Isolate Endpoint - Generic V2

This playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

This playbook isolates a given endpoint using various endpoint product integrations. Make sure to provide valid playbook inputs for the integration you are using.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Microsoft Defender For Endpoint - Isolate Endpoint
  • FireEye HX - Isolate Endpoint
  • Block Endpoint - Carbon Black Response V2.1
  • Isolate Endpoint - Cybereason
  • Crowdstrike Falcon - Isolate Endpoint
  • Cortex XDR - Isolate Endpoint

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

  • core-isolate-endpoint

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Endpoint_hostname | The host name of the endpoint to isolate. | | Optional |
| Endpoint_ip | The IP of the endpoint to isolate. | | Optional |
| Endpoint_id | The ID of the endpoint to isolate. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Endpoint | The isolated endpoint. | string |
| Traps.Isolate.EndpointID | The ID of the endpoint. | string |
| Traps.IsolateResult.Status | The status of the isolation operation. | string |
| Cybereason.Machine | The Cybereason machine name. | unknown |
| Cybereason.IsIsolated | Whether the machine is isolated. | unknown |
| Endpoint.Hostname | The host name of the endpoint. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_id | The endpoint ID. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_name | The endpoint name. | unknown |
| PaloAltoNetworksXDR.Endpoint.endpoint_status | The status of the endpoint. | unknown |
| PaloAltoNetworksXDR.Endpoint.ip | The endpoint's IP address. | unknown |
| PaloAltoNetworksXDR.Endpoint.is_isolated | Whether the endpoint is isolated. | unknown |
| MicrosoftATP.MachineAction.ID | The machine action ID. | string |
| MicrosoftATP.IsolateList | The IDs of the machines that were isolated. | string |
| MicrosoftATP.NonIsolateList | The IDs of the machines that will not be isolated. | string |
| MicrosoftATP.IncorrectIDs | Incorrect device IDs entered. | string |
| MicrosoftATP.IncorrectHostnames | Incorrect device host names entered. | string |
| MicrosoftATP.IncorrectIPs | Incorrect device IPs entered. | string |
| Core.Isolation.endpoint_id | The ID of the isolated endpoint. | string |
| CarbonBlackEDR.Sensor | The sensor info. | unknown |
| CarbonBlackEDR.Sensor.id | The ID of this sensor. | unknown |
| CarbonBlackEDR.Sensor.is_isolating | Boolean representing the sensor-reported isolation status. | unknown |
| CarbonBlackEDR.Sensor.status | The sensor status. | unknown |
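As an added example (not part of the Common Playbooks Pack or of this playbook), the following Python shows how a follow-up automation could read the vendor-specific outputs listed above and reduce them to one isolation verdict before an analyst closes the incident. The context paths are the ones documented above; the `ctx_get`, `as_bool` and `isolation_verdict` helpers and the string spellings each vendor uses for its status are assumptions, and in XSOAR the `context` argument would be the incident context.

```python
# Playbook output paths from the table above, grouped by what they tell us.
STATUS_PATHS = ("Cybereason.IsIsolated", "PaloAltoNetworksXDR.Endpoint.is_isolated",
                "CarbonBlackEDR.Sensor.is_isolating", "Traps.IsolateResult.Status")
ISOLATED_ID_PATHS = ("MicrosoftATP.IsolateList", "Core.Isolation.endpoint_id")
NEGATIVE_PATHS = ("MicrosoftATP.NonIsolateList", "MicrosoftATP.IncorrectIDs",
                  "MicrosoftATP.IncorrectHostnames", "MicrosoftATP.IncorrectIPs")

def ctx_get(context, path):
    """Resolve a dotted context path; XSOAR may store repeated objects as lists."""
    node = context
    for key in path.split("."):
        if isinstance(node, list):
            node = node[0] if node else None
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node

def as_bool(value):
    """Map vendor booleans/strings to True/False, or None when not interpretable.
    The string spellings are assumptions, not values documented on this page."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        v = value.strip().lower()
        if v in ("true", "isolated", "agent_isolated", "success", "completed"):
            return True
        if v in ("false", "unisolated", "agent_unisolated", "failed", "error"):
            return False
    return None

def isolation_verdict(context, endpoint_id=""):
    """Return {'isolated': bool, 'evidence': {path: bool}}. Isolated only when at
    least one vendor reported and every reporting path agrees."""
    evidence = {}
    for path in STATUS_PATHS:                      # boolean-ish status fields
        b = as_bool(ctx_get(context, path))
        if b is not None:
            evidence[path] = b
    for path in ISOLATED_ID_PATHS:                 # IDs a vendor actually isolated
        ids = ctx_get(context, path)
        ids = ids if isinstance(ids, list) else ([ids] if ids else [])
        if ids:
            evidence[path] = endpoint_id in ids if endpoint_id else True
    for path in NEGATIVE_PATHS:                    # Defender rejected/skipped the endpoint
        if ctx_get(context, path):
            evidence[path] = False
    return {"isolated": bool(evidence) and all(evidence.values()), "evidence": evidence}
```

An empty evidence dict means no sub-playbook wrote a status, which is a reason to keep the incident open rather than treat silence as success.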

Playbook Image

[Playbook diagram: Isolate Endpoint - Generic V2]