Endpoint Malware Investigation - Generic V2 Deprecated
Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') This playbook provides a framework for handling malware investigation through all essential steps. The playbook consists of 7 stages. Each stage contains the relevant playbook or tasks. This playbook auto extracts indicators from incidents using indicator extraction rules of the malware incident type. To use Illusive integration in the `Forensics - Generic` playbook, note that you will be able to set the forensic timeline by editing the `Forensics - Generic` playbook inputs.
Malware Core · 68 tasks · 25 inputs · 0 outputs
Inputs
AutoIsolation— This input determines the threshold severity from which to perform auto-isolation for the infected endpoint. Specify the severity number (Default is 3 - High): Specify the severity number: 0 - Unknown 0.5 - Informational 1 - Low 2 - Medium 3 - High 4 - CriticalEmail— The email address to send a notification if there is a possibility of the malware spreading and infecting other endpoints.MD5— The MD5 hash value for the suspicious file.SHA256— The SHA256 hash value for the suspicious file.Hostname— Hostname of the machine on which the file is located.FilePath— The path of the file to retrieve. For example: C:\users\folder\file.txtUseD2— Specifies whether to use a D2 agent to retrieve the file.SHA1— The SHA1 hash value for the suspicious file.ActivateAutomaticHunting— Activate Threat Hunting - Generic playbook for automatic hunting. Yes- to activate.ManualThreatHunting— Perform manual threat hunting. Yes- to activate.NeedMoreForensics— The value `Yes` will activate the playbook `Forensics - Generic` that retrieves additional forensics on the investigating host. Yes- to activate,IPAddress— This input is relevant if the Threat Hunting - Generic playbook is activated. If you activated the Threat Hunting - Generic playbook and you are hunting IP addresses, provide the IP addresses here.URLDomain— This input is relevant if the Threat Hunting - Generic playbook is activated. If you activated Threat Hunting - Generic playbook and you are hunting for URLs or domains, provide the URLs or domains here.InternalRange— This input is relevant if the Threat Hunting - Generic playbook is activated. The input is a list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the playbook will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).InternalDomainName— This input is relevant if the Threat Hunting - Generic playbook is activated. The input is the organization's internal domain name. This is provided for the IsInternalHostName script that checks if the detected host names are internal or external if the hosts contain the internal domains suffix. For example, demisto.com. If there is more than one domain, use the | character to separate values such as (demisto.com|test.com)InternalHostRegex— This input is relevant if the Threat Hunting - Generic playbook is activated. This is provided for the IsInternalHostName script that checks if the detected host names are internal or external if the hosts match the organizations naming convention. For example, the host testpc1 will have the following regex \w{6}\d{1}Agent_ID— This input is relevant if retrieving the file by EDR. If so, provide the relevant Agent_ID\Endpoint id.CriticalUsers— This input will be used for the `Calculate Severity - Generic v2` playbook. Provide your critical users (CSV is optional).CriticalEndpoints— This input will be uses for the `Calculate Severity - Generic v2` playbook. Provide your critical endpoint hostnames (CSV is optional).CriticalGroups— This input will be uses for the `Calculate Severity - Generic v2` playbook. Provide the DN names of your critical AD groups (CSV is optional).AutoUnIsolation— Providing "Yes" in this playbook input will activated the "Unisolate Endpoint - Generic" playbook.Endpoint_ip— The IP of the endpoint which is involved in the investigation.LinkSimilarIncidents— Providing "Yes" in this playbook input will link the incidents that were found similar by DBotFindSimilarIncidents.DetonateFile— Providing "Yes" to this input will activate the "Detonate File - Generic".IsolationAfterHunting— Providing "Yes" to this input will activate the "Isolate Endpoint Generic V2" after the execution of threat hunting procedures.
Commands used
closeInvestigation
linkIncidents
send-mail
setIncident