
Enrichment for Verdict

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook checks the closing reasons of prior alerts that match the current one, then performs enrichment and prevalence checks on the supplied IOC types (file hashes, IP addresses, URLs, domains, accounts, processes, command lines and registry keys). It returns the information needed to establish the alert's verdict.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • IP Enrichment - Generic v2
  • Domain Enrichment - Generic v2
  • URL Enrichment - Generic v2
  • Get prevalence for IOCs
  • Account Enrichment - Generic v2.1
  • File Reputation

Integrations

This playbook does not use any integrations.

Scripts

  • IsIntegrationAvailable
  • Set
  • SearchIncidentsV2

Commands

  • wildfire-get-verdict
  • wildfire-report

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| threshold | The number of previous alerts that were closed as false positive alerts. This threshold establishes whether the PreviousVerdict key will be marked as false positive. | alert.hostip | Optional |
| query | A query for the previous alerts search. Use a free-form query (Lucene syntax) as a filter. All other filters are ignored when this filter is used. | (initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and sourceBrand:"${alert.sourceBrand}" and name:"${alert.name}" | Optional |
| CloseReason | The closing reason of the previous alerts to search for. Possible values: Resolved - Threat Handled, Resolved - True Positive, Resolved - False Positive, Resolved - Security Testing, Resolved - Known Issue, Resolved - Duplicate Incident, Resolved - Other, Resolved - Auto. | Resolved - False Positive,Resolved - Duplicate Incident,Resolved - Known Issue | Optional |
| FileMD5 | File MD5 to enrich and give a verdict on. | | Optional |
| FileSHA256 | File SHA256 to enrich and give a verdict on. | alert.initiatorsha256 | Optional |
| IP | IP address to enrich and give a verdict on. | alert.hostip | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas, for example: 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16. If no list is provided, the default list in the IsIPInRanges script (the known IPv4 private address ranges) is used. | | Optional |
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/False). | | Optional |
| URL | URL to enrich and give a verdict on. | alert.url | Optional |
| User | User to enrich and give a verdict on (AWS IAM or Active Directory). | alert.username | Optional |
| Domain | Domain to enrich and give a verdict on. | alert.domainname | Optional |
| awsUser | Name of the AWS IAM user to enrich. | | Optional |
| CommandLine | The command line to run the prevalence check on. | | Optional |
| ProcessName | The process name to run the prevalence check on. | | Optional |
| RegistryKey | The registry key to run the prevalence check on. The RegistryValue input must be provided as well. | | Optional |
| RegistryValue | The registry value to run the prevalence check on. The RegistryKey input must be provided as well. | | Optional |

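The following is an added illustration of the logic the threshold, query, CloseReason and InternalRange inputs describe. It is not code from the playbook or the Cortex XSOAR content repository: the previous-alert search is stood in for by a constructed list of records, the query template uses flat placeholder names instead of XSOAR's ${inputs.X} / ${alert.X} references, and the function names, the "False Positive" / "Unknown" labels and the >= threshold comparison are assumptions of this example.

```python
import ipaddress
from string import Template

# Query template mirroring the playbook's default `query` input. XSOAR's
# ${inputs.X} / ${alert.X} context references are replaced with flat
# placeholder names because string.Template identifiers cannot contain
# dots (an assumption of this illustration, not XSOAR syntax).
DEFAULT_QUERY = (
    "(initiatorsha256:${FileSHA256} or hostip:${IP}) "
    'and sourceBrand:"${sourceBrand}" and name:"${name}"'
)

# Default `CloseReason` input, as the comma-separated string in the table.
DEFAULT_CLOSE_REASONS = (
    "Resolved - False Positive,Resolved - Duplicate Incident,Resolved - Known Issue"
)

# Default `InternalRange`: the IPv4 private ranges named in the input table.
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"

# Constructed sample of what a previous-alert search might return.
# Only the field this example reads is included; the records are made up.
PREVIOUS_ALERTS = [
    {"id": "101", "closeReason": "Resolved - False Positive"},
    {"id": "102", "closeReason": "Resolved - Known Issue"},
    {"id": "103", "closeReason": "Resolved - True Positive"},
    {"id": "104", "closeReason": "Resolved - False Positive"},
    {"id": "105", "closeReason": ""},  # still open: no closing reason yet
]


def parse_list(value):
    """Split a comma-separated playbook input into trimmed, non-empty items."""
    if value is None:
        return []
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    return [str(item).strip() for item in value]


def lucene_quote(value):
    """Escape backslashes and double quotes so a value can sit inside "..."
    in the Lucene query without terminating the quoted term."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_query(file_sha256, ip, source_brand, alert_name):
    """Fill the default query template. Values inside quoted fields are
    escaped; the hash and IP are bare terms, as in the playbook default."""
    return Template(DEFAULT_QUERY).substitute(
        FileSHA256=file_sha256,
        IP=ip,
        sourceBrand=lucene_quote(source_brand),
        name=lucene_quote(alert_name),
    )


def previous_verdict(alerts, close_reasons=DEFAULT_CLOSE_REASONS, threshold=2):
    """Count previous alerts whose closing reason is one of `close_reasons`
    and compare the count with `threshold`.

    Returns (verdict, matched_count). Reaching the threshold marks
    PreviousVerdict as "False Positive"; otherwise it stays "Unknown".
    Both labels and the >= comparison are assumptions of this example."""
    wanted = set(parse_list(close_reasons))
    matched = [a for a in alerts if (a.get("closeReason") or "").strip() in wanted]
    verdict = "False Positive" if len(matched) >= int(threshold) else "Unknown"
    return verdict, len(matched)


def is_internal_ip(ip, internal_range=None):
    """Return True if `ip` falls in any CIDR of `internal_range` (comma
    separated). An empty range list falls back to the IPv4 private ranges,
    as the InternalRange input describes. Raises ValueError on bad input
    rather than silently treating an unparsable address as external."""
    cidrs = parse_list(internal_range) or parse_list(DEFAULT_INTERNAL_RANGES)
    networks = [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
    address = ipaddress.ip_address(ip)
    return any(address in network for network in networks)


if __name__ == "__main__":
    print(build_query("a" * 64, "10.0.0.5", "Cortex XDR - IR", 'Suspicious "cmd"'))
    print(previous_verdict(PREVIOUS_ALERTS))               # ('False Positive', 3)
    print(previous_verdict(PREVIOUS_ALERTS, threshold=4))  # ('Unknown', 3)
    print(is_internal_ip("10.0.0.5"), is_internal_ip("8.8.8.8"))  # True False
```

Two points worth keeping in mind when tuning the real inputs: an alert that is still open has no closing reason and is never counted, so the threshold is measured only against resolved alerts, and a threshold of 0 would mark every alert as a false positive before any search result is examined. Quoted fields in the query must be escaped if the alert name can contain double quotes, otherwise the Lucene term terminates early and the search silently widens.
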
Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| PreviousVerdict | Suspected verdict for previous alerts. | string |
| VTFileVerdict | VirusTotal verdict for the file. | unknown |
| NSRLFileVerdict | Whether the file is present in the NSRL database. | unknown |
| VTFileSigners | Whether VirusTotal reports the file as signed by a trusted publisher. | unknown |
| XDRFileSigners | Whether the XDR alert reports the file as signed by a trusted publisher. | unknown |
| IP | The IP objects. | unknown |
| DBotScore | The indicator's DBot score, type and vendor. | unknown |
| Endpoint | The endpoint object. | unknown |
| URL | The URL object. | unknown |
| AWS.IAM.Users | AWS IAM user information. | unknown |
| AWS.IAM.Users.AccessKeys | AWS IAM user access key information. | unknown |
| Account | The account object. | unknown |
| ActiveDirectory.Users | Active Directory user information. | unknown |
| IPVerdict | Specifies whether the IP addresses were found to be suspicious. | unknown |
| URLVerdict | Specifies whether the URLs were found to be suspicious. | unknown |
| FileVerdict | Specifies whether the files were found to be suspicious. | unknown |
| WildFire.Report | WildFire report object. | unknown |
| WildFire.Report.verdict | The verdict of the report. | unknown |
| WildFire.Verdicts.Verdict | Verdict of the file. | unknown |
| WildFire.Verdicts.VerdictDescription | Description of the file verdict. | unknown |
| DomainVerdict | Domain verdict. | unknown |
| Core.AnalyticsPrevalence.Ip.value | Whether the IP address is prevalent or not. | unknown |
| Core.AnalyticsPrevalence.Ip.data.global_prevalence.value | The global prevalence of the IP. | unknown |
| Core.AnalyticsPrevalence.Ip.data.local_prevalence.value | The local prevalence of the IP. | unknown |
| Core.AnalyticsPrevalence.Hash.value | Whether the hash is prevalent or not. | unknown |
| Core.AnalyticsPrevalence.Hash.data.global_prevalence.value | The global prevalence of the hash. | unknown |
| Core.AnalyticsPrevalence.Hash.data.local_prevalence.value | The local prevalence of the hash. | unknown |
| Core.AnalyticsPrevalence.Domain.value | Whether the domain is prevalent or not. | unknown |
| Core.AnalyticsPrevalence.Domain.data.global_prevalence.value | The global prevalence of the domain. | unknown |
| Core.AnalyticsPrevalence.Domain.data.local_prevalence.value | The local prevalence of the domain. | unknown |
| Core.AnalyticsPrevalence.Process.value | Whether the process is prevalent or not. | unknown |
| Core.AnalyticsPrevalence.Process.data.global_prevalence.value | The global prevalence of the process. | unknown |
| Core.AnalyticsPrevalence.Process.data.local_prevalence.value | The local prevalence of the process. | unknown |
| Core.AnalyticsPrevalence.Registry.value | Whether the registry key/value is prevalent or not. | unknown |
| Core.AnalyticsPrevalence.Registry.data.global_prevalence.value | The global prevalence of the registry key/value. | unknown |
| Core.AnalyticsPrevalence.Registry.data.local_prevalence.value | The local prevalence of the registry key/value. | unknown |
| Core.AnalyticsPrevalence.Cmd.value | Whether the command line is prevalent or not. | unknown |
| Core.AnalyticsPrevalence.Cmd.data.global_prevalence.value | The global prevalence of the command line. | unknown |
| Core.AnalyticsPrevalence.Cmd.data.local_prevalence.value | The local prevalence of the command line. | unknown |

Playbook Image

[Playbook image: Enrichment for Verdict]