774, "name": "Assess the perimeter of the infection", "order": 3, "tag": "d5aa1644-4d52-4274-92b7-c8b9e33b56e0", "description": "Check%20systems%20in%20different%20parts%20of%20the%20organization%20to%20define%20the%20perimeter%20of%20the%20infection%20and%20assess%20the%20potential%20business%20impact.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", 
"owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b077cd75-7ba9-467c-a53e-bfcea36eb013", "create_time": 1765478655.8017411, "update_time": 1765478655.8017416, "name": "Containment", "order": 3, "tasks": [{"id": "3aee7278-0f5f-48ff-ad16-9ddaec267689", "create_time": 1764758755.8679423, "update_time": 1765478655.80125, "name": "Disconnect infected areas from the internet", "order": 1, "tag": "e53fd536-8058-4a06-8c6c-e6fc9467ddf8", "description": "Stop%20command%20and%20control%20behavior%20and%20further%20propagation%20by%20disconnecting%20affected%20areas%20from%20the%20internet.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "50bcd8ba-7edc-4b44-8a04-fdd5ee6daa0b", "create_time": 1764758755.8680344, "update_time": 1765478655.8013616, "name": "Isolate infected area from all networks", "order": 2, "tag": "884437ea-ff98-40f7-999d-69efd55841ae", "description": 
"Enforce%20more%20strict%20network%20segmentation%20to%20prevent%20further%20internal%20spreading.%20Consider%20disconnecting%20mobile%20devices%20and%20laptops%20to%20minimize%20the%20propagation%20surface.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ff5509b-ae70-431c-ac11-f4445d9bd890", "create_time": 1764758755.8681533, "update_time": 1765478655.8014727, "name": "Monitor business-critical network connections that cannot be disconnected", "order": 3, "tag": "400bb1f4-670c-4503-91a0-fe813d7285f2", "description": 
"For%20those%20applications%20that%20cannot%20be%20disconnected%20due%20to%20continuity%20needs,%20increase%20monitoring%20and%20analyze%20traffic%20for%20malicious%20activity.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d220afbd-3306-4e8a-ad41-3028fb9f309f", "create_time": 1764758755.8682685, "update_time": 1765478655.8015823, "name": "Neutralize propagation vectors", "order": 4, "tag": "92bef873-aca9-4ef8-946b-edfb9ce66e36", "description": 
"Deploy%20patches,%20change%20configurations,%20sinkhole%20domains,%20re-image%20systems,%20stop%20services,%20or%20take%20other%20appropriate%20actions%20to%20prevent%20further%20propagation%20using%20all%20known%20vectors.%20Notify%20users%20of%20changes%20that%20will%20affect%20them%20and/or%20request%20their%20assistance%20for%20manual%20neutralization%20steps.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "640ecd84-2bff-4b55-b16e-2f00b863cfe0", "create_time": 1764758755.8683593, "update_time": 1765478655.8016906, "name": "Monitor progress", "order": 5, "tag": "66412e78-657c-4f0d-a15a-2533d1b9a948", "description": "Re-check neutralized systems and repeat or improve processes to cover important systems as quickly as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4999e420-9fa9-46ea-9da3-4ffb078c45a0", "create_time": 1765478655.8021305, "update_time": 1765478655.802131, "name": "Remediation", "order": 4, "tasks": [{"id": "06bd975f-1fb6-4333-b714-27ce6a1ced40", "create_time": 1764758755.8684924, "update_time": 1765478655.8018172, "name": "Identify", "order": 1, "tag": "7f4c59cc-2f64-459c-8245-31bb42439ea9", "description": "Consider vendor fixes, antivirus updates, external support options, and custom solutions. 
Use these to define a disinfection process and validate it with a reputable source if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "93e47407-dfd0-40ba-a01d-1ef596ee0c42", "create_time": 1764758755.8685825, "update_time": 1765478655.8019052, "name": "Test", "order": 2, "tag": "e0cc2310-9631-4a7f-b637-79d890e0a79a", "description": "Test the disinfection process on a system that is as close to a production configuration as possible and verify that it works while not damaging any service.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "448524ff-39de-428d-95f7-2cc16c03ea28", "create_time": 1764758755.8686728, "update_time": 1765478655.801993, "name": "Deploy", "order": 3, "tag": "69ea1765-0326-4559-9f52-0202bcd1684e", "description": "Deploy the process and scale it up if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "154ef40e-9a4e-4072-b222-e4b5c286ce4f", "create_time": 1764758755.8687656, "update_time": 1765478655.8020792, "name": "Confirm", "order": 4, "tag": "ec04ad38-972d-40d5-9672-64ccce7f2ebc", "description": "Confirm that the malware did not block remediations and find a workaround if it did.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "46c10e9a-74fd-4c28-ae23-80c66c6959ff", "create_time": 1765478655.802708, "update_time": 1765478655.8027081, "name": "Recovery", 
"order": 5, "tasks": [{"id": "b5137ace-0638-4c0d-bf3a-89808acb2796", "create_time": 1764758755.8689115, "update_time": 1765478655.8022254, "name": "Verify Containment and Remediation", "order": 1, "tag": "11e7491e-04ec-46dd-8763-7f7259aa86a9", "description": "Review current progress towards remediation by re-checking systems.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "916ce97e-d38f-41bd-8e31-fd4ebac266fa", "create_time": 1764758755.8690028, "update_time": 1765478655.8023124, "name": "Reopen propagation network mechanism", "order": 2, "tag": "3e4bb0aa-beab-472e-b19a-5d0974e25942", "description": "Turn off network enforcement for a segment of the network and monitor for new attempts to reinfect.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d6b12db-a684-4eee-b942-8d720c1e7c1a", "create_time": 1764758755.8690934, "update_time": 1765478655.8024004, "name": "Reconnect isolated sub-areas to each other", "order": 3, "tag": "ecd50bc1-ba91-4333-b50e-8065b2552e83", "description": "Turn off inter-area network enforcement and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "77f860e3-1ab9-47f4-b9f5-29b02f762628", "create_time": 1764758755.8692014, "update_time": 1765478655.8024862, "name": "Reconnect mobile devices", "order": 4, "tag": "786a211c-5a54-4465-a6ae-fb26047d3d77", "description": "Reconnect mobile devices and laptops to monitor for persistence and check coverage across all device categories.", "owner": "", "is_note_required": false, "status": 
"Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "eea6a167-30bf-434e-a7a5-7f0af8bd0ec6", "create_time": 1764758755.8692956, "update_time": 1765478655.802572, "name": "Reconnect isolated areas to main enterprise network", "order": 5, "tag": "739634b9-8f30-4fb4-b531-8f3e1bb5dcbc", "description": "Disable network enforcement between cleaned areas and the rest of the network while monitoring for reinfection.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "7947c3e9-c721-44ad-92e5-cbda84dd7687", "create_time": 1764758755.8693867, "update_time": 1765478655.8026576, "name": "Reconnect to the internet", "order": 6, "tag": "d80ab11b-58f4-4aed-a533-93f344fdc898", "description": "Reconnect to the internet and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "76b0e701-8fe2-49da-a85d-c100fc2a3a19", "create_time": 1765478655.80292, "update_time": 1765478655.8029208, "name": "Aftermath", "order": 6, "tasks": [{"id": "bb39e701-edec-47a4-a5d9-47483140b788", "create_time": 1764758755.8695176, "update_time": 1765478655.8027844, "name": "Build crisis report", "order": 1, "tag": "bb5d871c-99f4-408a-8a1e-9efa55ff1465", "description": "Notify affected parties with as much detail as is appropriate. 
Consider the initial cause of the infection, actions and timelines of important events, what went right, what went wrong, and the incident cost.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4a48b7c9-f36d-412f-a2e2-c369a98d4261", "create_time": 1764758755.8696067, "update_time": 1765478655.8028712, "name": "Improve processes", "order": 2, "tag": "114c1009-376f-4715-a825-145c3dbcbba0", "description": "Capitalize on the experience by improving the processes that were used, creating new processes where needed, and automating that which is generalizable and repeatable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "633942a9-b466-49c5-9cb0-1a4488da8473", "active": true, "used": false, "_user": "nobody", "_key": "ec7f5b1d-f689-4ea7-b00c-703d062755ef"} \ No newline at end of file diff --git a/response_templates/SuspiciousEmail.json b/response_templates/SuspiciousEmail.json deleted file mode 100644 index 0ba80ed93b..0000000000 --- a/response_templates/SuspiciousEmail.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "a72d40f3-a567-48e2-9fd3-c29db06c3907", "create_time": 1765479748.831508, "update_time": 1765479748.831508, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 35, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1765479748.831965, "update_time": 1765479796.6274312, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1765479796.626802, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1765479796.6270301, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1765479796.627336, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1765479748.832889, "update_time": 1765479796.6289487, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1765479796.6275756, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1765479796.6279, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1765479796.62813, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1765479796.6283174, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1765479796.6285076, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1765479796.6287827, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1765479748.8334155, "update_time": 1765479796.6299407, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1765479796.6290972, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1765479796.629352, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1765479796.6295755, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1765479796.6298037, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1765479748.8340182, "update_time": 1765479796.6310995, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1765479796.6300797, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1765479796.6303134, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1765479796.6305444, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1765479796.6307607, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1765479796.6309698, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1765479748.8343027, "update_time": 1765479796.6315908, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1765479796.631251, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1765479796.631454, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A4.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1765479748.8349223, "update_time": 1765479796.6327975, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1765479796.6317682, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1765479796.631959, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1765479796.6321607, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": 
"If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1765479796.6323862, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. 
Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1765479796.6325488, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1765479796.6327078, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "a72d40f3-a567-48e2-9fd3-c29db06c3907"}
\ No newline at end of file
diff --git a/response_templates/VulnerabilityDisclosure.json b/response_templates/VulnerabilityDisclosure.json
deleted file mode 100644
index 5cd3ef22f0..0000000000
--- a/response_templates/VulnerabilityDisclosure.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc", "create_time": 1764862787.2717, "update_time": 1765478160.218586, "name": "Vulnerability Disclosure", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 10, "phases": [{"id": "63140a0e-8d42-4aba-943a-899170cc7fd3", "create_time": 1765478079.1544676, "update_time": 1765478160.185931, "name": "Understand the vulnerability", "order": 1, "tasks": [{"id": "c2906aa1-2ba2-4d46-b927-04a348dfc8ed", "create_time": 1764758755.9402392, "update_time": 1765478160.1855013, "name": "Research types of systems that are affected", "order": 1, "tag": "f0045b4e-6680-4782-b80b-ba292805d290", "description": "Research%20the%20known%20hardware%20or%20software%20systems%20and%20versions%20that%20are%20affected.%20If%20possible%20use,%20a%20vulnerability%20database%20or%20software%20composition%20analysis%20solution%20to%20walk%20the%20dependency%20chain%20and%20evaluate%20the%20scope%20of%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd74c974-5d88-4136-aae1-13642d0f5bb5", "create_time": 1764758755.9403417, "update_time": 1765478160.185846, "name": 
"Research how the vulnerability works", "order": 2, "tag": "207e6bdb-1eed-41f8-9ee6-f87bf260978a", "description": "Research%20the%20mechanism%20that%20makes%20the%20system%20vulnerable%20and%20the%20conditions%20in%20which%20the%20system%20is%20vulnerable.%20Often%20there%20are%20certain%20configurations,%20software%20packages,%20system%20states,%20operating%20modes,%20and%20other%20characteristics%20that%20make%20a%20vulnerability%20exploitable%20and%20affect%20the%20impact%20if%20exploited.%20Assess%20the%20difficulty%20to%20exploit%20the%20vulnerability%20and%20the%20reliability%20of%20the%20exploit.%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D(/app/SplunkEnterpriseSecuritySuite/ess_use_case_library)%0A2.%20%5BSplunk%20Security%20Content%5D(https://research.splunk.com/)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "0e4796c9-bcb5-4837-b0cd-7c83b40dd2c3", "create_time": 1765478079.1550362, "update_time": 1765478160.1863368, "name": "Understand impact to the organization", "order": 2, "tasks": [{"id": "6dc2dedf-7fe4-4d02-bc74-4b386a320460", "create_time": 1764758755.940481, "update_time": 1765478160.186015, "name": "Find potentially affected systems", "order": 1, "tag": "b5bcfe17-e8a5-40a0-984c-c8fefe77093c", "description": 
"Check%20the%20internal%20environment%20and%20dependencies%20of%20the%20organization%20for%20the%20software%20or%20hardware%20that%20is%20vulnerable.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A7.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "26f32c1e-5de3-4565-9a72-c17aa0dfee4e", "create_time": 1764758755.9405725, "update_time": 1765478160.186133, "name": "Determine exploitability", "order": 2, "tag": "9b967031-b163-4c25-a971-011f10df8051", "description": "Check%20for%20exploitable%20conditions.%20If%20appropriate,%20attempt%20to%20implement%20the%20vulnerability%20or%20use%20a%20safe%20proof%20of%20concept%20to%20verify%20exploitability.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1f4e957a-1bc6-4b22-b222-44c845454b45", "create_time": 1764758755.9406626, "update_time": 1765478160.1862617, "name": "Investigate possible exploitation", "order": 3, "tag": 
"b944edaa-aa8a-4877-8b78-f022580d2731", "description": "Investigate%20whether%20or%20not%20vulnerable%20systems%20were%20exploited.%20Use%20the%20particular%20behavior%20of%20the%20exploit%20and%20likely%20post-exploitation%20techniques%20to%20narrow%20down%20the%20search%20for%20exploited%20systems.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "e8928704-4ba7-41c1-abba-a0444d548fe0", "create_time": 1765478079.1552103, "update_time": 1765478160.1864805, "name": "Decide how to respond", "order": 3, "tasks": [{"id": "860d180e-5d53-4eb7-b867-97ad48f470e6", "create_time": 1764758755.9407957, "update_time": 1765478160.1864188, "name": "Evaluate patches, workarounds, and service outages", "order": 1, "tag": "23a1b3d3-d2db-40d9-9a96-39a154c94ff0", "description": "Consider%20how%20mitigations,%20remediations,%20and%20forced%20system%20shutdowns%20affect%20the%20situation.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1559a28c-3e76-4910-a22e-f5e6977d0647", "create_time": 1765478079.1555555, "update_time": 1765478160.1868198, "name": "Execute the response", "order": 4, "tasks": [{"id": "1d4394f7-8781-4802-a6a2-7d77b655a9ee", "create_time": 1764758755.9409366, "update_time": 1765478160.1865623, "name": "Remediate", "order": 1, "tag": "6e13819e-dfdf-4e48-90fa-95c7ddfc139c", "description": "Apply%20patches,%20upgrades,%20configuration%20changes,%20or%20state%20changes%20that%20can%20remediate%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "43f50b91-ee22-4731-a5fe-c6b4463134cf", "create_time": 1764758755.941027, "update_time": 1765478160.186665, "name": "Mitigate", "order": 2, "tag": "5c813f0c-e55c-492a-933b-59b99ad11071", "description": "Apply%20workarounds,%20temporary%20fixes,%20additional%20hardening,%20new%20security%20tools,%20new%20detections,%20and%20other%20mitigations%20to%20reduce%20risk.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "90f60618-b458-4baa-ae0d-af0fe1c4b3ec", "create_time": 1764758755.941116, "update_time": 1765478160.1867695, "name": "Document accepted risks", "order": 3, "tag": "47c9830a-c0e1-4b75-ae76-4b5e0cddbf5c", "description": "Document remaining risk and notify stakeholders.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "b0687c98-dcde-4d9a-bf6f-4a31859fef16", "active": true, "used": false, "_user": "nobody", "_key": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc"}
\ No newline at end of file
From 039929bf961ce065d9035890f71304fcc281cd28 Mon Sep 17 00:00:00 2001
From: Christian Cloutier
Date: Thu, 11 Dec 2025 15:52:43 -0500
Subject: [PATCH 35/44] Initial version of Response Templates
---
 response_templates/AccountCompromise_v14.json | 1 +
 response_templates/DataBreach_v15.json | 1 +
 response_templates/GenericIncidentResponse_v13.json | 1 +
 response_templates/NIST80061_v14.json | 1 +
 response_templates/NetworkIndicatorEnrichment_6.json | 1 +
 response_templates/SelfReplicatingMalware_14.json | 1 +
 response_templates/SuspiciousEmail_v35.json | 1 +
 response_templates/VulnerabilityDisclosure_v10.json | 1 +
 8 files changed, 8 insertions(+)
 create mode 100644 response_templates/AccountCompromise_v14.json
 create mode 100644 response_templates/DataBreach_v15.json
 create mode 100644 response_templates/GenericIncidentResponse_v13.json
 create mode 100644 response_templates/NIST80061_v14.json
 create mode 100644 response_templates/NetworkIndicatorEnrichment_6.json
 create mode 100644 response_templates/SelfReplicatingMalware_14.json
 create mode 100644 response_templates/SuspiciousEmail_v35.json
 create mode 100644 response_templates/VulnerabilityDisclosure_v10.json
diff --git a/response_templates/AccountCompromise_v14.json b/response_templates/AccountCompromise_v14.json
new file mode 100644
index 0000000000..a215ad7ee6
--- /dev/null
+++ b/response_templates/AccountCompromise_v14.json
@@ -0,0 +1 @@ +{"id": "94198adf-1fc1-4c2d-8c94-baf4523bee4f", "create_time": 1765479652.5729501, "update_time": 1765479652.5729501, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765479652.5742395, "update_time": 1765479652.57424, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765479652.5730562, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765479652.573373, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765479652.5734894, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765479652.5735939, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765479652.5736716, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765479652.573762, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765479652.5738606, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765479652.573958, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765479652.5740716, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765479652.5741494, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765479652.574572, "update_time": 1765479652.5745726, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765479652.5743093, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765479652.5744092, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765479652.5745091, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765479652.5748563, "update_time": 1765479652.5748568, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765479652.57464, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765479652.574736, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765479652.574812, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "94198adf-1fc1-4c2d-8c94-baf4523bee4f"} \ No newline at end of file diff --git a/response_templates/DataBreach_v15.json b/response_templates/DataBreach_v15.json new file mode 100644 index 0000000000..3534746ef5 --- /dev/null +++ b/response_templates/DataBreach_v15.json 
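Review bot: The "Disable account" task in the Containment, Eradication, and Recovery phase tells the responder to "disable the account or reset credentials", which understates what containment of a compromised account needs: a password reset leaves already-issued sessions, OAuth refresh tokens, API keys and Kerberos tickets valid, and an attacker-enrolled MFA factor or app password survives it. I would extend that description to `disable the account or reset credentials, revoke active sessions and refresh/API tokens, and review MFA factors and app passwords enrolled during the compromise window`, so the task actually closes the access that the earlier "Detect persistent system access" task is looking for. Separately, this file mixes percent-encoded descriptions (most tasks) with plain-text ones ("Estimate impact", "Enumerate other similarly vulnerable accounts", "Tune prevention systems", "Tune detection systems"); a loader that unconditionally URL-decodes will corrupt any literal `%` in the plain ones and one that does not will display `%20`, so confirm which form the template loader expects and apply it uniformly.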
@@ -0,0 +1 @@ +{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 15, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"} \ No newline at end of file 
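Review bot: The "Identify likely means of exfiltration" task cites `https://attack.mitre.org/wiki/Persistence` as the reference for common exfiltration mechanisms, which points at the wrong tactic (Persistence) through a legacy wiki path; the Exfiltration tactic is TA0010, so the reference should read `https://attack.mitre.org/tactics/TA0010/`, matching the `tactics/TAxxxx/` form the Account Compromise template uses. In the "Measure the size and scope" task the link label `Port%20and%20Protocol%20TrackerDashboard` is missing the space before `Dashboard`. The template-level `"description"` is empty, unlike Account Compromise, so the template library will show no summary of when this plan applies; a one-paragraph description of the breach scenario it covers would be worth adding. I would also note that the "Stop exfiltration" and "Remove persistent adversaries" phases precede any evidence-preservation step, and since the "Report to appropriate stakeholders" phase anticipates regulatory notification, a task to preserve logs and images of affected systems before remediation presumably belongs early in the plan.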
diff --git a/response_templates/GenericIncidentResponse_v13.json b/response_templates/GenericIncidentResponse_v13.json
new file mode 100644
index 0000000000..631cedc8eb
--- /dev/null
+++ b/response_templates/GenericIncidentResponse_v13.json
@@ -0,0 +1 @@ +{"id": "c3326c0e-417c-46de-b79a-7a33e457b91b", "create_time": 1764862802.518435, "update_time": 1765478297.8226988, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 13, "phases": [{"id": "c8c1bb29-a14c-4230-ba02-283f98645b90", "create_time": 1765478297.7930639, "update_time": 1765478297.7930644, "name": "Detection", "order": 1, "tasks": [{"id": "76fd8383-b2f7-47d8-b952-49a60105c23f", "create_time": 1764758755.9055116, "update_time": 1765478297.7925363, "name": "Report incident response execution", "order": 1, "tag": "69c9baf1-bd12-4b09-b6b6-a77df9428682", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c62f8956-c622-4c11-a664-9d68661f2df1", "create_time": 1764758755.905616, "update_time": 1765478297.7928247, "name": "Document associated events", "order": 2, "tag": "8ca56a2a-f0d7-43c1-96e3-06bac95deffe", "description": "This is the escalation. 
Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8e84a157-60e0-4914-97e7-a59936ba4fcf", "create_time": 1764758755.9057095, "update_time": 1765478297.7929223, "name": "Document known attack surface and attacker information", "order": 3, "tag": "604e26c0-fb5a-4320-9d95-ef887d406d71", "description": "Rough triage of the situation. No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ea952b70-0c68-4750-b791-7489117f5a3a", "create_time": 1764758755.9058, "update_time": 1765478297.7930133, "name": "Assign roles", "order": 4, "tag": "389fce05-2170-4971-aabb-da3d88ea668a", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "816cf263-fcdd-45d6-8f5f-f4c5c3f638bd", "create_time": 1765478297.7943053, "update_time": 1765478297.7943058, "name": "Analysis", "order": 2, "tasks": [{"id": "2444a355-821e-4485-86c5-03c836cba7c5", "create_time": 1764758755.9059348, "update_time": 1765478297.7931442, "name": "Research intelligence resources", "order": 1, "tag": "595d75bb-316e-4dec-bfc6-6729d3e7b280", "description": 
"Find%20out%20if%20this%20attacker%20is%20a%20known%20agent%20and%20gather%20associated%20tactics,%20techniques,%20and%20procedures%20(TTP)%20used.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%203.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a947eacc-04e3-485e-bac4-6566e85df173", "create_time": 1764758755.9060266, "update_time": 1765478297.7932744, "name": "Research proxy logs", "order": 2, "tag": "7586c74e-6844-45bb-9535-4924752ff0de", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bfa0b1ad-7bb1-484d-bcfa-16df7989518c", "create_time": 1764758755.906122, "update_time": 1765478297.7933776, "name": "Research firewall logs", "order": 3, "tag": "5f7e4c57-343a-4a5c-8c90-643bdb578dbb", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0168209e-eb24-4a5a-b72a-7c074a96a19c", "create_time": 1764758755.906265, "update_time": 1765478297.7934852, "name": "Research OS logs", "order": 4, "tag": "357d8065-7af2-4968-a52e-1daba8d36bcb", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "82beb15d-df47-49e4-a504-6a7dd5f33558", "create_time": 1764758755.9063575, "update_time": 1765478297.7935877, "name": "Research network logs", "order": 5, "tag": "f5aabd39-0213-498c-9a91-db8b62c1d262", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d339af9b-fdfb-4944-8f9a-6febf9fbceb3", "create_time": 1764758755.9064476, "update_time": 1765478297.7936852, "name": "Research endpoint protection logs", "order": 6, "tag": "a0d0a5b6-e961-470a-8fed-2fd0f1f56e54", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a6d8b29-55f0-4eb8-817b-281fbddccd40", "create_time": 1764758755.9065409, "update_time": 1765478297.7937844, "name": "Determine infection vector", "order": 7, "tag": "e840c5b9-b804-4851-ace7-ed2b20e94374", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ef1d9524-231c-4c12-9544-f01fe50f0e9b", "create_time": 1764758755.9066322, "update_time": 1765478297.7938728, "name": "Document all attack targets", "order": 8, "tag": "2a1efed7-4cba-4f66-b7f4-c51555f6dafd", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "27b6ef2b-735d-4598-ab6e-6875f837a484", "create_time": 1764758755.9067245, "update_time": 1765478297.7939599, "name": "Document all attacker sources and TTP", "order": 9, "tag": "3ce58599-9e4e-4936-a604-9b2783fbb4be", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a2fdf16b-e79d-4cf6-8f57-026a2c0b63d0", "create_time": 1764758755.9068127, "update_time": 1765478297.794048, "name": "Document infected devices", "order": 10, "tag": "8854bf07-df2e-4536-a7ef-c268776eba0e", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a16d098a-10a7-4b53-a798-fd83c467ddb6", "create_time": 1764758755.9069023, "update_time": 1765478297.7941349, "name": "Determine full impact of attack", "order": 11, "tag": "2419ca1b-fa9e-4443-8334-4642877218c4", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92b46948-e8f0-4194-9ada-76bbf21bea3a", "create_time": 1764758755.9069924, "update_time": 1765478297.7942424, "name": "Analyze malware samples", "order": 12, "tag": "7486b744-568f-4a71-b6ab-6c18b0975234", "description": 
"Analyze%20discovered%20malware%20and%20document%20indicators%20of%20compromise%20(IOCs).%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1cfc9549-b74f-4dfd-b1c5-956b1587e546", "create_time": 1765478297.7946434, "update_time": 1765478297.7946439, "name": "Containment", "order": 3, "tasks": [{"id": "91691144-6812-44e7-ae84-769b7c91778f", "create_time": 1764758755.9071276, "update_time": 1765478297.7943835, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "fa5fbdd4-4224-460f-80b1-081083c3a8e5", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "884da2c4-4fb8-494f-bd5a-2c0eacb81646", "create_time": 1764758755.9072351, "update_time": 1765478297.794471, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": "f735a650-8d7e-42ee-95fa-ca8122e29df4", "description": "Suggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b6fd766-744a-4ada-9612-9934ff090668", "create_time": 1764758755.9073257, "update_time": 
1765478297.7945688, "name": "Contain incident", "order": 3, "tag": "de5b8d96-bc90-47e5-a707-4b4ce273b2f5", "description": "Suggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A8.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A9.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A10.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A11.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A12.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a5675456-ec54-4045-beb4-d521f14192cc", "create_time": 1765478297.7949696, "update_time": 1765478297.7949698, "name": "Eradication", "order": 4, "tasks": [{"id": "74739ca3-8849-4d32-b41f-6dcf53ab6598", "create_time": 1764758755.9074597, "update_time": 1765478297.7947214, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "160a14ef-e1d7-46db-9a35-5e452602416a", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", 
"is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf7fc36c-f08b-4fda-89ec-95594bbf238c", "create_time": 1764758755.9075792, "update_time": 1765478297.794821, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "f02e09fa-0ed7-4ca7-a001-a6adcfe83437", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f5c72b7c-f274-4825-9b9f-5c34f8d384e9", "create_time": 1764758755.907677, "update_time": 1765478297.7949193, "name": "Repeat analysis and containment on any newly discovered infected hosts", "order": 3, "tag": "c8032097-7574-438a-8473-d614b8f135ff", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "50452b43-98af-43ab-bfb0-1e9f7368b2c9", "create_time": 1765478297.795289, "update_time": 1765478297.7952893, "name": "Recovery", "order": 5, "tasks": [{"id": "91a74317-f931-4ced-b4aa-6cdf54433221", "create_time": 1764758755.9079046, "update_time": 1765478297.7950459, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "c3c83a87-0d75-4d0a-b4e7-9fef0d60e5f4", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": 
[], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "91f6342d-a92b-4157-a124-5e87ab0c9827", "create_time": 1764758755.9080007, "update_time": 1765478297.7951343, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "27d8d5a5-4c1b-470c-b995-c39275b61444", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5840a534-399b-4ac1-b0bc-80927edf8f8b", "create_time": 1764758755.9080942, "update_time": 1765478297.7952387, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "085d0c66-3bb9-48c8-9403-0fc21217d77c", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "dd359232-b8be-435a-b5bc-1a5fd3e44559", "create_time": 1765478297.795616, "update_time": 1765478297.7956161, "name": "Post", "order": 6, "tasks": [{"id": "0f4c6d6e-5e22-4d2c-8de3-8fb45346b917", "create_time": 1764758755.908245, "update_time": 1765478297.7953663, "name": "Schedule after-action review meeting", "order": 1, "tag": "815e442f-e87d-42ef-81ea-5c13b4d1e3cf", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8864f28a-1b75-4317-b6e7-4088f8d19d9a", "create_time": 1764758755.9083498, "update_time": 1765478297.7954535, "name": "Generate incident response action report", "order": 2, 
"tag": "5a4862af-5001-4418-a48b-e028ef91b542", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "08014d2b-5977-45d2-a14e-519c990aed93", "create_time": 1764758755.9084463, "update_time": 1765478297.7955399, "name": "Report incident response complete", "order": 3, "tag": "4b12a641-8105-4b64-bd89-eef26fabb47a", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20complete.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "28753dcd-47c7-44ad-b85f-f840c3f0da96", "active": true, "used": false, "_user": "nobody", "_key": "c3326c0e-417c-46de-b79a-7a33e457b91b"} \ No newline at end of file diff --git a/response_templates/NIST80061_v14.json b/response_templates/NIST80061_v14.json new file mode 100644 index 0000000000..225c2dd043 --- /dev/null +++ b/response_templates/NIST80061_v14.json 
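Review bot: Every task in this template, including the destructive ones under Containment and Eradication ("Contain incident", which lists firewall, EDR and IdP integrations, and "Remove malware, inappropriate materials and other components"), ships with `"is_note_required": false`, so an analyst can close a block/disable/wipe step with no written record of what was done and to which assets. A required note is the cheapest audit trail the template can enforce; suggest `"is_note_required": true` on "Acquire, preserve, secure, and document evidence", "Contain incident" and the two Eradication removal tasks, assuming the platform enforces the flag at task completion (inferred from the field name, not shown here). Two text defects in the encoded descriptions: "Research intelligence resources" numbers VirusTotal as `3.%203.%20%5BVirusTotal%20v3%5D` (duplicated "3.") and "Contain incident" has a leading space inside the link text `%5B%20Palo%20Alto%5D`. Descriptions also mix percent-encoded markdown with plain text ("This is the escalation. Create a notable...", "Find and document how the initial infection occurred."); whichever form the consumer decodes, use one consistently so a literal `%` in a plain description cannot be mis-decoded.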
@@ -0,0 +1 @@ +{"id": "475a4c40-0996-4b54-a634-711205549572", "create_time": 1765482414.4679432, "update_time": 1765482414.4679432, "name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765482414.4685507, "update_time": 1765482414.4685512, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765482414.4680352, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765482414.4681613, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765482414.4682908, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765482414.4683938, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765482414.4685001, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765482414.4691532, "update_time": 1765482414.469154, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765482414.4686282, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765482414.4687133, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765482414.4687974, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765482414.4688811, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765482414.4689677, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765482414.4690719, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765482414.4695153, "update_time": 1765482414.4695156, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765482414.4692445, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765482414.4693527, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765482414.469451, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765482414.4698043, "update_time": 1765482414.4698048, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765482414.46959, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765482414.4696727, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765482414.4697568, "name": "Implement 
additional monitoring", "order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765482414.4700096, "update_time": 1765482414.4700098, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765482414.469876, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765482414.4699602, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "475a4c40-0996-4b54-a634-711205549572"} \ No newline at end of file diff --git a/response_templates/NetworkIndicatorEnrichment_6.json b/response_templates/NetworkIndicatorEnrichment_6.json new file mode 100644 index 0000000000..cad8f820e8 --- /dev/null +++ b/response_templates/NetworkIndicatorEnrichment_6.json 
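Review bot: The template `name` is percent-encoded (`"NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide"`) while the sibling templates in this commit use plain names (`"Generic Incident Response"`, `"Network Indicator Enrichment"`); unless the consumer decodes the name field the way it presumably does for descriptions, this will be listed verbatim with `%20` in it — suggest `"name": "NIST 800-61: Computer Security Incident Handling Guide"`. This export also carries `"used": true` where the other two templates carry `false`; if that flag reflects instance state from the environment the template was exported from rather than intended shipped metadata, reset it before publishing. The "Report incident" description contains `to%20the%20the%20appropriate` (doubled "the"). As in the generic template, the containment and eradication tasks ("Contain incident", "Remove malicious content") have `"is_note_required": false`; consider `true` so that blocking, account-disable and removal actions leave a written record. The name pins no revision of 800-61, so consider stating which revision the phase structure follows.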
@@ -0,0 +1 @@
+{"id": "8b1df498-d692-4212-a4fd-6b99b99e9027", "create_time": 1765481757.0347831, "update_time": 1765481757.0347831, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 6, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765481757.0357888, "update_time": 1765481757.0357893, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765481757.0349212, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765481757.0352638, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765481757.0354254, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765481757.0355642, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765481757.0357046, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "8b1df498-d692-4212-a4fd-6b99b99e9027"} \ No newline at end of file diff --git a/response_templates/SelfReplicatingMalware_14.json b/response_templates/SelfReplicatingMalware_14.json new file mode 100644 index 0000000000..3a28c86a8a --- /dev/null +++ b/response_templates/SelfReplicatingMalware_14.json 
@@ -0,0 +1 @@
+{"id": "ec7f5b1d-f689-4ea7-b00c-703d062755ef", "create_time": 1764862816.2406306, "update_time": 1765478655.8295362, "name": "Self-Replicating Malware", "description": "This response template outlines a response to a potential infection by self-replicating malware (malware that propagates itself without human interaction). While there is much overlap between the response necessary for self-replicating malware and the response to any other malware, the ability to propagate from one system to the next automatically adds the potential for faster and more thorough infection of enterprise systems. Often the infection mechanism is a particular network service or shared resource, so an appropriate response tends to be a fast configuration change to contain the effect immediately.\n\nThis template is adapted from a modified version of the CERT Societe Generale Incident Response Methodology called Worm Infection Response. The full methodology is available at https://github.com/certsocietegenerale/IRM/blob/HEAD/EN/IRM-1-WormInfection.pdf and is covered under the Creative Commons Attribution 3.0 Imported license available at https://github.com/certsocietegenerale/IRM/blob/HEAD/LICENSE.md, while the CERT Societe Generale homepage is https://cert.societegenerale.com/en/.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "56b864aa-4f46-4eab-8631-15340fe85f3d", "create_time": 1765478655.800768, "update_time": 1765478655.8007686, "name": "Preparation", "order": 1, "tasks": [{"id": "ec3ed15c-7140-4e3d-ad5f-324edaf32d30", "create_time": 1764758755.867025, "update_time": 1765478655.8002567, "name": "Define team members", "order": 1, "tag": "a901e393-ab86-4ca7-95db-14d8774a60da", "description": 
"Determine%20which%20team%20members%20will%20play%20which%20role%20in%20the%20response%20and%20establish%20communications%20channels%20with%20all%20involved.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "faf9efef-e4dc-4100-98b4-3ed62777f915", "create_time": 1764758755.867135, "update_time": 1765478655.8004067, "name": "Check analysis tools", "order": 2, "tag": "6700e71f-245c-4f8c-b835-d91eaefe716b", "description": "Test%20connectivity,%20check%20patch%20level,%20and%20run%20example%20queries%20on%20all%20analysis%20tools.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A3.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A4.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A5.%20%20PhishTank%20(preconfigured)%0A6.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e8b572ad-9cb7-4a0b-accc-dc0d6bc672af", "create_time": 1764758755.867274, "update_time": 1765478655.8005216, "name": "Acquire architecture map", "order": 3, "tag": "10b5cc45-188d-4152-99c2-d9ee90a0df52", "description": "Find or build an up-to-date map of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], 
"actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "49e8c224-9ffe-472f-b5d5-d0134314ddc0", "create_time": 1764758755.8673825, "update_time": 1765478655.800613, "name": "Acquire asset inventory", "order": 4, "tag": "27d598df-8c52-4d6b-871d-93ee5ccdaf3f", "description": "Find%20or%20build%20an%20up-to-date%20inventory%20of%20all%20devices.%0A%0ASuggested%20Integrations%0A1.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd65385f-53f6-4b16-ae5b-8480703a5e29", "create_time": 1764758755.8674753, "update_time": 1765478655.8007166, "name": "Continuous monitoring", "order": 5, "tag": "3959e856-64e9-486e-a0b6-0cb97176c283", "description": "Monitor threat trends and system activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d8781b52-5f94-496a-9221-20af11959541", "create_time": 1765478655.8011546, "update_time": 1765478655.8011549, "name": "Identification", "order": 2, "tasks": [{"id": "0fc8d25d-2b92-4617-b573-518330fb9da1", "create_time": 1764758755.867626, "update_time": 1765478655.8008454, "name": "Detect the infection", "order": 1, "tag": "27c2ab29-35d9-4643-9216-85a8c201e0ed", "description": 
"Detect%20abnormalities%20and%20potential%20infections%20using%20endpoint%20and%20network%20intrusion%20detection%20systems,%20application%20logs,%20authentication%20logs,%20system%20load%20monitoring,%20notification%20from%20external%20sources,%20and%20other%20methods.%20Seek%20a%20repeatable%20detection%20that%20is%20as%20reliable%20as%20possible,%20as%20future%20steps%20call%20for%20checking%20and%20re-checking%20to%20monitor%20progress.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "709ed3e1-de9b-421a-b7b2-eae661d66b04", "create_time": 1764758755.867718, "update_time": 1765478655.8009667, "name": "Identify the infection", "order": 2, "tag": "fcd59f33-221b-43aa-a26f-7a7536dc298a", "description": 
"Compare%20the%20known%20symptoms%20to%20all%20available%20threat%20intelligence%20and%20try%20to%20identify%20the%20threat%20as%20specifically%20as%20possible.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A6.%20%5BIndicators%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/threat_artifacts)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "07f7f8bf-c7d0-4312-a878-1cc5910284e3", "create_time": 1764758755.8678086, "update_time": 1765478655.8010774, "name": "Assess the perimeter of the infection", "order": 3, "tag": "d5aa1644-4d52-4274-92b7-c8b9e33b56e0", "description": "Check%20systems%20in%20different%20parts%20of%20the%20organization%20to%20define%20the%20perimeter%20of%20the%20infection%20and%20assess%20the%20potential%20business%20impact.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", 
"owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b077cd75-7ba9-467c-a53e-bfcea36eb013", "create_time": 1765478655.8017411, "update_time": 1765478655.8017416, "name": "Containment", "order": 3, "tasks": [{"id": "3aee7278-0f5f-48ff-ad16-9ddaec267689", "create_time": 1764758755.8679423, "update_time": 1765478655.80125, "name": "Disconnect infected areas from the internet", "order": 1, "tag": "e53fd536-8058-4a06-8c6c-e6fc9467ddf8", "description": "Stop%20command%20and%20control%20behavior%20and%20further%20propagation%20by%20disconnecting%20affected%20areas%20from%20the%20internet.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "50bcd8ba-7edc-4b44-8a04-fdd5ee6daa0b", "create_time": 1764758755.8680344, "update_time": 1765478655.8013616, "name": "Isolate infected area from all networks", "order": 2, "tag": "884437ea-ff98-40f7-999d-69efd55841ae", "description": 
"Enforce%20more%20strict%20network%20segmentation%20to%20prevent%20further%20internal%20spreading.%20Consider%20disconnecting%20mobile%20devices%20and%20laptops%20to%20minimize%20the%20propagation%20surface.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ff5509b-ae70-431c-ac11-f4445d9bd890", "create_time": 1764758755.8681533, "update_time": 1765478655.8014727, "name": "Monitor business-critical network connections that cannot be disconnected", "order": 3, "tag": "400bb1f4-670c-4503-91a0-fe813d7285f2", "description": 
"For%20those%20applications%20that%20cannot%20be%20disconnected%20due%20to%20continuity%20needs,%20increase%20monitoring%20and%20analyze%20traffic%20for%20malicious%20activity.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d220afbd-3306-4e8a-ad41-3028fb9f309f", "create_time": 1764758755.8682685, "update_time": 1765478655.8015823, "name": "Neutralize propagation vectors", "order": 4, "tag": "92bef873-aca9-4ef8-946b-edfb9ce66e36", "description": 
"Deploy%20patches,%20change%20configurations,%20sinkhole%20domains,%20re-image%20systems,%20stop%20services,%20or%20take%20other%20appropriate%20actions%20to%20prevent%20further%20propagation%20using%20all%20known%20vectors.%20Notify%20users%20of%20changes%20that%20will%20affect%20them%20and/or%20request%20their%20assistance%20for%20manual%20neutralization%20steps.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "640ecd84-2bff-4b55-b16e-2f00b863cfe0", "create_time": 1764758755.8683593, "update_time": 1765478655.8016906, "name": "Monitor progress", "order": 5, "tag": "66412e78-657c-4f0d-a15a-2533d1b9a948", "description": "Re-check neutralized systems and repeat or improve processes to cover important systems as quickly as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4999e420-9fa9-46ea-9da3-4ffb078c45a0", "create_time": 1765478655.8021305, "update_time": 1765478655.802131, "name": "Remediation", "order": 4, "tasks": [{"id": "06bd975f-1fb6-4333-b714-27ce6a1ced40", "create_time": 1764758755.8684924, "update_time": 1765478655.8018172, "name": "Identify", "order": 1, "tag": "7f4c59cc-2f64-459c-8245-31bb42439ea9", "description": "Consider vendor fixes, antivirus updates, external support options, and custom solutions. 
Use these to define a disinfection process and validate it with a reputable source if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "93e47407-dfd0-40ba-a01d-1ef596ee0c42", "create_time": 1764758755.8685825, "update_time": 1765478655.8019052, "name": "Test", "order": 2, "tag": "e0cc2310-9631-4a7f-b637-79d890e0a79a", "description": "Test the disinfection process on a system that is as close to a production configuration as possible and verify that it works while not damaging any service.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "448524ff-39de-428d-95f7-2cc16c03ea28", "create_time": 1764758755.8686728, "update_time": 1765478655.801993, "name": "Deploy", "order": 3, "tag": "69ea1765-0326-4559-9f52-0202bcd1684e", "description": "Deploy the process and scale it up if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "154ef40e-9a4e-4072-b222-e4b5c286ce4f", "create_time": 1764758755.8687656, "update_time": 1765478655.8020792, "name": "Confirm", "order": 4, "tag": "ec04ad38-972d-40d5-9672-64ccce7f2ebc", "description": "Confirm that the malware did not block remediations and find a workaround if it did.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "46c10e9a-74fd-4c28-ae23-80c66c6959ff", "create_time": 1765478655.802708, "update_time": 1765478655.8027081, "name": "Recovery", 
"order": 5, "tasks": [{"id": "b5137ace-0638-4c0d-bf3a-89808acb2796", "create_time": 1764758755.8689115, "update_time": 1765478655.8022254, "name": "Verify Containment and Remediation", "order": 1, "tag": "11e7491e-04ec-46dd-8763-7f7259aa86a9", "description": "Review current progress towards remediation by re-checking systems.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "916ce97e-d38f-41bd-8e31-fd4ebac266fa", "create_time": 1764758755.8690028, "update_time": 1765478655.8023124, "name": "Reopen propagation network mechanism", "order": 2, "tag": "3e4bb0aa-beab-472e-b19a-5d0974e25942", "description": "Turn off network enforcement for a segment of the network and monitor for new attempts to reinfect.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d6b12db-a684-4eee-b942-8d720c1e7c1a", "create_time": 1764758755.8690934, "update_time": 1765478655.8024004, "name": "Reconnect isolated sub-areas to each other", "order": 3, "tag": "ecd50bc1-ba91-4333-b50e-8065b2552e83", "description": "Turn off inter-area network enforcement and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "77f860e3-1ab9-47f4-b9f5-29b02f762628", "create_time": 1764758755.8692014, "update_time": 1765478655.8024862, "name": "Reconnect mobile devices", "order": 4, "tag": "786a211c-5a54-4465-a6ae-fb26047d3d77", "description": "Reconnect mobile devices and laptops to monitor for persistence and check coverage across all device categories.", "owner": "", "is_note_required": false, "status": 
"Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "eea6a167-30bf-434e-a7a5-7f0af8bd0ec6", "create_time": 1764758755.8692956, "update_time": 1765478655.802572, "name": "Reconnect isolated areas to main enterprise network", "order": 5, "tag": "739634b9-8f30-4fb4-b531-8f3e1bb5dcbc", "description": "Disable network enforcement between cleaned areas and the rest of the network while monitoring for reinfection.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "7947c3e9-c721-44ad-92e5-cbda84dd7687", "create_time": 1764758755.8693867, "update_time": 1765478655.8026576, "name": "Reconnect to the internet", "order": 6, "tag": "d80ab11b-58f4-4aed-a533-93f344fdc898", "description": "Reconnect to the internet and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "76b0e701-8fe2-49da-a85d-c100fc2a3a19", "create_time": 1765478655.80292, "update_time": 1765478655.8029208, "name": "Aftermath", "order": 6, "tasks": [{"id": "bb39e701-edec-47a4-a5d9-47483140b788", "create_time": 1764758755.8695176, "update_time": 1765478655.8027844, "name": "Build crisis report", "order": 1, "tag": "bb5d871c-99f4-408a-8a1e-9efa55ff1465", "description": "Notify affected parties with as much detail as is appropriate. 
Consider the initial cause of the infection, actions and timelines of important events, what went right, what went wrong, and the incident cost.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4a48b7c9-f36d-412f-a2e2-c369a98d4261", "create_time": 1764758755.8696067, "update_time": 1765478655.8028712, "name": "Improve processes", "order": 2, "tag": "114c1009-376f-4715-a825-145c3dbcbba0", "description": "Capitalize on the experience by improving the processes that were used, creating new processes where needed, and automating that which is generalizable and repeatable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "633942a9-b466-49c5-9cb0-1a4488da8473", "active": true, "used": false, "_user": "nobody", "_key": "ec7f5b1d-f689-4ea7-b00c-703d062755ef"}
\ No newline at end of file
diff --git a/response_templates/SuspiciousEmail_v35.json b/response_templates/SuspiciousEmail_v35.json
new file mode 100644
index 0000000000..0ba80ed93b
--- /dev/null
+++ b/response_templates/SuspiciousEmail_v35.json
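Review bot: The attribution text in the top-level `description` reads `Creative Commons Attribution 3.0 Imported license`; the CC BY 3.0 license is the "Unported" one, so this is most likely a typo in user-visible attribution and should read `Creative Commons Attribution 3.0 Unported license`. The record also ships live-instance state alongside the template definition (`_key`, `_user`, `used`, `active`, `creator`/`updated_by` of `splunker`, and per-task `status`, `start_time`, `end_time`, `total_time_taken`), so it is unclear which fields the importer honours and which are export noise; a short README in `response_templates/` listing the fields that matter would let reviewers tell a real change from a re-export. Minor text issues: the `Acquire asset inventory` description ends in a dangling `%0A`, the Containment tasks have stray spaces in their link lists (`1.%20%20%5BCisco%20Firepower`, `%5B%20Palo%20Alto%5D`), and `Access Anomalies` is named without `Dashboard` in one task but with it in the others.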
@@ -0,0 +1 @@
+{"id": "a72d40f3-a567-48e2-9fd3-c29db06c3907", "create_time": 1765479748.831508, "update_time": 1765479748.831508, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 35, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1765479748.831965, "update_time": 1765479796.6274312, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1765479796.626802, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1765479796.6270301, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1765479796.627336, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1765479748.832889, "update_time": 1765479796.6289487, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1765479796.6275756, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1765479796.6279, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1765479796.62813, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1765479796.6283174, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1765479796.6285076, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1765479796.6287827, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1765479748.8334155, "update_time": 1765479796.6299407, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1765479796.6290972, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1765479796.629352, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1765479796.6295755, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1765479796.6298037, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1765479748.8340182, "update_time": 1765479796.6310995, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1765479796.6300797, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1765479796.6303134, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1765479796.6305444, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1765479796.6307607, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1765479796.6309698, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1765479748.8343027, "update_time": 1765479796.6315908, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1765479796.631251, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1765479796.631454, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A4.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1765479748.8349223, "update_time": 1765479796.6327975, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1765479796.6317682, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1765479796.631959, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1765479796.6321607, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": 
"If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1765479796.6323862, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. 
Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1765479796.6325488, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1765479796.6327078, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "a72d40f3-a567-48e2-9fd3-c29db06c3907"} \ No newline at end of file diff --git a/response_templates/VulnerabilityDisclosure_v10.json b/response_templates/VulnerabilityDisclosure_v10.json new file mode 100644 index 0000000000..5cd3ef22f0 --- /dev/null +++ b/response_templates/VulnerabilityDisclosure_v10.json 
@@ -0,0 +1 @@ +{"id": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc", "create_time": 1764862787.2717, "update_time": 1765478160.218586, "name": "Vulnerability Disclosure", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 10, "phases": [{"id": "63140a0e-8d42-4aba-943a-899170cc7fd3", "create_time": 1765478079.1544676, "update_time": 1765478160.185931, "name": "Understand the vulnerability", "order": 1, "tasks": [{"id": "c2906aa1-2ba2-4d46-b927-04a348dfc8ed", "create_time": 1764758755.9402392, "update_time": 1765478160.1855013, "name": "Research types of systems that are affected", "order": 1, "tag": "f0045b4e-6680-4782-b80b-ba292805d290", "description": "Research%20the%20known%20hardware%20or%20software%20systems%20and%20versions%20that%20are%20affected.%20If%20possible%20use,%20a%20vulnerability%20database%20or%20software%20composition%20analysis%20solution%20to%20walk%20the%20dependency%20chain%20and%20evaluate%20the%20scope%20of%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd74c974-5d88-4136-aae1-13642d0f5bb5", "create_time": 1764758755.9403417, "update_time": 1765478160.185846, "name": 
"Research how the vulnerability works", "order": 2, "tag": "207e6bdb-1eed-41f8-9ee6-f87bf260978a", "description": "Research%20the%20mechanism%20that%20makes%20the%20system%20vulnerable%20and%20the%20conditions%20in%20which%20the%20system%20is%20vulnerable.%20Often%20there%20are%20certain%20configurations,%20software%20packages,%20system%20states,%20operating%20modes,%20and%20other%20characteristics%20that%20make%20a%20vulnerability%20exploitable%20and%20affect%20the%20impact%20if%20exploited.%20Assess%20the%20difficulty%20to%20exploit%20the%20vulnerability%20and%20the%20reliability%20of%20the%20exploit.%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D(/app/SplunkEnterpriseSecuritySuite/ess_use_case_library)%0A2.%20%5BSplunk%20Security%20Content%5D(https://research.splunk.com/)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "0e4796c9-bcb5-4837-b0cd-7c83b40dd2c3", "create_time": 1765478079.1550362, "update_time": 1765478160.1863368, "name": "Understand impact to the organization", "order": 2, "tasks": [{"id": "6dc2dedf-7fe4-4d02-bc74-4b386a320460", "create_time": 1764758755.940481, "update_time": 1765478160.186015, "name": "Find potentially affected systems", "order": 1, "tag": "b5bcfe17-e8a5-40a0-984c-c8fefe77093c", "description": 
"Check%20the%20internal%20environment%20and%20dependencies%20of%20the%20organization%20for%20the%20software%20or%20hardware%20that%20is%20vulnerable.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A7.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "26f32c1e-5de3-4565-9a72-c17aa0dfee4e", "create_time": 1764758755.9405725, "update_time": 1765478160.186133, "name": "Determine exploitability", "order": 2, "tag": "9b967031-b163-4c25-a971-011f10df8051", "description": "Check%20for%20exploitable%20conditions.%20If%20appropriate,%20attempt%20to%20implement%20the%20vulnerability%20or%20use%20a%20safe%20proof%20of%20concept%20to%20verify%20exploitability.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1f4e957a-1bc6-4b22-b222-44c845454b45", "create_time": 1764758755.9406626, "update_time": 1765478160.1862617, "name": "Investigate possible exploitation", "order": 3, "tag": 
"b944edaa-aa8a-4877-8b78-f022580d2731", "description": "Investigate%20whether%20or%20not%20vulnerable%20systems%20were%20exploited.%20Use%20the%20particular%20behavior%20of%20the%20exploit%20and%20likely%20post-exploitation%20techniques%20to%20narrow%20down%20the%20search%20for%20exploited%20systems.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "e8928704-4ba7-41c1-abba-a0444d548fe0", "create_time": 1765478079.1552103, "update_time": 1765478160.1864805, "name": "Decide how to respond", "order": 3, "tasks": [{"id": "860d180e-5d53-4eb7-b867-97ad48f470e6", "create_time": 1764758755.9407957, "update_time": 1765478160.1864188, "name": "Evaluate patches, workarounds, and service outages", "order": 1, "tag": "23a1b3d3-d2db-40d9-9a96-39a154c94ff0", "description": "Consider%20how%20mitigations,%20remediations,%20and%20forced%20system%20shutdowns%20affect%20the%20situation.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1559a28c-3e76-4910-a22e-f5e6977d0647", "create_time": 1765478079.1555555, "update_time": 1765478160.1868198, "name": "Execute the response", "order": 4, "tasks": [{"id": "1d4394f7-8781-4802-a6a2-7d77b655a9ee", "create_time": 1764758755.9409366, "update_time": 1765478160.1865623, "name": "Remediate", "order": 1, "tag": "6e13819e-dfdf-4e48-90fa-95c7ddfc139c", "description": "Apply%20patches,%20upgrades,%20configuration%20changes,%20or%20state%20changes%20that%20can%20remediate%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "43f50b91-ee22-4731-a5fe-c6b4463134cf", "create_time": 1764758755.941027, "update_time": 1765478160.186665, "name": "Mitigate", "order": 2, "tag": "5c813f0c-e55c-492a-933b-59b99ad11071", "description": "Apply%20workarounds,%20temporary%20fixes,%20additional%20hardening,%20new%20security%20tools,%20new%20detections,%20and%20other%20mitigations%20to%20reduce%20risk.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "90f60618-b458-4baa-ae0d-af0fe1c4b3ec", "create_time": 1764758755.941116, "update_time": 1765478160.1867695, "name": "Document accepted risks", "order": 3, "tag": "47c9830a-c0e1-4b75-ae76-4b5e0cddbf5c", "description": "Document remaining risk and notify stakeholders.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "b0687c98-dcde-4d9a-bf6f-4a31859fef16", "active": true, "used": false, "_user": "nobody", "_key": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc"} \ No newline at end of file From 96f2f5bca79d7b20b1a069a1a30b6628e7fe8ccb Mon Sep 17 00:00:00 2001 From: Christian Cloutier Date: Thu, 11 Dec 2025 16:08:55 -0500 Subject: [PATCH 36/44] Initial version of Response Templates --- ...icatorEnrichment_6.json => NetworkIndicatorEnrichment_v6.json} | 0 ...ReplicatingMalware_14.json => SelfReplicatingMalware_v14.json} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename response_templates/{NetworkIndicatorEnrichment_6.json => NetworkIndicatorEnrichment_v6.json} (100%) rename response_templates/{SelfReplicatingMalware_14.json => SelfReplicatingMalware_v14.json} (100%) diff --git a/response_templates/NetworkIndicatorEnrichment_6.json b/response_templates/NetworkIndicatorEnrichment_v6.json similarity index 100% rename from response_templates/NetworkIndicatorEnrichment_6.json rename to response_templates/NetworkIndicatorEnrichment_v6.json diff --git a/response_templates/SelfReplicatingMalware_14.json b/response_templates/SelfReplicatingMalware_v14.json similarity index 100% rename from response_templates/SelfReplicatingMalware_14.json rename to response_templates/SelfReplicatingMalware_v14.json From b3911438c1f1e92d5d56c820c282506790919e77 Mon Sep 17 00:00:00 2001 
From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com> Date: Mon, 15 Dec 2025 12:31:26 -0700 Subject: [PATCH 37/44] Update and rename AccountCompromise_v14.json to AccountCompromise_v2.json --- response_templates/AccountCompromise_v14.json | 1 - response_templates/AccountCompromise_v2.json | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 response_templates/AccountCompromise_v14.json create mode 100644 response_templates/AccountCompromise_v2.json diff --git a/response_templates/AccountCompromise_v14.json b/response_templates/AccountCompromise_v14.json deleted file mode 100644 index a215ad7ee6..0000000000 --- a/response_templates/AccountCompromise_v14.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "94198adf-1fc1-4c2d-8c94-baf4523bee4f", "create_time": 1765479652.5729501, "update_time": 1765479652.5729501, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765479652.5742395, "update_time": 1765479652.57424, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765479652.5730562, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765479652.573373, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765479652.5734894, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765479652.5735939, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765479652.5736716, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765479652.573762, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765479652.5738606, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765479652.573958, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765479652.5740716, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765479652.5741494, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765479652.574572, "update_time": 1765479652.5745726, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765479652.5743093, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765479652.5744092, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765479652.5745091, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765479652.5748563, "update_time": 1765479652.5748568, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765479652.57464, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765479652.574736, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765479652.574812, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "94198adf-1fc1-4c2d-8c94-baf4523bee4f"} \ No newline at end of file diff --git a/response_templates/AccountCompromise_v2.json b/response_templates/AccountCompromise_v2.json new file mode 100644 index 0000000000..8dfebb8553 --- /dev/null +++ b/response_templates/AccountCompromise_v2.json 
@@ -0,0 +1 @@ +{"id": "94198adf-1fc1-4c2d-8c94-baf4523bee4f", "create_time": 1765479652.5729501, "update_time": 1765479652.5729501, "name": "Account Compromise", "description": "This response template defines a response to the potential compromise of one or more system or application accounts. Across the enterprise, user and service accounts are high-value targets that provide access to wide varieties of resources and capabilities. If an unauthorized entity gains access to an account in your organization, you can use these phases and tasks to organize the effort to investigate and respond. No two account compromises are the same, so some portions of this template might not apply to certain types of account takeovers, and in most cases there will be additional appropriate responses going beyond those listed below. The general structure of this template is based on NIST SP 800-61 Revision 2, and some of the techniques come from the Credential Access tactic in the MITRE ATT&CK framework (https://attack.mitre.org/tactics/TA0006/).", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "59f2cf8d-3c77-491f-8ff4-65ed341c7503", "create_time": 1765479652.5742395, "update_time": 1765479652.57424, "name": "Detection and Analysis", "order": 1, "tasks": [{"id": "ea986cd7-db3e-48d5-8a44-e9f0f6420d24", "create_time": 1764758755.835523, "update_time": 1765479652.5730562, "name": "Contact account owner", "order": 1, "tag": "51815ce4-c186-4418-9d6c-716e101953f0", "description": 
"If%20situational%20awareness%20concerns%20allow%20it,%20contact%20the%20legitimate%20owner%20of%20the%20account%20to%20gather%20additional%20insight,%20rule%20out%20false%20positives,%20and%20provide%20guidance%20on%20how%20to%20cooperate.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c24b5ac1-3e44-4f91-a55e-5c93a0c17a8a", "create_time": 1764758755.8356514, "update_time": 1765479652.573373, "name": "Determine the scope of the compromise", "order": 2, "tag": "4f6e6b64-aeec-456c-806d-d0b66c9db56c", "description": 
"Determine%20the%20resources%20and%20capabilities%20available%20to%20the%20compromised%20account.%20Consider%20other%20types%20of%20accounts%20that%20can%20also%20be%20accessed%20based%20on%20the%20initial%20compromise.%20Is%20this%20account%20an%20Administrative%20account?%20What%20systems%20has%20the%20account%20logged%20into?%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4b7b5058-f28e-4776-8806-c71fdfaab979", "create_time": 1764758755.8357468, "update_time": 1765479652.5734894, "name": "Analyze usage of access", "order": 3, "tag": "62fe4b55-7da1-44ba-ae88-93f42cb724c8", "description": 
"Query%20monitoring%20systems%20to%20determine%20which%20of%20the%20potential%20resources%20and%20capabilities%20were%20actually%20used%20by%20the%20adversary.%20Look%20for%20patterns%20in%20targeted%20resources%20and%20capabilities.%20Was%20the%20compromised%20account%20used%20to%20install%20or%20download%20something?%20Were%20credentials%20to%20other%20accounts%20collected%20and%20used?%0A%0ASuggested%20Integrations%0A1.%20%5BAccess%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_center)%0A2.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)%0A3.%20%5BAccess%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ad738c70-a259-4627-84fc-30f881b1065f", "create_time": 1764758755.835839, "update_time": 1765479652.5735939, "name": "Estimate impact", "order": 4, "tag": "5abdf8e0-f364-4f39-956a-aa912e0543c0", "description": "Estimate the business impact to appropriately allocate priority and resources.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1bc12376-4d51-45ed-9e37-38abc31a497a", "create_time": 1764758755.8359327, "update_time": 1765479652.5736716, "name": "Track stolen credentials", "order": 5, "tag": "b7814a6d-ac12-4936-a5ef-8e1a636a08dd", "description": "If%20compromised%20credentials%20were%20used,%20try%20to%20determine%20where%20else%20they%20may%20grant%20access%0A%0ASuggested%20Integrations%0A1.%20%5BAccount%20Management%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/account_management)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5de28da8-76f3-4104-8d62-b44f8f46a4a4", "create_time": 1764758755.8360248, "update_time": 1765479652.573762, "name": "Investigate external communications", "order": 6, "tag": "4a46b5da-c9b9-453a-80ad-161db306822e", "description": "Look%20for%20exfiltration%20and/or%20command%20and%20control%20activity.%20Inspect%20network%20traffic%20with%20abnormal%20content,%20focusing%20on%20traffic%20to%20external%20hosts%20and%20internal%20systems%20that%20are%20not%20normally%20connected%20to%20the%20system%20under%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "6956c82f-6811-4b3d-975b-fe690e0b54ef", "create_time": 1764758755.836118, "update_time": 1765479652.5738606, "name": "Determine initial access mechanism", "order": 7, "tag": "3b962a5e-16da-4962-9f9f-c237e88e24a3", "description": 
"Attempt%20to%20trace%20activity%20back%20to%20the%20point%20of%20initial%20access.%20Consider%20phishing,%20watering%20hole%20attacks,%20public-facing%20exploits,%20supply%20chain%20compromises,%20and%20other%20common%20attack%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "62a7c0a4-1c2e-4922-8dd2-9114ef305607", "create_time": 1764758755.8362353, "update_time": 1765479652.573958, "name": "Detect persistent system access", "order": 8, "tag": "023e3b98-335b-4364-8292-e34e221dcdcd", "description": 
"Look%20for%20attempts%20to%20establish%20persistent%20access%20to%20one%20or%20more%20systems.%20The%20persistence%20technique%20could%20include%20an%20email%20forwarding%20rule%20for%20an%20email%20account,%20a%20scheduled%20task%20on%20an%20endpoint,%20a%20newly%20added%20login%20method%20for%20a%20business%20application,%20or%20a%20wide%20array%20of%20others.%20One%20non-exhaustive%20list%20of%20persistence%20techniques%20is%20in%20the%20MITRE%20ATT&CK%20framework%20(https://attack.mitre.org/tactics/TA0003/)%20and%20another%20for%20Windows%20endpoints%20in%20particular%20is%20within%20the%20SysInternals%20Autoruns%20tool.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0bc09ecd-b582-4b51-82bd-845113fe9025", "create_time": 1764758755.8363278, "update_time": 1765479652.5740716, "name": "Enumerate other similarly vulnerable accounts", "order": 9, "tag": "44b55fc1-e45f-46ce-82d8-d23b1392790f", "description": "If an initial attack vector or other activity pattern is found, use it to look for other similarly compromised accounts.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, 
"end_time": 0, "total_time_taken": 0}, {"id": "60b63967-c82f-4378-80ab-7234d3b8d01a", "create_time": 1764758755.8364184, "update_time": 1765479652.5741494, "name": "Notify stakeholders", "order": 10, "tag": "6f26711e-c173-4394-91cf-f2e9c7c88d8a", "description": "Notify%20incident%20response%20leadership,%20system%20owners,%20and%20other%20stakeholders%20in%20accordance%20with%20established%20incident%20notification%20and%20escalation%20procedures.%0A%0ASuggested%20Integrations%0A1.%20%5BIdentity%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_center)%0A2.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A3.%20SMTP%20(preconfigured)%0A4.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A5.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A6.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A7.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A8.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "48075a18-75b5-45d5-9c14-c791c0975316", "create_time": 1765479652.574572, "update_time": 1765479652.5745726, "name": "Containment, Eradication, and Recovery", "order": 2, "tasks": [{"id": "4fa28acc-820f-4b9c-8fbe-b06dc8f735bb", "create_time": 1764758755.8365533, "update_time": 1765479652.5743093, "name": "Disable account", "order": 1, "tag": "582f0358-63c7-4a15-ba9e-a42861e854b5", "description": 
"If%20the%20business%20risk%20is%20deemed%20acceptable,%20disable%20the%20account%20or%20reset%20credentials%20to%20prevent%20further%20malicious%20usage.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f20c28db-b508-4cce-bd08-df4a1b92b1e4", "create_time": 1764758755.836641, "update_time": 1765479652.5744092, "name": "Remove persistent system access", "order": 2, "tag": "5cfd8324-141b-407f-ac19-3ab946178fc8", "description": "If%20persistent%20access%20mechanisms%20were%20detected,%20remove%20them%20by%20uninstalling%20software,%20unhooking%20libraries,%20reimaging%20systems,%20disabling%20compromised%20credentials,%20or%20implementing%20other%20remediations.%20If%20this%20action%20will%20cause%20a%20service%20outage,%20it%20may%20be%20prudent%20to%20notify%20the%20affected%20teams%20or%20organizations.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b94cc55d-a653-466a-8faf-846f699ebb75", 
"create_time": 1764758755.836737, "update_time": 1765479652.5745091, "name": "Mitigate or remediate vulnerabilities", "order": 3, "tag": "25d66876-4448-420d-80b5-bc359805598b", "description": "If%20any%20vulnerabilities%20were%20used%20in%20this%20compromise,%20find%20a%20way%20to%20mitigate%20or%20remediate%20them.%20This%20could%20be%20a%20system%20update,%20a%20change%20in%20software,%20disabling%20a%20certain%20feature,%20a%20change%20in%20policy,%20or%20another%20action.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "36274751-b970-4375-85dc-b06a13d05cc2", "create_time": 1765479652.5748563, "update_time": 1765479652.5748568, "name": "Post-incident Activity", "order": 3, "tasks": [{"id": "c601515a-bbef-485f-819a-9c1e477e413e", "create_time": 1764758755.8368754, "update_time": 1765479652.57464, "name": "Notify necessary parties", "order": 1, "tag": "6e6b6839-fced-46a4-a660-e00281118cda", "description": 
"Determine%20if%20a%20regulatory%20risk%20calls%20for%20a%20notification%20to%20an%20internal%20or%20external%20compliance%20organization.%20Also%20consider%20an%20informational%20notice%20to%20users%20to%20prevent%20similar%20compromises%20through%20improved%20security%20hygiene.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "33acb96f-1113-489b-8dc4-882695963f99", "create_time": 1764758755.836966, "update_time": 1765479652.574736, "name": "Tune prevention systems", "order": 2, "tag": "47e3bd73-9fea-4f85-a805-9ebedfd000ed", "description": "Depending on the mechanism of access and the systems affected, there may be a clear next step to prevent similar compromises. This might involve deployment of strong multi-factor authentication, improved automated response, stronger application of least privilege, user training, and/or a wide array of other defensive measures. 
Consider using CIS Cybersecurity Best Practices (https://www.cisecurity.org/cybersecurity-best-practices/) or a similar framework to assess improvements in prevention.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0d0ded65-d9dd-497f-ab9d-f51864ad88af", "create_time": 1764758755.8370595, "update_time": 1765479652.574812, "name": "Tune detection systems", "order": 3, "tag": "9411f544-f06a-4e79-9972-3844f61cc1f7", "description": "Any of the steps taken within the Detection and Analysis phase may be candidates for automated or regularly scheduled detections to find similar activity. Focus on the most generalizable patterns that will catch high-impact compromises as early as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8b0ea69b-c29f-4a70-b58b-59164312a491", "active": true, "used": true, "_user": "nobody", "_key": "94198adf-1fc1-4c2d-8c94-baf4523bee4f"}
From be8e912c6f88678eb641916d270d62329aee78b4 Mon Sep 17 00:00:00 2001
From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com>
Date: Mon, 15 Dec 2025 12:33:34 -0700
Subject: [PATCH 38/44] Update and rename DataBreach_v15.json to DataBreach_v2.json
---
 response_templates/DataBreach_v15.json | 1 -
 response_templates/DataBreach_v2.json | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
 delete mode 100644 response_templates/DataBreach_v15.json
 create mode 100644 response_templates/DataBreach_v2.json
diff --git a/response_templates/DataBreach_v15.json b/response_templates/DataBreach_v15.json
deleted file mode 100644
index 3534746ef5..0000000000
--- a/response_templates/DataBreach_v15.json
+++ /dev/null
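Review bot: The task `description` values in this file mix two encodings — most are percent-encoded (`%20`, `%0A`, `%5B…%5D` Markdown links) while "Estimate impact", "Enumerate other similarly vulnerable accounts", "Tune prevention systems" and "Tune detection systems" are plain text — so a consumer cannot tell per field whether to URL-decode before rendering: decoding a plain description that contains a literal `%` corrupts it, and skipping the decode shows raw `%20` to the analyst. Pick one representation for every `description` in the template (the encoded form is the one that carries the `%0A` line breaks and the links, so it is the safer target), or state the convention in the repository documentation for `response_templates/`. Separately, the metadata looks like a raw export (`creator`/`updated_by` `splunker`, `_user` `nobody`, `_key` equal to `id`), and every `update_time` here is byte-identical to the predecessor copy in the previous hunk, so `"version": 2` appears to be a hand-edited label rather than a fresh export; if downstream consumers key on `update_time` to decide whether to refetch a template, a changed `version` with an unchanged timestamp may never be picked up — worth confirming against the merge step in the build. The same version-relabel-without-timestamp-change is visible in the DataBreach_v15 → DataBreach_v2 hunks further down this page (`version` 15 → 2, `update_time` 1765481882.0017216 unchanged). Minor: `1.%20%20%5BCrowdstrike%5D` under "Mitigate or remediate vulnerabilities" has a doubled space after the list number, which renders as an extra space once decoded.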
@@ -1 +0,0 @@ -{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 15, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"} \ No newline at end of file 
diff --git a/response_templates/DataBreach_v2.json b/response_templates/DataBreach_v2.json
new file mode 100644
index 0000000000..7e8bf46071
--- /dev/null
+++ b/response_templates/DataBreach_v2.json
@@ -0,0 +1 @@ +{"id": "b0ad7421-221a-4859-8af7-7cd8949ad10f", "create_time": 1764862877.558638, "update_time": 1765481882.0017216, "name": "Data Breach", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "3864ce09-a850-44af-86ef-9ade49d18356", "create_time": 1765481830.6013758, "update_time": 1765481881.9174762, "name": "Escalate to accountable system owners", "order": 1, "tasks": [{"id": "5a3d4ceb-6a30-4aa3-8e8a-b30e3438dff4", "create_time": 1764758755.724739, "update_time": 1765481881.9169092, "name": "Identify accountable system owners", "order": 1, "tag": "f45e1890-72d0-4bdf-8932-ea8d78c2c58f", "description": "Query%20configuration%20management%20databases,%20ask%20teammates,%20and%20query%20on-call%20personnel%20directories%20to%20find%20the%20right%20people%20for%20notification%20and%20response.%0A%0ASuggested%20Integrations%0A1.%20%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8d090f83-6590-48b7-8233-db738d054005", "create_time": 1764758755.7248507, "update_time": 1765481881.9171314, "name": "Notify accountable system owners", "order": 2, "tag": "b0816205-58e4-4e29-991b-f415717d1c03", "description": 
"Determine%20what%20is%20needed%20from%20each%20team%20member%20and%20notify%20them%20as%20soon%20as%20possible.%20Consider%20speed,%20confidentiality,%20integrity,%20and%20availability%20when%20choosing%20a%20communication%20channel.%20The%20right%20choice%20may%20be%20an%20in-person%20meeting,%20email,%20chat,%20text,%20phone%20call,%20or%20a%20notification%20in%20Splunk%20Mission%20Control.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2950919f-a5ca-4dec-b3d0-5ef7edf213e3", "create_time": 1764758755.7249453, "update_time": 1765481881.9173613, "name": "Set up collaboration channels", "order": 3, "tag": "2b1518b8-77a6-4e03-8b50-e0a89dc40ed8", "description": "Establish%20shared%20access%20to%20the%20appropriate%20notable%20investigation%20that%20is%20tracking%20the%20data%20breach.%20If%20necessary%20establish%20an%20additional%20channel%20for%20communications%20such%20as%20a%20chat%20room,%20email%20chain,%20ticketing%20system,%20or%20VictorOps%20Incident.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "fa5bb456-dfe8-4f27-88a3-1639a35796c6", "create_time": 1765481830.6017647, "update_time": 1765481881.918081, "name": "Stop exfiltration", "order": 2, "tasks": [{"id": "3fcbd598-8be3-4c81-a89e-1896912ffea4", "create_time": 1764758755.725092, "update_time": 1765481881.9176087, "name": "Identify likely means of exfiltration", "order": 1, "tag": "b562799f-7155-43a2-a36a-e736575a6b1d", "description": "Evaluate%20likely%20means%20of%20exfiltration%20using%20the%20information%20from%20the%20initial%20detection%20and%20any%20other%20associated%20investigation%20the%20team%20can%20conduct.%20Use%20https://attack.mitre.org/wiki/Persistence%20and%20other%20open%20source%20intelligence%20to%20check%20for%20common%20exfiltration%20mechanisms.%20Consider%20the%20sophistication%20of%20the%20adversary,%20the%20data%20that%20is%20likely%20to%20be%20targeted,%20the%20systems%20that%20may%20have%20been%20breached,%20and%20any%20other%20knowledge%20from%20further%20investigation.%20Query%20the%20logs%20of%20any%20available%20systems%20around%20the%20time%20of%20the%20incident%20for%20context%20and%20additional%20leads.%20If%20possible%20analyze%20and/or%20reverse%20engineer%20any%20executables%20or%20scripts%20discovered%20in%20the%20investigation.%20Try%20to%20determine%20exfiltration%20mechanisms,%20protocols,%20ports,%20IP%20addresses,%20hostnames,%20URLs,%20and%20other%20indicators.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b7bfe3f3-8035-45bd-a16a-4d847cb74ba3", 
"create_time": 1764758755.725215, "update_time": 1765481881.9178276, "name": "Determine mitigations and remediations", "order": 2, "tag": "2c398364-ef0f-4e7d-877e-0abfaa91d72d", "description": "Taking into account the confidentiality and availability considerations of the systems involved, determine which mitigations and remediations are appropriate.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0a27527c-f0c1-4e54-a875-d110a8f71cb8", "create_time": 1764758755.7253134, "update_time": 1765481881.9179668, "name": "Stop exfiltration", "order": 3, "tag": "e80c691b-9bab-4f4d-86ca-8496300842c3", "description": "Use%20host-based%20or%20network%20controls%20to%20interrupt%20exfiltration.%20Scope%20the%20response%20according%20to%20the%20severity%20of%20the%20event.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A6.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A7.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A8.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a1d5e293-2b61-43f1-a776-f8d2126a1d7a", "create_time": 1765481830.6020367, "update_time": 1765481881.918544, "name": "Remove persistent adversaries", "order": 3, "tasks": 
[{"id": "fecaae1e-a6d8-47b2-8386-5af5bcac6d54", "create_time": 1764758755.7254562, "update_time": 1765481881.9182255, "name": "Identify likely means of persistence", "order": 1, "tag": "27ff7f99-5263-4a23-ba71-775e2a96ea00", "description": "Trace%20exfiltration%20as%20far%20as%20possible%20back%20toward%20a%20root%20cause.%20Look%20for%20patterns%20of%20activity%20from%20scheduled%20tasks,%20system%20restarts,%20polling%20of%20external%20systems,%20and%20other%20common%20means%20of%20persistence.%20Sysinternals%20AutoRuns%20and%20other%20similar%20tools%20can%20check%20wide%20varieties%20of%20persistence%20mechanisms.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a951c1a1-61c6-4afa-b0c7-c721a97b5d3e", "create_time": 1764758755.7255518, "update_time": 1765481881.9184313, "name": "Remove identified persistence mechanisms", "order": 2, "tag": "3c87ad49-a462-47b1-93fa-401c82da9270", "description": 
"Block%20adversary%20persistence%20at%20the%20host%20and/or%20network%20level.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5BPalo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9577e82b-f68e-4fa7-a86b-987bbb51a504", "create_time": 1765481830.6022003, "update_time": 1765481881.918786, "name": "Assess impact", "order": 4, "tasks": [{"id": "be68378a-13d6-499d-bc94-d7f54c51e012", "create_time": 1764758755.7256913, "update_time": 1765481881.9186735, "name": "Measure the size and scope", "order": 1, "tag": "26cca1bb-80c3-43ab-ab5b-13975111b607", "description": 
"Measure%20the%20impact%20of%20the%20breach%20by%20amount%20of%20data,%20importance%20of%20data,%20potential%20follow-on%20impacts,%20and%20other%20appropriate%20criteria.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BPort%20and%20Protocol%20TrackerDashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A5.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A6.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "befcad6f-d66d-459c-8b71-9ac22c902c6f", "create_time": 1765481830.6024225, "update_time": 1765481881.9191456, "name": "Report to appropriate stakeholders", "order": 5, "tasks": [{"id": "aa30f51a-a2fb-4284-be1d-c8d6a0f2935b", "create_time": 1764758755.7259164, "update_time": 1765481881.91892, "name": "Identify appropriate stakeholders", "order": 1, "tag": "4bb2a31a-ccc7-4bc3-a5b7-cf946cb10fb0", "description": "Identify who should receive which information. 
This may include the regulatory compliance team, all internal employees, customers, partners, appropriate government officials, the public, system vendors, open source communities, and others.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c2c0365b-7e90-4f34-a074-05b31a6bbb00", "create_time": 1764758755.7260718, "update_time": 1765481881.9190648, "name": "Send reports", "order": 2, "tag": "03fd935b-9848-4eee-8179-1d33592a2658", "description": "Send the appropriate amount of information to identified parties. If it is beneficial, give them a way to respond to the information.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "370933e2-b9c1-4de8-90bd-10477e48ed7e", "create_time": 1765481830.602553, "update_time": 1765481881.9215052, "name": "Prevent future breaches", "order": 6, "tasks": [{"id": "574bfcd8-31c3-4b51-9e73-b8a35403894c", "create_time": 1764758755.726329, "update_time": 1765481881.921397, "name": "Prevent future breaches", "order": 1, "tag": "690e3199-c277-4a6f-8ada-9c4c5bbc3e48", "description": "Use information from this case to investigate further, apply patches, prevent behaviors, change systems, and otherwise prevent similar situations from occurring again. Setup automated checks for reinfection using similar indicators or TTP's.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "dcb047a2-c621-41c6-b3d5-acabcbb20b1d", "active": true, "used": false, "_user": "nobody", "_key": "b0ad7421-221a-4859-8af7-7cd8949ad10f"} 
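Review bot: The "Identify likely means of exfiltration" task in this new DataBreach_v2.json tells analysts to use `https://attack.mitre.org/wiki/Persistence` to "check for common exfiltration mechanisms", which is the wrong tactic and the legacy wiki path; the Exfiltration tactic page is `https://attack.mitre.org/tactics/TA0010/` (percent-encoded like the rest of that description), and a Persistence link belongs in the "Identify likely means of persistence" task instead. Description encoding is also mixed within the one template: every task with "Suggested Integrations" is percent-encoded Markdown while "Determine mitigations and remediations", "Identify appropriate stakeholders", "Send reports" and "Prevent future breaches" are plain text, so a renderer that does not decode every description will show literal `%20` in some tasks and clean text in others — worth confirming which form the loader expects and normalizing all descriptions to it. For the "Send reports" task a practitioner would also want a gating sentence such as `Confirm with legal/privacy counsel which regulatory notification deadlines and disclosure limits apply before any external report is sent.`, since the current text lists regulators and the public as recipients with no such check.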
From a7a243d8ec13ce806fe343a8764f56c9e3a4dd33 Mon Sep 17 00:00:00 2001 From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com> Date: Mon, 15 Dec 2025 12:34:06 -0700 Subject: [PATCH 39/44] Update and rename GenericIncidentResponse_v13.json to GenericIncidentResponse_v2.json --- response_templates/GenericIncidentResponse_v13.json | 1 - response_templates/GenericIncidentResponse_v2.json | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 response_templates/GenericIncidentResponse_v13.json create mode 100644 response_templates/GenericIncidentResponse_v2.json diff --git a/response_templates/GenericIncidentResponse_v13.json b/response_templates/GenericIncidentResponse_v13.json deleted file mode 100644 index 631cedc8eb..0000000000 --- a/response_templates/GenericIncidentResponse_v13.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "c3326c0e-417c-46de-b79a-7a33e457b91b", "create_time": 1764862802.518435, "update_time": 1765478297.8226988, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 13, "phases": [{"id": "c8c1bb29-a14c-4230-ba02-283f98645b90", "create_time": 1765478297.7930639, "update_time": 1765478297.7930644, "name": "Detection", "order": 1, "tasks": [{"id": "76fd8383-b2f7-47d8-b952-49a60105c23f", "create_time": 1764758755.9055116, "update_time": 1765478297.7925363, "name": "Report incident response execution", "order": 1, "tag": "69c9baf1-bd12-4b09-b6b6-a77df9428682", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c62f8956-c622-4c11-a664-9d68661f2df1", "create_time": 1764758755.905616, "update_time": 1765478297.7928247, "name": "Document associated events", "order": 2, "tag": "8ca56a2a-f0d7-43c1-96e3-06bac95deffe", "description": "This is the escalation. 
Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8e84a157-60e0-4914-97e7-a59936ba4fcf", "create_time": 1764758755.9057095, "update_time": 1765478297.7929223, "name": "Document known attack surface and attacker information", "order": 3, "tag": "604e26c0-fb5a-4320-9d95-ef887d406d71", "description": "Rough triage of the situation. No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ea952b70-0c68-4750-b791-7489117f5a3a", "create_time": 1764758755.9058, "update_time": 1765478297.7930133, "name": "Assign roles", "order": 4, "tag": "389fce05-2170-4971-aabb-da3d88ea668a", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "816cf263-fcdd-45d6-8f5f-f4c5c3f638bd", "create_time": 1765478297.7943053, "update_time": 1765478297.7943058, "name": "Analysis", "order": 2, "tasks": [{"id": "2444a355-821e-4485-86c5-03c836cba7c5", "create_time": 1764758755.9059348, "update_time": 1765478297.7931442, "name": "Research intelligence resources", "order": 1, "tag": "595d75bb-316e-4dec-bfc6-6729d3e7b280", "description": 
"Find%20out%20if%20this%20attacker%20is%20a%20known%20agent%20and%20gather%20associated%20tactics,%20techniques,%20and%20procedures%20(TTP)%20used.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%203.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a947eacc-04e3-485e-bac4-6566e85df173", "create_time": 1764758755.9060266, "update_time": 1765478297.7932744, "name": "Research proxy logs", "order": 2, "tag": "7586c74e-6844-45bb-9535-4924752ff0de", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bfa0b1ad-7bb1-484d-bcfa-16df7989518c", "create_time": 1764758755.906122, "update_time": 1765478297.7933776, "name": "Research firewall logs", "order": 3, "tag": "5f7e4c57-343a-4a5c-8c90-643bdb578dbb", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0168209e-eb24-4a5a-b72a-7c074a96a19c", "create_time": 1764758755.906265, "update_time": 1765478297.7934852, "name": "Research OS logs", "order": 4, "tag": "357d8065-7af2-4968-a52e-1daba8d36bcb", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "82beb15d-df47-49e4-a504-6a7dd5f33558", "create_time": 1764758755.9063575, "update_time": 1765478297.7935877, "name": "Research network logs", "order": 5, "tag": "f5aabd39-0213-498c-9a91-db8b62c1d262", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d339af9b-fdfb-4944-8f9a-6febf9fbceb3", "create_time": 1764758755.9064476, "update_time": 1765478297.7936852, "name": "Research endpoint protection logs", "order": 6, "tag": "a0d0a5b6-e961-470a-8fed-2fd0f1f56e54", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a6d8b29-55f0-4eb8-817b-281fbddccd40", "create_time": 1764758755.9065409, "update_time": 1765478297.7937844, "name": "Determine infection vector", "order": 7, "tag": "e840c5b9-b804-4851-ace7-ed2b20e94374", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ef1d9524-231c-4c12-9544-f01fe50f0e9b", "create_time": 1764758755.9066322, "update_time": 1765478297.7938728, "name": "Document all attack targets", "order": 8, "tag": "2a1efed7-4cba-4f66-b7f4-c51555f6dafd", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "27b6ef2b-735d-4598-ab6e-6875f837a484", "create_time": 1764758755.9067245, "update_time": 1765478297.7939599, "name": "Document all attacker sources and TTP", "order": 9, "tag": "3ce58599-9e4e-4936-a604-9b2783fbb4be", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a2fdf16b-e79d-4cf6-8f57-026a2c0b63d0", "create_time": 1764758755.9068127, "update_time": 1765478297.794048, "name": "Document infected devices", "order": 10, "tag": "8854bf07-df2e-4536-a7ef-c268776eba0e", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a16d098a-10a7-4b53-a798-fd83c467ddb6", "create_time": 1764758755.9069023, "update_time": 1765478297.7941349, "name": "Determine full impact of attack", "order": 11, "tag": "2419ca1b-fa9e-4443-8334-4642877218c4", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92b46948-e8f0-4194-9ada-76bbf21bea3a", "create_time": 1764758755.9069924, "update_time": 1765478297.7942424, "name": "Analyze malware samples", "order": 12, "tag": "7486b744-568f-4a71-b6ab-6c18b0975234", "description": 
"Analyze%20discovered%20malware%20and%20document%20indicators%20of%20compromise%20(IOCs).%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1cfc9549-b74f-4dfd-b1c5-956b1587e546", "create_time": 1765478297.7946434, "update_time": 1765478297.7946439, "name": "Containment", "order": 3, "tasks": [{"id": "91691144-6812-44e7-ae84-769b7c91778f", "create_time": 1764758755.9071276, "update_time": 1765478297.7943835, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "fa5fbdd4-4224-460f-80b1-081083c3a8e5", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "884da2c4-4fb8-494f-bd5a-2c0eacb81646", "create_time": 1764758755.9072351, "update_time": 1765478297.794471, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": "f735a650-8d7e-42ee-95fa-ca8122e29df4", "description": "Suggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b6fd766-744a-4ada-9612-9934ff090668", "create_time": 1764758755.9073257, "update_time": 
1765478297.7945688, "name": "Contain incident", "order": 3, "tag": "de5b8d96-bc90-47e5-a707-4b4ce273b2f5", "description": "Suggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A8.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A9.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A10.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A11.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A12.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a5675456-ec54-4045-beb4-d521f14192cc", "create_time": 1765478297.7949696, "update_time": 1765478297.7949698, "name": "Eradication", "order": 4, "tasks": [{"id": "74739ca3-8849-4d32-b41f-6dcf53ab6598", "create_time": 1764758755.9074597, "update_time": 1765478297.7947214, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "160a14ef-e1d7-46db-9a35-5e452602416a", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", 
"is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf7fc36c-f08b-4fda-89ec-95594bbf238c", "create_time": 1764758755.9075792, "update_time": 1765478297.794821, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "f02e09fa-0ed7-4ca7-a001-a6adcfe83437", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f5c72b7c-f274-4825-9b9f-5c34f8d384e9", "create_time": 1764758755.907677, "update_time": 1765478297.7949193, "name": "Repeat analysis and containment on any newly discovered infected hosts", "order": 3, "tag": "c8032097-7574-438a-8473-d614b8f135ff", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "50452b43-98af-43ab-bfb0-1e9f7368b2c9", "create_time": 1765478297.795289, "update_time": 1765478297.7952893, "name": "Recovery", "order": 5, "tasks": [{"id": "91a74317-f931-4ced-b4aa-6cdf54433221", "create_time": 1764758755.9079046, "update_time": 1765478297.7950459, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "c3c83a87-0d75-4d0a-b4e7-9fef0d60e5f4", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": 
[], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "91f6342d-a92b-4157-a124-5e87ab0c9827", "create_time": 1764758755.9080007, "update_time": 1765478297.7951343, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "27d8d5a5-4c1b-470c-b995-c39275b61444", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5840a534-399b-4ac1-b0bc-80927edf8f8b", "create_time": 1764758755.9080942, "update_time": 1765478297.7952387, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "085d0c66-3bb9-48c8-9403-0fc21217d77c", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "dd359232-b8be-435a-b5bc-1a5fd3e44559", "create_time": 1765478297.795616, "update_time": 1765478297.7956161, "name": "Post", "order": 6, "tasks": [{"id": "0f4c6d6e-5e22-4d2c-8de3-8fb45346b917", "create_time": 1764758755.908245, "update_time": 1765478297.7953663, "name": "Schedule after-action review meeting", "order": 1, "tag": "815e442f-e87d-42ef-81ea-5c13b4d1e3cf", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8864f28a-1b75-4317-b6e7-4088f8d19d9a", "create_time": 1764758755.9083498, "update_time": 1765478297.7954535, "name": "Generate incident response action report", "order": 2, 
"tag": "5a4862af-5001-4418-a48b-e028ef91b542", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "08014d2b-5977-45d2-a14e-519c990aed93", "create_time": 1764758755.9084463, "update_time": 1765478297.7955399, "name": "Report incident response complete", "order": 3, "tag": "4b12a641-8105-4b64-bd89-eef26fabb47a", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20complete.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "28753dcd-47c7-44ad-b85f-f840c3f0da96", "active": true, "used": false, "_user": "nobody", "_key": "c3326c0e-417c-46de-b79a-7a33e457b91b"} \ No newline at end of file diff --git a/response_templates/GenericIncidentResponse_v2.json b/response_templates/GenericIncidentResponse_v2.json new file mode 100644 index 0000000000..60d4b9303d --- /dev/null +++ b/response_templates/GenericIncidentResponse_v2.json 
@@ -0,0 +1 @@ +{"id": "c3326c0e-417c-46de-b79a-7a33e457b91b", "create_time": 1764862802.518435, "update_time": 1765478297.8226988, "name": "Generic Incident Response", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "c8c1bb29-a14c-4230-ba02-283f98645b90", "create_time": 1765478297.7930639, "update_time": 1765478297.7930644, "name": "Detection", "order": 1, "tasks": [{"id": "76fd8383-b2f7-47d8-b952-49a60105c23f", "create_time": 1764758755.9055116, "update_time": 1765478297.7925363, "name": "Report incident response execution", "order": 1, "tag": "69c9baf1-bd12-4b09-b6b6-a77df9428682", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20starting.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c62f8956-c622-4c11-a664-9d68661f2df1", "create_time": 1764758755.905616, "update_time": 1765478297.7928247, "name": "Document associated events", "order": 2, "tag": "8ca56a2a-f0d7-43c1-96e3-06bac95deffe", "description": "This is the escalation. 
Create a notable and populate it with significant data.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8e84a157-60e0-4914-97e7-a59936ba4fcf", "create_time": 1764758755.9057095, "update_time": 1765478297.7929223, "name": "Document known attack surface and attacker information", "order": 3, "tag": "604e26c0-fb5a-4320-9d95-ef887d406d71", "description": "Rough triage of the situation. No complete picture of the situation, but targets to analyze.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ea952b70-0c68-4750-b791-7489117f5a3a", "create_time": 1764758755.9058, "update_time": 1765478297.7930133, "name": "Assign roles", "order": 4, "tag": "389fce05-2170-4971-aabb-da3d88ea668a", "description": "For example: Incident commander, Tech lead, Scribe, Intel analysts, Security analysts", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "816cf263-fcdd-45d6-8f5f-f4c5c3f638bd", "create_time": 1765478297.7943053, "update_time": 1765478297.7943058, "name": "Analysis", "order": 2, "tasks": [{"id": "2444a355-821e-4485-86c5-03c836cba7c5", "create_time": 1764758755.9059348, "update_time": 1765478297.7931442, "name": "Research intelligence resources", "order": 1, "tag": "595d75bb-316e-4dec-bfc6-6729d3e7b280", "description": 
"Find%20out%20if%20this%20attacker%20is%20a%20known%20agent%20and%20gather%20associated%20tactics,%20techniques,%20and%20procedures%20(TTP)%20used.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%203.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a947eacc-04e3-485e-bac4-6566e85df173", "create_time": 1764758755.9060266, "update_time": 1765478297.7932744, "name": "Research proxy logs", "order": 2, "tag": "7586c74e-6844-45bb-9535-4924752ff0de", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bfa0b1ad-7bb1-484d-bcfa-16df7989518c", "create_time": 1764758755.906122, "update_time": 1765478297.7933776, "name": "Research firewall logs", "order": 3, "tag": "5f7e4c57-343a-4a5c-8c90-643bdb578dbb", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BMalware%20Search%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "0168209e-eb24-4a5a-b72a-7c074a96a19c", "create_time": 1764758755.906265, "update_time": 1765478297.7934852, "name": "Research OS logs", "order": 4, "tag": "357d8065-7af2-4968-a52e-1daba8d36bcb", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "82beb15d-df47-49e4-a504-6a7dd5f33558", "create_time": 1764758755.9063575, "update_time": 1765478297.7935877, "name": "Research network logs", "order": 5, "tag": "f5aabd39-0213-498c-9a91-db8b62c1d262", "description": 
"Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BWeb%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/web_center)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d339af9b-fdfb-4944-8f9a-6febf9fbceb3", "create_time": 1764758755.9064476, "update_time": 1765478297.7936852, "name": "Research endpoint protection logs", "order": 6, "tag": "a0d0a5b6-e961-470a-8fed-2fd0f1f56e54", "description": "Find%20and%20document%20any%20evidence%20linked%20to%20attacker%20actions.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8a6d8b29-55f0-4eb8-817b-281fbddccd40", "create_time": 1764758755.9065409, "update_time": 1765478297.7937844, "name": "Determine infection vector", "order": 7, "tag": "e840c5b9-b804-4851-ace7-ed2b20e94374", "description": "Find and document how the initial infection occurred.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "ef1d9524-231c-4c12-9544-f01fe50f0e9b", "create_time": 1764758755.9066322, "update_time": 1765478297.7938728, "name": "Document all attack targets", "order": 8, "tag": "2a1efed7-4cba-4f66-b7f4-c51555f6dafd", "description": "Find and document the full attack surface.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "27b6ef2b-735d-4598-ab6e-6875f837a484", "create_time": 1764758755.9067245, "update_time": 1765478297.7939599, "name": "Document all attacker sources and TTP", "order": 9, "tag": "3ce58599-9e4e-4936-a604-9b2783fbb4be", "description": "Document all discovered attack sources and tactics, techniques, and procedures (TTP).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a2fdf16b-e79d-4cf6-8f57-026a2c0b63d0", "create_time": 1764758755.9068127, "update_time": 1765478297.794048, "name": "Document infected devices", "order": 10, "tag": "8854bf07-df2e-4536-a7ef-c268776eba0e", "description": "Document all devices known to have been modified by the attacker.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a16d098a-10a7-4b53-a798-fd83c467ddb6", "create_time": 1764758755.9069023, "update_time": 1765478297.7941349, "name": "Determine full impact of attack", "order": 11, "tag": "2419ca1b-fa9e-4443-8334-4642877218c4", "description": "For example, the functional and informational impact of the attack.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "92b46948-e8f0-4194-9ada-76bbf21bea3a", "create_time": 1764758755.9069924, "update_time": 1765478297.7942424, "name": "Analyze malware samples", "order": 12, "tag": "7486b744-568f-4a71-b6ab-6c18b0975234", "description": 
"Analyze%20discovered%20malware%20and%20document%20indicators%20of%20compromise%20(IOCs).%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1cfc9549-b74f-4dfd-b1c5-956b1587e546", "create_time": 1765478297.7946434, "update_time": 1765478297.7946439, "name": "Containment", "order": 3, "tasks": [{"id": "91691144-6812-44e7-ae84-769b7c91778f", "create_time": 1764758755.9071276, "update_time": 1765478297.7943835, "name": "Acquire, preserve, secure, and document evidence", "order": 1, "tag": "fa5fbdd4-4224-460f-80b1-081083c3a8e5", "description": "Before modifying systems housing evidence of the attack, document the evidence.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "884da2c4-4fb8-494f-bd5a-2c0eacb81646", "create_time": 1764758755.9072351, "update_time": 1765478297.794471, "name": "Report devices and applications to be contained to proper channels", "order": 2, "tag": "f735a650-8d7e-42ee-95fa-ca8122e29df4", "description": "Suggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b6fd766-744a-4ada-9612-9934ff090668", "create_time": 1764758755.9073257, "update_time": 
1765478297.7945688, "name": "Contain incident", "order": 3, "tag": "de5b8d96-bc90-47e5-a707-4b4ce273b2f5", "description": "Suggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A8.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A9.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A10.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A11.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A12.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "a5675456-ec54-4045-beb4-d521f14192cc", "create_time": 1765478297.7949696, "update_time": 1765478297.7949698, "name": "Eradication", "order": 4, "tasks": [{"id": "74739ca3-8849-4d32-b41f-6dcf53ab6598", "create_time": 1764758755.9074597, "update_time": 1765478297.7947214, "name": "Identify and mitigate all vulnerabilities that were exploited", "order": 1, "tag": "160a14ef-e1d7-46db-9a35-5e452602416a", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", 
"is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bf7fc36c-f08b-4fda-89ec-95594bbf238c", "create_time": 1764758755.9075792, "update_time": 1765478297.794821, "name": "Remove malware, inappropriate materials and other components", "order": 2, "tag": "f02e09fa-0ed7-4ca7-a001-a6adcfe83437", "description": "Suggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f5c72b7c-f274-4825-9b9f-5c34f8d384e9", "create_time": 1764758755.907677, "update_time": 1765478297.7949193, "name": "Repeat analysis and containment on any newly discovered infected hosts", "order": 3, "tag": "c8032097-7574-438a-8473-d614b8f135ff", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "50452b43-98af-43ab-bfb0-1e9f7368b2c9", "create_time": 1765478297.795289, "update_time": 1765478297.7952893, "name": "Recovery", "order": 5, "tasks": [{"id": "91a74317-f931-4ced-b4aa-6cdf54433221", "create_time": 1764758755.9079046, "update_time": 1765478297.7950459, "name": "Return affected systems to an operationally ready state", "order": 1, "tag": "c3c83a87-0d75-4d0a-b4e7-9fef0d60e5f4", "description": "Restore network connectivity and system access.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": 
[], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "91f6342d-a92b-4157-a124-5e87ab0c9827", "create_time": 1764758755.9080007, "update_time": 1765478297.7951343, "name": "Confirm that the affected systems are functioning normally", "order": 2, "tag": "27d8d5a5-4c1b-470c-b995-c39275b61444", "description": "Work with system owners to validate successful recovery.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5840a534-399b-4ac1-b0bc-80927edf8f8b", "create_time": 1764758755.9080942, "update_time": 1765478297.7952387, "name": "If necessary, implement additional monitoring to look for future related activity", "order": 3, "tag": "085d0c66-3bb9-48c8-9403-0fc21217d77c", "description": "Be ready to identify a similar attack with proper monitoring.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "dd359232-b8be-435a-b5bc-1a5fd3e44559", "create_time": 1765478297.795616, "update_time": 1765478297.7956161, "name": "Post", "order": 6, "tasks": [{"id": "0f4c6d6e-5e22-4d2c-8de3-8fb45346b917", "create_time": 1764758755.908245, "update_time": 1765478297.7953663, "name": "Schedule after-action review meeting", "order": 1, "tag": "815e442f-e87d-42ef-81ea-5c13b4d1e3cf", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8864f28a-1b75-4317-b6e7-4088f8d19d9a", "create_time": 1764758755.9083498, "update_time": 1765478297.7954535, "name": "Generate incident response action report", "order": 2, 
"tag": "5a4862af-5001-4418-a48b-e028ef91b542", "description": "Both an executive report and a detailed final report.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "08014d2b-5977-45d2-a14e-519c990aed93", "create_time": 1764758755.9084463, "update_time": 1765478297.7955399, "name": "Report incident response complete", "order": 3, "tag": "4b12a641-8105-4b64-bd89-eef26fabb47a", "description": "Alert%20appropriate%20parties%20that%20incident%20response%20is%20complete.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "28753dcd-47c7-44ad-b85f-f840c3f0da96", "active": true, "used": false, "_user": "nobody", "_key": "c3326c0e-417c-46de-b79a-7a33e457b91b"}
From 26f1a2bca49728b17e43098a73ad8415682cf2c8 Mon Sep 17 00:00:00 2001
From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com>
Date: Mon, 15 Dec 2025 12:34:33 -0700
Subject: [PATCH 40/44] Update and rename NIST80061_v14.json to NIST80061_v2.json
---
response_templates/NIST80061_v14.json | 1 -
response_templates/NIST80061_v2.json | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
delete mode 100644 response_templates/NIST80061_v14.json
create mode 100644 response_templates/NIST80061_v2.json
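Review bot: The `version` field of this new document is 2 while its `id`, `_key` and `update_time` (1765478297.8226988) match the deleted copy whose tail appears at the top of this chunk, and the NIST80061 pair further down shows the same pattern explicitly (`"version": 14` in the deleted file, `"version": 2` in the new one, identical `_key` and `update_time`); if any consumer orders templates by `version` — the manifest format pairs `version` with `update_time` — a previously fetched copy with a higher number would be treated as newer than this published one, so it is worth confirming how the merge script and the consuming product resolve versions before rewinding them. Separately, the `description` of the "Research intelligence resources" task carries a duplicated list number, `%0A3.%203.%20%5BVirusTotal%20v3%5D`, which should read `%0A3.%20%5BVirusTotal%20v3%5D`. The `description` values are also inconsistently encoded — most are percent-encoded Markdown with embedded links (including a stray space in `%5B%20Palo%20Alto%5D`), others plain text — so a consumer must know per field whether to decode, and a plain description containing a literal `%` would be corrupted by uniform decoding; documenting the intended encoding, or encoding every description the same way, would remove that ambiguity.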
diff --git a/response_templates/NIST80061_v14.json b/response_templates/NIST80061_v14.json
deleted file mode 100644
index 225c2dd043..0000000000
--- a/response_templates/NIST80061_v14.json
+++ /dev/null
@@ -1 +0,0 @@ -{"id": "475a4c40-0996-4b54-a634-711205549572", "create_time": 1765482414.4679432, "update_time": 1765482414.4679432, "name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765482414.4685507, "update_time": 1765482414.4685512, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765482414.4680352, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765482414.4681613, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765482414.4682908, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765482414.4683938, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765482414.4685001, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765482414.4691532, "update_time": 1765482414.469154, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765482414.4686282, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765482414.4687133, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765482414.4687974, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765482414.4688811, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765482414.4689677, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765482414.4690719, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765482414.4695153, "update_time": 1765482414.4695156, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765482414.4692445, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765482414.4693527, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765482414.469451, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765482414.4698043, "update_time": 1765482414.4698048, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765482414.46959, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765482414.4696727, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765482414.4697568, "name": "Implement 
additional monitoring", "order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765482414.4700096, "update_time": 1765482414.4700098, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765482414.469876, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765482414.4699602, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "475a4c40-0996-4b54-a634-711205549572"}
\ No newline at end of file
diff --git a/response_templates/NIST80061_v2.json b/response_templates/NIST80061_v2.json
new file mode 100644
index 0000000000..2766ec7983
--- /dev/null
+++ b/response_templates/NIST80061_v2.json
@@ -0,0 +1 @@ +{"id": "475a4c40-0996-4b54-a634-711205549572", "create_time": 1765482414.4679432, "update_time": 1765482414.4679432, "name": "NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "97bc8622-69ca-48a1-bf2b-e4067281f71a", "create_time": 1765482414.4685507, "update_time": 1765482414.4685512, "name": "Detection", "order": 1, "tasks": [{"id": "9126eb2f-d5e2-48e7-a9f5-0c851f2ecc57", "create_time": 1764758755.7593036, "update_time": 1765482414.4680352, "name": "Determine if an incident has occurred", "order": 1, "tag": "dd8a2e5b-9131-4321-ad10-0cef889e30f1", "description": "Suggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d9a756c-20dc-4e2e-94e1-87f4eb164447", "create_time": 1764758755.7594106, "update_time": 1765482414.4681613, "name": "Analyze precursors and indicators", "order": 2, "tag": "cd6639cc-79b1-4f66-b03a-0b29118e9439", "description": "Suggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "974fdd62-7d20-40f3-912d-60d708146ac7", "create_time": 1764758755.7595055, "update_time": 1765482414.4682908, "name": "Look for correlating information", "order": 3, "tag": "64b3aaa7-416e-4ec2-8cc1-b54b1e0758db", "description": "Suggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c8d1664e-4d06-4470-8b99-124c615500ca", "create_time": 1764758755.759612, "update_time": 1765482414.4683938, "name": "Perform research", "order": 4, "tag": "c534e89d-327c-4deb-bc29-51fb49f65af6", "description": "Use%20search%20engines,%20knowledge%20bases,%20etc..%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "247f8ee3-e7db-437d-9a16-07e2d19673c0", "create_time": 1764758755.7597096, "update_time": 1765482414.4685001, "name": "Confirmed incident", "order": 5, "tag": "415e3412-85ed-4af6-bf6e-09e6e13542b3", "description": "For a confirmed incident, document the investigation and gather evidence. 
Attach all relevant information from detection steps to the notable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "ef47436d-de45-4aab-ba6b-736137c41076", "create_time": 1765482414.4691532, "update_time": 1765482414.469154, "name": "Analysis and Containment", "order": 2, "tasks": [{"id": "27f4ca0d-ef69-4211-9401-34d3817e879f", "create_time": 1764758755.759852, "update_time": 1765482414.4686282, "name": "Determine functional impact", "order": 1, "tag": "58850454-d4af-4cc4-a5dd-fded4be0ff4d", "description": "Suggested categories: None, Low, Medium, High", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b298ad0a-b53c-4e4d-9e27-0307d2b49d9f", "create_time": 1764758755.759945, "update_time": 1765482414.4687133, "name": "Determine information impact", "order": 2, "tag": "1150410e-72c0-4259-a499-d632727e083b", "description": "Suggested categories: None, Privacy breach, Proprietary breach, Integrity loss", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "650388ac-fa31-48c9-8031-fab7fbc1cce8", "create_time": 1764758755.760036, "update_time": 1765482414.4687974, "name": "Determine recoverability effort", "order": 3, "tag": "d6e187c9-188c-49de-ac41-5092d7ce6435", "description": "Suggested categories: Regular, Supplemented, Extended, Not Recoverable", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": 
"ae810a6c-7314-49f2-84cb-b40557c17734", "create_time": 1764758755.7601304, "update_time": 1765482414.4688811, "name": "Prioritize incident", "order": 4, "tag": "082dfce7-169c-4bd2-aa73-7d39f5e26be8", "description": "Prioritize handling the incident based on the relevant factors", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "3db4552a-5c3b-46e2-8792-88f27397d5ef", "create_time": 1764758755.760304, "update_time": 1765482414.4689677, "name": "Report incident", "order": 5, "tag": "716c8ff4-f8f9-406a-aa10-871b499d0892", "description": "Report%20the%20incident%20to%20the%20the%20appropriate%20internal%20personnel%20and%20external%20organizations%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "2ab31b96-9544-4949-8e63-04a674e6bdb6", "create_time": 1764758755.7604578, "update_time": 1765482414.4690719, "name": "Contain incident", "order": 6, "tag": "d05de9e0-1c72-4835-874a-83f6127ef09a", "description": 
"Suggested%20Integrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A4.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A5.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A6.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A7.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A8.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A9.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A10.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A11.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A12.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A13.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A14.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "37031e87-5234-4694-a5d9-cff1c29f8f4d", "create_time": 1765482414.4695153, "update_time": 1765482414.4695156, "name": "Eradicate", "order": 3, "tasks": [{"id": "31e6eacc-4f57-4329-b146-8d3f689e3086", "create_time": 1764758755.7606778, "update_time": 1765482414.4692445, "name": "Identify and mitigate all vulnerabilities", "order": 1, "tag": "f0381ae6-f28f-402a-9f05-3e990496dd50", "description": 
"Identify%20and%20mitigate%20all%20vulnerabilities%20that%20were%20exploited.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)%0A4.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A5.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A6.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A7.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A8.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "680e54ac-3708-4d38-884f-20a1a7edf0de", "create_time": 1764758755.7608309, "update_time": 1765482414.4693527, "name": "Remove malicious content", "order": 2, "tag": "e7029c6f-cce7-4c43-9a1c-b0425432ad81", "description": "Remove%20malware,%20inappropriate%20materials%20and%20other%20components.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a41b242d-1640-4d15-8104-ec399e12d1de", "create_time": 1764758755.7609744, "update_time": 1765482414.469451, "name": "Verify no other hosts are affected", "order": 3, "tag": "7e41266d-aa31-4b86-b2f4-47f68023fb3e", "description": 
"If%20more%20affected%20hosts%20are%20discovered,%20repeat%20the%20Detection%20and%20Analysis%20Steps.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A3.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A4.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b12466ec-8616-4519-b133-f6d93f9e32c4", "create_time": 1765482414.4698043, "update_time": 1765482414.4698048, "name": "Recovery", "order": 4, "tasks": [{"id": "43ba0f0e-1fda-4051-a97b-8f7f4682ac33", "create_time": 1764758755.7611475, "update_time": 1765482414.46959, "name": "Restore affected systems", "order": 1, "tag": "3a888228-8354-43a5-809b-41e85114db15", "description": "Return affected systems to an operationally ready state.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "579fa706-4719-4a36-92a0-8c89395b18e6", "create_time": 1764758755.7612762, "update_time": 1765482414.4696727, "name": "Validate restoration", "order": 2, "tag": "39fc29b1-1047-4d0c-bd88-4581b10fe376", "description": "Confirm that the affected systems are functioning normally.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "080aeef1-8fb9-40e2-863e-428fd8f7f017", "create_time": 1764758755.7614079, "update_time": 1765482414.4697568, "name": "Implement 
additional monitoring", "order": 3, "tag": "7d818e21-eb6b-48ef-92fa-e5c447194ae0", "description": "If necessary, implement additional monitoring to look for future activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1ec64d29-231e-4c34-aec1-4aee974fc8df", "create_time": 1765482414.4700096, "update_time": 1765482414.4700098, "name": "Post Incident Activity", "order": 5, "tasks": [{"id": "bab81f67-66e8-4326-be3c-6c11894e50c7", "create_time": 1764758755.7615948, "update_time": 1765482414.469876, "name": "Create a follow-up report", "order": 1, "tag": "e0d07d6c-00cb-44bc-8536-c8eeda5470a9", "description": "", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77497e1-95ce-4ebe-8b62-4929dbfdd8a5", "create_time": 1764758755.7616863, "update_time": 1765482414.4699602, "name": "Lessons learned", "order": 2, "tag": "95974f42-e739-440a-ba79-00fc2d32a7ad", "description": "Hold a lessons learned meeting (mandatory for major incidents, optional otherwise).", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "8756f985-929a-4076-9343-86c92b82c94f", "active": true, "used": true, "_user": "nobody", "_key": "475a4c40-0996-4b54-a634-711205549572"} From 7366e06e25b3698b90694b1c16a7830763f1e154 Mon Sep 17 00:00:00 2001 
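Review bot: The template `name` in this added line is stored percent-encoded (`"NIST%20800-61:%20Computer%20Security%20Incident%20Handling%20Guide"`) while the sibling template later in this series keeps `name` as plain text (`"Network Indicator Enrichment"`), and within this same file some task descriptions are percent-encoded (`"Suggested%20Integrations%0A1.%20..."`) while others are plain (`"Return affected systems to an operationally ready state."`); unless the consumer decodes every string field unconditionally the title will render with literal `%20`, and if it does decode unconditionally any plain description that contains a literal `%` will be corrupted. Pick one encoding policy per field and apply it across the response_templates files, or document which fields are expected to be URL-encoded. Separately, the "Report incident" task description carries a duplicated word, `Report%20the%20incident%20to%20the%20the%20appropriate`, which should read `Report%20the%20incident%20to%20the%20appropriate`. The instance-specific bookkeeping fields (`creator`, `updated_by`, `_user`, `_key`, and the float `create_time`/`update_time` values) look like a raw export from a live instance; if these files are merged and published verbatim, it is worth confirming those fields are intended to ship rather than being regenerated on import.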
From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com>
Date: Mon, 15 Dec 2025 12:35:04 -0700
Subject: [PATCH 41/44] Update and rename NetworkIndicatorEnrichment_v6.json to NetworkIndicatorEnrichment_v2.json
---
...torEnrichment_v6.json => NetworkIndicatorEnrichment_v2.json} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename response_templates/{NetworkIndicatorEnrichment_v6.json => NetworkIndicatorEnrichment_v2.json} (99%)
diff --git a/response_templates/NetworkIndicatorEnrichment_v6.json b/response_templates/NetworkIndicatorEnrichment_v2.json
similarity index 99%
rename from response_templates/NetworkIndicatorEnrichment_v6.json
rename to response_templates/NetworkIndicatorEnrichment_v2.json
index cad8f820e8..70709c53b2 100644
--- a/response_templates/NetworkIndicatorEnrichment_v6.json
+++ b/response_templates/NetworkIndicatorEnrichment_v2.json
@@ -1 +1 @@ -{"id": "8b1df498-d692-4212-a4fd-6b99b99e9027", "create_time": 1765481757.0347831, "update_time": 1765481757.0347831, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 6, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765481757.0357888, "update_time": 1765481757.0357893, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765481757.0349212, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": 
"Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765481757.0352638, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": 
"Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": 
[], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765481757.0354254, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 
1765481757.0355642, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765481757.0357046, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": 
"While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "8b1df498-d692-4212-a4fd-6b99b99e9027"} \ No newline at end of file +{"id": "8b1df498-d692-4212-a4fd-6b99b99e9027", "create_time": 1765481757.0347831, "update_time": 1765481757.0347831, "name": "Network Indicator Enrichment", "description": "Gather and analyze contextual information about URLs, hostnames, top level domain names, IP addresses, TLS certificates, and MAC addresses. These network indicators can be involved in security investigations of all types, so this response template is meant to be added as a modular component into an event or case that can have other more specific phases and tasks. 
For instance, when investigating an account compromise, this response template can be used during the investigation phase to rule out false positives and inform decisions about further investigation and response.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "5fc00a86-ecb5-473c-af5f-0eabced9921e", "create_time": 1765481757.0357888, "update_time": 1765481757.0357893, "name": "Network Indicator Enrichment", "order": 1, "tasks": [{"id": "09b3b9c0-1c5b-4c3f-941f-fcc4bcb6f2f6", "create_time": 1764758755.7974405, "update_time": 1765481757.0349212, "name": "Enrich URLs", "order": 1, "tag": "8fab0a3f-b436-4e3e-8c3a-9cc0a9cff8b5", "description": "Gather%20reputation%20and%20behavioral%20information%20about%20a%20suspicious%20URL.%20Automated%20actions%20can%20include%20querying%20threat%20intelligence%20databases,%20dynamic%20profiling%20of%20the%20URL%20and%20the%20associated%20redirects,%20or%20checking%20the%20categorization%20of%20a%20URL%20in%20a%20proxy%20or%20other%20safe%20browsing%20tool.%20Manual%20actions%20can%20include%20checking%20for%20typosquatting/brandjacking,%20evaluating%20the%20appropriateness%20of%20the%20URL%20given%20the%20context%20in%20which%20it%20was%20detected,%20or%20manually%20investigating%20the%20site%20from%20a%20sandboxed%20environment.%20Additionally,%20it%20might%20be%20appropriate%20to%20ask%20the%20user%20if%20they%20can%20explain%20why%20the%20URL%20was%20accessed.%20Outputs%20from%20this%20task%20could%20be%20used%20to%20pivot%20to%20investigation%20to%20underlying%20or%20associated%20domain%20names,%20other%20URLs,%20TLS%20certificates,%20IP%20addresses,%20or%20specific%20behaviors%20associated%20with%20the%20website%20such%20as%20Javascript%20execution%20patterns%20or%20downloaded%20files.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https
://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "b77c2c5b-488b-4ef6-a987-d4f1795e8c09", "create_time": 1764758755.7976081, "update_time": 1765481757.0352638, "name": "Enrich domain names", "order": 2, "tag": "f494c551-d513-4503-a268-32d14cd9352c", "description": "Domain%20names%20can%20be%20involved%20in%20investigations%20of%20phishing,%20watering%20hole%20attacks,%20malware%20command%20and%20control,%20exfiltration,%20and%20many%20other%20malicious%20behaviors.%20Some%20of%20the%20key%20questions%20to%20answer%20about%20a%20domain%20are:%20Who%20controls%20the%20domain?%20Who%20registered%20the%20domain?%20What%20is%20the%20purpose%20of%20the%20domain?%20What%20services%20are%20hosted%20on%20the%20domain?%20What%20traffic%20would%20you%20expect%20to%20see%20to%20and%20from%20the%20domain?%20How%20popular%20is%20the%20domain?%20Does%20the%20domain%20host%20dynamic%20content%20such%20as%20cloud%20services?%20What%20sub-domains%20or%20parent%20domains%20are%20associated%20with%20the%20domain?%20Is%20the%20domain%20known%20to%20host%20malicious%20content?%20Where%20in%20the%20world%20is%20the%20domain%20hosted?%20How%20recently%20was%20the%20domain%20registered?%20What%20is%20the%20DNS%20history%20of%20the%20domain?%20Is%20the%20domain%20meant%20to%20look%20similar%20to%20another%20more%20legitimate%20domain?%20Does%20the%20domain%20name%20appear%20to%20have%20been%20randomly%20generated?%20The%20results%20of%20these%20queries%20can%20produce%20related%20IP%20addresses,%20file%20hashes,%20downloaded%20files,%20URLs,%20TLS%20certificates,%20and%20behaviors%20which%20are%20useful%20elsewhere%20in
%20this%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https://splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fed103ab-b8bf-458e-a9d1-a80d7c1691ce", "create_time": 1764758755.7977073, "update_time": 1765481757.0354254, "name": "Enrich IP addresses", "order": 3, "tag": "b0444819-8d84-47b0-8011-97c9004966cc", "description": "Enrichment%20of%20IP%20addresses%20can%20be%20similar%20to%20domain%20names%20in%20many%20ways,%20but%20typically%20IP%20addresses%20will%20change%20more%20frequently.%20Frequent%20changes%20can%20be%20legitimate%20behavior%20caused%20by%20load%20balancers%20or%20content%20delivery%20networks,%20or%20it%20can%20be%20malicious%20behavior%20due%20to%20fast%20flux%20DNS%20changes,%20so%20additional%20context%20about%20the%20network%20traffic%20is%20needed.%20Also%20consider%20that%20traffic%20going%20straight%20to%20an%20IP%20address%20without%20doing%20a%20DNS%20query%20might%20be%20relevant%20to%20the%20investigation,%20and%20consider%20querying%20Tor%20or%20other%20anonymization%20systems%20to%20check%20if%20the%20IP%20address%20is%20a%20known%20exit%20node.%20Outputs%20of%20this%20task%20can%20inform%20URL%20enrichment,%20downloaded%20file%20analysis,%20domain%20name%20enrichment,%20TLS%20certificate%20enrichment,%20and%20more%20advanced%20behavioral%20analysis%20based%20on%20the%20services%20hosted%20at%20the%20IP%20address%2
0in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "9d096815-7876-4f42-9c93-73e3cc21d3ce", "create_time": 1764758755.7977993, "update_time": 1765481757.0355642, "name": "Enrich TLS certificates", "order": 4, "tag": "d98902d9-2620-41c6-90d2-d197a49a90ca", "description": "If%20an%20investigation%20involves%20a%20TLS%20certificate,%20it%20can%20be%20useful%20to%20gather%20registrant%20and%20certificate%20authority%20information%20about%20that%20certificate,%20and%20to%20query%20for%20other%20uses%20of%20similar%20infrastructure.%20The%20usage%20of%20free%20and%20automated%20certificate%20authorities%20such%20as%20Let's%20Encrypt%20does%20not%20necessarily%20imply%20that%20a%20domain%20is%20malicious,%20but%20that%20is%20a%20common%20technique%20used%20to%20build%20malicious%20infrastructure%20so%20it%20should%20warrant%20further%20investigation.%20Consider%20comparing%20the%20registrant%20information%20and%20certificate%20authority%20chain%20with%20the%20expected%20values%20for%20the%20organization%20allegedly%20hosting%20the%20website%20in%20question.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D
(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4e38a46a-1af2-477a-9349-8defa965ac2b", "create_time": 1764758755.7979288, "update_time": 1765481757.0357046, "name": "Enrich MAC addresses", "order": 5, "tag": "38d3329d-0ecd-494f-bbcf-5be0fd99a7c3", "description": "While%20MAC%20(media%20access%20control)%20addresses%20are%20less%20frequently%20involved%20in%20security%20investigations,%20when%20they%20are%20present%20they%20can%20sometimes%20be%20useful%20to%20cross-reference,%20identify,%20or%20profile%20a%20device.%20MAC%20addresses%20can%20be%20changed%20and%20spoofed,%20but%20it%20is%20usually%20less%20common%20than%20a%20change%20in%20IP%20address%20or%20hostname.%20In%20wifi%20investigations%20the%20MAC%20address%20can%20be%20used%20to%20identify%20both%20the%20access%20point%20and%20the%20clients%20that%20connect%20to%20it.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)%0A3.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A4.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A5.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "47bb10fa-61c2-4bd8-b7dd-f69f376e2750", "active": true, "used": true, "_user": "nobody", "_key": "8b1df498-d692-4212-a4fd-6b99b99e9027"} From 08664b7c3c43ae7182f085e2e271359c6d546cd0 Mon Sep 17 00:00:00 2001 
From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com>
Date: Mon, 15 Dec 2025 12:36:00 -0700
Subject: [PATCH 42/44] Update and rename SelfReplicatingMalware_v14.json to SelfReplicatingMalware_v2.json
---
response_templates/SelfReplicatingMalware_v14.json | 1 -
response_templates/SelfReplicatingMalware_v2.json | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
delete mode 100644 response_templates/SelfReplicatingMalware_v14.json
create mode 100644 response_templates/SelfReplicatingMalware_v2.json
diff --git a/response_templates/SelfReplicatingMalware_v14.json b/response_templates/SelfReplicatingMalware_v14.json
deleted file mode 100644
index 3a28c86a8a..0000000000
--- a/response_templates/SelfReplicatingMalware_v14.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "ec7f5b1d-f689-4ea7-b00c-703d062755ef", "create_time": 1764862816.2406306, "update_time": 1765478655.8295362, "name": "Self-Replicating Malware", "description": "This response template outlines a response to a potential infection by self-replicating malware (malware that propagates itself without human interaction). While there is much overlap between the response necessary for self-replicating malware and the response to any other malware, the ability to propagate from one system to the next automatically adds the potential for faster and more thorough infection of enterprise systems. Often the infection mechanism is a particular network service or shared resource, so an appropriate response tends to be a fast configuration change to contain the effect immediately.\n\nThis template is adapted from a modified version of the CERT Societe Generale Incident Response Methodology called Worm Infection Response. The full methodology is available at https://github.com/certsocietegenerale/IRM/blob/HEAD/EN/IRM-1-WormInfection.pdf and is covered under the Creative Commons Attribution 3.0 Imported license available at https://github.com/certsocietegenerale/IRM/blob/HEAD/LICENSE.md, while the CERT Societe Generale homepage is https://cert.societegenerale.com/en/.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 14, "phases": [{"id": "56b864aa-4f46-4eab-8631-15340fe85f3d", "create_time": 1765478655.800768, "update_time": 1765478655.8007686, "name": "Preparation", "order": 1, "tasks": [{"id": "ec3ed15c-7140-4e3d-ad5f-324edaf32d30", "create_time": 1764758755.867025, "update_time": 1765478655.8002567, "name": "Define team members", "order": 1, "tag": "a901e393-ab86-4ca7-95db-14d8774a60da", "description": 
"Determine%20which%20team%20members%20will%20play%20which%20role%20in%20the%20response%20and%20establish%20communications%20channels%20with%20all%20involved.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "faf9efef-e4dc-4100-98b4-3ed62777f915", "create_time": 1764758755.867135, "update_time": 1765478655.8004067, "name": "Check analysis tools", "order": 2, "tag": "6700e71f-245c-4f8c-b835-d91eaefe716b", "description": "Test%20connectivity,%20check%20patch%20level,%20and%20run%20example%20queries%20on%20all%20analysis%20tools.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A3.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A4.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A5.%20%20PhishTank%20(preconfigured)%0A6.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e8b572ad-9cb7-4a0b-accc-dc0d6bc672af", "create_time": 1764758755.867274, "update_time": 1765478655.8005216, "name": "Acquire architecture map", "order": 3, "tag": "10b5cc45-188d-4152-99c2-d9ee90a0df52", "description": "Find or build an up-to-date map of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], 
"actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "49e8c224-9ffe-472f-b5d5-d0134314ddc0", "create_time": 1764758755.8673825, "update_time": 1765478655.800613, "name": "Acquire asset inventory", "order": 4, "tag": "27d598df-8c52-4d6b-871d-93ee5ccdaf3f", "description": "Find%20or%20build%20an%20up-to-date%20inventory%20of%20all%20devices.%0A%0ASuggested%20Integrations%0A1.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd65385f-53f6-4b16-ae5b-8480703a5e29", "create_time": 1764758755.8674753, "update_time": 1765478655.8007166, "name": "Continuous monitoring", "order": 5, "tag": "3959e856-64e9-486e-a0b6-0cb97176c283", "description": "Monitor threat trends and system activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d8781b52-5f94-496a-9221-20af11959541", "create_time": 1765478655.8011546, "update_time": 1765478655.8011549, "name": "Identification", "order": 2, "tasks": [{"id": "0fc8d25d-2b92-4617-b573-518330fb9da1", "create_time": 1764758755.867626, "update_time": 1765478655.8008454, "name": "Detect the infection", "order": 1, "tag": "27c2ab29-35d9-4643-9216-85a8c201e0ed", "description": 
"Detect%20abnormalities%20and%20potential%20infections%20using%20endpoint%20and%20network%20intrusion%20detection%20systems,%20application%20logs,%20authentication%20logs,%20system%20load%20monitoring,%20notification%20from%20external%20sources,%20and%20other%20methods.%20Seek%20a%20repeatable%20detection%20that%20is%20as%20reliable%20as%20possible,%20as%20future%20steps%20call%20for%20checking%20and%20re-checking%20to%20monitor%20progress.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "709ed3e1-de9b-421a-b7b2-eae661d66b04", "create_time": 1764758755.867718, "update_time": 1765478655.8009667, "name": "Identify the infection", "order": 2, "tag": "fcd59f33-221b-43aa-a26f-7a7536dc298a", "description": 
"Compare%20the%20known%20symptoms%20to%20all%20available%20threat%20intelligence%20and%20try%20to%20identify%20the%20threat%20as%20specifically%20as%20possible.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A6.%20%5BIndicators%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/threat_artifacts)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "07f7f8bf-c7d0-4312-a878-1cc5910284e3", "create_time": 1764758755.8678086, "update_time": 1765478655.8010774, "name": "Assess the perimeter of the infection", "order": 3, "tag": "d5aa1644-4d52-4274-92b7-c8b9e33b56e0", "description": "Check%20systems%20in%20different%20parts%20of%20the%20organization%20to%20define%20the%20perimeter%20of%20the%20infection%20and%20assess%20the%20potential%20business%20impact.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", 
"owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b077cd75-7ba9-467c-a53e-bfcea36eb013", "create_time": 1765478655.8017411, "update_time": 1765478655.8017416, "name": "Containment", "order": 3, "tasks": [{"id": "3aee7278-0f5f-48ff-ad16-9ddaec267689", "create_time": 1764758755.8679423, "update_time": 1765478655.80125, "name": "Disconnect infected areas from the internet", "order": 1, "tag": "e53fd536-8058-4a06-8c6c-e6fc9467ddf8", "description": "Stop%20command%20and%20control%20behavior%20and%20further%20propagation%20by%20disconnecting%20affected%20areas%20from%20the%20internet.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "50bcd8ba-7edc-4b44-8a04-fdd5ee6daa0b", "create_time": 1764758755.8680344, "update_time": 1765478655.8013616, "name": "Isolate infected area from all networks", "order": 2, "tag": "884437ea-ff98-40f7-999d-69efd55841ae", "description": 
"Enforce%20more%20strict%20network%20segmentation%20to%20prevent%20further%20internal%20spreading.%20Consider%20disconnecting%20mobile%20devices%20and%20laptops%20to%20minimize%20the%20propagation%20surface.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ff5509b-ae70-431c-ac11-f4445d9bd890", "create_time": 1764758755.8681533, "update_time": 1765478655.8014727, "name": "Monitor business-critical network connections that cannot be disconnected", "order": 3, "tag": "400bb1f4-670c-4503-91a0-fe813d7285f2", "description": 
"For%20those%20applications%20that%20cannot%20be%20disconnected%20due%20to%20continuity%20needs,%20increase%20monitoring%20and%20analyze%20traffic%20for%20malicious%20activity.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d220afbd-3306-4e8a-ad41-3028fb9f309f", "create_time": 1764758755.8682685, "update_time": 1765478655.8015823, "name": "Neutralize propagation vectors", "order": 4, "tag": "92bef873-aca9-4ef8-946b-edfb9ce66e36", "description": 
"Deploy%20patches,%20change%20configurations,%20sinkhole%20domains,%20re-image%20systems,%20stop%20services,%20or%20take%20other%20appropriate%20actions%20to%20prevent%20further%20propagation%20using%20all%20known%20vectors.%20Notify%20users%20of%20changes%20that%20will%20affect%20them%20and/or%20request%20their%20assistance%20for%20manual%20neutralization%20steps.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "640ecd84-2bff-4b55-b16e-2f00b863cfe0", "create_time": 1764758755.8683593, "update_time": 1765478655.8016906, "name": "Monitor progress", "order": 5, "tag": "66412e78-657c-4f0d-a15a-2533d1b9a948", "description": "Re-check neutralized systems and repeat or improve processes to cover important systems as quickly as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4999e420-9fa9-46ea-9da3-4ffb078c45a0", "create_time": 1765478655.8021305, "update_time": 1765478655.802131, "name": "Remediation", "order": 4, "tasks": [{"id": "06bd975f-1fb6-4333-b714-27ce6a1ced40", "create_time": 1764758755.8684924, "update_time": 1765478655.8018172, "name": "Identify", "order": 1, "tag": "7f4c59cc-2f64-459c-8245-31bb42439ea9", "description": "Consider vendor fixes, antivirus updates, external support options, and custom solutions. 
Use these to define a disinfection process and validate it with a reputable source if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "93e47407-dfd0-40ba-a01d-1ef596ee0c42", "create_time": 1764758755.8685825, "update_time": 1765478655.8019052, "name": "Test", "order": 2, "tag": "e0cc2310-9631-4a7f-b637-79d890e0a79a", "description": "Test the disinfection process on a system that is as close to a production configuration as possible and verify that it works while not damaging any service.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "448524ff-39de-428d-95f7-2cc16c03ea28", "create_time": 1764758755.8686728, "update_time": 1765478655.801993, "name": "Deploy", "order": 3, "tag": "69ea1765-0326-4559-9f52-0202bcd1684e", "description": "Deploy the process and scale it up if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "154ef40e-9a4e-4072-b222-e4b5c286ce4f", "create_time": 1764758755.8687656, "update_time": 1765478655.8020792, "name": "Confirm", "order": 4, "tag": "ec04ad38-972d-40d5-9672-64ccce7f2ebc", "description": "Confirm that the malware did not block remediations and find a workaround if it did.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "46c10e9a-74fd-4c28-ae23-80c66c6959ff", "create_time": 1765478655.802708, "update_time": 1765478655.8027081, "name": "Recovery", 
"order": 5, "tasks": [{"id": "b5137ace-0638-4c0d-bf3a-89808acb2796", "create_time": 1764758755.8689115, "update_time": 1765478655.8022254, "name": "Verify Containment and Remediation", "order": 1, "tag": "11e7491e-04ec-46dd-8763-7f7259aa86a9", "description": "Review current progress towards remediation by re-checking systems.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "916ce97e-d38f-41bd-8e31-fd4ebac266fa", "create_time": 1764758755.8690028, "update_time": 1765478655.8023124, "name": "Reopen propagation network mechanism", "order": 2, "tag": "3e4bb0aa-beab-472e-b19a-5d0974e25942", "description": "Turn off network enforcement for a segment of the network and monitor for new attempts to reinfect.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d6b12db-a684-4eee-b942-8d720c1e7c1a", "create_time": 1764758755.8690934, "update_time": 1765478655.8024004, "name": "Reconnect isolated sub-areas to each other", "order": 3, "tag": "ecd50bc1-ba91-4333-b50e-8065b2552e83", "description": "Turn off inter-area network enforcement and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "77f860e3-1ab9-47f4-b9f5-29b02f762628", "create_time": 1764758755.8692014, "update_time": 1765478655.8024862, "name": "Reconnect mobile devices", "order": 4, "tag": "786a211c-5a54-4465-a6ae-fb26047d3d77", "description": "Reconnect mobile devices and laptops to monitor for persistence and check coverage across all device categories.", "owner": "", "is_note_required": false, "status": 
"Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "eea6a167-30bf-434e-a7a5-7f0af8bd0ec6", "create_time": 1764758755.8692956, "update_time": 1765478655.802572, "name": "Reconnect isolated areas to main enterprise network", "order": 5, "tag": "739634b9-8f30-4fb4-b531-8f3e1bb5dcbc", "description": "Disable network enforcement between cleaned areas and the rest of the network while monitoring for reinfection.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "7947c3e9-c721-44ad-92e5-cbda84dd7687", "create_time": 1764758755.8693867, "update_time": 1765478655.8026576, "name": "Reconnect to the internet", "order": 6, "tag": "d80ab11b-58f4-4aed-a533-93f344fdc898", "description": "Reconnect to the internet and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "76b0e701-8fe2-49da-a85d-c100fc2a3a19", "create_time": 1765478655.80292, "update_time": 1765478655.8029208, "name": "Aftermath", "order": 6, "tasks": [{"id": "bb39e701-edec-47a4-a5d9-47483140b788", "create_time": 1764758755.8695176, "update_time": 1765478655.8027844, "name": "Build crisis report", "order": 1, "tag": "bb5d871c-99f4-408a-8a1e-9efa55ff1465", "description": "Notify affected parties with as much detail as is appropriate. 
Consider the initial cause of the infection, actions and timelines of important events, what went right, what went wrong, and the incident cost.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4a48b7c9-f36d-412f-a2e2-c369a98d4261", "create_time": 1764758755.8696067, "update_time": 1765478655.8028712, "name": "Improve processes", "order": 2, "tag": "114c1009-376f-4715-a825-145c3dbcbba0", "description": "Capitalize on the experience by improving the processes that were used, creating new processes where needed, and automating that which is generalizable and repeatable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "633942a9-b466-49c5-9cb0-1a4488da8473", "active": true, "used": false, "_user": "nobody", "_key": "ec7f5b1d-f689-4ea7-b00c-703d062755ef"}
\ No newline at end of file
diff --git a/response_templates/SelfReplicatingMalware_v2.json b/response_templates/SelfReplicatingMalware_v2.json
new file mode 100644
index 0000000000..116b99843f
--- /dev/null
+++ b/response_templates/SelfReplicatingMalware_v2.json
@@ -0,0 +1 @@ +{"id": "ec7f5b1d-f689-4ea7-b00c-703d062755ef", "create_time": 1764862816.2406306, "update_time": 1765478655.8295362, "name": "Self-Replicating Malware", "description": "This response template outlines a response to a potential infection by self-replicating malware (malware that propagates itself without human interaction). While there is much overlap between the response necessary for self-replicating malware and the response to any other malware, the ability to propagate from one system to the next automatically adds the potential for faster and more thorough infection of enterprise systems. Often the infection mechanism is a particular network service or shared resource, so an appropriate response tends to be a fast configuration change to contain the effect immediately.\n\nThis template is adapted from a modified version of the CERT Societe Generale Incident Response Methodology called Worm Infection Response. The full methodology is available at https://github.com/certsocietegenerale/IRM/blob/HEAD/EN/IRM-1-WormInfection.pdf and is covered under the Creative Commons Attribution 3.0 Imported license available at https://github.com/certsocietegenerale/IRM/blob/HEAD/LICENSE.md, while the CERT Societe Generale homepage is https://cert.societegenerale.com/en/.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "56b864aa-4f46-4eab-8631-15340fe85f3d", "create_time": 1765478655.800768, "update_time": 1765478655.8007686, "name": "Preparation", "order": 1, "tasks": [{"id": "ec3ed15c-7140-4e3d-ad5f-324edaf32d30", "create_time": 1764758755.867025, "update_time": 1765478655.8002567, "name": "Define team members", "order": 1, "tag": "a901e393-ab86-4ca7-95db-14d8774a60da", "description": 
"Determine%20which%20team%20members%20will%20play%20which%20role%20in%20the%20response%20and%20establish%20communications%20channels%20with%20all%20involved.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A2.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A3.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "faf9efef-e4dc-4100-98b4-3ed62777f915", "create_time": 1764758755.867135, "update_time": 1765478655.8004067, "name": "Check analysis tools", "order": 2, "tag": "6700e71f-245c-4f8c-b835-d91eaefe716b", "description": "Test%20connectivity,%20check%20patch%20level,%20and%20run%20example%20queries%20on%20all%20analysis%20tools.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A3.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A4.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A5.%20%20PhishTank%20(preconfigured)%0A6.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "e8b572ad-9cb7-4a0b-accc-dc0d6bc672af", "create_time": 1764758755.867274, "update_time": 1765478655.8005216, "name": "Acquire architecture map", "order": 3, "tag": "10b5cc45-188d-4152-99c2-d9ee90a0df52", "description": "Find or build an up-to-date map of the network.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], 
"actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "49e8c224-9ffe-472f-b5d5-d0134314ddc0", "create_time": 1764758755.8673825, "update_time": 1765478655.800613, "name": "Acquire asset inventory", "order": 4, "tag": "27d598df-8c52-4d6b-871d-93ee5ccdaf3f", "description": "Find%20or%20build%20an%20up-to-date%20inventory%20of%20all%20devices.%0A%0ASuggested%20Integrations%0A1.%20%5BAsset%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/asset_center)%0A2.%20%5BServiceNow%5D(https://splunkbase.splunk.com/app/5932)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd65385f-53f6-4b16-ae5b-8480703a5e29", "create_time": 1764758755.8674753, "update_time": 1765478655.8007166, "name": "Continuous monitoring", "order": 5, "tag": "3959e856-64e9-486e-a0b6-0cb97176c283", "description": "Monitor threat trends and system activity.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d8781b52-5f94-496a-9221-20af11959541", "create_time": 1765478655.8011546, "update_time": 1765478655.8011549, "name": "Identification", "order": 2, "tasks": [{"id": "0fc8d25d-2b92-4617-b573-518330fb9da1", "create_time": 1764758755.867626, "update_time": 1765478655.8008454, "name": "Detect the infection", "order": 1, "tag": "27c2ab29-35d9-4643-9216-85a8c201e0ed", "description": 
"Detect%20abnormalities%20and%20potential%20infections%20using%20endpoint%20and%20network%20intrusion%20detection%20systems,%20application%20logs,%20authentication%20logs,%20system%20load%20monitoring,%20notification%20from%20external%20sources,%20and%20other%20methods.%20Seek%20a%20repeatable%20detection%20that%20is%20as%20reliable%20as%20possible,%20as%20future%20steps%20call%20for%20checking%20and%20re-checking%20to%20monitor%20progress.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "709ed3e1-de9b-421a-b7b2-eae661d66b04", "create_time": 1764758755.867718, "update_time": 1765478655.8009667, "name": "Identify the infection", "order": 2, "tag": "fcd59f33-221b-43aa-a26f-7a7536dc298a", "description": 
"Compare%20the%20known%20symptoms%20to%20all%20available%20threat%20intelligence%20and%20try%20to%20identify%20the%20threat%20as%20specifically%20as%20possible.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A6.%20%5BIndicators%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/threat_artifacts)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "07f7f8bf-c7d0-4312-a878-1cc5910284e3", "create_time": 1764758755.8678086, "update_time": 1765478655.8010774, "name": "Assess the perimeter of the infection", "order": 3, "tag": "d5aa1644-4d52-4274-92b7-c8b9e33b56e0", "description": "Check%20systems%20in%20different%20parts%20of%20the%20organization%20to%20define%20the%20perimeter%20of%20the%20infection%20and%20assess%20the%20potential%20business%20impact.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BOpen%20Email%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", 
"owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "b077cd75-7ba9-467c-a53e-bfcea36eb013", "create_time": 1765478655.8017411, "update_time": 1765478655.8017416, "name": "Containment", "order": 3, "tasks": [{"id": "3aee7278-0f5f-48ff-ad16-9ddaec267689", "create_time": 1764758755.8679423, "update_time": 1765478655.80125, "name": "Disconnect infected areas from the internet", "order": 1, "tag": "e53fd536-8058-4a06-8c6c-e6fc9467ddf8", "description": "Stop%20command%20and%20control%20behavior%20and%20further%20propagation%20by%20disconnecting%20affected%20areas%20from%20the%20internet.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "50bcd8ba-7edc-4b44-8a04-fdd5ee6daa0b", "create_time": 1764758755.8680344, "update_time": 1765478655.8013616, "name": "Isolate infected area from all networks", "order": 2, "tag": "884437ea-ff98-40f7-999d-69efd55841ae", "description": 
"Enforce%20more%20strict%20network%20segmentation%20to%20prevent%20further%20internal%20spreading.%20Consider%20disconnecting%20mobile%20devices%20and%20laptops%20to%20minimize%20the%20propagation%20surface.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A6.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A7.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ff5509b-ae70-431c-ac11-f4445d9bd890", "create_time": 1764758755.8681533, "update_time": 1765478655.8014727, "name": "Monitor business-critical network connections that cannot be disconnected", "order": 3, "tag": "400bb1f4-670c-4503-91a0-fe813d7285f2", "description": 
"For%20those%20applications%20that%20cannot%20be%20disconnected%20due%20to%20continuity%20needs,%20increase%20monitoring%20and%20analyze%20traffic%20for%20malicious%20activity.%0A%0ASuggested%20Integrations%0A1.%20%5BAnalyst%20Queue%5D(/app/SplunkEnterpriseSecuritySuite/incident_review)%0A2.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A3.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A4.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A5.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)%0A6.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A7.%20%5BAccess%20Anomalies%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/access_anomalies)%0A8.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d220afbd-3306-4e8a-ad41-3028fb9f309f", "create_time": 1764758755.8682685, "update_time": 1765478655.8015823, "name": "Neutralize propagation vectors", "order": 4, "tag": "92bef873-aca9-4ef8-946b-edfb9ce66e36", "description": 
"Deploy%20patches,%20change%20configurations,%20sinkhole%20domains,%20re-image%20systems,%20stop%20services,%20or%20take%20other%20appropriate%20actions%20to%20prevent%20further%20propagation%20using%20all%20known%20vectors.%20Notify%20users%20of%20changes%20that%20will%20affect%20them%20and/or%20request%20their%20assistance%20for%20manual%20neutralization%20steps.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "640ecd84-2bff-4b55-b16e-2f00b863cfe0", "create_time": 1764758755.8683593, "update_time": 1765478655.8016906, "name": "Monitor progress", "order": 5, "tag": "66412e78-657c-4f0d-a15a-2533d1b9a948", "description": "Re-check neutralized systems and repeat or improve processes to cover important systems as quickly as possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "4999e420-9fa9-46ea-9da3-4ffb078c45a0", "create_time": 1765478655.8021305, "update_time": 1765478655.802131, "name": "Remediation", "order": 4, "tasks": [{"id": "06bd975f-1fb6-4333-b714-27ce6a1ced40", "create_time": 1764758755.8684924, "update_time": 1765478655.8018172, "name": "Identify", "order": 1, "tag": "7f4c59cc-2f64-459c-8245-31bb42439ea9", "description": "Consider vendor fixes, antivirus updates, external support options, and custom solutions. 
Use these to define a disinfection process and validate it with a reputable source if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "93e47407-dfd0-40ba-a01d-1ef596ee0c42", "create_time": 1764758755.8685825, "update_time": 1765478655.8019052, "name": "Test", "order": 2, "tag": "e0cc2310-9631-4a7f-b637-79d890e0a79a", "description": "Test the disinfection process on a system that is as close to a production configuration as possible and verify that it works while not damaging any service.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "448524ff-39de-428d-95f7-2cc16c03ea28", "create_time": 1764758755.8686728, "update_time": 1765478655.801993, "name": "Deploy", "order": 3, "tag": "69ea1765-0326-4559-9f52-0202bcd1684e", "description": "Deploy the process and scale it up if possible.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "154ef40e-9a4e-4072-b222-e4b5c286ce4f", "create_time": 1764758755.8687656, "update_time": 1765478655.8020792, "name": "Confirm", "order": 4, "tag": "ec04ad38-972d-40d5-9672-64ccce7f2ebc", "description": "Confirm that the malware did not block remediations and find a workaround if it did.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "46c10e9a-74fd-4c28-ae23-80c66c6959ff", "create_time": 1765478655.802708, "update_time": 1765478655.8027081, "name": "Recovery", 
"order": 5, "tasks": [{"id": "b5137ace-0638-4c0d-bf3a-89808acb2796", "create_time": 1764758755.8689115, "update_time": 1765478655.8022254, "name": "Verify Containment and Remediation", "order": 1, "tag": "11e7491e-04ec-46dd-8763-7f7259aa86a9", "description": "Review current progress towards remediation by re-checking systems.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "916ce97e-d38f-41bd-8e31-fd4ebac266fa", "create_time": 1764758755.8690028, "update_time": 1765478655.8023124, "name": "Reopen propagation network mechanism", "order": 2, "tag": "3e4bb0aa-beab-472e-b19a-5d0974e25942", "description": "Turn off network enforcement for a segment of the network and monitor for new attempts to reinfect.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1d6b12db-a684-4eee-b942-8d720c1e7c1a", "create_time": 1764758755.8690934, "update_time": 1765478655.8024004, "name": "Reconnect isolated sub-areas to each other", "order": 3, "tag": "ecd50bc1-ba91-4333-b50e-8065b2552e83", "description": "Turn off inter-area network enforcement and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "77f860e3-1ab9-47f4-b9f5-29b02f762628", "create_time": 1764758755.8692014, "update_time": 1765478655.8024862, "name": "Reconnect mobile devices", "order": 4, "tag": "786a211c-5a54-4465-a6ae-fb26047d3d77", "description": "Reconnect mobile devices and laptops to monitor for persistence and check coverage across all device categories.", "owner": "", "is_note_required": false, "status": 
"Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "eea6a167-30bf-434e-a7a5-7f0af8bd0ec6", "create_time": 1764758755.8692956, "update_time": 1765478655.802572, "name": "Reconnect isolated areas to main enterprise network", "order": 5, "tag": "739634b9-8f30-4fb4-b531-8f3e1bb5dcbc", "description": "Disable network enforcement between cleaned areas and the rest of the network while monitoring for reinfection.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "7947c3e9-c721-44ad-92e5-cbda84dd7687", "create_time": 1764758755.8693867, "update_time": 1765478655.8026576, "name": "Reconnect to the internet", "order": 6, "tag": "d80ab11b-58f4-4aed-a533-93f344fdc898", "description": "Reconnect to the internet and monitor.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "76b0e701-8fe2-49da-a85d-c100fc2a3a19", "create_time": 1765478655.80292, "update_time": 1765478655.8029208, "name": "Aftermath", "order": 6, "tasks": [{"id": "bb39e701-edec-47a4-a5d9-47483140b788", "create_time": 1764758755.8695176, "update_time": 1765478655.8027844, "name": "Build crisis report", "order": 1, "tag": "bb5d871c-99f4-408a-8a1e-9efa55ff1465", "description": "Notify affected parties with as much detail as is appropriate. 
Consider the initial cause of the infection, actions and timelines of important events, what went right, what went wrong, and the incident cost.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "4a48b7c9-f36d-412f-a2e2-c369a98d4261", "create_time": 1764758755.8696067, "update_time": 1765478655.8028712, "name": "Improve processes", "order": 2, "tag": "114c1009-376f-4715-a825-145c3dbcbba0", "description": "Capitalize on the experience by improving the processes that were used, creating new processes where needed, and automating that which is generalizable and repeatable.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "633942a9-b466-49c5-9cb0-1a4488da8473", "active": true, "used": false, "_user": "nobody", "_key": "ec7f5b1d-f689-4ea7-b00c-703d062755ef"} From cacdc0a68d79de7926373918f961811a5599ad74 Mon Sep 17 00:00:00 2001 From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com> Date: Mon, 15 Dec 2025 12:36:38 -0700 Subject: [PATCH 43/44] Update and rename SuspiciousEmail_v35.json to SuspiciousEmail_v2.json --- response_templates/SuspiciousEmail_v2.json | 1 + response_templates/SuspiciousEmail_v35.json | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 response_templates/SuspiciousEmail_v2.json delete mode 100644 response_templates/SuspiciousEmail_v35.json diff --git a/response_templates/SuspiciousEmail_v2.json b/response_templates/SuspiciousEmail_v2.json new file mode 100644 index 0000000000..922f38214b --- /dev/null +++ b/response_templates/SuspiciousEmail_v2.json 
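Review bot: The `description` values in this template are encoded inconsistently — "Define team members", "Check analysis tools", "Acquire asset inventory", both Identification tasks and the first four Containment tasks carry percent-encoded Markdown (`%20`, `%0A`, `%5B…%5D(url)`), while "Acquire architecture map", "Continuous monitoring", "Monitor progress" and every Remediation, Recovery and Aftermath task are plain text, so a consumer can neither decode unconditionally (a plain description that later contains a literal `%` would be mangled) nor skip decoding (the `%20` runs would render verbatim). Pick one representation for the field across the template set and have whatever step packages these files for distribution reject a template that mixes them; hold task `name` values (plain here) to the same rule. Because the decoded descriptions carry Markdown links that are presumably rendered in the analyst UI, that validation is also the natural place to restrict link targets to the relative `/app/…` paths and the `splunkbase.splunk.com` host used here, so a later template edit cannot place an arbitrary URL in a response task. Two rendering nits in the encoded text: `%5B%20Palo%20Alto%5D` displays as `[ Palo Alto]` and `1.%20%20%5BCisco%20Firepower%5D` has a double space.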
@@ -0,0 +1 @@ +{"id": "a72d40f3-a567-48e2-9fd3-c29db06c3907", "create_time": 1765479748.831508, "update_time": 1765479748.831508, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1765479748.831965, "update_time": 1765479796.6274312, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1765479796.626802, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1765479796.6270301, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1765479796.627336, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1765479748.832889, "update_time": 1765479796.6289487, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1765479796.6275756, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1765479796.6279, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1765479796.62813, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1765479796.6283174, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1765479796.6285076, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1765479796.6287827, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1765479748.8334155, "update_time": 1765479796.6299407, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1765479796.6290972, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1765479796.629352, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1765479796.6295755, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1765479796.6298037, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1765479748.8340182, "update_time": 1765479796.6310995, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1765479796.6300797, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1765479796.6303134, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1765479796.6305444, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1765479796.6307607, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1765479796.6309698, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1765479748.8343027, "update_time": 1765479796.6315908, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1765479796.631251, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1765479796.631454, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A4.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1765479748.8349223, "update_time": 1765479796.6327975, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1765479796.6317682, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1765479796.631959, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1765479796.6321607, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": 
"If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1765479796.6323862, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. 
Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1765479796.6325488, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1765479796.6327078, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "a72d40f3-a567-48e2-9fd3-c29db06c3907"} diff --git a/response_templates/SuspiciousEmail_v35.json b/response_templates/SuspiciousEmail_v35.json deleted file mode 100644 index 0ba80ed93b..0000000000 --- a/response_templates/SuspiciousEmail_v35.json +++ /dev/null 
@@ -1 +0,0 @@ -{"id": "a72d40f3-a567-48e2-9fd3-c29db06c3907", "create_time": 1765479748.831508, "update_time": 1765479748.831508, "name": "Suspicious Email", "description": "There are many ways in which attackers can use email to gain a foothold in an organization or advance an existing campaign. This response template guides an analyst through the process of investigating and remediating several of these methods. The main objective of the first three phases is to determine if the email is malicious and what impact it might have if the attack is successful. The fourth and fifth phases focus on taking action to prevent further harm to the organization and conducting more investigation and analysis to learn more about the threat. Finally, the sixth phase describes communications to other parts of the organization which may be appropriate based on what was observed in the first five phases. This response template uses the structure of the SOEL framework (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1532986430.pdf) to organize the phases and tasks.", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 35, "phases": [{"id": "7eddb898-085a-43fa-a03b-3ded48d53093", "create_time": 1765479748.831965, "update_time": 1765479796.6274312, "name": "Ingestion", "order": 1, "tasks": [{"id": "de8fa91f-bfad-41e6-bfe5-e3a2732db2c2", "create_time": 1764758755.6795278, "update_time": 1765479796.626802, "name": "Create ticket", "order": 1, "tag": "3d75cc89-a55b-4680-931c-7a5e091baaf6", "description": 
"Create%20any%20necessary%20tickets%20or%20tracking%20documents%20describing%20the%20initial%20conditions%20of%20the%20suspicious%20email%20investigation.%20As%20additional%20information%20is%20collected%20or%20actions%20are%20taken%20in%20the%20following%20tasks%20and%20phases,%20update%20the%20ticket%20with%20links%20and%20relevant%20information%20to%20allow%20collaboration%20and%20tracking.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "163d3490-d8de-4df9-8900-f5a2554b8024", "create_time": 1764758755.6797986, "update_time": 1765479796.6270301, "name": "Ingest email", "order": 2, "tag": "b4f73c35-e4af-40bf-a349-bed4c51cb0fc", "description": "Identify%20and%20ingest%20the%20suspicious%20email%20into%20Splunk%20Mission%20Control.%20Actual%20steps%20vary%20depending%20on%20how%20you%20create%20the%20Splunk%20Mission%20Control%20notable%20and%20where%20the%20suspicious%20email%20resides.%20For%20example,%20if%20you%20had%20a%20Splunk%20Enterprise%20Security%20correlation%20search%20running%20to%20identify%20suspicious%20emails,%20and%20forward%20those%20notable%20events%20to%20Splunk%20Mission%20Control%20as%20notables,%20you%20have%20many%20of%20the%20useful%20artifacts%20needed%20to%20investigate%20the%20email.%20If%20you%20need%20additional%20metadata,%20you%20can%20run%20the%20%22get%20email%22%20action%20to%20retrieve%20it,%20or%20the%20%22extract%20email%22%20action%20to%20add%20the%20email%20to%20Splunk%20Mission%20Control%20if%20it%20is%20in%20the%20.msg%20or%20.eml%20format.%20Or%20for%20example,%20if%20you%20send%20suspicious%20emails%20to%20a%20dedicated%20email%20address%20for%20suspected%20phishing%20attempts,%20you%20can%20use%20a%20connector%20such%20as%20IMAP,%20EWS%20fo
r%20Exchange,%20EWS%20for%20OFfice,%20or%20GSuite%20for%20GMail%20to%20poll%20that%20inbox%20directly%20and%20send%20the%20suspicious%20email%20to%20Splunk%20Mission%20Control%20as%20a%20notable.%0A%0ASuggested%20Integrations%0A1.%20%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BMS%20Graph%20for%20Office%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%20%5BGmail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%20%5BIMAP%5D(https://splunkbase.splunk.com/app/5798)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a6d6d47d-3c94-42ea-b575-c197be210f97", "create_time": 1764758755.6799636, "update_time": 1765479796.627336, "name": "Extract actionable metadata and files", "order": 3, "tag": "0c5acee1-e985-43ec-aefa-9355f46fef2d", "description": "Depending on how the email was ingested, additional steps might be required to extract actionable metadata and files. For example, if the suspicious email is attached to the Splunk Mission Control notable as a file, run the \"extract ioc\" action to extract URLs, domain names, IP addresses, file hashes, and whole file attachments as artifacts. In some cases, you might need to write specific playbooks or ingestion scripts to extract or reformat fields from the email. 
Be aware that malicious emails can obfuscate links and file attachments, so it might be necessary to view the email in a sandboxed email client to see it in the same context as a user would see it.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "9510afc9-a689-434d-8622-e7dbcf607e54", "create_time": 1765479748.832889, "update_time": 1765479796.6289487, "name": "External Investigation", "order": 2, "tasks": [{"id": "2bedd439-1521-4bc1-aa32-f6502bc3b4eb", "create_time": 1764758755.6802204, "update_time": 1765479796.6275756, "name": "Investigate URLs", "order": 1, "tag": "5c7e7c30-139a-45e5-9622-63c788fe10a3", "description": "Perhaps%20the%20most%20common%20email%20attack%20vector%20is%20a%20clickable%20link%20that%20brings%20a%20user%20to%20a%20malicious%20website.%20The%20malicious%20website%20might%20collect%20credentials%20or%20other%20confidential%20information,%20attempt%20to%20exploit%20the%20user's%20browser,%20lead%20the%20user%20to%20download%20a%20malicious%20file,%20or%20gather%20preliminary%20fingerprint%20information%20about%20the%20user%20to%20inform%20further%20operations.%20Investigate%20all%20URLs%20contained%20in%20the%20suspicious%20email%20using%20a%20mix%20of%20automated%20and%20manual%20techniques.%20Query%20threat%20intelligence%20services%20and%20other%20sources%20of%20reputation%20information%20to%20see%20if%20the%20URLs%20are%20linked%20to%20known%20malicious%20activity.%20Check%20the%20categorization%20of%20the%20URLs%20and%20their%20popularity%20using%20services%20such%20as%20Censys%20or%20Alexa.%20Determine%20whether%20the%20URL%20is%20spoofing%20a%20brand%20using%20a%20similar%20spelling,%20a%20unicode%20substitution,%20or%20an%20out-of-order%20domain%20name.%20Also%20consider%20using%20a%20less%20passive%20technique%20that%20analyzes%20the%20current%20state%20of%20the%2
0URL,%20such%20as%20a%20sandboxed%20URL%20detonation,%20a%20website%20scanning%20tool%20such%20as%20urlscan.io%20or%20SSL%20Labs,%20a%20manual%20inspection%20from%20a%20sandboxed%20environment,%20or%20a%20website%20screenshot%20engine%20such%20as%20Screenshot%20Machine.%20Consider%20that%20targeted%20attacks%20might%20only%20reveal%20the%20malicious%20behavior%20of%20a%20website%20if%20the%20user%20agent%20and/or%20the%20source%20address%20of%20the%20request%20matches%20the%20target%20environment.%20The%20output%20of%20this%20task%20might%20be%20more%20linked%20URLs,%20the%20domain%20names%20of%20the%20underlying%20servers%20responding%20to%20the%20request,%20other%20domain%20names%20used%20by%20the%20website,%20IP%20addresses,%20or%20downloadable%20files.%20All%20of%20the%20above%20should%20be%20passed%20on%20to%20further%20investigative%20tasks%20if%20needed.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%20PhishTank%20(preconfigured)%0A5.%20%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "16fc04ea-4b88-4a0e-8f68-66ac2c216f8f", "create_time": 1764758755.6803753, "update_time": 1765479796.6279, "name": "Investigate file attachments", "order": 2, "tag": "87e971c5-924c-4eee-8a08-e84975c01812", "description": 
"Another%20common%20email%20attack%20vector%20is%20a%20malicious%20file%20attachment.%20Any%20file%20could%20be%20malicious,%20but%20most%20attacks%20involve%20executables,%20scripts,%20or%20documents.%20Investigate%20these%20files%20using%20either%20a%20whole%20copy%20of%20the%20file%20or%20the%20file%20hash.%20Query%20threat%20intelligence%20and%20reputation%20databases%20using%20the%20hash%20to%20see%20if%20the%20file%20has%20been%20seen%20before,%20to%20see%20if%20there%20is%20suspicious%20activity%20associated%20with%20the%20file,%20and%20to%20learn%20more%20about%20the%20file's%20behavior.%20Query%20for%20previous%20analyses%20or%20submit%20the%20file%20for%20examination%20in%20a%20dynamic%20or%20static%20tool%20to%20check%20for%20potentially%20malicious%20behaviors%20or%20properties.%20Actions%20used%20for%20this%20task%20might%20extract%20associated%20URLs,%20domain%20names,%20IP%20addresses,%20or%20secondary%20file%20hashes%20which%20can%20be%20explored%20further%20in%20other%20tasks.%0A%0A%0A", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a259ee42-6bdf-4d0c-9b27-efae878c42c2", "create_time": 1764758755.6805224, "update_time": 1765479796.62813, "name": "Investigate%20email", "order": 3, "tag": "39af1503-2dae-40d0-8164-818a7232bf95", "description": 
"Analyze%20the%20full%20email%E2%80%94headers,%20subject,%20and%20body%E2%80%94using%20both%20automated%20and%20manual%20techniques%20to%20determine%20its%20origin%20and%20assess%20for%20malicious%20intent.%20Inspect%20header%20fields%20(e.g.,%20%E2%80%9CFrom,%E2%80%9D%20%E2%80%9CSender,%E2%80%9D%20%E2%80%9CReply-to%E2%80%9D)%20for%20inconsistencies,%20misleading%20display%20names,%20and%20suspicious%20infrastructure,%20validating%20authentication%20results%20such%20as%20SPF,%20DKIM,%20and%20DMARC.%20Enrich%20findings%20with%20threat%20intelligence%20and%20reputation%20sources,%20and%20use%20tools%20like%20Microsoft%20Message%20Header%20Analyzer%20or%20MxToolbox%20for%20deeper%20interpretation.%20Evaluate%20the%20content%20for%20social%20engineering%20indicators%E2%80%94such%20as%20urgency,%20context%20manipulation,%20or%20attempts%20to%20solicit%20confidential%20information%E2%80%94recognizing%20that%20these%20often%20require%20manual%20judgment%20and,%20when%20appropriate,%20direct%20confirmation%20from%20the%20recipient.%20Outputs%20such%20as%20domains%20and%20IPs%20should%20be%20forwarded%20for%20further%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": [{"id": "cf182fd6-c616-4adb-a8f6-b9969549c873", "create_time": 1764952188.108695, "update_time": 1765479796.6283174, "name": "Email - Query on Affected User", "description": "You need to have your email data being ingested into the Email data model. \n\nNOTE: in this search we have pulled the tokened field of \"src_user\" if you detection uses another output field you will need to update your search accordingly. 
", "spl": "%7C%20tstats%20%60summariesonly%60%20max(_time)%20as%20_time%2C%20values(All_Email.action)%20as%20action%2C%20values(All_Email.message_id)%20as%20message_id%2C%20values(All_Email.subject)%20as%20subject%2C%20values(All_Email.size)%20as%20size%2C%20values(All_Email.protocol)%20as%20protocol%2C%20values(All_Email.recipient)%20as%20recipient%2C%20count%20from%20datamodel%3DEmail.All_Email%20by%20All_Email.src%2CAll_Email.src_user%2CAll_Email.dest%20%0A%7C%20%60drop_dm_object_name(%22All_Email%22)%60%20%0A%7C%20search%20recipient%20IN%20(%24src_user%24)%0A%7C%20sort%20-%20count%20%0A%7C%20normalizeip%20src%20dest%20%0A%7C%20fields%20_time%2C%20action%2C%20message_id%2C%20subject%2C%20size%2C%20protocol%2C%20src%2C%20src_user%2C%20dest%2C%20recipient%2C%20count"}]}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "987a5f9d-4fa2-4474-a923-10ee1fca36e9", "create_time": 1764758755.680672, "update_time": 1765479796.6285076, "name": "Investigate domains", "order": 4, "tag": "65ec0d02-4e41-4bef-ad64-bcbbe64589bf", "description": 
"At%20this%20point%20domain%20names%20from%20various%20sources%20should%20be%20collected%20in%20the%20notable,%20including%20email%20sending%20and%20receiving%20servers,%20web%20servers%20from%20URLs%20in%20the%20email,%20domains%20associated%20to%20other%20indicators%20in%20threat%20intelligence%20databases,%20and%20domains%20contained%20in%20the%20file%20attachment%20or%20detected%20by%20the%20detonation%20of%20the%20file%20attachment.%20Check%20each%20of%20these%20against%20threat%20intelligence%20and%20reputation%20databases,%20passive%20DNS%20trackers,%20whois%20services,%20and%20other%20information%20services.%20Look%20for%20known%20malicious%20or%20unknown%20domains,%20focusing%20more%20on%20those%20associated%20to%20clickable%20URLs%20and%20file%20attachments.%20Evaluate%20what%20services%20are%20running%20on%20each%20suspicious%20domain%20using%20a%20scanning%20service%20such%20as%20Censys%20or%20Shodan.%20Check%20the%20TLS%20certificate%20(if%20applicable),%20website%20categorization,%20popularity,%20and%20any%20other%20available%20information.%20Compare%20this%20information%20to%20the%20expected%20outcome%20given%20the%20alleged%20context%20of%20the%20email.%20For%20unknown%20domains,%20consider%20the%20domain%20history,%20the%20hosting%20provider,%20and%20whether%20the%20domain%20name%20appears%20to%20have%20been%20dynamically%20generated.%20IP%20addresses%20currently%20and%20previously%20associated%20with%20the%20domain%20should%20be%20further%20processed%20elsewhere%20in%20your%20investigation.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A3.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A4.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A5.%20%5BDomainTools%20Iris%20Investigate%5D(https://splunkbase.splunk.com/app/6010)%0A6.%20%5BCisco%20Umbrella%20Investigates%5D(https:/
/splunkbase.splunk.com/app/5780)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "c4f72802-ef36-47d2-a6c0-9d1ab5e0aa2c", "create_time": 1764758755.6808305, "update_time": 1765479796.6287827, "name": "Investigate IP addresses", "order": 5, "tag": "bd473b00-1dc1-4446-8ce2-36d7fc8ef468", "description": "IP%20addresses%20may%20be%20involved%20in%20this%20investigation%20for%20several%20reasons.%20Some%20email%20headers%20can%20contain%20IP%20addresses%20(such%20as%20X-Originating-IP),%20URLs%20can%20contain%20IP%20addresses%20instead%20of%20hostnames,%20file%20attachments%20can%20contain%20IP%20addresses%20or%20generate%20IP%20addresses%20and%20try%20to%20connect%20to%20them%20(like%20domain%20generation%20algorithms),%20and%20IP%20addresses%20can%20be%20added%20to%20the%20notable%20through%20association%20or%20domain%20name%20resolution%20in%20other%20tasks%20within%20this%20investigation.%20Consider%20IP%20addresses%20in%20URLs%20that%20are%20not%20internal%20IP%20addresses%20for%20the%20organization%20highly%20suspicious.%20Investigate%20all%20suspicious%20IP%20addresses%20by%20checking%20the%20reputation,%20geolocation,%20whois%20record,%20DNS%20history,%20and%20by%20gathering%20information%20from%20other%20available%20services.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Talos%20Intelligence%5D(https://splunkbase.splunk.com/app/7711)%0A2.%20%5BVirusTotal%20v3%5D(https://splunkbase.splunk.com/app/5865)%0A3.%20%5BAlien%20Vault%5D(https://splunkbase.splunk.com/app/5878)%0A4.%20Whois%20(preconfigured)%0A5.%20MaxMind%20(preconfigured)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "d36a2713-63b9-4bfd-8a66-e50df079ace9", 
"create_time": 1765479748.8334155, "update_time": 1765479796.6299407, "name": "Internal Hunting", "order": 3, "tasks": [{"id": "4012859c-a956-4b21-ba9e-a2004dfeb036", "create_time": 1764758755.6812239, "update_time": 1765479796.6290972, "name": "Hunt email activity", "order": 1, "tag": "e7a6d9a6-8b9e-4f8c-afdb-475b0b3472b7", "description": "Find%20other%20similar%20emails%20sent%20into%20the%20organization%20based%20on%20the%20sender%20address,%20sender%20domain,%20subject,%20embedded%20URLs,%20file%20attachments,%20or%20other%20similar%20attributes%20shared%20across%20multiple%20emails.%20If%20possible%20determine%20which%20emails%20were%20opened,%20forwarded,%20deleted,%20marked%20as%20spam,%20or%20reported%20as%20potential%20phishing.%20Consider%20which%20types%20of%20users%20are%20targeted%20and%20why.%20Also%20check%20whether%20internal%20users%20replied%20to%20the%20emails%20and%20what%20information%20was%20contained%20in%20the%20replies.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)%0A2.%20%20%5BCisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)%5D(https://splunkbase.splunk.com/app/6145)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1701120f-ca73-42cf-87e1-5dcb228ab5a0", "create_time": 1764758755.681366, "update_time": 1765479796.629352, "name": "Hunt network activity", "order": 2, "tag": "427ba972-75bd-42eb-8218-4a522f98b947", "description": 
"Based%20on%20previously%20collected%20information,%20try%20to%20determine%20whether%20or%20not%20URLs%20in%20the%20email%20were%20clicked,%20phishing%20websites%20were%20visited,%20or%20other%20suspicious%20network%20connections%20were%20made%20from%20the%20computers%20of%20users%20who%20opened%20the%20email.%20This%20can%20be%20done%20using%20many%20types%20of%20network%20monitoring,%20including%20netflow,%20full%20packet%20capture,%20DNS%20logging,%20and/or%20endpoint%20monitoring.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A5.%20%5BNetwork%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/network_changes)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24d8fa33-d658-4800-8113-5d7f7c90ad1d", "create_time": 1764758755.681554, "update_time": 1765479796.6295755, "name": "Hunt file executions", "order": 3, "tag": "ebe5a0e7-8705-4e69-b1e7-a21058c87822", "description": 
"If%20the%20email%20included%20a%20file%20attachment,%20try%20to%20determine%20which%20users%20downloaded%20the%20attachment%20and%20which%20users%20executed%20it%20or%20opened%20it%20in%20some%20other%20way.%20Use%20the%20file%20hash%20of%20the%20attachment%20to%20search%20across%20endpoint%20monitoring%20or%20network%20monitoring%20solutions%20for%20the%20transmission%20and/or%20execution%20of%20the%20file.%20If%20executions%20are%20detected,%20try%20to%20determine%20the%20behavior%20of%20the%20created%20process.%20If%20a%20potentially%20malicious%20document%20or%20other%20file%20type%20was%20opened,%20try%20to%20determine%20which%20application%20opened%20it%20and%20whether%20the%20file%20exploited%20or%20abused%20the%20opening%20application.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "24ad66ec-2b93-4677-b1c4-a6e2c2bd6207", "create_time": 1764758755.6817021, "update_time": 1765479796.6298037, "name": "Hunt user activity", "order": 4, "tag": "32798d9d-6440-4f39-98c7-6d4c30d26e1e", "description": 
"If%20a%20phishing%20attempt%20or%20other%20user%20account%20compromise%20attempt%20is%20suspected,%20investigate%20how%20the%20credentials%20or%20account%20access%20are%20being%20used.%20Enumerate%20resources%20available%20to%20the%20account%20and%20search%20the%20access%20logs%20for%20those%20resources,%20looking%20for%20anomalous%20usage%20patterns.%0A%0ASuggested%20Integrations%0A1.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A2.%20%5BIdentity%20Investigator%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/identity_investigator)%0A3.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "42eb2edf-fc7d-4327-8f3e-37ee80c2536c", "create_time": 1765479748.8340182, "update_time": 1765479796.6310995, "name": "Enforcement and increased monitoring", "order": 4, "tasks": [{"id": "2eb1f1a5-8f1a-45d8-8953-ba30d1a8a6e9", "create_time": 1764758755.6819034, "update_time": 1765479796.6300797, "name": "Block or monitor email activity", "order": 1, "tag": "6b567916-424d-41b3-836f-b4abfa555448", "description": 
"If%20specific%20malicious%20emails%20have%20been%20identified,%20delete%20them%20from%20any%20mailboxes%20in%20which%20they%20still%20pose%20a%20threat.%20Similarly,%20if%20a%20sender%20address%20or%20an%20entire%20sender%20domain%20is%20found%20to%20be%20malicious,%20block%20inbound%20email%20from%20that%20source.%20Set%20filtering%20rules%20to%20block%20inbound%20email%20or%20increase%20monitoring%20of%20email%20based%20on%20other%20detected%20characteristics%20of%20an%20email%20campaign%20or%20malicious%20technique.%0A%0ASuggested%20Intergrations%0A1.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A2.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A3.%20%5BEmail%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/email_search)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "f0d28b16-b4ba-46a9-8d20-c888d0d50137", "create_time": 1764758755.6820495, "update_time": 1765479796.6303134, "name": "Block or monitor network activity", "order": 2, "tag": "b537f91c-ce46-4a52-8894-0797dbc13b6b", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20malicious%20network%20connections%20associated%20with%20the%20suspicious%20email.%20Prevent%20other%20receivers%20of%20similar%20phishing%20emails%20from%20accessing%20the%20clickable%20URL%20by%20blocking%20that%20URL%20itself,%20the%20underlying%20domain%20name,%20and/or%20the%20underlying%20IP%20addresses.%20If%20malware%20or%20unwanted%20software%20was%20detected,%20block%20outbound%20connections%20known%20to%20be%20associated%20with%20that%20malware%20based%20on%20threat%20intelligence%20or%20dynamic%20analysis.%20If%20the%20threat%20is%20severe%20enough,%20consider%20isolating%20entire%20portions%20of%20the%20network.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)%0A5.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "79abbff6-2d34-46b0-b570-c9788da8668a", "create_time": 1764758755.6822183, "update_time": 1765479796.6305444, "name": "Block or monitor file executions", "order": 3, "tag": "e7cb23b5-9baa-4a66-994d-43cd0f17d017", "description": 
"Based%20on%20gathered%20indicators%20and%20metadata,%20block%20or%20increase%20monitoring%20of%20endpoint%20activity%20caused%20by%20the%20suspicious%20email.%20This%20could%20mean%20blocking%20the%20hash%20of%20the%20file%20attachment,%20blocking%20the%20hash%20of%20a%20file%20downloaded%20from%20a%20URL%20in%20an%20email,%20blocking%20a%20malicious%20hash%20associated%20with%20the%20email%20by%20threat%20intelligence,%20or%20blocking%20secondary%20executions%20such%20as%20dropped%20stages%20of%20malware%20identified%20from%20dynamic%20analysis.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "fa4ad6aa-7fc1-4897-9588-e2366ce2cc8e", "create_time": 1764758755.6823559, "update_time": 1765479796.6307607, "name": "Contain endpoints", "order": 4, "tag": "746ae480-2639-4ffe-80ce-698238ec5721", "description": 
"If%20an%20endpoint%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20quarantine%20or%20otherwise%20contain%20that%20endpoint%20until%20further%20investigation%20and%20remediation%20can%20be%20done.%20Consider%20the%20criticality%20of%20the%20system%20and%20the%20likelihood%20of%20a%20compromise.%20In%20other%20cases,%20simply%20increasing%20the%20monitoring%20or%20scanning%20for%20more%20information%20can%20be%20prudent.%0A%0ASuggested%20Integrations%0A1.%20%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "8ffee892-3e52-4aed-ba5f-30554d3de579", "create_time": 1764758755.6824956, "update_time": 1765479796.6309698, "name": "Contain user accounts", "order": 5, "tag": "702244fa-e9c6-42d7-846a-697fb74ea060", "description": "If%20a%20user%20account%20compromise%20is%20suspected,%20it%20might%20be%20necessary%20to%20reset%20the%20credentials,%20reduce%20the%20account%20privileges,%20or%20disable%20the%20account%20until%20further%20investigation%20is%20completed.%0A%0ASuggested%20Integrations%0A1.%20%5BMS%20Graph%20For%20Active%20Directory%5D(https://splunkbase.splunk.com/app/6395)%0A2.%20%5BAD%20LDAP%5D(https://splunkbase.splunk.com/app/5755)%0A3.%20%5BOkta%5D(https://splunkbase.splunk.com/app/5921)%0A4.%20%5BAWS%20IAM%5D(https://splunkbase.splunk.com/app/5763)%0A5.%20%5BAzure%20AD%20Graph%5D(https://splunkbase.splunk.com/app/5771)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 
0}]}, {"id": "f3f3a7c8-dcb4-4565-8827-356c60cac5f6", "create_time": 1765479748.8343027, "update_time": 1765479796.6315908, "name": "Longer-running analysis jobs", "order": 5, "tasks": [{"id": "09b37ed6-4b6e-4fe0-a4c5-561480ed7c10", "create_time": 1764758755.68271, "update_time": 1765479796.631251, "name": "Analyze network activity", "order": 1, "tag": "9cf69134-6b81-45ca-ada8-fd4136a1912f", "description": "Perform%20any%20resource-intensive%20analysis%20of%20network%20activity%20left%20over%20from%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20full%20packet%20capture%20collection%20and%20analysis,%20sandbox%20detonation%20of%20URLs,%20long-running%20queries%20of%20network%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_center)%0A2.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A3.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A4.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "627cb8cc-b780-437e-951d-8ec9c64062e7", "create_time": 1764758755.682851, "update_time": 1765479796.631454, "name": "Analyze endpoint activity", "order": 2, "tag": "2497b494-b80f-417b-b51d-f4c8d7aff019", "description": 
"Conduct%20deeper%20analysis%20on%20remaining%20malware%20and%20endpoint%20investigation%20tasks%20not%20finished%20in%20the%20External%20Investigation%20and%20Internal%20Hunting%20phases.%20This%20might%20mean%20sandbox%20detonation%20of%20files,%20forensic%20analysis%20of%20associated%20devices%20or%20memory%20dumps,%20reverse%20engineering%20of%20suspected%20malware,%20long-running%20queries%20of%20endpoint%20activity%20history%20and%20anomalous%20behavior,%20or%20other%20similar%20analysis%20tasks.%0A%0ASuggested%20Integrations%0A1.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A2.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A3.%20%5BMalware%20Search%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_search)%0A4.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "934b1327-2484-49e2-9701-36a33a1462f9", "create_time": 1765479748.8349223, "update_time": 1765479796.6327975, "name": "Notification", "order": 6, "tasks": [{"id": "3b692da7-b9dc-491b-add5-2c674251a7be", "create_time": 1764758755.683051, "update_time": 1765479796.6317682, "name": "Update tickets", "order": 1, "tag": "dad41274-fb84-4b6f-bed9-fb43be506987", "description": "Make%20sure%20that%20all%20the%20necessary%20outputs%20and%20status%20updates%20from%20the%20previous%20phases%20and%20tasks%20are%20documented%20in%20the%20appropriate%20system%20of%20record.%20Summarize%20the%20current%20state%20of%20the%20investigation%20and%20any%20remaining%20tasks.%0A%0A%5BSuggested%20Integrations%5D(https://splunkbase.splunk.com/apps?page=1&product=soar&categories=ticketing)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], 
"suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "644d1cc6-f855-4dfb-ae28-a0a58fbee6d2", "create_time": 1764758755.6832078, "update_time": 1765479796.631959, "name": "Notify system owners", "order": 2, "tag": "824481e3-9dc5-4668-9abd-585d1cd331ca", "description": "For%20any%20systems%20that%20have%20been%20changed%20or%20need%20to%20be%20changed,%20notify%20the%20necessary%20system%20owners%20so%20the%20appropriate%20change%20management%20procedures%20can%20be%20followed.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "81905435-dd7e-493d-babf-fc5f108cbb9a", "create_time": 1764758755.6833851, "update_time": 1765479796.6321607, "name": "Notify regulatory compliance team", "order": 3, "tag": "c7f7005c-6b51-49a7-a3f9-f22aaf9dfbe4", "description": 
"If%20appropriate,%20notify%20the%20regulatory%20compliance%20team%20to%20support%20them%20as%20they%20report%20this%20incident%20to%20the%20correct%20regulatory%20or%20accrediting%20organizations.%0A%0ASuggested%20Integrations%0A1.%20SMTP%20(preconfigured)%0A2.%20%5BMS%20Graph%20for%20Office%20365%5D(https://splunkbase.splunk.com/app/5824)%0A3.%20%5BG%20Suite%20for%20GMail%5D(https://splunkbase.splunk.com/app/5795)%0A4.%20%5BCisco%20Webex%5D(https://splunkbase.splunk.com/app/5781)%0A5.%20%5BSlack%5D(https://splunkbase.splunk.com/app/5846)%0A6.%20%5BMicrosoft%20Teams%5D(https://splunkbase.splunk.com/app/5818)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "a4260d25-53f9-45c4-b984-4c10deddbb82", "create_time": 1764758755.6836178, "update_time": 1765479796.6323862, "name": "Assign additional tasks", "order": 4, "tag": "29d21b34-5221-4dee-9bff-276a8241b2bd", "description": "Create tickets to track any follow-on tasks that came out of this investigation. 
Example tasks might include conducting deeper endpoint investigation, re-provisioning systems, re-enabling accounts, or tuning filtering systems to block future emails.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "d0cf948f-2ba6-4a7d-82c9-851aacfa80a6", "create_time": 1764758755.6839995, "update_time": 1765479796.6325488, "name": "Educate users", "order": 5, "tag": "7ee89bfe-e39d-42c9-baa0-2e74b39adcd1", "description": "If appropriate, inform the broader user base about the types of suspicious emails being sent to the organization to try to prevent them from clicking malicious links or opening malicious file attachments in the future.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "5b78276c-3dff-4546-8ff4-78cd4e1b04d3", "create_time": 1764758755.6842132, "update_time": 1765479796.6327078, "name": "Share threat intelligence", "order": 6, "tag": "3773742e-ecd3-4588-a0ae-6ac80e6b70ce", "description": "If appropriate, communicate relevant findings to trusted third parties and/or the public threat intelligence community. Make sure that outbound messages do not contain confidential information. 
Consider sharing or confirming the usage of indicators and techniques to peer organizations, security vendors, public databases, or industry-specific threat intelligence sharing communities.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "84c951b5-a7f7-439d-9e59-b8031190be63", "active": true, "used": true, "_user": "nobody", "_key": "a72d40f3-a567-48e2-9fd3-c29db06c3907"}
\ No newline at end of file
From 00c9f22a1c8a984c5c39631dfc63b1e99c6ac908 Mon Sep 17 00:00:00 2001
From: kbouchard <47464052+kbouchardherjavecgroup@users.noreply.github.com>
Date: Mon, 15 Dec 2025 12:37:13 -0700
Subject: [PATCH 44/44] Update and rename VulnerabilityDisclosure_v10.json to VulnerabilityDisclosure_v2.json
---
 response_templates/VulnerabilityDisclosure_v10.json | 1 -
 response_templates/VulnerabilityDisclosure_v2.json | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
 delete mode 100644 response_templates/VulnerabilityDisclosure_v10.json
 create mode 100644 response_templates/VulnerabilityDisclosure_v2.json
diff --git a/response_templates/VulnerabilityDisclosure_v10.json b/response_templates/VulnerabilityDisclosure_v10.json
deleted file mode 100644
index 5cd3ef22f0..0000000000
--- a/response_templates/VulnerabilityDisclosure_v10.json
+++ /dev/null
@@ -1 +0,0 @@
-{"id": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc", "create_time": 1764862787.2717, "update_time": 1765478160.218586, "name": "Vulnerability Disclosure", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 10, "phases": [{"id": "63140a0e-8d42-4aba-943a-899170cc7fd3", "create_time": 1765478079.1544676, "update_time": 1765478160.185931, "name": "Understand the vulnerability", "order": 1, "tasks": [{"id": "c2906aa1-2ba2-4d46-b927-04a348dfc8ed", "create_time": 1764758755.9402392, "update_time": 1765478160.1855013, "name": "Research types of systems that are affected", "order": 1, "tag": "f0045b4e-6680-4782-b80b-ba292805d290", "description": "Research%20the%20known%20hardware%20or%20software%20systems%20and%20versions%20that%20are%20affected.%20If%20possible%20use,%20a%20vulnerability%20database%20or%20software%20composition%20analysis%20solution%20to%20walk%20the%20dependency%20chain%20and%20evaluate%20the%20scope%20of%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd74c974-5d88-4136-aae1-13642d0f5bb5", "create_time": 1764758755.9403417, "update_time": 1765478160.185846, "name": 
"Research how the vulnerability works", "order": 2, "tag": "207e6bdb-1eed-41f8-9ee6-f87bf260978a", "description": "Research%20the%20mechanism%20that%20makes%20the%20system%20vulnerable%20and%20the%20conditions%20in%20which%20the%20system%20is%20vulnerable.%20Often%20there%20are%20certain%20configurations,%20software%20packages,%20system%20states,%20operating%20modes,%20and%20other%20characteristics%20that%20make%20a%20vulnerability%20exploitable%20and%20affect%20the%20impact%20if%20exploited.%20Assess%20the%20difficulty%20to%20exploit%20the%20vulnerability%20and%20the%20reliability%20of%20the%20exploit.%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D(/app/SplunkEnterpriseSecuritySuite/ess_use_case_library)%0A2.%20%5BSplunk%20Security%20Content%5D(https://research.splunk.com/)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "0e4796c9-bcb5-4837-b0cd-7c83b40dd2c3", "create_time": 1765478079.1550362, "update_time": 1765478160.1863368, "name": "Understand impact to the organization", "order": 2, "tasks": [{"id": "6dc2dedf-7fe4-4d02-bc74-4b386a320460", "create_time": 1764758755.940481, "update_time": 1765478160.186015, "name": "Find potentially affected systems", "order": 1, "tag": "b5bcfe17-e8a5-40a0-984c-c8fefe77093c", "description": 
"Check%20the%20internal%20environment%20and%20dependencies%20of%20the%20organization%20for%20the%20software%20or%20hardware%20that%20is%20vulnerable.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A7.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "26f32c1e-5de3-4565-9a72-c17aa0dfee4e", "create_time": 1764758755.9405725, "update_time": 1765478160.186133, "name": "Determine exploitability", "order": 2, "tag": "9b967031-b163-4c25-a971-011f10df8051", "description": "Check%20for%20exploitable%20conditions.%20If%20appropriate,%20attempt%20to%20implement%20the%20vulnerability%20or%20use%20a%20safe%20proof%20of%20concept%20to%20verify%20exploitability.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1f4e957a-1bc6-4b22-b222-44c845454b45", "create_time": 1764758755.9406626, "update_time": 1765478160.1862617, "name": "Investigate possible exploitation", "order": 3, "tag": 
"b944edaa-aa8a-4877-8b78-f022580d2731", "description": "Investigate%20whether%20or%20not%20vulnerable%20systems%20were%20exploited.%20Use%20the%20particular%20behavior%20of%20the%20exploit%20and%20likely%20post-exploitation%20techniques%20to%20narrow%20down%20the%20search%20for%20exploited%20systems.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "e8928704-4ba7-41c1-abba-a0444d548fe0", "create_time": 1765478079.1552103, "update_time": 1765478160.1864805, "name": "Decide how to respond", "order": 3, "tasks": [{"id": "860d180e-5d53-4eb7-b867-97ad48f470e6", "create_time": 1764758755.9407957, "update_time": 1765478160.1864188, "name": "Evaluate patches, workarounds, and service outages", "order": 1, "tag": "23a1b3d3-d2db-40d9-9a96-39a154c94ff0", "description": "Consider%20how%20mitigations,%20remediations,%20and%20forced%20system%20shutdowns%20affect%20the%20situation.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1559a28c-3e76-4910-a22e-f5e6977d0647", "create_time": 1765478079.1555555, "update_time": 1765478160.1868198, "name": "Execute the response", "order": 4, "tasks": [{"id": "1d4394f7-8781-4802-a6a2-7d77b655a9ee", "create_time": 1764758755.9409366, "update_time": 1765478160.1865623, "name": "Remediate", "order": 1, "tag": "6e13819e-dfdf-4e48-90fa-95c7ddfc139c", "description": "Apply%20patches,%20upgrades,%20configuration%20changes,%20or%20state%20changes%20that%20can%20remediate%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "43f50b91-ee22-4731-a5fe-c6b4463134cf", "create_time": 1764758755.941027, "update_time": 1765478160.186665, "name": "Mitigate", "order": 2, "tag": "5c813f0c-e55c-492a-933b-59b99ad11071", "description": "Apply%20workarounds,%20temporary%20fixes,%20additional%20hardening,%20new%20security%20tools,%20new%20detections,%20and%20other%20mitigations%20to%20reduce%20risk.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "90f60618-b458-4baa-ae0d-af0fe1c4b3ec", "create_time": 1764758755.941116, "update_time": 1765478160.1867695, "name": "Document accepted risks", "order": 3, "tag": "47c9830a-c0e1-4b75-ae76-4b5e0cddbf5c", "description": "Document remaining risk and notify stakeholders.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "b0687c98-dcde-4d9a-bf6f-4a31859fef16", "active": true, "used": false, "_user": "nobody", "_key": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc"}
\ No newline at end of file
diff --git a/response_templates/VulnerabilityDisclosure_v2.json b/response_templates/VulnerabilityDisclosure_v2.json
new file mode 100644
index 0000000000..25f1e2a41e
--- /dev/null
+++ b/response_templates/VulnerabilityDisclosure_v2.json
@@ -0,0 +1 @@
+{"id": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc", "create_time": 1764862787.2717, "update_time": 1765478160.218586, "name": "Vulnerability Disclosure", "description": "", "template_status": "published", "creator": "splunker", "updated_by": "splunker", "is_default": false, "version": 2, "phases": [{"id": "63140a0e-8d42-4aba-943a-899170cc7fd3", "create_time": 1765478079.1544676, "update_time": 1765478160.185931, "name": "Understand the vulnerability", "order": 1, "tasks": [{"id": "c2906aa1-2ba2-4d46-b927-04a348dfc8ed", "create_time": 1764758755.9402392, "update_time": 1765478160.1855013, "name": "Research types of systems that are affected", "order": 1, "tag": "f0045b4e-6680-4782-b80b-ba292805d290", "description": "Research%20the%20known%20hardware%20or%20software%20systems%20and%20versions%20that%20are%20affected.%20If%20possible%20use,%20a%20vulnerability%20database%20or%20software%20composition%20analysis%20solution%20to%20walk%20the%20dependency%20chain%20and%20evaluate%20the%20scope%20of%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "bd74c974-5d88-4136-aae1-13642d0f5bb5", "create_time": 1764758755.9403417, "update_time": 1765478160.185846, "name": 
"Research how the vulnerability works", "order": 2, "tag": "207e6bdb-1eed-41f8-9ee6-f87bf260978a", "description": "Research%20the%20mechanism%20that%20makes%20the%20system%20vulnerable%20and%20the%20conditions%20in%20which%20the%20system%20is%20vulnerable.%20Often%20there%20are%20certain%20configurations,%20software%20packages,%20system%20states,%20operating%20modes,%20and%20other%20characteristics%20that%20make%20a%20vulnerability%20exploitable%20and%20affect%20the%20impact%20if%20exploited.%20Assess%20the%20difficulty%20to%20exploit%20the%20vulnerability%20and%20the%20reliability%20of%20the%20exploit.%0A%0A%0A1.%20%5BES%20Use%20Case%20Library%5D(/app/SplunkEnterpriseSecuritySuite/ess_use_case_library)%0A2.%20%5BSplunk%20Security%20Content%5D(https://research.splunk.com/)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "0e4796c9-bcb5-4837-b0cd-7c83b40dd2c3", "create_time": 1765478079.1550362, "update_time": 1765478160.1863368, "name": "Understand impact to the organization", "order": 2, "tasks": [{"id": "6dc2dedf-7fe4-4d02-bc74-4b386a320460", "create_time": 1764758755.940481, "update_time": 1765478160.186015, "name": "Find potentially affected systems", "order": 1, "tag": "b5bcfe17-e8a5-40a0-984c-c8fefe77093c", "description": 
"Check%20the%20internal%20environment%20and%20dependencies%20of%20the%20organization%20for%20the%20software%20or%20hardware%20that%20is%20vulnerable.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)%0A7.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "26f32c1e-5de3-4565-9a72-c17aa0dfee4e", "create_time": 1764758755.9405725, "update_time": 1765478160.186133, "name": "Determine exploitability", "order": 2, "tag": "9b967031-b163-4c25-a971-011f10df8051", "description": "Check%20for%20exploitable%20conditions.%20If%20appropriate,%20attempt%20to%20implement%20the%20vulnerability%20or%20use%20a%20safe%20proof%20of%20concept%20to%20verify%20exploitability.%0A%0ASuggested%20Integrations%0A1.%20%5BSplunk%20Attack%20Analyzer%5D(https://splunkbase.splunk.com/app/6783)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "1f4e957a-1bc6-4b22-b222-44c845454b45", "create_time": 1764758755.9406626, "update_time": 1765478160.1862617, "name": "Investigate possible exploitation", "order": 3, "tag": 
"b944edaa-aa8a-4877-8b78-f022580d2731", "description": "Investigate%20whether%20or%20not%20vulnerable%20systems%20were%20exploited.%20Use%20the%20particular%20behavior%20of%20the%20exploit%20and%20likely%20post-exploitation%20techniques%20to%20narrow%20down%20the%20search%20for%20exploited%20systems.%0A%0ASuggested%20Integrations%0A1.%20%5BTraffic%20Search%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_search)%0A2.%20%5BTraffic%20Size%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/traffic_size_analysis)%0A3.%20%5BPort%20and%20Protocol%20Tracker%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/port_protocol_tracker)%0A4.%20%5BEndpoint%20Changes%20%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/endpoint_changes)%0A5.%20%5BMalware%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/malware_center)%0A6.%20%5BRisk%20Analysis%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/risk_analysis)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "e8928704-4ba7-41c1-abba-a0444d548fe0", "create_time": 1765478079.1552103, "update_time": 1765478160.1864805, "name": "Decide how to respond", "order": 3, "tasks": [{"id": "860d180e-5d53-4eb7-b867-97ad48f470e6", "create_time": 1764758755.9407957, "update_time": 1765478160.1864188, "name": "Evaluate patches, workarounds, and service outages", "order": 1, "tag": "23a1b3d3-d2db-40d9-9a96-39a154c94ff0", "description": "Consider%20how%20mitigations,%20remediations,%20and%20forced%20system%20shutdowns%20affect%20the%20situation.%0A%0ASuggested%20Integrations%0A1.%20%5BUpdate%20Center%20Dashboard%5D(/app/SplunkEnterpriseSecuritySuite/update_center)%0A2.%20%5BAsset%20and%20Risk%20Intelligence%5D(https://splunkbase.splunk.com/app/7180)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": 
{"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}, {"id": "1559a28c-3e76-4910-a22e-f5e6977d0647", "create_time": 1765478079.1555555, "update_time": 1765478160.1868198, "name": "Execute the response", "order": 4, "tasks": [{"id": "1d4394f7-8781-4802-a6a2-7d77b655a9ee", "create_time": 1764758755.9409366, "update_time": 1765478160.1865623, "name": "Remediate", "order": 1, "tag": "6e13819e-dfdf-4e48-90fa-95c7ddfc139c", "description": "Apply%20patches,%20upgrades,%20configuration%20changes,%20or%20state%20changes%20that%20can%20remediate%20the%20vulnerability.%0A%0ASuggested%20Integrations%0A1.%20%5BCrowdstrike%5D(https://splunkbase.splunk.com/app/5786)%0A2.%20%5BMicrosoft%20Defender%20for%20Endpoint%5D(https://splunkbase.splunk.com/app/5870)%0A3.%20%5BVMware%20Carbon%20Black%20Cloud%20for%20Splunk%20SOAR%5D(https://splunkbase.splunk.com/app/6732)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}, {"id": "43f50b91-ee22-4731-a5fe-c6b4463134cf", "create_time": 1764758755.941027, "update_time": 1765478160.186665, "name": "Mitigate", "order": 2, "tag": "5c813f0c-e55c-492a-933b-59b99ad11071", "description": "Apply%20workarounds,%20temporary%20fixes,%20additional%20hardening,%20new%20security%20tools,%20new%20detections,%20and%20other%20mitigations%20to%20reduce%20risk.%0A%0ASuggested%20Integrations%0A1.%20%5BCisco%20Firepower%5D(https://splunkbase.splunk.com/app/5995)%0A2.%20%5BCisco%20Secure%20Firewall%5D(https://splunkbase.splunk.com/app/7745)%0A3.%20%5B%20Palo%20Alto%5D(https://splunkbase.splunk.com/app/5830)%0A4.%20%5BZscaler%5D(https://splunkbase.splunk.com/app/5872)", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, 
"total_time_taken": 0}, {"id": "90f60618-b458-4baa-ae0d-af0fe1c4b3ec", "create_time": 1764758755.941116, "update_time": 1765478160.1867695, "name": "Document accepted risks", "order": 3, "tag": "47c9830a-c0e1-4b75-ae76-4b5e0cddbf5c", "description": "Document remaining risk and notify stakeholders.", "owner": "", "is_note_required": false, "status": "Pending", "notes": [], "files": [], "suggestions": {"playbooks": [], "actions": [], "searches": []}, "start_time": 0, "end_time": 0, "total_time_taken": 0}]}], "template_id": "b0687c98-dcde-4d9a-bf6f-4a31859fef16", "active": true, "used": false, "_user": "nobody", "_key": "83c7c93e-eb22-4a6c-981f-d7a857b71dfc"}
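Review bot: The new file sets `"version": 2` while the file it replaces (the deleted `-{` line above) carried `"version": 10` with the same `id`, `_key`, and `update_time` 1765478160.218586, so the template's version number goes backwards without any change to its timestamp. If a manifest or loader orders templates by version or dedupes on (version, update_time), this record may be skipped or mis-ordered; please confirm the intended version and, if the content really changed, refresh `update_time` as well. Separately, the `description` values mix percent-encoded text (`"Research%20the%20known..."`) with plain text (`"Document remaining risk and notify stakeholders."`), which only works if every consumer decodes unconditionally and no plain value ever contains a literal `%`; encoding all descriptions the same way removes that dependency. The encoded text also carries small defects worth fixing at the source: `If%20possible%20use,%20a%20vulnerability` (misplaced comma), and `Endpoint%20Changes%20%20Dashboard` and `%5B%20Palo%20Alto%5D` (stray spaces).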