Response action name | Parameters

updateBases
Update databases response action. Possible parameters:
To launch this response action, you need to specify the asset parameter of the response function.

avScan
Run malware scan response action. Possible parameters:
- wait. Possible values:
- scope. Possible values:
  - full — Perform a full scan of the device where the alert is detected.
  - critical — Perform a scan of the kernel memory, running processes, and disk boot sectors.
  - selective — Perform a scan of the specified files. To specify a path to the files, use the path parameter.
- allowScanNetworkDrives. Possible values: By default, the value is false. This parameter is available only if you want to perform a full scan. Note that scanning network drives can overload the system.
- path — A jq expression or a string with a path to the files you want to scan. You can also specify multiple file paths.
To launch this response action, you need to specify the asset parameter of the response function.

moveHostsToAdministrationGroup
Move to group response action. Possible parameters:
- group — Open Single Management Platform administration group path. For example, HQ/OrgUnit1.
To launch this response action, you need to specify the asset parameter of the response function.

quarantineFile
Move to quarantine response action. Possible parameters:
- path — Path to the file you want to quarantine.
- md5 — MD5 hash of the file.
- sha256 — SHA256 hash of the file.
You can specify the response action parameters in one of the following ways:
- Specify the full path to the file you want to quarantine. In this case, you do not need to specify an MD5 hash or a SHA256 hash.
- Specify the file path and the file hash (MD5 or SHA256).
To launch this response action, you need to specify the asset parameter of the response function.

killProcess
Terminate process response action. Possible parameters:
- pid — Process identifier.
- path — Path to the file you want to quarantine.
- md5 — MD5 hash of the file.
- sha256 — SHA256 hash of the file.
To launch this response action, you need to specify the asset parameter of the response function.

changeAuthorizationStatus
Change authorization status response action. Possible parameter:
- authorized. Possible values:
To launch this response action, you need to specify the asset parameter of the response function.

netIsolateOn
Enable network isolation response action. Possible parameters:
- isolationTimeoutSec — Network isolation period. You can specify this parameter in hours or days. The minimum value in hours is 1 hour, the maximum is 9999 hours. The minimum value in days is 1 day, the maximum is 416 days. The network isolation period is specified in seconds.
- exclusions — Exclusion rules. You can specify one or more exclusion rules.
  - remoteIPV4Address — Network traffic from the specified IPv4 address will be excluded from the block. For example, 192.168.2.15.
  - remoteIPV6Address — Network traffic from the specified IPv6 address will be excluded from the block. For example, 2001:0db8:0000:0000:0000:ff00:0042.
  - remotePortRange — Interval of remote ports.
  - localPortRange — Interval of local ports.
  If remotePortRange and localPortRange are not specified, the exclusion rule applies to all ports.
- exclusionsConflictBehavior — Defines the behavior if there is a conflict between different exclusion rules. Possible parameters:

netIsolateOff
Disable network isolation response action.
To launch this response action, you need to specify the asset parameter of the response function.

executeCommand
Run executable file response action. Possible parameters:
- path — Path to the custom script or executable file that you want to run.
- workingDirectory — Path to the working directory.
- commandLineParameters — Command-line parameters that you want to apply to the command.
To launch this response action, you need to specify the asset parameter of the response function.

addFilePreventionRules
Add prevention rule response action. Possible parameters:
- md5 — MD5 hash array.
- sha256 — SHA256 hash array.
To launch this response action, you need to specify the asset parameter of the response function.

deleteFilePreventionRules
Delete prevention rule response action. Possible parameters:
- md5 — MD5 hash array.
- sha256 — SHA256 hash array.
To launch this response action, you need to specify the asset parameter of the response function.

resetFilePreventionRules
Delete all prevention rules.
To launch this response action, you need to specify the asset parameter of the response function.

assignKasapGroup
Assign KASAP group response action. Possible parameters:
- groupId — KASAP group identifier.
To launch this response action, you need to specify the asset parameter of the response function.

addToLDAPGroup
Add user to security group response action. Possible parameters:
- groupDN — Distinguished name (DN) of the LDAP group.
To launch this response action, you need to specify the asset parameter of the response function.

removeFromLDAPGroup
Delete user from security group response action. Possible parameters:
- groupDN — Distinguished name (DN) of the LDAP group.
To launch this response action, you need to specify the asset parameter of the response function.

blockLDAPAccount
Lock account response action.
To launch this response action, you need to specify the asset parameter of the response function.

resetLDAPPassword
Reset password response action.
To launch this response action, you need to specify the asset parameter of the response function.

executeCustomScript
Execution of custom scripts. Possible parameters:
- commandLine — Command to run.
- commandLineParameters — Command-line parameters that you want to apply to the command.
- stdIn — Standard input stream. Use this parameter if a script requires some additional data from the standard input.
- workingDirectory — Path to the working directory.

iocsEnrichment
Data enrichment. Possible parameters:
- observables — A jq expression with an array of observables that you want to enrich.
- source — Source of data. Possible values:
- fullEnrichment — Defines the number of records to be requested. Possible values:
  - true — Request all records from the source.
  - false — Request the top 100 records from the source.