Cortex XDR - True Positive Incident Handling
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation.
Cortex XDR by Palo Alto Networks · 37 tasks · 14 inputs · 0 outputs
Inputs
Comment— Add comment to close this incident.Classification— Choose From - "Unknown" / "TruePositive"BlockTag— Specify the banning tag name for founded indicators.AutoIsolation— Indicates if automatic host isolation is allowed. True/FalseTicketProjectName— For ticketing systems such as Jira a project name is required.TicketingSystemToUse— The name of the ticketing system to use, for example Jira or ServiceNowFileSha256— Enter the File SHA256 you would like to block. Also, this input can be used in the Threat Hunting step.HostID— The ID of the host for running an isolation process.FilePaths— Enter the File paths you would like to delete.ManuallyChooseIOCForHunting— This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.IP— IP value to hunt for.MD5— MD5 file value to hunt for.URL_or_Domain— URL or domain to hunt for.FileSha1— File SHA1 value to hunt on.
Commands used
closeInvestigation
jira-create-issue
setIncident
setIndicators
xdr-blocklist-files
xdr-file-delete-script-execute