IOC Alert
IOCs provide the ability to alert on known malicious objects on endpoints across the organization. **Analysis Actions:** The playbook will use several enrichment sources to determine the IOC verdict. Additionally, will use the Analytics module to run a prevalence check for the IOC. **Response Actions:** The playbook's first response action is a containment plan that is based on the playbook input. In that phase, the playbook will execute endpoint isolation **Investigative Actions:** When the playbook executes, it checks for additional abnormal activity using the Endpoint Investigation Plan playbook that can indicate the endpoint might be compromised. **Remediation Actions:** In case results are found within the investigation phase, the playbook will execute remediation actions that include containment and eradication. This phase will execute the following containment actions: * File quarantine * Endpoint isolation And the following eradication actions: * Manual process termination * Manual file deletion.
Core · 25 tasks · 27 inputs · 0 outputs
Inputs
BlockIndicatorsAutomatically— Whether to block suspicious/malicious indicators automatically. Specify True/False.ShouldCloseAutomatically— Whether to close the alert automatically if it's established verdict is False Positive. Specify True/False.PreHostContainment— Whether to isolate the host before the investigation phase in case an IOC was found to be suspicious. Specify True/False.ShouldHandleFPautomatically— Whether to automatically handle false positive alerts. Specify true/false.AutoRestoreEndpoint— Whether to execute the Recovery playbook. Specify True/False.AutoContainment— Setting this input will impact both Containment Plan sub-playbooks. Without setting this input, the default values are True for the first occurrence and False for the second. Whether to execute automatically or manually the containment plan tasks: * Isolate endpoint * Block indicators * Quarantine file * Disable user Specify True/False.FileRemediation— Should be either 'Quarantine' or 'Delete'.AutoEradication— Whether to execute automatically or manually the eradication plan tasks: * Terminate process * Delete file * Reset the user's password Specify True/False.ShouldOpenTicket— Whether to open a ticket automatically in a ticketing system. (True/False).serviceNowShortDescription— A short description of the ticket.serviceNowImpact— The impact for the new ticket. Leave empty for ServiceNow default impact.serviceNowUrgency— The urgency of the new ticket. Leave empty for ServiceNow default urgency.serviceNowSeverity— The severity of the new ticket. Leave empty for ServiceNow default severity.serviceNowTicketType— The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".serviceNowCategory— The category of the ServiceNow ticket.serviceNowAssignmentGroup— The group to which to assign the new ticket.ZendeskPriority— The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".ZendeskRequester— The user who requested this ticket.ZendeskStatus— The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".ZendeskSubject— The value of the subject field for this ticket.ZendeskTags— The array of tags applied to this ticket.ZendeskType— The type of this ticket. Allowed values are "problem", "incident", "question", or "task".ZendeskAssigne— The agent currently assigned to the ticket.ZendeskCollaborators— The users currently CC'ed on the ticket.description— The ticket description.addCommentPerEndpoint— Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.CommentToAdd— Comment for the ticket.
Commands used
closeInvestigation
extractIndicators
setParentIncidentFields