IsolationAssetWrapper
This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0).
python · Common Scripts
Source
from CommonServerPython import * """ STANDALONE FUNCTION """ INCIDENT_ID = demisto.incident().get("id") XDR_ACTIONS = {"isolate": "xdr-isolate-endpoint", "unisolate": "xdr-unisolate-endpoint"} MSDE_ACTIONS: Dict[str, tuple[str, Dict[str, str]]] = { "isolate": ("microsoft-atp-isolate-machine", {"isolation_type": "Full"}), "unisolate": ("microsoft-atp-unisolate-machine", {}), } CROWDSTRIKE_ACTIONS = {"isolate": "cs-falcon-contain-host", "unisolate": "cs-falcon-lift-host-containment"} CROWDSTRIKE_HASH_ACTIONS = { "allow": {"action": "allow", "description": f"Whitelisted based on XSOAR inc {INCIDENT_ID}", "severity": "low"}, "block": {"action": "prevent", "description": f"Blacklisted based on XSOAR inc {INCIDENT_ID}", "severity": "high"}, } def create_commands(device_ids: List[str], action: str) -> List[CommandRunner.Command]: """ Create a list of `Command` of the isolate/unisolate command to `Cortex XDR`, `CrowdstrikeFalcon`, `Microsoft Defender Advanced Threat Protection` :param device_ids: The device id's to run :param action: The action to have (one of {'isolate', 'unisolate'}) :return: A list of `Command` """ msde_command, msde_args = MSDE_ACTIONS[action] msde_args.update({"machine_id": ",".join(device_ids), "comment": f"XSOAR - related incident {INCIDENT_ID}"}) return [ CommandRunner.Command( commands=XDR_ACTIONS.get(action), args_lst=[{"endpoint_id": device_id} for device_id in device_ids] ), CommandRunner.Command(commands=msde_command, args_lst=msde_args), CommandRunner.Command(commands=CROWDSTRIKE_ACTIONS.get(action), args_lst={"ids": ",".join(device_ids)}), ] def run_isolation_action(device_ids: List[str], action: str) -> list: """ Given arguments to the command, returns a list of results to return :param device_ids: List of device ids :param action: The action to perform (isolate or unisolate) :return: list of results to return :rtype: ``list`` """ commands = create_commands(device_ids, action) # pragma: no cover return CommandRunner.run_commands_with_summary(commands) # pragma: no cover """ MAIN FUNCTION """ def main(): # pragma: no cover args = demisto.args() device_ids = argToList(args.get("device_ids")) if not device_ids: raise ValueError("hash not specified") action = args.get("action") if not action or action not in {"isolate", "unisolate"}: raise ValueError("Action not specified or not in allowed actions") try: return_results(run_isolation_action(device_ids, action)) except Exception as ex: return_error(f"Failed to execute IsolationAssetWrapper. Error: {ex!s}") """ ENTRY POINT """ if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
This is a wrapper to isolate or unisolate hash lists from Cortex XDR, MSDE or CrowdStrike (Available from Cortex XSOAR 6.0.0).
