Skip to main content

Containment Plan - Block Indicators

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Containment Plan - Block Indicators#

This playbook is a sub-playbook within the containment plan playbook.

Indicator Blocking#

The playbook block indicators by two methods:

  1. It adds the malicious hashes into the XSIAM hash block list
  2. It utilizes the sub-playbook "Block Indicators - Generic v3"


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block Indicators - Generic v3


This playbook does not use any integrations.


This playbook does not use any scripts.


  • setParentIncidentContext
  • core-blocklist-files

Playbook Inputs#

NameDescriptionDefault ValueRequired
BlockIndicatorsSet to 'True' to block the indicators.TrueOptional
UserVerificationPossible values: True/False.
Whether to provide user verification for blocking those IPs.

False - No prompt will be displayed to the user.
True - The server will ask the user for blocking verification and will display the blocking list.
AutoBlockIndicatorsPossible values: True/False. Default: True.
Should the given indicators be automatically blocked, or should the user be given the option to choose?

If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.
FileHashThe file hash to block.Optional
IPThe IP indicators.Optional
DomainThe domain indicators.Optional
URLThe URL indicator.Optional
UsernameThe username to disable.Optional
FilePathThe path of the file to block.Optional
AutoContainmentWhether to execute containment plan automatically.Optional

Playbook Outputs#

Core.blocklist.added_hashesThe file Hash that was added to the blocklist.unknown

Playbook Image#

Containment Plan - Block Indicators