Malware Investigation and Response

Malware is one of the most common cybersecurity challenges facing businesses today. It causes data breaches, hardware failures, and inoperable computers and system networks that can be extremely costly to recover.
Malware investigations require security teams to reconcile data from multiple security products like EDRs, sandboxes, malware analysis tools, and threat intelligence providers. Manual investigation wastes valuable time when malware may be propagating within an organization.

The Malware Investigation & Response content pack accelerates the investigation process for endpoint malware incidents and alerts by collecting evidence of malicious behaviors from telemetry data available through EDRs and processing malware analysis reports through sandboxes. Incident layouts also include buttons to remediate activities quickly.

The pack closely maps evidence to MITRE ATT&CK to uncover evidence of:

  • Persistence (for example, registry and scheduled jobs)
  • Evasion or tampering (for example, service stop and process kill)
  • Lateral movement (for example, network connections and file share enumeration)
  • PowerShell abuse and command-line analysis
  • Digitally signed files

What Does This Pack Do?

  • Provides forensic data, including running processes and open network connections at alert detection time.
  • Retrieves files and detonates them in sandboxes.
  • Analyzes process command line strings to identify suspicious behavior.
  • Processes select sandbox reports and visualizes the results in layouts.
  • Extracts indicators and provides threat intelligence enrichment.
  • Tags malicious and benign indicators for allow and deny lists for threat prevention and false-positive management.
  • Mirrors incidents between the EDR and Cortex XSOAR and enables incident closure with the EDR.
  • Supports aggregating incidents from EDRs, including multiple alerts and files.
  • Supports fetching malware incidents either from the EDR product or from a SIEM solution.

Getting Started / How to Set up the Pack

Use the Deployment Wizard (Available for version 6.8)

For a better user experience and easier onboarding, use the Deployment Wizard after installing the content pack on the Marketplace page in Cortex XSOAR (available for version 6.8).

Manually Configure Your Use Case

For manual configuration, it is recommended to configure your integration instance to use:

Fetch Data from an EDR integration

  1. In Marketplace, select a fetching integration (for more details on supported EDR integrations, check the Endpoint Integrations section):
    1. PaloAlto Cortex XDR
    2. Microsoft Defender For Endpoint
    3. CrowdStrike Falcon
  2. In the Settings > Integrations tab, configure your fetching integration instance.
    Note:
    Set Fetch Incidents to true and set the Incident Type to Malware Investigation and Response (for Cortex XDR - you should use the classifier Cortex XDR Incident Handler - Classifier instead of the incident type).
  3. Review the master playbook inputs. These inputs control key features in the investigation process.

Fetch Data from a SIEM

If you prefer fetching incidents using a SIEM integration, you need to perform the following steps.

  1. Before you start: Set up your relevant EDR integration. For more details on supported EDR integrations, check the Endpoint Integrations section.

  2. Through your SIEM integration mapper, map the following fields to retrieve all required information:

    • Original alert ID mapped to the External System ID incident field.
    • Incident type mapped to the External Category Name incident field. For example, in CrowdStrike you have two different types - Detections and Incidents.

    If you do not want to update your current mapper, change the following playbook inputs to the preferred Alert ID and the Incident Type incident fields in the master playbook (Malware Investigation and Response Incident Handler):

    • SIEMincidentFieldForID
    • SIEMincidentFieldForType
  3. Validate the relevant EDR integration is enabled.

  4. Ensure the relevant incoming incidents are assigned the 'Malware Investigation And Response' incident type (through the SIEM Classifier).

Additional Integrations

Mitre ATT&CK

The Mitre Att&ck integration enables easy classification for investigated incidents and better understanding of the current stage in the kill chain phase. The Mitre Att&ck integration ingests enriched information about the found techniques associated with the incident.
Information on findings is presented in the layout in the Investigation Summary and Detailed Investigation sections.

You need to enable this integration (you can optionally enable the fetching setting in advance).

Related Playbook: Mitre Attack - Extract Technique Information From ID

Sandbox Integrations

Palo Alto Networks WildFire (Optional)

The Palo Alto Networks WildFire sandbox integration enables you to automatically identify unknown threats by detonating unknown files. It also stops attacks by dynamically analyzing files.

CrowdStrike FalconX (Optional)

The CrowdStrike FalconX sandbox integration enables you to automatically identify unknown threats by detonating unknown files and retrieving report information. It also stops attacks by dynamically analyzing files.

Ticketing Systems

As part of the True positive flow, the True Positive Incident Handling playbooks (each vendor has its own) enable opening tickets in relevant IT ticketing systems in order to re-image affected hosts. The inputs that enable using ticketing systems are specified in the main Malware Investigation & Response Incident Handler playbook (TicketingSystemToUse and TicketProjectName). The ticket description is derived from the confirmation whether a true/false positive task exists for each of the EDR vendor-specific playbooks.

ServiceNow (Optional)

The ServiceNow integration enables creating and managing tickets in ServiceNow.

Jira (Optional)

The Jira integration enables creating and managing tickets in Jira.

Layouts

  • Incident info
    This tab provides an overview for the incident and easy remediation actions to be performed by the analyst.

  • Investigation
    This tab dives into the investigation process, providing details such as enriched information about indicators and alerts.

  • Forensics
    This tab provides forensics information collected from the endpoint. Here you can check the Process list and Netstat information collected from the investigated endpoint.

Layout Feature Support Summary

The primary layout is the standard and common layout for all supported vendors; however, certain features are not available for some vendors. The table below summarizes the support for each vendor per layout feature.

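| Type            | Name                         | Microsoft Defender For Endpoint | CrowdStrike Falcon | Cortex XDR |
|-----------------|------------------------------|---------------------------------|--------------------|------------|
| Button          | Kill Process                 | ❌                              | ✅*                | ✅**       |
| Button          | Delete file                  | ✅                              | ✅                 | ✅         |
| Button          | Isolate / Unisolate endpoint | ✅                              | ✅                 | ✅         |
| Dynamic Section | Process List                 | ❌                              | ✅                 | ✅         |
| Dynamic Section | Netstat Information          | ❌                              | ✅                 | ❌         |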

*Only supports 'file path'
**Only supports 'file name'

Endpoint Integrations

Create integration instances from the following content packs.

  • Palo Alto Networks Cortex XDR - Investigation and Response

    Main Playbook: Cortex XDR Malware - Investigation And Response

    Noteworthy feature in this pack:

    • Hunting for Dedicated Insights

      XDR Insights are suspicious activity detections that occur from a rule and are observed and enriched on a dedicated endpoint. This playbook searches for dedicated Insights by filtering them through Mitre Techniques and the investigated endpoint.

      Related Playbook: Cortex XDR - Endpoint Investigation

  • Microsoft Defender For Endpoint

    Main Playbook: MDE Malware - Investigation and Response

    Noteworthy features in this pack:

    • Advanced Hunting
      Microsoft Defender For Endpoint provides advanced features to query your integration instance and search for information. This playbook uses pre-defined commands, enrichment logic, and tagging results as incident evidence.

      Related playbook: MDE - Host Advanced Hunting

    • Pro-Active Incident Investigation
      The analyst can run the following pro-active incident investigation actions, which can be automated using playbook inputs:

      • Running an automated investigation.
      • Running an antivirus full scan on the endpoint.
      • Collecting an Investigation Package (forensics).

      Related playbook: MDE - Pro-Active Actions

      Note:
      Some playbook inputs can be configured on the MDE Malware - Investigation and Response playbook.

  • CrowdStrike Falcon

    Main Playbook: CrowdStrike Falcon Malware - Investigation and Response

    Noteworthy features in this pack:

    • Allow and Block IOCs Per Device Group

      Due to the complexity of managing multiple devices and exclusions, a policy may require certain modifications to fit each device group. This playbook enables choosing which device groups (specific or all groups) will be affected by your exclusions. To enable these settings, use the ApplyOCGlobally and HostGroupName playbook inputs which can be defined in the CrowdStrike Falcon - True Positive Incident Handling and CrowdStrike Falcon - False Positive Incident Handling playbooks.

    • Pivoting from CrowdStrike Detections to Incidents

      CrowdStrike Falcon has detections, which are single alerts, and incidents, which can contain multiple detections. The CrowdStrike Falcon integration supports fetching incidents as well as detections. Since the data provided for fetched CrowdStrike incidents is limited, the pack contains the CrowdStrike Falcon - Get Detections by Incident playbook, which enables listing CrowdStrike detections that are associated with a CrowdStrike incident and adding all the relevant data from the detections to the Cortex XSOAR incident.

Notes:

  • The main playbooks contain most of the common playbook inputs across vendor playbooks; however, specific vendor inputs are not in the main playbook. For example:

  • Cortex XSOAR supports pre-processing rules for incidents, which can handle incidents that share the same incident information by using an exact value match (for example for alert names, IPs, and hashes).

  • Cortex XSOAR also supports deduplication, which uses a configurable similarity setting and not just an exact value match. Mirroring functionality can help with deduplication since it enables handling incidents in Cortex XSOAR with automatic updates to the incidents in your EDR consoles and vice-versa (check your EDR pack in advance if it supports mirroring).
    For more details about deduplication, check the Dedup - Generic V4 playbook. Some of the deduplication inputs are exposed in the master playbook, and some are exposed through each vendor's main playbook. For example:

    • DedupSimilarTextField
    • DedupMinimunIncidentSimilarity
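
The difference between exact-match pre-processing and similarity-based deduplication described above, as an added example that is not code from the pack or from Cortex XSOAR. It uses Jaccard token overlap as a stand-in similarity measure (an assumption, not the Dedup - Generic V4 algorithm); the function names, the `text_field` and `min_similarity` parameters, and the incidents are constructed for illustration.

```python
import re

# Constructed sample incidents (illustrative only, not real telemetry).
PS = r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\upd_{}.ps1"
INCIDENTS = [
    {"id": 1, "name": "Suspicious PowerShell", "sha256": "a" * 64, "cmdline": PS.format(1)},
    {"id": 2, "name": "Suspicious PowerShell", "sha256": "a" * 64, "cmdline": PS.format(1)},
    {"id": 3, "name": "Suspicious PowerShell", "sha256": "b" * 64, "cmdline": PS.format(2)},
    {"id": 4, "name": "Scheduled task created", "sha256": "c" * 64,
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\ProgramData\u.exe /sc onlogon"},
]

def tokens(text):
    """Lowercased alphanumeric tokens of a free-text field."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def jaccard(a, b):
    """Token-set overlap in [0, 1]; stand-in for a real similarity score."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 1.0

def exact_dedup(incidents, keys):
    """Map duplicate id -> original id when every key field matches exactly."""
    seen, dups = {}, {}
    for inc in incidents:
        k = tuple(inc[f] for f in keys)
        if k in seen:
            dups[inc["id"]] = seen[k]
        else:
            seen[k] = inc["id"]
    return dups

def similar_dedup(incidents, text_field, min_similarity):
    """Map duplicate id -> original id when text similarity meets the threshold."""
    kept, dups = [], {}
    for inc in incidents:
        match = next((k for k in kept
                      if jaccard(k[text_field], inc[text_field]) >= min_similarity), None)
        if match is not None:
            dups[inc["id"]] = match["id"]
        else:
            kept.append(inc)
    return dups

if __name__ == "__main__":
    print("exact      :", exact_dedup(INCIDENTS, ("name", "sha256")))
    print("sim >= 0.80:", similar_dedup(INCIDENTS, "cmdline", 0.80))
    # A threshold set too low folds the unrelated schtasks incident into incident 1.
    print("sim >= 0.05:", similar_dedup(INCIDENTS, "cmdline", 0.05))
```

Exact matching misses incident 3, which differs only in hash and script name, while an overly low threshold merges the unrelated incident 4; review the threshold before combining it with a handling action that closes incidents.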

Pack Disclaimers

  1. The current layout shows only one item being searched (for example, one endpoint or one file SHA256) even though the logic is running and analyzing all the relevant information and performing enrichment on all the items.
  2. Some actions are irreversible. For example, the analyst should be careful when deleting files since deleting a file cannot be reversed (do not delete explorer.exe from the investigated device).
  3. The logic supports only Microsoft Windows OS platforms. However, certain parts of the playbooks can analyze and provide information on other operating systems. For example, the sandbox section can run on Linux, Mac, Android, and others.
  4. Keep in mind that setting the DedupHandleSimilar input to 'Close' may permanently close incidents with status 'Pending'. This means you cannot reopen those incidents (however, you may 'Delete' or 'Mark as Duplicate').