Comprehensive Investigation by Palo Alto Networks

Details
Content
Dependencies
Version History

Are you a Palo Alto Networks customer? We have just the content pack to help you orchestrate incident response across Palo Alto Networks products.

Responding and managing cyber security attacks requires security teams to reconcile data from a variety of different sources. Valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest.
This Palo Alto Networks Comprehensive Investigation content pack contains the ‘Palo Alto Networks - Endpoint Malware Investigation v3’ playbook, that automates response to a malware found on an endpoint, the ‘Palo Alto Networks - Malware Remediation’ playbook, that automates remediation strategies to many different cyber security incidents, and the ‘Palo Alto Networks - Hunting And Threat Detection’ playbook, that automates hunting for other affected entities in your organizations.
The pack also contains the corresponding custom malware incident views and layouts to facilitate analyst investigation.
These playbooks orchestrate across multiple products to extract and enrich IOCs, detonate malicious files, hunt for more IOCs within the organization, and perform remediation using only Palo Alto Networks products.

What does this pack do?

The playbooks included in this pack help you save time and automate repetitive tasks using Palo Alto Networks product integrations:

Find and link similar incidents
Extract and enrich all relevant indicators from the source alert
Calculate severity for the incident based on initial severity provided, indicator reputations, email authenticity check and critical assets if any are involved.
Hunt for related and affected indicators by leveraging Palo Alto Cortex data received by products
Remediate the incident by blocking malicious indicators using many different Palo Alto Networks products and techniques.
Generate an investigation report to document the incident’s details.

As part of this pack, you will also get out-of-the-box incident type views, with incident fields and a full layout. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

Palo Alto Networks - Endpoint Malware Investigation v3

What does this pack do?

The playbooks included in this pack help you save time and automate repetitive tasks using Palo Alto Networks product integrations:

Find and link similar incidents
Extract and enrich all relevant indicators from the source alert
Calculate severity for the incident based on initial severity provided, indicator reputations, email authenticity check and critical assets if any are involved.
Hunt for related and affected indicators by leveraging Palo Alto Cortex data received by products
Remediate the incident by blocking malicious indicators using many different Palo Alto Networks products and techniques.
Generate an investigation report to document the incident’s details.

As part of this pack, you will also get out-of-the-box incident type views, with incident fields and a full layout. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSIAM Developer Docs

Palo Alto Networks - Endpoint Malware Investigation v3

Automations

Name	Description
PanwIndicatorCreateQueries	The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.

Layouts

Name	Description
PANW Endpoint Malware Incident

Playbooks

Name	Description
Palo Alto Networks - Endpoint Malware Investigation v3	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.
Palo Alto Networks - Endpoint Malware Investigation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.
Palo Alto Networks - Malware Remediation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
Palo Alto Networks - Hunting And Threat Detection	This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks. The playbook leverages data received by PANW products including, Strata Logging Service, Autofocus and Pan-OS to search for IP addresses, host names and users related to the provided indicators. The output provided by the playbook enables you to find possibly affected IP addresses, users, and endpoints.

Automations

Name	Description
PanwIndicatorCreateQueries	The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.

Playbooks

Name	Description
Palo Alto Networks - Malware Remediation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
Palo Alto Networks - Hunting And Threat Detection	This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks. The playbook leverages data received by PANW products including, Strata Logging Service, Autofocus and Pan-OS to search for IP addresses, host names and users related to the provided indicators. The output provided by the playbook enables you to find possibly affected IP addresses, users, and endpoints.

Name

Description

Palo Alto Networks - Malware Remediation

Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.

Palo Alto Networks - Hunting And Threat Detection

This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks.
The playbook leverages data received by PANW products including, Strata Logging Service, Autofocus and Pan-OS to search for IP addresses, host names and users related to the provided indicators.
The output provided by the playbook enables you to find possibly affected IP addresses, users, and endpoints.

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

Optional Content Packs (7)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
AutoFocus by Palo Alto Networks	By: Cortex XSOAR
Strata Logging Service by Palo Alto Networks	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
WildFire by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.3.24 - 897231 (March 18, 2024)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.3.23 - 886558 (March 12, 2024)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Added a hash search enrichment using Cortex XDR.
Added an IP search enrichment using Prisma Cloud.

