Skip to main content


Download With Dependencies

This pack is used to identify, investigate, and contain ransomware attacks.

When a ransomware attack is detected, for example by your endpoint protection service, this pack can help you better understand your position and exposure against the threat actor group by collecting the needed information from your environment, performing the required investigation steps, containing the incident, and visualizing the data with its custom Post Intrusion Ransomware layout.

What does this pack do?

The main features of the semi-automated Post Intrusion Ransomware Investigation playbook included in the pack are:

  • Performs automated user and host data enrichment.
  • Performs automated endpoint isolation and user revocation.
  • Provides guidance to retrieve the necessary files to identify the ransomware strain.
  • Extracts indicators from the ransomware note, including cryptocurrency and onion addresses.
  • Provides guidance on additional recommended investigation steps such as endpoint forensics, searching for more infected endpoints, and investigating activities of the infected user.
  • Performs Active Directory forensics.
  • Automatically blocks malicious indicators.
    As part of this pack, you will get out-of-the-box playbook, incident type, incident fields and a layout to display all of the information gathered during the ransomware investigation performed by the playbook.


Integrations required for this pack.




Cortex XSOARCortex XSIAM


CertificationRead more
Supported ByCortex
CreatedNovember 9, 2020
Last ReleaseJuly 5, 2023

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.