Cortex XDR Malware - Incident Enrichment
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enriches the Cortex XDR incident. The enrichment is done on the involved endpoint and Mitre technique ID information, and sets the 'Malware-Investigation and Response' layout.
Cortex XDR by Palo Alto Networks · 24 tasks · 1 input · 15 outputs
Inputs
IncidentID— The incident ID to be enriched.
Outputs
PaloAltoNetworksXDR.Incident— Cortex XDR incident information.File— File information.Process— Process information.IP— IP information.Domain— Domain information.Endpoint.ID— The endpoint identifier.Endpoint.Hostname— The host name that is mapped to this endpoint.Endpoint.OS— The endpoint operating system.Endpoint.OSVersion— The endpoint operating system version.Endpoint.IPAddress— The endpoint IP address or list of IP addresses.Endpoint.Status— The health status of the endpoint.Endpoint.MACAddress— The endpoint MAC address.Endpoint.Vendor— The integration name of the endpoint vendor.AttackPattern— Array of attack pattern names and IDs.MITREATTACK— The full MITRE data for the attack pattern.
Commands used
endpoint
extractIndicators
setIncident
xdr-get-incident-extra-data