Containment Plan

This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks: * Containment Plan - Isolate endpoint * Containment Plan - Disable account * Containment Plan - Quarantine file * Containment Plan - Block indicators * Containment Plan - Clear user session (currently, the playbook supports only Okta) Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.

Common Playbooks · 18 tasks · 17 inputs · 4 outputs

Inputs

  • AutoContainment — Whether to execute containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'.
  • HostContainment — Whether to execute endpoint isolation.
  • UserContainment — Set to 'True' to disable the user account.
  • BlockIndicators — Set to 'True' to block the indicators.
  • FileContainment — Set to 'True' to quarantine the identified file.
  • ClearUserSessions — Set to 'True' to clear the user active Okta sessions.
  • EndpointID — The endpoint ID to run commands over.
  • Username — The username to disable.
  • FileHash — The file hash to block.
  • FilePath — The path of the file to block.
  • IP — The IP indicators.
  • Domain — The domain indicators.
  • URL — The URL indicator.
  • FileRemediation — Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and will execute only file quarantine.
  • IAMUserDomain — The Okta IAM users domain. The domain will be appended to the username. e.g. username@IAMUserDomain.
  • UserVerification — Possible values: True/False. Whether to provide user verification for blocking those IPs and disabling the users. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.
  • AutoBlockIndicators — Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.

Outputs

  • Blocklist.Final — The blocked accounts.
  • QuarantinedFilesFromEndpoints — The quarantined files from endpoint.
  • Core.blocklist.added_hashes — The file Hash that was added to the blocklist.
  • Core.Isolation.endpoint_id — The isolated endpoint ID.

Commands used

core-get-endpoints

Flowchart

yes yes Start Start Isolate Device Isolate Device Disable Account Disable Account Quarantine File Quarantine File Block Indicators Block Indicators Clear User Sessions Clear User Sessions Should containment automatically? Should containment automa... Which containment actions would you like to perform? Which containment actions... Containment Plan - Disable Account - Containment Plan - Disable Account Containment Plan - Disabl... Containment Plan - Disable Ac... Containment Plan - Quarantine File - Containment Plan - Quarantine File Containment Plan - Quaran... Containment Plan - Quarantine... Containment Plan - Block Indicators - Containment Plan - Block Indicators Containment Plan - Block ... Containment Plan - Block Indi... Containment Plan - Clear User Sessions - Containment Plan - Clear User Sessions Containment Plan - Clear ... Containment Plan - Clear User... Containment Plan - Isolate Device - Containment Plan - Isolate Device Containment Plan - Isolat... Containment Plan - Isolate De... Get endpoint info - core-get-endpoints Get endpoint info core-get-endpoints Containment Containment Done Done Set Process list - Set Set Process list Set The file path and file hash defined? The file path and file ha...