Endpoint Malware Investigation - Generic
This playbook is part of the Malware Core Pack.
Deprecated
Deprecated. Use the 'Malware Investigation & Response Incident handler' playbook (from the 'Malware Investigation And Response' pack) instead.
Performs enrichment, detonation, hunting within the organization, and remediation for the malware. This playbook is triggered by a malware incident from an Endpoint type integration.
Used sub-playbooks:
- Endpoint Enrichment - Generic v2.1
- Retrieve File from Endpoint - Generic
- Detonate File - Generic
- File Enrichment - Generic v2
- Calculate Severity - Generic v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Endpoint Enrichment - Generic v2.1
- Detonate File - Generic
- Retrieve File from Endpoint - Generic
- Calculate Severity - Generic v2
- Isolate Endpoint - Generic
- Block Indicators - Generic v2
- File Enrichment - Generic v2
Integrations
- Builtin
Scripts
- GenerateInvestigationSummaryReport
Commands
- send-mail
- setIncident
- closeInvestigation
Playbook Inputs
| Name | Description | Default Value | Source | Required |
|---|---|---|---|---|
| AutoIsolation | The severity threshold at or above which the infected endpoint is isolated automatically. Specify the severity number (default is High): "0" means Unknown, "0.5" means Informational, "1" means Low, "2" means Medium, "3" means High, "4" means Critical. | 3 | - | Optional |
| | The email address to notify if there is a possibility of the malware spreading and infecting other endpoints. | - | - | Optional |
| MD5 | The MD5 hash of the file. | md5string | incident | Optional |
| SHA256 | The SHA256 hash of the file. | sha256 | incident | Optional |
| Hostname | The hostname of the machine on which the file is located. | Hostname | Endpoint | Optional |
| FilePath | The file path. | Path | File | Optional |
| UseD2 | Whether to use the D2 agent to retrieve the file. | no | - | Optional |
| SHA1 | The SHA1 hash of the file. | sha1 | incident | Optional |
Playbook Outputs
There are no outputs for this playbook.