Skip to main content

Malware SIEM Ingestion - Get Incident Data

This Playbook is part of the Malware Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook handles incident ingestion from a SIEM.
The user provides which EDR system to use, the field containing the incident ID or detection ID, and the field indicating whether the ingested item is an incident or detection.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • CrowdStrike Falcon - SIEM ingestion Get Incident Data
  • MDE SIEM ingestion - Get Incident Data


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
EDRProductToUseThe EDR to get data from when ingesting endpoint alerts using a SIEM. Values can be CrowdStrike or MDE.
SIEMincidentFieldForTypeThe name of the field specifying the alert type. For example, for CrowdStrike this field specifies a detection or an incident.${incident.externalcategoryname}Optional
SIEMincidentFieldForIDThe name of the field that provides the external ID of the alert or incident in the EDR.${incident.externalsystemid}Optional
OverrideSIEMSeverityWhether to set the severity according to the EDR severity scale and its mapping to Cortex XSOAR (True) or keep the original severity scale as mapped by the SIEM (False).FalseOptional

Playbook Outputs#

CrowdStrike.Detection.Behavior.FileNameThe file name of the behavior.unknown
CrowdStrike.Detection.Behavior.ScenarioThe scenario name of the behavior.unknown
CrowdStrike.Detection.Behavior.MD5The MD5 hash of the IOC of the behavior.unknown
CrowdStrike.Detection.Behavior.SHA256The SHA256 hash of the IOC of the behavior.unknown
CrowdStrike.Detection.Behavior.IOCTypeThe type of the IOC.unknown
CrowdStrike.Detection.Behavior.IOCValueThe value of the IOC.unknown
CrowdStrike.Detection.Behavior.CommandLineThe command line executed in the behavior.unknown
CrowdStrike.Detection.Behavior.UserNameThe user name related to the behavior.unknown
CrowdStrike.Detection.Behavior.SensorIDThe sensor ID related to the behavior.unknown
CrowdStrike.Detection.Behavior.ParentProcessIDThe ID of the parent process.unknown
CrowdStrike.Detection.Behavior.ProcessIDThe process ID of the behavior.unknown
CrowdStrike.Detection.Behavior.IDThe ID of the behavior.unknown
CrowdStrike.Detection.SystemThe system name of the detection.unknown
CrowdStrike.Detection.CustomerIDThe ID of the customer (CID).unknown
CrowdStrike.Detection.MachineDomainThe name of the domain of the detection machine.unknown
CrowdStrike.Detection.IDThe detection ID.unknown
CrowdStrike.Detection.ProcessStartTimeThe start time of the process that generated the detection.unknown
CrowdStrike.FoundDetectionsIndicates whether detections were found.unknown

Playbook Image#

Malware SIEM Ingestion - Get Incident Data