The Malware Investigation & Response Incident Handler playbook is triggered after fetching an incident from your EDR, which for this tutorial is a Cortex XDR incident.
The playbook performs the following actions, in order:
An SLA timer starts.
An analyst is assigned.
Tags are set for context.
If the incoming alert is from a SIEM, run the Malware SIEM Ingestion - Get Incident Data playbook.
If the incoming alert is not from a SIEM, run the relevant endpoint detection playbook, which for this tutorial is the Cortex XDR Malware - Investigation And Response playbook.
The Cortex XDR Malware - Investigation And Response playbook syncs and updates new alerts that construct the incident and triggers a sub-playbook to handle each alert by type. The playbook subsequently performs enrichment on the incident’s indicators, optionally performs deduplication, hunts for related IOCs, performs command line analysis, and searches for file hashes in the sandbox. Based on the severity, it lets the analyst decide whether to continue to the remediation stage or close the investigation as a false positive.
The playbook syncs all the data and gives the analyst the option to classify the incident before the remediation process. Remediation takes place only for true positives. Until then, the playbook waits for the analyst to proceed.
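The flow above (SLA timer, assignment, tagging, the SIEM/EDR branch, deduplication, enrichment, and the analyst-gated hand-off to true- or false-positive handling) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Cortex XSOAR or Cortex XDR code, and every name in it (Alert, Incident, triage, decide, SANDBOX_VERDICTS, SUSPICIOUS_TOKENS, the 4-hour SLA, the sample incident) is an assumption used for illustration. The sandbox verdict table and the command-line token list are constructed stand-ins for the "Search for Hash in Sandbox - Generic" and "Command-Line Analysis" sub-playbooks.

```python
# Constructed model of the Malware Investigation & Response triage flow.
# Added example, not Cortex XSOAR / Cortex XDR code; all names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SLA_HOURS = 4  # assumed SLA for the timer started at playbook entry

# Constructed stand-in for "Search for Hash in Sandbox - Generic": sha256 -> verdict.
SANDBOX_VERDICTS: Dict[str, str] = {
    "a" * 64: "malicious",
    "b" * 64: "benign",
}

# Constructed token list standing in for the Command-Line Analysis sub-playbook.
SUSPICIOUS_TOKENS = ("-enc ", "downloadstring", "certutil -urlcache", "mshta ")


@dataclass
class Alert:
    alert_id: str
    alert_type: str                 # e.g. "file" or "process"
    sha256: Optional[str] = None
    cmdline: Optional[str] = None


@dataclass
class Incident:
    incident_id: str
    source: str                     # "SIEM" or "EDR"
    severity: str                   # "low" | "medium" | "high" | "critical"
    alerts: List[Alert]
    assignee: Optional[str] = None
    tags: List[str] = field(default_factory=list)
    sla_started: Optional[datetime] = None
    sla_due: Optional[datetime] = None
    verdicts: Dict[str, str] = field(default_factory=dict)
    suspicious_cmdlines: List[str] = field(default_factory=list)


def route(incident: Incident) -> str:
    """SIEM-sourced incidents go to the ingestion playbook, all others to the EDR playbook."""
    if incident.source == "SIEM":
        return "Malware SIEM Ingestion - Get Incident Data"
    return "Cortex XDR Malware - Investigation And Response"


def dedup_alerts(alerts: List[Alert]) -> List[Alert]:
    """Keep one alert per (type, sha256, cmdline) so enrichment runs once per artifact."""
    seen, unique = set(), []
    for a in alerts:
        key = (a.alert_type, a.sha256, a.cmdline)
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique


def cmdline_is_suspicious(cmd: Optional[str]) -> bool:
    lowered = (cmd or "").lower()
    return any(tok in lowered for tok in SUSPICIOUS_TOKENS)


def triage(incident: Incident, analyst: str, now: Optional[datetime] = None) -> dict:
    """Run the pre-remediation stages and return what the analyst is shown."""
    now = now or datetime.utcnow()
    incident.sla_started = now                              # SLA timer starts
    incident.sla_due = now + timedelta(hours=SLA_HOURS)
    incident.assignee = analyst                             # analyst assigned
    incident.tags += ["malware", f"source:{incident.source.lower()}"]  # tags for context
    playbook = route(incident)                              # SIEM vs. EDR branch
    unique = dedup_alerts(incident.alerts)                  # optional deduplication
    for a in unique:                                        # enrichment per alert
        if a.sha256:
            incident.verdicts[a.sha256] = SANDBOX_VERDICTS.get(a.sha256, "unknown")
        if cmdline_is_suspicious(a.cmdline):
            incident.suspicious_cmdlines.append(a.cmdline)
    hit = any(v == "malicious" for v in incident.verdicts.values())
    hit = hit or bool(incident.suspicious_cmdlines)
    # The playbook only recommends; nothing is remediated before the analyst classifies.
    if hit or incident.severity in ("high", "critical"):
        recommendation = "likely_true_positive"
    else:
        recommendation = "likely_false_positive"
    return {"playbook": playbook, "unique_alerts": len(unique), "recommendation": recommendation}


def decide(incident: Incident, analyst_verdict: str) -> str:
    """The analyst's classification selects the handling sub-playbook."""
    if analyst_verdict == "true_positive":
        return "Cortex XDR - True Positive Incident Handling"
    if analyst_verdict == "false_positive":
        return "Cortex XDR - False Positive Incident Handling"
    raise ValueError("playbook waits: the analyst has not classified the incident")


def make_sample_incident() -> Incident:
    """Constructed EDR incident: a duplicated file alert plus an encoded PowerShell launch."""
    return Incident(
        incident_id="INC-0001", source="EDR", severity="medium",
        alerts=[
            Alert("1", "file", sha256="a" * 64),
            Alert("2", "file", sha256="a" * 64),             # duplicate of alert 1
            Alert("3", "process", cmdline="powershell.exe -enc SQBFAFgA..."),
        ],
    )


if __name__ == "__main__":
    inc = make_sample_incident()
    print(triage(inc, "analyst1"))
    print(decide(inc, "true_positive"))
```

Note that `decide` raises until the analyst has classified the incident; that is the "waits for the analyst to proceed" behaviour, and it is the only path into the true-positive handling, so no remediation step can run on an unclassified or false-positive incident.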
The Cortex XDR Malware - Investigation And Response playbook uses the following sub-playbooks:
Cortex XDR Malware - Incident Enrichment
Dedup Generic - v4
Cortex XDR - Endpoint Investigation
Command-Line Analysis
Search for Hash in Sandbox - Generic
Cortex XDR - Retrieve File by sha256
Detonate and Analyze File - Generic
Cortex XDR - True Positive Incident Handling
Cortex XDR - False Positive Incident Handling