FireEye Red Team Tools Investigation and Response

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook does the following:

Collect indicators to aid in your threat hunting process.

  • Retrieve IOCs of FireEye red team tools.
  • Discover IOCs of associated activity related to the infection.
  • Generate an indicator list to block indicators with SUNBURST tags.

Hunt for the indicators

  • Search endpoints with the FireEye red team tools CVEs.
  • Search endpoint logs for FireEye red team tools hashes.
  • Search and link previous incidents with the FireEye hashes.

If compromised hosts are found, fire off sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Search Endpoints By Hash - Generic V2
  • Search Endpoint by CVE - Generic
  • Isolate Endpoint - Generic


This playbook does not use any integrations.


  • findIncidentsWithIndicator
  • http


  • appendIndicatorField
  • cve
  • extractIndicators
  • linkIncidents
  • enrichIndicators
  • closeInvestigation
  • createNewIndicator

Playbook Inputs

NameDescriptionDefault ValueRequired
FireEyeToolsCVECVE-2019-0708 ,CVE-2017-11774CVE-2018-15961,CVE-2019-19781 ,CVE-2019-3398,CVE-2019-11580 ,CVE-2018-13379,CVE-2020-0688 ,CVE-2019-11510,CVE-2019-0604 ,CVE-2020-10189,CVE-2019-8394 ,CVE-2020-1472,CVE-2018-8581 ,CVE-2016-0167,CVE-2014-1812Optional
FireEyeRedTeamToolsCVEsURLThe URL of FireEye red team tools CVEs
IsolateEndpointAutomaticallyWhether to automatically isolate endpoints, or opt for manual user approval. True means isolation will be done automatically.FalseOptional

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

FireEye Red Team Tools Investigation and Response