Customize the Malware Investigation & Response Incident Handler Playbook

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

In this tutorial, we use the Malware Investigation & Response Incident Handler playbook, which uses numerous sub-playbooks to create a complete flow from detection to remediation.

  1. From Playbooks, search for Cortex XDR Malware - Investigation And Response.

  2. To edit the playbook, click the gear icon and then Detach Playbook. You can duplicate rather than detach if you want to keep receiving content updates for the playbook.

    For example, if you create a custom playbook to handle true positive incidents, you can replace the out-of-the-box Cortex XDR - True Positive Incident Handling playbook with yours.

    Note

    You don't need to detach a playbook to change inputs.

  3. Review and change the playbook inputs by clicking the Playbook Triggered section header task at the top of the playbook.

    1. In the Inputs tab, review the inputs.

      The inputs define how the playbook will carry out the investigation and response.

      For example, the EnableClosureSteps input defines whether, when an incident is closed, the closure steps run automatically.

    2. Click Save to save any changes.

  4. Review the playbook flow for your fetching integration, which for this tutorial is the Cortex XDR Malware - Investigation And Response playbook.

    1. Deduplication

      The playbook looks for similar incidents based on specific fields, including the Description field.

      If there are similar incidents, the playbook automatically links and/or closes the duplicate incidents based on the playbook input settings. By default, similar incidents are linked.

      If you do not want to link similar incidents, or you want to change how it links the incidents (based on description), edit the DedupSimilarTextField setting in the Playbook Triggered section header task at the top of the playbook.

    2. Endpoint device analysis

      • Advanced hunting - Enriches the infected endpoint details.

      • Command line analysis

      • Any prevention actions - Checks whether a malicious hash was blocked.

      • File detonation in the sandbox (if manually retrieved from Cortex XDR) - Provides details about file reputation. Any sandbox integrations that you have enabled will run and provide details about the file reputation. In this tutorial, we use WildFire.

    3. Manual review

    4. Closure actions, including incident handling for:

      • True positives

      • Manual handling

      • False positives
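To make the deduplication step above concrete, here is an added illustration in plain Python (not XSOAR's own code, and not how the playbook is implemented) of what its inputs control: which text field is compared (mirroring DedupSimilarTextField, assumed here to default to the Description field), and whether similar incidents are only linked, the default, or also closed. The incidents and the similarity threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class Incident:
    id: str
    fields: dict
    linked: list = field(default_factory=list)   # ids this incident is linked to
    status: str = "open"


def similarity(a: str, b: str) -> float:
    # Character-level similarity in [0, 1]; a stand-in for the playbook's
    # own scoring. Empty fields never count as similar (SequenceMatcher
    # would otherwise report two empty strings as identical).
    if not a or not b:
        return 0.0
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def dedup_incidents(incidents, dedup_similar_text_field="description",
                    threshold=0.8, close_duplicates=False):
    """Compare each incident with the earlier open ones on the chosen field.
    Returns {incident id: [ids of similar earlier incidents]}."""
    matches = {}
    for i, inc in enumerate(incidents):
        text = inc.fields.get(dedup_similar_text_field, "")
        similar = [
            prev.id for prev in incidents[:i]
            if prev.status == "open"
            and similarity(text, prev.fields.get(dedup_similar_text_field, "")) >= threshold
        ]
        if not similar:
            continue
        matches[inc.id] = similar
        inc.linked.extend(similar)      # default behaviour: link the duplicate
        if close_duplicates:            # opt-in: also close the newer duplicate
            inc.status = "closed"
    return matches


def sample_incidents():
    # Constructed sample data, not real incidents.
    return [
        Incident("INC-1", {"description": "Malware detected on endpoint LAB-PC-01: file quarantined by XDR agent"}),
        Incident("INC-2", {"description": "Malware detected on endpoint LAB-PC-02: file quarantined by XDR agent"}),
        Incident("INC-3", {"description": "User reported a suspicious phishing email"}),
    ]


if __name__ == "__main__":
    print(dedup_incidents(sample_incidents()))   # {'INC-2': ['INC-1']}
```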