Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook handles all the eradication actions available with Cortex XSIAM, including the following sub-playbooks:
- Eradication Plan - Reset user password
- Eradication Plan - Delete file
- Eradication Plan - Kill process (currently, the playbook supports terminating a process by name)
Note: The playbook inputs enable manipulating the execution flow. Read the input descriptions for details.
This playbook uses the following sub-playbooks, integrations, and scripts.
- Eradication Plan - Terminate Process
- Eradication Plan - Reset Password
- Eradication Plan - Delete File
This playbook does not use any integrations.
This playbook does not use any commands.
| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| AutoEradicate | Set to True to execute the eradication playbook automatically. | True | Optional |
| EndpointID | The endpoint ID. | alert.agentid | Optional |
| FilePath | The file path for the file deletion and for the process termination task. | foundIncidents.CustomFields.initiatorpath | Optional |
| Username | The username to reset the password for. | foundIncidents.CustomFields.username | Optional |
| FileRemediation | Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Delete' ignores the 'Quarantine file' task under the containment playbook and executes only file deletion. |  |  |
| UserRemediation | Set to 'True' to reset the user's password. | True | Optional |
| ProcessTermination | Choose 'PID' to terminate the process using the Process ID, or 'Name' to terminate the process using its name. Please note that providing the file path is mandatory for the process termination. If 'PID' is chosen, the input `ProcessID` should not be empty; otherwise, the termination will not proceed. |  |  |
| ProcessID | The process ID to terminate. |  | Optional |
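The input descriptions above encode several gating rules: the file path is mandatory for process termination, `ProcessID` must be non-empty when 'PID' is chosen, and 'Quarantine' leaves the file to the containment playbook so that deletion and quarantine never act on the same file. The following is an added example, not part of this playbook or of Cortex XSOAR/XSIAM code, that evaluates those rules over an input dictionary before anything destructive runs; the `plan_eradication` function, the `EradicationPlan` fields and the sample inputs are assumptions constructed for illustration.

```python
"""Pre-flight evaluation of eradication playbook inputs.

Added example modelled on the README's input descriptions; it is not
Cortex XSOAR/XSIAM code. Function, field and sample values are assumptions.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EradicationPlan:
    auto_execute: bool = False                 # AutoEradicate == True
    reset_password: Optional[str] = None       # username whose password will be reset
    delete_file: Optional[str] = None          # path that will be deleted
    terminate_process: Optional[str] = None    # "pid:<id>" or "name:<path>"
    skipped: List[str] = field(default_factory=list)  # why a task will not run


def _truthy(value) -> bool:
    """Playbook inputs usually arrive as strings ('True'/'False'), sometimes as booleans."""
    return str(value).strip().lower() == "true"


def plan_eradication(inputs: dict) -> EradicationPlan:
    """Decide which eradication tasks the given inputs allow, recording skips with reasons."""
    plan = EradicationPlan(auto_execute=_truthy(inputs.get("AutoEradicate", False)))
    file_path = (inputs.get("FilePath") or "").strip()

    # User remediation: only when explicitly enabled, and only if a username is present.
    if _truthy(inputs.get("UserRemediation", False)):
        username = (inputs.get("Username") or "").strip()
        if username:
            plan.reset_password = username
        else:
            plan.skipped.append("password reset: UserRemediation is True but Username is empty")

    # File remediation: 'Delete' runs deletion here; 'Quarantine' defers to the containment
    # playbook's quarantine task so the two never conflict on the same file.
    remediation = (inputs.get("FileRemediation") or "").strip().lower()
    if remediation == "delete":
        if file_path:
            plan.delete_file = file_path
        else:
            plan.skipped.append("file deletion: FileRemediation is Delete but FilePath is empty")
    elif remediation == "quarantine":
        plan.skipped.append("file deletion: FileRemediation is Quarantine (handled by containment)")
    elif remediation:
        plan.skipped.append(f"file deletion: unrecognised FileRemediation value {remediation!r}")

    # Process termination: FilePath is mandatory in both modes; 'PID' also needs ProcessID.
    mode = (inputs.get("ProcessTermination") or "").strip().lower()
    if mode in ("pid", "name"):
        process_id = str(inputs.get("ProcessID") or "").strip()
        if not file_path:
            plan.skipped.append("process termination: FilePath is empty")
        elif mode == "pid" and not process_id:
            plan.skipped.append("process termination: ProcessTermination is PID but ProcessID is empty")
        elif mode == "pid":
            plan.terminate_process = f"pid:{process_id}"
        else:
            plan.terminate_process = f"name:{file_path}"
    elif mode:
        plan.skipped.append(f"process termination: unrecognised ProcessTermination value {mode!r}")

    return plan


if __name__ == "__main__":
    # Constructed sample inputs: one complete set, one that trips the PID rule.
    complete = {
        "AutoEradicate": "True", "UserRemediation": "True", "Username": "jdoe",
        "FileRemediation": "Delete", "FilePath": "C:\\Temp\\tool.exe",
        "ProcessTermination": "PID", "ProcessID": "4321",
    }
    missing_pid = {"FileRemediation": "Quarantine", "FilePath": "/tmp/x", "ProcessTermination": "PID"}
    for name, sample in (("complete", complete), ("missing_pid", missing_pid)):
        print(name, plan_eradication(sample))
```

Running the module prints both plans; the second shows deletion deferred to quarantine and termination skipped because `ProcessID` is empty, which is exactly the case the table says will not proceed.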
| Path | Description | Type |
| --- | --- | --- |
| TerminatedProcessFromEndpoints | The terminated process from endpoint | unknown |