WildFire Malware

This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan.

Core · 42 tasks · 32 inputs · 0 outputs

Inputs

  • sha256 — The SHA256 hash of the suspected file. Decided by the DT expression wether it's the initiator or the target file SHA256.
  • GraywarePhishingAsMalware — Whether to treat grayware and phishing alerts as malware.
  • AutoContainment — Whether to execute the containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'.
  • HostAutoContainment — Whether to automatically execute endpoint isolation in case there are investigation findings.
  • BlockIndicators — Set to True if you want to block the indicators.
  • OriginalFileContainment — Set to True if you want to quarantine the original malicious file.
  • RelatedFileContainment — Set to True to quarantine the identified files found in the investigation.
  • FileRemediation — Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and executes only file quarantine.
  • AutoMarkFP — Whether to automatically mark alerts that were found as benign by the 'Enrichment for Verdict' playbook and report false positive alerts to WildFire. True/False.
  • EmailAddress — User's email address to use when reporting false positive alerts to WildFire.
  • ShouldCloseAutomatically — Whether to automatically close the alert after investigation and remediation are finished. True/False.
  • AutoRecovery — Whether to execute the Recovery playbook after the investigation and remediation are finished. True/False.
  • Query — The query for searching previous alerts based on the file we want to respond to. Decided by the If-Then-Else expression wether it's the initiator or the target file.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Commands used

closeInvestigation core-allowlist-files core-blocklist-files core-report-incorrect-wildfire setParentIncidentFields

Flowchart

Yes Malware yes Allow list Block list yes 24H yes yes False Positive Possible False Positive Yes yes Yes yes yes yes Start Start Was the malware prevented? (blocked) Was the malware prevented... Investigation Investigation Pre-Investigation Containment Pre-Investigation Contain... Check WildFire type Check WildFire type False Positive Alert False Positive Alert Should report alert to WildFire and handle as False Positive? Should report alert to Wi... Manual - Review and handle alert Manual - Review and handl... Add hash to Allowed List - core-allowlist-files Add hash to Allowed List core-allowlist-files Add hash to Blocked List - core-blocklist-files Add hash to Blocked List core-blocklist-files Should investigate further? Should investigate further? Done Done Remediation Remediation Containment Plan - Containment Plan Containment Plan Containment Plan WildFire report - Review identified characteristics WildFire report - Review... Report False Positive to WildFire - core-report-incorrect-wildfire Report False Positive to ... core-report-incorrect-wildfire Check hash execution timestamp Check hash execution time... Verdict Verdict Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts close alert - closeInvestigation close alert closeInvestigation Should restore affected endpoint? Should restore affected e... Should close alert automatically? Should close alert automa... Recovery Plan - Recovery Plan Recovery Plan Recovery Plan Recovery Recovery Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Containment Plan - Containment Plan Containment Plan Containment Plan Get time for the last day - GetTime Get time for the last day GetTime Endpoint Investigation Plan - Endpoint Investigation Plan Endpoint Investigation Plan Endpoint Investigation Plan Establish verdict Establish verdict Manual - Mark alert as False Positive? Manual - Mark alert as Fa... Malware Malware Grayware and Phishing Grayware and Phishing Should treat grayware and phishing as malware? Should treat grayware and... Possible False Positive Possible False Positive Manuel Review - Should continue to investigate? Manuel Review - Should co... Is auto-containment set to true? Is auto-containment set t... Possible True Positive Possible True Positive Are there investigation findings? Are there investigation f... Set Alert Severity to High - setParentIncidentFields Set Alert Severity to High setParentIncidentFields Set Alert Severity to High - setParentIncidentFields Set Alert Severity to High setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic