This playbook investigates and remediates malware infections on the endpoint.
How to Implement
This playbook starts by performing a reputation lookup on the potentially malicious file hash. The lookup result feeds a decision block that selects one of two branches, where the follow-on containment actions for that outcome are performed. Note that a reputation source can also return no verdict at all for a hash it has never seen; that case needs a deliberate branch rather than being treated as benign.
How To Respond
Typically this playbook is triggered for any suspicious or confirmed malicious process that requires further evaluation. By default it uses the file hash from the alert, but it can be modified to retrieve a copy of the file from the endpoint at a specified file path. That copy can then be detonated in a sandbox to observe its behavior and gather additional context about the file, which is most useful when the reputation source has no verdict for the hash.
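The decision flow described in the two sections above, as an added illustration in plain Python. This is not the Phantom playbook itself and not Phantom's playbook API: `reputation_lookup`, `get_file`, `detonate` and `contain` are hypothetical stand-ins for the corresponding app actions, the reputation table, endpoint file store and behaviour rules are constructed sample data, and the two thresholds are assumed policy values. The example goes one step beyond the page by handling a hash the reputation source has never seen, which falls through to the file-retrieval and detonation path instead of being closed as benign.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values, not taken from the playbook.
MALICIOUS_THRESHOLD = 5    # vendor engines that must flag the hash
SANDBOX_THRESHOLD = 1      # behaviour signatures that must fire in detonation


@dataclass
class Alert:
    hostname: str
    file_path: str
    file_hash: Optional[str] = None   # absent: fetch the file from file_path and hash it


@dataclass
class Outcome:
    verdict: str                              # "malicious", "benign" or "unknown"
    actions: list = field(default_factory=list)


def normalize_hash(value: str) -> str:
    """Lower-case and validate an md5/sha1/sha256 hex digest. Anything else is
    rejected here instead of being sent to the reputation service."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", h):
        raise ValueError(f"unsupported file hash: {value!r}")
    return h


def reputation_lookup(file_hash: str, source: dict):
    """Hypothetical stand-in for the reputation action: returns (positives, total),
    or None when the source has never seen the hash."""
    return source.get(file_hash)


def get_file(hostname: str, path: str, endpoint_fs: dict):
    """Hypothetical stand-in for pulling a copy of the file off the endpoint."""
    return endpoint_fs.get((hostname, path))


def detonate(contents: bytes, behaviour_rules: list) -> int:
    """Hypothetical stand-in for sandbox detonation: count of behaviour signatures observed."""
    return sum(1 for rule in behaviour_rules if rule in contents)


def contain(alert: Alert) -> list:
    """Containment branch: the actions that would be dispatched for a malicious verdict."""
    return [f"quarantine_file:{alert.hostname}:{alert.file_path}",
            f"block_hash:{alert.file_hash}",
            f"isolate_host:{alert.hostname}"]


def investigate(alert: Alert, reputation: dict, endpoint_fs: dict, behaviour_rules: list) -> Outcome:
    """Reputation lookup -> decision -> containment. An unknown hash falls back to
    file retrieval and detonation rather than being closed as benign."""
    blob = None
    if alert.file_hash is None:
        blob = get_file(alert.hostname, alert.file_path, endpoint_fs)
        if blob is None:
            return Outcome("unknown", ["escalate:file_not_retrievable"])
        alert.file_hash = hashlib.sha256(blob).hexdigest()
    else:
        alert.file_hash = normalize_hash(alert.file_hash)

    rep = reputation_lookup(alert.file_hash, reputation)
    if rep is not None:
        positives, _total = rep
        if positives >= MALICIOUS_THRESHOLD:
            return Outcome("malicious", contain(alert))
        return Outcome("benign", ["close_event"])

    # No verdict for this hash: observe the file's behaviour before deciding.
    if blob is None:
        blob = get_file(alert.hostname, alert.file_path, endpoint_fs)
        if blob is None:
            return Outcome("unknown", ["escalate:file_not_retrievable"])
    if detonate(blob, behaviour_rules) >= SANDBOX_THRESHOLD:
        return Outcome("malicious", contain(alert))
    return Outcome("unknown", ["escalate:analyst_review"])


# Constructed sample data for a stand-alone run (not real telemetry or real intel).
INV_PATH, TOOL_PATH, NOVEL_PATH = r"C:\Users\a\Downloads\inv.exe", r"C:\Temp\tool.exe", r"C:\Temp\novel.exe"
SAMPLE_MALWARE = b"constructed sample: CreateRemoteThread WriteProcessMemory"
SAMPLE_UNKNOWN = b"constructed sample: plain text, no injection behaviour"
SAMPLE_NOVEL = b"constructed sample: dropper using WriteProcessMemory"
MALWARE_HASH = hashlib.sha256(SAMPLE_MALWARE).hexdigest()
KNOWN_GOOD_HASH = hashlib.sha256(b"constructed sample: known good").hexdigest()
REPUTATION = {MALWARE_HASH: (57, 70), KNOWN_GOOD_HASH: (0, 70)}
ENDPOINT_FS = {("ws01", INV_PATH): SAMPLE_MALWARE,
               ("ws02", TOOL_PATH): SAMPLE_UNKNOWN,
               ("ws03", NOVEL_PATH): SAMPLE_NOVEL}
BEHAVIOUR_RULES = [b"CreateRemoteThread", b"WriteProcessMemory"]

if __name__ == "__main__":
    for a in (Alert("ws01", INV_PATH, MALWARE_HASH.upper()),
              Alert("ws02", TOOL_PATH), Alert("ws03", NOVEL_PATH)):
        print(a.hostname, investigate(a, REPUTATION, ENDPOINT_FS, BEHAVIOUR_RULES))
```

The hash is validated before the lookup so that a malformed indicator from the alert fails loudly rather than producing a silent "not found", and the file is fetched at most once even when both the hashing and the detonation path need it.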
Malware Investigation Help
Deploy Phantom, then work with your technical team to import and configure this playbook.