
Cortex XDR - True Positive Incident Handling

This Playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This Playbook handles the true-positive closure path of the Cortex XDR - Malware Investigation playbook: it blocklists and tags the malicious file hash, optionally deletes the file and isolates the host, opens a ticket in the configured ticketing system, and closes the investigation with the given comment.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cortex XDR - delete file
  • Cortex XDR - Isolate Endpoint

Integrations

  • CortexXDRIR

Scripts

  • ServiceNowCreateIncident
  • IsIntegrationAvailable

Commands

  • setIndicators
  • closeInvestigation
  • jira-create-issue
  • xdr-blocklist-files

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Comment | Add a comment to close this incident. | XSOAR Incident #${incident.id} | Optional |
| Classification | Possible values: Unknown, TruePositive | TruePositive | Optional |
| BlockTag | The tag name applied to the indicators found in the incident to mark them as blocked. | BlockTag | Optional |
| AutoIsolation | Whether automatic host isolation is allowed. | False | Optional |
| TicketProjectName | The ticket project name (required when the ticketing system is Jira). | | Optional |
| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. | | Optional |
| FileSha256 | The SHA256 of the file you want to block. | ${incident.filesha256} | Optional |
| HostID | The ID of the host on which to run the isolation process. | ${incident.deviceid} | Optional |
| FilePaths | The file paths you want to delete. | ${incident.processpath} | Optional |
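The inputs above gate which of the listed commands and sub-playbooks actually run. The following is an added example, not the playbook's own code, that models that gating in plain Python so the effect of a given set of inputs can be checked before the playbook is run against a live tenant: it validates the SHA256, honours the `AutoIsolation` default of `False`, enforces the Jira project requirement, and emits the ordered list of actions. The argument names passed to each command (`hash_list`, `indicatorsValues`, `endpoint_id`, `projectKey`, and so on) and the exact step order are assumptions made for illustration; check them against the command reference of the installed integration versions.

```python
"""Added example modelling the decision logic behind the
'Cortex XDR - True Positive Incident Handling' inputs.
Not the playbook's own code; command argument names are assumptions."""
import re
from typing import Dict, List, Optional

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
TRUE_VALUES = {"true", "yes", "1"}

# Defaults taken from the Playbook Inputs table.
DEFAULT_INPUTS: Dict[str, Optional[str]] = {
    "Comment": "XSOAR Incident #${incident.id}",
    "Classification": "TruePositive",
    "BlockTag": "BlockTag",
    "AutoIsolation": "False",
    "TicketProjectName": None,
    "TicketingSystemToUse": None,
    "FileSha256": None,
    "HostID": None,
    "FilePaths": None,
}


def _is_true(value: Optional[str]) -> bool:
    # XSOAR passes inputs as strings, so the literal "False" must not be truthy.
    return (value or "").strip().lower() in TRUE_VALUES


def valid_sha256s(raw: Optional[str]) -> List[str]:
    """Split a comma-separated hash list and keep only well-formed SHA-256s (lower-cased)."""
    return [h.strip().lower() for h in (raw or "").split(",") if SHA256_RE.match(h.strip())]


def plan_actions(overrides: Dict[str, Optional[str]]) -> List[dict]:
    """Return the ordered actions implied by the inputs; raises ValueError on bad input."""
    inputs = {**DEFAULT_INPUTS, **overrides}
    if inputs["Classification"] not in ("Unknown", "TruePositive"):
        raise ValueError(f"Classification must be Unknown or TruePositive, got {inputs['Classification']!r}")
    plan: List[dict] = []

    # 1. Block and tag the file hash (only if it is a syntactically valid SHA-256).
    hashes = valid_sha256s(inputs["FileSha256"])
    if hashes:
        plan.append({"command": "xdr-blocklist-files",
                     "args": {"hash_list": ",".join(hashes), "comment": inputs["Comment"]}})
        plan.append({"command": "setIndicators",
                     "args": {"indicatorsValues": ",".join(hashes), "tags": inputs["BlockTag"]}})

    # 2. Delete the file on the endpoint; needs both a path and a host (assumed arg names).
    if inputs["FilePaths"] and inputs["HostID"]:
        plan.append({"subplaybook": "Cortex XDR - delete file",
                     "args": {"endpoint_id": inputs["HostID"], "file_path": inputs["FilePaths"]}})

    # 3. Isolation is opt-in: AutoIsolation defaults to False.
    if _is_true(inputs["AutoIsolation"]) and inputs["HostID"]:
        plan.append({"subplaybook": "Cortex XDR - Isolate Endpoint",
                     "args": {"endpoint_id": inputs["HostID"]}})

    # 4. Ticketing: Jira requires a project name; ServiceNow uses the script.
    system = (inputs["TicketingSystemToUse"] or "").strip().lower()
    if system == "jira":
        if not inputs["TicketProjectName"]:
            raise ValueError("TicketProjectName is required when TicketingSystemToUse is Jira")
        plan.append({"command": "jira-create-issue",
                     "args": {"projectKey": inputs["TicketProjectName"],
                              "summary": inputs["Comment"], "issueTypeName": "Task"}})
    elif system == "servicenow":
        plan.append({"script": "ServiceNowCreateIncident",
                     "args": {"short_description": inputs["Comment"]}})
    elif system:
        raise ValueError(f"Unsupported ticketing system {inputs['TicketingSystemToUse']!r}")

    # 5. Always close the investigation with the classification and comment.
    plan.append({"command": "closeInvestigation",
                 "args": {"closeReason": inputs["Classification"], "closeNotes": inputs["Comment"]}})
    return plan


def action_names(plan: List[dict]) -> List[str]:
    """Flatten a plan to its action names for quick inspection."""
    return [s.get("command") or s.get("subplaybook") or s.get("script") for s in plan]


if __name__ == "__main__":
    # Constructed sample input: a 64-hex hash, a host ID and a path.
    sample = {"FileSha256": "a" * 64, "HostID": "abc123", "FilePaths": "C:\\Windows\\Temp\\x.exe"}
    for step in plan_actions(sample):
        print(step)
```

Note that with only the defaults changed for the hash, host and path, the plan contains no isolation and no ticket: isolation stays off until `AutoIsolation` is explicitly set to a true value, and a ticket is only created when `TicketingSystemToUse` names a supported system.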

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

(Playbook diagram: Cortex XDR - True Positive Incident Handling)