Customize the Malware Investigation and Response Incident Type

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

When a malware incident is ingested into Cortex XSOAR, it is classified as the Malware Investigation and Response incident type. You can then customize the layout, playbook, and color for this incident type, and define which indicators to extract from it. Indicator extraction pulls indicators out of incident fields and enriches them using the commands and scripts defined for each indicator type.

  1. In Marketplace, install the Malware Investigation and Response content pack, which contains the following components to manage incidents.

    • Malware Investigation and Response incident type: Used for incidents that involve network, endpoint, and cloud data attacks. For example, when a Cortex XDR incident is ingested into Cortex XSOAR, incidents that contain files are associated with the Malware Investigation and Response incident type.

    • Malware Investigation and Response layout: Displays relevant data for analysts to investigate a malware incident, such as port scan and violations. In the Investigation tab, you can see information about the incidents, for example Cortex XDR file and network artifacts, the file image (using Rasterize), and indicators.

      (Screenshot: malware-invest-2.png, the Investigation tab of the Malware Investigation and Response layout)
    • Incident fields: Fields that assist with the malware investigation, including Alerts and related info, Malware Detailed Investigation Summary, and Malware Investigation Summary.

    • Malware Investigation and Response playbooks and sub-playbooks: Automates the malware investigation and alert response. For example, the Malware Investigation & Response Incident Handler playbook and its sub-playbooks.

    • Automations: Scripts that parse alert details, format the details into a table, retrieve reputation information, and more. Run these in a playbook or in the CLI.

    Note

    Classifiers and mappers are specific to the endpoint detection integration you use. For example, for Cortex XDR, the Deployment Wizard recommends choosing the Cortex XDR Incident Handler - Classifier and the XDR - Incoming Mapper.

  2. Select Settings > OBJECTS SETUP > Incidents > Types > Malware Investigation and Response.

  3. Click Detach > Edit.

    Tip

    When an incident type is detached, it no longer receives updates to the incident type from the content pack. Usually the incident type itself does receive regular updates, although the playbook associated with the incident type may change. If you want to keep receiving updates, duplicate the incident type instead: the original incident type receives the updates, not the duplicate.

  4. From the Settings tab, review the following:

    • The Malware Investigation & Response Incident Handler playbook appears in the Playbook field. This is a comprehensive playbook covering triage through remediation. By default, this playbook runs automatically; you can unselect it by clicking the incident type name and editing the Settings.

    • In the Layout field, keep the Malware Investigation and Response layout; later in this tutorial we customize it.

  5. By default, no indicator extraction rules are defined for the incident type, and indicators are extracted when the playbook runs. You can also define specific fields to extract from in the Indicator Extraction tab, such as File Hash, Destination IP, MD5, and SHA256.

  6. Click Save.
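To make concrete what the Indicator Extraction tab configures in step 5, the following stand-alone Python script is an added illustration and not part of this tutorial, the content pack, or Cortex XSOAR's own extraction engine. It scans a constructed sample incident for the field names an analyst would select (the field keys, the regexes and the sample values are all assumptions), extracts MD5, SHA256 and IP indicators, and discards candidate IPs that look right to a regex but are not valid addresses, which is the kind of false positive a naive extractor would otherwise hand to enrichment.

```python
import ipaddress
import re
from collections import defaultdict

# Patterns for the indicator types named in the tutorial (MD5, SHA256, IP).
# These are our own simplified patterns, not Cortex XSOAR's built-in rules.
PATTERNS = {
    "MD5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "SHA256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample incident; field names are hypothetical and the hashes are
# the well-known digests of the empty string, used only as placeholders.
SAMPLE_INCIDENT = {
    "name": "Malware detected on WS-0042",
    "filemd5": "d41d8cd98f00b204e9800998ecf8427e",
    "filesha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "destinationip": "203.0.113.77",
    "details": (
        "Outbound connection to 203.0.113.77 and 999.1.2.3 from a process "
        "with hash d41d8cd98f00b204e9800998ecf8427e"
    ),
}

# Fields an analyst might tick in the Indicator Extraction tab (assumed names).
EXTRACTION_FIELDS = ["filemd5", "filesha256", "destinationip", "details"]


def _texts(value):
    """Yield every string reachable inside a field value (str, list or dict)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _texts(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _texts(item)
    elif value is not None:
        yield str(value)


def _is_valid_ip(candidate):
    """Reject regex hits such as 999.1.2.3 that are not real IPv4 addresses."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def extract_indicators(incident, fields):
    """Return {indicator_type: sorted unique values} found in the named fields.

    Only fields listed in `fields` are scanned, mirroring the per-field
    selection the Indicator Extraction tab offers; types with no hits are
    omitted from the result.
    """
    found = defaultdict(set)
    for name in fields:
        for text in _texts(incident.get(name)):
            for itype, pattern in PATTERNS.items():
                for match in pattern.findall(text):
                    if itype == "IP" and not _is_valid_ip(match):
                        continue  # drop syntactically plausible but invalid IPs
                    found[itype].add(match.lower() if itype != "IP" else match)
    return {itype: sorted(values) for itype, values in found.items()}


def as_table(results):
    """Flatten the results into (type, value) rows, like a layout table."""
    return [(itype, value) for itype in sorted(results) for value in results[itype]]


if __name__ == "__main__":
    for itype, value in as_table(extract_indicators(SAMPLE_INCIDENT, EXTRACTION_FIELDS)):
        print(f"{itype:8} {value}")
```

Hashes are normalised to lower case so the same file seen in two fields is one indicator, and each value is reported once regardless of how many fields mention it, which is what you want before enrichment commands run against each indicator.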