Skip to main content

ChronicleAsset Investigation - Chronicle

This playbook receives indicators from its parent playbook, performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and gives out a list of isolated and blocked entities. This playbook also lists the events fetched for the asset identifier information associated with the indicator.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

List Device Events - Chronicle Hostname And IP Address Investigation And Remediation - Chronicle

Integrations#

This playbook does not use any integrations.

Scripts#

  • SixgillSearchIndicators
  • DeleteContext

Commands#

setIndicator

Playbook Inputs#


NameDescriptionDefault ValueRequired
chronicleasset_valueThe value of the ChronicleAsset indicator.Required
chronicleasset_support_contactThe support email address for the chronicle asset.incident.chronicleassetsupportcontactOptional
auto_block_entitiesAutoblock the detected suspicious IP Address(es). You can manually set this as 'Yes' or 'No' here or you can set it into a 'Chronicle Auto Block Entities' custom incident field.incident.chronicleautoblockentitiesOptional
skip_entity_isolationSkip the isolation of entities. You can manually set this as 'Yes' or 'No' here or you can set it into a 'Chronicle Skip Entity Isolation' custom incident field.incident.chronicleskipentityisolationOptional

Playbook Outputs#


PathDescriptionType
IsolatedEntitiesList of the isolated entities.unknown
PotentiallyBlockedIPsList of potentially blocked IP addresses.unknown

Playbook Image#


ChronicleAsset Investigation - Chronicle