IR-002 · endpoint · v1.0.0

Malware Endpoint Containment

⚠️ high · ⚠️ critical
Est. Time: 45m
📋 Steps: 12 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 90m

🔧 Tools Required

edr, siem, threat intelligence platform, network firewall, forensics platform

⚡ Triggers

edr_malware_detection, av_alert, siem_malware_correlation_rule, user_reported_suspicious_behavior, ndr_c2_beacon_detected

🔌 Integrations

crowdstrike falcon (required): Primary EDR — real-time detection, containment, and forensics

splunk (required): SIEM correlation, log aggregation, threat hunting

carbon black (optional): Alternative EDR — process tree analysis and live response

palo alto cortex xdr (optional): Alternative XDR platform

virustotal (required): Malware hash and file reputation lookups


Review the EDR alert details: detection engine verdict (ML, behavioral, signature), process tree, parent-child relationships, detection confidence score, and any existing threat intel classification (ransomware, RAT, info-stealer, cryptominer). Determine whether this is a confirmed detection or a false positive based on file reputation, process context, and user context.

⚡ Automation Hint

CrowdStrike Falcon: GET https://api.crowdstrike.com/detections/entities/summaries/GET/v1 {"ids": ["<detection_id>"]}
Carbon Black: GET https://defense.conferdeploy.net/integrationServices/v3/alertNotifications

📤 Outputs

detection_verdict, malware_family, detection_confidence, affected_host, affected_user
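The triage logic this step describes (engine verdict, file reputation, process context and user context combined into the listed outputs), written out as an added example for this runbook page; it is not part of the original playbook and not CrowdStrike, Carbon Black or VirusTotal code. The detection dictionaries are constructed samples in a simplified shape of our own choosing (the field names are assumptions, not the real Falcon or Carbon Black response schema), the `REPUTATION` table stands in for a VirusTotal / TI-platform lookup so the example runs offline, and the trusted-path prefixes, office-parent list and confidence threshold are assumptions to tune per estate.

```python
"""Triage an EDR detection summary into this step's outputs.

Added example for the alert-review step; not playbook, CrowdStrike, Carbon
Black or VirusTotal code. Detection shape, reputation table and thresholds
are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumption: a signed image under a system/program directory is "expected" context.
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: parents that should rarely spawn unknown executables.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CONFIDENCE_THRESHOLD = 80  # assumption: below this, escalate rather than auto-confirm

# Constructed stand-in for a VirusTotal / TI hash-reputation lookup.
REPUTATION = {
    "b2" * 32: "benign",  # constructed hash of the signed system binary below
}

# Constructed detection summaries (simplified shape, not a vendor schema).
SAMPLE_RANSOMWARE = {
    "detection_id": "<detection_id>",
    "device": {"hostname": "WS-FIN-0042"},
    "user_name": "CORP\\j.doe",
    "max_confidence": 92,
    "behaviors": [{
        "engine": "behavioral", "scenario": "ransomware", "confidence": 92,
        "filepath": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\svch0st.exe",
        "sha256": "a1" * 32, "signed": False, "parent_filename": "WINWORD.EXE",
    }],
}
SAMPLE_SIGNED_SYSTEM_BINARY = {
    "detection_id": "<detection_id>",
    "device": {"hostname": "SRV-APP-07"},
    "user_name": "NT AUTHORITY\\SYSTEM",
    "max_confidence": 65,
    "behaviors": [{
        "engine": "ML", "scenario": "suspicious_activity", "confidence": 65,
        "filepath": "C:\\Windows\\System32\\svchost.exe",
        "sha256": "b2" * 32, "signed": True, "parent_filename": "services.exe",
    }],
}
SAMPLE_LOW_CONFIDENCE = {
    "detection_id": "<detection_id>",
    "device": {"hostname": "WS-HR-0113"},
    "user_name": "CORP\\a.smith",
    "max_confidence": 40,
    "behaviors": [{
        "engine": "ML", "confidence": 40,
        "filepath": "C:\\Users\\a.smith\\Downloads\\installer.exe",
        "sha256": "c3" * 32, "signed": False, "parent_filename": "explorer.exe",
    }],
}


@dataclass
class Triage:
    detection_verdict: str        # confirmed | false_positive | needs_analyst_review
    malware_family: str
    detection_confidence: int
    affected_host: str
    affected_user: str
    reasons: list = field(default_factory=list)


def triage_detection(detection: dict, reputation: dict) -> Triage:
    """Combine engine verdict, hash reputation, process and user context."""
    behavior = max(detection["behaviors"], key=lambda b: b.get("confidence", 0))
    rep = reputation.get(behavior.get("sha256", ""), "unknown")
    confidence = detection.get("max_confidence", behavior.get("confidence", 0))
    parent = behavior.get("parent_filename", "").lower()
    reasons = [f"engine={behavior.get('engine', '?')}", f"reputation={rep}"]

    suspicious_context = False
    if not behavior.get("signed", False):
        suspicious_context = True
        reasons.append("unsigned image")
    if not behavior.get("filepath", "").lower().startswith(TRUSTED_PATH_PREFIXES):
        suspicious_context = True
        reasons.append("image outside trusted directories")
    if parent in OFFICE_PARENTS:
        suspicious_context = True
        reasons.append(f"spawned by office application {parent}")

    if rep == "malicious":
        verdict = "confirmed"                      # known-bad hash settles it
    elif rep == "benign" and not suspicious_context:
        verdict = "false_positive"                 # known-good file in expected context
    elif confidence >= CONFIDENCE_THRESHOLD and suspicious_context:
        verdict = "confirmed"                      # unknown hash, but strong engine + context
    else:
        verdict = "needs_analyst_review"           # not enough evidence either way

    return Triage(verdict, behavior.get("scenario") or "unknown", confidence,
                  detection["device"]["hostname"], detection.get("user_name", "unknown"), reasons)


if __name__ == "__main__":
    for sample in (SAMPLE_RANSOMWARE, SAMPLE_SIGNED_SYSTEM_BINARY, SAMPLE_LOW_CONFIDENCE):
        print(triage_detection(sample, REPUTATION))
```

The `reasons` list is what an analyst would want alongside the verdict: a SOAR playbook that only emits `confirmed` or `false_positive` gives the responder nothing to audit, while an explicit "unsigned image spawned by winword.exe" makes the containment decision in the next steps reviewable. A detection that is neither known-bad nor known-good and lacks strong context deliberately lands in `needs_analyst_review` rather than being forced into either bucket.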