In this tutorial, we use the Malware Investigation & Response Incident Handler playbook, which uses numerous sub playbooks to create a complete flow from detection to remediation.
From Playbooks, search for Cortex XDR Malware - Investigation And Response.
To edit the playbook, open the playbook's options menu and then click Detach Playbook. You can duplicate rather than detach if you want to keep receiving content updates for the playbook.
For example, if you create a custom playbook to handle true positive incidents, you can replace the out of the box Cortex XDR - True Positive Incident Handling playbook with yours.
Note
You don't need to detach a playbook to change inputs.
Review and change the playbook inputs by clicking the Playbook Triggered section header task at the top of the playbook.
In the Inputs tab, review the inputs.
The inputs define how the playbook will carry out the investigation and response.
For example, the EnableClosureSteps input defines whether the closure steps are used to close the incident automatically.
Click Save to save any changes.
Review the playbook flow for your fetching integration, which for this tutorial is the Cortex XDR Malware - Investigation And Response playbook.
Deduplication
The playbook looks for similar incidents based on specific fields, including the Description field.
If there are similar incidents, the playbook automatically links and/or closes the duplicate incidents based on the playbook input settings. By default, similar incidents are linked.
If you do not want to link similar incidents, or you want to change how it links the incidents (based on description), edit the DedupSimilarTextField setting in the Playbook Triggered section header task at the top of the playbook.
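To make the deduplication behaviour concrete, the following is an added example (not the playbook's own Dedup logic, and not Cortex XSOAR code) showing how a similar-text comparison on a configurable field decides whether a new incident is linked to, or closed as a duplicate of, existing incidents. The incident records, the similarity threshold, the `similar_text_field` and `close_duplicates` parameters, and the choice to close the new incident rather than the existing one are all assumptions made for this illustration.

```python
"""Added example: description-based incident deduplication (illustrative, not XSOAR's own code)."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List


@dataclass
class Incident:
    """Minimal stand-in for an incident record (constructed for this example)."""
    id: str
    description: str
    status: str = "open"
    linked: List[str] = field(default_factory=list)


def _normalize(text: str) -> str:
    # Case and whitespace differences should not defeat the comparison.
    return " ".join(text.lower().split())


def similarity(a: str, b: str) -> float:
    """Return a 0.0-1.0 text similarity ratio between two field values."""
    return SequenceMatcher(None, _normalize(a), _normalize(b)).ratio()


def find_similar(new: Incident, existing: List[Incident],
                 similar_text_field: str = "description",
                 threshold: float = 0.9) -> List[Incident]:
    """Return existing incidents whose chosen text field is similar to the new one.

    `similar_text_field` plays the role of a DedupSimilarTextField-style setting:
    it names the incident field that is compared (assumed parameter).
    """
    new_value = getattr(new, similar_text_field)
    return [inc for inc in existing
            if inc.id != new.id
            and similarity(new_value, getattr(inc, similar_text_field)) >= threshold]


def handle_duplicates(new: Incident, existing: List[Incident],
                      close_duplicates: bool = False,
                      similar_text_field: str = "description",
                      threshold: float = 0.9) -> List[Incident]:
    """Link the new incident to its near-duplicates and optionally close it.

    By default duplicates are only linked (matching the page's description);
    when `close_duplicates` is True the new incident is also closed (assumed policy).
    """
    matches = find_similar(new, existing, similar_text_field, threshold)
    for inc in matches:
        # Link in both directions so either incident shows the relationship.
        if inc.id not in new.linked:
            new.linked.append(inc.id)
        if new.id not in inc.linked:
            inc.linked.append(new.id)
    if matches and close_duplicates:
        new.status = "closed"
    return matches


# Constructed sample incidents: two near-identical descriptions differing only in hostname,
# and one genuinely different alert that must not be treated as a duplicate.
EXISTING = [
    Incident("INC-1", "Malware detected on host WS-01: eicar.com blocked by XDR agent"),
    Incident("INC-2", "Suspicious PowerShell execution on host WS-01"),
]
NEW = Incident("INC-3", "Malware detected on host WS-02: eicar.com blocked by XDR agent")


def demo(close_duplicates: bool = False) -> dict:
    """Run the dedup pass on fresh copies of the sample data and report the outcome."""
    existing = [Incident(i.id, i.description) for i in EXISTING]
    new = Incident(NEW.id, NEW.description)
    matches = handle_duplicates(new, existing, close_duplicates=close_duplicates)
    return {"matched": [m.id for m in matches], "new_status": new.status, "new_linked": new.linked}


if __name__ == "__main__":
    print(demo())                        # link only
    print(demo(close_duplicates=True))   # link and close the new incident
```

Note the caveat this example surfaces: a similarity threshold on a template-like Description field will group alerts that differ only in hostname or filename, so the field you name in DedupSimilarTextField should be one whose text actually distinguishes separate incidents.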
Endpoint device analysis
Advanced hunting - Enriches the infected endpoint details.
Command line analysis
Any prevention actions - Checks whether a malicious hash was blocked.
File detonation in the sandbox (if manually retrieved from Cortex XDR) - Provides details about file reputation. Any sandbox integrations that you have enabled will run and provide details about the file reputation. In this tutorial, we use WildFire.
Manual review
Closure actions, including incident handling for:
True positives
Manual handling
False positives