Skip to main content

Cortex XDR Malware - Investigation And Response

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook investigates Cortex XDR malware incidents. It uses:

  • Cortex XDR insights
  • Command Line Analysis
  • Dedup
  • Sandbox hash search and detonation
  • Cortex XDR enrichment
  • Incident Handling (True/False Positive)


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR - False Positive Incident Handling
  • Command-Line Analysis
  • Cortex XDR - Retrieve File by sha256
  • Detonate and Analyze File - Generic
  • Cortex XDR Malware - Incident Enrichment
  • Search For Hash In Sandbox - Generic
  • Cortex XDR - Endpoint Investigation
  • Cortex XDR - True Positive Incident Handling
  • Dedup - Generic v4


  • CortexXDRIR


  • InvestigationDetailedSummaryParse
  • InvestigationSummaryParse


  • setIncident
  • xdr-script-run

Playbook Inputs#

NameDescriptionDefault ValueRequired
EnableDeduplicationWhether the deduplication playbook will be used.FalseOptional
AutoIsolationWhether endpoint isolation is allowed.FalseOptional
RetrieveFileWhether file retrieval from the endpoint is allowed.TrueOptional
TicketingSystemToUseThe name of the ticketing system to use, for example, Jira, or ServiceNow. (Used in case incident is classified as True Positive).Optional
TicketProjectNameThe ticket project name. (Required for Jira).Optional
MaliciousTagNameThe tag to assign for indicators to block.MaliciousTagNameOptional
EnableClosureStepsWhether the incident will be closed with closure steps or automatically.TrueOptional
DedupSimilarTextFieldA comma-separated list of incident text fields to take into account when computing similarity. For example commandline, URL.agnetsid,users,agentsid,CMDline,Hostnames,filenames,filepathsOptional
AutoUnisolationWhether automatic un-isolation is allowed.FalseOptional
DedupLimitThe maximum number of incidents to query and set to context data.200Optional
DedupHandleSimilarDefines how to handle Similar incidents.
Choose between: "Link", "Close", "Link and Close".
Note: Closing incidents requires you to define the "CloseSimilar" input as well.
Also, the incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
DedupCloseSimilarDefines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 [0=low similarity , 1=identical].
DedupMinimunIncidentSimilarityRetain incidents with a similarity score greater than the MinimunIncidentSimilarity.
Value should be between 0 to 1 [0=low similarity, 1=identical]
BenignTagNameThe name of the tag to apply for allowed indicators.BenignTagNameOptional
AdvancedHunting'Whether to run Advance Hunting queries through your Cortex XDR instance using the information on Alert Insights. Note: It may take some time.'TrueOptional
RunAllHuntMitreTacticsWhether to run the Advanced Hunting section for all Mitre Tactics.TrueOptional
DetonateFileWhether file detonation is allowed on the sandbox.TrueOptional

Playbook Outputs#

PaloAltoNetworksXDR.ScriptResult.resultsPalo ALto Networks Script reuslts information.unknown

Playbook Image#

Cortex XDR Malware - Investigation And Response