Cortex XDR - quarantine file

This playbook accepts a file path, a file hash, and an endpoint ID, quarantines the selected file, and waits until the action is done.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

  • xdr-quarantine-file
  • xdr-get-quarantine-status

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| endpoint_id | The endpoint ID (string) on which to search for the selected file. You can retrieve the ID using the xdr-get-endpoints command. | | PaloAltoNetworksXDR | Mandatory |
| file_hash | Hash must be a valid SHA256. | | Endpoint | Mandatory |
| file_path | The path of the file you want to quarantine. | | Endpoint | Mandatory |

Playbook Outputs


Quarantine status. true if the action was successful and false otherwise.
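
The flow this playbook automates (check the three inputs, issue xdr-quarantine-file, then poll xdr-get-quarantine-status until a final result), written in Python as an added example that is not part of the playbook or the integration. The run_command callable, the argument names, the done/status result keys and the FakeXDR stub are assumptions made for illustration.

```python
import re
import time

def validate_inputs(endpoint_id, file_hash, file_path):
    """Return a list of problems with the playbook inputs (empty list = OK)."""
    problems = []
    if not (endpoint_id or "").strip():
        problems.append("endpoint_id is empty")
    # MD5 (32 hex) and SHA1 (40 hex) values are rejected: SHA256 is 64 hex chars.
    if not re.fullmatch(r"[0-9a-fA-F]{64}", file_hash or ""):
        problems.append("file_hash is not a valid SHA256")
    if not (file_path or "").strip():
        problems.append("file_path is empty")
    return problems

def quarantine_and_wait(run_command, endpoint_id, file_hash, file_path,
                        interval=1.0, timeout=30.0, sleep=time.sleep):
    """Quarantine the file, then poll until a final status or the timeout.

    run_command(name, args) -> dict is a hypothetical command executor; the
    argument names and the 'done'/'status' result keys are assumptions.
    """
    problems = validate_inputs(endpoint_id, file_hash, file_path)
    if problems:
        raise ValueError("; ".join(problems))
    args = {"endpoint_id": endpoint_id, "file_hash": file_hash,
            "file_path": file_path}
    run_command("xdr-quarantine-file", args)
    waited = 0.0
    while waited <= timeout:
        result = run_command("xdr-get-quarantine-status", args)
        if result.get("done"):
            return bool(result.get("status"))
        sleep(interval)
        waited += interval
    return False  # no final status in time: report the file as not quarantined

class FakeXDR:
    """Constructed stub: answers 'pending' for N polls, then reports success."""
    def __init__(self, polls_until_done=2):
        self.calls, self.remaining = [], polls_until_done

    def __call__(self, name, args):
        self.calls.append(name)
        if name != "xdr-get-quarantine-status":
            return {}
        if self.remaining > 0:
            self.remaining -= 1
            return {"done": False}
        return {"done": True, "status": True}
```

Treating a timeout as false keeps a stalled agent from being recorded as a contained file; an MD5 or SHA1 taken from endpoint context fails validation before any command is sent.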