Skip to main content

Ransomware Enrich and Contain

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook is responsible for ransomware alert data enrichment and response. The playbook executes the following:

  1. Checks if the initiator is a remote attacker and allows isolating the remote host, if possible.

  2. Retrieves the WildFire sandbox report and extracts the indicators within it.

    • The playbook tries to retrieve the report, but if there is no report available, the playbook tries to fetch the ransomware file for detonation.
  3. Hunts for the ransomware alert indicators from the alert table, searches for endpoints that have been seen with them, and allows containing the identified endpoints.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • WildFire - Detonate file v2
  • Containment Plan


  • CoreIOCs
  • CortexCoreIR


  • isError
  • SearchIncidentsV2


  • extractIndicators
  • core-isolate-endpoint
  • core-retrieve-file-details
  • domain
  • file
  • ip
  • core-retrieve-files
  • url
  • wildfire-report
  • core-get-endpoints

Playbook Inputs#

NameDescriptionDefault ValueRequired
isolateRemoteAttackerWhether to isolate the remote attacker host.trueOptional
isolateSimilarEndpointsWhether to isolate endpoints which has been detected with the alert IoCs.falseOptional
FileSHA256The ransomware file SHA256.alert.initiatorsha256Optional
detonateRansomFileWhether to detonate the ransomware file in sandbox, Set to True to enable file detonation and False to disable it.
By default is set to True.

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Ransomware Enrich and Contain