Cortex XDR - Retrieve File by sha256
Cortex XDR by Palo Alto Networks Pack.#
This Playbook is part of theSupported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is a sub-playbook for the Cortex XDR malware investigation flow. In this playbook, we are retrieving multiple files from the investigated device (using the Device ID incident field), based on their SHA256.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooksCortex XDR - Get File Path from alerts by hash
#
IntegrationsCortexXDRIR
#
Scripts- UnzipFile
- isError
#
Commandsxdr-file-retrieve
#
Playbook InputsName | Description | Default Value | Required |
---|---|---|---|
Sha256 | SHA256 for the file to be retrieved. | Optional |
#
Playbook OutputsPath | Description | Type |
---|---|---|
File | Retrieve the file details command results. | unknown |
File.Name | The full file name (including the file extension). | String |
File.EntryID | The ID for locating the file in the War Room. | String |
File.Size | The size of the file in bytes. | Number |
File.MD5 | The MD5 hash of the file. | String |
File.SHA1 | The SHA1 hash of the file. | String |
File.SHA256 | The SHA256 hash of the file. | String |
File.SHA512 | The SHA512 hash of the file. | String |
File.Extension | The file extension. For example, 'xls'. | String |
File.Type | The file type, as determined by libmagic (same as displayed in the file entries). | String |