Skip to main content

Cortex XDR - True Positive Incident Handling

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Threat Hunting - Generic
  • Cortex XDR - Isolate Endpoint


  • CortexXDRIR
  • Cortex XDR - IR


  • AddEvidence
  • ServiceNowCreateIncident
  • IsIntegrationAvailable


  • setIncident
  • jira-create-issue
  • xdr-blocklist-files
  • closeInvestigation
  • setIndicators
  • xdr-file-delete-script-execute

Playbook Inputs#

NameDescriptionDefault ValueRequired
CommentAdd comment to close this incident.XSOAR Incident #${}Optional
ClassificationChoose From - "Unknown" / "TruePositive"TruePositiveOptional
BlockTagSpecify the banning tag name for founded indicators.BlockTagOptional
AutoIsolationIndicates if automatic host isolation is allowed.
TicketProjectNameFor ticketing systems such as Jira a project name is required.Optional
TicketingSystemToUseThe name of the ticketing system to use, for example Jira or ServiceNowOptional
FileSha256Enter the File SHA256 you would like to block. Also, this input can be used in the Threat Hunting step.incident.filesha256Optional
HostIDThe ID of the host for running an isolation process.incident.deviceidOptional
FilePathsEnter the File paths you would like to delete.incident.processpathsOptional
ManuallyChooseIOCForHuntingThis input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook.
If false, it will hunt for all IOCs detected in the incident.
Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.
IPIP value to hunt for.IPOptional
MD5MD5 file value to hunt for.File.MD5Optional
URL_or_DomainURL or domain to hunt for.DomainOptional
FileSha1File SHA1 value to hunt on.File.SHA1Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR - True Positive Incident Handling