Introduction
The Block Malicious File Hash and Isolate Endpoint on Crowdstrike Falcon playbook automates the response to malware alerts so that containment and remediation begin as soon as the alert arrives. By chaining a threat-intelligence lookup to the endpoint security tool, the playbook turns a file-hash alert into a consistent, repeatable response and limits how far the malware can spread before an analyst looks at it.
Challenges Faced
Delayed Containment: Manual investigation and response to malware alerts prolong the containment process.
Coordination Overhead: Communication gaps between the SOC team and asset owners can delay further analysis.
Risk of Malware Propagation: An infected endpoint that stays on the network gives the attacker time for lateral movement, turning a single-host alert into a wider incident.
How SIRP Solves This
This playbook provides a structured and automated approach to respond to malicious file hashes detected in malware alerts.
Hash Reputation Check
The playbook extracts the reported file hash from the alert and queries Virus Total for its reputation. The malicious verdict should be driven by a detection-count threshold the SOC chooses, not by a single engine hit, since single-engine detections are a common source of false positives; a hash Virus Total has never seen should be treated as unknown rather than clean.
Hash Blocking
If the hash is identified as malicious, it is immediately added to Crowdstrike Falcon as a custom indicator with a prevent action, which blocks its execution on managed endpoints. Blocking is only enforced for hosts whose prevention policy allows custom blocking, so that policy setting is worth verifying when the playbook is rolled out.
Endpoint Isolation
The playbook fetches the affected asset (hostname) from the alert, resolves it to a Falcon host ID, and network-contains that host via Crowdstrike Falcon so the malware cannot spread further. Hostnames are not guaranteed to be unique: if the lookup returns more than one host, or none, the playbook should stop and hand containment to an analyst rather than isolate the wrong machine. Containment is reversible and is lifted once the host has been remediated.
Notification to SOC Team
SOC analysts are notified to contact the asset owner for further analysis, remediation, and to assess potential collateral damage.
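The four steps above, written out as decision logic, as an added example that is not SIRP's own playbook code. The VirusTotal and Falcon clients are offline fakes holding constructed data, the detection threshold is an assumption to be tuned per SOC, and the real API endpoints mentioned in comments are noted for orientation only and should be checked against the vendor documentation for your tenant.

```python
from dataclasses import dataclass, field

# Assumption: how many engines must flag a file before it counts as malicious.
MALICIOUS_ENGINE_THRESHOLD = 5
HEX_DIGEST_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_type(value):
    """Return md5/sha1/sha256 for a hex digest; reject anything else before any API call."""
    digest = value.strip().lower()
    if len(digest) not in HEX_DIGEST_TYPES or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a hex digest: {value!r}")
    return HEX_DIGEST_TYPES[len(digest)]


def verdict_from_vt(stats):
    """Map VirusTotal v3 last_analysis_stats to malicious/suspicious/clean/unknown.

    None means VirusTotal has no report for the hash: that is 'unknown', not
    'clean', and must never trigger blocking or containment.
    """
    if stats is None:
        return "unknown"
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= MALICIOUS_ENGINE_THRESHOLD:
        return "malicious"
    if malicious + suspicious > 0:
        return "suspicious"
    return "clean"


class FakeVirusTotal:
    """Stand-in for GET /api/v3/files/{hash} (assumed endpoint); data is constructed."""
    def __init__(self, reports):
        self.reports = reports

    def file_stats(self, digest):
        # A real client returns data["attributes"]["last_analysis_stats"], or None on 404.
        return self.reports.get(digest.lower())


class FakeFalcon:
    """Stand-in for the Falcon host-lookup, IOC-management and host-action calls."""
    def __init__(self, hosts):
        self.hosts = hosts      # device_id -> hostname, constructed for this example
        self.calls = []         # record of enforcement actions, for inspection

    def find_host_ids(self, hostname):
        # Assumed real call: GET /devices/queries/devices/v1?filter=hostname:'<name>'
        return [aid for aid, name in self.hosts.items() if name.lower() == hostname.lower()]

    def block_hash(self, digest, digest_type):
        # Assumed real call: POST /iocs/entities/indicators/v1 with action "prevent".
        self.calls.append(("block", digest_type, digest))

    def contain_host(self, device_id):
        # Assumed real call: POST /devices/entities/devices-actions/v2?action_name=contain
        self.calls.append(("contain", device_id))


@dataclass
class PlaybookResult:
    verdict: str
    actions: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def run_playbook(alert, vt, falcon):
    """Hash reputation -> block -> contain -> notify, with the failure modes handled."""
    digest = alert["hash"].strip().lower()
    digest_type = hash_type(digest)
    result = PlaybookResult(verdict=verdict_from_vt(vt.file_stats(digest)))
    if result.verdict != "malicious":
        # Clean, suspicious and unknown verdicts block and isolate nothing.
        result.notes.append(f"hash {digest}: verdict {result.verdict}, flagged for manual review")
        return result

    falcon.block_hash(digest, digest_type)
    result.actions.append(("block", digest))

    hostname = alert["hostname"]
    device_ids = falcon.find_host_ids(hostname)
    if len(device_ids) == 1:
        falcon.contain_host(device_ids[0])
        result.actions.append(("contain", device_ids[0]))
    elif not device_ids:
        result.notes.append(f"host {hostname} not found in Falcon; containment needs an analyst")
    else:
        # Hostnames are not unique; never guess which machine to isolate.
        result.notes.append(f"hostname {hostname} matches {len(device_ids)} hosts; "
                            "containment needs analyst approval")
    result.actions.append(("notify", "soc"))
    return result


# Constructed sample data (not real VirusTotal reports or Falcon device records).
MALICIOUS_HASH = "0123456789abcdef" * 4
CLEAN_HASH = "fedcba9876543210" * 4
SAMPLE_VT = FakeVirusTotal({
    MALICIOUS_HASH: {"malicious": 42, "suspicious": 1, "undetected": 20, "harmless": 0},
    CLEAN_HASH: {"malicious": 0, "suspicious": 0, "undetected": 63, "harmless": 0},
})
SAMPLE_HOSTS = {"aid-0001": "WS-0412", "aid-0002": "SRV-DB01", "aid-0003": "srv-db01"}
```

Running `run_playbook({"hostname": "WS-0412", "hash": MALICIOUS_HASH}, SAMPLE_VT, FakeFalcon(SAMPLE_HOSTS))` blocks the hash, contains aid-0001 and queues the SOC notification; the same hash against SRV-DB01 still blocks but stops before containment because two devices share that hostname, and a clean or never-seen hash produces only a note for manual review. The malicious-action verbs and the threshold constant are where a real deployment plugs in the Falcon and VirusTotal clients and the SOC's own policy.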
Playbook Prerequisites
SIEM/EDR Alert Configuration: Malware alerts should be configured and ingested into SIRP.
EDR Capabilities: Ensure the endpoint detection and response tool supports hash blocking and host containment, and that the API credentials SIRP uses are scoped to only those operations (least privilege), since they can isolate hosts across the fleet.
Virus Total Integration: To fetch and verify hash reputations.
Playbook Integrations
Virus Total: Fetches and verifies the reputation of file hashes.
Crowdstrike Falcon: Blocks malicious hashes and isolates endpoints.
SIRP: Manages alert updates, workflows, and notifications.
Playbook Inputs
Hostname: The name of the affected host in the alert.
Hash: The file hash reported in the alert. Its algorithm must be one both integrations accept for lookup and blocking, and the playbook should validate the format before calling either API.
Playbook Outputs
Block Hash: Prevents the malicious file hash from being executed on endpoints.
Contain Host: Isolates the affected endpoint to stop malware propagation.
Send Notification to Analyst: Notifies the SOC team to coordinate further actions.
The SIRP Playbook
Key Benefits
Accelerated Malware Response: Automates critical containment steps, reducing response time.
Enhanced Security Posture: Prevents malware execution and lateral movement by isolating compromised endpoints.
Streamlined Communication: Ensures SOC teams are promptly informed for follow-up actions.
Integration-Driven Efficiency: Combines Virus Total, Crowdstrike Falcon, and SIRP to deliver seamless incident handling.
FAQs
What happens if a hash is not found malicious?
The playbook blocks and isolates nothing. It can be configured to flag the alert for further manual investigation by the SOC team; a hash with no Virus Total report should be handled the same way, as unknown rather than clean.
Can this playbook support other EDR tools besides Crowdstrike Falcon?
Yes, the playbook can be adapted to integrate with other EDR tools that support similar functionalities.
Does the playbook notify asset owners?
Notifications are sent to the SOC team, who can coordinate with the asset owner as needed.