Skip to main content

Endpoint Malware Investigation - Generic V2

The Endpoint Malware Investigation content pack provides a generic framework to handle malware investigation. This pack incorporates the most relevant integrations in Cortex XSOAR for handling malware incidents.

The playbook in this pack includes the following steps:

  • endpoint enrichment
  • file retrieval for reputation enrichment and detonation
  • host forensics
  • enterprise threat hunting,
  • isolation of suspicious endpoints
  • unisolation endpoints after investigation and blocking malicious indicators

These steps provide a solid basis and guidelines for malware investigation.

The new feature in Endpoint Malware Investigation - Generic V2 (available from version 6.1) is the indicators extraction rules. This feature extracts all the relevant fields from incidents in order to run the Endpoint Malware Investigation - Generic V2 playbook properly.

Pack Workflow#

First you need to decide in which incidents to activate the Malware incident type. If you don't have a default playbook or incident type for your endpoint protection integration, this pack could be a good fit. You just need to define the malware incident type for the relevant integration or create a dedicated Classifier.

What's in this Content Pack?#

Playbooks#

There is 1 playbook in this pack. This playbook uses all the other playbooks mentioned in this article.

Endpoint Malware Investigation - Generic V2

This playbook provides a framework for handling a malware investigation through all essential stages. The playbook consists of 7 stages where each stage contains the relevant playbook or tasks.

Enrichment#

The Get endpoint details - Generic playbook uses the generic !endpoint command to retrieve details on specific endpoints.

For additional information, refer to: Get endpoint details - Generic

Retrieve File#

The Retrieve File from Endpoint - Generic V2 playbook retrieves the required file for further investigation. This playbook can retrieve a file by its hash or by its file path.

For additional information, refer to: Retrieve File from Endpoint - Generic V2

Detonation#

Dynamic analysis for suspicious files is a significant stage in every malware incident. The analysis will not only determine if the file is malicious, but also provide indicators for further investigation. The Detonate File - Generic playbook detonates files through active integrations that support file detonation.

For additional information, refer to: Detonate File - Generic

Forensics#

The Get host forensics - Generic playbook provides additional forensics on the investigated host. Currently, this playbook uses only the Illusive network integration.

For additional information, refer to: Get host forensics - Generic

Threat Hunting#

The Threat Hunting - Generic playbook assists in hunting IOCs in your organization as part of the malware investigation.

For additional information, refer to: refer to: Threat Hunting - Generic

Isolation#

The Isolate Endpoint - Generic V2 playbook rapidly isolates the infected host and prevents the threat from spreading throughout your organization.

For additional information, refer to: Isolate Endpoint - Generic V2

Unisolation#

The Unisolate Endpoint - Generic playbook unisolates endpoints according to the endpoint ID or hostname that is provided by the playbook input.

For additional information, refer to: Unisolate Endpoint - Generic

Remediation and Blocking Indicators#

The Block Indicators - Generic v2 playbook blocks the malicious indicators that were discovered during the investigation. The playbook blocks files, IPs, URLs, and user accounts.

For additional information, refer to: Block Indicators - Generic v2

Layouts#

This layout has three tabs:

Incident info tab#

Layout sectionsDescription
Case DetailsInformation that is associated with the incident, such as: Type, Owner, Source Brand, Source instance, Playbook, Severity.
Source DetailsInformation that is associated with the source host of the incident, such as: IP, user, hostname, src OS, etc.
File AttributesInformation regarding the suspicious file that was involved in the incident.
Threat Hunting ResultsResults of the Threat Hunting - Generic playbook.
NotesComments entered by the user regarding the incident.
Team MembersA list of the analysts who participated in this incident.
Timeline InformationInformation regarding the incident timeline, such as: time occurred, last update, closed time, etc.
Child IncidentsIncidents that were created from this incident.
Work PlanInformation regarding the playbook tasks from the Work Plan.
Linked IncidentsIncidents that were linked to the current incident.
Closing InformationInformation regarding the closing of the incident.

Investigation tab#

Layout sectionsDescription
Malware DetailsMalicious file details such as: tactics, technique, command line, etc.
Endpoint detailsDetails of the endpoints that were involved in the investigation.
ForensicsForensic data that was retrieved by the Get host forensics playbook.
Investigation ReportThe investigation summary report.
IndicatorsIndicators that were extracted from the incident.

Similar incidents tab#

Displays information for similar incidents based on the DBotFindSimilarIncidentsByIndicators script.

Layout sectionsDescription
Incident IDThe similar incident ID.
CreatedThe date when the similar incident was created.
NameThe name of the similar incident.
Similarity IncidentThe score for the similarity for the incident.
Parent CMD lineThe arguments in the command line of the parent process.
File PathThe path of the suspicious file.
Command LineThe arguments of the command line that triggered the file.

