
Local Analysis alert Investigation

This playbook is part of the Core - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

When an unknown executable, DLL, or macro attempts to run on a Windows or Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. Local analysis uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed with machine learning on WildFire threat intelligence.

Investigative Actions:

Investigate the executed process image and verify whether it is malicious using:

  • XDR trusted signers
  • VT trusted signers
  • VT detection rate
  • NSRL DB

Response Actions

The playbook's first response action is a containment plan based on the initial data provided in the alert. In that phase, the playbook executes:

  • Auto block indicators
  • Auto file quarantine
  • Manual endpoint isolation

The playbook then checks for additional activity using the Endpoint Investigation Plan sub-playbook, after which a second phase, consisting of containment and eradication, is executed.

This phase will execute the following containment actions:

  • Manual block indicators
  • Manual file quarantine
  • Auto endpoint isolation

And the following eradication actions:

  • Manual process termination
  • Manual file deletion
  • Manual reset of the user’s password

External resources:

Malware Protection Flow

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Wildfire Detonate and Analyze File
  • Endpoint Investigation Plan
  • Eradication Plan
  • Recovery Plan
  • Enrichment for Verdict
  • Handle False Positive Alerts
  • Containment Plan

Integrations

  • CortexCoreIR

Scripts

  • GetTime
  • UnzipFile

Commands

  • core-report-incorrect-wildfire
  • core-retrieve-file-details
  • closeInvestigation
  • internal-wildfire-get-report
  • core-retrieve-files

Playbook Inputs


Each input is listed with its description, default value, and whether it is required.

  • GraywareAsMalware
    Description: Whether to treat a Grayware verdict as Malware.
    Default value: False
    Required: Optional

  • AutoContainment
    Description: Whether to execute the containment plan tasks automatically or manually:
      * Isolate endpoint
      * Block indicators
      * Quarantine file
      * Disable user
    Setting this input affects both Containment Plan sub-playbooks. If it is not set, the default is True for the first occurrence and False for the second.
    Default value: True
    Required: Optional

  • AutoEradication
    Description: Whether to execute the eradication plan tasks automatically or manually:
      * Terminate process
      * Delete file
      * Reset the user's password
    Default value: False
    Required: Optional

  • FileRemediation
    Description: Should be either 'Quarantine' or 'Delete'.
    Default value: Quarantine
    Required: Optional

  • AutoRecovery
    Description: Whether to execute the Recovery playbook.
    Default value: False
    Required: Optional

  • AutoCloseAlert
    Description: Whether to close the alert automatically, or manually after an analyst's review.
    Default value: False
    Required: Optional

  • ShouldRescanBenign
    Description: Whether to rescan benign files (using WildFire detonate file).
    Default value: True
    Required: Optional

  • ShouldManualReviewFP
    Description: Whether to ask for a manual review before false positive handling. Should be True or False.
    Default value: False
    Required: Optional
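To make the investigative checks and the input-driven routing concrete, here is an added Python model of the decisions described above. It is not the playbook's own code and not part of the Cortex XSOAR pack: the EnrichedFile record, the precedence order between the four checks, the 10% VirusTotal detection-rate threshold, and the task names are assumptions constructed for this illustration. It shows how the verdict checks (trusted signers, VT detection rate, NSRL) combine with GraywareAsMalware, and how AutoContainment, AutoEradication and FileRemediation decide which tasks run automatically and which wait for an analyst.

```python
"""Added illustration (not part of the Cortex XSOAR playbook or its pack code):
a stand-alone model of the verdict and response-routing decisions the
playbook description outlines. Field names, thresholds and precedence order
are assumptions constructed for this example."""
from dataclasses import dataclass


@dataclass
class EnrichedFile:
    """Constructed enrichment record for the executed process image."""
    sha256: str
    xdr_trusted_signer: bool = False        # signer is on the XDR trusted-signers list
    vt_trusted_signer: bool = False         # signer is on VirusTotal's trusted-signers list
    vt_detections: int = 0                  # VT engines flagging the file
    vt_total_engines: int = 0               # VT engines that scanned the file
    in_nsrl: bool = False                   # hash is in the NIST NSRL known-good set
    local_analysis_verdict: str = "unknown"  # e.g. "malware", "grayware", "benign"


# Assumed threshold: a VT detection ratio at or above this counts as malicious.
VT_MALICIOUS_RATIO = 0.10


def file_verdict(f: EnrichedFile, grayware_as_malware: bool = False) -> str:
    """Combine the four investigative checks into one verdict.

    Precedence (an assumption of this example): a trusted signer or NSRL
    membership establishes 'benign'; otherwise the VT detection rate and the
    local-analysis verdict decide. Returns 'benign', 'malicious' or 'suspicious'.
    """
    if f.xdr_trusted_signer or f.vt_trusted_signer or f.in_nsrl:
        return "benign"
    if f.vt_total_engines and f.vt_detections / f.vt_total_engines >= VT_MALICIOUS_RATIO:
        return "malicious"
    verdict = f.local_analysis_verdict.lower()
    if verdict == "malware":
        return "malicious"
    if verdict == "grayware":
        # GraywareAsMalware decides whether grayware is escalated.
        return "malicious" if grayware_as_malware else "suspicious"
    # Low detection rate and no decisive local verdict: leave it for analyst review.
    return "suspicious"


# Task names taken from the input descriptions above.
CONTAINMENT_TASKS = ("Isolate endpoint", "Block indicators", "Quarantine file", "Disable user")
ERADICATION_TASKS = ("Terminate process", "Delete file", "Reset the user's password")


def route_response(verdict: str, auto_containment: bool = True,
                   auto_eradication: bool = False,
                   file_remediation: str = "Quarantine") -> dict:
    """Map a verdict plus the playbook inputs to automatic and manual task lists.

    AutoContainment and AutoEradication switch each plan between automatic and
    manual execution; FileRemediation selects the file action. Benign files get
    no response, and eradication runs only on a malicious verdict.
    """
    if file_remediation not in ("Quarantine", "Delete"):
        raise ValueError("FileRemediation must be 'Quarantine' or 'Delete'")
    plan = {"auto": [], "manual": [], "file_action": file_remediation}
    if verdict == "benign":
        return plan
    plan["auto" if auto_containment else "manual"].extend(CONTAINMENT_TASKS)
    if verdict == "malicious":
        plan["auto" if auto_eradication else "manual"].extend(ERADICATION_TASKS)
    return plan


if __name__ == "__main__":
    # Constructed sample: unsigned binary, 12 of 60 VT engines flag it.
    sample = EnrichedFile(sha256="<placeholder-sha256>", vt_detections=12, vt_total_engines=60)
    v = file_verdict(sample)
    print(v, route_response(v))
```

With the documented defaults (AutoContainment True, AutoEradication False) a malicious verdict yields automatic containment and manual eradication, which matches the two-phase flow described in the Response Actions section.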

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Playbook image: Local Analysis alert Investigation]