CrowdStrike Falcon Malware - Investigation and Response

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike Falcon malware investigation, including: - Extracting and displaying MITRE data from the EDR and sandboxes - Deduplicating similar incidents - Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox. - Verifying the actions taken by the EDR - Analyzing the command line - Searching for relevant hashes in additional hosts in the organization - Retrieving data about the host, including process list and network connections - Performing containment and mitigation actions as part of handling false/true positives - Setting the relevant layouts.

CrowdStrike Falcon · 49 tasks · 18 inputs · 2 outputs

Inputs

  • RetrieveFile — Whether file retrieval from the endpoint is allowed.
  • DetonateFile — Whether file detonation is allowed on the sandbox.
  • EnableDeduplication — Whether the deduplication playbook will be used.
  • EnableClosureSteps — When closing an incident, whether to use closure steps or to close automatically.
  • TicketingSystemToUse — The name of the ticketing system to use, for example Jira or ServiceNow (Used in case incident classified as True Positive).
  • BlockIOCTagName — The tag to assign for indicators to block.
  • AutoIsolation — Whether host isolation is allowed.
  • AllowIOCTagName — The name of the tag to apply for allowed indicators.
  • TicketProjectName — The ticket project name (required for Jira).
  • AutoUnisolation — Whether automatic un-isolation is allowed.
  • DidAlertOriginateFromSIEM — Whether the alert originated from a SIEM. If True, the incident enrichment flow does not run.
  • DedupHandleSimilar — This input defines how to handle similar incidents. Possible values: "Link " (default), "Close", and "Link and Close". Note: Close incidents requires you to define the "CloseSimilar" input as well. Also, the incidents found by similar indicators or fields will be closed if their similarity score is above the CloseSimilar value.
  • DedupLimit — The maximum number of incidents to query and set to context data.
  • DedupCloseSimilar — Defines the threshold of similarity to close a similar incident. All similar incidents with similarity above this value will be closed. For example, if CloseSimilar is set to .8 and an incident has a similarity score of .9, the incident will be closed. The value should be between 0 and 1 [0=low similarity , 1=identical].
  • ApplyOCGlobally — Whether to apply the IOC globally. If False, provide an input for the HostGroupName input with the group name.
  • HostGroupName — The name of the list group to apply if ApplyOCGlobally is set to False.
  • DedupSimilarTextField — A comma-separated list of incident text fields to take into account when computing similarity. For example commandline, URL.
  • DedupMinimunIncidentSimilarity — Retain incidents with a similarity score greater than the MinimunIncidentSimilarity. Value should be between 0 to 1 [0=low similarity, 1=identical]

Outputs

  • CrowdStrike — All the CrowdStrike data.
  • Endpoint — All the endpoint data.

Commands used

attack-pattern closeInvestigation setIncident

Flowchart

true true true true true true true true False Positive True Positive Unknown true Start Start Is file retrieval allowed? Is file retrieval allowed? Sandbox Sandbox Sandbox Done Sandbox Done Is detonation allowed? Is detonation allowed? Verdict and Closure Verdict and Closure False Positive False Positive Additional findings Additional findings Dedup - Generic v4 - Dedup - Generic v4 Dedup - Generic v4 Dedup - Generic v4 Deduplication Deduplication Use deduplication? Use deduplication? Deduplication Done Deduplication Done Known Files Known Files Unknown Files Unknown Files CrowdStrike Falcon - Get Endpoint Forensics Data - CrowdStrike Falcon - Get Endpoint Forensics Data CrowdStrike Falcon - Get ... CrowdStrike Falcon - Get Endp... Search For Hash In Sandbox - Generic - Search For Hash In Sandbox - Generic Search For Hash In Sandbo... Search For Hash In Sandbox - ... Were all the hashes found by the sandbox? Were all the hashes found... CrowdStrike Falcon - False Positive Incident Handling - CrowdStrike Falcon - False Positive Incident Handling CrowdStrike Falcon - Fals... CrowdStrike Falcon - False Po... CrowdStrike Falcon - True Positive Incident Handling - CrowdStrike Falcon - True Positive Incident Handling CrowdStrike Falcon - True... CrowdStrike Falcon - True Pos... Done Done Close XSOAR incident as True Positive - closeInvestigation Close XSOAR incident as ... closeInvestigation Close XSOAR incident as False Positive - closeInvestigation Close XSOAR incident as F... closeInvestigation Parse results for summary - InvestigationSummaryParse Parse results for summary InvestigationSummaryParse Detonate and Analyze File - Generic - Detonate and Analyze File - Generic Detonate and Analyze File... Detonate and Analyze File - G... Verify Host State Verify Host State CrowdStrike Falcon Malware - Verify Containment Actions - CrowdStrike Falcon Malware - Verify Containment Actions CrowdStrike Falcon Malwar... CrowdStrike Falcon Malware - ... CrowdStrike Falcon - Search Endpoints By Hash - CrowdStrike Falcon - Search Endpoints By Hash CrowdStrike Falcon - Sear... CrowdStrike Falcon - Search E... Manual Containment Manual Containment Automatic Containment Automatic Containment Manual containment Manual containment Mitre Attack - Extract Technique Information From ID - Mitre Attack - Extract Technique Information From ID Mitre Attack - Extract Te... Mitre Attack - Extract Techni... Get paths for files to retrieve - SetAndHandleEmpty Get paths for files to re... SetAndHandleEmpty CrowdStrike Falcon - Retrieve File - CrowdStrike Falcon - Retrieve File CrowdStrike Falcon - Retr... CrowdStrike Falcon - Retrieve... CrowdStrike Falcon Malware - Incident Enrichment - CrowdStrike Falcon Malware - Incident Enrichment CrowdStrike Falcon Malwar... CrowdStrike Falcon Malware - ... Perform Incident Closure Steps? Perform Incident Closure ... Command Line Analysis Command Line Analysis Command-Line Analysis - Command-Line Analysis Command-Line Analysis Command-Line Analysis Found any suspicious components? Found any suspicious comp... Set Tag `Suspicious Command-line` - setIncident Set Tag `Suspicious Comma... setIncident Is there a CMD line parameter? Is there a CMD line param... Did the alert originate from SIEM? Did the alert originate f... Confirm if true or false positive Confirm if true or false ... False/True/Manual False/True/Manual Parse results for detailed summary - InvestigationDetailedSummaryParse Parse results for detaile... InvestigationDetailedSummaryP... Incidents without detections Incidents without detections Proceed to Manual Proceed to Manual Was this an incident without detections? Was this an incident with... Get MITRE details - attack-pattern Get MITRE details attack-pattern Stop Triage SLA Stop Triage SLA