Sample Analysis - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

View static and dynamic analysis of file samples to identify malware, investigate trends, and create reports.

Cortex XSOAR Sample Analysis tools enable you to conduct in depth investigations and analyses of file samples. File samples are run and analyzed using Palo Alto Networks’ WildFire cloud-based threat analysis service, and you can view dynamic analysis of observed behavior, static analysis of the file contents, and related sessions and submissions.

For example, you have an incident with an extracted file indicator. The Unit 42 Intel tab shows the file’s behavior. You scroll through the sample's behavior and see a suspicious behavior: Powershell.exe wrote to a file in the Administrator's User folder, named 443.exe. You want to find other samples with the same behavior, and to determine if they are related to a known adversary or malware - so you add that specific behavior to your search. When you run the search, you see that this behavior is associated with Emotet, a known banking trojan (malware). You have identified your original file sample as part of a larger threat campaign and you can now take steps to remediate.

unit42-wildfire-example.png

The Unit 42 Intel tab for a file sample includes:

  • WildFire Dynamic Analysis - Observed Behavior

    A high level overview of the behavior observed when the file was run in the WildFire sandbox. Examples might include potentially malicious behaviors such as connecting to a potentially vulnerable port or creating an executable file in the Windows folder, as well as behaviors frequently performed by legitimate software, such as scheduling a task in Windows Task Scheduler.

  • WildFire Dynamic Analysis - Sections

    Dynamic analysis provides a granular view of file activity, process activity, registry activity, connection activity, etc. Files run in a custom built, evasion resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior. Behavior can be observed in one or more operating system environments.

  • WildFire Static Analysis

    The WildFire Static analysis detects known threats by analyzing the characteristics of a sample prior to execution in the sandbox. Static analysis can provide instant identification of malware variants and includes dynamic unpacking to analyze threats attempting to evade detection using packer tools.

  • Related Sessions & Submissions

    Shows any related sessions and submissions where the file was seen. Related sessions and submissions data is available if you have one of the following products: Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access.

In addition to viewing the file activities, properties, and behaviors within the Cortex XSOAR Threat Intel page, you can also download a PDF with a full report.

Sample Analysis Search

You can use Unit 42 Intel data to build complex searches for file samples with similar characteristics. For example, in WildFire Dynamic Analysis - Sections, you can add Parent Process, Action, or Parameters or all characteristics of the file activity to a search. In WildFire Static Analysis, you can add Behavior, Description, or both characteristics to a search.

WildFire Dynamic Analysis - Sections shows not only the observed behavior of the file sample, but also how many times the behavior was observed in other Unit 42 samples - malicious samples, suspicious samples, and unknown samples. For example, you see that the parent process sample.exe wrote to file data1.tmp. The same behavior occurred in 75 samples that had a verdict of malicious. To investigate further you can build a new search that contains this specific behavior and view the relevant samples. To add an entire row to a new Sample Analysis search, hover the cursor over the last column on the right, in the row that you want to add.

unit42-empty-column.png

A drill-down button appears when you hover over the empty column. Click on the button to see the two options:

unit42-add-to-search.png
  • Add to Sample Analysis Search

    Adds selected information from the row to a Sample Analysis search. After choosing Add to Sample Analysis search, a pop up appears at the bottom of the screen: Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms.. If you click on the link, you go to the Sample Analysis tab where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the popup will disappear and you can continue to add additional items to the search. To run the search without clicking on the popup link, go to the Threat Intel page and click on the Sample Analysis tab.

    Instead of adding the entire row, you can also add one or more items in the row to a search. For example, in Wildfire Dynamic Analysis - Sections - File Activity, you can add the parent process and the action, without including the parameters, by clicking the drill-down search button to the right of each option you want to add.

    unit42-add-parent-process.png
  • Create New Sample Analysis Search

    Clears any search characteristics you have already added and starts a new Sample Analysis search with the selected characteristic(s). After choosing this option, a pop up appears at the bottom of the screen: Your selected terms were added to Sample Analysis Search. Go to Sample Analysis tab to apply the added terms.. If you click on the link, you go to the Sample Analysis tab where you can edit or run your search for samples that exhibited the same behavior. You can also Add to Saved Queries. If you do not click the link, the popup will disappear and you can continue to add additional items to the search. To run the search without clicking on the popup link, go to the Threat Intel page and click on the Sample Analysis tab.

Note

  • The Sample Analysis search page includes a drop-down for Sample Type. Options include All Samples, Public Samples, and My Samples. The My Samples option is only available for customers with a Palo Alto Networks Firewall, WildFire, Cortex XDR, Prisma SaaS, or Prisma Access. My Samples data is not available for multi-tenant deployments.

  • Known limitation: When searching on the Sample Analysis page for relationships -relationships"", some results may appear without their specific relationships listed, due to internal relationship permissions.