Cortex XDR - True Positive Incident Handling
This Playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This Playbook handles true-positive incident closure for Cortex XDR - Malware Investigation.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Cortex XDR - delete file
- Cortex XDR - Isolate Endpoint
Integrations#
CortexXDRIR
Scripts#
- ServiceNowCreateIncident
- IsIntegrationAvailable
Commands#
- setIndicators
- closeInvestigation
- jira-create-issue
- xdr-blocklist-files
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| Comment | Add a comment to close this incident. | XSOAR Incident #${incident.id} | Optional |
| Classification | Possible values: Unknown TruePositive | TruePositive | Optional |
| BlockTag | The banning tag name for founded indicators. | BlockTag | Optional |
| AutoIsolation | Whether automatic host isolation is allowed. | False | Optional |
| TicketProjectName | The ticket project name (required for Jira). | Optional | |
| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. | Optional | |
| FileSha256 | The file SHA256 you want to block. | ${incident.filesha256} | Optional |
| HostID | The ID of the host for running an isolation process. | ${incident.deviceid} | Optional |
| FilePaths | The file paths you want to delete. | ${incident.processpath} | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
