Palo Alto Networks - Malware Remediation

This Playbook is part of the Comprehensive Investigation by Palo Alto Networks Pack.

Deprecated

Use the Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.

This playbook performs malicious IOC remediation using Palo Alto Networks integrations.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • PAN-OS - Block URL - Custom URL Category
  • Add Indicator to Miner - Palo Alto MineMeld
  • PAN-OS - Block IP - Static Address Group
  • PAN-OS - Block IP - Custom Block Rule
  • Traps Quarantine Event
  • Traps Blacklist File
  • PAN-OS DAG Configuration
  • PAN-OS - Block IP and URL - External Dynamic List
  • Traps Isolate Endpoint
  • Cortex XDR - Isolate Endpoint
  • PAN-OS - Block Domain - External Dynamic List

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DAG | This input establishes whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. Specify the Dynamic Address Group tag name for IP handling. | | Optional |
| CustomURLCategory | This input establishes whether Palo Alto Networks Panorama or Firewall Custom URL Categories are used. Specify the category name for URL handling. | | Optional |
| CustomBlockRule | This input establishes whether Palo Alto Networks Panorama or Firewall custom block rules are used. Specify True to use Custom Block Rules. | False | Optional |
| IPListName | This input establishes whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for IP blockage. Specify the EDL name for IP handling. | | Optional |
| IP | Malicious IP addresses to block. | IP.Address | Optional |
| URL | Malicious URLs to block. | URL.Data | Optional |
| LogForwarding | Panorama log forwarding object name. | | Optional |
| StaticAddressGroup | This input establishes whether Palo Alto Networks Panorama or Firewall static address groups are used. Specify the static address group name for IP handling. | | Optional |
| Miner | This input establishes whether Palo Alto Networks MineMeld is used. Specify the Miner name to update with the malicious indicators. | | Optional |
| AutoCommit | This input establishes whether to commit the configuration automatically. Yes - commit automatically. No - commit manually. | No | Optional |
| URLListName | This input establishes whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for URL blockage. Specify the EDL name for URL handling. | | Optional |
| EDLServerIP | This input establishes whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used: the IP address of the web server on which the files are stored. The web server IP address is configured in the integration instance. | | Optional |
| Traps | This input establishes whether Palo Alto Networks Traps remediation will take place. Specify Yes/No. | | Optional |
| EndpointId | Traps endpoint ID to isolate. | | Optional |
| EventId | Traps event ID to perform file quarantine on. | | Optional |
| SHA256 | SHA256 to blacklist using Traps. | File.SHA256 | Optional |
| DomainListName | This input establishes whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for domain blockage. Specify the EDL name for domain handling. | | Optional |
| UseXDR | This input establishes whether Palo Alto Networks Cortex XDR remediation will take place. Specify Yes/No. | | Optional |
| xdr_endpoint_id | The endpoint ID (string) to isolate using Cortex XDR. You can retrieve the string from the xdr-get-endpoints command. | PaloAltoNetworksXDR.Endpoint.endpoint_id | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Playbook image: Palo Alto Networks - Malware Remediation]