Skip to main content

Malware Investigation & Response Incident Handler

This Playbook is part of the Malware Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is triggered by a malware incident from an endpoint integration. It performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and EDR integrations grab all additional data. Currently supported EDR integrations are XDR, CrowdStrike Falcon, and Microsoft Defender for Endpoint. Currently supported SIEM integrations are QRadar and Splunk.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Cortex XDR Malware - Investigation And Response
  • MDE Malware - Investigation and Response
  • Malware SIEM Ingestion - Get Incident Data
  • CrowdStrike Falcon Malware - Investigation and Response


This playbook does not use any integrations.


  • SetMultipleValues
  • Set
  • AssignAnalystToIncident


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
OnCallDefine whether to assign OnCall to this flow.
Possible values: True/False.
Leave it empty if you do want not to assign an analyst to the incident.
EnableDeduplicationWhether the deduplication playbook will be used.FalseOptional
DedupLimitThe maximum number of incidents to query and set to context data.200Optional
DedupCloseSimilar"Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed.
For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed.
The value should be between 0 and 1 [0=low similarity , 1=identical]."
DedupHandleSimilar"This input defines how to handle Similar incidents.
You may choose between: ""Link"", ""Close"", ""Link and Close"".
Note: that closing incidents will require you to define ""CloseSimilar"" input as well.
Also, note that the closer will apply on at least one of the options (indicators or fields) which will match the ""closer percentage"" criteria.
Default: Link "
SIEMEDRProductToUseFor EDR alerts routed through a SIEM, provide the supported originating EDR. Possible values: CrowdStrike, XDR, or Microsoft Defender.Optional
EnableClosureStepsWhen closing an incident, whether to use closure steps to close automatically.TrueOptional
TicketProjectNameFor ticketing systems such as Jira a project name is required.Optional
OverrideSIEMSeverityWhether to set the severity according to the ScaleToSetSeverity and SeverityValuesMapping settings (True) or keep the original severity as mapped by the SIEM (False).FalseOptional
SIEMincidentFieldForIDThe name of the field that provides the external ID of the alert or incident in the EDR.${incident.externalsystemid}Optional
SIEMincidentFieldForTypeThe name of the field that specifies the type of the alert. For example in CrowdStrike this field specifies a detection or incident.${incident.externalcategoryname}Optional
TicketingSystemToUseThe name of the ticketing system to use, for example Jira or ServiceNow.Optional
AdvancedHuntingChoose True to run Advance Hunting queries through your relevant integrations. Note: It may take some time.TrueOptional
BenignTagNameThe name of the tag to apply for allowed indicators.Good_IndicatorOptional
MaliciousTagNameThe tag to assign for indicators to block.Bad_IndicatorOptional
RetrieveFileWhether file retrieval from the endpoint is allowed.TrueOptional
DetonateFileWhether file detonation is allowed on the sandbox.TrueOptional
AutoIsolationWhether host isolation is allowed.FalseOptional
AutoUnisolationWhether automatic un-isolation is allowed.FalseOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Malware Investigation & Response Incident Handler