Endpoint Security Part 4: How to create a playbook to isolate a machine and alert your SOC team

Cyooda Incident Response


In this fourth article of a 5 part series on 'Endpoint Security' I'm going to be showing you how to create a rule in your Elastic SIEM to generate an alert and isolate a host if the presence of malware is detected.

Step One - Create the detection rule

In your Kibana console select: Security | Rules | Detection Rules (SIEM)


Detection Rules Selection Elastic SIEM

Then in the Define Rule section select: Custom query.

Define Detection Rule

In the custom query section provide an index patern, custom query to detect the event.  In our case this is all endpoint alerts with the category malware.

Rule Parameters

Step Two - Configure the Alert

Next configure the Rule actions to Alert. In this example we will select the Email connector type ad complete the required fields. If you click on the + symbol next to the Subject and Message you can select labels that will pre-populate data from the actual event.

Rule Action Options
Email Action for SIEM

Step Three - Configure the Action to Isolate the host

Next select the Response Actions and from the 'Endpoint Security Response Action' drop down select 'Isolate' which will Isolate the host when the rule is triggered.

Response Actions

Step Four - Trigger the Alert

To trigger alert I am going to use a 'Test' Malware file from Palo Alto Networks.  I have configured my Elastic Endpoint Security agent to display a visual pop-up message if malware is detected.  When the test file is executed we will see the following pop-up:

Malware Alert

After a couple of minutes the rule will trigger on the SIEM and we should then receive an email alert as well as the host being isolated.

Email Alert

Once the host is isolated, if this was a real security event you would need to call the user to find out what they were doing and gather further information to determine the next course of action.

That's it for now!

You now have a detection rule in place that will trigger an email alert and also isolate the host for further investigation.  This is a fairly simple use case and next time I will be showing you how you can use automation workflows in the form of 'Tines' to create additional workflow actions.


Leave a Comment