Skip to main content

Containment Plan

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles the main containment actions available with Cortex XSIAM, including the following sub-playbooks:

  • Containment Plan - Isolate endpoint
  • Containment Plan - Disable account
  • Containment Plan - Quarantine file
  • Containment Plan - Block indicators
  • Containment Plan - Clear user session (currently, the playbook supports only Okta)

Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Containment Plan - Block Indicators
  • Containment Plan - Isolate Device
  • Containment Plan - Clear User Sessions
  • Containment Plan - Disable Account
  • Containment Plan - Quarantine File


This playbook does not use any integrations.


  • Set


  • core-get-endpoints

Playbook Inputs#

NameDescriptionDefault ValueRequired
AutoContainmentWhether to execute containment plan (except isolation) automatically.
The specific containment playbook inputs should also be set to 'True'.
HostContainmentWhether to execute endpoint isolation.TrueOptional
UserContainmentSet to 'True' to disable the user account.TrueOptional
BlockIndicatorsSet to 'True' to block the indicators.TrueOptional
FileContainmentSet to 'True' to quarantine the identified file.TrueOptional
ClearUserSessionsSet to 'True' to clear the user active Okta sessions.TrueOptional
EndpointIDThe endpoint ID to run commands over.Optional
UsernameThe username to disable.Optional
FileHashThe file hash to block.Optional
FilePathThe path of the file to block.Optional
IPThe IP indicators.Optional
DomainThe domain indicators.Optional
URLThe URL indicator.Optional
FileRemediationChoose 'Quarantine' or 'Delete' to avoid file remediation conflicts.
For example, choosing 'Quarantine' ignores the 'Delete file' task under the eradication playbook and will execute only file quarantine.
IAMUserDomainThe Okta IAM users domain. The domain will be appended to the username. e.g. username@IAMUserDomain.Optional
UserVerificationPossible values: True/False.
Whether to provide user verification for blocking those IPs and disabling the users.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.

Playbook Outputs#

Blocklist.FinalThe blocked accounts.unknown
QuarantinedFilesFromEndpointsThe quarantined files from endpoint.unknown
Core.blocklist.added_hashesThe file Hash that was added to the blocklist.unknown
Core.Isolation.endpoint_idThe isolated endpoint ID.unknown

Playbook Image#

Containment Plan