Malware Investigation & Response Incident Handler
Malware Investigation and Response Pack.#
This Playbook is part of theSupported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook is triggered by a malware incident from an ‘Endpoint’ type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and the playbook uses the EDR integrations to grab all the additional data. Currently supported EDR integrations are XDR, CrowdStrike Falcon and Microsoft Defender for Endpoint and for SIEM QRadar and Splunk
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooks- Malware SIEM Ingestion - Get Incident Data
- CrowdStrike Falcon - Investigation and Response
- Cortex XDR - Malware Investigation And Response
- MDE Malware - Investigation and Response
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- Set
- SetMultipleValues
#
CommandsThis playbook does not use any commands.
#
Playbook InputsName | Description | Default Value | Required |
---|---|---|---|
SIEMEDRProductToUse | Values can be CrowdStrike, XDR, Microsoft Defender. Configure this setting if the fetching integration will be a SIEM and not the EDR product | Optional | |
RetrieveFile | Indicates if file retrieval from the endpoint is allowed. True/False | True | Optional |
DetonateFile | Indicates if file detonation is allowed on the sandbox. True/False | True | Optional |
EnableDeduplication | Indicates if the deduplication playbook will be used. True/False | False | Optional |
TicketingSystemToUse | The name of the ticketing system to use, for example Jira or ServiceNow | Optional | |
MaliciousTagName | The tag to assign for indicators to block. | Bad_Indicator | Optional |
AutoIsolation | Indicates if host isolation is allowed. True/False | False | Optional |
AutoUnisolation | Indicates if automatic un-isolation is allowed True/False | False | Optional |
BenignTagName | The name of the tag to apply for allowed indicators. | Good_Indicator | Optional |
SIEMincidentFieldForType | The name of the field that specifies the type of the alert. For example in CrowdStrike this specified if this is a detection or incident. | ${incident.externalcategoryname} | Optional |
SIEMincidentFieldForID | The name of the field that provides the external id of the alert or incident in the EDR. | ${incident.externalsystemid} | Optional |
OverrideSIEMSeverity | Indicates if to set the severity according to the ScaleToSetSeverity and SeverityValuesMapping settings (True) or keep the original severity as mapped by the SIEM (False) True/False | False | Optional |
TicketProjectName | For ticketing systems such as Jira a project name is required. | Optional | |
EnableClosureSteps | Indicates if use of closure steps is allow or incident will close automatically. True/False | True | Optional |
AdvancedHunting | Choose if you want to run Advance Hunting queries through your relevant integrations. Note that it may take some time. | True | Optional |
DedupHandleSimilar | "This input defines how to handle Similar incidents. You may choose between: ""Link"", ""Close"", ""Link and Close"". Note: that closing incidents will require you to define ""CloseSimilar"" input as well. Also, note that the closer will apply on at least one of the options (indicators or fields) which will match the ""closer percentage"" criteria. Default: Link " | Link | Optional |
DedupCloseSimilar | "Define if you would like to close incidents by a similarity percentage. The percentage will be the bottom border for closing inc. This option will close also exact matches as well ( if there are). Value should be between 0 to 1 [0=low similarity , 1=identical]" | 0.9 | Optional |
DedupLimit | The maximum number of incidents to query and set to context data.Default is: 200 | 200 | Optional |
#
Playbook OutputsThere are no outputs for this playbook.