Skip to main content

Cortex XDR - Malware Investigation

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Investigates a Cortex XDR incident containing internal malware alerts. The playbook:

  • Enriches the infected endpoint details.
  • The analyst can manually retrieve the malicious file.
  • Performs file detonation.

The playbook is used as a sub- playbook in ‘Cortex XDR Incident Handling - v2’.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR - Retrieve File v2
  • Detonate File - Generic


  • Cortex XDR - IR


  • SetMultipleValues


  • xdr-get-endpoints

Playbook Inputs#

NameDescriptionDefault ValueRequired
xdr_alert_idUnique ID for the XDR alert.Optional
host_ipHost IP involved in the alert.Optional
file_nameThe name of the malicious file.Optional
file_sha256SHA-256 hash of the file.Optional
file_pathFull Path of the file.Optional
endpoint_idthe endpoint_idOptional

Playbook Outputs#

Joe.AnalysisThe Analysis object.unknown
FileThe File's object.unknown
File.MaliciousThe malicious file's description.unknown
DBotScoreThe indicator's object.unknown
IPIP objects.unknown
DBotScore.MaliciousDbot Score malicious information.unknown
SampleSample data object.unknown
InfoFileThe report file's object.unknown
WildFireWildfire analysis object.unknown
WildFire.ReportThe submission object.unknown
JoeJoe Sandbox analysis object.unknown
Cuckoo.TaskCuckoo task object.unknown
SNDBOX.AnalysisSNDBOX analysis.unknown
HybridAnalysis.SubmitThe HybridAnalysis object.unknown
ANYRUN.TaskANYRUN task object.unknown
ANYRUN.Task.BehaviorANYRUN task behavior.unknown
ANYRUN.Task.ConnectionANYRUN task connection.unknown
ANYRUN.Task.DnsRequestANYRUN task DNS request.unknown
ANYRUN.Task.ThreatANYRUN task threat.unknown
ANYRUN.Task.HttpRequestANYRUN task HTTP request.unknown
ANYRUN.Task.ProcessANYRUN task process information.unknown
ANYRUN.Task.Process.VersionANYRUN task process version.unknown
PaloAltoNetworksXDR.Incident.shouldRetrieveFileFiles hashes which are not present and were marked as "not retrieve" by the user.unknown

Playbook Image#

Cortex XDR - Malware Investigation