Related pull requests:
- 33244

Download

1.3.22 - R828628 (February 14, 2024)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Replaced references to Cortex Data Lake to Strata Logging Service.

Palo Alto Networks - Hunting And Threat Detection

Replaced references to Cortex Data Lake to Strata Logging Service.

Related pull requests:
- 31064

Download

1.3.21 - 7216131 (December 20, 2023)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Replaced the usage of the deprecated Demisto REST API integration with the Core REST API integration.

Related pull requests:
- 31388

Download

1.3.20 - 5940472 (August 2, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28679

Download

1.3.19 - R5692327 (July 5, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27577

Download

1.3.18 - 5450895 (June 5, 2023)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Updated the playbook to skip tasks which use commands of Cortex Data Lake integration if the Cortex Data Lake pack is not installed.

Related pull requests:
- 25505

Download

1.3.17 - 5418978 (June 1, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27113

Download

1.3.16 - R5170573 (May 2, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25934

Download

1.3.15 - 4851609 (March 19, 2023)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation

Deprecated. Use Malware Investigation and Response pack instead.

Palo Alto Networks - Endpoint Malware Investigation v3

Deprecated. Use Malware Investigation and Response pack instead.

Palo Alto Networks - Malware Remediation

Deprecated. Use Malware Investigation and Response pack instead.

Related pull requests:
- 25116

Download

1.3.14 - 4718798 (March 1, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24932

Download

1.3.13 - R4646022 (February 19, 2023)

Layouts

PANW Endpoint Malware Incident
This item is no longer supported in XSIAM.

Related pull requests:
- 24222

Download

1.3.12 - R4494864 (January 29, 2023)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Fixed an issue where the query pointed to the global context path instead of the playbook inputs.

Related pull requests:
- 21205

Download

1.3.11 - 3745478 (September 28, 2022)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Fixed an issue with the "Hunting And Threat Detection" task (id: 137) to use the correct playbook input "internal_range".

Related pull requests:
- 21415

Download

1.3.10 - R2146019 (December 21, 2021)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Fixed an issue where an incorrect name (inputs.IP addresses) is given in an sub-playbook argument.

Download

1.3.9 - 7772209 (September 25, 2021)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.9.7.24076.

Download

1.3.8 - 400661 (July 21, 2021)

Scripts

PanwIndicatorCreateQueries

Updated the AutoFocus hash query to use alias.hash_lookup.
Updated the Docker image to: demisto/python3:3.9.6.22912.

Download

1.3.7 - 388887 (June 23, 2021)

Scripts

PanwIndicatorCreateQueries

Upgraded the Docker image to: demisto/python3:3.9.5.21272.

Download

1.3.6 - 381353 (June 8, 2021)

Scripts

PanwIndicatorCreateQueries

Upgraded the Docker image to: demisto/python3:3.9.5.20958.

Download

1.3.5 - 269882 (February 2, 2021)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Replaced Rest API LinkIncident command with the builtin LinkIncident Command.

Download

1.3.4 - R264879 (January 27, 2021)

Improved pack description and updated documentation links.

Download

1.3.3 - 182367 (November 10, 2020)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Fixed bug in is enabled tasks.

Download

1.3.2 - R180529 (November 9, 2020)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

New playbook - "Palo Alto Networks - Endpoint Malware Investigation v3", including bug fixes for previous version
and new hunting sub-playbook.

Download

1.3.1 - 93891 (August 24, 2020)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Documentation and metadata improvements.

Download

1.3.0 - R90859 (August 19, 2020)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

New playbook.

Download

1.2.2 - 74226 (July 26, 2020)

Playbooks

Palo Alto Networks - Malware Remediation

Handled dependencies for the playbook.

Palo Alto Networks - Endpoint Malware Investigation v2

Handled dependencies for the playbook.

Palo Alto Networks - Endpoint Malware Investigation

Handled dependencies for the playbook.

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	March 18, 2024

Malware

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.