Cortex XDR Alerts Handling

This playbook is used to loop over every alert in a Cortex XDR incident. Supported alert categories:

  • Malware
  • Port Scan

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Cortex XDR - Malware Investigation
  • Cortex XDR - Port Scan - Adjusted

Integrations

  • Cortex XDR - IR

Scripts

This playbook does not use any scripts.

Commands

  • xdr-get-incident-extra-data

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| incident_id | Incident ID. | PaloAltoNetworksXDR.Incident.incident_id | Optional |
| alert_id | Alert ID. | PaloAltoNetworksXDR.Incident.alerts.alert_id | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| PaloAltoNetworksXDR.Incident.incident_id | Unique ID assigned to each returned incident. | unknown |
| PaloAltoNetworksXDR.Incident.description | Dynamically calculated description of the incident. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.alert_id | Unique ID for each alert. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.severity | Severity of the alert: "low", "medium", "high". | unknown |
| PaloAltoNetworksXDR.Incident.alerts.name | Calculated name of the alert. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.category | Category of the alert, for example, Spyware Detected via Anti-Spyware profile. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.host_ip | Host IP involved in the alert. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.host_name | Host name involved in the alert. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.user_name | User name involved with the alert. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.event_type | Event type: "Process Execution", "Network Event", "File Event", "Registry Event", "Injection Event", "Load Image Event", "Windows Event Log". | unknown |
| PaloAltoNetworksXDR.Incident.alerts.action | The action that triggered the alert: "REPORTED", "BLOCKED", "POST_DETECTED", "SCANNED", "DOWNLOAD", "PROMPT_ALLOW", "PROMPT_BLOCK", "DETECTED", "BLOCKED_1", "BLOCKED_2", "BLOCKED_3", "BLOCKED_5", "BLOCKED_6", "BLOCKED_7", "BLOCKED_8", "BLOCKED_9", "BLOCKED_10", "BLOCKED_11", "BLOCKED_13", "BLOCKED_14", "BLOCKED_15", "BLOCKED_16", "BLOCKED_17", "BLOCKED_24", "BLOCKED_25", "DETECTED_0", "DETECTED_4", "DETECTED_18", "DETECTED_19", "DETECTED_20", "DETECTED_21", "DETECTED_22", "DETECTED_23". | unknown |
| PaloAltoNetworksXDR.Incident.alerts.action_pretty | The action that triggered the alert, in readable form: "Detected (Reported)", "Prevented (Blocked)", "Detected (Post Detected)", "Detected (Scanned)", "Detected (Download)", "Detected (Prompt Allow)", "Prevented (Prompt Block)", "Detected", "Prevented (Denied The Session)", "Prevented (Dropped The Session)", "Prevented (Dropped The Session And Sent a TCP Reset)", "Prevented (Blocked The URL)", "Prevented (Blocked The IP)", "Prevented (Dropped The Packet)", "Prevented (Dropped All Packets)", "Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)", "Prevented (Terminated The Session And Sent a TCP Reset To The Client)", "Prevented (Terminated The Session And Sent a TCP Reset To The Server)", "Prevented (Continue)", "Prevented (Block-Override)", "Prevented (Override-Lockout)", "Prevented (Override)", "Prevented (Random-Drop)", "Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)", "Prevented (Block)", "Detected (Allowed The Session)", "Detected (Raised An Alert)", "Detected (Syncookie Sent)", "Detected (Forward)", "Detected (Wildfire Upload Success)", "Detected (Wildfire Upload Failure)", "Detected (Wildfire Upload Skip)", "Detected (Sinkhole)". | unknown |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_image_name | Image name of the acting process. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_command_line | Command line of the acting process. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_status | Signature status of the acting process: "Signed", "Invalid Signature", "Unsigned", "Revoked", "Signature Fail", "N/A", "Weak Hash". | unknown |
| PaloAltoNetworksXDR.Incident.alerts.actor_process_signature_vendor | Signature vendor name of the acting process. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.action_process_image_sha256 | SHA-256 of the process image. | unknown |
| PaloAltoNetworksXDR.Incident.alerts.is_whitelisted | Whether the alert is whitelisted: "Yes", "No". | unknown |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | Network artifact type: "IP". | unknown |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_domain | The domain related to the artifact. | unknown |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_country | The country related to the artifact. | unknown |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip | The remote IP related to the artifact. | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status | Digital signature status of the file: "SIGNATURE_UNAVAILABLE", "SIGNATURE_SIGNED", "SIGNATURE_INVALID", "SIGNATURE_UNSIGNED", "SIGNATURE_WEAK_HASH". | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_process | Whether the file artifact is related to a process execution. | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_name | Name of the file. | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict | The file verdict, calculated by WildFire: "BENIGN", "MALWARE", "GRAYWARE", "PHISING", "UNKNOWN". | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious | Whether the artifact is malicious, decided by the WildFire verdict. | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.type | The artifact type: "META", "GID", "CID", "HASH", "IP", "DOMAIN", "REGISTRY", "HOSTNAME". | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256 | SHA-256 hash of the file. | unknown |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_vendor_name | File signature vendor name. | unknown |
| PortScan.BlockPorts | Indicates whether there is a need to block the ports used for exploitation on the scanned host. | unknown |
| PortScan.AttackerIPs | Attacker IPs from the port scan alert. | unknown |
| PortScan.AttackerHostnames | Attacker hostnames from the port scan alert. | unknown |
| PortScan.AttackerUsername | Attacker username from the port scan alert. | unknown |
| PortScan.FileArtifacts | File artifacts from the port scan alert. | unknown |
| PortScan.LateralMovementFirstDatetime | Lateral movement first date/time from the port scan alert. | unknown |
| PortScan.PortScanFirstDatetime | Port scan first date/time from the port scan alert. | unknown |
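The per-alert loop described at the top of this page, and the input and output context paths listed above, are shown below as a stand-alone Python sketch. This is an added example, not the playbook's own code or a Cortex XSOAR automation: it takes an incident shaped like the PaloAltoNetworksXDR.Incident context path, iterates over Incident.alerts (optionally restricted to given alert IDs, mirroring the alert_id input), and dispatches each alert by category to a handler. Only the two supported categories, Malware and Port Scan, have handlers; any other category is recorded as skipped rather than dropped silently. The sample incident is constructed here, and the handler bodies (including the BlockPorts heuristic and treating the alerting endpoint as the scanning host) are hypothetical stand-ins for the two sub-playbooks, not their logic.

```python
from typing import Any, Callable, Dict, List, Optional

Incident = Dict[str, Any]
Alert = Dict[str, Any]
Handler = Callable[[Incident, Alert], Dict[str, Any]]

# Constructed sample incident shaped like the PaloAltoNetworksXDR.Incident
# context path documented above; every value here is made up.
SAMPLE_INCIDENT: Incident = {
    "incident_id": "1001",
    "description": "Malware and Port Scan on host wks-01",
    "alerts": [
        {"alert_id": "1", "category": "Malware", "severity": "high",
         "host_ip": "10.0.0.5", "host_name": "wks-01", "user_name": "alice",
         "action_process_image_sha256": "aa" * 32},
        {"alert_id": "2", "category": "Port Scan", "severity": "medium",
         "host_ip": "10.0.0.5", "host_name": "wks-01", "user_name": "alice"},
        {"alert_id": "3", "category": "Spyware Detected via Anti-Spyware profile",
         "severity": "low", "host_ip": "10.0.0.7", "host_name": "wks-02"},
    ],
    "file_artifacts": [
        {"file_name": "dropper.exe", "file_sha256": "aa" * 32,
         "file_wildfire_verdict": "MALWARE", "is_malicious": True},
        {"file_name": "notes.txt", "file_sha256": "bb" * 32,
         "file_wildfire_verdict": "BENIGN", "is_malicious": False},
    ],
    "network_artifacts": [
        {"type": "IP", "network_remote_ip": "203.0.113.9", "network_country": "XX"},
    ],
}


def handle_malware(incident: Incident, alert: Alert) -> Dict[str, Any]:
    """Hypothetical stand-in for the 'Cortex XDR - Malware Investigation'
    sub-playbook: match the acting process hash against the incident's file
    artifacts and summarise their WildFire verdicts."""
    sha = alert.get("action_process_image_sha256")
    matches = [f for f in incident.get("file_artifacts", []) if f.get("file_sha256") == sha]
    return {
        "alert_id": alert["alert_id"],
        "host_name": alert.get("host_name"),
        "verdicts": sorted({f.get("file_wildfire_verdict") for f in matches}),
        "malicious": any(f.get("is_malicious") for f in matches),
    }


def handle_port_scan(incident: Incident, alert: Alert) -> Dict[str, Any]:
    """Hypothetical stand-in for 'Cortex XDR - Port Scan - Adjusted': fill the
    PortScan.* output keys from the alert that raised the scan. Treating the
    alerting endpoint as the scanning ('attacker') host and deriving
    BlockPorts from severity are assumptions made for this example."""
    return {
        "alert_id": alert["alert_id"],
        "PortScan": {
            "AttackerIPs": [alert.get("host_ip")],
            "AttackerHostnames": [alert.get("host_name")],
            "AttackerUsername": alert.get("user_name"),
            "FileArtifacts": incident.get("file_artifacts", []),
            "BlockPorts": alert.get("severity") in ("medium", "high"),
        },
    }


# Category -> handler map; the playbook supports exactly these two categories.
HANDLERS: Dict[str, Handler] = {
    "Malware": handle_malware,
    "Port Scan": handle_port_scan,
}


def handle_alerts(incident: Incident, alert_ids: Optional[List[str]] = None,
                  handlers: Dict[str, Handler] = HANDLERS) -> Dict[str, Any]:
    """Loop over every alert in the incident (or only the alert_ids given,
    mirroring the optional alert_id input) and dispatch by category.
    Unsupported categories are listed under 'skipped' so an analyst can see
    what the loop did not cover."""
    handled: List[Dict[str, Any]] = []
    skipped: List[Dict[str, Any]] = []
    for alert in incident.get("alerts", []):
        if alert_ids is not None and alert.get("alert_id") not in alert_ids:
            continue
        category = alert.get("category", "")
        handler = handlers.get(category)
        if handler is None:
            skipped.append({"alert_id": alert.get("alert_id"), "category": category})
            continue
        result = handler(incident, alert)
        result["category"] = category
        handled.append(result)
    return {"incident_id": incident.get("incident_id"), "handled": handled, "skipped": skipped}


if __name__ == "__main__":
    import json
    print(json.dumps(handle_alerts(SAMPLE_INCIDENT), indent=2))
```

Run it directly to see the dispatch result for the constructed incident; the unsupported third alert appears under `skipped`, which is the behaviour to keep in mind when an incident mixes categories this playbook covers with ones it does not.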

Playbook Image

[Image: Cortex XDR Alerts Handling]