Containment Plan
This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks: * Containment Plan - Isolate endpoint * Containment Plan - Disable account * Containment Plan - Quarantine file * Containment Plan - Block indicators * Containment Plan - Clear user session (currently, the playbook supports only Okta) Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.
Common Playbooks · 18 tasks · 17 inputs · 4 outputs
Inputs
AutoContainment— Whether to execute containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'.HostContainment— Whether to execute endpoint isolation.UserContainment— Set to 'True' to disable the user account.BlockIndicators— Set to 'True' to block the indicators.FileContainment— Set to 'True' to quarantine the identified file.ClearUserSessions— Set to 'True' to clear the user active Okta sessions.EndpointID— The endpoint ID to run commands over.Username— The username to disable.FileHash— The file hash to block.FilePath— The path of the file to block.IP— The IP indicators.Domain— The domain indicators.URL— The URL indicator.FileRemediation— Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and will execute only file quarantine.IAMUserDomain— The Okta IAM users domain. The domain will be appended to the username. e.g. username@IAMUserDomain.UserVerification— Possible values: True/False. Whether to provide user verification for blocking those IPs and disabling the users. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.AutoBlockIndicators— Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.
Outputs
Blocklist.Final— The blocked accounts.QuarantinedFilesFromEndpoints— The quarantined files from endpoint.Core.blocklist.added_hashes— The file Hash that was added to the blocklist.Core.Isolation.endpoint_id— The isolated endpoint ID.
Commands used
core-get-endpoints