Hostname And IP Address Investigation And Remediation - Chronicle
Chronicle Pack.#
This Playbook is part of theThis playbook receives the ChronicleAsset type of indicators from its parent playbook "ChronicleAsset Investigation - Chronicle", performs enrichment and investigation for each one of them, provides an opportunity to isolate and block the hostname or IP address associated with the current indicator, and provides a list of isolated and blocked entities.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooks- Endpoint Enrichment - Generic v2.1
- IP Enrichment - Generic v2
- Isolate Endpoint - Generic
- Block IP - Generic v2
#
IntegrationsThis playbook does not use any integrations.
#
Scripts- Set
- DeleteContext
#
Commands- ip
- setIndicator
- df-get-asset
#
Playbook InputsName | Description | Default Value | Required |
---|---|---|---|
chronicleasset_value | The value of the ChronicleAsset indicator. | Required | |
chronicleasset_hostname | The hostname associated with the ChronicleAsset. | Optional | |
chronicleasset_ip | The IP address associated with the ChronicleAsset. | Optional | |
chronicleasset_support_contact | The support email address for the ChronicleAsset. | incident.chronicleassetsupportcontact | Optional |
auto_block_entities | Autoblock the detected suspicious IP address(es). You can manually set this as 'Yes' or 'No' here or you can set it in a 'Chronicle Auto Block Entities' custom incident field. | incident.chronicleautoblockentities | Optional |
skip_entity_isolation | Skip the isolation of entities. You can manually set this as 'Yes' or 'No' here or you can set it in a 'Chronicle Skip Entity Isolation' custom incident field. | incident.chronicleskipentityisolation | Optional |
#
Playbook OutputsPath | Description | Type |
---|---|---|
IsolatedEntities | List of the isolated entities. | unknown |
PotentiallyBlockedIPs | List of potentially blocked IP addresses. | unknown |