Local Analysis alert Investigation

When an unknown executable, DLL, or macro attempts to run on a Windows or Mac endpoint, the Cortex XDR agent uses local analysis to determine if it is likely to be malware. Local analysis uses a static set of pattern-matching rules that inspect multiple file features and attributes, and a statistical model that was developed with machine learning on WildFire threat intelligence. **Investigative Actions:** Investigate the executed process image and verify if it is malicious using: * XDR trusted signers * VT trusted signers * VT detection rate * NSRL DB **Response Actions** The playbook's first response action is a containment plan that is based on the initial data provided within the alert. In that phase, the playbook will execute: * Auto block indicators * Auto file quarantine * Manual endpoint isolation When the playbook executes, it checks for additional activity using the Endpoint Investigation Plan playbook, and another phase, which includes containment and eradication, is executed. This phase will execute the following containment actions: * Manual block indicators * Manual file quarantine * Auto endpoint isolation And the following eradication actions: * Manual process termination * Manual file deletion * Manual reset of the user’s password External resources: [Malware Protection Flow](https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/File-Analysis-and-Protection-Flow)

Core · 45 tasks · 30 inputs · 0 outputs

Inputs

  • GraywareAsMalware — Whether to treat Grayware verdict as Malware.
  • AutoContainment — Setting this input will impact both Containment Plan sub-playbooks. Without setting this input, the default values are True for the first occurrence and False for the second. Whether to execute automatically or manually the containment plan tasks: * Isolate endpoint * Block indicators * Quarantine file * Disable user
  • AutoEradication — Whether to execute automatically or manually the eradication plan tasks: * Terminate process * Delete file * Reset the user's password
  • FileRemediation — Should be either 'Quarantine' or 'Delete'.
  • AutoRecovery — Whether to execute the Recovery playbook.
  • AutoCloseAlert — Whether to close the alert automatically or manually, after an analyst's review.
  • ShouldRescanBenign — Whether to rescan (Using WildFire detonate file) benign files.
  • ShouldManualReviewFP — Whether to ask for a manual review before false positive handling. Should be True or False
  • SHA256 — The SHA256 hash of the file to respond to. Decided by the DT expression wether it's the initiator or the target file SHA256.
  • Path — The path of the file to respond to. Decided by the DT expression wether it's the initiator or the target file path.
  • Query — The query for searching previous alerts based on the file we want to respond to. Decided by the If-Then-Else expression wether it's the initiator or the target file.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Commands used

closeInvestigation core-report-incorrect-wildfire core-retrieve-file-details core-retrieve-files internal-wildfire-get-report setParentIncidentFields

Flowchart

True Positive Blocked Benign Greyware false Yes true true true true 24H true Benign yes no True Positive yes Start Start Verdict by FileVerdict AND Prevalence Verdict by FileVerdict AN... Analysis Analysis Was the action prevented? Was the action prevented? Check WF alert verdict Check WF alert verdict Handle FP Handle FP Manual review - was it your security vendor? Manual review - was it yo... WildFire Verdict WildFire Verdict Investigate Investigate Remediation Remediation Found relevant information? Found relevant information? Close alert - closeInvestigation Close alert closeInvestigation Restore affected endpoint? Restore affected endpoint? Close alert automatically? Close alert automatically? Continue with the alert investigation Continue with the alert i... Recovery Recovery Done Done Pre-Investigation Containment Pre-Investigation Contain... Check hash execution timestamp Check hash execution time... Get time for the last day - GetTime Get time for the last day GetTime Is auto-containment set to true? Is auto-containment set t... Retrieve the suspected file - core-retrieve-files Retrieve the suspected file core-retrieve-files Get retrieved file - core-retrieve-file-details Get retrieved file core-retrieve-file-details Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Containment Plan - Containment Plan Containment Plan Containment Plan Endpoint Investigation Plan - Endpoint Investigation Plan Endpoint Investigation Plan Endpoint Investigation Plan Containment Plan - Containment Plan Containment Plan Containment Plan Eradication Plan - Eradication Plan Eradication Plan Eradication Plan Recovery Plan - Recovery Plan Recovery Plan Recovery Plan Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts Extract retrieved file - UnzipFile Extract retrieved file UnzipFile Wildfire Detonate and Analyze File - Wildfire Detonate and Analyze File Wildfire Detonate and Ana... Wildfire Detonate and Analyze... Check WildFire alert verdict Check WildFire alert verdict Flip verdict request to keep WF updated - core-report-incorrect-wildfire Flip verdict request to k... core-report-incorrect-wildfire Is manual review required? Is manual review required? Flip WildFire Verdict Flip WildFire Verdict Check for existing WF report - internal-wildfire-get-report Check for existing WF report internal-wildfire-get-report Should detonate file? Should detonate file? Continue by Verdict Continue by Verdict Verdict by DbotScore Verdict by DbotScore Set Incident Severity to High - setParentIncidentFields Set Incident Severity to ... setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic Benign Benign Greyware Greyware