Malware Investigation and Response
Malware is one of the most common cybersecurity challenges facing businesses today. It causes data breaches, hardware failures, and inoperable computers and networks that can be extremely costly to recover.
Malware investigations require security teams to reconcile data from multiple security products like EDRs, sandboxes, malware analysis tools, and threat intelligence providers.
Manual investigation wastes valuable time while malware may be propagating within an organization.
The Malware Investigation & Response content pack accelerates the investigation process for endpoint malware incidents and alerts by collecting evidence of malicious behavior from telemetry data available through EDRs and processing malware analysis reports through sandboxes. Incident layouts also include buttons to remediate activities quickly.
The pack closely maps evidence to MITRE ATT&CK to uncover evidence of:
- Persistence (for example, registry and scheduled jobs)
- Evasion or tampering (for example, service stop and process kill)
- Lateral movement (for example, network connections and file share enumeration)
- PowerShell abuse and command-line analysis
- Digitally signed files
What Does This Pack Do?
- Provides forensic data, including running processes and open network connections at alert detection time.
- Retrieves files and detonates them in sandboxes.
- Analyzes process command line strings to identify suspicious behavior.
- Processes select sandbox reports and visualizes the results in layouts.
- Extracts indicators and provides threat intelligence enrichment.
- Tags malicious and benign indicators for allow and deny lists for threat prevention and false-positive management.
- Mirrors incidents between the EDR and Cortex XSOAR and enables incident closure with the EDR.
- Supports aggregating incidents from EDRs, including multiple alerts and files.
- Supports fetching malware incidents either from the EDR product or from a SIEM solution.
- Enriches information on the account associated with the incident/alert.
- Leverages other security tools that search for extracted IOCs to identify additional threat activity.
- Utilizes various SLA timers such as triage and containment SLAs.
Getting Started / How to Set up the Pack
Use the Deployment Wizard (Available for version 6.8)
For a better user experience and easier onboarding, use the Deployment Wizard after installing the content pack on the Marketplace page in Cortex XSOAR (Available from version 6.8).
Manually Configure Your Use Case
For manual configuration, it is recommended to configure your integration instance to use:
- The primary playbook: Malware Investigation and Response Incident Handler (Available from version 6.5)
- The primary incident type: Malware Investigation and Response (Available from version 6.5)
Fetch Data from an EDR integration
- In Marketplace, select a fetching integration (for more details on supported EDR integrations, check the Endpoint Integrations section):
  - PaloAlto Cortex XDR
  - Microsoft Defender For Endpoint
  - CrowdStrike Falcon
- In the Settings > Integrations tab, configure your fetching integration instance.
CrowdStrike Falcon & Microsoft Defender For Endpoint
Setting | Value |
---|---|
Fetch Incidents | true |
Incident Type | Malware Investigation and Response |
Classifier | null |
Cortex XDR by Palo Alto Networks
Setting | Value |
---|---|
Fetch Incidents | true |
Incident Type | null |
Classifier | Cortex XDR Incident Handler - Classifier |
- Review the master playbook inputs. These inputs control key features in the investigation process.
Fetch Data from a SIEM
If you prefer fetching incidents using a SIEM integration, you need to perform the following steps.
Before you start: Set up your relevant EDR integration. For more details on supported EDR integrations, check the Endpoint Integrations section.
Through your SIEM integration mapper, map the following fields to retrieve all required information:
- Original alert ID mapped to the External System ID incident field.
- Incident type mapped to the External Category Name incident field. For example, in CrowdStrike you have two different types - Detections and Incidents.
If you do not want to update your current mapper, change the following playbook inputs to the preferred Alert ID and the Incident Type incident fields in the master playbook (Malware Investigation and Response Incident Handler):
- SIEMincidentFieldForID
- SIEMincidentFieldForType
Validate the relevant EDR integration is enabled.
Ensure the relevant incoming incidents are assigned the 'Malware Investigation And Response' incident type (through the SIEM Classifier).
Additional Integrations
Mitre ATT&CK (Optional but highly recommended)
The MITRE ATT&CK integration enables easy classification of investigated incidents and a better understanding of the current kill chain phase. The MITRE ATT&CK integration ingests enriched information about the techniques found to be associated with the incident.
Information on findings is presented in the layout in the Investigation Summary and Detailed Investigation sections.
You need to enable this integration (you can optionally enable the fetching setting in advance).
Related Playbook: Mitre Attack - Extract Technique Information From ID
Sandbox Integrations
Palo Alto Networks WildFire (Optional)
The Palo Alto Networks WildFire sandbox integration enables you to automatically identify unknown threats by detonating unknown files. It also stops attacks by dynamically analyzing files.
CrowdStrike Falcon Intelligence Sandbox (Optional)
The CrowdStrike Falcon Intelligence Sandbox integration enables you to automatically identify unknown threats by detonating unknown files and retrieving report information. It also stops attacks by dynamically analyzing files.
Joe Security (Optional)
The Joe Security sandbox integration enables you to automatically identify unknown threats by detonating unknown files and retrieving report information. It also stops attacks by dynamically analyzing files.
Ticketing Systems
As part of the True positive flow, the True Positive Incident Handling playbooks (each vendor has its own) enable opening tickets in relevant IT ticketing systems to re-image affected hosts. The inputs that enable using ticketing systems are specified in the main Malware Investigation & Response Incident Handler playbook (TicketingSystemToUse and TicketProjectName). The ticket description is derived from the confirmation whether a true/false positive task exists for each of the EDR vendor-specific playbooks.
ServiceNow (Optional)
The ServiceNow integration enables creating and managing tickets in ServiceNow.
Jira (Optional)
The Jira integration enables creating and managing tickets in Jira.
Layouts
Incident info
This tab provides an overview for the incident and easy remediation actions to be performed by the analyst.
Investigation
This tab dives into the investigation process, providing details such as enriched information about indicators and alerts.
Forensics
This tab provides forensics information collected from the endpoint. Here you can check the Process list and Netstat information collected from the investigated endpoint.
Layout Feature Support Summary
The primary layout is the standard and common layout for all supported vendors, however certain features are not available for some vendors. The table below summarizes the support for each vendor per layout feature.
Type | Name | Microsoft Defender For Endpoint | CrowdStrike Falcon | Cortex XDR |
---|---|---|---|---|
Button | Kill Process | โ | โ * | โ ** |
Button | Delete file | โ | โ | โ |
Button | Isolate / Unisolate endpoint | โ | โ | โ |
Dynamic Section | Disable Account in IDP | โ | โ | โ |
Dynamic Section | Process List | โ | โ | โ |
Dynamic Section | Netstat Information | โ | โ | โ |
*Only supports 'file path'
**Only supports 'file name'
Endpoint Integrations
Create integration instances from the following content packs.
Palo Alto Networks Cortex XDR - Investigation and Response
Main Playbook: Cortex XDR Malware - Investigation And Response
Noteworthy feature in this pack:
Hunting for Dedicated Insights
XDR Insights are suspicious activity detections that occur from a rule and are observed and enriched on a dedicated endpoint. This playbook searches for dedicated Insights by filtering them through Mitre Techniques and the investigated endpoint.
Related Playbook: Cortex XDR - Endpoint Investigation
Microsoft Defender For Endpoint
Main Playbook: MDE Malware - Investigation and Response
Noteworthy features in this pack:
Advanced Hunting
Microsoft Defender For Endpoint provides advanced features to query your integration instance to search for information. This playbook uses pre-defined commands, enrichment logic, and tagging results as incident evidence. In addition, you may choose to use BYOQ (Bring Your Own Queries) with the incident fields, without detaching the playbook. For example, see the !microsoft-atp-advanced-hunting command or the QuaerBatch input hint.
Related playbook: MDE - Host Advanced Hunting
Pro-Active Incident Investigation
The analyst can run the following pro-active incident investigation actions, which can be automated using playbook inputs:
- Running an automated investigation.
- Running an antivirus full scan on the endpoint.
- Collecting an Investigation Package (forensics).
Related playbook: MDE - Pro-Active Actions
Note:
Some playbook inputs can be configured on the MDE Malware - Investigation and Response playbook.
CrowdStrike Falcon
Main Playbook: CrowdStrike Falcon Malware - Investigation and Response
Noteworthy features in this pack:
Allow and Block IOCs Per Device Group
Due to the complexity of managing multiple devices and exclusions, a policy may require certain modifications to fit each device group. This playbook enables choosing which device groups (specific or all groups) will be affected by your exclusions. To enable these settings, use the ApplyIOCGlobally and HostGroupName playbook inputs, which can be defined in the CrowdStrike Falcon - True Positive Incident Handling and CrowdStrike Falcon - False Positive Incident Handling playbooks.
Pivoting from CrowdStrike Detections to Incidents
CrowdStrike Falcon has detections, which are single alerts, and incidents, which can contain multiple detections. The CrowdStrike Falcon integration supports fetching incidents as well as detections. Since the data provided for fetched CrowdStrike incidents is limited, the pack contains the CrowdStrike Falcon - Get Detections by Incident playbook, which enables listing CrowdStrike detections that are associated with a CrowdStrike incident and adding all the relevant data from the detections to the Cortex XSOAR incident.
Notes:
The main playbooks contain most of the common playbook inputs across vendor playbooks, however specific vendor inputs are not in the main playbook. For example:
- In the CrowdStrike Falcon Malware - Investigation and Response playbook, the following inputs are responsible for managing IOCs through the EDR system:
  - HostGroupName
  - ApplyIOCGlobally
- In the MDE Malware - Investigation and Response playbook, the following inputs are responsible for setting up pro-active activities:
  - ActionTask
  - AutoAVScan
  - AutoAutomatedInvestigation
  - AutoCollectinvestigationPackege
Cortex XSOAR supports pre-processing rules for incidents, which can handle incidents that share the same incident information by using an exact value match (for example for alert names, IPs, and hashes).
Cortex XSOAR also supports deduplication, which uses a configurable similarity setting and not just an exact value match. Mirroring functionality can help with deduplication since it enables handling incidents in Cortex XSOAR with automatic updates to the incidents in your EDR consoles and vice-versa (check your EDR pack in advance if it supports mirroring).
For more details about deduplication, check the Dedup - Generic V4 playbook. Some of the deduplication inputs are exposed in the master playbook, and some are through each vendor's main playbook. For example:
- DedupSimilarTextField
- DedupMinimunIncidentSimilarity
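The difference between an exact value match and a similarity threshold, as an added example that is not part of the pack or of Cortex XSOAR. The incidents are constructed, `difflib` stands in for the product's similarity calculation, and the `text_field` and `min_similarity` parameters are hypothetical names that only loosely mirror the DedupSimilarTextField and DedupMinimunIncidentSimilarity inputs.

```python
from difflib import SequenceMatcher

# Constructed sample incidents; names and hosts are made up.
OPEN_INCIDENTS = [
    {"id": 1, "name": "Malware detected on HOST-01: invoice.exe", "host": "HOST-01"},
    {"id": 2, "name": "Malware detected on HOST-01: invoice_copy.exe", "host": "HOST-01"},
    {"id": 3, "name": "Phishing email reported by user", "host": "HOST-07"},
    {"id": 4, "name": "Malware detected on HOST-02: payroll.exe", "host": "HOST-02"},
]
NEW_INCIDENT = {"id": 5, "name": "Malware detected on HOST-01: invoice.exe", "host": "HOST-01"}


def exact_matches(new, candidates, fields):
    """Pre-processing style: every listed field must be identical."""
    return [c["id"] for c in candidates
            if all(c.get(f) == new.get(f) for f in fields)]


def similar_matches(new, candidates, text_field, min_similarity):
    """Deduplication style: text similarity at or above a threshold.

    difflib's ratio is a stand-in here, not XSOAR's similarity calculation.
    Returns (incident id, rounded score) pairs so the margin is visible.
    """
    hits = []
    for c in candidates:
        score = SequenceMatcher(None, new[text_field], c[text_field]).ratio()
        if score >= min_similarity:
            hits.append((c["id"], round(score, 3)))
    return hits


if __name__ == "__main__":
    # Exact match only finds the byte-for-byte identical incident.
    print("exact:", exact_matches(NEW_INCIDENT, OPEN_INCIDENTS, ["name", "host"]))
    # A strict threshold also catches the near-identical file name on the same host.
    print("similar >= 0.9:", similar_matches(NEW_INCIDENT, OPEN_INCIDENTS, "name", 0.9))
    # A looser threshold pulls in incident 4, which is a different host and file.
    print("similar >= 0.8:", similar_matches(NEW_INCIDENT, OPEN_INCIDENTS, "name", 0.8))
```

The last call shows why the minimum similarity deserves tuning before similar incidents are closed automatically: templated alert names score high even when the host and file differ.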
Pack Disclaimers
- The current layout shows only one item being searched (for example, one endpoint or one file SHA256) even though the logic is running and analyzing all the relevant information and performing enrichment on all the items.
- Some actions are irreversible. For example, the analyst should be careful when deleting files since deleting a file cannot be reversed (do not delete explorer.exe from the investigated device).
- The logic supports only Microsoft Windows OS platforms. However, certain parts of the playbooks can analyze and provide information on other operating systems. For example, the sandbox section can run on Linux, Mac, Android, and others.
- Keep in mind that setting the DedupHandleSimilar input to 'Close' may permanently close incidents with status 'Pending'. This means you cannot reopen those incidents (however, you may 'Delete' or 'Mark as Duplicate').