CrowdStrike Falcon Malware - Verify Containment Actions

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook verifies and sets the policy actions applied by CrowdStrike Falcon.

CrowdStrike Falcon · 20 tasks · 1 input · 3 outputs

Inputs

  • PolicyBehaviourDetails — The path that contains the detection results.

Outputs

  • Policy.State — Is the policy active?
  • Host.State — Is the host isolated?
  • Process.State — Was the process contained?

Flowchart

true true Process blocked process killed process suspended yes Start Start Is policy enabled? Is policy enabled? Set policy status not active - Set Set policy status not active Set Set policy status active - Set Set policy status active Set Done Done Was host isolated? Was host isolated? Set host isolated - Set Set host isolated Set Set host no isolated - Set Set host no isolated Set Policy State Policy State Host State Host State Done Host State Done Host State Process State Process State Was process handled? Was process handled? Set process suspended - Set Set process suspended Set Set process killed - Set Set process killed Set Done Host State Done Host State Set no action taken - Set Set no action taken Set Set process blocked - Set Set process blocked Set Get full detection details - Set Get full detection details Set Is there a policy object? Is there a policy object?