Cortex XDR - True Positive Incident Handling

This playbook is part of the Cortex XDR by Palo Alto Networks pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Threat Hunting - Generic
  • Cortex XDR - Isolate Endpoint
  • Cortex XDR - delete file

Integrations

  • CortexXDRIR

Scripts

  • IsIntegrationAvailable
  • ServiceNowCreateIncident
  • AddEvidence

Commands

  • jira-create-issue
  • closeInvestigation
  • setIndicators
  • setIncident
  • xdr-blocklist-files

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Comment | Comment to add when closing this incident. | XSOAR Incident #${incident.id} | Optional |
| Classification | Choose from "Unknown" / "TruePositive". | TruePositive | Optional |
| BlockTag | The banning tag name to apply to found indicators. | BlockTag | Optional |
| AutoIsolation | Indicates whether automatic host isolation is allowed (True/False). | False | Optional |
| TicketProjectName | For ticketing systems such as Jira, a project name is required. | | Optional |
| TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow. | | Optional |
| FileSha256 | The SHA256 of the file you would like to block. This input can also be used in the Threat Hunting step. | incident.filesha256 | Optional |
| HostID | The ID of the host on which to run the isolation process. | ${incident.deviceid} | Optional |
| FilePaths | The paths of the files you would like to delete. | incident.processpaths | Optional |
| ManuallyChooseIOCForHunting | Lets you select which IOCs to hunt for using the Threat Hunting - Generic playbook. If false, all IOCs detected in the incident are hunted. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage. | True | Optional |
| IP | The IP value to hunt for. | IP.None | Optional |
| MD5 | The file MD5 value to hunt for. | File.MD5.None | Optional |
| URL_or_Domain | The URL or domain to hunt for. | Domain.None | Optional |
| FileSha1 | The file SHA1 value to hunt for. | File.SHA1 | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

Cortex XDR - True Positive Incident Handling