Skip to main content

WildFire Malware

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Containment Plan
  • Handle False Positive Alerts
  • Endpoint Investigation Plan
  • Enrichment for Verdict
  • Ticket Management - Generic
  • Recovery Plan


  • CortexCoreIR


  • GetTime


  • core-blocklist-files
  • setParentIncidentFields
  • closeInvestigation
  • core-report-incorrect-wildfire
  • core-allowlist-files

Playbook Inputs#

NameDescriptionDefault ValueRequired
sha256The SHA256 hash of the suspected file. Decided by the DT expression wether it's the initiator or the target file SHA256.alertOptional
GraywarePhishingAsMalwareWhether to treat grayware and phishing alerts as malware.trueOptional
AutoContainmentWhether to execute the containment plan (except isolation) automatically.
The specific containment playbook inputs should also be set to 'True'.
HostAutoContainmentWhether to automatically execute endpoint isolation in case there are investigation findings.trueOptional
BlockIndicatorsSet to True if you want to block the indicators.falseOptional
OriginalFileContainmentSet to True if you want to quarantine the original malicious file.trueOptional
RelatedFileContainmentSet to True to quarantine the identified files found in the investigation.trueOptional
FileRemediationChoose 'Quarantine' or 'Delete' to avoid file remediation conflicts.
For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and executes only file quarantine.
AutoMarkFPWhether to automatically mark alerts that were found as benign by the 'Enrichment for Verdict' playbook and report false positive alerts to WildFire. True/False.Optional
EmailAddressUser's email address to use when reporting false positive alerts to WildFire.Optional
ShouldCloseAutomaticallyWhether to automatically close the alert after investigation and remediation are finished. True/False.Optional
AutoRecoveryWhether to execute the Recovery playbook after the investigation and remediation are finished. True/False.Optional
QueryThe query for searching previous alerts based on the file we want to respond to. Decided by the If-Then-Else expression wether it's the initiator or the target file.alertOptional
ShouldOpenTicketWhether to open a ticket automatically in a ticketing system. (True/False).FalseOptional
serviceNowShortDescriptionA short description of the ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
serviceNowImpactThe impact for the new ticket. Leave empty for ServiceNow default impact.Optional
serviceNowUrgencyThe urgency of the new ticket. Leave empty for ServiceNow default urgency.Optional
serviceNowSeverityThe severity of the new ticket. Leave empty for ServiceNow default severity.Optional
serviceNowTicketTypeThe ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
serviceNowCategoryThe category of the ServiceNow ticket.Optional
serviceNowAssignmentGroupThe group to which to assign the new ticket.Optional
ZendeskPriorityThe urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".Optional
ZendeskRequesterThe user who requested this ticket.Optional
ZendeskStatusThe state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".Optional
ZendeskSubjectThe value of the subject field for this ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
ZendeskTagsThe array of tags applied to this ticket.Optional
ZendeskTypeThe type of this ticket. Allowed values are "problem", "incident", "question", or "task".Optional
ZendeskAssigneThe agent currently assigned to the ticket.Optional
ZendeskCollaboratorsThe users currently CC'ed on the ticket.Optional
descriptionThe ticket description.${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}Optional
addCommentPerEndpointWhether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.TrueOptional
CommentToAddComment for the ticket.${}. Alert ID: ${}Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

WildFire Malware