Hostname And IP Address Investigation And Remediation - Chronicle
This playbook receives ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle", performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and provides a list of isolated and blocked entities.
Google SecOps · 44 tasks · 6 inputs · 2 outputs
Inputs
chronicleasset_value— The value of the ChronicleAsset indicator.chronicleasset_hostname— The hostname associated with the ChronicleAsset.chronicleasset_ip— The IP address associated with the ChronicleAsset.chronicleasset_support_contact— The support email address for the ChronicleAsset.auto_block_entities— Autoblock the detected suspicious IP Address(es). You can manually set this as "Yes" or "No" here or you can set it in a 'Chronicle Auto Block Entities' custom incident field.skip_entity_isolation— Skip the isolation of entities. You can manually set this as "Yes" or "No" here or you can set it in a 'Chronicle Skip Entity Isolation' custom incident field.
Outputs
IsolatedEntities— List of the isolated entities.PotentiallyBlockedIPs— List of potentially blocked IP Addresses.
Commands used
df-get-asset
ip
setIndicator