Skip to main content

Cortex XDR Malware - Incident Enrichment

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Mitre Attack - Extract Technique Information From ID
  • Account Enrichment - Generic v2.1


  • Cortex XDR - IR
  • CortexXDRIR


  • isError
  • SetGridField


  • extractIndicators
  • endpoint
  • xdr-get-incident-extra-data
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
IncidentIDThe incident ID to be enriched.${incident.externalsystemid}Optional

Playbook Outputs#

PaloAltoNetworksXDR.IncidentCortex XDR incident information.unknown
FileFile information.unknown
ProcessProcess information.unknown
IPIP information.unknown
DomainDomain information.unknown
Endpoint.IDThe endpoint identifier.unknown
Endpoint.HostnameThe host name that is mapped to this endpoint.unknown
Endpoint.OSThe endpoint operating system.unknown
Endpoint.OSVersionThe endpoint operating system version.unknown
Endpoint.IPAddressThe endpoint IP address.unknown
Endpoint.StatusThe health status of the endpoint.unknown
Endpoint.MACAddressThe endpoint MAC address.unknown
Endpoint.VendorThe integration name of the endpoint vendor.unknown
AttackPatternArray of attack pattern names and IDs.string
MITREATTACKThe full MITRE data for the attack pattern.string

Playbook Image#

Cortex XDR Malware - Incident Enrichment