* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog)
* [Security Operations](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/)
* [Playbook of the Week](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)
* Playbook of the Week: Mal...

# Playbook of the Week: Malware Investigation and Response - The Sequel

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-malware-investigation-and-response-the-sequel%2F)  
[](https://twitter.com/share?text=Playbook+of+the+Week%3A+Malware+Investigation+and+Response+-+The+Sequel&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-malware-investigation-and-response-the-sequel%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-malware-investigation-and-response-the-sequel%2F&title=Playbook+of+the+Week%3A+Malware+Investigation+and+Response+-+The+Sequel&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-malware-investigation-and-response-the-sequel/&ts=markdown)  
\[\](mailto:?subject=Playbook of the Week: Malware Investigation and Response - The Sequel)  
Link copied  
By [Bar Katzir](https://www.paloaltonetworks.com/blog/author/bar-katzir/?ts=markdown "Posts by Bar Katzir") and [Sasha Sokolovich](https://www.paloaltonetworks.com/blog/author/sasha-sokolovich/?ts=markdown "Posts by Sasha Sokolovich")  
Nov 11, 2022  
5 minutes  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XSOAR Marketplace](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar-marketplace/?ts=markdown)  
[EDR](https://www.paloaltonetworks.com/blog/tag/edr/?ts=markdown)  
[malware](https://www.paloaltonetworks.com/blog/tag/malware/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Automation](https://www.paloaltonetworks.com/blog/tag/security-automation/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[XDR](https://www.paloaltonetworks.com/blog/tag/xdr/?ts=markdown)  
[XSOAR Content Packs](https://www.paloaltonetworks.com/blog/tag/xsoar-content-packs/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

Enhancing your security automation and response capabilities across multiple platforms while tending to large amounts of threat investigations is anything but easy. But not doing so requires dependency on many manual processes, increasing incident investigation time and overall risk of malware infections. To prepare for the next inevitable attack, SOC teams must continuously look for ways to improve their post-incident activity processes.
![Figure 1: NIST Incident Lifecycle process](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-58.png)
Figure 1: NIST Incident Lifecycle process

You don't need to do it yourself. Let automation help.

Streamline and automate the malware investigation process with Cortex XSOAR's Malware Investigation and Response pack. [Released](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-malware-investigation-and-response/) in June 2022, the Malware Investigation \& Response pack accelerates the investigation process for endpoint malware incidents and alerts by collecting evidence of malicious behaviors, searching telemetry data available through EDRs, and processing malware analysis reports through sandboxes. Incident layouts also include buttons to quickly trigger containment activities.

Customers like you have found immense value in the [Malware Investigation and Response Pack](https://www.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-malware-investigation-and-response/), alongside the [Deployment Wizard](https://www.paloaltonetworks.com/blog/security-operations/cortex-xsoar-6-8-its-a-wizard-of-a-release/), since its release.

To quote an EMEA Financial Services customer:

*"The Malware Investigation and Response pack is by far the easiest use case to deploy."*

## **Key New Features of the Malware Investigation and Response Content Pack**

After working with customers across various sectors and regions on their deployment of the pack, we incorporated their feedback into a new version of the pack to provide more value without compromising investigation speed or scale.

For the new Malware Investigation and Response pack, we focused on the following capabilities:

* **Account Enrichment**

Incorporating the capability to retrieve information about the active user on the endpoint will give the analyst context about the endpoint and possible risks to the organization.

For example, providing insight into the active user's department--- whether they are in finance or engineering--- enables the analyst to disable the user's account in the corresponding IDP as needed.
![Figure 2: Account Information details in incident view](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-59.png)
Figure 2: Account Information details in incident view

* **Firewall Enrichment \& Validation (with Threat Hunting Generic playbook)**

SIEM and newly added Network Security tools give more context to the threats in your organization. This provides valuable context regarding the severity of the threat and how wide it has spread within your organization.

* **Joe Security Sandbox coverage**

The new integration with Joe Security sandbox allows analysts to retrieve submitted file information or automatically detonate files that are detected by the deployed EDR. The retrieved information allows the analyst to gain more insights on the alert by using the Sandbox analysis full report or even a quick view of the extracted IOCs, such as MITRE ATT\&CK information, from the layout itself.
![Figure 3: Joe Security Sandbox Report available to analyst for incident investigation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-60.png)
Figure 3: Joe Security Sandbox Report available to analyst for incident investigation

![Figure 4: Joe Security Sandbox Report providing rich analysis and MITRE ATT\&CK mapping](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-61.png)
Figure 4: Joe Security Sandbox Report providing rich analysis and MITRE ATT\&CK mapping

* **Addition of Service Level Agreements (SLAs)**

Security investigations are time-sensitive. The longer before the threat is contained, the greater the risk of exposure to the organization. With this enhancement of the pack, you can easily track and monitor Triage, Remediation, and Containment SLAs.
![Figure 5: SLAs section within the incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-62.png)
Figure 5: SLAs section within the incident

An SLA Dashboard also allows you to quickly filter your Incident Types based on Severity so you can properly diagnose your SLAs.
![Figure 6: SLA Dashboard](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-63.png)
Figure 6: SLA Dashboard

* **Microsoft Defender for Endpoint Rate limit handling**

Some advanced hunting queries have [limitations](https://github.com/MicrosoftDocs/microsoft-365-docs/blob/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md#limitations). However, the Cortex XSOAR Malware Investigation and Response v2 content pack includes a baked-in rate-limiting support mechanism, which will re-run your queries in the playbooks if you have reached your Incidents API or Advanced Hunting API [quota](https://learn.microsoft.com/en-us/legal/microsoft-365/api-terms#quotas-and-resource-allocation). This ensures your investigation goes unhindered.

* **Microsoft Defender for Endpoint Advanced Hunting Batch Queries**

As the XSOAR R\&D team keeps evolving and maintaining current playbooks, it is essential to have flexibility when it comes to customization. This feature allows the customer to add a batch of pre-defined queries as a playbook input. This way, there is no need to detach the playbook for adding your custom Microsoft Defender Advanced Hunting queries.

* **Assign Analyst to an Incident**

Assigning an analyst to an incident based on the less busy user is now available. Moreover, you may define if you would like to assign an on-call analyst using the playbook inputs.

## **Continuous Innovation in Automation**

The Malware Investigation and Response pack accelerates the investigation process for cybersecurity analysts and makes containment activities push-button simple. Although the latest additions add a ton of value for our customers, we are already thinking about what's next.

For more information on the [Malware Investigation and Response Pack](https://xsoar.pan.dev/marketplace/details/MalwareInvestigationAndResponse) and other XSOAR packs and playbooks, visit our [Cortex XSOAR Developer Docs](https://xsoar.pan.dev/docs/reference/index) reference page.

To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)

We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.

*** ** * ** ***

## Related Blogs

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating EDL Management](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-edl-management/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Management of XDR Identity Analytics Alerts](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-management-of-xdr-identity-analytics-alerts/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### An Automated Response to Malicious Pod Activity](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Rapid Response for Fighting Ursa Phishing Campaign](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://origin-researchcenter.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language