
Eradication Plan

This Playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles all the eradication actions available with Cortex XSIAM, including the following tasks:

  • Reset user password
  • Delete file
  • Kill process (currently, the playbook supports terminating a process by name)

Note: The playbook inputs enable manipulating the execution flow; read the input descriptions for details.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • Set
  • IsIntegrationAvailable

Commands

  • ad-expire-password
  • core-run-script-delete-file
  • core-run-script-kill-process

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| AutoEradicate | Set to True to execute the eradication playbook automatically. | Auto | Optional |
| EndpointID | The endpoint ID. | alert.agentid | Optional |
| FilePath | The file path for the file deletion task. | foundIncidents.CustomFields.initiatorpath | Optional |
| Username | The username to reset the password for. | foundIncidents.CustomFields.username | Optional |
| FileRemediation | Choose 'Quarantine' or 'Delete' to avoid file remediation conflicts. For example, choosing 'Delete' ignores the 'Quarantine file' task under the containment playbook and executes only file deletion. | Delete | Optional |
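The inputs above gate which of the three documented commands actually run. The following is an added example, not the playbook's own code or anything shipped by Palo Alto Networks: it models that gating in plain Python so the interaction between `FileRemediation`, the per-task inputs and the `IsIntegrationAvailable` check can be reasoned about and tested offline. The integration names in `REQUIRED_INTEGRATION`, the `ProcessName` input (the page says kill-by-name is supported but lists no input for it), the rule "a task needs both its input and its integration", and the reading that any `AutoEradicate` value other than `True` means a manual decision are all assumptions made for this example.

```python
"""Model of the Eradication Plan task-selection logic (added example, not playbook code)."""
from dataclasses import dataclass

# Assumption: which integration each documented command depends on.
REQUIRED_INTEGRATION = {
    "ad-expire-password": "Active Directory Query v2",
    "core-run-script-delete-file": "Cortex Core - IR",
    "core-run-script-kill-process": "Cortex Core - IR",
}


@dataclass
class EradicationInputs:
    """The documented playbook inputs plus a hypothetical ProcessName input."""
    AutoEradicate: str = "Auto"       # documented default
    EndpointID: str = ""              # default context: alert.agentid
    FilePath: str = ""                # default context: foundIncidents.CustomFields.initiatorpath
    Username: str = ""                # default context: foundIncidents.CustomFields.username
    FileRemediation: str = "Delete"   # 'Delete' or 'Quarantine'
    ProcessName: str = ""             # hypothetical: not an input listed on the page


def is_integration_available(name: str, enabled: set) -> bool:
    """Stand-in for the IsIntegrationAvailable script: True if an enabled instance exists."""
    return name in enabled


def plan_eradication(inputs: EradicationInputs, enabled_integrations: set):
    """Return (mode, tasks_to_run, skipped) where skipped maps command -> reason.

    A command is scheduled only when its required input is present AND its
    integration is available (assumption); otherwise it is skipped with a reason
    so an analyst can see why nothing happened rather than getting a silent no-op.
    """
    tasks, skipped = [], {}

    def consider(command: str, have_inputs: bool, label: str) -> None:
        if not have_inputs:
            skipped[command] = f"missing {label}"
            return
        integ = REQUIRED_INTEGRATION[command]
        if not is_integration_available(integ, enabled_integrations):
            skipped[command] = f"integration '{integ}' not available"
            return
        tasks.append(command)

    # 1. Reset user password
    consider("ad-expire-password", bool(inputs.Username), "Username")

    # 2. Delete file: only when FileRemediation is 'Delete'. The page states that
    #    'Delete' makes the containment playbook's quarantine task a no-op and runs
    #    deletion here; modelled reading: 'Quarantine' leaves the file to containment.
    if inputs.FileRemediation == "Delete":
        consider("core-run-script-delete-file",
                 bool(inputs.FilePath and inputs.EndpointID), "FilePath/EndpointID")
    else:
        skipped["core-run-script-delete-file"] = (
            "FileRemediation is 'Quarantine'; file handled by containment playbook")

    # 3. Kill process by name (ProcessName is a hypothetical input)
    consider("core-run-script-kill-process",
             bool(inputs.ProcessName and inputs.EndpointID), "ProcessName/EndpointID")

    # Assumption: only the literal string "True" triggers automatic execution.
    mode = "automatic" if inputs.AutoEradicate == "True" else "manual"
    return mode, tasks, skipped


if __name__ == "__main__":
    # Constructed sample inputs for a local dry run.
    sample = EradicationInputs(AutoEradicate="True", EndpointID="ep-0001",
                               FilePath=r"C:\Users\Public\dropper.exe",
                               Username="jdoe", ProcessName="dropper.exe")
    print(plan_eradication(sample, {"Active Directory Query v2", "Cortex Core - IR"}))
```

Running the module prints the plan for the constructed sample; the interesting cases are the skipped ones, where a missing `Username` or a disabled integration explains why a task was not scheduled.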

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

(Playbook image: Eradication Plan)