Comprehensive Investigation by Palo Alto Networks

Details
Content
Dependencies
Version History

Are you a Palo Alto Networks customer? We have just the content pack to help you orchestrate incident response across Palo Alto Networks products.

Responding and managing cyber security attacks requires security teams to reconcile data from a variety of different sources. Valuable time is lost shuttling between screens and executing repeatable tasks while an attack continues to manifest.
This Palo Alto Networks Comprehensive Investigation content pack contains the ‘Palo Alto Networks - Endpoint Malware Investigation v3’ playbook, that automates response to a malware found on an endpoint, the ‘Palo Alto Networks - Malware Remediation’ playbook, that automates remediation strategies to many different cyber security incidents, and the ‘Palo Alto Networks - Hunting And Threat Detection’ playbook, that automates hunting for other affected entities in your organizations.
The pack also contains the corresponding custom malware incident views and layouts to facilitate analyst investigation.
These playbooks orchestrate across multiple products to extract and enrich IOCs, detonate malicious files, hunt for more IOCs within the organization, and perform remediation using only Palo Alto Networks products.

What does this pack do?

The playbooks included in this pack help you save time and automate repetitive tasks using Palo Alto Networks product integrations:

Find and link similar incidents
Extract and enrich all relevant indicators from the source alert
Calculate severity for the incident based on initial severity provided, indicator reputations, email authenticity check and critical assets if any are involved.
Hunt for related and affected indicators by leveraging Palo Alto Cortex data received by products
Remediate the incident by blocking malicious indicators using many different Palo Alto Networks products and techniques.
Generate an investigation report to document the incident’s details.

As part of this pack, you will also get out-of-the-box incident type views, with incident fields and a full layout. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

Palo Alto Networks - Endpoint Malware Investigation v3

What does this pack do?

The playbooks included in this pack help you save time and automate repetitive tasks using Palo Alto Networks product integrations:

Find and link similar incidents
Extract and enrich all relevant indicators from the source alert
Calculate severity for the incident based on initial severity provided, indicator reputations, email authenticity check and critical assets if any are involved.
Hunt for related and affected indicators by leveraging Palo Alto Cortex data received by products
Remediate the incident by blocking malicious indicators using many different Palo Alto Networks products and techniques.
Generate an investigation report to document the incident’s details.

As part of this pack, you will also get out-of-the-box incident type views, with incident fields and a full layout. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

Palo Alto Networks - Endpoint Malware Investigation v3

Automations

Name	Description
PanwIndicatorCreateQueries	The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.

Layouts

Name	Description
PANW Endpoint Malware Incident

Playbooks

Name	Description
Palo Alto Networks - Malware Remediation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.
Palo Alto Networks - Hunting And Threat Detection	This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks. The playbook leverages data received by PANW products including, Strata Logging Service and Pan-OS to search for IP addresses, host names and users related to the provided indicators. The output provided by the playbook enables you to find possibly affected IP addresses, users, and endpoints.
Palo Alto Networks - Endpoint Malware Investigation v3	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.
Palo Alto Networks - Endpoint Malware Investigation	Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook is triggered by a Palo Alto Networks Cortex threat alert, generated by Traps. The playbook performs host enrichment for the source host with Palo Alto Networks Traps, enriches information for the suspicious file with Palo Alto Networks Minemeld and AutoFocus, and automatically performs file detonation for the extracted file. It then performs IOC enrichment with Minemeld for all related IOCs, and calculates the incident severity based on all the findings. In addition we detonate the file for the full analysis report. The analyst can perform a manual memory dump for the suspected endpoint based on the incident’s severity, and choose to isolate the source endpoint with Traps. Hunting tasks to find more endpoints that are infected is performed automatically based on a playbook input, and after all infected endpoints are found, remediation for all malicious IOCs is performed, including file quarantine, and IP and URLs blocking with Palo Alto Networks FireWall components such as Dynamic Address Groups and Custom URL Categories. After the investigation review the incident is automatically closed.

Automations

Name	Description
PanwIndicatorCreateQueries	The script accepts indicators as input and creates an indicator query in the relevant Palo Alto Networks products.

Playbooks

Name

Description

Palo Alto Networks - Malware Remediation

Deprecated. Use Malware Investigation and Response pack instead. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response.This Playbook performs malicious IOC remediation using Palo Alto Networks integrations.

Palo Alto Networks - Hunting And Threat Detection

This is a multipurpose playbook used for hunting and threat detection. The playbook receives inputs based on hashes, IP addresses, or domain names provided manually or from outputs by other playbooks.
The playbook leverages data received by PANW products including, Strata Logging Service and Pan-OS to search for IP addresses, host names and users related to the provided indicators.
The output provided by the playbook enables you to find possibly affected IP addresses, users, and endpoints.

