# Cortex XDR - True Positive Incident Handling

This playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook handles true-positive incident closure for Cortex XDR - Malware Investigation.
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks
- Cortex XDR - delete file
- Cortex XDR - Isolate Endpoint

### Integrations
- CortexXDRIR

### Scripts
- ServiceNowCreateIncident
- IsIntegrationAvailable

### Commands
- setIndicators
- closeInvestigation
- jira-create-issue
- xdr-blocklist-files
## Playbook Inputs

| Name | Description | Default Value | Required |
|---|---|---|---|
| Comment | Comment to add when closing the incident. | XSOAR Incident #${incident.id} | Optional |
| Classification | Possible values: Unknown, TruePositive. | TruePositive | Optional |
| BlockTag | The banning tag name applied to the found indicators. | BlockTag | Optional |
| AutoIsolation | Whether automatic host isolation is allowed. | False | Optional |
| TicketProjectName | The ticket project name (required when the ticketing system is Jira). | | Optional |
| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. | | Optional |
| FileSha256 | The SHA256 of the file to block. | ${incident.filesha256} | Optional |
| HostID | The ID of the host to isolate. | ${incident.deviceid} | Optional |
| FilePaths | The file paths to delete. | ${incident.processpath} | Optional |
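Every step in this playbook except the incident closure is destructive (blocklisting a hash, isolating a host, deleting files), so it is worth seeing how the inputs above gate those actions before anything is run against an endpoint. The following Python sketch is an added example, not the playbook's own logic or any Cortex XSOAR API: it takes a dictionary shaped like the playbook inputs (which arrive as strings in XSOAR, hence the `"True"`/`"False"` handling for `AutoIsolation`), validates `FileSha256`, requires `HostID` plus an enabled `AutoIsolation` before isolation, requires `TicketProjectName` when `TicketingSystemToUse` is Jira, and returns the steps that would be safe to execute along with the ones it skipped and why. The step labels reuse the command and sub-playbook names listed on this page; `plan_response`, `Plan` and the sample inputs are assumptions made for the example.

```python
"""Input gating for the true-positive response steps documented above.
Added example, not the playbook's own logic. Step labels reuse the
command/sub-playbook names from this page; everything else is hypothetical."""
import re
from dataclasses import dataclass, field

# A SHA256 is exactly 64 hex characters; anything else must not reach the blocklist.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")
# Playbook inputs are strings, so the boolean gate has to parse text.
TRUE_VALUES = {"true", "yes", "1"}


@dataclass
class Plan:
    actions: list = field(default_factory=list)   # (step, argument) to run
    skipped: list = field(default_factory=list)   # (step, reason) not run


def _as_bool(value) -> bool:
    return str(value).strip().lower() in TRUE_VALUES


def _as_list(value) -> list:
    """Accept a list or a comma-separated string; drop empty entries."""
    if isinstance(value, str):
        value = value.split(",")
    return [p.strip() for p in (value or []) if p and p.strip()]


def plan_response(inputs: dict) -> Plan:
    """Decide which response steps the given playbook inputs justify."""
    plan = Plan()

    # Only a confirmed true positive justifies destructive response.
    if inputs.get("Classification", "TruePositive") != "TruePositive":
        plan.skipped.append(("all", "classification is not TruePositive"))
        return plan

    # Blocklist + tag the hash only if it is well formed.
    sha = (inputs.get("FileSha256") or "").strip()
    if SHA256_RE.fullmatch(sha):
        plan.actions.append(("xdr-blocklist-files", sha.lower()))
        plan.actions.append(("setIndicators", inputs.get("BlockTag") or "BlockTag"))
    else:
        plan.skipped.append(("xdr-blocklist-files", "FileSha256 missing or not 64 hex chars"))

    # Isolation needs an explicit opt-in and a target host.
    host = (inputs.get("HostID") or "").strip()
    if _as_bool(inputs.get("AutoIsolation", "False")) and host:
        plan.actions.append(("Cortex XDR - Isolate Endpoint", host))
    else:
        plan.skipped.append(("Cortex XDR - Isolate Endpoint", "AutoIsolation disabled or no HostID"))

    # File deletion needs at least one path.
    paths = _as_list(inputs.get("FilePaths"))
    if paths:
        plan.actions.append(("Cortex XDR - delete file", paths))
    else:
        plan.skipped.append(("Cortex XDR - delete file", "no FilePaths"))

    # Ticketing: Jira needs a project name; ServiceNow does not.
    system = (inputs.get("TicketingSystemToUse") or "").strip().lower()
    if system == "jira":
        project = (inputs.get("TicketProjectName") or "").strip()
        if project:
            plan.actions.append(("jira-create-issue", project))
        else:
            plan.skipped.append(("jira-create-issue", "TicketProjectName is required for Jira"))
    elif system == "servicenow":
        plan.actions.append(("ServiceNowCreateIncident", None))
    elif system:
        plan.skipped.append(("ticket", f"unknown ticketing system {system!r}"))

    plan.actions.append(("closeInvestigation", inputs.get("Comment") or ""))
    return plan


if __name__ == "__main__":
    # Constructed sample input, mirroring the defaults in the table above.
    sample = {
        "FileSha256": "ab" * 32,
        "HostID": "host-1",
        "AutoIsolation": "False",
        "FilePaths": "C:\\Users\\Public\\payload.exe",
        "TicketingSystemToUse": "Jira",
    }
    result = plan_response(sample)
    for step, arg in result.actions:
        print("RUN ", step, arg)
    for step, why in result.skipped:
        print("SKIP", step, "->", why)
```

With the sample input the hash is blocklisted and tagged and the file is deleted, but isolation is skipped because `AutoIsolation` is still at its default of `False`, and the Jira ticket is skipped because `TicketProjectName` was never supplied; both are exactly the cases an analyst wants surfaced rather than silently dropped.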
## Playbook Outputs
There are no outputs for this playbook.