Malware (malicious software) refers to any software intentionally designed to cause damage to a single computer, server, or computer network.
Threat actors commonly use the following malware types to infect target computers:
Virus: Code that, when executed, replicates itself by modifying other programs and inserting its own code into them.
Worm: A standalone program that replicates itself and spreads from one computer to another without user action.
Trojan: Any malware that misleads users about its true intent. Trojans are often delivered through phishing, for example when users are duped into downloading and running a file that infects their machine and possibly other machines on the network.
Ransomware: Malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
To get up and running with a Malware incident in Cortex XSOAR, follow these stages.
Stage | Description |
---|---|
Plan Your Malware Use Case | In the planning stage, consider the following before installing Cortex XSOAR. |
Install the Malware Investigation and Response Content Pack | The Malware Investigation and Response content pack supports: Installing the Malware Investigation and Response content pack requires installing additional supporting content packs. Use the Deployment Wizard to configure your integration instances and get your use case up and running quickly. |
Use the Deployment Wizard to Configure Your Integration Instances and Main Playbook | Use the Deployment Wizard to add mandatory and optional third-party integration instances. For example, configure the Palo Alto Networks Cortex XDR - Investigation and Response integration (mandatory) to ingest incidents. |
Review the Malware Investigation & Response Incident Handler Playbook | Playbooks are triggered either when an incident is created or when you run them manually as part of an investigation. Each EDR has a dedicated playbook with its own playbook inputs for that product. In this tutorial, we use the Malware Investigation & Response Incident Handler playbook. |
Investigation | Once everything is set up, analysts can start investigating incidents. |
Add Pre-Process Rules | After alerts are ingested, add pre-process rules as needed to perform specific actions on incidents as they enter Cortex XSOAR, for example to handle alerts generated by security testing or to reduce the number of false-positive incidents. |
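As an added illustration of what a set of pre-process rules does, the following Python models the decision made for each ingested alert: drop it (security-testing alert or a hash already verified benign), link it to an already open incident for the same file on the same host, or create a new incident. This is constructed example code, not Cortex XSOAR's own rule syntax or API; the field names (`sha256`, `hostname`, `labels`, `created`), the `security-testing` label, the sample hashes and the 24-hour dedup window are assumptions chosen for the example.

```python
"""Model of pre-process rules applied to alerts as they are ingested.

Constructed example for illustration; it is not Cortex XSOAR's own API or
rule syntax. Field names (sha256, hostname, labels, created), the
'security-testing' label and the sample hashes are assumptions.
Each rule maps an incoming alert to one of the actions a pre-process rule
can take: create a new incident, link the alert to an existing incident,
or drop it.
"""
from datetime import datetime, timedelta

# Repeat detections of the same file on the same host inside this window are
# treated as duplicates of the already-open incident (assumed window).
DEDUP_WINDOW = timedelta(hours=24)

# Hashes confirmed benign by a previous investigation (constructed values).
KNOWN_BENIGN_SHA256 = {
    "0" * 64,  # placeholder hash standing in for a known-good internal tool
}


def preprocess(alert, open_incidents, now):
    """Decide what to do with one incoming alert.

    Returns an (action, incident_id) tuple where action is 'drop', 'link'
    or 'create'. incident_id is set only for 'link'. Rules are evaluated in
    order and the first match wins.
    """
    labels = alert.get("labels", {})

    # Rule 1: alerts raised by authorised security testing never become incidents.
    if labels.get("source") == "security-testing":
        return ("drop", None)

    # Rule 2: known false positives (previously verified benign hashes) are dropped.
    if alert.get("sha256") in KNOWN_BENIGN_SHA256:
        return ("drop", None)

    # Rule 3: a repeat detection of the same file on the same host within the
    # dedup window is linked to the existing open incident instead of
    # opening a new one.
    for inc in open_incidents:
        same_file = inc["sha256"] == alert.get("sha256")
        same_host = inc["hostname"] == alert.get("hostname")
        recent = timedelta(0) <= now - inc["created"] <= DEDUP_WINDOW
        if same_file and same_host and recent:
            return ("link", inc["id"])

    # Default: nothing matched, so a new incident is created.
    return ("create", None)


def run_sample():
    """Apply the rules to a constructed batch of alerts and return the decisions."""
    now = datetime(2024, 5, 1, 12, 0, 0)
    open_incidents = [
        {
            "id": "INC-100",
            "sha256": "a" * 64,
            "hostname": "ws-017",
            "created": now - timedelta(hours=3),
        },
    ]
    alerts = [
        # duplicate of INC-100: same hash, same host, three hours later
        {"sha256": "a" * 64, "hostname": "ws-017", "labels": {"source": "edr"}},
        # same hash on a different host: the file is spreading, worth its own incident
        {"sha256": "a" * 64, "hostname": "ws-042", "labels": {"source": "edr"}},
        # test payload tagged by the security-testing team
        {"sha256": "b" * 64, "hostname": "ws-017", "labels": {"source": "security-testing"}},
        # hash already verified benign in an earlier investigation
        {"sha256": "0" * 64, "hostname": "ws-099", "labels": {"source": "edr"}},
    ]
    return [preprocess(alert, open_incidents, now) for alert in alerts]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The order of the rules matters: the testing and known-benign checks run before deduplication so that a tagged test alert is dropped even when it would otherwise match an open incident.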