Cortex XDR - Retrieve File by sha256
This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is a sub-playbook for the Cortex XDR malware investigation flow. In this playbook, we are retrieving multiple files from the investigated device (using the Device ID incident field), based on their SHA256.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
Cortex XDR - Get File Path from alerts by hash
Integrations#
CortexXDRIR
Scripts#
- UnzipFile
- isError
Commands#
xdr-file-retrieve
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| Sha256 | SHA256 for the file to be retrieved. | Optional |
Playbook Outputs#
| Path | Description | Type |
|---|---|---|
| File | Retrieve the file details command results. | unknown |
| File.Name | The full file name (including the file extension). | String |
| File.EntryID | The ID for locating the file in the War Room. | String |
| File.Size | The size of the file in bytes. | Number |
| File.MD5 | The MD5 hash of the file. | String |
| File.SHA1 | The SHA1 hash of the file. | String |
| File.SHA256 | The SHA256 hash of the file. | String |
| File.SHA512 | The SHA512 hash of the file. | String |
| File.Extension | The file extension. For example, 'xls'. | String |
| File.Type | The file type, as determined by libmagic (same as displayed in the file entries). | String |
Playbook Image#
