Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks:
- Containment Plan - Isolate endpoint
- Containment Plan - Disable account
- Containment Plan - Quarantine file
- Containment Plan - Block indicators
- Containment Plan - Clear user session (currently, the playbook supports only Okta)
Note: The playbook inputs control the execution flow (which containment actions run and whether an analyst is prompted first). Read the input descriptions for details.
This playbook uses the following sub-playbooks, integrations, and scripts.
- Containment Plan - Block Indicators
- Containment Plan - Isolate Device
- Containment Plan - Clear User Sessions
- Containment Plan - Disable Account
- Containment Plan - Quarantine File
This playbook does not use any integrations.
Playbook inputs:
- Whether to execute the containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'.
- Whether to execute endpoint isolation.
- Set to 'True' to disable the user account.
- Set to 'True' to block the indicators.
- Set to 'True' to quarantine the identified file.
- Set to 'True' to clear the user's active Okta sessions.
- The endpoint ID to run commands over.
- The username to disable.
- The file hash to block.
- The path of the file to block.
- The IP indicators.
- The domain indicators.
- The URL indicator.
- Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and executes only file quarantine.
- The Okta IAM users domain. The domain will be appended to the username, e.g. username@IAMUserDomain.
- Possible values: True/False. Whether to ask the user to verify blocking those IPs and disabling the users. False - no prompt is displayed to the user. True - the server asks the user to verify the block and displays the blocking list.
- Possible values: True/False. Default: True. Should the given indicators be blocked automatically, or should the user be given the option to choose? If set to False, no prompt appears and all provided indicators are blocked automatically. If set to True, the user is prompted to select which indicators to block.

Playbook outputs:
- The blocked accounts.
- The quarantined files from the endpoint.
- The file hash that was added to the blocklist.
- The isolated endpoint ID.