WildFire Malware
This playbook handles WildFire Malware alerts. It performs enrichment on the different alert entities and establishes a verdict. For a possible true positive alert, the playbook performs further investigation for related IOCs and executes a containment plan.
Core · 42 tasks · 32 inputs · 0 outputs
Inputs
sha256— The SHA256 hash of the suspected file. Decided by the DT expression wether it's the initiator or the target file SHA256.GraywarePhishingAsMalware— Whether to treat grayware and phishing alerts as malware.AutoContainment— Whether to execute the containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'.HostAutoContainment— Whether to automatically execute endpoint isolation in case there are investigation findings.BlockIndicators— Set to True if you want to block the indicators.OriginalFileContainment— Set to True if you want to quarantine the original malicious file.RelatedFileContainment— Set to True to quarantine the identified files found in the investigation.FileRemediation— Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and executes only file quarantine.AutoMarkFP— Whether to automatically mark alerts that were found as benign by the 'Enrichment for Verdict' playbook and report false positive alerts to WildFire. True/False.EmailAddress— User's email address to use when reporting false positive alerts to WildFire.ShouldCloseAutomatically— Whether to automatically close the alert after investigation and remediation are finished. True/False.AutoRecovery— Whether to execute the Recovery playbook after the investigation and remediation are finished. True/False.Query— The query for searching previous alerts based on the file we want to respond to. Decided by the If-Then-Else expression wether it's the initiator or the target file.ShouldOpenTicket— Whether to open a ticket automatically in a ticketing system. (True/False).serviceNowShortDescription— A short description of the ticket.serviceNowImpact— The impact for the new ticket. Leave empty for ServiceNow default impact.serviceNowUrgency— The urgency of the new ticket. Leave empty for ServiceNow default urgency.serviceNowSeverity— The severity of the new ticket. Leave empty for ServiceNow default severity.serviceNowTicketType— The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".serviceNowCategory— The category of the ServiceNow ticket.serviceNowAssignmentGroup— The group to which to assign the new ticket.ZendeskPriority— The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".ZendeskRequester— The user who requested this ticket.ZendeskStatus— The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".ZendeskSubject— The value of the subject field for this ticket.ZendeskTags— The array of tags applied to this ticket.ZendeskType— The type of this ticket. Allowed values are "problem", "incident", "question", or "task".ZendeskAssigne— The agent currently assigned to the ticket.ZendeskCollaborators— The users currently CC'ed on the ticket.description— The ticket description.addCommentPerEndpoint— Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.CommentToAdd— Comment for the ticket.
Commands used
closeInvestigation
core-allowlist-files
core-blocklist-files
core-report-incorrect-wildfire
setParentIncidentFields