Set up a Malware Incident Using the Deployment Wizard - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Malware (malicious software) refers to any software intentionally designed to cause damage to a single computer, server, or computer network.

Malicious entities commonly use the following malware types to infect target computers:

  • Virus: A type of code that, when executed, replicates itself by modifying other programs and inserting its own code.

  • Worm: A standalone program that replicates itself and spreads from one computer to another.

  • Trojan: Any malware that misleads users about its true intent. Malware can also play a role in phishing attempts, for example when users are duped into downloading and running a file on their machine, which in turn infects that machine and possibly others.

  • Ransomware: Malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.

To get up and running with a Malware incident in Cortex XSOAR, follow these stages.

Stage

Description

Plan Your Malware Use Case

In the planning stage, consider the following before installing Cortex XSOAR.

  • How are you going to ingest incidents into Cortex XSOAR?

  • What information does an analyst need to see to help the investigation?

  • How will you handle the response?

  • What integrations do you need?

Install the Malware Investigation and Response Content Pack

The Malware Investigation and Response content pack supports:

  • Aggregating incidents from EDRs, including multiple alerts and files.

  • Fetching malware incidents either from the EDR product or from a SIEM solution.

  • Enriching account information.

  • Providing forensic data, including running processes and open network connections at alert detection time.

  • Retrieving files and detonating them in sandboxes.

  • Analyzing process command line strings to identify suspicious behavior.

  • Processing supported sandbox reports and visualizing the results in layouts.

  • Extracting indicators and providing threat intelligence enrichment.

  • Tagging malicious and benign indicators for allow and deny lists for threat prevention and false-positive management.

  • Mirroring incidents between supported EDRs and Cortex XSOAR, including closing the incident in the EDR.

Installing the Malware Investigation and Response content pack requires installing additional supporting content packs. Use the Deployment Wizard to configure your integration instances and get your use case up and running quickly.

Use the Deployment Wizard to Configure Your Integration Instances and Main Playbook

Use the Deployment Wizard to add mandatory and optional third-party integration instances. For example, configure the Palo Alto Networks Cortex XDR - Investigation and Response integration (mandatory) to ingest incidents.

Review the Malware Investigation & Response Incident Handler Playbook

Playbooks are triggered either when an incident is created or when you run them manually as part of an investigation. Each EDR has a dedicated playbook, with playbook inputs tailored to that EDR. In this tutorial, we use the Malware Investigation & Response Incident Handler playbook.

Investigation

Now that everything is set up, analysts can start investigating incidents.

Add Pre-Process Rules

After ingesting alerts, add pre-process rules as needed to perform specific actions on incidents as they are ingested into Cortex XSOAR, for example to support security testing or to reduce the number of false-positive incidents entering Cortex XSOAR.