Skip to main content

Powershell Payload Response

This Playbook is part of the Malware Lateral Movement Assessment and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

The Powershell Payload Response playbook is designed to be used when file payload executions are detected from an endpoint machines Powershell and begins the remediation process.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Process Email - Generic
  • Isolate Endpoint - Generic V2
  • Block File - Generic v2
  • Dedup - Generic v3
  • Detonate File - Generic


  • Carbon Black Defense
  • Carbon Black Enterprise EDR
  • ServiceNow v2
  • SplunkPy


  • AssignAnalystToIncident
  • IncreaseIncidentSeverity


  • cb-eedr-device-background-scan
  • splunk-search
  • closeInvestigation
  • cbd-create-policy
  • servicenow-update-ticket
  • cb-eedr-device-unquarantine
  • servicenow-create-ticket

Playbook Inputs#

NameDescriptionDefault ValueRequired
Endpoint IDID of the endpoint in question.${incident.endpointid}Optional
HostnameHostname of the endpoint in question.${incident.hostname}Optional
EmailEmail attachment.${}Optional
FilePayload file that was executed.${File}Optional
File PathFile Path of the Executed Payload.${incident.filepath}Optional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Powershell Payload Response