Skip to main content

Cortex XDR Malware - Investigation And Response

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook investigates Cortex XDR malware incidents. It uses:

  • Cortex XDR insights
  • Command Line Analysis
  • Dedup
  • Sandbox hash search and detonation
  • Cortex XDR enrichment - Incident Handling (true/false positive)


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR - False Positive Incident Handling
  • Cortex XDR - Endpoint Investigation
  • Cortex XDR - Run script
  • Cortex XDR Malware - Incident Enrichment
  • Dedup - Generic v4
  • Command-Line Analysis
  • Search For Hash In Sandbox - Generic
  • Cortex XDR - True Positive Incident Handling
  • Detonate and Analyze File - Generic




  • InvestigationDetailedSummaryParse
  • InvestigationSummaryParse


  • xdr-file-retrieve
  • xdr-retrieve-file-details
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
EnableDeduplicationWhether the deduplication playbook will be used.FalseOptional
AutoIsolationWhether endpoint isolation is allowed.FalseOptional
RetrieveFileWhether file retrieval from the endpoint is allowed.TrueOptional
TicketingSystemToUseThe name of the ticketing system to use, for example, Jira or ServiceNow.Optional
TicketProjectNameThe ticket project name (required for Jira).Optional
MaliciousTagNameThe tag to assign for indicators to block.MaliciousTagNameOptional
EnableClosureStepsWhether the indicator is closed with closure steps or automatically.TrueOptional
DedupSimilarTextFieldA comma-separated list of incident text fields to take into account when computing similarity. For example commandline, URL.agnetsid,users,agentsid,CMDline,Hostnames,filenames,filepathsOptional
AutoUnisolationWhether automatic un-isolation is allowed.FalseOptional
DedupLimitThe maximum number of incidents to query and set to context data.200Optional
DedupHandleSimilarDefines how to handle Similar incidents.
Possible values:
* Link and Close
Note: closing incidents requires you to define "CloseSimilar" input as well.
Also, the incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
DedupCloseSimilarDefines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 [0=low similarity , 1=identical].
DedupMinimunIncidentSimilarityRetain incidents with a similarity score greater than the MinimunIncidentSimilarity.
Value should be between 0 to 1 [0=low similarity, 1=identical]
BenignTagNameThe name of the tag to apply for allowed indicators.BenignTagNameOptional
AdvancedHuntingWhether to run Advance Hunting queries through your Cortex XDR instance by using the information on Alert Insights.
Note: It may take some time.
RunAllHuntMitreTacticsWhether to run the Advanced Hunting section for all Mitre Tactics.TrueOptional

Playbook Outputs#

PaloAltoNetworksXDR.ScriptResult.resultsPalo ALto Networks Script reuslts information.unknown

Playbook Image#

Cortex XDR Malware - Investigation And Response