# Endpoint Malware Investigation - Generic V2

This playbook is part of the Malware Core Pack.

Deprecated. Use the 'Malware Investigation & Response Incident handler' playbook (from the 'Malware Investigation And Response' pack) instead.
This playbook provides a framework for handling a malware investigation through all of its essential steps. The playbook consists of 7 stages; each stage contains the relevant sub-playbook or tasks.
This playbook automatically extracts indicators from incidents according to the indicator extraction rules of the malware incident type.
To use the Illusive integration in the Forensics - Generic playbook, note that you can set the forensic timeline by editing the Forensics - Generic playbook inputs.
## Dependencies

This playbook uses the following sub-playbooks, integrations, scripts, and commands.

### Sub-playbooks

- Unisolate Endpoint - Generic
- File Enrichment - Generic v2
- Block Indicators - Generic v2
- Get host forensics - Generic
- Calculate Severity - Generic v2
- Threat Hunting - Generic
- Detonate File - Generic
- Isolate Endpoint - Generic V2
- Retrieve File from Endpoint - Generic V2
- Get endpoint details - Generic

### Integrations

This playbook does not use any integrations.

### Scripts

- SetAndHandleEmpty
- AssignAnalystToIncident
- commentsToContext
- SetGridField
- Set
- DBotFindSimilarIncidents
- GenerateInvestigationSummaryReport

### Commands

- closeInvestigation
- setIncident
- send-mail
- linkIncidents

## Playbook Inputs

| Name | Description | Default Value | Required |
|---|---|---|---|
| AutoIsolation | The severity threshold at or above which the infected endpoint is automatically isolated. Specify the severity number: 0 - Unknown, 0.5 - Informational, 1 - Low, 2 - Medium, 3 - High, 4 - Critical. (Default is High.) | 3 | Optional |
| | The email address to send a notification to if there is a possibility of the malware spreading and infecting other endpoints. | | Optional |
| MD5 | The MD5 hash value of the suspicious file. | incident.md5 | Optional |
| SHA256 | The SHA256 hash value of the suspicious file. | incident.sha256 | Optional |
| Hostname | Hostname of the machine on which the file is located. | incident.hostname | Optional |
| FilePath | The path of the file to retrieve. For example: C:\users\folder\file.txt | File.Path | Optional |
| UseD2 | Specifies whether to use a D2 agent to retrieve the file. | no | Optional |
| SHA1 | The SHA1 hash value of the suspicious file. | incident.sha1 | Optional |
| ActivateAutomaticHunting | Activates the Threat Hunting - Generic playbook for automatic hunting. Set to Yes to activate. | no | Optional |
| ManualThreatHunting | Perform manual threat hunting. Set to Yes to activate. | No | Optional |
| NeedMoreForensics | Setting this input to `Yes` activates the `Forensics - Generic` playbook, which retrieves additional forensics from the host under investigation. | no | Optional |
| IPAddress | Relevant only if the Threat Hunting - Generic playbook is activated. If you activated that playbook and are hunting IP addresses, provide the IP addresses here. | | Optional |
| URLDomain | Relevant only if the Threat Hunting - Generic playbook is activated. If you activated that playbook and are hunting URLs or domains, provide them here. | | Optional |
| InternalRange | Relevant only if the Threat Hunting - Generic playbook is activated. A list of internal IP ranges to check IP addresses against, in CIDR notation and separated by commas. An example list of ranges is: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If no list is provided, the default list from the IsIPInRanges script (the known IPv4 private address ranges) is used. | | Optional |
| InternalDomainName | Relevant only if the Threat Hunting - Generic playbook is activated. The organization's internal domain name, passed to the IsInternalHostName script, which treats a detected host name as internal if it carries the internal domain suffix. For example, demisto.com. If there is more than one domain, separate the values with the `\|` character, for example (demisto.com\|test.com). | | Optional |
| InternalHostRegex | Relevant only if the Threat Hunting - Generic playbook is activated. A regular expression passed to the IsInternalHostName script, which treats a detected host name as internal if it matches the organization's naming convention. For example, the host testpc1 matches the regex \w{6}\d{1}. | | Optional |
| Agent_ID | Relevant only if the file is retrieved through an EDR. If so, provide the relevant Agent ID / Endpoint ID. | Agents ID | Optional |
| CriticalUsers | Used by the `Calculate Severity - Generic v2` playbook. Provide your critical users (CSV is optional). | admin | Optional |
| CriticalEndpoints | Used by the `Calculate Severity - Generic v2` playbook. Provide your critical endpoint hostnames (CSV is optional). | | Optional |
| CriticalGroups | Used by the `Calculate Severity - Generic v2` playbook. Provide the DNs of your critical AD groups (CSV is optional). | | Optional |
| AutoUnIsolation | Setting this input to "Yes" activates the "Unisolate Endpoint - Generic" playbook. | no | Optional |
| Endpoint_ip | The IP address of the endpoint involved in the investigation. | | Optional |
| LinkSimilarIncidents | Setting this input to "Yes" links the incidents that DBotFindSimilarIncidents found to be similar. | no | Optional |
| DetonateFile | Setting this input to "Yes" activates the "Detonate File - Generic" playbook. | no | Optional |
| IsolationAfterHunting | Setting this input to "Yes" activates the "Isolate Endpoint - Generic V2" playbook after the threat hunting procedures have run. | no | Optional |
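The following is an added illustration (not the IsIPInRanges or IsInternalHostName scripts themselves, nor any code from this playbook) of how the InternalRange, InternalDomainName and InternalHostRegex inputs described above classify hunted indicators, and how the AutoIsolation threshold gates isolation. It assumes the regex is applied to the host's first DNS label and that the default range list is the IPv4 private ranges named in the table.

```python
"""Constructed example of the internal/external checks and the AutoIsolation threshold."""
import ipaddress
import re

# Assumed default when InternalRange is empty: the IPv4 private address ranges.
DEFAULT_INTERNAL_RANGES = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# Severity scale quoted in the AutoIsolation input description.
SEVERITY = {"unknown": 0, "informational": 0.5, "low": 1,
            "medium": 2, "high": 3, "critical": 4}


def is_ip_in_ranges(ip: str, internal_range: str = "") -> bool:
    """True if `ip` lies in any CIDR of the comma-separated InternalRange list."""
    ranges = internal_range or DEFAULT_INTERNAL_RANGES
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False  # not an IP address at all: treat as not internal
    for cidr in ranges.split(","):
        cidr = cidr.strip()
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def is_internal_hostname(host: str, internal_domain: str = "",
                         host_regex: str = "") -> bool:
    """Internal if the host carries one of the '|'-separated domain suffixes,
    or if its first label fully matches the naming-convention regex (assumption)."""
    h = host.strip().lower()
    for dom in (d.strip().lower() for d in internal_domain.split("|")):
        if dom and (h == dom or h.endswith("." + dom)):
            return True
    if host_regex and re.fullmatch(host_regex, h.split(".")[0]):
        return True
    return False


def should_auto_isolate(incident_severity: float, auto_isolation: float = 3) -> bool:
    """AutoIsolation is a threshold: isolate once the incident severity reaches it."""
    return incident_severity >= auto_isolation
```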

## Playbook Outputs

There are no outputs for this playbook.