Malware Triage Runbook

Objective

Perform initial analysis and context gathering for a suspected malicious file hash identified during an investigation or alert triage. This helps determine the nature of the file and its potential impact.

Scope

This runbook covers the initial triage steps for a file hash using GTI and SIEM tools. It does not include full reverse engineering or deep forensic analysis of the affected host.

Inputs

  • ${FILE_HASH}: The MD5, SHA1, or SHA256 hash of the suspected malicious file.

  • ${CASE_ID}: The relevant SOAR case ID for documentation.

  • ${ALERT_GROUP_IDENTIFIERS}: Relevant alert group identifiers from the SOAR case.

  • (Optional) ${TIME_FRAME_HOURS}: Lookback period in hours for SIEM searches (default: 72).

Tools

Workflow Steps & Diagram

  1. Receive Input & Context: Obtain ${FILE_HASH}, ${CASE_ID}, ${ALERT_GROUP_IDENTIFIERS}, and optionally ${TIME_FRAME_HOURS}. Get case details via secops-soar.get_case_full_details.

  2. GTI File Report:

    • Use gti-mcp.get_file_report with hash=${FILE_HASH}.

    • Record key details (${GTI_REPORT_DETAILS}): detection ratio, malware family classification, first/last seen, associated threats.

  3. GTI Behavior Summary:

    • Use gti-mcp.get_file_behavior_summary with hash=${FILE_HASH}.

    • Record key behavioral indicators (${GTI_BEHAVIOR_SUMMARY}): network connections (contacted IPs/domains - NETWORK_IOCs_GTI), dropped files, registry keys modified, MITRE TTPs observed in sandbox.

  4. SIEM Execution Check:

    • Use secops-mcp.search_security_events with hours_back=${TIME_FRAME_HOURS} and queries like:

      • target.file.sha256 = "${FILE_HASH}" OR target.file.md5 = "${FILE_HASH}" OR target.file.sha1 = "${FILE_HASH}"

      • Look for PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION events (${SIEM_EXECUTION_EVENTS}).

    • Identify hosts (AFFECTED_HOSTS) and users (AFFECTED_USERS) associated with these events.

  5. SIEM Network Activity Check:

    • Use secops-mcp.search_security_events to check for network connections (NETWORK_CONNECTION, NETWORK_DNS) originating from processes associated with ${FILE_HASH} (using principal.process.file.sha256 = "${FILE_HASH}" or similar). Let these be ${SIEM_NETWORK_EVENTS}.

    • Extract contacted IPs/domains (NETWORK_IOCs_SIEM) from these events.

  6. Enrich Network IOCs:

    • Combine unique IOCs from NETWORK_IOCs_GTI and NETWORK_IOCs_SIEM into ALL_NETWORK_IOCs.

    • Initialize NETWORK_IOC_ENRICHMENT. For each IOC Ni in ALL_NETWORK_IOCs:

      • Execute common_steps/enrich_ioc.md with IOC_VALUE=Ni and appropriate IOC_TYPE.

      • Store results in NETWORK_IOC_ENRICHMENT[Ni].

  7. Check Related SOAR Cases:

    • Prepare list of key entities to search: SEARCH_TERMS = AFFECTED_HOSTS + AFFECTED_USERS + ALL_NETWORK_IOCs.

    • Execute common_steps/find_relevant_soar_case.md with SEARCH_TERMS and CASE_STATUS_FILTER="Opened".

    • Obtain ${RELATED_SOAR_CASES} (list of potentially relevant open case summaries/IDs).

  8. Synthesize & Document:

    • Combine findings: ${GTI_REPORT_DETAILS}, ${GTI_BEHAVIOR_SUMMARY}, ${SIEM_EXECUTION_EVENTS}, ${SIEM_NETWORK_EVENTS}, NETWORK_IOC_ENRICHMENT, AFFECTED_HOSTS, ${RELATED_SOAR_CASES}.

    • Assess the severity based on GTI classification, behavior, observed activity, and relation to other cases.

    • Prepare COMMENT_TEXT: “Malware Triage for Hash ${FILE_HASH}: GTI Class: […], Behavior Summary: […]. Observed on Hosts: [${AFFECTED_HOSTS}]. Network Activity: […]. Network IOC Enrichment: […]. Related Open Cases: [${RELATED_SOAR_CASES}]. Assessment: […]. Recommendation: [Trigger Endpoint Triage/Isolation for affected hosts] | [Block related Network IOCs (Trigger IOC Containment)] | [Escalate to Tier 3/IR for deeper analysis] | [Monitor]”.

    • Execute common_steps/document_in_soar.md with ${CASE_ID} and ${COMMENT_TEXT}. Obtain ${COMMENT_POST_STATUS}.

  9. (Optional) Generate Report:

    • Ask the user a follow-up question: “Generate a markdown report file for this triage?”. Obtain ${REPORT_CHOICE}.

    • If ${REPORT_CHOICE} is “Yes”:

      • Prepare REPORT_CONTENT summarizing findings (similar to ${COMMENT_TEXT} but formatted for a report, including a Mermaid diagram).

      • Execute common_steps/generate_report_file.md with REPORT_CONTENT, REPORT_TYPE="malware_triage", REPORT_NAME_SUFFIX=${FILE_HASH}. Obtain ${REPORT_GENERATION_STATUS}.

    • Else: Set ${REPORT_GENERATION_STATUS} = “Skipped”.

  10. Completion: Conclude the runbook execution. Inform analyst of completion status and report generation status (if applicable).
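The following helpers illustrate the data-handling parts of steps 4 to 6: validating ${FILE_HASH} before it is interpolated into the UDM query and selecting the matching hash field, then merging NETWORK_IOCs_GTI and NETWORK_IOCs_SIEM into a de-duplicated ALL_NETWORK_IOCs with an IOC_TYPE for each. This is added example code, not part of the runbook or of the gti-mcp / secops-mcp / secops-soar tooling; it makes no tool calls, the `ip`/`domain` IOC_TYPE labels are assumed, and all sample values are constructed.

```python
"""Helpers for the hash-triage steps above. Added example code, not part of
the runbook or of the gti-mcp / secops-mcp / secops-soar tooling; it does not
call those tools, and all sample data below is constructed."""
import ipaddress
import re

# Hex length fixes the algorithm, and the algorithm fixes the UDM field
# queried in step 4 (target.file.*) and step 5 (principal.process.file.*).
HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}

def hash_type(file_hash: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex hash."""
    h = file_hash.strip().lower()
    if len(h) not in HASH_FIELDS or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex hash: {file_hash!r}")
    return HASH_FIELDS[len(h)]

def udm_hash_query(file_hash: str, prefix: str = "target.file") -> str:
    """Step 4/5 UDM clause for only the field matching the validated hash."""
    return f'{prefix}.{hash_type(file_hash)} = "{file_hash.strip().lower()}"'

def ioc_type(value: str) -> str:
    """IOC_TYPE for common_steps/enrich_ioc.md (assumed labels: ip / domain)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"

def merge_network_iocs(gti_iocs, siem_iocs) -> dict:
    """Step 6: ALL_NETWORK_IOCs as {normalised value: IOC_TYPE}; case and a
    trailing FQDN dot are normalised so GTI and SIEM spellings de-duplicate."""
    merged = {}
    for value in list(gti_iocs) + list(siem_iocs):
        v = value.strip().lower().rstrip(".")
        if v:
            merged.setdefault(v, ioc_type(v))
    return merged

# Constructed sample data (RFC 5737 documentation addresses, example.net domain).
FILE_HASH = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of an empty file, placeholder
NETWORK_IOCS_GTI = ["198.51.100.7", "Update-Check.Example.net."]
NETWORK_IOCS_SIEM = ["update-check.example.net", "198.51.100.7", "203.0.113.9"]

if __name__ == "__main__":
    print(udm_hash_query(FILE_HASH))                            # step 4 query
    print(udm_hash_query(FILE_HASH, "principal.process.file"))  # step 5 query
    for ioc, kind in merge_network_iocs(NETWORK_IOCS_GTI, NETWORK_IOCS_SIEM).items():
        print(f"enrich_ioc IOC_VALUE={ioc} IOC_TYPE={kind}")
```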

    sequenceDiagram
    participant Analyst
    participant AutomatedAgent as Automated Agent (MCP Client)
    participant GTI as gti-mcp
    participant SIEM as secops-mcp
    participant SOAR as secops-soar
    participant EnrichIOC as common_steps/enrich_ioc.md
    participant FindCase as common_steps/find_relevant_soar_case.md
    participant DocumentInSOAR as common_steps/document_in_soar.md
    participant GenerateReport as common_steps/generate_report_file.md
    participant Endpoint_Triage as Endpoint Triage Runbook %% Still potentially triggered

    Analyst->>AutomatedAgent: Start Malware Triage\nInput: FILE_HASH, CASE_ID, ALERT_GROUP_IDS, TIME_FRAME_HOURS (opt)

    %% Step 1: Context
    AutomatedAgent->>SOAR: get_case_full_details(case_id=CASE_ID)
    SOAR-->>AutomatedAgent: Case Details

    %% Step 2: GTI File Report
    AutomatedAgent->>GTI: get_file_report(hash=FILE_HASH)
    GTI-->>AutomatedAgent: Detailed File Report (GTI_REPORT_DETAILS)

    %% Step 3: GTI Behavior Summary
    AutomatedAgent->>GTI: get_file_behavior_summary(hash=FILE_HASH)
    GTI-->>AutomatedAgent: Behavior Summary (NETWORK_IOCs_GTI)

    %% Step 4: SIEM Execution Check
    AutomatedAgent->>SIEM: search_security_events(text="Events for hash FILE_HASH", hours_back=TIME_FRAME_HOURS)
    SIEM-->>AutomatedAgent: Execution Events (SIEM_EXECUTION_EVENTS, AFFECTED_HOSTS, AFFECTED_USERS)

    %% Step 5: SIEM Network Activity Check
    AutomatedAgent->>SIEM: search_security_events(text="Network activity from process hash FILE_HASH", hours_back=TIME_FRAME_HOURS)
    SIEM-->>AutomatedAgent: Network Events (SIEM_NETWORK_EVENTS, NETWORK_IOCs_SIEM)

    %% Step 6: Enrich Network IOCs
    Note over AutomatedAgent: Combine NETWORK_IOCs_GTI and NETWORK_IOCs_SIEM into ALL_NETWORK_IOCs
    loop For each key Network IOC Ni in ALL_NETWORK_IOCs
        AutomatedAgent->>EnrichIOC: Execute(Input: IOC_VALUE=Ni, IOC_TYPE=...)
        EnrichIOC-->>AutomatedAgent: Results: Store in NETWORK_IOC_ENRICHMENT[Ni]
    end

    %% Step 7: Check Related SOAR Cases
    Note over AutomatedAgent: Prepare SEARCH_TERMS list (Hosts, Users, Network IOCs)
    AutomatedAgent->>FindCase: Execute(Input: SEARCH_TERMS, CASE_STATUS_FILTER="Opened")
    FindCase-->>AutomatedAgent: Results: RELATED_SOAR_CASES

    %% Step 8: Synthesize, Document & Recommend
    Note over AutomatedAgent: Synthesize findings (incl. related cases), assess severity, prepare COMMENT_TEXT with Recommendation
    AutomatedAgent->>DocumentInSOAR: Execute(Input: CASE_ID, COMMENT_TEXT)
    DocumentInSOAR-->>AutomatedAgent: Results: COMMENT_POST_STATUS

    %% Step 9: Optional Report Generation
    AutomatedAgent->>AskReport: Confirm: "Generate markdown report? (Yes/No)"
    AskReport-->>AutomatedAgent: User Response (REPORT_CHOICE)
    alt REPORT_CHOICE is "Yes"
        Note over AutomatedAgent: Prepare REPORT_CONTENT (incl. Mermaid diagram)
        AutomatedAgent->>GenerateReport: Execute(Input: REPORT_CONTENT, REPORT_TYPE="malware_triage", REPORT_NAME_SUFFIX=FILE_HASH)
        GenerateReport-->>AutomatedAgent: Results: REPORT_GENERATION_STATUS
    else REPORT_CHOICE is "No"
        Note over AutomatedAgent: REPORT_GENERATION_STATUS = "Skipped"
    end

    %% Step 10: Completion
    AutomatedAgent->>Analyst: attempt_completion(result="Malware Triage complete for FILE_HASH. Findings documented in case CASE_ID. Report Status: REPORT_GENERATION_STATUS.")