
new playbook for hidden user created #40199


Open. Wants to merge 17 commits into base: master.

Conversation

@karinafishman (Contributor) commented Jun 5, 2025

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-13984

Description

A few sentences describing the overall goals of the pull request's commits.

Must have

  • Tests
  • Documentation

@karinafishman karinafishman force-pushed the hidden-user-created-deep branch from 9fe7057 to 4c3954b, June 8, 2025 07:59
@richardbluestone (Contributor)

Doc review done

@content-bot (Collaborator)

This PR was automatically updated by a GitHub Action

  • CortexResponseAndRemediation pack version was bumped to 1.1.59.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@karinafishman karinafishman added the ready-for-pipeline-running Whether the pr is ready for running the whole pipeline, including testing on SAAS machines label Jun 8, 2025
@karinafishman karinafishman requested a review from idovandijk June 9, 2025 09:58
    task:
      id: ffc38261-3670-469d-8305-79521159bde0
      version: -1
      name: Evaluate suspicious process involvement

Contributor

Can we terminate the CGO if CIDToTerminate is empty? Since we now have 2 new conditions.
[image]

Contributor Author

You are right. I changed it to AND. It is not possible to terminate if it is empty.

@idovandijk (Contributor) left a comment

Awesome work! Looks great, with some needed changes. Let me know if something is not clear.

      - "70"
    scriptarguments:
      query:
        simple: "dataset = xdr_data // Using the xdr dataset\n | filter agent_hostname = \"${alert.hostname}\" \n | filter event_type = ENUM.PROCESS \n | filter actor_process_command_line ~= \"net1?\\s+user\\s+\\S+\\$\\s+\\S+\\s+/add\"\n or actor_process_command_line contains \"New-LocalUser\"\n or actor_process_command_line ~= \"SpecialAccounts\\\\UserList\"\n or actor_process_command_line contains \"TmV3LUxvY2FsVXNlcg==\"\n or actor_process_command_line contains \"L2FkZA==\"\n| fields actor_process_image_name, actor_process_command_line, actor_process_signature_status, causality_actor_process_image_name,causality_actor_process_os_pid ,causality_actor_process_signature_status "

Contributor

If a hidden user was created, wouldn't we always get a result here, since we search 5 min before and after our alert? In that case the verdict will always go to TP, no?

Contributor Author

I use this query to find the parent process; I am not relying on it at all in the TP/FP calculation.
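The XQL filter quoted in this thread, rewritten in Python as an added example for readers of the review (it is not code from this PR or from the playbook). It mirrors the four detection clauses of the query and then, like the query's `fields` projection, collects the causality (parent) process PIDs of matching events, which is what the author says the query is for. Assumptions not in the page: matching is case-insensitive here (how the XQL `~=` and `contains` operators treat case is not something the thread states), the dictionary keys are taken from the query's `fields` clause, and the sample events are constructed. The two `contains` markers are base64 strings; decoding them shows that they stand for `New-LocalUser` and `/add`, and the trailing `$` the regex requires on the account name is what hides a local account from a plain `net user` listing.

```python
import base64
import re

# Regex copied from the query's `~=` filter: `net user <name>$ <password> /add`.
# The trailing "$" on the account name hides it from `net user` listings.
NET_USER_HIDDEN_RE = re.compile(r"net1?\s+user\s+\S+\$\s+\S+\s+/add", re.IGNORECASE)

# Registry key that hides an account from the Windows logon screen.
SPECIAL_ACCOUNTS_RE = re.compile(r"SpecialAccounts\\UserList", re.IGNORECASE)

# The two `contains` markers from the query are base64 encodings.
ENCODED_MARKERS = ("TmV3LUxvY2FsVXNlcg==", "L2FkZA==")


def decode_marker(token: str) -> str:
    """Return the plaintext a base64 marker in the query stands for."""
    return base64.b64decode(token).decode("ascii")


def hidden_user_indicators(cmdline: str) -> list[str]:
    """Mirror the query's filter clause: the indicators one command line trips.

    Case-insensitive matching is an assumption made here, not taken from the query.
    """
    hits = []
    if NET_USER_HIDDEN_RE.search(cmdline):
        hits.append("net_user_dollar_add")
    if "new-localuser" in cmdline.lower():
        hits.append("new_localuser_cmdlet")
    if SPECIAL_ACCOUNTS_RE.search(cmdline):
        hits.append("specialaccounts_userlist_key")
    for token in ENCODED_MARKERS:
        if token in cmdline:
            hits.append("base64:" + decode_marker(token))
    return hits


def parent_pids_to_review(events: list[dict]) -> list[int]:
    """Mirror the query's projection: causality (parent) PIDs of matching events,
    deduplicated in first-seen order.

    An empty list means there is no process to terminate, which is why a
    terminate step must also check that its CID input is non-empty.
    """
    seen: list[int] = []
    for ev in events:
        if hidden_user_indicators(ev["actor_process_command_line"]):
            cid = ev["causality_actor_process_os_pid"]
            if cid not in seen:
                seen.append(cid)
    return seen


# Constructed sample events, keyed by the field names the query projects.
SAMPLE_EVENTS = [
    {"actor_process_image_name": "cmd.exe",
     "actor_process_command_line": r"net user svc_backup$ P@ssw0rd! /add",
     "causality_actor_process_os_pid": 9001},
    {"actor_process_image_name": "powershell.exe",
     "actor_process_command_line": "powershell -c New-LocalUser -Name helpdesk -NoPassword",
     "causality_actor_process_os_pid": 9001},
    {"actor_process_image_name": "reg.exe",
     "actor_process_command_line": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpdesk /t REG_DWORD /d 0',
     "causality_actor_process_os_pid": 9002},
    {"actor_process_image_name": "cmd.exe",
     "actor_process_command_line": "cmd /c echo TmV3LUxvY2FsVXNlcg== L2FkZA==",
     "causality_actor_process_os_pid": 9003},
    # Benign: an ordinary account lookup must not match.
    {"actor_process_image_name": "cmd.exe",
     "actor_process_command_line": "net user helpdesk /domain",
     "causality_actor_process_os_pid": 9004},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["actor_process_image_name"], hidden_user_indicators(ev["actor_process_command_line"]))
    print("parent PIDs to review:", parent_pids_to_review(SAMPLE_EVENTS))
```

Running it over the constructed events yields parent PIDs 9001, 9002 and 9003 and nothing for the benign lookup; fed an event list with no matches it returns an empty list, which is the case the CIDToTerminate discussion above is about.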

@content-bot (Collaborator)

This PR was automatically updated by a GitHub Action

  • CortexResponseAndRemediation pack version was bumped to 1.1.60.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

@karinafishman karinafishman requested a review from idovandijk June 10, 2025 13:14
@content-bot (Collaborator)

Validate summary
The following errors were thrown as a part of this pr: PA114, ST110.
The following errors cannot be ignored: PA114, ST110.
The following errors don't run as part of the nightly flow and therefore can be force merged: PA114.

Verdict: PR can be force merged from validate perspective? ❌

Labels: docs-approved, ready-for-pipeline-running

4 participants