Cortex XDR - Malware Investigation
This playbook is part of the Cortex XDR by Palo Alto Networks Pack.
Investigates a Cortex XDR incident containing internal malware alerts. The playbook:
- Enriches the infected endpoint details.
- Lets the analyst manually retrieve the malicious file.
- Performs file detonation.
The playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.
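To make the three stages concrete, here is an added example (not the playbook's own code, and not part of the Cortex XDR pack) that models how a sub-playbook of this shape sequences its work: it maps the playbook inputs to the enrichment command, gates manual retrieval on a valid SHA-256 and on whether the analyst previously declined the hash (the `PaloAltoNetworksXDR.Incident.shouldRetrieveFile` list), and only schedules detonation once a file is available. The argument names `endpoint_id_list` and `ip_list` for `xdr-get-endpoints`, the `file_present` flag, and all sample values are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# A SHA-256 is 64 hex characters; anything else must not reach retrieval or detonation.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# A planned step: (command or sub-playbook name, arguments).
Step = Tuple[str, Dict[str, str]]


def build_enrichment_args(endpoint_id: Optional[str], host_ip: Optional[str]) -> Dict[str, str]:
    """Map playbook inputs to xdr-get-endpoints arguments.

    The endpoint ID is preferred: an IP can be reassigned (DHCP) or shared (NAT),
    so enriching by IP alone may describe the wrong host.
    Argument names are assumed for this example.
    """
    if endpoint_id:
        return {"endpoint_id_list": endpoint_id}
    if host_ip:
        return {"ip_list": host_ip}
    raise ValueError("enrichment needs endpoint_id or host_ip")


def plan_steps(inputs: Dict[str, Optional[str]], file_present: bool,
               declined_hashes: List[str]) -> List[Step]:
    """Return the ordered steps the investigation should run.

    file_present    -- whether the file already exists in the War Room (assumed flag).
    declined_hashes -- hashes the analyst marked as "not retrieve", i.e. the
                       PaloAltoNetworksXDR.Incident.shouldRetrieveFile output.
    """
    steps: List[Step] = [
        ("xdr-get-endpoints",
         build_enrichment_args(inputs.get("endpoint_id"), inputs.get("host_ip"))),
    ]

    sha = (inputs.get("file_sha256") or "").strip()
    if not SHA256_RE.match(sha):
        # Without a usable hash there is nothing to retrieve or detonate.
        return steps
    sha = sha.lower()

    if not file_present:
        # Respect the analyst's earlier decision: do not prompt again for a declined hash.
        if sha in {h.lower() for h in declined_hashes}:
            return steps
        steps.append(("Cortex XDR - Retrieve File v2", {
            "endpoint_id": inputs.get("endpoint_id") or "",
            "file_path": inputs.get("file_path") or "",
        }))

    # Detonation runs only after the file is present (or has just been retrieved).
    steps.append(("Detonate File - Generic", {"file_sha256": sha}))
    return steps


# Constructed sample inputs mirroring the playbook's input table.
SAMPLE_INPUTS: Dict[str, Optional[str]] = {
    "xdr_alert_id": "ALERT-EXAMPLE-1",
    "endpoint_id": "endpoint-example-01",
    "host_ip": "10.0.0.5",
    "file_name": "invoice.exe",
    "file_path": "C:\\Users\\Public\\invoice.exe",
    "file_sha256": "0123456789abcdef" * 4,
}

if __name__ == "__main__":
    for name, args in plan_steps(SAMPLE_INPUTS, file_present=False, declined_hashes=[]):
        print(name, args)
```

Running the block prints the three stages in order for the sample incident; passing the sample hash in `declined_hashes` collapses the plan to enrichment only, which is the behaviour the `shouldRetrieveFile` output exists to support.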
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Cortex XDR - Retrieve File v2
- Detonate File - Generic
Integrations
- Cortex XDR - IR
Scripts
- SetMultipleValues
Commands
- xdr-get-endpoints
Playbook Inputs
| Name | Description | Default Value | Required |
|---|---|---|---|
| xdr_alert_id | Unique ID for the XDR alert. | | Optional |
| host_ip | Host IP involved in the alert. | | Optional |
| file_name | The name of the malicious file. | | Optional |
| file_sha256 | SHA-256 hash of the file. | | Optional |
| file_path | Full path of the file. | | Optional |
| endpoint_id | The endpoint ID. | | Optional |
Playbook Outputs
| Path | Description | Type |
|---|---|---|
| Joe.Analysis | The Analysis object. | unknown |
| File | The File object. | unknown |
| File.Malicious | The malicious file's description. | unknown |
| DBotScore | The indicator's object. | unknown |
| IP | IP objects. | unknown |
| DBotScore.Malicious | DBotScore malicious information. | unknown |
| Sample | Sample data object. | unknown |
| InfoFile | The report file's object. | unknown |
| WildFire | WildFire analysis object. | unknown |
| WildFire.Report | The submission object. | unknown |
| Joe | Joe Sandbox analysis object. | unknown |
| Cuckoo.Task | Cuckoo task object. | unknown |
| SNDBOX.Analysis | SNDBOX analysis. | unknown |
| HybridAnalysis.Submit | The HybridAnalysis object. | unknown |
| ANYRUN.Task | ANYRUN task object. | unknown |
| ANYRUN.Task.Behavior | ANYRUN task behavior. | unknown |
| ANYRUN.Task.Connection | ANYRUN task connection. | unknown |
| ANYRUN.Task.DnsRequest | ANYRUN task DNS request. | unknown |
| ANYRUN.Task.Threat | ANYRUN task threat. | unknown |
| ANYRUN.Task.HttpRequest | ANYRUN task HTTP request. | unknown |
| ANYRUN.Task.Process | ANYRUN task process information. | unknown |
| ANYRUN.Task.Process.Version | ANYRUN task process version. | unknown |
| PaloAltoNetworksXDR.Incident.shouldRetrieveFile | File hashes that are not present and were marked as "not retrieve" by the user. | unknown |
Playbook Image
