CrowdStrike Falcon - True Positive Incident Handling

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike case or detection that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it.

CrowdStrike Falcon · 42 tasks · 17 inputs · 0 outputs

Inputs

  • TicketingSystemToUse — The name of the ticketing system to use, for example Jira or ServiceNow.
  • BlockIOCTagName — The tag to assign for indicators to block.
  • HostID — The ID of the host to use.
  • AutoIsolation — Whether automatic host isolation is allowed.
  • TicketProjectName — The ticket project name (required for Jira).
  • BlockMaliciousIOCGlobally — Whether adding to the block list is global. If False, provide an input for the BlockHostGroup input with the group name.
  • BlockHostGroupName — The name of the allow list group to apply if BlockMaliciousIOCGlobally is set to False.
  • TicketDescription — The description to be used by the ticketing system.
  • CloseNotes — The close notes to be listed in CrowdStrike.
  • Sha256 — The SHA256 value to manage.
  • PathsForFilesToRemove — The path for the file to remove.
  • OperatingSystemToRemoveFrom — Values can be Windows, Linux, Mac
  • ManuallyChooseIOCForHunting — This input will provide you the ability to select IOCs to be hunted using the Threat Hunting - generic playbook. If false, it will hunt for all IOCs detected in the incident. Note: You can also insert "No Threat Hunting" to skip the Threat Hunting stage.
  • IP — IP value to hunt on.
  • MD5 — MD5 file value to hunt upon.
  • URL_or_Domain — URL or Domain to hunt upon.
  • FileSha1 — File SHA1 value to hunt upon.

Commands used

cs-falcon-add-case-tag cs-falcon-resolve-case cs-falcon-resolve-detection cs-falcon-rtr-remove-file cs-falcon-upload-custom-ioc jira-create-issue setIncident setIndicators

Flowchart

JIRA SNOW detection ngsiem_case true true true Globally Host Group true true true No Hunting yes yes Yes Start Start IT remediation IT remediation Is ticketing system input defined? Is ticketing system input... Open Snow ticket Open Snow ticket Done IT Remediation Done IT Remediation Block Indicators Block Indicators Block IOC globally - cs-falcon-upload-custom-ioc Block IOC globally cs-falcon-upload-custom-ioc Tag Indicators - setIndicators Tag Indicators setIndicators Done Block Indicators Done Block Indicators True Positive Incident Closing True Positive Incident Cl... Done True Positive Done True Positive Resolve CS case - cs-falcon-resolve-case Resolve CS case cs-falcon-resolve-case Resolve CS detection - cs-falcon-resolve-detection Resolve CS detection cs-falcon-resolve-detection Was this a case or a detection? Was this a case or a dete... Is ServiceNow Available? - IsIntegrationAvailable Is ServiceNow Available? IsIntegrationAvailable Is Jira Available? - IsIntegrationAvailable Is Jira Available? IsIntegrationAvailable Remove file - cs-falcon-rtr-remove-file Remove file cs-falcon-rtr-remove-file Remove File Remove File Allow to remove file Allow to remove file Done File Removal Done File Removal Crowdstrike Falcon - Isolate Endpoint - Crowdstrike Falcon - Isolate Endpoint Crowdstrike Falcon - Isol... Crowdstrike Falcon - Isolate ... Isolate Isolate Is auto isolation allowed? Is auto isolation allowed? Done Isolation Done Isolation Create Jira issue - jira-create-issue Create Jira issue jira-create-issue Is IOC allowed to be added globally? Is IOC allowed to be adde... Block IOC for host group - cs-falcon-upload-custom-ioc Block IOC for host group cs-falcon-upload-custom-ioc Confirm Indicators to block Confirm Indicators to block Were values provided? Were values provided? Were values provided? Were values provided? Containment Containment Threat Hunting Threat Hunting Remediation Remediation Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Should the analyst choose the indicators to hunt? Should the analyst choose... Specify IOCs to hunt upon Specify IOCs to hunt upon Tag the threat hunting results as Evidence - AddEvidence Tag the threat hunting re... AddEvidence Add a 'Found additional assets' tag to the incident - setIncident Add a 'Found additional a... setIncident Are there any results? Are there any results? Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Approve isolation Approve isolation Add CS case tag - cs-falcon-add-case-tag Add CS case tag cs-falcon-add-case-tag