Automated Blocking of Malicious File Hashes and Endpoint Isolation on Crowdstrike Falcon

Automate malware response with hash blocking and endpoint isolation using VirusTotal, CrowdStrike Falcon, and SIRP integrations

Written by Saad Noor
Updated over 2 weeks ago

Introduction

The Block Malicious File Hash and Isolate Endpoint on CrowdStrike Falcon playbook automates the response to malware alerts, ensuring swift containment and remediation. By integrating threat intelligence and endpoint security tools, this playbook enables proactive incident handling, minimizing the potential spread and impact of malware.


Challenges Faced

  • Delayed Containment: Manual investigation and response to malware alerts prolong the containment process.

  • Coordination Overhead: Communication gaps between the SOC team and asset owners can delay further analysis.

  • Risk of Malware Propagation: Uncontained endpoints can lead to lateral movement and escalate incidents.


How SIRP Solves This

This playbook provides a structured and automated approach to respond to malicious file hashes detected in malware alerts.

  1. Hash Reputation Check

    • The playbook fetches the reported file hash from the alert and calls VirusTotal to verify its reputation.

  2. Hash Blocking

    • If the hash is identified as malicious, it is immediately blocked on CrowdStrike Falcon, preventing its execution across managed endpoints.

  3. Endpoint Isolation

    • The playbook fetches the affected asset (hostname) details from the alert and isolates the endpoint (host) via CrowdStrike Falcon, ensuring the malware does not spread further.

  4. Notification to SOC Team

    • SOC analysts are notified to contact the asset owner for further analysis, remediation, and to assess potential collateral damage.
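The four steps above as decision logic, added here as an example and not SIRP's own code. The four integration callables are hypothetical hooks supplied by the caller (not the VirusTotal or CrowdStrike APIs), and the detection threshold and the constructed VirusTotal lookup table are assumptions; the not-malicious branch follows FAQ 1 below and flags the alert for manual review instead of containing.

```python
import re
from dataclasses import dataclass, field

# Hash formats an EDR/SIEM alert typically reports: MD5, SHA-1 or SHA-256 hex digests.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

@dataclass
class Result:
    disposition: str = ""
    actions: list = field(default_factory=list)

def run_playbook(hostname, file_hash, vt_lookup, block_hash, contain_host, notify,
                 malicious_threshold=3):
    """Decision logic for the four playbook steps. The four callables are hypothetical
    integration hooks supplied by the caller, not SIRP's or CrowdStrike's API."""
    result = Result()
    h = (file_hash or "").strip().lower()
    if not HASH_RE.match(h):  # never query or block on a malformed indicator
        notify(f"Alert hash {file_hash!r} is not a valid hash; manual review needed")
        result.disposition, result.actions = "invalid_hash", ["notify"]
        return result
    # Step 1: reputation check. vt_lookup returns how many engines flag the hash,
    # or None when VirusTotal has no record of it.
    hits = vt_lookup(h)
    if hits is None or hits < malicious_threshold:
        # FAQ 1: not confirmed malicious, so flag for SOC investigation instead of containing.
        notify(f"Hash {h} not confirmed malicious ({hits} detections); flagged for SOC review")
        result.disposition, result.actions = "manual_review", ["notify"]
        return result
    block_hash(h)                       # Step 2: block tenant-wide on the EDR
    result.actions.append("block_hash")
    if hostname:                        # Step 3: contain the reported host, if the alert named one
        contain_host(hostname)
        result.actions.append("contain_host")
    notify(f"Blocked {h}; contained {hostname or 'no host'}. Contact the asset owner.")
    result.actions.append("notify")     # Step 4: SOC coordinates with the asset owner
    result.disposition = "contained"
    return result

# Constructed offline stand-ins for the integrations (not the real VirusTotal/CrowdStrike APIs).
CONSTRUCTED_VT = {"a" * 64: 45, "b" * 64: 1}

def demo(hostname, file_hash):
    """Run the playbook against the constructed stand-ins and return what it did."""
    log = []
    res = run_playbook(hostname, file_hash, CONSTRUCTED_VT.get,
                       lambda h: log.append(("block", h)),
                       lambda host: log.append(("contain", host)),
                       lambda msg: log.append(("notify", msg)))
    return res.disposition, res.actions, log
```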


Playbook Prerequisites

  • SIEM/EDR Alert Configuration: Malware alerts should be configured and ingested into SIRP.

  • EDR Capabilities: Ensure the endpoint detection and response tool supports hash blocking and host containment.

  • VirusTotal Integration: To fetch and verify hash reputations.


Playbook Integrations

  • VirusTotal: Fetches and verifies the reputation of file hashes.

  • CrowdStrike Falcon: Blocks malicious hashes and isolates endpoints.

  • SIRP: Manages alert updates, workflows, and notifications.


Playbook Inputs

  • Hostname: The name of the affected host in the alert.

  • Hash: The malicious file hash reported in the alert.


Playbook Outputs

  • Block Hash: Prevents the malicious file hash from being executed on endpoints.

  • Contain Host: Isolates the affected endpoint to stop malware propagation.

  • Send Notification to Analyst: Notifies the SOC team to coordinate further actions.


The SIRP Playbook


Key Benefits

  • Accelerated Malware Response: Automates critical containment steps, reducing response time.

  • Enhanced Security Posture: Prevents malware execution and lateral movement by isolating compromised endpoints.

  • Streamlined Communication: Ensures SOC teams are promptly informed for follow-up actions.

  • Integration-Driven Efficiency: Combines VirusTotal, CrowdStrike Falcon, and SIRP to deliver seamless incident handling.


FAQs

  1. What happens if a hash is not found malicious?

    • The playbook can be configured to flag the alert for further manual investigation by the SOC team.

  2. Can this playbook support other EDR tools besides CrowdStrike Falcon?

    • Yes, the playbook can be adapted to integrate with other EDR tools that support similar functionalities.

  3. Does the playbook notify asset owners?

    • Notifications are sent to the SOC team, who can coordinate with the asset owner as needed.
