Block Indicators - Generic v3

This Playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook blocks malicious indicators through every enabled integration, by running the following sub-playbooks:

  • Block URL - Generic
  • Block Account - Generic
  • Block IP - Generic v3
  • Block File - Generic v2
  • Block Email - Generic
  • Block Domain - Generic

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Block IP - Generic v3
  • Block File - Generic v2
  • Block Account - Generic v2
  • Block Email - Generic
  • Block Domain - Generic
  • Block URL - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

  • setIndicators

Playbook Inputs


NameDescriptionDefault ValueRequired
IPAn array of malicious IPs to block. Enter a comma-separated list of IPs (i.e.: 1.1.1.1,2.2.2.2).DBotScore.IndicatorOptional
URLArray of malicious URLs to block.DBotScore.IndicatorOptional
UsernameArray of malicious usernames to block.DBotScore.IndicatorOptional
MD5The MD5 hash of the file you want to block.File.MD5Optional
SHA256The SHA256 hash of the file you want to block.File.SHA256Optional
CustomBlockRuleThis input determines whether Palo Alto Networks Panorama or Firewall Custom Block Rules are used.
Specify "True" to create new Custom Block Rules (2 FW rules inside the PAN-OS device).
For "False" - no rules will be created.
TrueOptional
LogForwardingPanorama log forwarding object name. Indicate what type of Log Forwarding setting will be specified in the PAN-OS custom rules.Optional
AutoCommitThis input determines whether to commit the configuration automatically on PAN-OS devices and other FWs.
Yes - Commit automatically.
No - Commit manually.
NoOptional
StaticAddressGroupThis input determines whether Palo Alto Networks Panorama or Firewall Static Address Groups are used.
Specify the Static Address Group name for IPs list handling.
Optional
URLListNameURL list from the instance context with which to override the remote file.XSOAR Remediation - URL EDLOptional
CustomURLCategoryCustom URL Category name.XSOAR Remediation - Malicious URLsOptional
typeCustom URL category type. Insert "URL List"/ "Category Match".Optional
device-groupDevice group for the Custom URL Category (Panorama instances).Optional
categoriesThe list of categories. Relevant from PAN-OS v9.x.Optional
EmailToBlockThe email address that you wish to block.Optional
DomainToBlockThe domain that you wish to block.Optional
DomainBlackListIDThe Domain List ID to add the Domain to.
product: Proofpoint Threat Response
Optional
TagInsert a tag name with which indicators will get tagged. This tag can be used later in the External Dynamic Lists integration by using the tag for filtering IPs in the indicator query.Optional
DAGThis input determines whether Palo Alto Networks Panorama or Firewall Dynamic Address Groups are used.
Specify the Dynamic Address Group tag name for IPs list handling.
Optional
UserVerificationPossible values: True/False. Default: True.
Whether to provide user verification for blocking those IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
TrueOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
SiteNameSignal Sciences WAF - Enter the site name for the integration to be applied. The site name can be found in your instance console.Optional
AkamaiNetworkListIDAkamai's WAF network list ID, which is mandatory to be mentioned for the integration. The chosen IPs will be added to this ID.Optional
CiscoFWSourceCisco ASA (firewall) value for the rule's source object in the created blocking rule. Can be the value of an IPv4, an address block, or the name of a network object.Optional
InputEnrichmentThe rule name/description that will be presented on the created rule in certain integrations (if there is a need).
The supported integrations: PAN-OS, CheckPoint.

Default input- "XSOAR - Block IP playbook - ${incident.id}"
FalseOptional
RuleNameThe rule name/description that will be presented on the created rule in certain integrations (if there is a need).
The supported integrations: PAN-OS, CheckPoint.

Default input- "XSOAR - Block IP playbook - ${incident.id}"
XSOAR - Block Indicators playbook - ${incident.id}Optional
RuleDirectionDetermine if a newly created rule should be with the network direction of outbound or inbound blocked traffic.
Possible values: inbound or outbound
Default: outbound
outboundOptional
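The IP input is a comma-separated list and InternalRange exists to keep internal addresses out of the blocking rules. The Python below is an added example (not the playbook's or the IsIPInRanges script's own code) of pre-filtering that input the same way before it reaches any firewall integration; the RFC 1918 blocks used as the fallback are an assumption about what the script's default list contains.

```python
import ipaddress

# Assumed fallback for an empty InternalRange input. The page only says the
# IsIPInRanges script uses "the known IPv4 private address ranges"; the
# RFC 1918 blocks below are this example's assumption, not the script's list.
DEFAULT_INTERNAL_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_csv(value):
    """Split a comma-separated playbook input into stripped, non-empty items."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def load_ranges(internal_range):
    """Parse the InternalRange input (CIDR list) or fall back to the default list."""
    items = parse_csv(internal_range) or list(DEFAULT_INTERNAL_RANGES)
    # strict=False tolerates host bits set in a range such as "10.1.2.3/8".
    return [ipaddress.ip_network(r, strict=False) for r in items]


def split_block_candidates(ip_input, internal_range=""):
    """Return (external, internal, invalid) lists for the IP input.

    Only the external list should be handed to the blocking integrations;
    internal hits and unparsable values are kept so an analyst can review them.
    """
    ranges = load_ranges(internal_range)
    external, internal, invalid = [], [], []
    for raw in parse_csv(ip_input):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            invalid.append(raw)
            continue
        # Membership is False for mismatched IPv4/IPv6 versions, so no special case.
        if any(ip in net for net in ranges):
            internal.append(str(ip))
        else:
            external.append(str(ip))
    return external, internal, invalid


if __name__ == "__main__":
    # Constructed sample input in the page's documented comma-separated format.
    ext, inside, bad = split_block_candidates(
        "1.1.1.1, 10.20.30.40,2.2.2.2,not-an-ip,192.168.1.5"
    )
    print("block:", ext)            # ['1.1.1.1', '2.2.2.2']
    print("skip (internal):", inside)
    print("invalid:", bad)
```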

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| CheckpointFWRule.Domain | Rule domain. | unknown |
| CheckpointFWRule.Enabled | Rule status. | unknown |
| CheckpointFWRule.Name | Rule name. | unknown |
| CheckpointFWRule.UID | Rule UID. | unknown |
| CheckpointFWRule.Type | Rule type. | unknown |
| CheckpointFWRule.DestinationNegate | Rule destination negate status (True/False). | unknown |
| CheckpointFWRule.Action | Rule action (valid values are: Accept, Drop, Apply Layer, Ask, Info). | unknown |
| CheckpointFWRule.Destination | Rule destination. | unknown |
| CheckpointFWRule.ActionSetting | Rule action settings. | unknown |
| CheckpointFWRule.CustomFields | Rule custom fields. | unknown |
| CheckpointFWRule.Data | Rule data. | unknown |
| CheckpointFWRule.DataDirection | Rule data direction. | unknown |
| CheckpointFWRule.DataNegate | Rule data negate status (True/False). | unknown |
| CheckpointFWRule.Hits | Rule hits count. | unknown |
| PanoramaRule.Direction | Direction of the Panorama rule. Can be 'to', 'from', or 'both'. | string |
| PanoramaRule.IP | The IP the Panorama rule blocks. | string |
| PanoramaRule.Name | Name of the Panorama rule. | string |
| CheckpointFWRule.Data.Name | Rule data object name. | unknown |
| CheckpointFWRule.Data.Domain | Information about the domain the data object belongs to. | unknown |
| CheckpointFWRule.Domain.Name | Rule domain name. | unknown |
| CheckpointFWRule.Domain.UID | Rule domain UID. | unknown |
| CheckpointFWRule.Domain.Type | Rule domain type. | unknown |
| CheckpointFWRule.Hits.FirstDate | The date of the first hit for the rule. | unknown |
| CheckpointFWRule.Hits.LastDate | The date of the last hit for the rule. | unknown |
| CheckpointFWRule.Hits.Level | Level of rule hits. | unknown |
| CheckpointFWRule.Hits.Percentage | Percentage of rule hits. | unknown |
| CheckpointFWRule.Hits.Value | Value of rule hits. | unknown |

Playbook Image

[Playbook image: Block Indicators - Generic v3]