Skip to main content


This popular Malware Content Pack helps you automate IOC extraction and enrichment, detonate malicious files, hunt for more IOCs ,and more.

Malware, or malicious software, is any program or file that is intentionally designed to be harmful to a computer, server, client, or computer network.
Malware investigations require security teams to reconcile data from multiple malware analysis and threat intelligence tools. Valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest.
This Malware content pack contains the ‘Endpoint Malware Investigation - Generic’ playbook, that automates response to a malware found on an endpoint. The pack also contains the corresponding custom malware incident fields, views, and layouts to facilitate analyst investigation.
The Malware playbooks orchestrate across multiple products to extract and enrich IOCs, detonate malicious files, hunt for more IOCs within the organization, and perform remediation on the host.

What does this pack do?

The playbooks included in this pack help you save time and automate repetitive tasks associated with malware incidents:

  • Create a malware incident within Cortex XSOAR associated with the malware.
  • Extract and enrich all relevant indicators from the source alert, including the source endpoint, malicious file, and all related IOCs.
  • Retrieve and analyze the malicious file and provide a reputation using your sandbox and threat intelligence integrations.
  • Calculate the severity for the incident based on the initial severity provided, indicator reputations, email authenticity checks, and critical assets if any are involved.
  • Engage with the analyst regarding potentially harmful tasks such as isolating the source endpoint and other infected endpoints found by the hunting playbook.
  • Remediate the incident by blocking malicious indicators.
  • Generate an investigation report to document the incident’s details.

As part of this pack, you will also get out-of-the-box malware incident type views, with incident classification mapping, fields, and a full layout. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs



Cortex XSOAR


CertificationRead more
Supported ByCortex XSOAR
CreatedJuly 26, 2020
Last ReleaseMay 3, 2022

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.