Ransomware Enrich and Contain

This playbook is responsible for ransomware alert data enrichment and response. The playbook executes the following: 1.Checks if the initiator is a remote attacker and allows isolating the remote host, if possible. 2.Retrieves the WildFire sandbox report and extract the indicators within it. * The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation. 3.Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints.

Core · 27 tasks · 4 inputs · 0 outputs

Inputs

  • isolateRemoteAttacker — Whether to isolate the remote attacker host.
  • isolateSimilarEndpoints — Whether to isolate endpoints which has been detected with the alert IoCs.
  • FileSHA256 — The ransomware file SHA256.
  • detonateRansomFile — Whether to detonate the ransomware file in sandbox, Set to True to enable file detonation and False to disable it. By default is set to True

Commands used

core-get-endpoints core-isolate-endpoint core-retrieve-file-details core-retrieve-files domain extractIndicators file ip url wildfire-report

Flowchart

yes yes yes yes yes yes no yes Start Start Check Remote Attacker Check Remote Attacker Is remote attacker? Is remote attacker? Should execute remote attacker containment? Should execute remote att... Robust search of IoCs - SearchIncidentsV2 Robust search of IoCs SearchIncidentsV2 Found more endpoints? Found more endpoints? Indicators extraction - extractIndicators Indicators extraction extractIndicators Should contain identified endpoints? Should contain identified... Containment Plan - Containment Plan Containment Plan Containment Plan Done Done Detonation Detonation Fetch ransomware file - core-retrieve-files Fetch ransomware file core-retrieve-files Should detonate file? Should detonate file? Get WildFire report - wildfire-report Get WildFire report wildfire-report Was there a report for the ransomware SHA256? Was there a report for th... Retrieve file to the playbook's war room - core-retrieve-file-details Retrieve file to the play... core-retrieve-file-details Remote attacker enrichment - core-get-endpoints Remote attacker enrichment core-get-endpoints Checks if the containment plan completed successfully - isError Checks if the containment... isError Manual containment of the remote attacker Manual containment of the... Remote attacker isolation - core-isolate-endpoint Remote attacker isolation core-isolate-endpoint Determine Scope Determine Scope Enrichment Enrichment IP enrichment - ip IP enrichment ip Domain enrichment - domain Domain enrichment domain URL enrichment - url URL enrichment url File enrichment - file File enrichment file WildFire - Detonate file v2 - WildFire - Detonate file v2 WildFire - Detonate file v2 WildFire - Detonate file v2