Skip to main content

Malware Investigation & Response Incident Handler

This Playbook is part of the Malware Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is triggered by a malware incident from an ‘Endpoint’ type integration. The playbook performs enrichment, detonation, and hunting within the organization, and remediation on the malware. The playbook also covers the SIEM ingestion flow in which the fetching integration is the SIEM and the playbook uses the EDR integrations to grab all the additional data. Currently supported EDR integrations are XDR, CrowdStrike Falcon and Microsoft Defender for Endpoint and for SIEM QRadar and Splunk


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Malware SIEM Ingestion - Get Incident Data
  • CrowdStrike Falcon - Investigation and Response
  • Cortex XDR - Malware Investigation And Response
  • MDE Malware - Investigation and Response


This playbook does not use any integrations.


  • Set
  • SetMultipleValues


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
SIEMEDRProductToUseValues can be CrowdStrike, XDR, Microsoft Defender. Configure this setting if the fetching integration will be a SIEM and not the EDR productOptional
RetrieveFileIndicates if file retrieval from the endpoint is allowed.
DetonateFileIndicates if file detonation is allowed on the sandbox.
EnableDeduplicationIndicates if the deduplication playbook will be used.
TicketingSystemToUseThe name of the ticketing system to use, for example Jira or ServiceNowOptional
MaliciousTagNameThe tag to assign for indicators to block.Bad_IndicatorOptional
AutoIsolationIndicates if host isolation is allowed.
AutoUnisolationIndicates if automatic un-isolation is allowed
BenignTagNameThe name of the tag to apply for allowed indicators.Good_IndicatorOptional
SIEMincidentFieldForTypeThe name of the field that specifies the type of the alert. For example in CrowdStrike this specified if this is a detection or incident.${incident.externalcategoryname}Optional
SIEMincidentFieldForIDThe name of the field that provides the external id of the alert or incident in the EDR.${incident.externalsystemid}Optional
OverrideSIEMSeverityIndicates if to set the severity according to the ScaleToSetSeverity and SeverityValuesMapping settings (True) or keep the original severity as mapped by the SIEM (False)
TicketProjectNameFor ticketing systems such as Jira a project name is required.Optional
EnableClosureStepsIndicates if use of closure steps is allow or incident will close automatically.
AdvancedHuntingChoose if you want to run Advance Hunting queries through your relevant integrations. Note that it may take some time.TrueOptional
DedupHandleSimilar"This input defines how to handle Similar incidents.
You may choose between: ""Link"", ""Close"", ""Link and Close"".
Note: that closing incidents will require you to define ""CloseSimilar"" input as well.
Also, note that the closer will apply on at least one of the options (indicators or fields) which will match the ""closer percentage"" criteria.
Default: Link "
DedupCloseSimilar"Define if you would like to close incidents by a similarity percentage. The percentage will be the bottom border for closing inc.
This option will close also exact matches as well ( if there are).
Value should be between 0 to 1 [0=low similarity , 1=identical]"
DedupLimitThe maximum number of incidents to query and set to context data.Default is: 200200Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Malware Investigation & Response Incident Handler