Containment Plan - Block Indicators
## Containment Plan - Block Indicators This playbook is a sub-playbook within the containment plan playbook. ### Indicator Blocking The playbook block indicators by two methods: 1. It adds the malicious hashes into the XSIAM hash block list 2. It utilizes the sub-playbook "Block Indicators - Generic v3"
Common Playbooks · 15 tasks · 10 inputs · 1 output
Inputs
BlockIndicators— Set to 'True' to block the indicators.UserVerification— Possible values: True/False. Whether to provide user verification for blocking those IPs. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.AutoBlockIndicators— Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.FileHash— The file hash to block.IP— The IP indicators.Domain— The domain indicators.URL— The URL indicator.Username— The username to disable.FilePath— The path of the file to block.AutoContainment— Whether to execute containment plan automatically.
Outputs
Core.blocklist.added_hashes— The file Hash that was added to the blocklist.
Commands used
core-blocklist-files
setParentIncidentContext