Malware Investigation


This playbook investigates and remediates malware infections on the endpoint.

Content Mapping


Use Case

Security Monitoring, Advanced Threat Detection, SOC Automation


Endpoint Compromise, Lateral Movement

Security Impact

Investigating and responding to malware alerts can take 30+ minutes. By automating this investigation and response, Phantom validates that the process is malicious and takes immediate action to block the hash on the infected endpoints.

Alert Volume

Very Low


Stage 5

Data Sources

Windows Security

How to Implement

This playbook starts by performing a reputation lookup against a potentially malicious file hash. Based on the output of the reputation lookup, the playbook follows one of two possible branches of actions, in which additional containment actions are performed.

How To Respond

Typically, this playbook would be triggered for any suspicious or confirmed malicious processes that require further evaluation. By default, the playbook uses a file hash from an alert, but it can be modified to retrieve a copy of the file from the endpoint based on a specified file path. This file can then be detonated in a sandbox to observe its behavior and get additional contextual information about the file.


Malware Investigation Help

Simply deploy Phantom and work with your technical team to deploy this playbook.
