WildFire Malware
This Playbook is part of the Core Pack.
Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan.
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Containment Plan
- Handle False Positive Alerts
- Endpoint Investigation Plan
- Enrichment for Verdict
- Ticket Management - Generic
- Recovery Plan
Integrations
- CortexCoreIR
Scripts
- GetTime
Commands
- core-blocklist-files
- setParentIncidentFields
- closeInvestigation
- core-report-incorrect-wildfire
- core-allowlist-files
Playbook Inputs
| Name | Description | Default Value | Required |
|---|---|---|---|
| sha256 | The SHA256 hash of the suspected file. A DT expression decides whether the initiator or the target file SHA256 is used. | alert | Optional |
| GraywarePhishingAsMalware | Whether to treat grayware and phishing alerts as malware. | true | Optional |
| AutoContainment | Whether to execute the containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'. | true | Optional |
| HostAutoContainment | Whether to automatically execute endpoint isolation in case there are investigation findings. | true | Optional |
| BlockIndicators | Set to True if you want to block the indicators. | false | Optional |
| OriginalFileContainment | Set to True if you want to quarantine the original malicious file. | true | Optional |
| RelatedFileContainment | Set to True to quarantine the identified files found in the investigation. | true | Optional |
| FileRemediation | Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and executes only file quarantine. | Quarantine | Optional |
| AutoMarkFP | Whether to automatically mark alerts that were found as benign by the 'Enrichment for Verdict' playbook and report false positive alerts to WildFire. True/False. | | Optional |
| EmailAddress | User's email address to use when reporting false positive alerts to WildFire. | | Optional |
| ShouldCloseAutomatically | Whether to automatically close the alert after investigation and remediation are finished. True/False. | | Optional |
| AutoRecovery | Whether to execute the Recovery playbook after the investigation and remediation are finished. True/False. | | Optional |
| Query | The query for searching previous alerts based on the file we want to respond to. An If-Then-Else expression decides whether the initiator or the target file is used. | alert | Optional |
| ShouldOpenTicket | Whether to open a ticket automatically in a ticketing system. (True/False). | False | Optional |
| serviceNowShortDescription | A short description of the ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
| serviceNowImpact | The impact for the new ticket. Leave empty for ServiceNow default impact. | | Optional |
| serviceNowUrgency | The urgency of the new ticket. Leave empty for ServiceNow default urgency. | | Optional |
| serviceNowSeverity | The severity of the new ticket. Leave empty for ServiceNow default severity. | | Optional |
| serviceNowTicketType | The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident". | | Optional |
| serviceNowCategory | The category of the ServiceNow ticket. | | Optional |
| serviceNowAssignmentGroup | The group to which to assign the new ticket. | | Optional |
| ZendeskPriority | The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low". | | Optional |
| ZendeskRequester | The user who requested this ticket. | | Optional |
| ZendeskStatus | The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed". | | Optional |
| ZendeskSubject | The value of the subject field for this ticket. | XSIAM Incident ID - ${parentIncidentFields.incident_id} | Optional |
| ZendeskTags | The array of tags applied to this ticket. | | Optional |
| ZendeskType | The type of this ticket. Allowed values are "problem", "incident", "question", or "task". | | Optional |
| ZendeskAssigne | The agent currently assigned to the ticket. | | Optional |
| ZendeskCollaborators | The users currently CC'ed on the ticket. | | Optional |
| description | The ticket description. | ${parentIncidentFields.description}. ${parentIncidentFields.xdr_url} | Optional |
| addCommentPerEndpoint | Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False. | True | Optional |
| CommentToAdd | Comment for the ticket. | ${alert.name}. Alert ID: ${alert.id} | Optional |
Playbook Outputs
There are no outputs for this playbook.
Playbook Image
