Mitigation Actions - What is the best way to perform mitigation only on the relevant entities?

Hey, 

Let's say we have a malicious case with multiple account entities, or even host entities.

And we also have a block for mitigation actions in EDR / AAD, but we want to block only one of each entity type, not all.

Is there a way to perform this task automatically? 

If not, is there a way to pop a window to the analysts to write or select the relevant entities? 

Generally, do you have any best practices for these kinds of actions?

1 REPLY

Hey @ORBR ,

As of now, it's not natively supported, but I do have a workaround that will solve your use case.


It's possible to create a custom "Entity Selection Scope" and use it inside the actions. It can be dynamic and resolved during the playbook execution. 
 
Here are the examples of configuration:

 
[screenshots: Entity Selection Scope configuration]
 
Real use case example: I've created a test case that has 4 entities, and the goal is to run the action only on 1 entity (ENTITY4):
 
[screenshots: test case with 4 entities, scope resolving to ENTITY4, action result]

This is how it's possible to solve the use case of creating a custom scope for remediation blocks and ensure that the actions are only executed on a specific subset of entities. Let me know if it makes sense.
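An added illustration (not the platform's code and not the configuration in the screenshots above) of the selection logic the reply describes: a scope string, resolved from the playbook context at run time, picks the subset of case entities that the block action is allowed to touch, and an empty match fails closed rather than widening to every entity. The entity type labels, the `[Input.TargetEntities]` placeholder syntax and all function names are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    identifier: str
    entity_type: str  # "USERUNIQNAME" (account) or "HOSTNAME" (host); constructed labels


# Constructed test case mirroring the thread: four entities, only ENTITY4 should be blocked.
CASE_ENTITIES = [
    Entity("ENTITY1", "USERUNIQNAME"),
    Entity("ENTITY2", "USERUNIQNAME"),
    Entity("ENTITY3", "HOSTNAME"),
    Entity("ENTITY4", "HOSTNAME"),
]


def resolve_scope(scope_expr: str, context: dict) -> set:
    """Resolve a dynamic scope into a set of upper-cased entity identifiers.

    "[Some.Placeholder]" is looked up in the playbook context (assumed syntax);
    anything else is treated as a literal comma-separated identifier list.
    """
    expr = scope_expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        expr = context.get(expr[1:-1], "")
    return {item.strip().upper() for item in expr.split(",") if item.strip()}


def select_entities(entities, scope_expr, context, allowed_types=None):
    """Return only the case entities inside the resolved scope (and allowed types)."""
    wanted = resolve_scope(scope_expr, context)
    selected = [
        e for e in entities
        if e.identifier.upper() in wanted
        and (allowed_types is None or e.entity_type in allowed_types)
    ]
    # Fail closed: an empty scope must never silently become "act on all entities".
    if not selected:
        raise ValueError(f"scope {scope_expr!r} matched no entities; refusing to act")
    return selected


def run_block_action(entities, scope_expr, context, allowed_types=None):
    """Simulated EDR/AAD block: returns the identifiers acted on (no real API call)."""
    targets = select_entities(entities, scope_expr, context, allowed_types)
    # A real integration would call the EDR/AAD block endpoint once per target here.
    return [e.identifier for e in targets]
```

With the context `{"Input.TargetEntities": "ENTITY4"}` and scope `[Input.TargetEntities]`, the action touches ENTITY4 only; restricting `allowed_types` to accounts makes the same scope raise instead of blocking a host.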