Plan Your Malware Use Case - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations


Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Before you begin, consider the following:

  1. Where do your Malware incidents originate?

    In this example, we ingest incidents from Cortex XDR, but you can also use other endpoint products, such as CrowdStrike Falcon or Microsoft Defender for Endpoint, or ingest incidents from a SIEM such as Splunk ES or QRadar.

  2. What information do you want to see in an incident as part of an investigation?

    For Cortex XDR, you will want to see information including the XDR description, incident ID, status, host count, notes, URL, and alert count. As part of the integration configuration, you can choose how analysts are assigned to fetched incidents (for example, to on-call users or to the least busy analysts).

    The Malware Investigation And Response incident layout comes out of the box with most of the fields you need to investigate Malware incidents, and it is updated periodically with the content pack. You may want to add custom fields, such as an XDR Tuning field that records whether the analyst thinks a security policy needs to be fine-tuned. You can add such fields by duplicating or detaching the layout, or you can request changes to the out-of-the-box layout by opening a service ticket or submitting the idea through AHA. Note that a duplicated or detached layout no longer receives content updates.

  3. What incident response process do you currently use?

    You may want to check the file hash or the file path, block IPs, investigate further manually, and close incidents. These steps can be added to a playbook.

    In this tutorial, we are going to use the out-of-the-box Malware Investigation & Response Incident Handler playbook.

  4. What enrichment feeds do you use?

    Cortex XSOAR provides out-of-the-box enrichment for threat intel. However, you may want to extract specific indicator fields, for example STIX Threat Actor, CVE, Dest, Host Name, Destination IP, and URL. Once the incident is ingested into the system, the playbook extracts any indicators associated with it and enriches them using the threat intelligence integrations installed and configured in your system.

    In this tutorial, VirusTotal and AutoFocus are used to enrich all extracted IOCs (files, email addresses, and domains) and to hunt for related IOCs.

  5. What detonation systems do you use?

    Depending on the verdict for the IOC, you may need static or dynamic file analysis tools or a sandbox integration to determine whether the file is malicious. Detonation can run automatically in the playbook or manually through an integration such as Palo Alto Networks WildFire v2, CrowdStrike Falcon Intelligence Sandbox, or Joe Security v2. In this tutorial, the Palo Alto Networks WildFire v2 integration is used to detonate suspicious files.

  6. Are there any manual steps to be taken?

    Consider which manual steps need to be taken; these can be added to the playbook as well. In this tutorial, the analyst reviews the incident after triage and takes any immediate action required. At the remediation stage, a data collection task can capture closing notes for the Cortex XSOAR incident and resolve comments for the Cortex XDR incident.

  7. Is there any duplication?

    In this tutorial, we use the out-of-the-box deduplication logic in the Dedup v4 playbook, which runs as a sub-playbook of the Cortex XDR incident handling v3 playbook. Playbook inputs control whether duplicate incidents are linked to the original incident or closed.

  8. Are there any steps to be taken after closing an incident?

    After closing an incident, do you need to send a notification to a third-party service such as Jira or ServiceNow, or verify that all tasks are complete? You can set this up with playbook inputs when configuring your use case.

  9. Do you need to restrict incident investigations?

    Do you want to restrict incident actions and investigations according to roles? Do you want to give read-only access to certain roles at certain times? For example, when an incident is in triage, you may want all Tier-2 analysts to have read-only access.
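The indicator extraction described in step 4 and the duplicate check in step 7 are both handled by content that ships with Cortex XSOAR, so you do not need to write them yourself. The following Python block is an added example, not the tutorial's own code nor the logic of the Cortex XDR content pack or the Dedup v4 playbook: it shows, on a constructed incident, what those stages do with the data so that you can decide which fields your layout and dedup inputs need. The incident dicts are made-up samples whose field names (incident_id, description, notes, alerts[].host_name, alerts[].action_file_sha256, alerts[].action_remote_ip) only loosely follow the Cortex XDR integration output; the regexes, the DBotScore-style verdict merge and the "same hash on the same host" duplicate rule are illustrative choices.

```python
"""Added example (not from the Cortex XSOAR tutorial or the Cortex XDR content pack).

Extracts indicators from a Cortex XDR-style malware incident, merges reputation
scores from two enrichment sources, and flags duplicate incidents that share a
file hash and a host.  Assumption: the sample incidents below are constructed
and only loosely mirror the Cortex XDR integration's field names.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

SHA256_RE = re.compile(r"\b[A-Fa-f0-9]{64}\b")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# DBotScore scale used by Cortex XSOAR: 0 unknown, 1 good, 2 suspicious, 3 bad.
BAD, SUSPICIOUS, GOOD, UNKNOWN = 3, 2, 1, 0


def extract_indicators(incident: dict) -> Dict[str, Set[str]]:
    """Collect indicators from the structured alert fields first, then from free text."""
    found: Dict[str, Set[str]] = {k: set() for k in ("sha256", "ip", "url", "domain", "host")}
    for alert in incident.get("alerts", []):
        if alert.get("action_file_sha256"):
            found["sha256"].add(alert["action_file_sha256"].lower())
        if alert.get("action_remote_ip"):
            found["ip"].add(alert["action_remote_ip"])
        if alert.get("host_name"):
            found["host"].add(alert["host_name"].lower())
    # The description and analyst notes may carry hashes, IPs or URLs as free text.
    text = " ".join(str(incident.get(k) or "") for k in ("description", "notes"))
    found["sha256"].update(h.lower() for h in SHA256_RE.findall(text))
    found["ip"].update(IPV4_RE.findall(text))
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # trailing sentence punctuation is not part of the URL
        found["url"].add(url)
        host = urlparse(url).hostname
        # Record the URL host as a domain indicator only when it is not a bare IP.
        if host and not IPV4_RE.fullmatch(host):
            found["domain"].add(host.lower())
    return found


def merge_verdicts(scores: Dict[str, int]) -> int:
    """Combine per-source scores: the worst verdict from any source wins, and an
    indicator no source has seen stays unknown rather than being treated as good."""
    known = [s for s in scores.values() if s != UNKNOWN]
    return max(known) if known else UNKNOWN


def find_duplicates(new: dict, existing: List[dict]) -> List[str]:
    """Return IDs of existing incidents that share at least one file hash and one
    host with the new incident (deliberately strict: same malware, same machine)."""
    new_ind = extract_indicators(new)
    dup_ids: List[str] = []
    for old in existing:
        old_ind = extract_indicators(old)
        if new_ind["sha256"] & old_ind["sha256"] and new_ind["host"] & old_ind["host"]:
            dup_ids.append(str(old["incident_id"]))
    return dup_ids


# Constructed sample incidents (not real data; the hash, host and C2 are made up).
SAMPLE_HASH = "a" * 63 + "1"
EXISTING = [
    {"incident_id": 1001, "description": "Malware detected on ws-042",
     "alerts": [{"host_name": "WS-042", "action_file_sha256": SAMPLE_HASH.upper(),
                 "action_remote_ip": "203.0.113.10"}]},
    {"incident_id": 1002, "description": "Different sample on ws-042",
     "alerts": [{"host_name": "ws-042", "action_file_sha256": "b" * 64}]},
]
NEW = {
    "incident_id": 1003,
    "description": "Malicious file dropped; C2 at http://bad.example.com/gate.php, see 203.0.113.10.",
    "notes": "Also observed hash " + SAMPLE_HASH,
    "alerts": [{"host_name": "ws-042", "action_file_sha256": SAMPLE_HASH}],
}
SAMPLE_VERDICTS = {"VirusTotal": BAD, "AutoFocus": SUSPICIOUS}  # constructed scores

if __name__ == "__main__":
    ind = extract_indicators(NEW)
    print("indicators:", {k: sorted(v) for k, v in ind.items()})
    print("merged verdict:", merge_verdicts(SAMPLE_VERDICTS))
    print("duplicates of", NEW["incident_id"], "->", find_duplicates(NEW, EXISTING))
```

Two design points carry over to the real playbooks: normalise case before comparing (the same SHA-256 arrives upper-case from one alert and lower-case from another), and never let an indicator that no feed has seen collapse to "good"; keep it unknown so the detonation step in point 5 still runs on it.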

Summary of Third-Party Integrations

After defining your requirements, use the Deployment Wizard to install the content packs that contain the integrations for the relevant third-party vendors. See this file for a full list of third-party content packs the Deployment Wizard supports.

For this tutorial, you'll need:

Content Pack                      | Integration                                                | Description
----------------------------------|------------------------------------------------------------|------------------------------------------------------------------------
Cortex XDR by Palo Alto Networks  | Palo Alto Networks Cortex XDR - Investigation and Response | Endpoint detection and response; the incident source for this tutorial
Microsoft Exchange On-premise     | EWS V2                                                     | Sends and receives email through the Microsoft Exchange server
VirusTotal                        | VirusTotal (API v3)                                        | Data enrichment and threat intelligence
AutoFocus                         | Palo Alto Networks Autofocus v2                            | Data enrichment and threat intelligence
Palo Alto Networks WildFire       | Palo Alto Networks Wildfire v2                             | Forensics and malware analysis (file detonation)
Active Directory Query            | Active Directory Query v2                                  | Retrieves detailed information about user accounts in Active Directory
Rasterize                         | Rasterize                                                  | Converts URLs, PDF files, and emails to an image file or PDF file

Now that you have finished the planning stage, you can start setting up Malware incidents in Cortex XSOAR.