Endpoint Malware Investigation - Generic

Performs enrichment, detonation, and hunting within the organization, followed by remediation of the malware. This playbook is triggered by a malware incident from an Endpoint type integration.

Used sub-playbooks:

  • Endpoint Enrichment - Generic v2.1
  • Retrieve File from Endpoint - Generic
  • Detonate File - Generic
  • File Enrichment - Generic v2
  • Calculate Severity - Generic v2
  • Isolate Endpoint - Generic
  • Block Indicators - Generic v2

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Endpoint Enrichment - Generic v2.1
  • Detonate File - Generic
  • Retrieve File from Endpoint - Generic
  • Calculate Severity - Generic v2
  • Isolate Endpoint - Generic
  • Block Indicators - Generic v2
  • File Enrichment - Generic v2

Integrations

  • Builtin

Scripts

  • GenerateInvestigationSummaryReport

Commands

  • send-mail
  • setIncident
  • closeInvestigation

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| AutoIsolation | The severity threshold at or above which the infected endpoint is auto-isolated. Specify the severity number (default is High): "0" means Unknown, "0.5" means Informational, "1" means Low, "2" means Medium, "3" means High, "4" means Critical. | 3 | - | Optional |
| Email | The email address to notify if there is a possibility of the malware spreading and infecting other endpoints. | - | - | Optional |
| MD5 | The MD5 hash of the file. | md5string | incident | Optional |
| SHA256 | The SHA256 hash of the file. | sha256 | incident | Optional |
| Hostname | The hostname of the machine on which the file is located. | Hostname | Endpoint | Optional |
| FilePath | The file path. | Path | File | Optional |
| UseD2 | Whether to use the D2 agent to retrieve the file. | no | - | Optional |
| SHA1 | The SHA1 hash of the file. | sha1 | incident | Optional |

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


Endpoint_Malware_Investigation_Generic