Skip to main content

Hostname And IP Address Investigation And Remediation - Chronicle

This Playbook is part of the Chronicle Pack.#

This playbook receives the ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle", performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and provides a list of isolated and blocked entities.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Endpoint Enrichment - Generic v2.1
  • IP Enrichment - Generic v2
  • Isolate Endpoint - Generic
  • Block IP - Generic v2

Integrations#

This playbook does not use any integrations.

Scripts#

  • Set
  • DeleteContext

Commands#

  • ip
  • setIndicator
  • df-get-asset

Playbook Inputs#


NameDescriptionDefault ValueRequired
chronicleasset_valueThe value of the ChronicleAsset indicator.Required
chronicleasset_hostnameThe hostname associated with the ChronicleAsset.Optional
chronicleasset_ipThe IP address associated with the ChronicleAsset.Optional
chronicleasset_support_contactThe support email address for the ChronicleAsset.incident.chronicleassetsupportcontactOptional
auto_block_entitiesAutoblock the detected suspicious IP address(es). You can manually set this as 'Yes' or 'No' here or you can set it in a 'Chronicle Auto Block Entities' custom incident field.incident.chronicleautoblockentitiesOptional
skip_entity_isolationSkip the isolation of entities. You can manually set this as 'Yes' or 'No' here or you can set it in a 'Chronicle Skip Entity Isolation' custom incident field.incident.chronicleskipentityisolationOptional

Playbook Outputs#


PathDescriptionType
IsolatedEntitiesList of the isolated entities.unknown
PotentiallyBlockedIPsList of potentially blocked IP addresses.unknown

Playbook Image#


Hostname And IP Address Investigation And Remediation - Chronicle