Skip to main content

ChronicleAssets Investigation And Remediation - Chronicle

This Playbook is part of the Chronicle Pack.#

Performs enrichment and investigation of the ChronicleAsset type of indicators, provides an opportunity to remediate in case any of the ChronicleAsset information i.e., hostname or IP address is found to be malicious or suspicious, and sends out an email containing the list of isolated and potentially blocked entities. To select the indicators you want to add, go to playbook inputs, choose "from indicators" and set your query. For example, type:ChronicleAsset etc. The default playbook query is "type:ChronicleAsset". In case indicators with different query parameters are to be investigated, the query must be edited accordingly. This playbook needs to be used with caution as it might use up the integration’s API license when running large amounts of indicators.


This playbook uses the following sub-playbooks, integrations, and scripts.


ChronicleAsset Investigation - Chronicle


This playbook does not use any integrations.





Playbook Inputs#

NameDescriptionDefault ValueRequired
Indicator QueryIndicators matching the indicator query will be used as playbook inputs.type:ChronicleAssetOptional
chronicleasset_support_contactThe support email address for the Chronicle asset.incident.chronicleassetsupportcontactOptional
auto_block_entitiesAutoblock the detected suspicious IP address(es). You can manuall set this as 'Yes' or 'No' here or you can set it in a 'Chronicle Auto Block Entities' custom incident field.incident.chronicleautoblockentitiesOptional
skip_entity_isolationSkip the isolation of entities. You can manually set this as 'Yes' or 'No' here or you can set it in a 'Chronicle Skip Entity Isolation' custom incident field.incident.chronicleskipentityisolationOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

ChronicleAssets Investigation And Remediation - Chronicle