- Incident Responder Release Notes
- Get Started with Incident Responder
- Configure Incident Responder Settings
- Core Settings
- Analytics Settings
- Configure Services
- Prerequisites for Configuring Incident Responder Microsoft Services with OAuth2.0 Authentication
- Configure the Amazon Elastic Compute Cloud (EC2) Service
- Configure the Anomali ThreatStream API Service
- Configure the Atlassian Jira Service
- Configure the BMC Remedy Service
- Configure the Check Point Firewall Service
- Configure the Cisco AMP for Endpoints Service
- Configure the Cisco Services Engine (ISE) Service
- Configure the Cisco Threat Grid Service
- Configure the Cisco Umbrella Enforcement Service
- Configure the Cisco Umbrella Investigate Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CyberArk Service
- Configure the Cylance Protect Service
- Configure the Exabeam Advanced Analytics Service
- Configure the Exabeam Cloud Search Service
- Configure the Exabeam DL Service
- Configure the FireEye HX Service
- Configure the Fortinet Service
- Configure the Google Gmail Service
- Configure the IntSights Cyber Intelligence Ltd. Service
- Configure the IRNotificationSMTPService Service
- Configure the Microsoft Active Directory (AD) (Latest) Service
- Configure the Microsoft Exchange Service
- Configure the Microsoft Outlook Office 365 Service
- Configure the Microsoft Windows Defender ATP Service
- Configure the Microsoft Windows Management Instrumentation Service
- Configure the Netskope Service
- Configure the Okta Service
- Configure the Palo Alto Networks Firewall Service
- Configure the Palo Alto Networks Wildfire Service
- Configure the Rapid7 insightVM Service
- Configure the SentinelOne Service
- Configure the SentinelOneV2 Service
- Configure the Service Now Service
- Configure the Slack Service
- Configure the SlashNext Service
- Configure the Splunk Service
- Configure the ThreatConnect API Service
- Configure the Urlscan.io API Service
- Configure the VirusTotal Service
- Configure the Zscaler Service
- Test a Service
- Edit a Service
- Disable a Service
- Upload a Custom Service
- Delete a Custom Service
- Create an Email Template for the Notify by Email Action
- Respond to Security Incidents
Malware Turnkey Playbook
Analyze suspicious files and detonate potential malware with the Malware turnkey playbook.
The Malware turnkey playbook helps you analyze, triage, and detonate suspicious files that may be potential malware. Depending on the reputation of the file entities and their related hashes, it changes the incident's priority and comments on the incident.
First, the playbook gathers the file entities and artifacts from an incident. Then, it scans and assesses the reputation of the files, and detonates them in a sandbox. It also the assesses the reputation of any associated MD5, SHA1, and SHA256 hashes. View the output in the workbench under SCAN FILE – YARA.
If any file entities, artifacts, or hashes have malicious reputation, it changes the incident's priority to Critical and comments on the incident, Exabeam Actions detected at least one malicious file on this incident. As a result, the priority has been raised to critical. If none of the files, entities, and hashes have a malicious reputation, it changes the incident's priority to Low and comments on the incident, Exabeam Actions didn't detect malicious files on this incident. As a result, the priority has been changed to low.
If the associated hashes have a malicious reputation, the playbook searches for other incidents with the same hashes. View the output in the workbench, under IR INCIDENTS WITH IOC.
If you configured any third-party services, you can customize the Malware turnkey playbook and make it more robust. For example, if your incident doesn't have a file entity or artifact, you can use a Get File action to retrieve a file from another data source. You can also take further action on the malware; for example, using Okta's Suspend User action, CarbonBlack Response's or FireEye's Isolate (Contain) Host action, CiscoAMP's Isolate Host action, or Quarantine Host action from various services.
Keep in mind that you may input only a limited number of files, URLs, or other entities and artifacts to Exabeam Action's Sandbox by Detonate action per day, up to Exabeam's sole discretion. Exabeam throttles your inputs to prevent internal services from overloading and to ensure all Exabeam users can access the action. The exact number of entities and artifacts you can input varies per day.