Skip to main content

Palo Alto Networks - Endpoint Malware Investigation v2

This Playbook is part of the Deprecated Content (Deprecated) Pack.#

Deprecated

Use the "Palo Alto Networks - Endpoint Malware Investigation v3"\ \ playbook instead.

Deprecated. Use the "Palo Alto Networks - Endpoint Malware Investigation v3" playbook instead. This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. \nThe analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps.\nHunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories.\nAfter the investigation review the incident is automatically closed.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • WildFire - Detonate file
  • Palo Alto Networks - Malware Remediation
  • Calculate Severity - Generic v2
  • PANW - Hunting and threat detection by indicator type V2

Integrations#

  • Cortex XDR - IR

Scripts#

  • GenerateInvestigationSummaryReport
  • FindSimilarIncidents
  • DemistoLinkIncidents

Commands#

  • xdr-get-endpoints
  • autofocus-sample-analysis
  • closeInvestigation
  • ad-get-user

Playbook Inputs#


NameDescriptionDefault ValueRequired
AutoIsolationThis input determines the threshold severity from which to perform auto-isolation for the infected endpoint.
Default is High.
Specify the severity number:
0 - Unknown
0.5 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
3Optional
similarIncidentFieldsThis input accepts a comma-separated list of similar incident fields keys.Optional
LinkSimilarIncidentsThis input determines whether similar incidents that are found will be linked. Specify Yes/No.Optional
SHA256File SHA256.incident.sha256Optional
endpoint_id_listA list of XDR endpoint IDs.Optional
UseXDRThis input determines whether Palo Alto Networks Cortex XDR remediation will take place. Specify Yes/NoYesOptional
DAGThis input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used.
Specify Dynamic Address Group tag name for IP handling.
Optional
CustomURLCategoryThis input determines whether Palo Alto Networks Panorama or Firewall Custom URL Categories are used.
Specify Category name for URL handling.
Optional
CustomBlockRuleThis input determines whether Palo Alto Networks Panorama or Firewall Custom block rules are used.
Specify True to use Custom Block Rules.
Optional
IPListNameThis input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for IP Blockage.
Specify the EDL name for IP handling.
Optional
MinerThis input determines whether Palo Alto Networks Minemeld is used. Specify Miner name to update with the malicious indicators.Optional
StaticAddressGroupThis input determines whether Palo Alto Networks Panorama or Firewall Static address groups are used.
Specify Static address group name for IP handling.
Optional
AutoCommitThis input determines whether to commit the configuration automatically.
Yes - Commit automatically.
No - Commit manually.
NoOptional
URLListNameThis input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used for URL Blockage.
Specify the EDL name for URL handling.
Optional
EDLServerIPThis input determines whether Palo Alto Networks Panorama or Firewall External Dynamic Lists are used:
* The IP address of the web server on which the files are stored.
* The web server IP address is configured in the integration instance.
Optional
TrapsThis input determines whether Palo Alto Networks Traps remediation will take place. Specify Yes/No.NoOptional
internal_rangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional

Playbook Outputs#


PathDescriptionType
IP.AddressIP addresses.unknown
URL.Malicious.DescriptionFor malicious URLs, the reason that the vendor decided that the URL is malicious.unknown
URL.MaliciousMalicious URLs.unknown
File.Malicious.DescriptionFor malicious files, the reason that the vendor decided that the file is malicious.unknown

Playbook Image#


Palo Alto Networks - Endpoint Malware Investigation v2