
Cortex XDR Malware - Incident Enrichment

This playbook is part of the Palo Alto Networks Cortex XDR - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook enriches a Cortex XDR incident. The enrichment is performed on the involved endpoint and on the MITRE technique ID information, and the playbook sets the 'Malware-Investigation and Response' layout on the incident.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Mitre Attack - Extract Technique Information From ID

Integrations

  • CortexXDRIR
  • Cortex XDR - IR

Scripts

  • isError
  • SetGridField

Commands

  • setIncident
  • endpoint
  • xdr-get-incident-extra-data

Playbook Inputs

| Name       | Description                        | Default Value                  | Required |
|------------|------------------------------------|--------------------------------|----------|
| IncidentID | The incident ID to be enriched.    | ${incident.externalsystemid}   | Optional |

Playbook Outputs

| Path                        | Description                                      | Type    |
|-----------------------------|--------------------------------------------------|---------|
| PaloAltoNetworksXDR.Incident | Cortex XDR incident information.                | unknown |
| File                        | File information.                                | unknown |
| Process                     | Process information.                             | unknown |
| IP                          | IP information.                                  | unknown |
| Domain                      | Domain information.                              | unknown |
| Endpoint.ID                 | The endpoint identifier.                         | unknown |
| Endpoint.Hostname           | The host name that is mapped to this endpoint.   | unknown |
| Endpoint.OS                 | The endpoint operating system.                   | unknown |
| Endpoint.OSVersion          | The endpoint operating system version.           | unknown |
| Endpoint.IPAddress          | The endpoint IP address.                         | unknown |
| Endpoint.Status             | The health status of the endpoint.               | unknown |
| Endpoint.MACAddress         | The endpoint MAC address.                        | unknown |
| Endpoint.Vendor             | The integration name of the endpoint vendor.     | unknown |

Playbook Image

[Playbook image: Cortex XDR Malware - Incident Enrichment]