Cortex XDR Malware - Investigation And Response

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook investigates Cortex XDR malware incidents. It uses: - Cortex XDR insights - Command Line Analysis - Dedup - Sandbox hash search and detonation - Cortex XDR enrichment - Incident Handling (True/False Positive).

Cortex XDR by Palo Alto Networks · 43 tasks · 17 inputs · 1 output

Inputs

  • EnableDeduplication — Whether the deduplication playbook will be used.
  • AutoIsolation — Whether endpoint isolation is allowed.
  • RetrieveFile — Whether file retrieval from the endpoint is allowed.
  • TicketingSystemToUse — The name of the ticketing system to use, for example, Jira, or ServiceNow. (Used in case incident is classified as True Positive).
  • TicketProjectName — The ticket project name. (Required for Jira).
  • MaliciousTagName — The tag to assign for indicators to block.
  • EnableClosureSteps — Whether the incident will be closed with closure steps or automatically.
  • DedupSimilarTextField — A comma-separated list of incident text fields to take into account when computing similarity. For example commandline, URL.
  • AutoUnisolation — Whether automatic un-isolation is allowed.
  • DedupLimit — The maximum number of incidents to query and set to context data.
  • DedupHandleSimilar — Defines how to handle Similar incidents. Choose between: "Link", "Close", "Link and Close". Note: Closing incidents requires you to define the "CloseSimilar" input as well. Also, the incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
  • DedupCloseSimilar — Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed. For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed. The value should be between 0 and 1 [0=low similarity , 1=identical].
  • DedupMinimunIncidentSimilarity — Retain incidents with a similarity score greater than the MinimunIncidentSimilarity. Value should be between 0 to 1 [0=low similarity, 1=identical]
  • BenignTagName — The name of the tag to apply for allowed indicators.
  • AdvancedHunting — 'Whether to run Advance Hunting queries through your Cortex XDR instance using the information on Alert Insights. Note: It may take some time.'
  • RunAllHuntMitreTactics — Whether to run the Advanced Hunting section for all Mitre Tactics.
  • DetonateFile — Whether file detonation is allowed on the sandbox.

Outputs

  • PaloAltoNetworksXDR.ScriptResult.results — Palo ALto Networks Script reuslts information.

Commands used

setIncident xdr-script-run

Flowchart

true Prevention true true true true true true true true true true true False Positive True Positive true true Start Start Use deduplication? Use deduplication? Deduplication Done Deduplication Done Sandbox Sandbox Any prevention actions? Any prevention actions? Check if there were any prevention Actions? Check if there were any p... Was the malicious hash Blocked? Was the malicious hash Bl... Manual Review if needed to proceed with the investigation Manual Review if needed t... Parse Finding from the sandboxes - InvestigationSummaryParse Parse Finding from the sa... InvestigationSummaryParse Is file retrieval allowed? Is file retrieval allowed? Were there any hashes without a verdict? Were there any hashes wit... Parse Findings Parse Findings Known File Known File Unknown File Unknown File Detonate and Analyze File - Generic - Detonate and Analyze File - Generic Detonate and Analyze File... Detonate and Analyze File - G... Is Detonate Allowed? Is Detonate Allowed? Conclusion Conclusion Done Done False / True Positive False / True Positive Dedup Dedup Raise the incident severity - setIncident Raise the incident severity setIncident Check if the device is not isolated? Check if the device is no... Command Line Analysis Command Line Analysis Command-Line Analysis - Command-Line Analysis Command-Line Analysis Command-Line Analysis Found any suspicious components? Found any suspicious comp... Set Tag `Suspicious Command-line` - setIncident Set Tag `Suspicious Comma... setIncident Is there a CMD line parameter? Is there a CMD line param... Cortex XDR Malware - Incident Enrichment - Cortex XDR Malware - Incident Enrichment Cortex XDR Malware - Inci... Cortex XDR Malware - Incident... Proceed To Closure Steps? Proceed To Closure Steps? Dedup - Generic v4 - Dedup - Generic v4 Dedup - Generic v4 Dedup - Generic v4 Search For Hash In Sandbox - Generic - Search For Hash In Sandbox - Generic Search For Hash In Sandbo... Search For Hash In Sandbox - ... Check Classification Check Classification Manual Handling Manual Handling Cortex XDR - True Positive Incident Handling - Cortex XDR - True Positive Incident Handling Cortex XDR - True Positiv... Cortex XDR - True Positive In... Cortex XDR - False Positive Incident Handling - Cortex XDR - False Positive Incident Handling Cortex XDR - False Positi... Cortex XDR - False Positive I... Advanced Hunting Advanced Hunting Cortex XDR - Endpoint Investigation - Cortex XDR - Endpoint Investigation Cortex XDR - Endpoint Inv... Cortex XDR - Endpoint Investi... Should run Advanced Hunting? Should run Advanced Hunting? Parse Findings From the Sandbox - InvestigationDetailedSummaryParse Parse Findings From the S... InvestigationDetailedSummaryP... Get Device's Process List - xdr-script-run Get Device's Process List xdr-script-run Check if the device is online Check if the device is on... Cortex XDR - Retrieve File by sha256 - Cortex XDR - Retrieve File by sha256 Cortex XDR - Retrieve Fil... Cortex XDR - Retrieve File by... Stop Triage SLA timer Stop Triage SLA timer