Endpoint Malware Investigation - Generic V2

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook provides a framework for handling a malware investigation through all of its essential steps. The playbook consists of 7 stages, each containing the relevant sub-playbook or tasks. Indicators are extracted automatically from the incident according to the indicator extraction rules of the Malware incident type. To use the Illusive integration in the Forensics - Generic playbook, set the forensic timeline by editing the inputs of the Forensics - Generic playbook.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Unisolate Endpoint - Generic
  • File Enrichment - Generic v2
  • Block Indicators - Generic v2
  • Get host forensics - Generic
  • Calculate Severity - Generic v2
  • Threat Hunting - Generic
  • Detonate File - Generic
  • Isolate Endpoint - Generic V2
  • Retrieve File from Endpoint - Generic V2
  • Get endpoint details - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • SetAndHandleEmpty
  • AssignAnalystToIncident
  • commentsToContext
  • SetGridField
  • Set
  • DBotFindSimilarIncidents
  • GenerateInvestigationSummaryReport

Commands

  • closeInvestigation
  • setIncident
  • send-mail
  • linkIncidents

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| AutoIsolation | The severity threshold from which the infected endpoint is isolated automatically. Specify the severity number: 0 - Unknown, 0.5 - Informational, 1 - Low, 2 - Medium, 3 - High, 4 - Critical. The default is 3 (High). | 3 | Optional |
| Email | The email address to notify if there is a possibility of the malware spreading and infecting other endpoints. | | Optional |
| MD5 | The MD5 hash of the suspicious file. | incident.md5 | Optional |
| SHA256 | The SHA256 hash of the suspicious file. | incident.sha256 | Optional |
| Hostname | The hostname of the machine on which the file is located. | incident.hostname | Optional |
| FilePath | The path of the file to retrieve, for example C:\users\folder\file.txt. | File.Path | Optional |
| UseD2 | Whether to use a D2 agent to retrieve the file. | no | Optional |
| SHA1 | The SHA1 hash of the suspicious file. | incident.sha1 | Optional |
| ActivateAutomaticHunting | Set to Yes to run the Threat Hunting - Generic playbook for automatic hunting. | no | Optional |
| ManualThreatHunting | Set to Yes to perform manual threat hunting. | No | Optional |
| NeedMoreForensics | Set to Yes to run the Forensics - Generic playbook, which retrieves additional forensics from the investigated host. | no | Optional |
| IPAddress | Relevant only if the Threat Hunting - Generic playbook is activated. If you are hunting IP addresses, provide them here. | | Optional |
| URLDomain | Relevant only if the Threat Hunting - Generic playbook is activated. If you are hunting URLs or domains, provide them here. | | Optional |
| InternalRange | Relevant only if the Threat Hunting - Generic playbook is activated. A comma-separated list of internal IP ranges in CIDR notation to check IP addresses against, for example 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If no list is provided, the default list built into the IsIPInRanges script (the known IPv4 private address ranges) is used. | | Optional |
| InternalDomainName | Relevant only if the Threat Hunting - Generic playbook is activated. The organization's internal domain name, used by the IsInternalHostName script to classify detected host names as internal or external by their domain suffix, for example demisto.com. Separate multiple domains with the \| character, for example demisto.com\|test.com. | | Optional |
| InternalHostRegex | Relevant only if the Threat Hunting - Generic playbook is activated. A regex describing the organization's host naming convention, used by the IsInternalHostName script to classify detected host names as internal or external. For example, the host testpc1 matches the regex \w{6}\d{1}. | | Optional |
| Agent_ID | Relevant only if the file is retrieved through an EDR. If so, provide the relevant Agent_ID\Endpoint ID. | Agents ID.None | Optional |
| CriticalUsers | Used by the Calculate Severity - Generic v2 playbook. Provide your critical users (a comma-separated list is accepted). | admin | Optional |
| CriticalEndpoints | Used by the Calculate Severity - Generic v2 playbook. Provide your critical endpoint hostnames (a comma-separated list is accepted). | | Optional |
| CriticalGroups | Used by the Calculate Severity - Generic v2 playbook. Provide the DNs of your critical AD groups (a comma-separated list is accepted). | | Optional |
| AutoUnIsolation | Set to Yes to run the Unisolate Endpoint - Generic playbook. | no | Optional |
| Endpoint_ip | The IP address of the endpoint involved in the investigation. | | Optional |
| LinkSimilarIncidents | Set to Yes to link the incidents that DBotFindSimilarIncidents found to be similar. | no | Optional |
| DetonateFile | Set to Yes to run the Detonate File - Generic playbook. | no | Optional |
| IsolationAfterHunting | Set to Yes to run the Isolate Endpoint - Generic V2 playbook after the threat hunting procedures have completed. | no | Optional |
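The InternalRange, InternalDomainName and InternalHostRegex inputs only matter if you understand how the hunting sub-playbook separates internal assets from external indicators. The following is an added example, not the IsIPInRanges or IsInternalHostName scripts that ship with Cortex XSOAR: it reimplements the three checks in plain Python with the same input conventions the table describes (comma-separated CIDRs, pipe-separated domain suffixes, a naming-convention regex) so you can test your values before wiring them into the playbook. The function names, the fallback list of private ranges and the sample indicators are assumptions constructed for this example.

```python
import ipaddress
import re

# Assumption: when InternalRange is empty the playbook falls back to the
# IPv4 private address ranges, so this example does the same.
DEFAULT_INTERNAL_RANGES = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# Constructed sample indicators, as they might arrive from threat hunting.
SAMPLE_INDICATORS = [
    "10.1.2.3",                  # inside the default private ranges
    "203.0.113.7",               # documentation range, treated as external
    "dc01.demisto.com",          # internal by domain suffix
    "testpc1",                   # internal by naming-convention regex
    "demisto.com.attacker.net",  # lookalike: must NOT be classed internal
    "testpc12",                  # one digit too many for the regex
]


def parse_ranges(internal_range=""):
    """Parse the comma-separated CIDR list, falling back to the defaults."""
    text = (internal_range or "").strip() or DEFAULT_INTERNAL_RANGES
    return [ipaddress.ip_network(r.strip(), strict=False)
            for r in text.split(",") if r.strip()]


def is_ip_in_ranges(ip, internal_range=""):
    """True if ip lies inside any configured internal CIDR (the InternalRange input)."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # not an IP address at all
    return any(addr.version == net.version and addr in net
               for net in parse_ranges(internal_range))


def is_internal_hostname(hostname, internal_domain_name="", internal_host_regex=""):
    """True if hostname is internal by domain suffix or by naming-convention regex.

    internal_domain_name: pipe-separated suffixes, e.g. "demisto.com|test.com".
    internal_host_regex:  pattern for the short host name, e.g. r"\\w{6}\\d{1}".
    The suffix test honours label boundaries, so "demisto.com.attacker.net" is
    external, and the regex is anchored with fullmatch, so "testpc12" does not
    sneak in on a partial match.
    """
    host = hostname.strip().rstrip(".").lower()
    if not host:
        return False
    short_name = host.split(".")[0]
    suffixes = [s.strip().lower() for s in internal_domain_name.split("|") if s.strip()]
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return True
    if internal_host_regex:
        return re.fullmatch(internal_host_regex, short_name, flags=re.IGNORECASE) is not None
    return False


def split_for_hunting(indicators, internal_range="", internal_domain_name="",
                      internal_host_regex=""):
    """Split indicators into (internal, external); only the external ones are worth hunting."""
    internal, external = [], []
    for indicator in indicators:
        try:
            ipaddress.ip_address(indicator.strip())
            inside = is_ip_in_ranges(indicator, internal_range)
        except ValueError:
            inside = is_internal_hostname(indicator, internal_domain_name, internal_host_regex)
        (internal if inside else external).append(indicator)
    return internal, external


if __name__ == "__main__":
    internal, external = split_for_hunting(
        SAMPLE_INDICATORS,
        internal_range="",                        # use the default private ranges
        internal_domain_name="demisto.com|test.com",
        internal_host_regex=r"\w{6}\d{1}",
    )
    print("internal:", internal)
    print("external:", external)
```

Two details are worth carrying over to whatever you configure: a naive "contains the domain" test would classify demisto.com.attacker.net as internal, and an unanchored regex search would accept testpc12; both mistakes silently drop attacker-controlled hosts from the hunt.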

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Playbook image: Endpoint Malware Investigation - Generic V2]