Supported Cortex XSOAR versions: 5.5.0 and later.
This playbook receives ChronicleAsset indicators from its parent playbook "ChronicleAsset Investigation - Chronicle". For each indicator it performs enrichment and investigation, offers the analyst the option to isolate and block the hostname or IP address associated with that indicator, and returns the lists of isolated entities and blocked IP addresses.
This playbook uses the following sub-playbooks, integrations, and scripts.
- IP Enrichment - Generic v2
- Isolate Endpoint - Generic
- Block IP - Generic v2
- Isolate Endpoint - Generic V2
- Endpoint Enrichment - Generic v2.1
Playbook inputs:
- The value of the ChronicleAsset indicator.
- The hostname associated with the ChronicleAsset.
- The IP address associated with the ChronicleAsset.
- The support email address for the ChronicleAsset.
- Autoblock the detected suspicious IP address(es). Set this to "Yes" or "No" here, or set it in the 'Chronicle Auto Block Entities' custom incident field.
- Skip the isolation of entities. Set this to "Yes" or "No" here, or set it in the 'Chronicle Skip Entity Isolation' custom incident field.
Playbook outputs:
- List of the isolated entities.
- List of potentially blocked IP addresses.
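The per-indicator decision the inputs and outputs above describe, written out as an added Python illustration for this page (not code from the XSOAR playbook or its sub-playbooks). The custom incident field keys, the ChronicleAsset record shape, and the rule that an unresolved "Yes"/"No" flag defers to the analyst rather than acting are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumed machine names for the two custom incident fields mentioned above.
AUTO_BLOCK_FIELD = "chronicleautoblockentities"
SKIP_ISOLATION_FIELD = "chronicleskipentityisolation"


@dataclass
class ChronicleAsset:
    """One ChronicleAsset indicator as handed over by the parent playbook
    (record shape assumed for this example)."""
    value: str
    hostname: Optional[str] = None
    ip: Optional[str] = None


@dataclass
class TriageResult:
    isolated_entities: List[str] = field(default_factory=list)
    blocked_ips: List[str] = field(default_factory=list)
    pending_isolation: List[str] = field(default_factory=list)  # left to the analyst
    pending_block: List[str] = field(default_factory=list)      # left to the analyst


def resolve_flag(explicit: Optional[str], incident_fields: dict, field_name: str) -> Optional[bool]:
    """Resolve a Yes/No playbook input.

    The explicit playbook input wins; otherwise the custom incident field is
    consulted. Only an unambiguous "yes" or "no" counts; an empty or misspelt
    value resolves to None so the analyst is asked instead of the playbook
    guessing at a destructive action.
    """
    for candidate in (explicit, incident_fields.get(field_name)):
        if candidate is None:
            continue
        value = str(candidate).strip().lower()
        if value == "yes":
            return True
        if value == "no":
            return False
    return None


def is_ip(value: Optional[str]) -> bool:
    """True only for a syntactically valid IPv4/IPv6 address."""
    if not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage_assets(assets: Iterable[ChronicleAsset], auto_block: Optional[str] = None,
                  skip_isolation: Optional[str] = None,
                  incident_fields: Optional[dict] = None) -> TriageResult:
    """Decide, per indicator, what is isolated, what is blocked, and what is
    deferred to the analyst."""
    fields = incident_fields or {}
    auto = resolve_flag(auto_block, fields, AUTO_BLOCK_FIELD)
    skip = resolve_flag(skip_isolation, fields, SKIP_ISOLATION_FIELD)
    result = TriageResult()
    for asset in assets:
        endpoint = asset.hostname or asset.ip
        if endpoint is None:
            continue  # nothing to isolate or block; enrichment only
        # Isolation: "Yes" skips it, "No" isolates, unresolved goes to the analyst.
        if skip is False:
            result.isolated_entities.append(endpoint)
        elif skip is None:
            result.pending_isolation.append(endpoint)
        # Blocking only ever targets a valid IP address, never a hostname, and
        # only happens unattended when autoblock resolved to "Yes".
        if is_ip(asset.ip):
            target = result.blocked_ips if auto is True else result.pending_block
            if asset.ip not in target:
                target.append(asset.ip)
    return result


if __name__ == "__main__":
    # Constructed sample indicators (documentation ranges, not real assets).
    sample = [
        ChronicleAsset("host-a", hostname="host-a.corp.example", ip="203.0.113.10"),
        ChronicleAsset("203.0.113.10", ip="203.0.113.10"),
        ChronicleAsset("orphan"),
    ]
    print(triage_assets(sample, auto_block="Yes", skip_isolation="No"))
```

An explicit input always overrides the incident field, and a duplicate IP appearing under two indicators is blocked once; both behaviours are the ones a practitioner should confirm against the real playbook before relying on them.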