Cortex XDR - Malware Investigation

Investigates a Cortex XDR incident containing internal malware alerts. The playbook:

  • Enriches the infected endpoint details.
  • Lets the analyst manually retrieve the malicious file.
  • Performs file detonation.

This playbook is used as a sub-playbook in 'Cortex XDR Incident Handling - v2'.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Detonate File - Generic

Integrations

  • Cortex XDR - IR

Scripts

This playbook does not use any scripts.

Commands

  • xdr-get-endpoints

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| xdr_alert_id | Unique ID for the XDR alert. |  | Optional |
| host_ip | Host IP involved in the alert. |  | Optional |
| file_name | The name of the malicious file. |  | Optional |
| file_sha256 | SHA-256 hash of the file. |  | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Joe.Analysis | The Analysis object. | unknown |
| File | The File's object. | unknown |
| File.Malicious | The malicious file's description. | unknown |
| DBotScore | The indicator's object. | unknown |
| IP | IP objects. | unknown |
| DBotScore.Malicious | DBot Score malicious information. | unknown |
| Sample | Sample data object. | unknown |
| InfoFile | The report file's object. | unknown |
| WildFire | WildFire analysis object. | unknown |
| WildFire.Report | The submission object. | unknown |
| Joe | Joe Sandbox analysis object. | unknown |
| Cuckoo.Task | Cuckoo task object. | unknown |
| SNDBOX.Analysis | SNDBOX analysis. | unknown |
| HybridAnalysis.Submit | The HybridAnalysis object. | unknown |
| ANYRUN.Task | ANYRUN task object. | unknown |
| ANYRUN.Task.Behavior | ANYRUN task behavior. | unknown |
| ANYRUN.Task.Connection | ANYRUN task connection. | unknown |
| ANYRUN.Task.DnsRequest | ANYRUN task DNS request. | unknown |
| ANYRUN.Task.Threat | ANYRUN task threat. | unknown |
| ANYRUN.Task.HttpRequest | ANYRUN task HTTP request. | unknown |
| ANYRUN.Task.Process | ANYRUN task process information. | unknown |
| ANYRUN.Task.Process.Version | ANYRUN task process version. | unknown |
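The inputs and outputs above are the playbook's contract: an analyst (or a wrapping playbook) passes an IP and a file hash in, and gets DBotScore entries from whichever sandboxes ran the detonation back. As an added example, not code from the playbook or the Cortex XSOAR content pack, the following Python checks the documented inputs before the playbook is run and folds the DBotScore output for the investigated hash into one verdict; the sample context is constructed for the example and the DBotScore field names (Indicator, Type, Vendor, Score) follow XSOAR's standard context layout.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
SCORE_NAMES = {0: "unknown", 1: "benign", 2: "suspicious", 3: "malicious"}


def validate_inputs(inputs: Dict[str, Optional[str]]) -> List[str]:
    """Check the playbook inputs listed above; returns a list of problems (empty = OK)."""
    problems = []
    sha = inputs.get("file_sha256")
    if sha and not SHA256_RE.match(sha):
        problems.append("file_sha256 is not a 64-hex-character SHA-256")
    ip = inputs.get("host_ip")
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"host_ip {ip!r} is not a valid IP address")
    if not (sha or inputs.get("file_name")):
        problems.append("need file_sha256 or file_name to identify the file")
    return problems


def file_verdict(dbot_scores: List[dict], file_sha256: str) -> Tuple[str, List[str]]:
    """Fold the DBotScore entries produced by detonation into one verdict for the
    investigated hash. Returns (verdict, vendors that scored it suspicious or bad).
    DBotScore.Score uses XSOAR's scale: 0 unknown, 1 good, 2 suspicious, 3 bad."""
    worst, flagged, matched = 0, [], False
    for entry in dbot_scores:
        if str(entry.get("Type", "")).lower() != "file":
            continue  # IP/URL verdicts from the same report are not the file verdict
        if str(entry.get("Indicator", "")).lower() != file_sha256.lower():
            continue  # verdict for some other file the sample dropped, not ours
        matched = True
        score = int(entry.get("Score", 0))
        worst = max(worst, score)
        if score >= 2:
            flagged.append(entry.get("Vendor", "unknown"))
    if not matched:
        return "no-verdict", []  # no sandbox reported on this hash at all
    return SCORE_NAMES[worst], flagged


# Constructed sample context, shaped like the DBotScore output documented above.
SAMPLE_SHA = "a" * 64
SAMPLE_DBOT = [
    {"Indicator": SAMPLE_SHA, "Type": "file", "Vendor": "WildFire", "Score": 3},
    {"Indicator": SAMPLE_SHA.upper(), "Type": "file", "Vendor": "Joe Sandbox", "Score": 2},
    {"Indicator": "b" * 64, "Type": "file", "Vendor": "WildFire", "Score": 1},
    {"Indicator": "203.0.113.5", "Type": "ip", "Vendor": "WildFire", "Score": 2},
]
```

Running `file_verdict(SAMPLE_DBOT, SAMPLE_SHA)` returns `('malicious', ['WildFire', 'Joe Sandbox'])`; a hash no sandbox reported on yields `no-verdict`, which is the case to route back to the analyst rather than to auto-close.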

Playbook Image

[Image: Cortex XDR - Malware Investigation]