Before You Start#

Classification and Mapping#

(https://xsoar.pan.dev/docs/incidents/incident-classification-mapping)

To use the Endpoint Malware Investigation - Generic V2 playbook we strongly recommend that you map the playbook for the relevant integration.

  1. Navigate to Settings > Integrations > Classification and Mapping.
  2. Mark the checkbox of the relevant integration that you want to map.
  3. Click Duplicate.

Duplicate

  1. Click the copy you just created.
  2. From the Incident Type dropdown list, select Malware.

Malware

  1. From the Select Instance dropdown list, select the instance that you want to map.

Instance

After selecting your instance the Data fetched JSON will be loaded.

Data-fetched-JSON

  1. Map the relevant fields from the JSON by selecting the keys and clicking Choose data path. See the table in the Auto Extraction section for the fields to map. For information about creating a mapper, see Create a Mapper.

mapping

  1. Click Save Version.
  2. Navigate to Settings > Integration > Servers & Services.
  3. Access the relevant integration instance setting and edit it as follows:
  • From the Incident Type dropdown list, select Malware.
  • For the Mapper, select the mapper you created.

mapping2

Extraction Rules#

(https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-threat-intel-management-guide/manage-indicators/auto-extract-indicators/define-indicator-extraction-rules-for-an-indicator-type.html)

In the 6.1 version a new future was added to XSOAR. The Auto Extract from incidents fields feature extracts indicators from incidents fields and enriches their reputations using commands and scripts defined for the indicator type. You can automatically extract indicators in the following scenarios:

  • When fetching incidents
  • In a playbook task
  • Using the command line

In order for the malware incident type layout to properly display the relevant fields and for the playbook to extract the fields it is important to map the fields as shown in the table below so that they will appear in the malware incident layout.

Refer to the incident classification and mapping documentation for relevant guidance.

Note: Fields that are not mapped will not appear in the layout.

File AttributesSource DetailsMalware Details
File NameSrcCMD
File PathHost NameScenario
File HashSrc NT DomainObjective
MD5Src Operating SystemTactic
SHA1UsersTactic ID
SHA256Technique
File SizeTechnique ID
SignatureDescription

In the Endpoint Malware Investigation - Generic V2 playbook, the indicators are extracted according to the indicators extraction rules of the malware incident type.

To view the indicators that will be extracted:

  1. Navigate to Settings > Advanced > Incidents Types.
  2. Mark the Malware checkbox.
  3. Click Indicator Extraction Rules.

Rules

If you want to edit the indicator extraction rules, you need to detach the Malware incident type. When you finish editing the rules, you must reattach the Malware incident type.

  1. Navigate to Settings > Advanced > Incidents Types.
  2. Mark the Malware checkbox.
  3. Click Detach.

detach

  1. Mark the Malware checkbox.
  2. Click Indicator Extraction Rules.
  3. Edit the rules.
  4. When you are finished editing, click Save.
  5. Mark the Malware checkbox.
  6. (Optional.) Click Reattach. Note that if you reattach the incident type, the next update will override any changes you made to the default playbook and indicator extraction rules.

Integrations#

The following is a list of integrations each playbook/sub-playbook uses.

PlaybookIntegrations
Get endpoint details - Generic- Palo Alto Networks Cortex XDR - Investigation and Response
- CrowdStrike Falcon
Retrieve File from Endpoint - Generic V2- VMware Carbon Black EDR
- VMware Carbon Black EDR - Live Response API
- Cylance Protect v2
Detonate File - Generic- Group-IB TDS Polygon
- JoeSecurity
- Cisco Threat Grid
- McAfee Advanced Threat Defense
- CrowdStrike Falcon Sandbox
- Palo Alto Networks WildFire V2
- Lastline v2
- Cuckoo Sandbox
- SNDBOX
- Hybrid Analysis
- ANY.RUN
- FireEye (AX Series)
- VMRay
Threat Hunting - Generic- SplunkPY
- IBM Qradar
- Palo Alto Networks PAN-OS
- Palo Alto Networks AutoFocus v2
- Cortex Data Lake
Isolate Endpoint - Generic V2- Carbon Black Response
- Cortex XDR
- CrowdStrike Falcon
- FireEye HX
- Cybereason
Unisoloate Endpoint - Generic- Carbon Black Response
- Cortex XDR
- CrowdStrike Falcon
- FireEye HX
- Cybereason
Block Indicators - Generic v2- PAN-OS
- Minemeld
- Cortex XDR
- Cylance Protect v2
- Carbon Black Response
- Palo Alto Networks Traps
- Cybereason
- Active Directory Query V2
- Check Point Firewall V2
- Zscaler
- FortiGate
- Symantec Messaging Gateway