Security Orchestration Use Case: Automating Malware Analysis

Oct 15, 2018
4 minutes

Grandma, What Malicious Hashes You Have  

Detonating suspicious files in sandboxes for malware analysis is an ever-present and important investigative step during incident response. As malware analysis tools are isolated from other security products, however, it’s taxing for security analysts to coordinate across consoles while executing this repetitive task. Pasting results onto another console for documentation is also time-consuming and increases chances of error.

How Orchestration Helps

Security orchestration playbooks can automate the entire file detonation process either as an isolated workflow or in concert with other enrichment activities. This ensures that analysts don’t waste time performing the activity but are still able to benefit from the results of the analysis. Since playbooks document the result of all actions on a central console, the need for post-fact manual documentation is also eliminated.

Malware Analysis Flow Diagram


1. Ingestion

The playbook can ingest data from a variety of sources such as SIEMs, mailboxes, threat intelligence feeds, and malware analysis tools.

2. Extraction


Malware Analysis Playbook Screen

The playbook extracts the file that needs to be detonated.

3. Detonation

The playbook uploads the file to the malware analysis tool where it is detonated and the ensuing malware analysis report is generated.

4. Display Report

Malware Analysis Playbook Screen

The playbook displays the malware analysis report for analyst study and action.

5. Update Database

If the file is found to be malicious, the playbook updates relevant watchlists/blacklists with that information. From here, the playbook can branch into other actions such as quarantining infected endpoints, opening tickets, and reconciling data from other third-party threat feeds.

To access Cortex XSOAR's malware analysis playbook and other orchestration use cases, visit our GitHub playbook repository and see what's possible


Unify security functions: The malware analysis playbook coordinates between detection sources (SIEM, malboxes etc.), malware analysis tools, and threat intelligence tools, enabling security teams to have improved, centralized visibility over security data. This results in maximal usage of all security tools but without the need for keeping multiple tabs open and dividing up work and focus among disparate consoles.

Automate repeatable steps: There are multiple security actions that, while important, are time-consuming to execute every time malware needs to be analyzed. Automating these steps shave off large chunks of response time while still providing overall control and decision-making power to the security team.

Improve investigation quality: Security orchestration platforms usually correlate intelligence from multiple tools so that security teams can quickly identify whether any malware instances are isolated or persistent within their environments. In this example, security teams can study the malware analysis report, see how many other incidents the same malware instances are present in, and identify larger attack campaigns at play.

A Good Playbook Should Be...

Simple and intuitive: The playbook should ideally be represented as a task/process flow through a simple drag-and-drop graphical interface.  Coding expertise shouldn't be a 'must-have' to make even the most complex playbooks, although each playbook’s code should also be available for analysts to tweak if required.

Primed for automation: Analysts should be able to automate the entire playbook in response to a phishing attack, greatly reducing response time, effort, and the possibility of human error for large-volume attacks. However, analysts should also be able to include manual steps in playbooks and require human intervention for sophisticated attacks.

Customizable: Analysts should be able to make copies of the standard playbook, modify it, or embed it in other playbooks as needed.

We hope you found this use case walk-through helpful. This is only a skeletal workflow - your own 'playbook' can be as simple or complex as your needs merit.

To see Cortex XSOAR in action, sign up for our free Community Edition.

Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.