Cortex XDR - True Positive Incident Handling

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a true-positive incident closure for Cortex XDR - Malware Investigation.

Cortex XDR by Palo Alto Networks · 37 tasks · 14 inputs · 0 outputs

Inputs

  • Comment — Add comment to close this incident.
  • Classification — Choose From - "Unknown" / "TruePositive"
  • BlockTag — Specify the banning tag name for founded indicators.
  • AutoIsolation — Indicates if automatic host isolation is allowed. True/False
  • TicketProjectName — For ticketing systems such as Jira a project name is required.
  • TicketingSystemToUse — The name of the ticketing system to use, for example Jira or ServiceNow
  • FileSha256 — Enter the File SHA256 you would like to block. Also, this input can be used in the Threat Hunting step.
  • HostID — The ID of the host for running an isolation process.
  • FilePaths — Enter the File paths you would like to delete.
  • ManuallyChooseIOCForHunting — This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.
  • IP — IP value to hunt for.
  • MD5 — MD5 file value to hunt for.
  • URL_or_Domain — URL or domain to hunt for.
  • FileSha1 — File SHA1 value to hunt on.

Commands used

closeInvestigation jira-create-issue setIncident setIndicators xdr-blocklist-files xdr-file-delete-script-execute

Flowchart

true true JIRA SNOW true true true true true No Hunting yes yes Start Start Done Done Close XSOAR incident - closeInvestigation Close XSOAR incident closeInvestigation Approve isolation Approve isolation Is auto isolation allowed? Is auto isolation allowed? Incident Auditing Incident Auditing Is a ticketing system defined? Is a ticketing system def... Done auditing step Done auditing step Block Indicators Block Indicators Confirm Indicators to block Confirm Indicators to block Tag Indicators - setIndicators Tag Indicators setIndicators Done block indicators Done block indicators Isolate system/s Isolate system/s Done with isolating the infected device Done with isolating the i... Final Closure Final Closure Open Snow ticket Open Snow ticket Open Jira ticket - jira-create-issue Open Jira ticket jira-create-issue Is ServiceNow Available? - IsIntegrationAvailable Is ServiceNow Available? IsIntegrationAvailable Is Jira Available? - IsIntegrationAvailable Is Jira Available? IsIntegrationAvailable Done cleaning malicious file Done cleaning malicious file Clean Malicious Files Clean Malicious Files Cortex XDR - Isolate Endpoint - Cortex XDR - Isolate Endpoint Cortex XDR - Isolate Endp... Cortex XDR - Isolate Endpoint Create IOCs in Cortex XDR - Banned Hashes - xdr-blocklist-files Create IOCs in Cortex XDR... xdr-blocklist-files Confirm which File Path will be deleted Confirm which File Path w... Was there any hash selected? Was there any hash selected? Was there any hash selected? Was there any hash selected? Containment Containment Threat Hunting Threat Hunting Remediation Remediation Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Should the analyst choose the indicators to hunt? Should the analyst choose... Specify IOCs to hunt upon Specify IOCs to hunt upon Tag the threat hunting results as Evidence - AddEvidence Tag the threat hunting re... AddEvidence Add 'Found additional assets' tag to the incident - setIncident Add 'Found additional ass... setIncident Are there any results? Are there any results? Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic xdr-file-delete-script-execute - xdr-file-delete-script-execute xdr-file-delete-script-ex... xdr-file-delete-script-execute