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.0.0 |
Inputs
| Argument Name | Description |
|---|---|
| device_ids | Device IDs to isolate or unisolate. |
| action | The action to apply to device IDs - isolate or unisolate. |
Outputs
| Path | Description | Type |
|---|---|---|
| MicrosoftATP.MachineAction.ID | The machine action ID. | String |
| MicrosoftATP.MachineAction.Type | The type of the machine action. | String |
| MicrosoftATP.MachineAction.Scope | The scope of the action. | Unknown |
| MicrosoftATP.MachineAction.Requestor | The ID of the user that executed the action. | String |
| MicrosoftATP.MachineAction.RequestorComment | The comment that was written when issuing the action. | String |
| MicrosoftATP.MachineAction.Status | The current status of the command. | String |
| MicrosoftATP.MachineAction.MachineID | The machine ID on which the action was executed. | String |
| MicrosoftATP.MachineAction.ComputerDNSName | The machine DNS name on which the action was executed. | String |
| MicrosoftATP.MachineAction.CreationDateTimeUtc | The date and time the action was created. | Date |
| MicrosoftATP.MachineAction.LastUpdateTimeUtc | The last date and time the action status was updated. | Date |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifier | The file identifier. | String |
| MicrosoftATP.MachineAction.RelatedFileInfo.FileIdentifierType | The type of the file identifier. Possible values: “SHA1” ,”SHA256”, and “MD5”. | String |
| PaloAltoNetworksXDR.Isolation.endpoint_id | The endpoint ID. | String |
| PaloAltoNetworksXDR.UnIsolation.endpoint_id | Isolates the specified endpoint. | String |
Script Examples
Example command
!IsolationAssetWrapper action=unisolate device_ids=15dbb9d8f06b45fe9f61eb46e829d986,046761c46ec84f40b27b6f79ce7cd32c
Context Example
{
"MicrosoftATP": {
"MachineAction": {
"Status": "Pending",
"Commands": [],
"CreationDateTimeUtc": "2022-03-27T10:14:29.9635187Z",
"MachineID": null,
"LastUpdateTimeUtc": null,
"ComputerDNSName": null,
"Requestor": "2f48b784-5da5-4e61-9957-012d2630f1e4",
"RelatedFileInfo": {
"FileIdentifier": null,
"FileIdentifierType": null
},
"Scope": null,
"Type": "Unisolate",
"ID": "7e7cae42-6e9b-41a2-be6a-69817ec077a6",
"RequestorComment": "XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116"
}
}
}
Human Readable Output
Results Summary
| Instance | Command | Result | Comment |
|---|---|---|---|
| CrowdstrikeFalcon: CrowdstrikeFalcon_instance_1 | command: cs-falcon-lift-host-containment args: ids: 15dbb9d8f06b45fe9f61eb46e829d986,046761c46ec84f40b27b6f79ce7cd32c |
Success | |
| Cortex XDR - IR: Cortex XDR - IR_instance_1_copy | command: xdr-unisolate-endpoint args: endpoint_id: 15dbb9d8f06b45fe9f61eb46e829d986 |
Error | Error: Endpoint 1dbb9d8f06b4fe9f61eb46e829d986 was not found |
| Cortex XDR - IR: Cortex XDR - IR_instance_1 | command: xdr-unisolate-endpoint args: endpoint_id: 15dbb9d8f06b45fe9f61eb46e829d986 |
Error | Error: Endpoint 1dbb9d8f06b4fe9f61eb46e829d986 was not found |
| Cortex XDR - IR: Cortex XDR - IR_instance_1_copy | command: xdr-unisolate-endpoint args: endpoint_id: 046761c46ec84f40b27b6f79ce7cd32c |
Error | Error: Endpoint 046761c46ec84f40b27b6f79ce7cd32c was not found |
| Cortex XDR - IR: Cortex XDR - IR_instance_1 | command: xdr-unisolate-endpoint args: endpoint_id: 046761c46ec84f40b27b6f79ce7cd32c |
Error | Error: Endpoint 046761c46ec84f40b27b6f79ce7cd32c was not found |
| Microsoft Defender Advanced Threat Protection: Microsoft Defender Advanced Threat Protection_instance_1 | command: microsoft-atp-unisolate-machine args: machine_id: 15dbb9d8f06b45fe9f61eb46e829d986,046761c46ec84f40b27b6f79ce7cd32c comment: XSOAR - related incident ab57e22c-ad03-4aba-8b6c-b42bd895a116 |
Error | Microsoft Defender ATP The command was failed with the errors: {‘15dbb9d8f06b45fe9f61eb46e829d986’: NotFoundError({‘error’: {‘code’: ‘ResourceNotFound’, ‘message’: ‘Machine 15dbb9d8f06b45fe9f61eb46e829d986 was not found. OrgId: b7df6ab7-5c73-4e13-8cd3-82e1f3d849ed.’, ‘target’: ‘9b321da9-6458-4ab3-a818-92f33247508a’}}), ‘046761c46ec84f40b27b6f79ce7cd32c’: NotFoundError({‘error’: {‘code’: ‘ResourceNotFound’, ‘message’: ‘Machine 046761c46ec84f40b27b6f79ce7cd32c was not found. OrgId: b7df6ab7-5c73-4e13-8cd3-82e1f3d849ed.’, ‘target’: ‘d3d4f57f-73a2-4905-bd35-13eccbcaedb6’}})} |
Containment has been lift off host ‘15dbb9d8f06b45fe9f61eb46e829d986’, ‘046761c46ec84f40b27b6f79ce7cd32c’