Containment Plan

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles all the alert containment actions available with Cortex XSIAM, including the following tasks:

  • Isolate endpoint
  • Disable account
  • Quarantine file
  • Block indicators
  • Clear user session (currently, the playbook supports only Okta)

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Block Indicators - Generic v2
  • Block Account - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • IsIntegrationAvailable
  • Set

Commands

  • okta-clear-user-sessions
  • core-isolate-endpoint
  • core-blocklist-files
  • okta-get-user
  • core-quarantine-files
  • core-get-endpoints
  • core-get-quarantine-status

Playbook Inputs

| Name | Description | Default Value | Required |
|---|---|---|---|
| AutoContainment | Whether to execute the containment plan (except isolation) automatically. The specific containment playbook inputs should also be set to 'True'. | False | Optional |
| HostContainment | Whether to execute endpoint isolation automatically. | True | Optional |
| UserContainment | Set to 'True' to disable the user account. | True | Optional |
| BlockIndicators | Set to 'True' to block the indicators. | True | Optional |
| FileContainment | Set to 'True' to quarantine the identified file. | True | Optional |
| ClearUserSessions | Set to 'True' to clear the user's active Okta sessions. | True | Optional |
| EndpointID | The endpoint ID to run commands over. | | Optional |
| Username | The username to disable. | | Optional |
| FileHash | The file hash to block. | | Optional |
| FilePath | The path of the file to block. | | Optional |
| IP | The IP indicators. | | Optional |
| Domain | The domain indicators. | | Optional |
| URL | The URL indicator. | | Optional |
| FileRemediation | Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and executes only file quarantine. | Quarantine | Optional |
| IAMUserDomain | The Okta IAM users domain. The domain is appended to the username, e.g. username@IAMUserDomain. | @demisto.com | Optional |
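The inputs above gate which containment actions actually run: endpoint isolation depends on HostContainment alone, while every other action requires both AutoContainment and its own flag. The following is an added, stand-alone Python model of that gating logic written for this page; it is not the playbook's own YAML or any Cortex code. The function name resolve_containment_actions, the sample alert inputs, the rule that an action is skipped when its target input (EndpointID, Username, FileHash, indicators) is empty, and the assumption that choosing 'Delete' for FileRemediation skips quarantine here (the mirror of the 'Quarantine' case described in the table) are all assumptions made for the example.

```python
# Added example: model of the Containment Plan input gating described in the
# inputs table. Not the playbook's own code; names and the "skip when the
# target input is empty" rule are assumptions for illustration.

# Default values as listed in the inputs table.
DEFAULTS = {
    "AutoContainment": "False",
    "HostContainment": "True",
    "UserContainment": "True",
    "BlockIndicators": "True",
    "FileContainment": "True",
    "ClearUserSessions": "True",
    "FileRemediation": "Quarantine",
    "IAMUserDomain": "@demisto.com",
}


def is_true(value):
    """Playbook inputs arrive as strings ('True'/'False'); normalise to bool."""
    return str(value).strip().lower() == "true"


def resolve_containment_actions(inputs):
    """Return the ordered list of (command_or_subplaybook, target) pairs the
    plan would execute for the given playbook inputs."""
    # Empty or missing inputs fall back to the documented defaults.
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in inputs.items() if v not in (None, "")})
    plan = []

    # Isolation is explicitly excluded from AutoContainment: it is gated by
    # HostContainment only, and needs an EndpointID to act on.
    if is_true(cfg["HostContainment"]) and cfg.get("EndpointID"):
        plan.append(("core-isolate-endpoint", cfg["EndpointID"]))

    # Every other action runs only when AutoContainment AND its own flag are True.
    if not is_true(cfg["AutoContainment"]):
        return plan

    if is_true(cfg["UserContainment"]) and cfg.get("Username"):
        plan.append(("Block Account - Generic", cfg["Username"]))

    if is_true(cfg["ClearUserSessions"]) and cfg.get("Username"):
        # Okta lookup uses username + IAMUserDomain, as the table states.
        plan.append(("okta-clear-user-sessions",
                     cfg["Username"] + cfg["IAMUserDomain"]))

    # FileRemediation resolves the quarantine/delete conflict: only 'Quarantine'
    # triggers quarantine in this plan; 'Delete' is assumed to leave the file to
    # the eradication playbook's 'Delete file' task.
    if (is_true(cfg["FileContainment"])
            and cfg["FileRemediation"] == "Quarantine"
            and cfg.get("FileHash")):
        plan.append(("core-quarantine-files", cfg["FileHash"]))

    indicators = [cfg[k] for k in ("IP", "Domain", "URL", "FileHash") if cfg.get(k)]
    if is_true(cfg["BlockIndicators"]) and indicators:
        plan.append(("Block Indicators - Generic v2", ",".join(indicators)))

    return plan


# Constructed sample inputs (not real data): AutoContainment enabled, file
# remediation handed to the eradication playbook via 'Delete'.
SAMPLE_ALERT_INPUTS = {
    "AutoContainment": "True",
    "EndpointID": "endpoint-0001",          # placeholder endpoint ID
    "Username": "jdoe",                     # placeholder username
    "FileHash": "0" * 64,                   # placeholder SHA-256
    "IP": "203.0.113.7",                    # documentation-range address
    "FileRemediation": "Delete",
}

if __name__ == "__main__":
    for action, target in resolve_containment_actions(SAMPLE_ALERT_INPUTS):
        print(f"{action}: {target}")
```

With AutoContainment left at its default of False, the function returns only the isolation step, which is the behaviour an analyst should expect when the playbook is run without opting in to automatic containment.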

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

(Image: Containment Plan)