Ransomware Enrich and Contain
This playbook is responsible for ransomware alert data enrichment and response. The playbook executes the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extract the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints.
Core · 27 tasks · 4 inputs · 0 outputs
Inputs
isolateRemoteAttacker— Whether to isolate the remote attacker host.isolateSimilarEndpoints— Whether to isolate endpoints which has been detected with the alert IoCs.FileSHA256— The ransomware file SHA256.detonateRansomFile— Whether to detonate the ransomware file in sandbox, Set to True to enable file detonation and False to disable it. By default is set to True
Commands used
core-get-endpoints
core-isolate-endpoint
core-retrieve-file-details
core-retrieve-files
domain
extractIndicators
file
ip
url
wildfire-report