Skip to main content

Post Intrusion Ransomware Investigation

This Playbook is part of the Ransomware Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are:

  • Encrypted file owner investigation
  • Endpoint forensic investigation
  • Active Directory investigation
  • Timeline of the breach investigation
  • Indicator and account enrichment

Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field)


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Endpoint Enrichment - Generic v2.1
  • Active Directory Investigation
  • Extract Indicators From File - Generic v2
  • Detonate File - Generic
  • Isolate Endpoint - Generic
  • Account Enrichment - Generic v2.1
  • File Enrichment - File reputation
  • Block Indicators - Generic v3


  • Active Directory Query v2
  • Rasterize


  • ReadFile


  • setIndicators
  • send-mail
  • relatedIncidents
  • setIncident
  • rasterize-email
  • ad-disable-account

Playbook Inputs#

NameDescriptionDefault ValueRequired
AutoRemediationDetermines whether to perform auto-isolation and remediation for the infected endpoint and indicators.
- True
- False. This is the default.
NotificationEmailThe email addresses to notify if there is a possibility of the malware spreading and infecting other endpoints.
Can be a CSV list.
EmailBodyThe malware notification message content.During an endpoint investigation in XSOAR, other infected endpoints were found, indicating the malware is spreading in your organization and requires your attention.
To get more information, go to this incident in XSOAR: ${}.
UserVerificationPossible values: True/False.
Whether to provide user verification for blocking IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Post Intrusion Ransomware Investigation