IOC Alert

IOCs provide the ability to alert on known malicious objects on endpoints across the organization. **Analysis Actions:** The playbook will use several enrichment sources to determine the IOC verdict. Additionally, will use the Analytics module to run a prevalence check for the IOC. **Response Actions:** The playbook's first response action is a containment plan that is based on the playbook input. In that phase, the playbook will execute endpoint isolation **Investigative Actions:** When the playbook executes, it checks for additional abnormal activity using the Endpoint Investigation Plan playbook that can indicate the endpoint might be compromised. **Remediation Actions:** In case results are found within the investigation phase, the playbook will execute remediation actions that include containment and eradication. This phase will execute the following containment actions: * File quarantine * Endpoint isolation And the following eradication actions: * Manual process termination * Manual file deletion.

Core · 25 tasks · 27 inputs · 0 outputs

Inputs

  • BlockIndicatorsAutomatically — Whether to block suspicious/malicious indicators automatically. Specify True/False.
  • ShouldCloseAutomatically — Whether to close the alert automatically if it's established verdict is False Positive. Specify True/False.
  • PreHostContainment — Whether to isolate the host before the investigation phase in case an IOC was found to be suspicious. Specify True/False.
  • ShouldHandleFPautomatically — Whether to automatically handle false positive alerts. Specify true/false.
  • AutoRestoreEndpoint — Whether to execute the Recovery playbook. Specify True/False.
  • AutoContainment — Setting this input will impact both Containment Plan sub-playbooks. Without setting this input, the default values are True for the first occurrence and False for the second. Whether to execute automatically or manually the containment plan tasks: * Isolate endpoint * Block indicators * Quarantine file * Disable user Specify True/False.
  • FileRemediation — Should be either 'Quarantine' or 'Delete'.
  • AutoEradication — Whether to execute automatically or manually the eradication plan tasks: * Terminate process * Delete file * Reset the user's password Specify True/False.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Commands used

closeInvestigation extractIndicators setParentIncidentFields

Flowchart

yes yes yes yes yes yes Start Start Found suspicious IOC? Found suspicious IOC? Handle False Positive Handle False Positive Investigation Investigation Done Done Analysis Analysis Found relevant information? Found relevant information? Recovery Recovery Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Containment Plan - Containment Plan Containment Plan Containment Plan Endpoint Investigation Plan - Endpoint Investigation Plan Endpoint Investigation Plan Endpoint Investigation Plan Handle False Positive Alerts - Handle False Positive Alerts Handle False Positive Alerts Handle False Positive Alerts close alert - closeInvestigation close alert closeInvestigation Should restore affected endpoint? Should restore affected e... Should close alert automatically? Should close alert automa... Recovery Plan - Recovery Plan Recovery Plan Recovery Plan Pre-Investigation Containment Pre-Investigation Contain... Should run pre-investigation containment? Should run pre-investigat... Remediation Remediation Containment Plan - Containment Plan Containment Plan Containment Plan Eradication Plan - Eradication Plan Eradication Plan Eradication Plan Extract IOC - extractIndicators Extract IOC extractIndicators Set Incident Severity to High - setParentIncidentFields Set Incident Severity to ... setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic