Palo Alto Networks - Endpoint Malware Investigation
Performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report.
The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps.
Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.
This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps.
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Calculate Severity - Standard
- Isolate Endpoint - Traps
- WildFire - Detonate file
- PANW - Hunting and threat detection by indicator type
- Traps Retrieve And Download Files
- Palo Alto Networks - Malware Remediation
Integrations
- Builtin
- Palo Alto Minemeld
- Traps
- AutoFocus V2
Scripts
This playbook does not use any scripts.
Commands
- ip
- closeInvestigation
- autofocus-sample-analysis
- url
- traps-get-endpoint-by-id
- file
- traps-event-update
- domain
Playbook Inputs
Name | Description | Default Value | Source | Required |
---|---|---|---|---|
AutoIsolation | Establishes the threshold severity from which to perform auto-isolation for the infected endpoint. The default is High. Specify the severity number: 0 - Unknown, 0.5 - Informational, 1 - Low, 2 - Medium, 3 - High, 4 - Critical. | 3 | - | Optional |
traps_endpoint_id | The Traps Endpoint ID. | agentid | incident | Optional |
traps_file_name | The Traps file name. | filename | incident | Optional |
traps_event_id | The Traps event ID. | trapsid | incident | Optional |
SHA256 | The SHA256 hash. | sha256 | incident | Optional |
DAG | Whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used. Specifies the Dynamic Address Group tag name for IP address handling. | - | - | Optional |
CustomURLCategory | Whether the Palo Alto Networks Panorama or Firewall Custom URL Categories are used. Specifies the category name for URL handling. | - | - | Optional |
CustomBlockRule | Whether the Palo Alto Networks Panorama or Firewall Custom block rules are used. To use the Custom Block Rules set to "True". | - | - | Optional |
IPListName | Whether the Palo Alto Networks Panorama or Firewall External Dynamic Lists, are used for IP address blocking. Specify the EDL name for IP address handling. | - | - | Optional |
Miner | Whether the Palo Alto Networks Minemeld is used. Specify the Miner name to update using the malicious indicators. | - | - | Optional |
StaticAddressGroup | Whether the Palo Alto Networks Panorama or Firewall Static address groups are used. Specify the Static IP address group name for IP address handling. | - | - | Optional |
AutoCommit | Whether to commit the configuration automatically. Choosing "Yes" will commit automatically. Choosing "No" will require you to comming manually. | no | - | Optional |
URLListName | Whether the Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for URL Blockage. Specify the EDL name for URL handling. | - | - | Optional |
EDLServerIP | This input establishes whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used. The IP address of the web server on which the files are stored. The web server IP address is configured in the integration instance. | - | - | Optional |
Traps | Whether the Palo Alto Networks Traps remediation will take place. Can be, "Yes" or "No". | yes | - | Optional |
Playbook Outputs
There are no outputs for this playbook.