Enrichment for Verdict

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook checks prior alert closing reasons and performs enrichment on different IOC types. It then returns the information needed to establish the alert's verdict.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Domain Enrichment - Generic v2
  • File Reputation
  • URL Enrichment - Generic v2
  • IP Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • AWS IAM - User enrichment

Integrations

This playbook does not use any integrations.

Scripts

  • IsIntegrationAvailable
  • Set
  • SearchIncidentsV2

Commands

  • wildfire-report
  • wildfire-get-verdict

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| threshold | The number of previous alerts that were closed as false positive alerts. This threshold establishes whether the Previous Verdict key will be marked as false positive. | 5 | Optional |
| query | A query for the previous alerts search. Use a free-form query (Lucene syntax) as a filter. All other filters are ignored when this filter is used. | (initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and alertsource:${alert.sourceBrand} and alertname:${alert.name} | Optional |
| CloseReason | The closing reason of the previous alerts to search for. Possible values are: Resolved - Threat Handled; Resolved - True Positive; Resolved - False Positive; Resolved - Security Testing; Resolved - Known Issue; Resolved - Duplicate Incident; Resolved - Other; Resolved - Auto | Resolved - False Positive,Resolved - Duplicate Incident,Resolved - Known Issue | Optional |
| FileMD5 | File MD5 to enrich and give verdict. |  | Optional |
| FileSHA256 | File SHA256 to enrich and give verdict. | alert.initiatorsha256 | Optional |
| IP | IP address to enrich and give verdict. | alert.hostip | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges is: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the default list provided in the IsIPInRanges script (the known IPv4 private address ranges) is used. |  | Optional |
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/False). |  | Optional |
| URL | URL to enrich and give verdict. | alert.url | Optional |
| User | User to enrich and give verdict (AWS IAM or Active Directory). | alert.username | Optional |
| Domain | Domain to enrich and give verdict. | alert.domainname | Optional |
| awsUser | Name of the AWS IAM user to enrich. |  | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| PreviousVerdict | Suspected verdict for previous alerts. | string |
| VTFileVerdict | Check for VirusTotal verdict. | unknown |
| NSRLFileVerdict | Check for the file presence in NSRL DB. | unknown |
| VTFileSigners | Check VirusTotal if the file is signed by a trusted publisher. | unknown |
| XDRFileSigners | Check XDR alert if the file is signed by a trusted publisher. | unknown |
| IP | The IP objects. | unknown |
| DBotScore | Indicator's DBot Score, DBot Type and Vendor. | unknown |
| Endpoint | The endpoint's object. | unknown |
| URL | The URL object. | unknown |
| AWS.IAM.Users | AWS IAM user information. | unknown |
| AWS.IAM.Users.AccessKeys | AWS IAM user access keys information. | unknown |
| Account | The account object. | unknown |
| ActiveDirectory.Users | Active Directory user information. | unknown |
| IPVerdict | Specifies whether the IP addresses were found as suspicious. | unknown |
| URLVerdict | Specifies whether the URLs were found as suspicious. | unknown |
| FileVerdict | Specifies whether the files were found as suspicious. | unknown |
| WildFire.Report | WildFire report object. | unknown |
| WildFire.Report.verdict | The verdict of the report. | unknown |
| WildFire.Verdicts.Verdict | Verdict of the file. | unknown |
| WildFire.Verdicts.VerdictDescription | Description of the file verdict. | unknown |
| DomainVerdict | Domain verdict. | unknown |
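The following is an added illustration of how the threshold, CloseReason and query inputs above combine into the PreviousVerdict output; it is not the playbook's own code (the real playbook does this with the SearchIncidentsV2 and Set scripts). The placeholder substitution, the "False Positive"/"Unknown" result strings and the prior-alert records are assumptions constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Defaults copied from this playbook's inputs table.
DEFAULT_QUERY = ("(initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) "
                 "and alertsource:${alert.sourceBrand} and alertname:${alert.name}")
DEFAULT_CLOSE_REASONS = ("Resolved - False Positive,Resolved - Duplicate Incident,"
                         "Resolved - Known Issue")
DEFAULT_THRESHOLD = 5


def render_query(template: str, context: Dict[str, str]) -> str:
    """Fill ${path} placeholders from a flat dict of context paths (a simplified
    stand-in for XSOAR's own transformer; assumption, not platform code).
    Refuses to build a query when both file hash and IP are empty, because the
    'or' clause would then have nothing to match prior alerts on."""
    if not context.get("inputs.FileSHA256") and not context.get("inputs.IP"):
        raise ValueError("need at least one of FileSHA256 or IP to search prior alerts")
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), ""), template)


def parse_close_reasons(value: str) -> set:
    """The CloseReason input is a comma-separated list; values carry spaces."""
    return {r.strip() for r in value.split(",") if r.strip()}


def previous_verdict(prior_alerts: Iterable[dict], close_reasons: set,
                     threshold: int) -> Dict[str, object]:
    """Count prior alerts whose closeReason is one of the configured reasons and
    compare the count against the threshold. Alerts closed for any other reason
    (e.g. True Positive) are ignored. Result strings are assumed values."""
    matched = [a for a in prior_alerts if a.get("closeReason") in close_reasons]
    verdict = "False Positive" if len(matched) >= threshold else "Unknown"
    return {"PreviousVerdict": verdict, "matched": len(matched)}


# Constructed sample: what a prior-alert search might return for the query.
SAMPLE_PRIOR_ALERTS: List[dict] = [
    {"id": "1", "closeReason": "Resolved - False Positive"},
    {"id": "2", "closeReason": "Resolved - False Positive"},
    {"id": "3", "closeReason": "Resolved - Known Issue"},
    {"id": "4", "closeReason": "Resolved - True Positive"},    # not counted
    {"id": "5", "closeReason": "Resolved - Duplicate Incident"},
    {"id": "6", "closeReason": "Resolved - Security Testing"},  # not counted
]

if __name__ == "__main__":
    ctx = {"inputs.FileSHA256": "<placeholder-sha256>", "inputs.IP": "",
           "alert.sourceBrand": "ExampleSource", "alert.name": "Example alert"}
    print(render_query(DEFAULT_QUERY, ctx))
    reasons = parse_close_reasons(DEFAULT_CLOSE_REASONS)
    print(previous_verdict(SAMPLE_PRIOR_ALERTS, reasons, DEFAULT_THRESHOLD))  # 4 matched, below 5
    print(previous_verdict(SAMPLE_PRIOR_ALERTS, reasons, 3))                  # 4 matched, at/above 3
```

With the default threshold of 5 the four qualifying closures are not enough, so the verdict stays Unknown; lowering the threshold to 3 flips it to False Positive.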

Playbook Image

[Playbook image: Enrichment for Verdict]