Threat Hunting - Chronicle
Use this playbook to investigate and remediate suspicious IOC domain matches with recent activity found in the enterprise. This playbook also creates indicators for the entities fetched, as well as investigating and enriching them. Supported Integrations: - Chronicle - Google SecOps - Whois
Google SecOps · 29 tasks · 1 input · 0 outputs
Inputs
auto_block_entities— Autoblock the detected suspicious Domain(s) and URL(s). You can set this as 'Yes' or 'No' manually here or you can set it into a custom incident field 'Chronicle Auto Block Entities' using mapping classification from integration configuration.
Commands used
closeInvestigation
createNewIndicator
domain
gcb-assets
whois