An endpoint trips an alert for suspicious behavior in the middle of the night. A weekend night, no less. What’s the right course of action? The process might be to page the on-call analyst, forcing them to get up and manually triage the endpoint. But if you have Cortex XSOAR and a properly configured auto-triage use case, you can let Cortex XSOAR handle the initial response to the alert while your analyst sleeps peacefully through the night.
This post describes one approach you could take to set up an auto-triage use case in Cortex XSOAR by combining the forces of the Kroll Artifact Parser and Extractor (KAPE) triage tool and Cortex XDR. This general workflow could be adapted to support the endpoint detection and response (EDR) platform and triage tool of your choice.
KAPE simplifies forensic artifact acquisition by providing Targets, meaning artifacts that KAPE knows how to collect. It even takes the guesswork about what to collect by including pre-set compound Targets, which are collections of important related artifacts. For example, there is a compound Target for EvidenceOfExecution artifacts, which we will use for today’s example.
In order to follow along with today’s use case, you will need to set up the following:
This workflow can be set to trigger automatically as part of your EDR alert response playbook.
In order to execute KAPE on the remote endpoint, you first need to copy or download it to the endpoint. There are a number of different ways you can achieve this depending on your organization’s processes and the integrations you have set up, but for today’s example we will use the Cortex XSOAR RemoteAccess v2 integration, which operates over the SSH protocol.
First, create a custom 7zip file containing only the KAPE components you need to minimize the size of the file to transfer to the endpoint. For today’s example, that looks like this – just the KAPE executable and the EvidenceOfExecution Target, which is then 7zipped into a file called kape-EvidenceOfExecution.7z. Additionally, we will copy the 7-Zip standalone executable to the endpoint so it can be used to unzip the archive.
You can manually upload these files to XSOAR or use an integration to retrieve them, e.g., the GitHub integration to download them from a repository. Once the files exist in XSOAR, to avoid the need to manually upload them during an automated response, you can automatically copy them from the incident where they already exist to the current incident using the Core REST API integration.
So if I already have my files uploaded to incident #3 and their EntryIDs are 48@3 and 49@3, I can download them to the current incident I’m working out of by running:
!core-api-download uri="/entry/download/48@3"
!core-api-download uri="/entry/download/49@3"
Then I copy them to the root of the C:\ drive on the remote endpoint by running:
!copy-to entry_id="486@4" dest-dir="C:" host="asawyer-fygywpnb"
!copy-to entry_id="490@4" dest-dir="C:" host="asawyer-fygywpnb"
Of course, no need to run these actions manually; they can all be automated using a playbook, attached to this post.
Once the necessary files have been transferred to the endpoint, it is time to run KAPE! This can be done automatically using a Cortex XDR agent script. Create the script in XDR by navigating to Incident Response > Action Center > Agent Script Library > + New Script. If you are following along with this example, you can upload the script (.py) file and manifest (.def) file attached to this post.
The script first runs the 7za.exe executable to extract the KAPE files. Then it runs KAPE, pointing it at the specified Target. Finally, the script identifies the most recently created .zip file (the KAPE output) and .txt file (the KAPE console log) and returns their paths as outputs.
Call the script automatically from Cortex XSOAR using the xdr-script-run command.
Retrieve script results automatically into Cortex XSOAR using the xdr-file-retrieve command.
While outside the scope of this post, it is certainly recommended at this point to isolate the endpoint until an analyst can review the evidence Cortex XSOAR has collected and determine whether the endpoint is truly compromised. This can be done automatically using the xdr-endpoint-isolate command.
Tie all of these steps together with a Cortex XSOAR playbook. The playbook automatically copies and extracts the KAPE files on the remote endpoint:
Then it executes the XDR script to run KAPE:
And voilà! The KAPE output files are written to the endpoint.
The actions are logged and results are displayed in the Cortex XDR console:
Finally, the playbook retrieves the KAPE output back to Cortex XSOAR and marks it as evidence. This way, evidence related to the incident can be centralized in one place.
Cortex XSOAR is an excellent tool for automated triage of a potentially compromised endpoint because it allows for a quick, consistent response via automation. Evidence is captured immediately, no need to wake up an analyst and wait for them to get online. Make analysts’ lives easier by letting Cortex XSOAR do the work of triaging the endpoint.
Resources attached to this post:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 3 Likes | |
| 3 Likes | |
| 2 Likes | |
| 2 Likes | |
| 2 Likes |
| User | Likes Count |
|---|---|
| 6 | |
| 4 | |
| 3 | |
| 2 | |
| 2 |
