CrowdStrike Falcon - True Positive Incident Handling
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike case or detection that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it.
CrowdStrike Falcon · 42 tasks · 17 inputs · 0 outputs
Inputs
TicketingSystemToUse— The name of the ticketing system to use, for example Jira or ServiceNow.BlockIOCTagName— The tag to assign for indicators to block.HostID— The ID of the host to use.AutoIsolation— Whether automatic host isolation is allowed.TicketProjectName— The ticket project name (required for Jira).BlockMaliciousIOCGlobally— Whether adding to the block list is global. If False, provide an input for the BlockHostGroup input with the group name.BlockHostGroupName— The name of the allow list group to apply if BlockMaliciousIOCGlobally is set to False.TicketDescription— The description to be used by the ticketing system.CloseNotes— The close notes to be listed in CrowdStrike.Sha256— The SHA256 value to manage.PathsForFilesToRemove— The path for the file to remove.OperatingSystemToRemoveFrom— Values can be Windows, Linux, MacManuallyChooseIOCForHunting— This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.IP— IP value to hunt on.MD5— MD5 file value to hunt upon.URL_or_Domain— URL or Domain to hunt upon.FileSha1— File SHA1 value to hunt upon.
Commands used
cs-falcon-add-case-tag
cs-falcon-resolve-case
cs-falcon-resolve-detection
cs-falcon-rtr-remove-file
cs-falcon-upload-custom-ioc
jira-create-issue
setIncident
setIndicators