Run the automated malware playbook flow

  • Version: Australia
  • Updated March 12, 2026
  • 6 minute read
  • Use this flow to automate tasks in the playbook to analyze and resolve malware attacks against your organization.

    Before you begin

    • Role required: sn_si.admin, flow_designer, and action_designer
    • Install and configure the following integrations with the correct credentials:
      • Palo Alto Networks WildFire for Security Operations
      • Sighting Search (Splunk)
      • Block Requests
      • Threat Lookup
      • Enrich Observables

      Verify that these integrations are working properly before you activate the Security Incident - Automated Malware Playbook Template.

    • Security Operations Palo Alto Networks WildFire app: To access the automated malware playbook flow, install the Security Operations Spoke and the Security Operations Palo Alto Networks - WildFire app from the ServiceNow Store. If the WildFire app is not installed, the flow fails with the error "workflow on action number 15.4.1 not found":

      Palo Alto Networks Wildfire App error message

      If you do not want to install this App, delete steps 15.2, 15.3, and 15.4 from the automated malware playbook flow.

    • Ensure that the following conditions have been met:
      • The security incident has been assigned to a security analyst who belongs to the appropriate approval group.
      • The security analyst handling the incident must have a valid email address.
      • The necessary configuration items and observables have been added to the security incident.
    • For step 21 (Ask for Approval), change the Group from Security Incident Assignment to your preferred group.
    • Step 21 of the flow is a mandatory task approval step: an approval request is sent to the administrator. To approve the request, the administrator navigates to the Task Approvals page and sets the State field to Approved. If the task is not approved, the flow cannot proceed and the process ends.

    About this task

    When a malicious code activity is detected in the network, a security incident is created and the automated malware playbook flow is launched. You can use the tasks defined in the automated malware playbook flow to triage, analyze, contain, and eradicate the threat.

    Procedure

    1. Navigate to All > Flow Designer > Designer to view the flows available with the Security Operations spoke.
    2. Click the Security Incident - Automated Malware Playbook Template VI link.
    3. On the Flow page, click the More icon, make a copy of the flow, and open the copy for your use.
      You can now make changes to your flow, such as modifying trigger conditions or actions, or adding and removing actions.

      Automated malware playbook template

      This shows the trigger and the steps that are executed with the flow. The right-hand panel shows the data flow. Click an icon to expand the step and view its details.

    4. Click the Trigger icon.
      In the first step, you define the trigger for the flow: the conditions that must be met and the tasks to perform when they are met.

      Automated malware playbook flow: trigger

      When the condition defined in the flow (Category is Malicious Code activity) is met in the incident record, the tasks in the automated malware playbook flow start executing sequentially. You can modify the trigger, add annotations, add or delete conditions, and so on.

    5. The first step in the flow is Update Security Incident Record.
      Automated malware playbook flow: step 1

      Click the link, then click the Annotation icon to add a note for the security analyst indicating that malicious code activity has been detected and that the automated malware response playbook flow has begun executing.

    6. Proceed to step 2 in the flow and click the Create Task link.

      In this step, an automated response task is created to check if all the necessary observables have been captured and if the investigation can begin.

      Automated malware playbook flow: step 2

    7. If the Outcome type is No, no observables or CIs are available to initiate the investigation.
      The security incident record is updated to indicate that the playbook cannot proceed further.
    8. If the Outcome type is Yes, the Set Incident Severity subflow automatically assigns the correct severity to the security incident.
    9. In the next step, the security incident record is updated.
    10. In the next step, all observables involved in the incident or a selected category are collected to perform additional automated actions in the subsequent playbook steps.
    11. In the next step, an automated response task is created.
      This task marks the beginning of the process of getting the reputation of all observables and enriching them with the configured integrations.
    12. In step 8, two subflows are called:
      • Run Threat Lookups for Observables: This subflow gets the reputation of all observables using the configured threat lookup implementations.
      • Enrich Observables: This subflow enriches the observables using the configured enrichment implementations.

      Automated malware playbook flow: step 8

      Notice the icons for this step. The Parallel operations icon indicates that both subflows run in parallel, and the Subflow icon indicates that the task being performed is a subflow, as shown below:

      Automated malware playbook flow: step 8.1.1

      Notice the number 5 in the Observables field: the threat lookup runs on the observables retrieved in step 5. This subflow in turn calls existing workflows and actions.

    13. In the next step, the Look Up Records action is executed.
      This action looks up workflow context records whose parent workflow is one of the following:
      • Threat Lookup Abstract Workflow Context
      • Observable Enrichment Abstract Workflow Context
    14. In the next step, the reputation and enrichment results are reviewed for every record returned by that lookup.
    15. Continue reviewing the next steps:
      1. Update Security Incident Record: Updates the security incident record to indicate that the reputation lookup and enrichment activities have been completed.
      2. Get Observables from Task: Retrieves all the malicious observables associated with the security incident.
      3. Create Task: Checks and confirms if the automated triage runs have been successful.
    16. If there are observables that have been flagged as malicious:
      1. Update Security Incident Record: Post a worknote indicating that a threat has been detected.
      2. Create Input Query from Observables: If more than ten observables have been flagged as malicious, the Sighting Search on Observables subflow (on Splunk or Carbon Black) is executed.
    17. If the observables are not flagged as malicious, the flow continues with the following steps:
      1. Update Security Incident Record: Posts a work note indicating that no threat has been detected.
      2. Get Observables from Task: Identifies all SHA256 hash IDs from the incident.
      3. Look Up Observable Records: Looks up the observable records that match these criteria.
    18. Continue reviewing the next steps:
      1. For each malicious observable, the Security Operations Palo Alto Networks - Get Wildfire Data Enrichment workflow is executed.
      2. The investigation results are reviewed to determine whether they are satisfactory.
        A response task is created to check if the suspected malware is a ransomware attack. If yes, the Ransomware Playbook subflow is executed.
      3. In the next step, an email is sent with a summary of the analysis and request for approval to initiate containment procedures.
      4. A task is created to capture details of the approval requested.
      5. The next step is to update the security incident record.
        Post a worknote informing the security analyst that the approval request has been made.
      6. Requests approval from your SOC manager to contain the malware attack.
        Step 21
        Note:
        When the flow generates an approval request, the work note is updated with the following message:
        An Approval request has been made for <task id> proceeding with containment. To approve this task, as a SOC manager, follow these steps manually:
        • Navigate to the Task Approvals page.
        • In the list of approvals, click the <task id> that is to be approved.
        • Change State to Approved and save the updated <task id>.
      7. In the next step, the security incident record is updated to track the approval status.
      8. Next, a task is created to initiate containment procedures.
      9. The Create Block Requests for Malicious Observables subflow is executed, and an incident record is created with a request to rebuild the infected device and its assets.
      10. Next, a task is created to run sightings search to confirm if the environment is secure.
        The sightings search is repeated until no sightings are found.
      11. Next, a task is created to indicate that the security incident record is ready for review.
      12. Finally, the record is updated and moved to the Review stage.

    What to do next

    You can click Test to simulate the actions in the flow before it is published. After testing the flow, click Activate to activate the flow so that it can be executed.

    Click Executions to view the execution details of the flow.

    Automated malware playbook flow: execution