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

Optional Content Packs (7)

Pack Name	Pack By
Active Directory Query	By: Cortex XSOAR
AutoFocus by Palo Alto Networks	By: Cortex XSOAR
Strata Logging Service by Palo Alto Networks	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
WildFire by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (9)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.3.32 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.3.31 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.3.30 - 5392573 (October 15, 2025)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Updated the playbook not to use the Auto Focus integration, as it will be deprecated.

Related pull requests:
- 41001
- 41487

Download

1.3.29 - 3526238 (May 25, 2025)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39931

Download

1.3.28 - R3444919 (May 18, 2025)

Scripts

PanwIndicatorCreateQueries

Metadata and documentation improvements.

Related pull requests:
- 38985

Download

1.3.27 - 2086795 (January 27, 2025)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Added transformers to "Prisma Cloud search IP" task in order to support IP list.

Related pull requests:
- 38352

Download

1.3.26 - R1973041 (January 13, 2025)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139

Download

1.3.25 - 1602991 (November 6, 2024)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.11.10.113941.

Related pull requests:
- 37006
- 36995
- 36994
- 36998
- 36993
- 36992
- 36997

Download

1.3.24 - 897231 (March 18, 2024)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.3.23 - 886558 (March 12, 2024)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Added a hash search enrichment using Cortex XDR.
Added an IP search enrichment using Prisma Cloud.

Related pull requests:
- 33244

Download

1.3.22 - R828628 (February 14, 2024)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Replaced references to Cortex Data Lake to Strata Logging Service.

Palo Alto Networks - Hunting And Threat Detection

Replaced references to Cortex Data Lake to Strata Logging Service.

Related pull requests:
- 31064

Download

1.3.21 - 7216131 (December 20, 2023)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Replaced the usage of the deprecated Demisto REST API integration with the Core REST API integration.

Related pull requests:
- 31388

Download

1.3.20 - 5940472 (August 2, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28679

Download

1.3.19 - R5692327 (July 5, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27577

Download

1.3.18 - 5450895 (June 5, 2023)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Updated the playbook to skip tasks which use commands of Cortex Data Lake integration if the Cortex Data Lake pack is not installed.

Related pull requests:
- 25505

Download

1.3.17 - 5418978 (June 1, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27113

Download

1.3.16 - R5170573 (May 2, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25934

Download

1.3.15 - 4851609 (March 19, 2023)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation

Deprecated. Use Malware Investigation and Response pack instead.

Palo Alto Networks - Endpoint Malware Investigation v3

Deprecated. Use Malware Investigation and Response pack instead.

Palo Alto Networks - Malware Remediation

Deprecated. Use Malware Investigation and Response pack instead.

Related pull requests:
- 25116

Download

1.3.14 - 4718798 (March 1, 2023)

Scripts

PanwIndicatorCreateQueries

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24932

Download

1.3.13 - R4646022 (February 19, 2023)

Layouts

PANW Endpoint Malware Incident
This item is no longer supported in XSIAM.

Related pull requests:
- 24222

Download

1.3.12 - R4494864 (January 29, 2023)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Fixed an issue where the query pointed to the global context path instead of the playbook inputs.

Related pull requests:
- 21205

Download

1.3.11 - 3745478 (September 28, 2022)

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Fixed an issue with the "Hunting And Threat Detection" task (id: 137) to use the correct playbook input "internal_range".

Related pull requests:
- 21415

Download

1.3.10 - R2146019 (December 21, 2021)

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Fixed an issue where an incorrect name (inputs.IP addresses) is given in an sub-playbook argument.

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	March 22, 2026

Comprehensive Investigation by Palo Alto Networks

What does this pack do?

What does this pack do?

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Playbooks

Palo Alto Networks - Endpoint Malware Investigation

Palo Alto Networks - Endpoint Malware Investigation v3

Palo Alto Networks - Malware Remediation

Scripts

PanwIndicatorCreateQueries

Layouts

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Endpoint Malware Investigation v3

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Playbooks

Palo Alto Networks - Malware Remediation

Palo Alto Networks - Endpoint Malware Investigation v2

Palo Alto Networks - Endpoint Malware Investigation

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Scripts

PanwIndicatorCreateQueries

Scripts

PanwIndicatorCreateQueries

Playbooks

Palo Alto Networks - Hunting And Threat Detection

Scripts

PanwIndicatorCreateQueries

Scripts