IncMan SOAR Use Case: Malicious File Download

Back to all articles

malicious file use case

The purpose of this use case is to demonstrate how to utilize IncMan SOAR’s integrations and R3 Rapid Response Runbooks to quickly detect and respond to threats targeting an organization’s endpoints. This use case will combine advanced endpoint detection capabilities with automated workflows to gather additional evidence and take containment actions network-wide.


  • Automatically gather incident evidence from endpoint and network-based tools
  • Evaluate incident evidence to make automated response decisions
  • Adjust incident priority based off incident findings
  • Take containment actions against would-be attackers
  • Create tickets for responsible parties to take manual action where necessary

Integrations Used


Creating an R3 Rapid Response Runbook

When creating an R3 Rapid Response Runbook within the IncMan SOAR platform performing enrichment actions are usually the first tasks built into the automation process. For the “Malicious File Download Use Case” we will assume the alert contains the following information:

  • Source Address
  • Destination Address
  • SHA-256 File Hash
  • Domain Name

This R3 Runbook can be broken down in to three main sections; information gathering and enrichment, escalation, and containment. Figure 1 shows the entire Runbook from beginning to end. Next, we will discuss the actions contained in each subsection in additional detail.

Information Gathering and Enrichment

Upon receipt of a malicious download event, IncMan will kick-off the Malicious File Download Runbook. The Runbook begins by pulling information from Cisco AMP for Endpoints regarding the current activity observed from the victim machine, as well as any other host activity who may have interacted with the malicious file or domain in question.

Next, the R3 Runbook will query DomainTools to gather domain reputation information on the potentially malicious domain. Once this information is gathered, the R3 Rapid Response Runbook will split off into two separate conditional statements which will determine how the automated workflow will continue.

Escalation and Containment

This R3 Runbook examines the previously enriched information for one of the following conditions:

  • Are there additional hosts which interacted with the malicious file in the past 30 days?
  • Does the domain visited have a negative reputation score?
  • If the visited domain has a negative reputation score, have any additional hosts visited this domain in the last 30 days?

If any one of these conditions exist, the incident priority will automatically be updated to a high priority incident and any additional hosts will be added to the incident as an incident artifact. This will be followed by creating a new helpdesk ticket through the organization’s ticketing system to alert the responsible teams that an incident has occurred.

Finally, the organization’s SIEM will be queried for any alerts that have been generated by the vulnerable host in the recent past. If none of these conditions exist, this R3 Runbook will conclude, without alerting the security team to the false positive event.

If any of the criteria in the Escalation section were met, this R3 Runbook will issue a containment action associated with the condition being evaluated. If the file which was downloaded is found to be malicious, it is automatically added to the block list created in Cisco AMP.

Finally, if the domain where the file was downloaded from is also found to be malicious or have a negative reputation score, IncMan will automatically block the domain using Cisco Umbrella. Once these containment and escalation actions have been executed the R3 Runbook will conclude.

Utilizing the R3 Rapid Response Runbook

When the new R3 Runbook is created, IncMan must be told how and when to automate the use of this Runbook. This is achieved by creating an Incident Template, which will be used any time an incident is generated for a potentially malicious download. Through this Incident Template, critical pieces of information such as Type, Summary, Category can be automatically applied to the newly created incident.

In addition to incident information, the Incident Template also allows R3 Runbooks to be automatically assigned and executed each time the incident template is used. Assigning the previous R3 Runbook to the Malicious File Download Incident Template will cause the R3 Runbook to be automatically run for each matching incident.

Finally, conditions must be set to indicate when IncMan should utilize the Malicious File Download Incident Template. In this use case, this Incident Template will be used to create an incident each time a syslog message is received from the organization’s endpoint detection system.


This use case allows the security team to be automatically notified once a potential incident has been confirmed as valid, preventing valuable time from being wasted by analysts triaging an event.

The automated portions of this R3 Runbook are executed in less than 60 seconds, which is exponentially faster than the time an analyst would need to spend querying and evaluating incident evidence to determine validity. This R3 Runbook also will allow security teams to identify poorly executed rulesets which will provide insight on what aspects of these ruleset must be adjusted to eliminate false positive alerting.

Download our eBook "The Most Comprehensive eBook on SOAR Use Cases", and learn how to automate your security operations workflow, accelerate the efficiency of your SecOps team, and combat cyber threats with the power of SOAR technology.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo