Skip to main content

IOC Alert

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

IOCs provide the ability to alert on known malicious objects on endpoints across the organization.

Analysis Actions: The playbook will use several enrichment sources to determine the IOC verdict. Additionally, will use the Analytics module to run a prevalence check for the IOC.

Response Actions: The playbook's first response action is a containment plan that is based on the playbook input. In that phase, the playbook will execute endpoint isolation

Investigative Actions: When the playbook executes, it checks for additional abnormal activity using the Endpoint Investigation Plan playbook that can indicate the endpoint might be compromised.

Remediation Actions: In case results are found within the investigation phase, the playbook will execute remediation actions that include containment and eradication.

This phase will execute the following containment actions:

  • File quarantine
  • Endpoint isolation

And the following eradication actions:

  • Manual process termination
  • Manual file deletion


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Endpoint Investigation Plan
  • Recovery Plan
  • Eradication Plan
  • Enrichment for Verdict
  • Handle False Positive Alerts
  • Ticket Management - Generic
  • Containment Plan


This playbook does not use any integrations.


This playbook does not use any scripts.


  • extractIndicators
  • setParentIncidentFields
  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
BlockIndicatorsAutomaticallyWhether to block suspicious/malicious indicators automatically. Specify True/False.FalseOptional
ShouldCloseAutomaticallyWhether to close the alert automatically if it's established verdict is False Positive. Specify True/False.TrueOptional
PreHostContainmentWhether to isolate the host before the investigation phase in case an IOC was found to be suspicious. Specify True/False.FalseOptional
ShouldHandleFPautomaticallyWhether to automatically handle false positive alerts. Specify true/false.Optional
AutoRestoreEndpointWhether to execute the Recovery playbook. Specify True/False.Optional
AutoContainmentSetting this input will impact both Containment Plan sub-playbooks. Without setting this input, the default values are True for the first occurrence and False for the second.
Whether to execute automatically or manually the containment plan tasks:
* Isolate endpoint
* Block indicators
* Quarantine file
* Disable user
Specify True/False.
FileRemediationShould be either 'Quarantine' or 'Delete'.QuarantineOptional
AutoEradicationWhether to execute automatically or manually the eradication plan tasks:
* Terminate process
* Delete file
* Reset the user's password
Specify True/False.
ShouldOpenTicketWhether to open a ticket automatically in a ticketing system. (True/False).FalseOptional
serviceNowShortDescriptionA short description of the ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
serviceNowImpactThe impact for the new ticket. Leave empty for ServiceNow default impact.Optional
serviceNowUrgencyThe urgency of the new ticket. Leave empty for ServiceNow default urgency.Optional
serviceNowSeverityThe severity of the new ticket. Leave empty for ServiceNow default severity.Optional
serviceNowTicketTypeThe ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
serviceNowCategoryThe category of the ServiceNow ticket.Optional
serviceNowAssignmentGroupThe group to which to assign the new ticket.Optional
ZendeskPriorityThe urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".Optional
ZendeskRequesterThe user who requested this ticket.Optional
ZendeskStatusThe state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".Optional
ZendeskSubjectThe value of the subject field for this ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
ZendeskTagsThe array of tags applied to this ticket.Optional
ZendeskTypeThe type of this ticket. Allowed values are "problem", "incident", "question", or "task".Optional
ZendeskAssigneThe agent currently assigned to the ticket.Optional
ZendeskCollaboratorsThe users currently CC'ed on the ticket.Optional
descriptionThe ticket description.${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}Optional
addCommentPerEndpointWhether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.TrueOptional
CommentToAddComment for the ticket.${}. Alert ID: ${}Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

IOC Alert