From 202d569e28a7efed356bb008bf5c0b5c332eb22e Mon Sep 17 00:00:00 2001 
From: ArikDay <115150768+ArikDay@users.noreply.github.com> Date: Sun, 5 Jan 2025 13:04:46 +0200 Subject: [PATCH] CortexNewPack (#37787) * content * rn * add * fix * changepackname * changepacknamee * fixpackignore * updatenewpacknameinlist * rnwithbcupdate * Bump pack from version Core to 3.2.11. * Bump pack from version Core to 3.2.12. * Bump pack from version Core to 3.2.13. * Bump pack from version Core to 3.2.14. * remove authimage * fixesfromreview * triggers new playbooks and change name * changes * changepbname * test * fix * fix folder name * fix * removenamechange * fix metadate * Bump pack from version Core to 3.2.15. * Bump pack from version Core to 3.2.16. --------- Co-authored-by: Content Bot Co-authored-by: ypreisler --- Config/core_packs_mpv2_list.json | 6 +- Packs/Core/ReleaseNotes/3_2_16.json | 4 + Packs/Core/ReleaseNotes/3_2_16.md | 3 + Packs/Core/pack_metadata.json | 2 +- .../CortexResponseAndRemediation/.pack-ignore | 25 +++++ .../.secrets-ignore | 95 ++++++++++++++++++ .../playbook-A_Successful_login_from_TOR.yml | 0 ...book-A_Successful_login_from_TOR_README.md | 0 ...ule_was_configured_in_Google_Workspace.yml | 0 ...s_configured_in_Google_Workspace_README.md | 0 ...book-A_successful_SSO_sign-in_from_TOR.yml | 0 ..._successful_SSO_sign-in_from_TOR_README.md | 0 ...ser_rejected_numerous_SSO_MFA_attempts.yml | 0 ...jected_numerous_SSO_MFA_attempts_README.md | 0 ...-Credential_Dumping_using_a_known_tool.yml | 0 ...ntial_Dumping_using_a_known_tool_README.md | 0 ...ncommon_remote_scheduled_task_creation.yml | 0 ...n_remote_scheduled_task_creation_README.md | 0 .../playbook-Event_Log_Was_Cleared.yml | 0 .../playbook-Event_Log_Was_Cleared_README.md | 0 ...aybook-Excessive_User_Account_Lockouts.yml | 0 ...-Excessive_User_Account_Lockouts_README.md | 0 ...ok-Exchange_forwarding_rule_configured.yml | 0 ...hange_forwarding_rule_configured_README.md | 0 ...playbook-External_Login_Password_Spray.yml | 0 ...ok-External_Login_Password_Spray_README.md | 0 
...table_from_an_uncommon_remote_location.yml | 0 ...from_an_uncommon_remote_location_README.md | 0 .../playbook-Remote_WMI_Process_Execution.yml | 0 ...ook-Remote_WMI_Process_Execution_README.md | 0 .../Playbooks/playbook-SSO_Brute_Force.yml | 0 .../playbook-SSO_Brute_Force_README.md | 0 .../Playbooks/playbook-SSO_Password_Spray.yml | 0 .../playbook-SSO_Password_Spray_README.md | 0 ...ask_created_with_HTTP_or_FTP_reference.yml | 0 ...eated_with_HTTP_or_FTP_reference_README.md | 0 ...ybook-Successful_guest_user_invitation.yml | 0 ...Successful_guest_user_invitation_README.md | 0 ...laybook-Suspicious_Hidden_User_Created.yml | 0 ...k-Suspicious_Hidden_User_Created_README.md | 0 .../playbook-Suspicious_LDAP_search_query.yml | 0 ...ook-Suspicious_LDAP_search_query_README.md | 0 ...cious_SaaS_Access_From_a_TOR_Exit_Node.yml | 0 ...SaaS_Access_From_a_TOR_Exit_Node_README.md | 0 ...y_scheduled_task_on_a_sensitive_server.yml | 0 ...duled_task_on_a_sensitive_server_README.md | 0 ...ive_shadow_copy_by_a_high_risk_process.yml | 0 ...adow_copy_by_a_high_risk_process_README.md | 0 ...Uncommon_remote_scheduled_task_created.yml | 0 ...on_remote_scheduled_task_created_README.md | 0 ...vileged_process_opened_a_registry_hive.yml | 0 ...d_process_opened_a_registry_hive_README.md | 0 ...popular_process_performed_an_injection.yml | 0 ...r_process_performed_an_injection_README.md | 0 ...rator_group_using_a_PowerShell_command.yml | 0 ...group_using_a_PowerShell_command_README.md | 0 Packs/CortexResponseAndRemediation/README.md | 17 ++++ ...ious_SaaS_Access_From_a_TOR_Exit_Node.json | 0 ...le_was_configured_in_Google_Workspace.json | 0 ...r_-_A_successful_SSO_sign_in_from_TOR.json | 0 ...Trigger_-_A_successful_login_from_TOR.json | 0 ...er_rejected_numerous_SSO_MFA_attempts.json | 0 ...Credential_Dumping_using_a_known_tool.json | 0 ...common_remote_scheduled_task_creation.json | 0 .../Trigger_-_Event_Log_Was_Cleared.json | 0 ...er_-_Excessive_User_Account_Lockkouts.json | 0 
...-_Exchange_forwarding_rule_configured.json | 0 ...igger_-_External_Login_Password_Spray.json | 0 ...able_from_an_uncommon_remote_location.json | 0 ...rigger_-_Remote_WMI_Process_Execution.json | 0 .../Triggers/Trigger_-_SSO_Brute_Force.json | 0 .../Trigger_-_SSO_Brute_Force_Activity.json | 0 .../Trigger_-_SSO_Password_Spray.json | 0 ...sk_created_with_HTTP_or_FTP_reference.json | 0 ...er_-_Successful_guest_user_invitation.json | 0 ...gger_-_Suspicious_Hidden_User_Created.json | 0 ...rigger_-_Suspicious_LDAP_search_query.json | 0 ...er_-_Suspicious_access_to_shadow_file.json | 0 ..._scheduled_task_on_a_sensitive_server.json | 0 ...ncommon_remote_scheduled_task_created.json | 0 ...ileged_process_opened_a_registry_hive.json | 0 ...opular_process_performed_an_injection.json | 0 ...ator_group_using_a_PowerShell_command.json | 0 .../doc_files/A_Successful_login_from_TOR.png | Bin ...ule_was_configured_in_Google_Workspace.png | Bin .../A_successful_SSO_sign-in_from_TOR.png | Bin ...ser_rejected_numerous_SSO_MFA_attempts.png | Bin .../Credential_Dumping_using_a_known_tool.png | Bin ...ncommon_remote_scheduled_task_creation.png | Bin .../doc_files/Event_Log_Was_Cleared.png | Bin .../Excessive_User_Account_Lockouts.png | Bin .../Exchange_forwarding_rule_configured.png | Bin .../External_Login_Password_Spray.png | Bin ...table_from_an_uncommon_remote_location.png | Bin .../Remote_WMI_Process_Execution.png | Bin .../doc_files/SSO_Brute_Force.png | Bin .../doc_files/SSO_Password_Spray.png | Bin ...ask_created_with_HTTP_or_FTP_reference.png | Bin .../Successful_guest_user_invitation.png | Bin .../Suspicious_Hidden_User_Created.png | Bin .../Suspicious_LDAP_search_query.png | Bin ...cious_SaaS_Access_From_a_TOR_Exit_Node.png | Bin ...y_scheduled_task_on_a_sensitive_server.png | Bin ...ive_shadow_copy_by_a_high-risk_process.png | Bin ...Uncommon_remote_scheduled_task_created.png | Bin ...vileged_process_opened_a_registry_hive.png | Bin 
...popular_process_performed_an_injection.png | Bin ...rator_group_using_a_PowerShell_command.png | Bin .../pack_metadata.json | 23 +++++ 109 files changed, 172 insertions(+), 3 deletions(-) create mode 100644 Packs/Core/ReleaseNotes/3_2_16.json create mode 100644 Packs/Core/ReleaseNotes/3_2_16.md create mode 100644 Packs/CortexResponseAndRemediation/.pack-ignore create mode 100644 Packs/CortexResponseAndRemediation/.secrets-ignore rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-A_Successful_login_from_TOR.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-A_Successful_login_from_TOR_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Credential_Dumping_using_a_known_tool.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Credential_Dumping_using_a_known_tool_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation.yml (100%) rename Packs/{Core => 
CortexResponseAndRemediation}/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Event_Log_Was_Cleared.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Event_Log_Was_Cleared_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Excessive_User_Account_Lockouts.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Excessive_User_Account_Lockouts_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Exchange_forwarding_rule_configured.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Exchange_forwarding_rule_configured_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-External_Login_Password_Spray.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-External_Login_Password_Spray_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Remote_WMI_Process_Execution.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Remote_WMI_Process_Execution_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-SSO_Brute_Force.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-SSO_Brute_Force_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-SSO_Password_Spray.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-SSO_Password_Spray_README.md (100%) rename 
Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Successful_guest_user_invitation.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Successful_guest_user_invitation_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_Hidden_User_Created.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_Hidden_User_Created_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_LDAP_search_query.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_LDAP_search_query_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Uncommon_remote_scheduled_task_created.yml (100%) rename 
Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Uncommon_remote_scheduled_task_created_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection_README.md (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command.yml (100%) rename Packs/{Core => CortexResponseAndRemediation}/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_README.md (100%) create mode 100644 Packs/CortexResponseAndRemediation/README.md rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_A_successful_SSO_sign_in_from_TOR.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_A_successful_login_from_TOR.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Credential_Dumping_using_a_known_tool.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation.json (100%) rename Packs/{Core => 
CortexResponseAndRemediation}/Triggers/Trigger_-_Event_Log_Was_Cleared.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Excessive_User_Account_Lockkouts.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Exchange_forwarding_rule_configured.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_External_Login_Password_Spray.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Remote_WMI_Process_Execution.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_SSO_Brute_Force.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_SSO_Brute_Force_Activity.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_SSO_Password_Spray.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Successful_guest_user_invitation.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Suspicious_Hidden_User_Created.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Suspicious_LDAP_search_query.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Suspicious_access_to_shadow_file.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Uncommon_remote_scheduled_task_created.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Unprivileged_process_opened_a_registry_hive.json (100%) 
rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_Unsigned_and_unpopular_process_performed_an_injection.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/Triggers/Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command.json (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/A_Successful_login_from_TOR.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/A_mail_forwarding_rule_was_configured_in_Google_Workspace.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/A_successful_SSO_sign-in_from_TOR.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Credential_Dumping_using_a_known_tool.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Endpoint_initiated_uncommon_remote_scheduled_task_creation.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Event_Log_Was_Cleared.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Excessive_User_Account_Lockouts.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Exchange_forwarding_rule_configured.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/External_Login_Password_Spray.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Remote_WMI_Process_Execution.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/SSO_Brute_Force.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/SSO_Password_Spray.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Scheduled_task_created_with_HTTP_or_FTP_reference.png (100%) rename Packs/{Core => 
CortexResponseAndRemediation}/doc_files/Successful_guest_user_invitation.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Suspicious_Hidden_User_Created.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Suspicious_LDAP_search_query.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high-risk_process.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Uncommon_remote_scheduled_task_created.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Unprivileged_process_opened_a_registry_hive.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/Unsigned_and_unpopular_process_performed_an_injection.png (100%) rename Packs/{Core => CortexResponseAndRemediation}/doc_files/User_added_to_local_administrator_group_using_a_PowerShell_command.png (100%) create mode 100644 Packs/CortexResponseAndRemediation/pack_metadata.json
diff --git a/Config/core_packs_mpv2_list.json b/Config/core_packs_mpv2_list.json
index a7679ae37fc4..21226dd00f61 100644
--- a/Config/core_packs_mpv2_list.json
+++ b/Config/core_packs_mpv2_list.json
@@ -22,7 +22,8 @@
 "Unit42Intel",
 "VirusTotal",
 "Whois",
- "rasterize"
+ "rasterize",
+ "CortexResponseAndRemediation"
 ],
 "update_core_packs_list": [
 "AutoFocus",
@@ -47,6 +48,7 @@
 "Unit42Intel",
 "VirusTotal",
 "Whois",
- "rasterize"
+ "rasterize",
+ "CortexResponseAndRemediation"
 ]
 }
diff --git a/Packs/Core/ReleaseNotes/3_2_16.json b/Packs/Core/ReleaseNotes/3_2_16.json
new file mode 100644
index 000000000000..0972bf898af6
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/3_2_16.json
@@ -0,0 +1,4 @@
+{
+ "breakingChanges": true,
+ "breakingChangesNotes": "Playbooks from 'Core - Investigation & Response' have been migrated to the 'Cortex Response And Remediation' pack. Please install the new pack before updating."
+}
\ No newline at end of file
diff --git a/Packs/Core/ReleaseNotes/3_2_16.md b/Packs/Core/ReleaseNotes/3_2_16.md
new file mode 100644
index 000000000000..3986966e007e
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/3_2_16.md
@@ -0,0 +1,3 @@
+## Core - Investigation and Response
+
+Playbooks from 'Core - Investigation & Response' have been migrated to the 'Cortex Response And Remediation' pack. Please install the new pack before updating.
\ No newline at end of file
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 9b847181c22b..7904caca8101 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "3.2.15",
+ "currentVersion": "3.2.16",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CortexResponseAndRemediation/.pack-ignore b/Packs/CortexResponseAndRemediation/.pack-ignore
new file mode 100644
index 000000000000..d9f6bd0836af
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/.pack-ignore
@@ -0,0 +1,25 @@
+[file:playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml]
+ignore=PB106
+
+[file:README.md]
+ignore=RM104,RM106
+
+# See CIAC-7711, CIAC-11954
+[file:playbook-Suspicious_Hidden_User_Created.yml]
+ignore=GR103
+
+# See CIAC-7711, CIAC-11954
+[file:playbook-Excessive_User_Account_Lockouts.yml]
+ignore=GR103
+
+# GR103 is temporary, see CIAC-11954
+[file:playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml]
+ignore=GR103
+
+[known_words]
+xsiam
+coreirapimodule
+xdrir
+NGFW
+HTTPS
+SMTP
\ No newline at end of file
diff --git a/Packs/CortexResponseAndRemediation/.secrets-ignore b/Packs/CortexResponseAndRemediation/.secrets-ignore
new file mode 100644
index 000000000000..dd51812b3650
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/.secrets-ignore
@@ -0,0 +1,95 @@
+1.1.1.1
+2.2.2.2
+8.8.8.8
+3.3.3.3
+5.5.5.5
+0.0.0.0
+172.16.0.0
+172.31.11.11
+196.168.0.1
+192.168.0.0
+agent_version=6.1.4.1680
+1111.paloaltonetworks.com
+origin=originsic=CN=DWdeviceBlackend,O=Blackend
+origin=originsic=CN=DWdeviceBlackend
+|action|action_external_hostname|action_file_md5|action_file_path||action_local_ip|action_local_port|action_pretty|action_process_image_command_line|action_process_image_name||action_process_signature_status|action_process_signature_vendor|action_registry_data||action_remote_ip|action_remote_port|actor_process_command_line|actor_process_image_name|actor_process_signature_status|actor_process_signature_vendor|alert_id|category|causality_actor_causality_id||causality_actor_process_image_name|causality_actor_process_signature_status||description|detection_timestamp|event_type|fw_app_id|host_ip|host_name|is_whitelisted|name|severity|source|starred|user_name|
+modification_time
+creation_time
+timestamp_lte
+_external_hostname
+192.168.1.254
+woo@demisto.com
+moo@demisto.com
+xdrdummyurl.com
+some.xdr.url.com
+api.xdrurl.com
+demisto.hello.com
+paloaltonetworksxdr
+url_suffix=
+wildfire-test-pe-file.exe
+manual_description
+causality_actor_process_signature_vendor
+wildfire-test-pe-file.exe
+action_file_sha256
+manual_description
+action_registry_full_key
+action_process_image_sha256
+causality_actor_process_command_line
+high_severity_alert_count
+origin=originsicname
+||microsoft-ds
+Point|Log
+auditagentreports
+ip-172-31-15-237.eu-central-1.compute.internal
+196.168.0.111
+tableToMarkdown
+under_investigation
+resolved_threat_handled
+resolved_true_positive
+resolved_security_testing
+resolved_known_issue
+resolved_false_positive
+resolved_duplicate
+resolved_other
+"new"
+distribution_id
+endpoint_id
+cef_alerts
+https://github.com
+foo@test.com
+http://example.com
+https://raw.githubusercontent.com
+2.2.2.3
+2.2.3.3
+management_logs
+11.11.11.11
+22.22.22.22
+33.33.33.33
+44.44.44.44
+55.55.55.55
+66.66.66.66
+77.77.77.77
+88.88.88.88
+http://www.test.com
+http://www.test.org
+http://test.org
+https://test.org
+abuse@w.com
+https://us-cert.cisa.gov/tlp
+fake.url.com
+a@a.gmail.com
+https://www.cisa.gov
+SailPoint
+dummy@dummy.com
+dummy1@dummy.com
+dummy2@dummy.com
+dummy3@dummy.com
+000001e7a228b2a7abdf7f7e404bc8522df32b725e86907dde32176bccbbbb27
+80.66.75.36
+218.92.0.29
+ManagerEmail@test.com
+test2@test.com
+test@test.com
+f3322.net
+Clarizen
+https://test_api.com
\ No newline at end of file
diff --git a/Packs/Core/Playbooks/playbook-A_Successful_login_from_TOR.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-A_Successful_login_from_TOR.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-A_Successful_login_from_TOR.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-A_Successful_login_from_TOR.yml
diff --git a/Packs/Core/Playbooks/playbook-A_Successful_login_from_TOR_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-A_Successful_login_from_TOR_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-A_Successful_login_from_TOR_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-A_Successful_login_from_TOR_README.md
diff --git a/Packs/Core/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace.yml
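Review bot: The 95-line `.secrets-ignore` added in this hunk reads as a wholesale copy of an existing allowlist rather than the set of tokens the migrated playbooks actually contain — `manual_description` and `wildfire-test-pe-file.exe` are each listed twice, and entries such as `tableToMarkdown`, `cef_alerts` and the `resolved_*` status strings are unlikely to match anything in the renamed YAML and README files. Every line here permanently suppresses the secrets scanner for that token in this pack, so the list should be rebuilt from a scan of only this pack's files and de-duplicated, keeping just what still fires. Before the remaining entries are blessed, a few deserve a second look: `80.66.75.36`, `218.92.0.29`, `196.168.0.1` and `196.168.0.111` are publicly routable addresses (the last two look like typos of 192.168.x.x), `f3322.net` is a dynamic-DNS domain, and the 64-hex entry is a full SHA-256 digest — if these are sample IOCs from the playbook documentation, recording that in the pack README would save the next reviewer from re-deriving it. Neither `Packs/Core/.secrets-ignore` nor `Packs/Core/.pack-ignore` is touched by this patch; if the migrated entries remain there they are presumably now stale allowlist entries on the Core side and can be dropped in a follow-up.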
diff --git a/Packs/Core/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-A_mail_forwarding_rule_was_configured_in_Google_Workspace_README.md
diff --git a/Packs/Core/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR.yml
diff --git a/Packs/Core/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-A_successful_SSO_sign-in_from_TOR_README.md
diff --git a/Packs/Core/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.yml
diff --git a/Packs/Core/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts_README.md
diff --git a/Packs/Core/Playbooks/playbook-Credential_Dumping_using_a_known_tool.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Credential_Dumping_using_a_known_tool.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Credential_Dumping_using_a_known_tool.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Credential_Dumping_using_a_known_tool.yml
diff --git a/Packs/Core/Playbooks/playbook-Credential_Dumping_using_a_known_tool_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Credential_Dumping_using_a_known_tool_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Credential_Dumping_using_a_known_tool_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Credential_Dumping_using_a_known_tool_README.md
diff --git a/Packs/Core/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation.yml
diff --git a/Packs/Core/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Endpoint_initiated_uncommon_remote_scheduled_task_creation_README.md
diff --git a/Packs/Core/Playbooks/playbook-Event_Log_Was_Cleared.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Event_Log_Was_Cleared.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Event_Log_Was_Cleared.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Event_Log_Was_Cleared.yml
diff --git a/Packs/Core/Playbooks/playbook-Event_Log_Was_Cleared_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Event_Log_Was_Cleared_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Event_Log_Was_Cleared_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Event_Log_Was_Cleared_README.md
diff --git a/Packs/Core/Playbooks/playbook-Excessive_User_Account_Lockouts.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Excessive_User_Account_Lockouts.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Excessive_User_Account_Lockouts.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Excessive_User_Account_Lockouts.yml
diff --git a/Packs/Core/Playbooks/playbook-Excessive_User_Account_Lockouts_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Excessive_User_Account_Lockouts_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Excessive_User_Account_Lockouts_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Excessive_User_Account_Lockouts_README.md
diff --git a/Packs/Core/Playbooks/playbook-Exchange_forwarding_rule_configured.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Exchange_forwarding_rule_configured.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Exchange_forwarding_rule_configured.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Exchange_forwarding_rule_configured.yml
diff --git a/Packs/Core/Playbooks/playbook-Exchange_forwarding_rule_configured_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Exchange_forwarding_rule_configured_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Exchange_forwarding_rule_configured_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Exchange_forwarding_rule_configured_README.md
diff --git a/Packs/Core/Playbooks/playbook-External_Login_Password_Spray.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-External_Login_Password_Spray.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-External_Login_Password_Spray.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-External_Login_Password_Spray.yml
diff --git a/Packs/Core/Playbooks/playbook-External_Login_Password_Spray_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-External_Login_Password_Spray_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-External_Login_Password_Spray_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-External_Login_Password_Spray_README.md
diff --git a/Packs/Core/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.yml
diff --git a/Packs/Core/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Msiexec_execution_of_an_executable_from_an_uncommon_remote_location_README.md
diff --git a/Packs/Core/Playbooks/playbook-Remote_WMI_Process_Execution.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Remote_WMI_Process_Execution.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Remote_WMI_Process_Execution.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Remote_WMI_Process_Execution.yml
diff --git a/Packs/Core/Playbooks/playbook-Remote_WMI_Process_Execution_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Remote_WMI_Process_Execution_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Remote_WMI_Process_Execution_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Remote_WMI_Process_Execution_README.md
diff --git a/Packs/Core/Playbooks/playbook-SSO_Brute_Force.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Brute_Force.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-SSO_Brute_Force.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Brute_Force.yml
diff --git a/Packs/Core/Playbooks/playbook-SSO_Brute_Force_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Brute_Force_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-SSO_Brute_Force_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Brute_Force_README.md
diff --git a/Packs/Core/Playbooks/playbook-SSO_Password_Spray.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Password_Spray.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-SSO_Password_Spray.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Password_Spray.yml
diff --git a/Packs/Core/Playbooks/playbook-SSO_Password_Spray_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Password_Spray_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-SSO_Password_Spray_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-SSO_Password_Spray_README.md
diff --git a/Packs/Core/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference.yml
diff --git a/Packs/Core/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Scheduled_task_created_with_HTTP_or_FTP_reference_README.md
diff --git a/Packs/Core/Playbooks/playbook-Successful_guest_user_invitation.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Successful_guest_user_invitation.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Successful_guest_user_invitation.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Successful_guest_user_invitation.yml
diff --git a/Packs/Core/Playbooks/playbook-Successful_guest_user_invitation_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Successful_guest_user_invitation_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Successful_guest_user_invitation_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Successful_guest_user_invitation_README.md
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_Hidden_User_Created.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_Hidden_User_Created.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_Hidden_User_Created.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_Hidden_User_Created.yml
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_Hidden_User_Created_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_Hidden_User_Created_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_Hidden_User_Created_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_Hidden_User_Created_README.md
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_LDAP_search_query.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_LDAP_search_query.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_LDAP_search_query.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_LDAP_search_query.yml
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_LDAP_search_query_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_LDAP_search_query_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_LDAP_search_query_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_LDAP_search_query_README.md
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node.yml
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_SaaS_Access_From_a_TOR_Exit_Node_README.md
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.yml
diff --git a/Packs/Core/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server_README.md
diff --git a/Packs/Core/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process.yml
diff --git a/Packs/Core/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high_risk_process_README.md
diff --git a/Packs/Core/Playbooks/playbook-Uncommon_remote_scheduled_task_created.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_remote_scheduled_task_created.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Uncommon_remote_scheduled_task_created.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_remote_scheduled_task_created.yml
diff --git a/Packs/Core/Playbooks/playbook-Uncommon_remote_scheduled_task_created_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_remote_scheduled_task_created_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Uncommon_remote_scheduled_task_created_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Uncommon_remote_scheduled_task_created_README.md
diff --git a/Packs/Core/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive.yml
diff --git a/Packs/Core/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Unprivileged_process_opened_a_registry_hive_README.md
diff --git a/Packs/Core/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection.yml
diff --git a/Packs/Core/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-Unsigned_and_unpopular_process_performed_an_injection_README.md
diff --git a/Packs/Core/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command.yml b/Packs/CortexResponseAndRemediation/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command.yml
similarity index 100%
rename from Packs/Core/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command.yml
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command.yml
diff --git a/Packs/Core/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_README.md b/Packs/CortexResponseAndRemediation/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_README.md
similarity index 100%
rename from Packs/Core/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_README.md
rename to Packs/CortexResponseAndRemediation/Playbooks/playbook-User_added_to_local_administrator_group_using_a_PowerShell_command_README.md
diff --git a/Packs/CortexResponseAndRemediation/README.md b/Packs/CortexResponseAndRemediation/README.md
new file mode 100644
index 000000000000..5053dc172fb5
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/README.md
@@ -0,0 +1,17 @@
+The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes, built to support an Autonomous SOC vision.
+The playbooks in this pack are tightly coupled to Issues, leveraging detector logic to provide highly accurate and context-aware responses. This ensures seamless integration with Cortex XSIAM, enabling SOC teams to focus on high-priority threats while automating repetitive tasks.
+
+
+## Response & Remediation Pack playbooks Key Principles
+- Focused Security Response: Playbooks prioritize high-quality security responses while delegating organizational tasks to incident-level or sub-playbooks.
+- Research-Based Design: The playbooks in the Response & Remediation pack are designed by the Cortex & Prisma Research team with extensive expertise and knowledge in responding to incidents and alerts.
+- Detector Alignment: Playbooks are tailored to specific Cortex and Prisma issues, ensuring precision by aligning with detector logic.
+- Cortex Analytics Integration: Playbooks leverage Cortex analytics capabilities to derive precise verdicts for accurate and effective remediation.
+- AI-Driven Investigations: Advanced AI capabilities enrich investigations by providing deeper insights and contextual data to improve decision-making.
+- Clear Design: Understandable within minutes.
+
+## Playbook Features
+- Prebuilt: Use out-of-the-box (OOTB) playbooks to ensure rapid deployment and reliable functionality.
+- Context-aware Actions: Implement responsive actions based on alert triggers.
+- Seamless Integrations: Fully compatible with Palo Alto Networks products and compatible also with third-party solutions.
+- Granular Monitoring: Provides detailed logs for tracking execution.
diff --git a/Packs/Core/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json b/Packs/CortexResponseAndRemediation/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json
similarity index 100%
rename from Packs/Core/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json
rename to Packs/CortexResponseAndRemediation/Triggers/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.json
diff --git a/Packs/Core/Triggers/Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_A_mail_forwarding_rule_was_configured_in_Google_Workspace.json
diff --git a/Packs/Core/Triggers/Trigger_-_A_successful_SSO_sign_in_from_TOR.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_A_successful_SSO_sign_in_from_TOR.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_A_successful_SSO_sign_in_from_TOR.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_A_successful_SSO_sign_in_from_TOR.json
diff --git a/Packs/Core/Triggers/Trigger_-_A_successful_login_from_TOR.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_A_successful_login_from_TOR.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_A_successful_login_from_TOR.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_A_successful_login_from_TOR.json
diff --git a/Packs/Core/Triggers/Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.json
diff --git a/Packs/Core/Triggers/Trigger_-_Credential_Dumping_using_a_known_tool.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Credential_Dumping_using_a_known_tool.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Credential_Dumping_using_a_known_tool.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Credential_Dumping_using_a_known_tool.json
diff --git a/Packs/Core/Triggers/Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Endpoint_initiated_uncommon_remote_scheduled_task_creation.json
diff --git a/Packs/Core/Triggers/Trigger_-_Event_Log_Was_Cleared.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Event_Log_Was_Cleared.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Event_Log_Was_Cleared.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Event_Log_Was_Cleared.json
diff --git a/Packs/Core/Triggers/Trigger_-_Excessive_User_Account_Lockkouts.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Excessive_User_Account_Lockkouts.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Excessive_User_Account_Lockkouts.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Excessive_User_Account_Lockkouts.json
diff --git a/Packs/Core/Triggers/Trigger_-_Exchange_forwarding_rule_configured.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Exchange_forwarding_rule_configured.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Exchange_forwarding_rule_configured.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Exchange_forwarding_rule_configured.json
diff --git a/Packs/Core/Triggers/Trigger_-_External_Login_Password_Spray.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_External_Login_Password_Spray.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_External_Login_Password_Spray.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_External_Login_Password_Spray.json
diff --git a/Packs/Core/Triggers/Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.json
diff --git a/Packs/Core/Triggers/Trigger_-_Remote_WMI_Process_Execution.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Remote_WMI_Process_Execution.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Remote_WMI_Process_Execution.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Remote_WMI_Process_Execution.json
diff --git a/Packs/Core/Triggers/Trigger_-_SSO_Brute_Force.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_SSO_Brute_Force.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_SSO_Brute_Force.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_SSO_Brute_Force.json
diff --git a/Packs/Core/Triggers/Trigger_-_SSO_Brute_Force_Activity.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_SSO_Brute_Force_Activity.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_SSO_Brute_Force_Activity.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_SSO_Brute_Force_Activity.json
diff --git a/Packs/Core/Triggers/Trigger_-_SSO_Password_Spray.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_SSO_Password_Spray.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_SSO_Password_Spray.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_SSO_Password_Spray.json
diff --git a/Packs/Core/Triggers/Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Scheduled_task_created_with_HTTP_or_FTP_reference.json
diff --git a/Packs/Core/Triggers/Trigger_-_Successful_guest_user_invitation.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Successful_guest_user_invitation.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Successful_guest_user_invitation.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Successful_guest_user_invitation.json
diff --git a/Packs/Core/Triggers/Trigger_-_Suspicious_Hidden_User_Created.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_Hidden_User_Created.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Suspicious_Hidden_User_Created.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_Hidden_User_Created.json
diff --git a/Packs/Core/Triggers/Trigger_-_Suspicious_LDAP_search_query.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_LDAP_search_query.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Suspicious_LDAP_search_query.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_LDAP_search_query.json
diff --git a/Packs/Core/Triggers/Trigger_-_Suspicious_access_to_shadow_file.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_access_to_shadow_file.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Suspicious_access_to_shadow_file.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_access_to_shadow_file.json
diff --git a/Packs/Core/Triggers/Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.json
diff --git a/Packs/Core/Triggers/Trigger_-_Uncommon_remote_scheduled_task_created.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Uncommon_remote_scheduled_task_created.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Uncommon_remote_scheduled_task_created.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Uncommon_remote_scheduled_task_created.json
diff --git a/Packs/Core/Triggers/Trigger_-_Unprivileged_process_opened_a_registry_hive.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Unprivileged_process_opened_a_registry_hive.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Unprivileged_process_opened_a_registry_hive.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Unprivileged_process_opened_a_registry_hive.json
diff --git a/Packs/Core/Triggers/Trigger_-_Unsigned_and_unpopular_process_performed_an_injection.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Unsigned_and_unpopular_process_performed_an_injection.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_Unsigned_and_unpopular_process_performed_an_injection.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_Unsigned_and_unpopular_process_performed_an_injection.json
diff --git a/Packs/Core/Triggers/Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command.json b/Packs/CortexResponseAndRemediation/Triggers/Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command.json
similarity index 100%
rename from Packs/Core/Triggers/Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command.json
rename to Packs/CortexResponseAndRemediation/Triggers/Trigger_-_User_added_to_local_administrator_group_using_a_PowerShell_command.json
diff --git a/Packs/Core/doc_files/A_Successful_login_from_TOR.png b/Packs/CortexResponseAndRemediation/doc_files/A_Successful_login_from_TOR.png
similarity index 100%
rename from Packs/Core/doc_files/A_Successful_login_from_TOR.png
rename to Packs/CortexResponseAndRemediation/doc_files/A_Successful_login_from_TOR.png
diff --git a/Packs/Core/doc_files/A_mail_forwarding_rule_was_configured_in_Google_Workspace.png b/Packs/CortexResponseAndRemediation/doc_files/A_mail_forwarding_rule_was_configured_in_Google_Workspace.png
similarity index 100%
rename from Packs/Core/doc_files/A_mail_forwarding_rule_was_configured_in_Google_Workspace.png
rename to Packs/CortexResponseAndRemediation/doc_files/A_mail_forwarding_rule_was_configured_in_Google_Workspace.png
diff --git a/Packs/Core/doc_files/A_successful_SSO_sign-in_from_TOR.png b/Packs/CortexResponseAndRemediation/doc_files/A_successful_SSO_sign-in_from_TOR.png
similarity index 100%
rename from Packs/Core/doc_files/A_successful_SSO_sign-in_from_TOR.png
rename to Packs/CortexResponseAndRemediation/doc_files/A_successful_SSO_sign-in_from_TOR.png
diff --git a/Packs/Core/doc_files/Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.png b/Packs/CortexResponseAndRemediation/doc_files/Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.png
similarity index 100%
rename from Packs/Core/doc_files/Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.png
rename to Packs/CortexResponseAndRemediation/doc_files/Compromise_Accounts_-_User_rejected_numerous_SSO_MFA_attempts.png
diff --git a/Packs/Core/doc_files/Credential_Dumping_using_a_known_tool.png b/Packs/CortexResponseAndRemediation/doc_files/Credential_Dumping_using_a_known_tool.png
similarity index 100%
rename from Packs/Core/doc_files/Credential_Dumping_using_a_known_tool.png
rename to Packs/CortexResponseAndRemediation/doc_files/Credential_Dumping_using_a_known_tool.png
diff --git a/Packs/Core/doc_files/Endpoint_initiated_uncommon_remote_scheduled_task_creation.png b/Packs/CortexResponseAndRemediation/doc_files/Endpoint_initiated_uncommon_remote_scheduled_task_creation.png
similarity index 100%
rename from Packs/Core/doc_files/Endpoint_initiated_uncommon_remote_scheduled_task_creation.png
rename to Packs/CortexResponseAndRemediation/doc_files/Endpoint_initiated_uncommon_remote_scheduled_task_creation.png
diff --git a/Packs/Core/doc_files/Event_Log_Was_Cleared.png b/Packs/CortexResponseAndRemediation/doc_files/Event_Log_Was_Cleared.png
similarity index 100%
rename from Packs/Core/doc_files/Event_Log_Was_Cleared.png
rename to Packs/CortexResponseAndRemediation/doc_files/Event_Log_Was_Cleared.png
diff --git a/Packs/Core/doc_files/Excessive_User_Account_Lockouts.png b/Packs/CortexResponseAndRemediation/doc_files/Excessive_User_Account_Lockouts.png
similarity index 100%
rename from Packs/Core/doc_files/Excessive_User_Account_Lockouts.png
rename to Packs/CortexResponseAndRemediation/doc_files/Excessive_User_Account_Lockouts.png
diff --git a/Packs/Core/doc_files/Exchange_forwarding_rule_configured.png b/Packs/CortexResponseAndRemediation/doc_files/Exchange_forwarding_rule_configured.png
similarity index 100%
rename from Packs/Core/doc_files/Exchange_forwarding_rule_configured.png
rename to Packs/CortexResponseAndRemediation/doc_files/Exchange_forwarding_rule_configured.png
diff --git a/Packs/Core/doc_files/External_Login_Password_Spray.png b/Packs/CortexResponseAndRemediation/doc_files/External_Login_Password_Spray.png
similarity index 100%
rename from Packs/Core/doc_files/External_Login_Password_Spray.png
rename to Packs/CortexResponseAndRemediation/doc_files/External_Login_Password_Spray.png
diff --git a/Packs/Core/doc_files/Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.png b/Packs/CortexResponseAndRemediation/doc_files/Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.png
similarity index 100%
rename from Packs/Core/doc_files/Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.png
rename to Packs/CortexResponseAndRemediation/doc_files/Msiexec_execution_of_an_executable_from_an_uncommon_remote_location.png
diff --git a/Packs/Core/doc_files/Remote_WMI_Process_Execution.png b/Packs/CortexResponseAndRemediation/doc_files/Remote_WMI_Process_Execution.png
similarity index 100%
rename from Packs/Core/doc_files/Remote_WMI_Process_Execution.png
rename to Packs/CortexResponseAndRemediation/doc_files/Remote_WMI_Process_Execution.png
diff --git a/Packs/Core/doc_files/SSO_Brute_Force.png b/Packs/CortexResponseAndRemediation/doc_files/SSO_Brute_Force.png
similarity index 100%
rename from Packs/Core/doc_files/SSO_Brute_Force.png
rename to Packs/CortexResponseAndRemediation/doc_files/SSO_Brute_Force.png
diff --git a/Packs/Core/doc_files/SSO_Password_Spray.png b/Packs/CortexResponseAndRemediation/doc_files/SSO_Password_Spray.png
similarity index 100%
rename from Packs/Core/doc_files/SSO_Password_Spray.png
rename to Packs/CortexResponseAndRemediation/doc_files/SSO_Password_Spray.png
diff --git a/Packs/Core/doc_files/Scheduled_task_created_with_HTTP_or_FTP_reference.png b/Packs/CortexResponseAndRemediation/doc_files/Scheduled_task_created_with_HTTP_or_FTP_reference.png
similarity index 100%
rename from Packs/Core/doc_files/Scheduled_task_created_with_HTTP_or_FTP_reference.png
rename to Packs/CortexResponseAndRemediation/doc_files/Scheduled_task_created_with_HTTP_or_FTP_reference.png
diff --git a/Packs/Core/doc_files/Successful_guest_user_invitation.png b/Packs/CortexResponseAndRemediation/doc_files/Successful_guest_user_invitation.png
similarity index 100%
rename from Packs/Core/doc_files/Successful_guest_user_invitation.png
rename to Packs/CortexResponseAndRemediation/doc_files/Successful_guest_user_invitation.png
diff --git a/Packs/Core/doc_files/Suspicious_Hidden_User_Created.png b/Packs/CortexResponseAndRemediation/doc_files/Suspicious_Hidden_User_Created.png
similarity index 100%
rename from Packs/Core/doc_files/Suspicious_Hidden_User_Created.png
rename to Packs/CortexResponseAndRemediation/doc_files/Suspicious_Hidden_User_Created.png
diff --git a/Packs/Core/doc_files/Suspicious_LDAP_search_query.png b/Packs/CortexResponseAndRemediation/doc_files/Suspicious_LDAP_search_query.png
similarity index 100%
rename from Packs/Core/doc_files/Suspicious_LDAP_search_query.png
rename to Packs/CortexResponseAndRemediation/doc_files/Suspicious_LDAP_search_query.png
diff --git a/Packs/Core/doc_files/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.png b/Packs/CortexResponseAndRemediation/doc_files/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.png
similarity index 100%
rename from Packs/Core/doc_files/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.png
rename to Packs/CortexResponseAndRemediation/doc_files/Suspicious_SaaS_Access_From_a_TOR_Exit_Node.png
diff --git a/Packs/Core/doc_files/Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.png b/Packs/CortexResponseAndRemediation/doc_files/Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.png
similarity index 100%
rename from Packs/Core/doc_files/Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.png
rename to Packs/CortexResponseAndRemediation/doc_files/Suspicious_process_execution_by_scheduled_task_on_a_sensitive_server.png
diff --git a/Packs/Core/doc_files/Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high-risk_process.png b/Packs/CortexResponseAndRemediation/doc_files/Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high-risk_process.png
similarity index 100%
rename from Packs/Core/doc_files/Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high-risk_process.png
rename to Packs/CortexResponseAndRemediation/doc_files/Uncommon_creation_or_access_operation_of_sensitive_shadow_copy_by_a_high-risk_process.png
diff --git a/Packs/Core/doc_files/Uncommon_remote_scheduled_task_created.png b/Packs/CortexResponseAndRemediation/doc_files/Uncommon_remote_scheduled_task_created.png
similarity index 100%
rename from Packs/Core/doc_files/Uncommon_remote_scheduled_task_created.png
rename to Packs/CortexResponseAndRemediation/doc_files/Uncommon_remote_scheduled_task_created.png
diff --git a/Packs/Core/doc_files/Unprivileged_process_opened_a_registry_hive.png b/Packs/CortexResponseAndRemediation/doc_files/Unprivileged_process_opened_a_registry_hive.png
similarity index 100%
rename from Packs/Core/doc_files/Unprivileged_process_opened_a_registry_hive.png
rename to Packs/CortexResponseAndRemediation/doc_files/Unprivileged_process_opened_a_registry_hive.png
diff --git a/Packs/Core/doc_files/Unsigned_and_unpopular_process_performed_an_injection.png b/Packs/CortexResponseAndRemediation/doc_files/Unsigned_and_unpopular_process_performed_an_injection.png
similarity index 100%
rename from Packs/Core/doc_files/Unsigned_and_unpopular_process_performed_an_injection.png
rename to Packs/CortexResponseAndRemediation/doc_files/Unsigned_and_unpopular_process_performed_an_injection.png
diff --git a/Packs/Core/doc_files/User_added_to_local_administrator_group_using_a_PowerShell_command.png b/Packs/CortexResponseAndRemediation/doc_files/User_added_to_local_administrator_group_using_a_PowerShell_command.png
similarity index 100%
rename from Packs/Core/doc_files/User_added_to_local_administrator_group_using_a_PowerShell_command.png
rename to Packs/CortexResponseAndRemediation/doc_files/User_added_to_local_administrator_group_using_a_PowerShell_command.png
diff --git a/Packs/CortexResponseAndRemediation/pack_metadata.json b/Packs/CortexResponseAndRemediation/pack_metadata.json
new file mode 100644
index 000000000000..8127c4c74649
--- /dev/null
+++ b/Packs/CortexResponseAndRemediation/pack_metadata.json
@@ -0,0 +1,23 @@
+{
+ "name": "Cortex Response And Remediation",
+ "description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes. Built to support an Autonomous SOC vision.",
+ "support": "xsoar",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": [
+ "Case Management",
+ "Endpoint",
+ "Cloud Security",
+ "Email"
+ ],
+ "tags": [
+ "Palo Alto Networks Products"
+ ],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
+}
\ No newline at end of file
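Review bot: The `description` value in the new pack_metadata.json ends in a sentence fragment ("...remediation processes. Built to support an Autonomous SOC vision.") and does not match the wording the same commit puts in the pack README, which joins the two clauses with a comma; since marketplace listings render this string verbatim, I would align it to the README text: `"description": "The Cortex Response & Remediation Pack delivers a powerful collection of automated playbooks designed to streamline incident response and remediation processes, built to support an Autonomous SOC vision.",`. The file is also committed without a trailing newline (`\ No newline at end of file`), which the repository's other JSON files presumably carry and which keeps future diffs clean. Whether `"email": ""` is required by the pack schema or could simply be omitted I cannot tell from the hunk; if the key is optional, dropping it avoids an empty-string sentinel.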